Wednesday, March 11, 2009

Oh sweet success!!!

Tonight was the first full night I was able to completely concentrate on Lab 2, and, surprisingly, I was able to accomplish what I wanted to accomplish. With a little insight from the professor and a little clarification from another class member, I was able to put the pieces together to correctly complete the lab.

This lab was a buffer-overflow exploit, executed from one virtual server to another. The lab instructions were pretty thorough, and there were even some hidden hints in the code that allowed me to complete this lab. I was able to exploit an integer overflow vulnerability and gain root access to one of the virtual servers I didn’t normally have access to. Most of the code was written by the professor, so there were basically some “fill-in-the-blanks” for the students to accomplish in order to gain elevated privileges on the server running the vulnerable code.
From looking at the serverv2.c code, I noticed that there was a short unsigned int; this is where I focused my attack. From the server dump, I was able to get the memory address of the integer.

I was excited that I was able to follow most of the code (I’m just now taking my first class in C, and I have not yet taken 341, which is a class on assembly) and disseminate what I was supposed to do in order to complete the lab. I was stuck for the longest time on one aspect of the code: we were to get a “magic number” that was an unsigned short int, which is then interpreted as a signed int, and then as executable code. It took me a while to figure out that the argument to the ‘printf’ statement was being fed into the vulnerable server code to execute our overflow attack; this was the jump point to inject our malicious code. Once I realized this was the integer value of the JMP ESP in x86 machine code…I was able to exploit the vulnerability on the server and gain root access.

At this point I haven’t been able to update the sudoers file; I get an error that it’s busy and to try again later; I’m assuming someone else was updating it at the time. It has been locked out for quite a while, so I’m not sure if there is an issue with the file.

Overall I thought this was a fun lab, and considering the extreme failure on lab 1, I’m happy that this lab turned out differently. I’m also relieved that this was done before spring break!!! It’s miller time!!! Ok, maybe not for someone that has a full-time job and no real spring-break from work… =)
