CMSC 426 — Spring 2018

Exploitable Buffer Overflow in a Server

Objective

Identify the buffer overflow vulnerability in a server process. Verify the existence of the vulnerability by fuzzing the running server process. Outline an attack that would provide remote access to a shell running on the server hardware; if possible, implement the attack. Finally, describe how to fix the bug in the server software.

Scenario

The "Bad Server" package implements a simple server program that includes an exploitable buffer overflow. Your objective is to identify the vulnerability, verify the vulnerability through fuzzing, design an attack, and, if possible, implement the attack.

The server code, sample shell code, and any other documents are available from my Box directory.

Procedure

You may choose to begin by analyzing the server code, or you can go directly to running the server and attacking it remotely. The following steps outline how to install and interact with the running server.

• Build and install the server code on a vulnerable server VM (for example, the SEEDUbuntu12.04 VM, since it already has stack protections turned-off). Run the server as root and specify the port number on which it should listen for connections:

        sudo ./bad_server 50000	

• From your host computer (or second VM) connect to the remote server using netcat (nc). Here is an example from my installation (my input is in bold):

        nc 192.168.1.23 50000
        Welcome to TB Server 1000
        > help
        Available commands:
        help
        login passphrase
        quit

  Try each of the commands; note any messages that are returned.
• Write a Python program that uses Pexpect to remotely “fuzz” the server; determine what input causes the connection to terminate. If you analyzed the source code first, are your fuzzing results consistent with your analysis?
• Examine the provided connect-back shellcode (connectback_shell_v1.asm) and explain what this shellcode is doing. Outline an attack on the server using this shellcode; your description must include how the attacker would interact with the compromised server.
• Advanced: Implement the full attack on the vulnerable server.