This shows you the differences between two versions of the page.
| | isc:labs:05 [2024/11/04 10:43] florin.stancu | | isc:labs:05 [2025/11/04 11:49] (current) david.gherghita [Exercises] |
|---|---|---|---|
| Line 15: | Line 15: | ||
| ===== Setup ===== | ===== Setup ===== | ||
| - | * [[:isc:info:virtualmachine|Open a lab VM instance]] on [[https://cloud.grid.pub.ro|OpenStack]], use the **m1.medium** flavor for 1.5GB of RAM (required by ''pwndbg'' :(( ). | + | * [[:isc:info:virtualmachine|Open a lab VM instance]] on [[https://cloud.grid.pub.ro|OpenStack]]. |
| - | **If you're not using the OpenStack VM**: | + | **If you're using the local VM for ARM 64 (AArch64)**: |
| - | * Install the 32-bit **libc** and **gcc-multilib** packages: <code> | + | * You have ''x86'' cross-compilers pre-installed! Use ''i686-linux-gnu-gcc'' to build 32-bit programs and ''x86_64-linux-gnu-gcc'' for AMD64 targets; |
| - | sudo apt install libc6-dev-i386 gcc-multilib | + | * You also have [[https://www.qemu.org/docs/master/user/main.html|qemu-user]] properly installed inside the local VM, so you can simply run any x86 binaries and they'll get emulated! |
| - | </code> | + | * If you intend to use ''objdump'' aarch64-hosted/emulated x86 binaries, you must use the cross compiler suite's, so make sure to prefix it, e.g.: ''x86_86-gnu-linux-objdump''! |
| - | * Install the PwnDbg plugin: <code> | + | |
| - | git clone https://github.com/pwndbg/pwndbg | + | |
| - | cd pwndbg | + | |
| - | ./setup.sh | + | |
| - | </code> | + | |
| - | + | ||
| - | To check if everything is OK, run the command ''gdb'' with no arguments. The prompt should be similar to this: | + | |
| - | + | ||
| - | <code> | + | |
| - | ➜ gdb | + | |
| - | GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 | + | |
| - | ... | + | |
| - | pwndbg> | + | |
| - | </code> | + | |
| - | Enter ''q'' to exit GDB. We are using [[https://github.com/pwndbg/pwndbg|PwnDbg]] instead of the classic GDB because it is much more user friendly. Hope you'll like it ;) | + | Note that we are using [[https://github.com/pwndbg/pwndbg|PwnDbg]] instead of the classic GDB because it is much more user friendly. Hope you'll like it ;) |
| ===== Overview ===== | ===== Overview ===== | ||
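Review bot: the objdump prefix in the third new bullet is mistyped: `x86_86-gnu-linux-objdump` does not exist, it should be `x86_64-linux-gnu-objdump`, matching the `x86_64-linux-gnu-gcc` prefix introduced two lines above (and `i686-linux-gnu-objdump` for the 32-bit builds made with `i686-linux-gnu-gcc`); the same sentence is also missing a word ("use `objdump` on aarch64-hosted/emulated x86 binaries"). Separately, this hunk removes the PwnDbg install steps (`git clone https://github.com/pwndbg/pwndbg`, `./setup.sh`) and the `pwndbg>` prompt check, yet the closing sentence still says the lab uses PwnDbg and the later exercises rely on its register printing; unless the local ARM64 VM ships with pwndbg preinstalled, either say so explicitly or keep the install snippet. Worth one more sentence for local-VM users: a gdb running on the aarch64 host cannot simply `run` an x86 binary, the qemu-user'd process has to be started with qemu's `-g <port>` gdbstub option and attached to from a gdb that supports x86 targets (e.g. `gdb-multiarch`), otherwise the debugging steps below will not work there.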
| Line 182: | Line 168: | ||
| * Next, try to answer this question: how many bytes do I need to overflow until I get to the EIP saved by the ''call''er (also see the stack diagram above)? | * Next, try to answer this question: how many bytes do I need to overflow until I get to the EIP saved by the ''call''er (also see the stack diagram above)? | ||
| - | * Use either ''objdump -S'' or ''pwndbg> disass <name>'' on the //vulnerable function// to figure out the offset of the buffer variable from the EBP register using the assembly code; | + | * Use either ''objdump -S -M intel'' or ''pwndbg> disass <name>'' on the //vulnerable function// to figure out the offset of the buffer variable from the EBP register using the assembly code; |
| * In order to check if the answer is right, try to use an input of the following form: ''%%b"A" * N + b"\xEF\xCD\xAB\x98"%%''; this should make the program segfault with the end instruction pointer at ''0x98ABCDEF'' (readily visible in pwndbg's automatic registers printing); | * In order to check if the answer is right, try to use an input of the following form: ''%%b"A" * N + b"\xEF\xCD\xAB\x98"%%''; this should make the program segfault with the end instruction pointer at ''0x98ABCDEF'' (readily visible in pwndbg's automatic registers printing); | ||
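Review bot: adding `-M intel` is right, since it matches the Intel syntax pwndbg's `disass` prints by default and avoids students mixing AT&T and Intel operand order when reading the `ebp` offset, but `-S` only interleaves source when the binary was built with `-g`; for a stripped or non-debug build `objdump -d -M intel` gives the same disassembly, so consider naming `-d` as the fallback. It would also help to state what to read out of the listing: the displacement in the `lea`/`mov` that positions the buffer relative to `ebp`, and that N in the next bullet is that displacement plus the 4 bytes of saved EBP, which is exactly why the test input `b"A" * N + b"\xEF\xCD\xAB\x98"` lands the little-endian bytes in the saved return address and faults at `0x98ABCDEF`.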
| Line 191: | Line 177: | ||
| <solution -hidden> | <solution -hidden> | ||
| <code> | <code> | ||
| - | pwndbg> run "Salam" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 0x19 +b"\xb6\x91\x04\x08" + b"\x12\x93\x04\x08" + b"\xbe\xba\xfe\xca")') | + | pwndbg> run "Salam" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 0x19 +b"\xa6\x91\x04\x08" + b"\x0e\x93\x04\x08" + b"\xbe\xba\xfe\xca")') |
| </code> | </code> | ||
| </solution> | </solution> | ||
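Review bot: the updated payload hardcodes two absolute addresses (`0x080491a6` and `0x0804930e`, written little-endian) that are only valid for one specific build of the lab binary; a different compiler version or flag set moves them, which is presumably why this hunk exists at all. Record in the hidden solution how they were obtained (e.g. `nm ./<binary>` or `objdump -d -M intel` for the target function and for the second address) so the next maintainer can regenerate them instead of patching bytes. The layout also deserves a line of explanation for whoever reads the solution: it appears to be the classic ret-to-function form, `0x19` padding bytes (buffer offset plus saved EBP), then the address the overwritten EIP returns into, then the dword that becomes that function's return address, then `0xcafebabe` as its first argument; if that is the intent, say which function and return target the two addresses are.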