Show page

Differences

This shows you the differences between two versions of the page.

--- isc:labs:05 [2024/11/03 22:10]
florin.stancu
+++ isc:labs:05 [2024/11/04 10:43] (current)
florin.stancu
@@ Line 1: / Line 1: @@
 ====== Lab 05 - Application Security ======
+===== Objectives =====
+  * Call conventions & stack structure
+  * Buffer overflow vulnerabilities
+  * Using pwndbg & pwntools to facilitate exploit development
 ===== Resources =====
-   *[[https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/|Buffer overflow explained]]
+   * [[https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/|Buffer overflow explained]]
-   *[[https://dhavalkapil.com/blogs/Shellcode-Injection/|Shellcode explained]]
+   * [[https://dhavalkapil.com/blogs/Shellcode-Injection/|Shellcode explained]]
+   * [[https://chatgpt.com/share/67279837-b05c-800e-a60a-6629ef3dd7f7|ChatGPT's record for stack structure & buffer overflow]] //(same length, but why bother read the opinion of some anonymous industry expert when you got the popular AI kid parroting the same stuff, right?)//
 ===== Setup =====
-  * [[:isc:info:virtualmachine|Open a lab VM instance]] on [[https://cloud.grid.pub.ro|OpenStack]], use the **m1.medium** flavor for 2GB of RAM (required by ''pwndbg'' :(( ).
+  * [[:isc:info:virtualmachine|Open a lab VM instance]] on [[https://cloud.grid.pub.ro|OpenStack]], use the **m1.medium** flavor for 1.5GB of RAM (required by ''pwndbg'' :(( ).
 **If you're not using the OpenStack VM**:
@@ Line 37: / Line 44: @@
 {{:isc:labs:stack_layout.png?700}}
+Also check out one of the resources linked on top ^^ !
 <note tip>
@@ Line 142: / Line 151: @@
     * Hint: you're on 64-bit, check the links above for the calling convention...
     * Hint 2: you also don't have debugging info compiled-in, so you must use disassembly to find the RBP offset of the ''buf'' variable;
+<spoiler In case of emergency, expand>
+If this seems too difficult or you wasted too much time, just add ''-g'' to the ''gcc'' rule inside the Makefile, recompile and try it this way :(
+</spoiler>
 <solution -hidden>
@@ Line 157: / Line 169: @@
 === [50p] 02. Stack overflow (EZ) ===
-  * Run & study the ''buffovf'' binary. There is a stack overflow vulnerability in there, can you see it?
+  * Run & study the ''buffovf'' binary. There is a vulnerability in there, can you see it?
   * Yep, you **must** use stack overflow to get this flag!
   * First, try to crash the program. Use programmatically generated input (e.g., from Python3);
@@ Line 175: / Line 187: @@
   * Things start to become easy; call the ''for_the_win'' function (simply replace the address above with the function's virtual address)!
     * Do not forget: x86 uses little endian encoding for multi-byte integers!
-    * Another warning: ASLR is enabled and the program is compiled as position independent code! Use ''gdb'' to "leak" the function's address, which shouldn't change while using ''gdb'' (it uses the same constant seed for ASLR's randomizer)!
+  * As bonus, can you further chain calls to make the exploited program gracefully exit?
 <solution -hidden>
 <code>
-pwndbg> run "briliantul" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 24 + b"\xa6\x91\x04\x08")')
+pwndbg> run "Salam" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 0x19 +b"\xb6\x91\x04\x08" + b"\x12\x93\x04\x08" + b"\xbe\xba\xfe\xca")')
-...
-hey, args
-what's ur last name?
-almost there, try to supply the correct arguments!
-bye
-Program received signal SIGSEGV, Segmentation fault.
 </code>
 </solution>

isc/labs/05.1730664628.txt.gz · Last modified: 2024/11/03 22:10 by florin.stancu

Show page Old revisions

Media Manager Back to top

Differences

Lectures

Labs

Support