Assignment 1: Buffer Overflow Discovery and POC

COMS E6998-9: Software Security and Exploitation

The assignment is due by midnight on 3/11 (Friday evening).

Please email me if you have any questions: hthompson@cs.columbia.edu. Also, please let me know if you’d like to set up time to discuss this by phone.

Overview

The goal of this assignment is to help you better understand how buffer overflow exploits work. You’ll be asked to create some benign exploits for a widely known (and fixed) vulnerability in the VLC media player.

Take a look at CVE-2007-6681, a stack-based overflow in the VLC media player: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6681. The overflow occurs when a particularly large string is provided to VLC player through an SSA subtitle file. A brief description of the problem can be found here: http://aluigi.org/adv/vlcboffs-adv.txt. Additionally, proof of concept exploits are available:

http://www.securityfocus.com/data/vulnerabilities/exploits/vlcboffs.zip

http://downloads.securityfocus.com/vulnerabilities/exploits/28251.c

Several versions of VLC player are affected. For this assignment you will need to download version 0.8.6d (the Windows binaries as well as the source code) from http://download.videolan.org/pub/videolan/vlc/0.8.6d/. Perform the following tasks using a Windows XP machine (latest updates and service packs):

Part 1: Control EIP

Using the techniques discussed in class, create an SSA file that puts the hex value “DEADBEEF” in the EIP register. Email me a .zip or .rar archive named “Part1” that has your SSA file and the associated AVI file. I will then verify it with version 0.8.6d of VLC played on Windows XP using the ntsd debugger.

Part 2: Stack execution

Using the techniques discussed in class and building on Part 1, manipulate EIP to point to your data (from the SSA file) on the stack. Specifically, force the “CC” instruction (Int 3) to be executed. Write a short description (1 page max) of what you did and any problems encountered or workarounds that were necessary. Include your description in the body of your submission email. Attach a .zip or .rar archive named “Part2” that has your SSA file and the associated AVI file. I will then verify it with version 0.8.6d of VLC player on Windows XP using the ntsd debugger.

Part 3: Proof of concept - launch notepad.exe or open a message box

Create a Windows message box (blank or with text) using the technique discussed in class. To do this you will need to call the MessageBoxA function in User32.dll. Alternatively, you can launch Notepad.exe by calling the WinExec() function in Kernel32 (or using some other means). Email me a .zip or .rar archive named “Part3” that has your SSA file and the associated AVI file. I will then verify it with version 0.8.6d of VLC player on Windows XP (with latest patches and service packs).

Part 4: Perform Part 3 on Windows 7 FOR EXTRA CREDIT ONLY (harder)

Port the solution found in Part 3 to Windows 7.

NOTE: More important than the SSA files themselves is a short description of what you did for each part. If you get stuck, tell me why. A tip is to find the smallest possible string that will cause the overflow to happen and then work from there.

Some additional reading/sites that will be helpful:

Wikipedia entry on Buffer Overflows:

http://en.wikipedia.org/wiki/Buffer_overflow

Metasploit:

http://www.metasploit.com/