Description
Purpose
The purpose of this assignment is to test your understanding of memory corruption vulnerabilities and
familiarize you with bug hunting in both C source code and binary code. You will learn how to find
memory corruption vulnerabilities in C source code and binary code and derive input that is required
to trigger the vulnerability and crash the program.
Objectives
Learners will be able to:
● Read the source code of programs when their source code is available.
● Comprehend the decompiled code of binary programs when their source code is not available.
● Determine which input that can be used to trigger the vulnerability and lead the program to
crash.
● Reverse engineer simple binary programs.
Technology Requirements
All provided source code files are intended to be compiled under Linux (tested under Ubuntu 20.04
LTS). You are strongly encouraged to have the exact same environment as the test environment. If
you are using Windows or MacOS, please follow the instructor’s directions (provided in their Live
Event or in a course announcement) and install a virtual machine on your system. You can get
VMware for free as an ASU student (strongly recommended).
Assignment Description
For this assignment, you will get a tarball called `collection.tar.gz`. Inside the tarball, you will find
multiple programs, each in its own directory named after the name of the program (`p_N` where N is
an integer). Some programs are shipped with source code, while other programs are binary-only
CSE 543
Finding Crashes Assignment 1
(without any source code). Each program takes input from stdin, operates on the input, and either
exits gracefully or prints out some output before exiting.
Your goal is to do “bug hunting” on each program, find vulnerabilities that can lead to crashes, reason
about the input that will trigger the vulnerabilities you found, and then submit your input.
For each program, if source code is available, you are supposed to read its source code and find
vulnerabilities. If only binary code is available, you are supposed to use a decompiler (such as angr
management or Ghidra, which have been pre-installed for you in the pwn.college challenge
environment) to derive the pseudo code, read the pseudo code, and find vulnerabilities. While reading
disassembly is not necessary, you may find disassembly to be more useful than decompiled code at
times.
Your submission should include exactly *one* file for each program, named after the program name
(`p_N` where N is an integer), that will act as input through stdin for each program. You will score as
long as your input crashes the program.
Bonus: Control-flow hijacking is possible in some of these programs. If you can achieve control-flow
hijacking and make the program print out “Great Job” before _exiting gracefully_ (i.e., exiting with
return code 0), your score of that program will double.
Directions
Technology Setup Reminder
If you have not already joined the course’s pwn.college, please review the setup directions in Module
0: Welcome and Start Here of your course to properly gain access and start your work.
Accessing the Environment
1. Navigate to https://pwn.college.
2. Click “Login” in the upper right corner of the screen and enter your account credentials.
a. Click “Forgot your password?” if you have trouble logging in.
3. Navigate to “Dojos”, second option from the left at the top of the screen.
4. Under “Courses”, select “CSE 543 – Session X Year”.
5. Under “Modules”, select “Finding Crashes Assignment”.
CSE 543
Finding Crashes Assignment 2
6. Under “Challenges”, click on a level, read the details, and then click “Start” when you are
ready to work.
a. Optional: use “Practice” to help you work through the level with assistance.
7. You will see two challenges (hence, two flags) per level, one for crashing the challenge, and
the other for hijacking the control flow (which is the bonus). Please work on each of them to get
your flags.
Directions
For programs with source code available, you may use any text editor to read the source code, find
the bugs, and trigger crashes. Visual Studio Code is strongly recommended, although other text
editors work as well.
For programs without source code provided, please use a binary analysis tool, such as Ghidra, to
analyze and decompile the binaries directly.
Remember that not all levels can be crashed. Sometimes a level can be crashed, but the control flow
cannot be hijacked.
Submission Directions for Assignment Deliverables
You are given an unlimited number of attempts to submit your best work. The number of attempts is
given to anticipate any submission errors you may have in regards to properly submitting your best
work within the deadline (e.g., accidentally submitting the wrong paper). It is not meant for you to
receive multiple rounds of feedback and then one (1) final submission. Only your most recent
submission will be assessed.
There are two levels for each challenge: One for crashing the program, and the other for hijacking the
control flow. You can run /challenge/verify.py in the pwn.college environment to verify your input for
each level, and get a flag if you manage to crash the program or hijack the control flow and make the
program print out “Great job” to stdout.
You must complete your Pwn Them All Assignment deliverables in pwn.college and then submit the
deliverables in its submission space in the course. Carefully review submission directions
outlined in the overview document in order to correctly earn credit for your work. Learners may not
email or use other means to submit any assignment or project for review, including feedback, and
grading.
The Finding Crashes Assignment includes two (2) deliverables:
CSE 543
Finding Crashes Assignment 3
● Program Files: Exactly one (1) file for each program.
○ Each of the files in the ZIP should be named after the program name (`p_N` where N is
an integer).
File `p_N` will be the input for program p_N.
● Report: A document (DOC, DOCX, or PDF) with two to three (2-3) lines of an explanation on
how you solved each level.
○ Please include your name, course title, and date with your writing.
○ Your file should be titled using the format: “Last Name_First Name_CSE543_Finding
Crashes Assignment.”
Making File Submissions in Canvas
Before submitting, confirm that your deliverables follow the requirements for the project, and then
submit your work in the designated submission space in the course. Your submission will be reviewed
by the course team before finalizing your assignment grade.
1. In your course, go to Submission: Finding Crashes Assignment.
2. Click Start Assignment.
3. Click Choose File.
4. Locate and select one (1) deliverable file from your device.
5. If needed, click +Add Another File and repeat Steps 3 and 4 until all deliverables are added.
6. Select the agreement and then click Submit Assignment.
7. (If needed and allowed) To resubmit files:
a. Return to the Canvas submission space, click New Attempt, and repeat the process
from Step 3.
Evaluation
Your submission will be automatically graded in the challenge environment. As you complete each
challenge, you will receive a score in pwn.college. Scores will automatically populate to the course
after completion or after the due date passes.
Completing at least 50% of the challenges in pwn.college will earn you the maximum number of
points for the corresponding assignment in Canvas. For learning purposes, please attempt to
CSE 543
Finding Crashes Assignment 4
complete all the challenges available. Please refer to the Grade Breakdown in the syllabus PDF and
the assignment submission space in Canvas so you know how many points each assignment is
worth.
Your deliverables will be reviewed by the course team before finalizing your assignment grade. No
credit will be given for missing or incorrect submissions.
Review the course syllabus for details regarding late penalties.
● You will earn 5% credit for each crash.
● You will earn another 5% credit if your submission manages to hijack the control flow, make the
program print out “Great job” to stdout, and exit with an exit code 0.
● You will not earn credit for missing crashes and hijacks.