Format-String Vulnerability Lab
SEED Lab: A Hands-on Lab for Security Education
Overview
The learning objective of this lab is for students to gain the first-hand experience on format-string vulnerability by putting what they have learned about the vulnerability from class into actions. The format-string vulnerability is caused by code like printf(user_input), where the contents of variable of user_input is provided by users. When this program is running with privileges (e.g., Set-UID program), this printf statement becomes dangerous, because it can lead to one of the following consequences: (1) crash the program, (2) read from an arbitrary memory place, and (3) modify the values of in an arbitrary memory place. The last consequence is very dangerous because it can allow users to modify internal variables of a privileged program, and thus change the behavior of the program.
In this lab, students will be given a program with a format-string vulnerability; their task is to develop a scheme to exploit the vulnerability. In addition to the attacks, students will be guided to walk through a protection scheme that can be used to defeat this type of attacks. Students need to evaluate whether the scheme work or not and explain why.
Lab Tasks
- VM version: This lab has been tested on our pre-built SEEDUbuntu16.04 VM.
Recommended Time
- Supervised situation (e.g. a closely-guided lab session):
- Unsupervised situation (e.g. take-home project):
Last Update (New)
- The lab was last updated on January 12, 2020.
- Instructors now need to specify the value for a constant. This will make it difficult for students to reuse the solutions from the past.
Videos (New)
- This topic is covered in my Udemy course: Computer Security: A Hands-on Approach.
Files that are Needed
- The vulnerable server program: server.c
- A sample Python code on how to construct strings: build_string.py
- The skeleton exploit code (sample shellcode is included): exploit.py
Suggested Reading
- SEED Book by Wenliang Du
(Book website)
(Chinese version)