Due: 25 September 2006

Description

        $ echo "Steve Zdancewic" | ./blame
        It's all Steve Zdancewic's fault.

        $ echo "Bill Gates" | ./blame
        It's all Bill Gates's fault.

Source code for blame.c is attached below and is also available at http://www.cis.upenn.edu/~cse331/blame.c.

Simple-minded string processing aside (it would be more correct, after all, to say that "It's all Bill Gates' fault"), there is a serious problem with the blame program. Despite Feckless' best efforts, a bug allows anyone who can provide input to this program to run arbitrary code on the target machine. (What might happen if it is run as a network service under inetd, as suggested in the comments?)

Your job is to create input that will cause the blame service to print out the helpful message "Now I pwn your computer" before it terminates. For example:

	$ cat exploit_file | ./blame
	...
	Now I pwn your computer

Deliverables

1. Write a well documented program that generates exploit_file. (You can assume you'd have access to the object code for the instance of blame against which it will be run). Your program should work on the Linux platform available on the eniac-l.seas.upenn.edu machine pool. The gcc compiler and gdb debugger are already installed. If, for some reason, you do not have an account on eniac-l.seas.upenn.edu contact one of the course staff members.

   Submit the program that generates your exploit_file as well as any tools you use to generate parameters and constants. Your software should be sufficiently documented to allow a novice programmer to port your code to other platforms or to modify it to exploit similar weaknesses in other programs. In other words, your submission should be suitable as a tutorial on exploiting (and avoiding) this class of vulnerability.
   
   

2. Fix the blame.c implementation so that it is not vulnerable to this buffer overflow attack, but still has the same behavior as the original program for inputs that fit into the buffer INPUT_BUFFER. How do you know your program is secure?
   
   
3. Your submission should consist of a single .tar, .tar.gz or .tgz file. Send it by e-mail to Savi Basavaraj (savi AT seas.upenn.edu), the class TA. The archive should include a README file containing your group information (including full names and e-mail addresses) and a list of the contents of the directory you submit. For help with creating a tar file, read the tar man pages.

Resources

• Aleph One's famous article Smashing the Stack for Fun and Profit
• The Gnu Compiler Collection
• The GNU Project Debugger
• Intel's X86 Instruction Set Architecture

Grading guidelines

• 50% - Working exploit_file and associated tools.
• 20% - Fixed version of blame.c
• 30% - Documentation, tutorial, and explanation of the two parts above.

Blame server source code (blame.c)

/*
 * Blame server.  Assigns blame to the person of your choice.
 *
 * Usage: blame
 *	(reads one line from standard input)
 *
 * To compile:
 *	cc blame.c -o blame
 *
 * Install under inetd as follows:
 *  blame	stream	tcp	nowait	root	/path/to/blame	blame
 *
 * Copyright 2004 by Feckless C. Coder, PhD.
 */

#include <stdio.h>
#include <string.h>
#define INPUT_BUFFER 256  /* maximum name size */

/*
 * read input, copy into s 
 * gets() is insecure and prints a warning
 *    so we use this instead
 */
void getline(char *s)
{
	int c;
	
	while ((c=getchar()) != EOF)
		*s++ = c;
	*s = '\0';
}

/*
 * convert newlines to nulls in place
 */
void purgenewlines(char *s)
{
	int l;

	l = strlen(s);

	while (l--)
		if (s[l] == '\n')
			s[l] = '\0';
}


int main()
{
	char scapegoat[INPUT_BUFFER];

	getline(scapegoat);
	/* this check ensures there's no buffer overflow */
	if (strlen(scapegoat) < INPUT_BUFFER) {
		purgenewlines(scapegoat);
		printf("It's all %s's fault.\n", scapegoat);
	}
	return 0;
}