Wargame Spec

Wargame 1 & 2 - Buffer Overflows & Format Strings README

The following wargames will provide you with exercises where you will be required to reverse the binary, figure out the vulnerability and write an exploit.

Please use the techniques learned in the lectures to exploit the challenges provided. These challenges closely mimic those that will be present in your midsem and final exam. If you are able to complete the challenges, you should be fine with the practical assessments in class (the exams).

Provided in this assignment are the following:

Notes on the challenges

The challenges are listed below. Please see the Due dates section for the due date of each challenge. For challenges without source code, you are expected to reverse the binary to find the vulnerability. We have included the source for the first few challenges as a gentle introduction to COMP6447.

Each challenge is listening on the listed port and contains a flag file at /flag. A successful exploit script should be able to automatically print out the contents of this file, or execute a shell.

All challenges have ASLR disabled.

| ref number | Challenge | Challenge Name | Wargame   | Port | Source |
|------------|-----------|----------------|-----------|------|--------|
| 0          | buffer-1  | jump           | Wargame 1 | 5001 | yes    |
| 1          | buffer-2  | blind          | Wargame 1 | 5002 | yes    |
| 2          | buffer-3  | runner         | Wargame 1 | 5003 | yes    |
| 3          | buffer-4  | shellz         | Wargame 1 | 5004 | no     |
| 4          | canary-1  | elitecanary    | Wargame 1 | 6001 | no     |
| 5          | canary-2  | shellcrack     | Wargame 1 | 6002 | no     |
| 6          | canary-3  | stackdump      | Wargame 1 | 6003 | no     |
| 7          | format-1  | lots           | Wargame 2 | 7001 | no     |
| 8          | format-2  | formatrix      | Wargame 2 | 7002 | no     |
| 9          | format-3  | sploitwarz     | Wargame 2 | 7003 | no     |

Notes on the VM

The VM is configured to automatically start hosting each of the challenges on their listed ports, and to automatically connect to the network via DHCP.

Credentials to login: comp6447/comp6447

Due dates

The challenges will not all be due at the same time. We have given you the first two sets of wargames to provide you with enough range of challenges to practice for the midsem exam.

| Wargame   | Challenges          | Due date                           |
|-----------|---------------------|------------------------------------|
| Wargame 1 | 0, 1, 2, 3, 4, 5, 6 | 20th August (Date of Midsem Exam)  |
| Wargame 2 | 7, 8, 9             | 31st August (Census Date)          |

Marking

As per the course outline, all the wargames collectively will be worth 20% of your final mark. Hence each wargame set will be worth 5%.

The challenges in each wargame set are all weighted equally.

The marking criteria per week are as follows:

  • 1 mark for following instructions
  • 4 marks for wargames and writeups.

Submission Instructions

A markdown document (.md) containing the following for each challenge:

We are interested in proof that you understood the challenge, the vulnerabilities and how to exploit them. This is not intended as a formal bug report.

Example-1
===========================

General overview of problems faced
-------------------------------------
Had to research how to overwrite the return address

List of vulnerabilities
--------------------
1. The input for the user's name can overflow a fixed buffer on the stack

Steps to exploit
------------------
1. Enter a name exactly 100 bytes long, to overflow the buffer to the return address, and then append the address of the win function (0x15141312)

Script/Command used
------------------
```
python -c 'print(("A"*100)+"\x12\x13\x14\x15")' | nc 127.0.0.1 3000
```
Example-2...
=============
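The example write-up above describes the bug class these wargames target: user input copied into a fixed-size stack buffer with no length check. The C program below is an added illustration (not code from the course or from any of the challenge binaries) that places the vulnerable pattern beside its hardened form so the two are easy to compare in a write-up. The buffer size `NAME_LEN`, the function names and the inputs are all assumptions chosen to match the 100-byte name in the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer, matching the example write-up. */
#define NAME_LEN 100

/* Vulnerable pattern (illustrative, not any challenge's code): the name is
 * copied into a fixed-size stack buffer with no bound, so a name of NAME_LEN
 * bytes or more runs past the buffer into whatever the compiler placed after
 * it on the stack. Never call this with untrusted input. */
void greet_unsafe(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);   /* writes strlen(name) + 1 bytes, regardless of NAME_LEN */
    printf("Hello, %s\n", buf);
}

/* Hardened form: copy at most NAME_LEN - 1 bytes and always NUL-terminate.
 * Returns 1 if the whole name fitted, 0 if it had to be truncated, so the
 * caller can log or reject over-long input rather than silently accepting it. */
int greet_safe(const char *name) {
    char buf[NAME_LEN];
    size_t len = strlen(name);
    int fitted = len < NAME_LEN;
    size_t n = fitted ? len : NAME_LEN - 1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    printf("Hello, %s\n", buf);
    return fitted;
}

/* Does a name of payload_len bytes overrun the buffer under the unsafe copy?
 * The +1 accounts for the terminating NUL that strcpy writes. */
int would_overflow(size_t payload_len) {
    return payload_len + 1 > NAME_LEN;
}

/* Helper for checking the hardened path with a constructed name of
 * `len` 'A' bytes (capped so the helper's own buffer cannot overflow). */
int safe_accepts_len(size_t len) {
    char tmp[NAME_LEN + 64];
    if (len > sizeof tmp - 1) {
        len = sizeof tmp - 1;
    }
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return greet_safe(tmp);
}

int main(void) {
    /* Constructed sample inputs: one that fits and one that is too long. */
    printf("99-byte name overflows unsafe copy?  %d\n", would_overflow(99));
    printf("100-byte name overflows unsafe copy? %d\n", would_overflow(100));
    printf("hardened copy accepted 99 bytes:  %d\n", safe_accepts_len(99));
    printf("hardened copy accepted 100 bytes: %d\n", safe_accepts_len(100));
    /* greet_unsafe is deliberately not exercised with the long input. */
    return 0;
}
```

In a write-up, naming the unbounded copy and the size of the buffer it lands in (here a `strcpy` into 100 bytes) is exactly the "list of vulnerabilities" entry the example asks for; the bounded copy with an explicit NUL terminator is the fix a reviewer would expect to see suggested.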

Please submit the document as a markdown file on give. You may submit as many times as you like. Only your most recent submission will be marked.

Submission for Wargame 1

give cs6447 war1 war1.md

Submission for Wargame 2

give cs6447 war2 war2.md

Late submissions incur a 0.5 mark penalty per day on the maximum possible mark you can get. E.g. if you submit 4 days late and your raw mark is 2/5, then you will still receive 2/5. If you submit 4 days late and your raw mark is 5/5, your adjusted mark will be 3/5.

Resource created Monday 06 August 2018, 05:49:48 PM, last modified Sunday 02 September 2018, 01:17:10 PM.

COMP6447 18s2 (System and Software Security Assessment)