Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-08 [2020/12/07 16:21]
mihai.dumitru2201 [5. Bonus ROP: Libc Functions chain]
+++ cns:labs:lab-08 [2021/12/14 13:28] (current)
razvan.deaconescu
@@ Line 1: / Line 1: @@
-====== Lab 08 - Return Oriented Programming ======
+====== Lab 08 - Return-Oriented Programming ======
 ===== Introduction =====
@@ Line 263: / Line 263: @@
   * As usual, we have to identify the overflowed buffer ''offset'' where the return address starts. We can do this using the ''peda'' ''pattc'' and ''patto'' commands as in the previous [[http://ocw.cs.pub.ro/courses/cns/labs/lab-06#phase_2finding_the_vulnerability|labs]].
   * The complete exploit can be found in ''00-tutorial-2-ret2libc/solution.py''
-</code>
 ==== 3. ROP: Find the buffer  ====
@@ Line 294: / Line 292: @@
 <note tip>
 The buffer address is stored in a register when ''ret'' is executed.
+There is no need for a memory disclosure / information leak of the buffer address. **You can find a gadget that jumps / calls that register.**
 Use ''%%ropsearch ... libc%%''. Instead of ''%%...%%'' place the instructions you search.
@@ Line 306: / Line 306: @@
     io = process(["./ropbuf", payload])  # Run ./ropbuf using payload as command line argument.
 </code>
+</note>
+<note important>
+You can't send NUL-bytes as part of command line arguments. When constructing the payload, use ''%%pack(...).strip(b\"x00")%%''.
 </note>

Resources

cns/labs/lab-08.1607350914.txt.gz · Last modified: 2020/12/07 16:21 by mihai.dumitru2201