Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-06 [2020/11/14 18:29]
dennis.plosceanu [3. Extra: infoleak + stack canary bypass] renamed binary
+++ cns:labs:lab-06 [2020/11/16 11:01] (current)
dennis.plosceanu [T1. GCC stack protector [1p]]
@@ Line 125: / Line 125: @@
 All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]].
-==== T1. GCC stack protector [1p] ====
+==== T1. GCC stack protector ====
 Take a look at ''vulnerable.c'' in the [[http://elf.cs.pub.ro/oss/res/labs/lab-06.tar.gz|lab archive]]. We are interested in particular in the ''%%get_user_input%%'' function, which ''read''s from standard input into a local buffer more bytes than are available:
@@ Line 431: / Line 431: @@
 <code>
-$ python -c 'import sys; sys.stdout.write("ABCD")' | SHELLCODE="\x90\x90\x90\x90" ./vulnerable2 | xxd
+$ python -c 'import sys; sys.stdout.write("ABCD")' | SHELLCODE="\x90\x90\x90\x90" ./stackbleed | xxd
 00000000: 4142 4344 d90f d3ff 010a                 ABCD......
 </code>
@@ Line 451: / Line 451: @@
 <code>
 log.info("Canary is: 0x{:08x}".format(unpack(canary, 'all', endian='little', sign=False)))
+</code>
+Or, if you set the context properly (e.g. ''context.binary = "./stackbleed"''), you can skip the arguments to ''unpack'':
+<code>
+log.info("Canary is: 0x{:08x}".format(unpack(canary)))
 </code>
 </note>

Resources

cns/labs/lab-06.1605371392.txt.gz · Last modified: 2020/11/14 18:29 by dennis.plosceanu