Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-07 [2021/11/22 13:00]
ricardo.ungureanu [Tasks repository]
+++ cns:labs:lab-07 [2022/11/21 14:29] (current)
mihai.dumitru2201 [Basic Format String Attack]
@@ Line 4: / Line 4: @@
 All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]].
-Submit your flags to [[https://cns-lab-ctf21.cyberedu.ro/|the CNS CyberEDU Platform]].
 ===== Intro =====
@@ Line 39: / Line 37: @@
 We can test this using:
 <code>
-$ python -c 'print("A"*32)' | ./basic_info_leak
+$ python -c 'import sys; sys.stdout.buffer.write(b"A"*32)' | ./basic_info_leak
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�8�
 </code>
@@ Line 45: / Line 43: @@
 In order to check the hexadecimal values of the leak, we pipe the output through ''xxd'':
 <code>
-$ python -c 'print("A"*32)' | ./basic_info_leak | xxd
+$ python -c 'import sys; sys.stdout.buffer.write(b"A"*32)' | ./basic_info_leak | xxd
 00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
 00000010: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
@@ Line 131: / Line 129: @@
 $ gdb -q ./info_leak
 Reading symbols from ./info_leak...done.
-gdb-peda$ b printf
+gdb-peda$ b my_main
 Breakpoint 1 at 0x400560
 gdb-peda$ r < <(python -c 'import sys; sys.stdout.write(32*"A")')
 Starting program: info_leak < <(python -c 'import sys; sys.stdout.write(32*"A")')
 [...]
+# Do next instructions until after the call to printf.
+gdb-peda$ ni
+....
 gdb-peda$ x/12g name
@@ Line 183: / Line 185: @@
 <note tip>
 Same as above, use ''nm'' to determine address of the ''my_evil_func()'' function.
+When sending your exploit to the remote server, adjust this address according to the binary running on the remote endpoint. The precompiled binary can be found in [[cns:resources:repo|the CNS public repository]].
 </note>
@@ Line 195: / Line 198: @@
 <note tip>
-In case of a successful exploit the program will return with the ''42'' error code in the ''my_evil_func()'' function, same as below:
+In case of a successful exploit the program will spawn a shell in the ''my_evil_func()'' function, same as below:
 <code>
 $ python exploit.py
@@ Line 202: / Line 205: @@
 [*] old_rbp is 0x7fffffffdd40
 [*] return address is located at is 0x7fffffffdd38
-[*] Process './info_leak' stopped with exit code 42 (pid 6422)
+[*] Switching to interactive mode
+Returning from main!
+$ id
+uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
 </code>
 </note>
@@ Line 299: / Line 305: @@
 After the plan is complete, write down the attack by filling the ''TODO'' lines in the ''exploit.py'' solution skeleton.
+/*
+<note tip>
+When sending your exploit to the remote server, adjust this address according to the binary running on the remote endpoint. The precompiled binary can be found in [[cns:resources:repo|the CNS public repository]].
+</note>
+*/
 After you write 0x300 chars in v, you should obtain shell
 <code>
-$ python exploit64.py
+$ python exploit.py
 [!] Could not find executable 'basic_format_string' in $PATH, using './basic_format_string' instead
 [+] Starting local process './basic_format_string': pid 20785

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-07.1637578837.txt.gz · Last modified: 2021/11/22 13:00 by ricardo.ungureanu

Show page Old revisions

Media Manager Back to top