My buffer, it doth runneth over
Due before class, Wednesday 25 Oct 2006
You should look over these questions and answer them, but you do not need to turn them in: Pfleeger 3.4, 3.7, ....
In this assignment, you will implement a buffer overflow exploit against a program that is susceptible to a stack overflow. You will do so using a version of the flaw hypothesis methodology and keep track of your results in a research notebook.
As with the other assignments, I encourage you to discuss various approaches with your peers. However, try to avoid getting into specifics as you might give away hints that the other students have not yet revealed to themselves.
For this project, I want you to proceed in an experimental fashion including basic experimental design and recording of observations and results.
Flaw Hypothesis Methodology (FHM) is sometimes referred to as Flaw Hypothesis Testing. It is a procedure used in system analysis and penetration testing. The general procedure is as follows:
I would like for you to keep a research notebook for this project. In this notebook, you will record the various details that you discover, your brainstormed hypotheses, the description of your experimental design, and the results and conclusions from your experiments.
I am interested in seeing the process through which you eventually construct your successful exploit. This means that I am interested in seeing the ideas that you develop and which ones you select for testing, as well as which experiments you tried and found to be unsuccessful.
Initially, I want you to work on this individually. Should there be a need, I am willing to allow combination into teams of 2 -- after break! Please clearly delineate which portions were done as a team, and which things were done individually.
This "notebook" need not be a paper record -- though it can be if you so desire. A simple text file will be sufficient.
The vulnerable program is a curses-based game called "freesweep", a clone of the popular Windows game Minesweeper. You can find a copy of it at
~kuperman/pub343/freesweep
Give it a play!
As far as I can tell, Gentoo's glibc is detecting some sort of error in the program which may be unrelated to the exploitable overflow. You will need to run your experiments on gandalf.cs.oberlin.edu in order for it to work.
Should you figure out how to get it to work on the other machines, let me know.
I would like for you to design a buffer overflow attack against freesweep. You might want to start by reading Aleph One's Smashing the Stack for Fun and Profit.
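As an added illustration of the bug class you are hunting (this is not freesweep's code, nor the published exploit, and it is not part of the original assignment page), here is a small C model of a stack-based overflow beside its bounded counterpart, plus the kind of "how long before something changes?" probe that a flaw hypothesis experiment boils down to. The frame layout, the field names and the trusted authenticated flag are assumptions made for the demonstration; a real frame also holds the saved frame pointer and the return address, which is what the attack in Aleph One's paper overwrites, and its exact layout depends on compiler and platform, which is exactly why your notebook should record what you observed on the machine you ran on rather than what you expected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a stack frame (assumed layout for this demonstration): a
 * fixed-size buffer followed by a variable the program trusts.  'rest'
 * stands in for the remainder of the frame so that the deliberate
 * overrun below stays inside this object instead of corrupting the
 * real stack of the demo itself. */
struct frame {
    char          name[16];
    uint32_t      authenticated;   /* byte offset 16, right after name[] */
    unsigned char rest[64];
};

/* Vulnerable copy: stops at the NUL terminator, never at the edge of
 * name[].  It writes through a byte pointer over the whole frame so the
 * out-of-bounds bytes land in 'authenticated' deterministically.  Inputs
 * in this demo are kept shorter than the frame. */
static void copy_unbounded(struct frame *f, const char *src)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    do {
        dst[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Hardened copy: refuses input that does not fit together with its NUL,
 * rather than truncating silently or running past the buffer. */
static int copy_bounded(struct frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof f->name)
        return -1;
    memcpy(f->name, src, n + 1);
    return 0;
}

/* Constructed test input: a run of n 'A's (n < 64) into buf. */
static void fill_input(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* One experiment: does an n-byte input through the vulnerable copy change
 * the trusted variable?  Returns 1 if it was clobbered, 0 if not, -1 if
 * the requested length is outside what this model can hold. */
static int clobbers_at_length(size_t n)
{
    struct frame f;
    char input[64];
    if (n >= sizeof input)
        return -1;
    memset(&f, 0, sizeof f);
    fill_input(input, n);
    copy_unbounded(&f, input);
    return f.authenticated != 0;
}

/* Same experiment with the bounded copy: returns the copy's result
 * (-1 = rejected, 0 = accepted), or -2 if the flag was somehow touched. */
static int bounded_copy_at_length(size_t n)
{
    struct frame f;
    char input[64];
    if (n >= sizeof input)
        return -1;
    memset(&f, 0, sizeof f);
    fill_input(input, n);
    int rc = copy_bounded(&f, input);
    return f.authenticated == 0 ? rc : -2;
}

/* Flaw-hypothesis style probe: grow the input one byte at a time and
 * report the shortest length that reaches past the buffer (0 if none
 * below max_len does). */
static size_t find_overflow_threshold(size_t max_len)
{
    for (size_t n = 1; n < max_len && n < 64; n++)
        if (clobbers_at_length(n) == 1)
            return n;
    return 0;
}

int main(void)
{
    printf("shortest input that clobbers the flag: %zu bytes\n",
           find_overflow_threshold(64));
    printf("bounded copy of 16 bytes: %d\n", bounded_copy_at_length(16));
    return 0;
}
```

In the model, sixteen bytes fit (the NUL lands on the flag and leaves it zero), and the seventeenth byte is the first one that changes the trusted variable; the same one-byte-at-a-time sweep against the real target tells you the distance from the buffer to whatever you are trying to overwrite, which is the number your notebook should pin down before you try to place a payload.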
There is a published exploit against this program. I'm asking you to not look it up and use it (that's no fun!); however, if you do so, you need to document such in your notebook and/or writeup.
I would like for you to turn in the exploit you wrote (and accompanying tools) as well as your research notebook. In addition, I would like you to create a README file that contains:
I find that there is a thrill from discovering and solving a puzzle on your own. However, I recognize that you might not agree, and possibly might get stuck on your way to a solution. As such, I've prepared a number of hints that you can optionally view to help you on your way.
Feel free to use the following in any order:
Hint 1 - The man page for freesweep.
Hint 2 - A readable binary
Hint 3 - An unstripped binary
Hint 4 - The source code
Hint 5 - A hint about what data can be used to cause the overflow.
Hint 6 - Exactly what input source can cause an overflow.