Assignment 1: Buffer Overflow
Discovery and POC
COMS E6998-9: Software Security and Exploitation
The assignment is due by midnight on 3/11 (Friday evening).
Please email me if you have any questions: hthompson@cs.columbia.edu.
Also, please let me know if you’d like to set up time to discuss this by phone.
Overview
The goal of this assignment is to help you better understand how buffer overflow exploits work. You’ll be asked to create some benign exploits for a widely known (and fixed) vulnerability in the VLC media player.
Take a look at CVE-2007-6681, a stack-based overflow in the VLC media player: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6681. The overflow occurs when a particularly large string is provided to VLC player through an SSA subtitle file. A brief description of the problem can be found here: http://aluigi.org/adv/vlcboffs-adv.txt. Additionally, proof of concept exploits are available:
http://www.securityfocus.com/data/vulnerabilities/exploits/vlcboffs.zip
http://downloads.securityfocus.com/vulnerabilities/exploits/28251.c
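To make the vulnerability class concrete before working on the tasks, here is an added example (written for this page, not VLC's code) showing the pattern the advisory describes: a subtitle parser that copies the text field of an SSA "Dialogue:" line into a fixed-size stack buffer without checking its length, next to a bounded version and a scanner that flags subtitle files whose text fields would not fit. The buffer size TEXT_MAX, the function names and the sample file contents are all assumptions constructed for the illustration; the real VLC buffer size and parsing code are not given on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed size of the fixed stack buffer; the real VLC value is not on the page. */
#define TEXT_MAX 256

/* Return a pointer to the text field of an SSA "Dialogue:" line within
 * [line, line+len), or NULL if the line is not a Dialogue line. The text is
 * the tenth comma-separated field, i.e. everything after the ninth comma. */
static const char *ssa_text_field(const char *line, size_t len, size_t *text_len) {
    if (len < 9 || memcmp(line, "Dialogue:", 9) != 0) return NULL;
    const char *p = line + 9;
    const char *end = line + len;
    for (int commas = 0; commas < 9; commas++) {
        p = memchr(p, ',', (size_t)(end - p));
        if (p == NULL) return NULL;
        p++;
    }
    *text_len = (size_t)(end - p);
    return p;
}

/* Vulnerable pattern: the text length comes from the file and is never
 * compared with the buffer size, so a long text field writes past text[]
 * and over the saved registers on the stack. Only called with short input here. */
size_t ssa_copy_unsafe(const char *line) {
    char text[TEXT_MAX];
    size_t n;
    const char *field = ssa_text_field(line, strlen(line), &n);
    if (field == NULL) return 0;
    memcpy(text, field, n);       /* no bound check: stack overflow on long input */
    text[n] = '\0';
    return strlen(text);
}

/* Hardened form: refuse any text field that does not fit, terminator included.
 * Returns the text length, -1 for a non-Dialogue line, -2 for an oversized field. */
int ssa_copy_safe(const char *line, size_t len, char *out, size_t out_size) {
    size_t n;
    const char *field = ssa_text_field(line, len, &n);
    if (field == NULL) return -1;
    if (n >= out_size) return -2;
    memcpy(out, field, n);
    out[n] = '\0';
    return (int)n;
}

/* Scan an in-memory subtitle file and count Dialogue lines whose text field
 * the unbounded parser could not hold; a non-zero count is the signal a
 * defender would alert on before handing the file to a vulnerable player. */
int ssa_count_oversized(const char *contents) {
    int flagged = 0;
    const char *line = contents;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len && line[len - 1] == '\r') len--;      /* tolerate CRLF files */
        char text[TEXT_MAX];
        if (ssa_copy_safe(line, len, text, sizeof text) == -2) flagged++;
        line = nl ? nl + 1 : line + len;
    }
    return flagged;
}

/* Constructed sample file: one ordinary Dialogue line and one whose text
 * field is 300 bytes of 'A', which exceeds TEXT_MAX. */
int build_sample(char *buf, size_t size) {
    const char *head =
        "[Events]\n"
        "Format: Marked, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\n"
        "Dialogue: Marked=0,0:00:01.00,0:00:04.00,Default,,0000,0000,0000,,Hello\n"
        "Dialogue: Marked=0,0:00:05.00,0:00:08.00,Default,,0000,0000,0000,,";
    size_t hl = strlen(head);
    if (hl + 300 + 2 > size) return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', 300);
    buf[hl + 300] = '\n';
    buf[hl + 301] = '\0';
    return 0;
}

/* Build the sample and report how many of its lines the safe parser rejects. */
int sample_oversized_count(void) {
    char buf[2048];
    if (build_sample(buf, sizeof buf) != 0) return -1;
    return ssa_count_oversized(buf);
}

int main(void) {
    printf("oversized Dialogue lines in sample: %d\n", sample_oversized_count());
    return 0;
}
```

The scanner uses the bounded parser as its oracle: any line it rejects with -2 is exactly a line the unchecked copy would mishandle, which makes the same check usable both as the fix inside the parser and as a pre-flight filter outside it.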
Several versions of VLC player are affected. For this assignment you will need to download version 0.8.6d (the Windows binaries as well as the source code) from http://download.videolan.org/pub/videolan/vlc/0.8.6d/.
Perform the following tasks using a Windows XP machine (latest updates and service packs):
Part 1: Control EIP
Using the techniques discussed in class, create an SSA file that puts the hex value “DEADBEEF” in the EIP register. Email me a .zip or .rar archive named “Part1” that has your SSA file and the associated AVI file. I will then verify it with version 0.8.6d of VLC played on Windows XP using the ntsd debugger.
Part 2: Stack execution
Using the techniques discussed in class and building on Part 1, manipulate EIP to point to your data (from the SSA file) on the stack. Specifically, force the “CC” instruction (Int 3) to be executed. Write a short description (1 page max) of what you did and any problems encountered or workarounds that were necessary. Include your description in the body of your submission email. Attach a .zip or .rar archive named “Part2” that has your SSA file and the associated AVI file. I will then verify it with version 0.8.6d of VLC player on Windows XP using the ntsd debugger.
Part 3: Proof of concept - launch notepad.exe or open a message box
Create a Windows message box (blank or with text) using the technique discussed in class. To do this you will need to call the MessageBoxA function in User32.dll. Alternatively, you can launch Notepad.exe by calling the WinExec() function in Kernel32 (or using some other means). Email me a .zip or .rar archive named “Part3” that has your SSA file and the associated AVI file. I will then verify it with version 0.8.6d of VLC player on Windows XP (with latest patches and service packs).
Part 4: Perform Part 3 on Windows 7 FOR EXTRA CREDIT ONLY (harder)
Port the solution found in Part 3 to Windows 7.
NOTE: More important than the SSA files themselves is a short description of what you did for each part. If you get stuck, tell me why. A tip is to find the smallest possible string that will cause the overflow to happen and then work from there.
Some additional reading/sites that will be helpful:
Wikipedia entry on Buffer Overflows:
http://en.wikipedia.org/wiki/Buffer_overflow
Metasploit: