Project Files
Due Thursday, November 17th

Worth 85 points


Listed above are 3 port numbers. Each of those ports is running a service that you must exploit. The first is easy, the second is of medium difficulty, and the third is intended to be hard.

If you do not see those ports, please log in by clicking the "Login" at the top right of this page.

These services are running on netsec-projects.cs.northwestern.edu. You can view the source code on any machine within the directory /home/shared/vulnerable/overflows.

Note: netsec-projects is firewalled, and the ports are only accessible from hamsa. To check whether your code works, run it from hamsa.


We recommend consulting people working on the same vulnerability, but we expect that you will write the exploit yourself.


Points are broken down as follows:


If you need to review the relevant Metasploit commands, check here: http://hamsa.cs.northwestern.edu/readings/metasploit-basics/

Metasploit is only available on hamsa (not on the VMs).

Useful gdb Command

set follow-fork-mode child: All of the services fork a new process after accepting a new TCP connection. This setting makes gdb follow and debug the child process, which is the one that handles your input and therefore the one you want.

How to Start Debugging

(1) Copy all the necessary files to your own directory on netsec-playground.

(1.5) Consider running make clean, just in case.

(2) Run ./configure to generate the Makefile.

(3) Modify the Makefile to add the -g option to LDFLAGS and CFLAGS.

(4) Modify -DPORT in the Makefile to avoid conflicts with other users.

(5) Run make to build the program.

(6) Run gdb prog.

(7) Run set follow-fork-mode child to make sure that gdb will follow the child process.

(8) Run nc netsec-playground port_number (or use Metasploit, but make sure your breakpoint is placed after all input has been handled, or you will get a SIGPIPE).

(9) Debug until you can jump to an arbitrary memory address.

(10) Run your Metasploit module from hamsa against netsec-projects.

Tips After Starting

The easy program should be a simple buffer overflow.

The medium program will involve some more complicated pointer manipulation and stack writing.

The hard program should be tricky. Once you get the trick, the overflow should be easy again.

If your module is not overwriting the return address correctly:

If your module can jump to the right address but you can't get a shell:

If you can exploit netsec-playground and not netsec-projects: