RUXCON 2004 Exploit Development Competition Guidelines

1 - Introduction
----------------

This year's exploit development competition has been put online prior to
RUXCON 2004 to allow attendees to get a head start before the conference.
The first four levels are available for download on the RUXCON website [1]
in tar / gunzip file format. Source code to all levels (with the exception
of two levels released as Linux ELF binaries) will be available at RUXCON
2004 and will also be put online after the conference.

The levels demonstrate a range of vulnerabilities from very simple to fairly
difficult. There may be bugs and poor programming practices intentionally
present in some levels. Also, some levels have been re-used from RUXCON 2003.

2 - Judging submissions
-----------------------

Solutions submitted at RUXCON 2004 will be judged by a small group of staff.
Judging of levels will be based on three main points. These are:

1) exploit code
2) description of the bug(s)
3) solution / patch

The exploit should be written in C and it should successfully exploit the
vulnerability to spawn a shell.

Extra credit will be awarded for point 1 to submissions demonstrating
advanced techniques and knowledge in their exploit code.

Extra credit will be awarded for point 2 to submissions providing in-depth
and specific details of the vulnerability present (e.g. exploitation
limitations for a specific operating system and architecture).

To achieve full credit for point 3 you must supply a patch resolving all
bugs for the level.

Once the competition is closed and we're no longer accepting submissions at
RUXCON, staff will judge participants' submissions. The individual with the
most credit will be rewarded with some cool prizes for their efforts!

3 - Entry Requirements
----------------------

To participate and be eligible for prizes you'll need to use your own
Unix-like system, as we won't be providing shell access this year for
entrants.

We only want submissions specific to the x86 architecture and for either
Debian Linux 3.0 or FreeBSD Current. Submissions not matching these criteria
have a good chance of being discarded.

4 - Making Submissions
----------------------

If you're attending RUXCON 2004 you are encouraged to use the submission
template available on the website [1]. The template has all of the fields
required for staff to properly judge submissions on the day. For the fields
'System info' and 'Gcc version' please show the output of the commands
'uname -mrs' and 'gcc -dumpversion' on the system you're using for the
competition.

Once the Exploit Development competition is announced at RUXCON, attendees
wishing to participate will be required to register their interest with
staff. Once registered you will receive the necessary information on how to
submit solutions for levels (which will require network connectivity to
RUXLAN).

If you're not attending the conference you're still welcome to attempt our
levels to test or advance your knowledge of exploit development.

5 - Contact Info
----------------

If you have any enquiries, suggestions, or positive feedback, e-mail
xcomp ruxcon org au.

Have fun and good luck!

RUXCON Staff
staff-con ruxcon org au

[1] http://www.ruxcon.org.au/xcomp/