This shows you the differences between two versions of the page.
cns:labs:lab-08 [2020/12/07 16:21] mihai.dumitru2201 [5. Bonus ROP: Libc Functions chain]
cns:labs:lab-08 [2021/12/14 13:28] (current) razvan.deaconescu
Line 1: | Line 1: | ||
- | ====== Lab 08 - Return Oriented Programming ====== | + | ====== Lab 08 - Return-Oriented Programming ====== |
===== Introduction ===== | ===== Introduction ===== | ||
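Review bot: the hyphenated form "Return-Oriented Programming" in the new title is the right one, but this hunk only touches the page title; any other occurrence of the phrase in section headings or body text should be changed to match so the two spellings do not coexist on the same page.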
Line 263: | Line 263: | ||
* As usual, we have to identify the overflowed buffer ''offset'' where the return address starts. We can do this using the ''peda'' ''pattc'' and ''patto'' commands as in the previous [[http://ocw.cs.pub.ro/courses/cns/labs/lab-06#phase_2finding_the_vulnerability|labs]]. | * As usual, we have to identify the overflowed buffer ''offset'' where the return address starts. We can do this using the ''peda'' ''pattc'' and ''patto'' commands as in the previous [[http://ocw.cs.pub.ro/courses/cns/labs/lab-06#phase_2finding_the_vulnerability|labs]]. | ||
* The complete exploit can be found in ''00-tutorial-2-ret2libc/solution.py'' | * The complete exploit can be found in ''00-tutorial-2-ret2libc/solution.py'' | ||
- | |||
- | </code> | ||
==== 3. ROP: Find the buffer ==== | ==== 3. ROP: Find the buffer ==== | ||
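Review bot: dropping the stray `</code>` after the bullet list is correct, since no `<code>` is opened in this hunk, but its intended opening tag lies outside the shown context; confirm that the tutorial code block preceding the two bullets is already closed, otherwise the bullets and the "3. ROP: Find the buffer" heading would still render inside a code block after this change.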
Line 294: | Line 292: | ||
<note tip> | <note tip> | ||
The buffer address is stored in a register when ''ret'' is executed. | The buffer address is stored in a register when ''ret'' is executed. | ||
+ | |||
+ | There is no need for a memory disclosure / information leak of the buffer address. **You can find a gadget that jumps / calls that register.** | ||
Use ''%%ropsearch ... libc%%''. Instead of ''%%...%%'' place the instructions you search. | Use ''%%ropsearch ... libc%%''. Instead of ''%%...%%'' place the instructions you search. | ||
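Review bot: the added sentence says to find a gadget that "jumps / calls that register" but never names the register, and the preceding sentence only says the buffer address is "stored in a register" when `ret` executes; since the whole hint hinges on which register that is, either state it or tell the reader to inspect the register state at the `ret` instruction in the debugger before running `ropsearch`. In the unchanged line that follows, "the instructions you search" should read "the instructions you are searching for".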
Line 306: | Line 306: | ||
io = process(["./ropbuf", payload]) # Run ./ropbuf using payload as command line argument. | io = process(["./ropbuf", payload]) # Run ./ropbuf using payload as command line argument. | ||
</code> | </code> | ||
+ | </note> | ||
+ | |||
+ | <note important> | ||
+ | You can't send NUL-bytes as part of command line arguments. When constructing the payload, use ''%%pack(...).strip(b\"x00")%%''. | ||
</note> | </note> | ||
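Review bot: the snippet in the new `<note important>` is mis-escaped and will not run as written: `pack(...).strip(b\"x00")` should be `pack(...).rstrip(b"\x00")`. Use `rstrip` rather than `strip`, because only the trailing NUL bytes (the zero high-order bytes of a little-endian packed address) can be dropped without changing the value; a NUL in the low byte cannot be removed at all. It would also help the reader to state why: argv strings are NUL-terminated, so a NUL anywhere but at the very end of the payload truncates it, which means stripping only works for the last packed value in the payload.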