CSE 127: Project

I made a one line change to the file rpc_server.c. This was an oversight -- forgot to do this when I check /etc/system. You may mount your attack using the new tar file or the original tar file; clearly state which one in your writeup.

Use the new binaries provided in the ../public/proj1 directory.

This is an attack / system understanding project. You will learn how Remote Procedure Calls (RPCs) are implemented, some networking basics, and of course have fun finding security vulnerabilities and then breaking in to the provided RPC system. Not all implementation bugs are of the buffer overflow variety.

You should get into groups of 3 to work on this assignment. If you're having troubles forming a group, go to the discussion board.

This is not an easy project, so be sure to get started on it early.

Your task is to read the code, understand how the RPC system works, and identify the security vulnerabilities (note plural) that exist in the code. Next, you should write an attack client which will exploit one or more of the identified vulnerabilities to take over the server process. The attack client should make the server print the string "Hello world" to its standard output.

You should turn in a tar file containing all the files in a subdirectory named rpc. Within the subdirectory, you should have a file README.txt which contains all of your writeup. In your writeup discuss all the security vulnerabilities you identified in the RPC system and the server code. (You may ignore the client files client.c and client2.c in your analysis.) The attacking client code should be in a file named attack.c. Modify the Makefile so that a binary named attack is built. You should not modify rpc.c, rpc.h, rpc_service.c, rpc_service.h, set_stack_offset.c, or net_redir.c -- you should omit these files in your tarball, as well as any executables or relocatable binaries. Points will be taken off for extraneous files.

Download the tar file containing the source code. Compile it using gmake on the ACS solaris machines.

You should pick a TCP port number greater than 1023 for your testing. Run the server with the command

set_stack_offset -- server -v -p 5141
to set a fixed stack offset with the server running in verbose mode, listening on port 5141. To run the client and have it talk to your server, run it like this:
net_redir -s 5141@localhost -d 3 -- client

Note that on many ACS machines, /etc/system has

        set noexec_user_stack=1
which makes it impossible to execute code from the stack segment.

This project is due March 8th.

[ search CSE | CSE | bsy's home page | links | webster | MRQE | google | yahoo | citeseer | certserver ]
picture of bsy

bsy+cse127w02@cs.ucsd.edu, last updated Mon Mar 25 15:22:11 PST 2002. Copyright 2002 Bennet Yee.
email bsy.

Don't make me hand over my privacy keys!