CS 578 :: Spring 2025 :: Cyber-Security



Important Dates
  • Out: 04.02.2025 09:00 AM PT
  • Due: 04.16.2025 11:59 PM PT
Homework Overview

The learning objective of this homework is for you to understand the basics of network traffic and packet analysis. You will be required to capture DNS and HTTP/HTTPS packets using Wireshark and analyze them.

Initial Setup

To begin with, you are required to install Wireshark. You need to have access to a computer that supports both Wireshark and the libpcap library. Wireshark is available for Windows, macOS, and Linux. You can download the latest version from the official website [link]. Your operating system (OS) may already have the libpcap software installed. If you face an issue with the libpcap library, you can install it as follows, depending on your OS:

  • Windows: You can install WinPcap or Npcap [link].
  • Linux or macOS: You can install libpcap [link].

Running Wireshark
When you run the Wireshark program, the Wireshark GUI shown in this figure (on Mac) will be displayed. Initially, you can see the list of network interfaces on your computer, and a time-series diagram of the packets coming in and going out from the interface will be shown.

Now you are ready to do a test drive!
  • Step 1: Start Wireshark and select the network interface (e.g., eth0) you want to capture packets from. You can do this by clicking on the Capture menu and selecting Options.
  • Step 2: Click on the Start button to begin capturing packets. You should see packets being displayed in the packet-listing window.
  • Step 3: To filter the captured packets, enter a protocol name or other criteria in the packet-display filter field. For example, you can enter http to display only HTTP packets, as shown in this figure.
  • Step 4: To stop capturing packets, click on the Capture menu and select Stop. You can also click on the red square button in the toolbar.
  • Step 5: To save the captured packets, click on the File menu and select Save As. Choose a location and file name to save the captured packets.
  • Step 6: To analyze the captured packets, select a packet in the packet-listing window. The details of the selected packet will be displayed in the packet-header details window and the packet-contents window.
  • Step 7: You can expand or minimize the details of the packet by clicking on the arrowhead to the left of the protocol name in the packet-header details window. This will show you more information about the packet, such as the source and destination IP addresses, port numbers, and protocol-specific information.

Task I: Trace DNS with Wireshark
Capture the DNS packets generated by ordinary Web-surfing activity. You will need to analyze the captured packets and answer the following questions:

  • Step 1: Use ipconfig (Windows) / ifconfig (Linux, Mac) to empty the DNS cache on your host.
  • Step 2: Open your browser and clear your browser cache. (For Internet Explorer, go to the Tools menu, select Internet Options, then in the General tab select Delete Files.)
  • Step 3: Open Wireshark and enter ip.addr == your_IP_address into the filter, where you obtain your IP address (the IP address for the computer running Wireshark) with ipconfig. This filter removes all packets that neither originate from nor are destined for your host.
  • Step 4: Start packet capture in Wireshark.
  • Step 5: With your browser, visit the Web page: https://www.google.com.
  • Step 6: Stop packet capture.
Now answer the following questions:

  1. What is the IP address of your computer?
  2. What is the IP address of the Google web server?
  3. How many DNS queries were generated by your web browser?
  4. How many DNS responses were received by your web browser?
  5. What is the port number used by your web browser to send the DNS query to the DNS server?
  6. What is the size of the DNS query packet sent from your web browser to the DNS server?
  7. What is the size of the DNS response packet sent from the DNS server to your browser?
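As an added illustration, not part of the assignment, the fields you will read off in Wireshark for questions 3 to 7 (the query/response flag, transaction id, question name, source port and datagram size) can be parsed straight from the wire format. The script below is example code written for this page; it parses a constructed DNS query and response wrapped in UDP headers (the sample bytes, ports and answer address are made up).

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 2-byte pointer, top bits 11
            if end is None:
                end = off + 2                        # resume here after the jump
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_dns(msg):
    """Return the header bits plus question and answer sections of a DNS message."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:                # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": tid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def parse_udp(datagram):
    # UDP header: source port, destination port, total length, checksum (8 bytes)
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, length, datagram[8:length]

# Constructed sample: A query for www.google.com from port 54321 to port 53 and the
# matching response with one A record (TTL 300 s; the address is made up).
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x03www\x06google\x03com\x00\x00\x01\x00\x01")
RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
            b"\x03www\x06google\x03com\x00\x00\x01\x00\x01"
            b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x8e\xfa\x48\x04")
UDP_QUERY = struct.pack("!HHHH", 54321, 53, 8 + len(QUERY), 0) + QUERY
UDP_RESPONSE = struct.pack("!HHHH", 53, 54321, 8 + len(RESPONSE), 0) + RESPONSE
```

Running parse_udp followed by parse_dns on each datagram gives the port pair, the UDP length (what Wireshark reports as the datagram size) and whether the message is a query or a response, which is exactly how the counts in questions 3 and 4 are obtained.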
Task II: HTTP and HTTPS Protocols
Now we use Wireshark to capture HTTP and HTTPS packets. You will need to analyze the captured packets and answer the following questions:

  • Step 1: Use ipconfig (Windows) / ifconfig (Linux, Mac) to empty the DNS cache on your host.
  • Step 2: Open your browser and clear your browser cache. (For Internet Explorer, go to the Tools menu, select Internet Options, then in the General tab select Delete Files.)
  • Step 3: Open Wireshark and enter ip.addr == your_IP_address into the filter, where you obtain your IP address (the IP address for the computer running Wireshark) with ipconfig. This filter removes all packets that neither originate from nor are destined for your host.
  • Step 4: Start packet capture in Wireshark.
  • Step 5: With your browser, visit the website: http://relaxedgoodglowingmagic.neverssl.com/online/.
  • Step 6: Stop packet capture.
  • Step 7: Repeat Steps 4-6 with the website: https://relaxedgoodglowingmagic.neverssl.com/online/.
Now answer the following questions:

  • HTTP website:
    1. What is the IP address of your computer?
    2. What is the IP address of the HTTP website?
    3. What version of HTTP is the website running?
    4. What is the status code returned from the website to your browser?
    5. What is the port number used by your browser to send the HTTP request to the HTTP website?
    6. What is the port number used by the HTTP website to send the HTTP response to your web browser?
    7. What is the size of the data in the HTTP response packet sent from the HTTP website to your browser?

  • HTTPS website:
    1. What is the IP address of your computer?
    2. What is the IP address of the HTTPS website?
    3. What version of TLS is the website running?
    4. What is the status code returned from the website to your browser?
    5. What is the port number used by your browser to send the HTTPS request to the HTTPS website?
    6. What is the port number used by the HTTPS website to send the HTTPS response to your web browser?
    7. What is the size of the data in the HTTPS response packet sent from the HTTPS website to your browser?

Submission Instructions
Use Canvas to submit your homework. You need to make a single compressed file (.tar.gz) that contains your write-up as a PDF file. Your PDF write-up should contain the following things:

  • Task I (5 pts)
    • Your answer to the 7 questions above.
    • Your analysis: provide 2-3 sentences explaining why you see the results.
  • Task II (10 pts)
    • Your answer to the 14 questions above.
    • Your analysis: provide 2-3 sentences explaining why you see the results.

Important Dates
  • Out: 04.16.2025 09:00 AM PT
  • Due: 04.28.2025 11:59 PM PT
Homework Overview

The learning objectives of this homework are for students to gain hands-on experience with buffer overflow attacks. These attacks exploit a buffer overrun vulnerability in a program, causing it to bypass its usual execution sequence and instead jump to alternative code (typically launching a shell!). The attack overflows the vulnerable buffer to introduce the alternative code onto the stack and modifies the return address to point to that code.

Initial Setup

To begin, you are required to use a Linux machine with sudo privileges. You should not complete this homework on a shared server or any OSU computing clusters. If you perform a buffer overflow attack in these shared environments, you will be responsible for any consequences, and the instructor will not be liable. Note that you cannot run this on a Mac or Windows laptop. While these systems support command-line environments, they do not allow you to execute buffer overflow attacks. If you do not have a Linux machine, the instructor recommends creating a virtual machine using commodity virtualization software, such as VMware.

One way to bypass the configuration hassles is to set up your own server using a popular cloud provider, Amazon Web Services (AWS). To do this, sign up for AWS, go to the AWS Console, and select EC2. Then, launch an instance, choosing the operating system Ubuntu 22.04 and the instance type t2.micro (which is eligible for the free tier). You will also need to configure an SSH key and a Security Group. Once completed, you can find the server's IP address in the console. Use that IP to log in to the cloud server via your terminal.


    $ ssh -i "your-aws-key" ubuntu@"your-server-ip"
To run the code provided by the instructor, you will need to install a few packages, as listed below. Note that you may need to install more packages. In such cases, you can search for the error message shown in the terminal and find the answer.

    $ sudo apt install cmake gcc g++ gdb
    $ sudo apt install gcc-multilib    # needed for the -m32 (32-bit) build in Task I on a 64-bit Ubuntu
    $ sudo apt install vim             # vim-enhanced is the Fedora/RHEL package name; on Ubuntu it is vim
    $ sudo apt install python3
Many countermeasures, such as ASLR, have been developed to address buffer overflow vulnerabilities. Circumventing these defenses is not as easy as it may seem, so we will disable them for this homework assignment. You can do so by following these steps:

    $ sudo -i
    # sysctl -w kernel.randomize_va_space=0    # disables ASLR until the next reboot
    # exit                                     # leave the root shell; the assignment is done as a normal user
[Important Note] Once you complete the homework, be sure to turn off and delete the cloud server to avoid being charged.

Task I: Access the (In-)accessible
Create a makefile, Makefile:

    $ vim Makefile
    // paste the content below
    CC=gcc
    CFLAGS=-g -fno-stack-protector

    # the recipe line under "all:" must begin with a TAB character, not spaces, or make will reject it
    all: bof.c
    	$(CC) -m32 -o bof bof.c $(CFLAGS)
Create a vulnerable file bof.c, as follows:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char *trueflag = "cs578{trueflag}";
    char *fakeflag = "cs578{fakeflag}";

    void
    shell(void) {
        setregid(getegid(), getegid());
        system("/bin/bash");
    }

    void
    process_user_input(void) {
        char *flag;
        char buff[12];
        char data[128];

        // set the fake flag
        flag = fakeflag;

        // print the memory locations
        printf("Your flag address is at %p\n", trueflag);
        printf("Your fakeflag is at %p\n", fakeflag);
        printf("Address of shell is at %p\n", &shell);
        printf("Currently, the flag variable has the value %p\n", flag);
        fgets(data, sizeof(data), stdin);

        // copy the content directly to the buffer: the bound is the length of the
        // input (up to 127 bytes), not sizeof(buff), so the copy overruns buff.
        // This is the intended vulnerability of the assignment.
        strncpy(buff, data, strlen(data));

        printf("Your input was: [%s]\n", buff);
        printf("Your flag address is at %p\n", flag);
        printf("Your flag is %s\n", flag);
    }

    int
    main(void) {
        setvbuf(stdin, NULL, _IONBF, 0);
        setvbuf(stdout, NULL, _IONBF, 0);
        process_user_input();
        return 0;
    }
You can now compile the bof.c file by running the make command. Once compiled, you are ready to exploit the buffer overflow vulnerability. By default, the code will print out the flag cs578{fakeflag}. Your job is to exploit the buffer overflow and force it to print out cs578{trueflag}.
Task II: Run Malicious Code
Now that you are familiar with buffer overflow exploitation, the instructor has prepared a fun task for you—running an arbitrary function that the program cannot execute normally. In this case, the function is the bash shell! (wait what?) Use the exact same program that the instructor provided above and work hard to get a shell.

Tip: Python "print" may not work in some cases, e.g., it could add some termination characters like \x00. Please look for some other ways to write the address to the buffer. The instructor will not respond to any questions regarding this tip; it is part of the homework assignment.
Submission Instructions
Use Canvas to submit your homework. You need to make a single compressed file (.tar.gz, .tar or .zip) that contains your write-up as a PDF file. Your PDF write-up should contain the following:

  • Task I (6 pts)
    • You need to provide a screenshot of your terminal showing the command and its output.
    • You also need to provide a detailed explanation of how you exploit the buffer overrun to obtain the trueflag.
  • Task II (9 pts)
    • You need to provide a screenshot of your terminal showing the command and its output.
    • You also need to provide a detailed explanation of how you exploit the buffer overrun to obtain the bash shell.

To be announced soon.
To be announced soon.