Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-07 [2021/11/22 13:07]
ricardo.ungureanu [Basic Format String Attack]
+++ cns:labs:lab-07 [2022/11/21 14:29] (current)
mihai.dumitru2201 [Basic Format String Attack]
@@ Line 4: / Line 4: @@
 All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]].
-Submit your flags to [[https://cns-lab-ctf21.cyberedu.ro/|the CNS CyberEDU Platform]].
 ===== Intro =====
@@ Line 39: / Line 37: @@
 We can test this using:
 <code>
-$ python -c 'print("A"*32)' | ./basic_info_leak
+$ python -c 'import sys; sys.stdout.buffer.write(b"A"*32)' | ./basic_info_leak
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�8�
 </code>
@@ Line 45: / Line 43: @@
 In order to check the hexadecimal values of the leak, we pipe the output through ''xxd'':
 <code>
-$ python -c 'print("A"*32)' | ./basic_info_leak | xxd
+$ python -c 'import sys; sys.stdout.buffer.write(b"A"*32)' | ./basic_info_leak | xxd
 00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
 00000010: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
@@ Line 131: / Line 129: @@
 $ gdb -q ./info_leak
 Reading symbols from ./info_leak...done.
-gdb-peda$ b printf
+gdb-peda$ b my_main
 Breakpoint 1 at 0x400560
 gdb-peda$ r < <(python -c 'import sys; sys.stdout.write(32*"A")')
 Starting program: info_leak < <(python -c 'import sys; sys.stdout.write(32*"A")')
 [...]
+# Do next instructions until after the call to printf.
+gdb-peda$ ni
+....
 gdb-peda$ x/12g name
@@ Line 184: / Line 186: @@
 <note tip>
 Same as above, use ''nm'' to determine address of the ''my_evil_func()'' function.
-When sending you exploit to the remote server, adjust this address according to the binary running on the remote endpoint. The precompiled binary can be found in [[cns:resources:repo|the CNS public repository]].
+When sending your exploit to the remote server, adjust this address according to the binary running on the remote endpoint. The precompiled binary can be found in [[cns:resources:repo|the CNS public repository]].
 </note>
@@ Line 304: / Line 306: @@
 After the plan is complete, write down the attack by filling the ''TODO'' lines in the ''exploit.py'' solution skeleton.
+/*
 <note tip>
 When sending your exploit to the remote server, adjust this address according to the binary running on the remote endpoint. The precompiled binary can be found in [[cns:resources:repo|the CNS public repository]].
 </note>
+*/
 After you write 0x300 chars in v, you should obtain shell
 <code>
-$ python exploit64.py
+$ python exploit.py
 [!] Could not find executable 'basic_format_string' in $PATH, using './basic_format_string' instead
 [+] Starting local process './basic_format_string': pid 20785

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-07.1637579235.txt.gz · Last modified: 2021/11/22 13:07 by ricardo.ungureanu

Show page Old revisions

Media Manager Back to top