Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-07 [2020/11/23 19:09]
mihai.dumitru2201
+++ cns:labs:lab-07 [2022/11/21 14:29] (current)
mihai.dumitru2201 [Basic Format String Attack]
@@ Line 37: / Line 37: @@
 We can test this using:
 <code>
-$ python -c 'print("A"*32)' | ./basic_info_leak
+$ python -c 'import sys; sys.stdout.buffer.write(b"A"*32)' | ./basic_info_leak
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�8�
 </code>
@@ Line 43: / Line 43: @@
 In order to check the hexadecimal values of the leak, we pipe the output through ''xxd'':
 <code>
-$ python -c 'print("A"*32)' | ./basic_info_leak | xxd
+$ python -c 'import sys; sys.stdout.buffer.write(b"A"*32)' | ./basic_info_leak | xxd
 00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
 00000010: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
@@ Line 129: / Line 129: @@
 $ gdb -q ./info_leak
 Reading symbols from ./info_leak...done.
-gdb-peda$ b printf
+gdb-peda$ b my_main
 Breakpoint 1 at 0x400560
 gdb-peda$ r < <(python -c 'import sys; sys.stdout.write(32*"A")')
 Starting program: info_leak < <(python -c 'import sys; sys.stdout.write(32*"A")')
 [...]
+# Do next instructions until after the call to printf.
+gdb-peda$ ni
+....
 gdb-peda$ x/12g name
@@ Line 181: / Line 185: @@
 <note tip>
 Same as above, use ''nm'' to determine address of the ''my_evil_func()'' function.
+When sending your exploit to the remote server, adjust this address according to the binary running on the remote endpoint. The precompiled binary can be found in [[cns:resources:repo|the CNS public repository]].
 </note>
@@ Line 193: / Line 198: @@
 <note tip>
-In case of a successful exploit the program will return with the ''42'' error code in the ''my_evil_func()'' function, same as below:
+In case of a successful exploit the program will spawn a shell in the ''my_evil_func()'' function, same as below:
 <code>
 $ python exploit.py
@@ Line 200: / Line 205: @@
 [*] old_rbp is 0x7fffffffdd40
 [*] return address is located at is 0x7fffffffdd38
-[*] Process './info_leak' stopped with exit code 42 (pid 6422)
+[*] Switching to interactive mode
+Returning from main!
+$ id
+uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
 </code>
 </note>
@@ Line 297: / Line 305: @@
 After the plan is complete, write down the attack by filling the ''TODO'' lines in the ''exploit.py'' solution skeleton.
+/*
+<note tip>
+When sending your exploit to the remote server, adjust this address according to the binary running on the remote endpoint. The precompiled binary can be found in [[cns:resources:repo|the CNS public repository]].
+</note>
+*/
 After you write 0x300 chars in v, you should obtain shell
 <code>
-$ python exploit64.py
+$ python exploit.py
 [!] Could not find executable 'basic_format_string' in $PATH, using './basic_format_string' instead
 [+] Starting local process './basic_format_string': pid 20785

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-07.1606151373.txt.gz · Last modified: 2020/11/23 19:09 by mihai.dumitru2201

Show page Old revisions

Media Manager Back to top