
Date: 2022-03-19 02:29

IY2840 – Coursework 2

Deadline: 10:00am, 25th March 2022

This coursework is aimed to have you reflect on attacks and their mitigations. To get started, it is important that you review the lecture material and the course text. You are also expected to investigate online and/or library resources. We are not after essays in this coursework. We are after concise and succinct responses to each question, and suggest using bullet points and sketches where appropriate. Please make sure that any resource you use is suitably acknowledged, as submissions are routinely checked for plagiarism. You are free to choose the referencing style.

The total number of marks in this coursework is 100. This is a blind submission, and submissions are to be uploaded in PDF format on Moodle. The PDF file should contain all screenshots and source code requested. Specifics for these are indicated with blue underlined text. Do not include screenshots or source code as separate files. This coursework counts for 20% of your grade on this module.

It is recommended that you use the SEEDLab VMs to perform any tasks required for this coursework.

Question 1: Linux and Application Security

(a) An organisation is running a service to welcome its agents by printing a greeting message along with their name on their terminal screen. The developer in this organisation has created the C program (vulnerable-prog.c) to implement this service on the Ubuntu 32-bit Linux server, and you are asked to compile the program and manage its permissions in the operating system.

i. [3 marks] Compile the vulnerable-prog.c file using gcc, but you have to disable the stack-smashing protection and enable the executable stack to be able to solve the subsequent questions. Then, run the program and provide a terminal screenshot of the outcome in your report.

ii. [2 marks] The compiled program (file) has to be a root-owned Set-UID program. Provide the commands you would execute to achieve this. Show the program file permissions in a terminal screenshot in your report.

(b) A cyber security team in the organisation has discovered that the previous program (vulnerable-prog.c) is vulnerable to a stack-based buffer overflow. As a pentester, you have been assigned to perform a penetration test to check if this vulnerability is exploitable in the system. You need to prepare the payload and exploit which will be used for spawning a shell with root permission. You have an exploit file (exploit.c), but this source-code file is missing some statements.

i. [15 marks] Fix the exploit.c file by completing the missing parts of this file. Replace all instances of “?” with the appropriate instructions or values to be able to compile and run the exploit program. Beforehand, you will need to understand the buffer-overflow exploit program and how the shell code is injected to achieve a successful attack [Hint: you may need to review the stack frame layout]. You may need to turn off the buffer-overflow countermeasure features while compiling and running the program (i.e. kernel.randomize_va_space = 0). Provide the amended exploit.c code with your changes highlighted in your PDF.

ii. [3 marks] Briefly explain and justify the entire program after fixing it and provide a screenshot of the execution output in your PDF.

(c) [12 marks] Briefly explain three countermeasures used in Linux to prevent stack-overflow attacks. Include in your answer how to enable them or how to check if they are already enabled.
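The three countermeasures this part refers to are the ones the rest of Question 1 switches off: the gcc stack protector (canary), the non-executable stack, and kernel ASLR (kernel.randomize_va_space). The script below is an added example, not part of the coursework handout, showing how to check each one: it reads the ASLR level from /proc/sys/kernel/randomize_va_space (the same value `sysctl kernel.randomize_va_space` prints), and it parses `readelf` output for the `__stack_chk_fail` symbol and the PT_GNU_STACK flags. The readelf fragments embedded at the bottom are constructed samples standing in for a lab build and a default build.

```python
"""Check whether the three Linux stack-overflow countermeasures are active.

Added example (not part of the coursework handout). The live checks read
/proc and run readelf; the sample readelf fragments below are constructed."""
import re
import shutil
import subprocess
from pathlib import Path

ASLR_LEVELS = {
    0: "disabled",
    1: "stack, mmap base, VDSO and shared libraries randomised",
    2: "full: also randomises the brk-based heap",
}

def aslr_level(text):
    """Parse '2', or 'kernel.randomize_va_space = 2' as printed by sysctl, to an int."""
    m = re.search(r"(\d)$", text.strip())
    if not m:
        raise ValueError("unrecognised randomize_va_space value: %r" % text)
    return int(m.group(1))

def read_aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """Live check on a Linux host; raises OSError where /proc is absent."""
    return aslr_level(Path(path).read_text())

def has_stack_protector(symbols_text):
    """gcc -fstack-protector plants a canary whose failure path calls
    __stack_chk_fail; seeing that symbol in `readelf -sW prog` (or `nm prog`)
    shows the canary is compiled in. -fno-stack-protector removes it."""
    return "__stack_chk_fail" in symbols_text

def stack_is_executable(program_headers_text):
    """Read the PT_GNU_STACK entry of `readelf -lW prog`. Flags 'RWE' mean an
    executable stack (gcc -z execstack); 'RW' means non-executable. A binary
    with no GNU_STACK header is historically loaded with an executable stack,
    so that case is reported as executable as well."""
    for line in program_headers_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "GNU_STACK":
            # columns: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
            return "E" in fields[6]
    return True

def check_binary(path):
    """Run readelf on a real ELF file and report the two binary-level findings."""
    if shutil.which("readelf") is None:
        raise RuntimeError("readelf (binutils) is not installed")
    phdrs = subprocess.run(["readelf", "-lW", path], capture_output=True, text=True, check=True).stdout
    syms = subprocess.run(["readelf", "-sW", path], capture_output=True, text=True, check=True).stdout
    return {"stack_protector": has_stack_protector(syms), "executable_stack": stack_is_executable(phdrs)}

# Constructed readelf fragments: one for a binary built the way part (a)(i)
# asks (no canary, executable stack) and one for a default hardened build.
SAMPLE_PHDRS_EXECSTACK = """\
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x00754 0x00754 R E 0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
"""
SAMPLE_PHDRS_NX = """\
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x00754 0x00754 R E 0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
"""
SAMPLE_SYMS_PROTECTED = """\
Symbol table '.dynsym' contains 6 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.0 (3)
"""
SAMPLE_SYMS_UNPROTECTED = """\
Symbol table '.dynsym' contains 5 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.0 (3)
"""

def demo():
    """Evaluate the constructed samples with the same functions check_binary() uses."""
    return {
        "lab_build": {"stack_protector": has_stack_protector(SAMPLE_SYMS_UNPROTECTED),
                      "executable_stack": stack_is_executable(SAMPLE_PHDRS_EXECSTACK)},
        "default_build": {"stack_protector": has_stack_protector(SAMPLE_SYMS_PROTECTED),
                          "executable_stack": stack_is_executable(SAMPLE_PHDRS_NX)},
        "aslr_off": ASLR_LEVELS[aslr_level("kernel.randomize_va_space = 0")],
        "aslr_full": ASLR_LEVELS[aslr_level("2\n")],
    }

if __name__ == "__main__":
    print(demo())
    try:
        print("live ASLR level:", read_aslr_level())
    except OSError:
        print("/proc/sys/kernel/randomize_va_space not available on this host")
```

On a SEED VM, `check_binary("./vulnerable-prog")` run against the binary from part (a)(i) should report no stack protector and an executable stack, while the same source built with gcc's defaults reports the opposite; the ASLR level is a kernel-wide setting, which is why it is read from /proc rather than from the binary.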

(d) [15 marks] Turn on the ASLR countermeasure (i.e. kernel.randomize_va_space = 2), which randomises the address space layout, and run the exploit program (the amended exploit.c file) again. Briefly explain the observation and provide a screenshot in your report. Then, write a program to defeat this countermeasure. The program should also include a feature to display the cost of defeating it, using the metric of either the actual time (hh:mm:ss) or the number of runs. Briefly explain the scripts and provide a screenshot of the output in your PDF. Include your source code in your PDF.

Note: In order to answer this part, you should have already solved part (b).

Question 2: Network Security

(a) A security analyst team has the capture1.pcap, capture2.pcap and capture3.pcap files, which are network traffic captures of different network segments. They need to identify potential attacks in these files. You are asked to assist them in their task by doing the following:

i. [15 marks] Examine these pcap files to determine the attacks within these files using Wireshark; keep in mind, each file has only one attack. Justify your answers, including the description of those identified attacks and some screenshots of parts in the traffic (the pcap files) which refer to the attacks, if necessary.

ii. [5 marks] It is important for security analysts to understand suspicious activity in pcap files. This is often done by reproducing attacks. Set up and execute the attack identified in capture3.pcap. Provide a screenshot of the network traffic caused by your attack in Wireshark.

Note: your pcap and the provided pcap files are not expected to be identical. You are not expected to reproduce the pcap content line by line, but it has to be the same attack.

Question 3: Web Security

A company owns a website which is utilised for managing the employee records of the company. This website is run on a webserver using the Python code provided (CW2WebServer.py). The webserver can be run on the SEEDLabs VM with the command python3 CW2WebServer.py. The webserver runs locally and can be accessed at localhost:8081. Be advised that when the webserver is restarted, it resets the database. In order to access the website resources, you need to have login credentials. However, this website is vulnerable to SQL injection (SQLi) and cross-site scripting (XSS) attacks. It is suggested you use two VMs; one as the web server and one as the attacker.

(a) [10 marks] How can an attacker bypass the website login without having access credentials? Assume there is an 'admin' user for this system. Justify your answer showing at least three different patterns of injections and provide screenshots in your PDF.
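The login bypass in part (a) exists because the submitted username and password are spliced into the SQL text. The following is an added example, not the coursework's CW2WebServer.py (which is not shown here): it puts the string-built login query beside a parameterised one so the two behaviours can be compared on the same input. The users table, its columns and the admin password are constructed assumptions, and the single injected input used is the textbook comment-out-the-rest form.

```python
"""Login query for an employee-records site: string-built (vulnerable) beside
parameterised (fixed).

Added example, not the coursework's CW2WebServer.py. The users table, its
columns and the stored admin password are constructed for this demo."""
import sqlite3

def make_db():
    """In-memory stand-in for the site's database (constructed content;
    passwords are stored in clear only to keep the schema minimal)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-pw')")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-alice-pw')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Splices the submitted strings into the SQL text. A single quote in the
    input ends the string literal, and whatever follows is parsed as SQL, so
    the password comparison can be commented away."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so
    quotes and comment markers in the input are just characters to compare."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run the same credentials through both query builders."""
    conn = make_db()
    injected = ("admin'--", "not-the-password")  # '--' starts an SQL comment
    return {
        "vulnerable_with_injection": login_vulnerable(conn, *injected),
        "fixed_with_injection": login_fixed(conn, *injected),
        "fixed_with_real_password": login_fixed(conn, "admin", "constructed-admin-pw"),
        "fixed_with_wrong_password": login_fixed(conn, "admin", "wrong"),
    }

if __name__ == "__main__":
    for name, who in demo().items():
        print("%-28s -> %s" % (name, who))
```

The vulnerable builder returns 'admin' for the injected input because the query it executes has lost its password clause; the parameterised builder returns nothing for the same input and still accepts the real password. Parameterisation is the fix to apply throughout CW2WebServer.py; input filtering alone is not.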

(b) On many websites, a session cookie approach is still widely used as a means to maintain a session of an authenticated user. This cookie is normally created once a user logs on to the website. Suppose that you have already compromised the admin password from the previous question.

i. [15 marks] Create an XSS attack to be able to persistently steal the cookies for the current admin sessions on the website, even if the admin changes the password and the SQL injection vulnerability is fixed for the website hereafter. As an attacker, you need to find out the sink where to inject the script which facilitates obtaining the cookie, and how to receive the cookie. Also, you may need to create a web server in your own virtual machine to capture the cookie. You will need to use the JavaScript/HTML method document.cookie to create a workable script for the attack; however, proposing some different alternatives of script methods is acceptable as long as these scripts are executable.

ii. [4 marks] Report the steps of the scenario and the stolen cookie. Provide screenshots of the outputs in your report. Include screenshots of the traffic capture in Wireshark indicating that you performed a successful attack.

iii. [1 mark] Can you identify the type of the XSS attack in this context?
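Two server-side decisions settle the scenario in part (b): whether stored record fields are rendered verbatim (the sink) and whether the session cookie is readable through document.cookie at all. The code below is an added example, not CW2WebServer.py (which the page does not show), so the record layout, the cookie name and the handler names are assumptions. It renders a constructed record with and without output encoding, issues the session cookie with and without HttpOnly, and models what document.cookie would return in each case.

```python
"""Stored-XSS sink and session-cookie issuance for an employee-records site.

Added example, not the coursework's CW2WebServer.py. Record layout, cookie
name and handler names are assumptions; the records are constructed."""
import html
import secrets

# Constructed records; the second name field carries markup of the kind a
# stored-XSS attacker would submit through the site's own forms.
RECORDS = [
    {"name": "Alice Example", "role": "Engineer"},
    {"name": "<script>/* constructed marker */</script>", "role": "Intern"},
]

def render_row_vulnerable(record):
    """Reflects stored fields verbatim: markup stored once runs in the browser
    of every admin who views the page, which is what makes it persistent."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (record["name"], record["role"])

def render_row_fixed(record):
    """Output-encodes each untrusted field for the HTML element context."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(record["name"], quote=True), html.escape(record["role"], quote=True))

def contains_script_tag(fragment):
    """Does the rendered HTML still contain a live <script tag?"""
    return "<script" in fragment.lower()

def session_cookie_header(session_id, httponly=True, secure=False):
    """Set-Cookie header for the logged-in admin. HttpOnly keeps the cookie out
    of document.cookie, the read the attack in part (b)(i) depends on."""
    attrs = ["session=%s" % session_id, "Path=/", "SameSite=Lax"]
    if httponly:
        attrs.append("HttpOnly")
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)

def visible_to_document_cookie(set_cookie_headers):
    """Model of what page script can read: every cookie set without HttpOnly,
    joined the way document.cookie presents them."""
    visible = []
    for header in set_cookie_headers:
        value = header.split(":", 1)[1].strip()
        parts = [p.strip() for p in value.split(";")]
        if not any(p.lower() == "httponly" for p in parts[1:]):
            visible.append(parts[0])
    return "; ".join(visible)

def demo():
    """Contrast the two renderers and the two cookie settings on the samples."""
    sid = secrets.token_urlsafe(32)
    headers = [session_cookie_header(sid), "Set-Cookie: theme=dark; Path=/"]
    return {
        "vulnerable_row_has_script": contains_script_tag(render_row_vulnerable(RECORDS[1])),
        "fixed_row_has_script": contains_script_tag(render_row_fixed(RECORDS[1])),
        "document_cookie": visible_to_document_cookie(headers),
        "session_id": sid,
    }

if __name__ == "__main__":
    print(demo())
```

HttpOnly closes the specific cookie read the question names but does not stop injected script from acting as the admin inside the page, so encoding at the sink is the fix that actually removes the stored XSS; HttpOnly is defence in depth on top of it.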

SK/GS March 2022


