CS6262 LAB Assignment 2: (Due on March 30)
------------------------

The goal of this assignment is to experiment with buffer overflow. You will play with existing examples, learn how to write an attack and how to detect it.

--------------
Task 1: (50pt)
--------------

1. Follow what you have learned in class and from the links provided at the class web site. You need to read especially Aleph One's classical tutorial. For this lab you only need to know the Intel x86 architecture.

2. A notorious buffer overflow exploit works on some older versions of imapd, an IMAP and POPx server from UW. The formal description of this vulnerability can be found at http://www.cert.org/advisories/CA-1998-09.html.

3. Find more materials to cover the issue. Especially, find out where exactly the overflow problem lies. You need to list your references also. (10)

4. The daemon is currently installed on lab machine H1. You are provided with a script to exploit it and gain root access. The script is installed under /home/attack-tools/imapd-ex on H3. Run:

   H3% (imapd-ex offset;cat)|nc H1 143

   to start the attack. imapd-ex generates the long buffer containing binary codes. nc is a utility to generate arbitrary TCP/UDP traffic; it can be used for bidirectional communications. cat is used to type interactive shell commands.

   Why is an offset involved? If you are not clear, go back to 1 and study hard. Otherwise, report the offset you have found working (which is not unique).

   Hint 1: If you succeed, you can execute shell commands as root (known as a root shell). The shell prompt will not be echoed back, however.

   Hint 2: You can write a shell script to automate the process. The increment can be 500. (Question for yourself: What is the maximal yet safe value for the increment?) (You don't need to submit anything for this.)

5. Once you have succeeded, read the contents of the top-secret file /root/dr-lee. (40)

--------------
Task 2: (50pt+10pt)
--------------

1. OK. This is a security course. You need to stop the attack. Use either snort or bro to detect the specific attack in Task 1. A bro implementation will receive 10 extra points. (30)

2. Discuss different signature schemes for detecting a *general* buffer overflow attack. How many of them can you find? What are the advantages and possible limitations of each of them? Use as formal a language as you can (regular expressions, for example) to describe the signatures. (20)

--------------
Task 3: (Extra credit, 20pt)
--------------

1. You need to write the buffer overflow code now. You may find that the buffer overflow exploit code (as provided in Task 1) is not specific to imapd. It can be used (with a different offset) for many different programs. Why bother to write your own code? The issue is that although some programs don't check the length of input data, they do filter some characters in the incoming buffer, which prevents some of the exploit opcodes from being used. For instance, the byte code in the imapd exploit is already designed to avoid any lower case characters.

2. Similarly, a program can have a preference for lower case letters instead. We have a vulnerable server which simply calls tolower() for all capitalized characters. Does the classical code work? Hack it if that is not the case. Otherwise, report the offset you have found.

3. The server is running on port 6500 of H1. The source code is available at /home/servers/lowstr/ from the same terminal.

4. If you want to work outside the lab, you can *only* use a Linux box on x86.

---------------
What to submit:
---------------

1. A report containing answers to 1.3, 1.4, 1.5, 2.2, (3.2). The report should be named README.

2. Bro script(s) or snort rule(s) for 2.1.

3. Source code (which should contain both the disassembled instructions as well as the byte codes somewhere) for 3.2. Specify build instructions and usage in README.

4. Tar and gzip items 1 to 3 and send the tarball to the TA's email address (yian@cc.gatech.edu) by March 30.

---------------
Grading:
---------------

As a convention, we will use a 100 point system for this lab. It will be converted into the final score accordingly. Individual points have been shown above.

---------------
Time Assignment:
---------------

Again, you should register no more than two time slots in advance. You can also work, without registration, at night or on weekends, but you need to resolve possible conflicts or other issues by yourself. Write to the TA if you have any difficulties with this. The first available day is Tuesday, March 19.
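For Task 2.2, the following is an added illustration (not part of the assignment, not a snort or bro rule) of three signature schemes applied to IMAP client lines like those sent to port 143: an argument-length threshold, a NOP-sled pattern, and a fixed shellcode string. The threshold, the patterns, the generic IMAP line regex and the sample session are all constructed assumptions; each scheme's comment notes the limitation a report should discuss.

```python
import re

# Constructed thresholds and patterns (assumptions, not taken from the assignment):
MAX_ARG_LEN = 256                       # scheme 1: any command argument longer than this
NOP_SLED = re.compile(rb"\x90{32,}")    # scheme 2: run of at least 32 x86 NOP (0x90) bytes
SHELL_STR = re.compile(rb"/bin/sh")     # scheme 3: shell path string embedded in a payload
# Generic IMAP client line: <tag> <command> [arguments]
IMAP_CMD = re.compile(rb"^(?P<tag>\S+) (?P<cmd>[A-Za-z]+)(?: (?P<args>.*))?$", re.DOTALL)


def classify(line: bytes) -> list:
    """Names of the signature schemes that fire on one client line (empty = clean)."""
    body = line.rstrip(b"\r\n")
    m = IMAP_CMD.match(body)
    args = (m.group("args") or b"") if m else body
    hits = []
    # Length signature: catches unknown payloads, but false-positives on long legitimate literals.
    if len(args) > MAX_ARG_LEN:
        hits.append("long-argument")
    # NOP-sled signature: precise for the classic sled, misses sleds built from other one-byte opcodes.
    if NOP_SLED.search(body):
        hits.append("nop-sled")
    # String signature: cheap, but defeated by encoded or split strings.
    if SHELL_STR.search(body):
        hits.append("bin-sh-string")
    return hits


def scan(lines) -> list:
    """(line index, fired schemes) for every line that trips at least one signature."""
    out = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample session: two benign commands and one overlong payload line.
SAMPLE = [
    b"a001 LOGIN alice secret\r\n",
    b"a002 SELECT INBOX\r\n",
    b"a003 LOGIN " + b"\x90" * 300 + b"/bin/sh" + b"\r\n",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE):
        print(idx, hits)
```

Only the third sample line fires, and it trips all three schemes; a payload that avoids 0x90 and encodes its strings would only be caught by the length scheme, which is the trade-off the report should weigh.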