Differences

This shows you the differences between two versions of the page.

--- session:06 [2018/06/28 14:08] – [Overwriting the stored return address] Add code snippets link archive Maria-Elena MIHĂILESCU (25616)
+++ session:06 [2020/07/19 09:49] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-= 0x06. Buffer Management
+====== 0x05. Buffer Exploitation ======
-== Slides
+===== Resources =====
-Slides are available [[http://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|here]].
+[[https://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|Session 5 slides]]
-[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]].
+[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]]
 [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]].
-== Tutorials
-== Buffers
+/*[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-full.zip|Session's solutions]]*/
+===== Tutorials =====
+===== Buffers =====
 A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes.
@@ Line 215: / Line 218: @@
 Can you guess how the resulting code will look like, disassembled? Where are we writing to?
-=== Stack buffer overflows
+==== Stack buffer overflows ====
 As we have seen in previous sessions, the stack serves multiple purposes:
@@ Line 405: / Line 408: @@
 </note>
-=== Diverting code execution
+==== Diverting code execution ====
 We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says:
@@ Line 548: / Line 551: @@
 </note>
-=== Overwriting the stored return address
+==== Overwriting the stored return address ====
 Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack.
@@ Line 706: / Line 709: @@
 </note>
-== Challenges
+===== Challenges =====
 <note important>
@@ Line 725: / Line 728: @@
 Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]].
-=== 01. Parrot
+==== 01. Parrot ====
 Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function.
@@ Line 731: / Line 734: @@
 We have implemented our very own ''parrot''. Can you avoid it somehow?
-=== 02. Indexing
+<note tip>
+Values are little endian. So if you want to send ''0xabcd'' you would send it as ''\xcd\xab\x00\x00''.
+</note>
+<note tip>
+When providing input to a program and wanting to maintain connection to its standard input, run:
+<code>
+cat payload - | ./program
+</code>
+Or, if you have a payload generator program such as ''payload.py'', run:
+<code>
+cat <(python payload.py) - | ./program
+</code>
+</note>
+==== 02. Indexing ====
 More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in.
@@ Line 737: / Line 756: @@
 Here's an interactive script to get you started:
-<code python>
+<code python exploit.py>
 #!/usr/bin/env python
 from pwn import *
@@ Line 752: / Line 771: @@
 </code>
-=== 03. Smashthestack Level7
+<note tip>
+Go through GDB when aiming to solve this challenge. As all input values are strings, you can input them at the keyboard and follow their effect in GDB.
+</note>
+<note tip>
+You can inspect the behavior of a program for a given input by doing:
+<code>
+cat payload | strace ./program
+</code>
+That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input.
+</note>
+==== 03. Smashthestack Level7 ====
 Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one.
-=== 04. Neighbourly
+<note tip>
+There's an integer overflow + buffer overflow in the program.
+</note>
-Let's overwrite a structure's function pointer using a buffer overflow in its vicinity. The principle is the same.
+<note tip>
+What are the four 32 bit values that multiplied by ''4'' give you, let's say, ''256''?
+</note>
-=== 05. Bonus: Birds
+<note tip>
+In order to run a program that receives command line arguments under gdb, you can do the following:
-Time for a more complex challenge. Be patient and don't speed through it.
+<code gdb>
+$ gdb ./main
+gdb$ set args arg1 arg2 arg3
+gdb$ start
+</code>
+</note>
+==== 04. Neighbourly ====
+Let's overwrite a structure's function pointer using a buffer overflow in its vicinity. The principle is the same.
+<note tip>
+The ''ptext'' field of the structure is a function pointer. Overwrite it with the address of the ''win()'' function.
+</note>
-=== 06. Uninitialized
+==== 05. Uninitialized ====
 There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell.
@@ Line 771: / Line 818: @@
 Do **not** use pwntools for this task.
 </note>
-=== 07: Bonus: Uninitialized 2
+==== 06: Bonus: Uninitialized 2 ====
 There's a small update to the ''uninitialized'' executable and you need to update your solution.
 <note tip>
-Use ''strace'' to understand what's happening differently.
+Use ''ltrace'' to understand what's happening differently.
 </note>
@@ Line 782: / Line 829: @@
 Create a pwntools-based script to solve both the initial executable and the bonus one.
 </note>
+==== 05. Bonus: Birds ====
+Time for a more complex challenge. Be patient and don't speed through it.