Security Summer School

User Tools

Site Tools

session:06

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
session:06 [2018/06/28 19:35]
Razvan Deaconescu [01. Parrot] 		session:06 [2020/07/19 12:49] (current)
Line 1: Line 1:
-0x06. Buffer Management+====== 0x05. Buffer Exploitation ======
  
-== Slides+===== Resources =====
  
-Slides are available [[http://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|here]].+[[https://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|Session 5 slides]]
  
-[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]].+[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]]
  
 [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]]. [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]].
-== Tutorials 
  
-== Buffers+/*[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-full.zip|Session's solutions]]*/ 
 + 
 +===== Tutorials ===== 
 + 
 +===== Buffers =====
  
 A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes. A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes.
Line 215: Line 218:
 Can you guess how the resulting code will look like, disassembled? Where are we writing to? Can you guess how the resulting code will look like, disassembled? Where are we writing to?
  
-=== Stack buffer overflows+==== Stack buffer overflows ====
  
 As we have seen in previous sessions, the stack serves multiple purposes: As we have seen in previous sessions, the stack serves multiple purposes:
Line 405: Line 408:
 </note> </note>
  
-=== Diverting code execution+==== Diverting code execution ====
  
 We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says: We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says:
Line 548: Line 551:
 </note> </note>
  
-=== Overwriting the stored return address+==== Overwriting the stored return address ====
  
 Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack. Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack.
Line 706: Line 709:
 </note> </note>
  
-== Challenges+===== Challenges =====
  
 <note important> <note important>
Line 725: Line 728:
 Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]]. Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]].
  
-=== 01. Parrot+==== 01. Parrot ====
  
 Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function. Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function.
Line 747: Line 750:
 </note> </note>
  
-=== 02. Indexing+==== 02. Indexing ====
  
 More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in. More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in.
Line 779: Line 782:
 That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input. That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input.
 </note> </note>
-=== 03. Smashthestack Level7+==== 03. Smashthestack Level7 ====
  
 Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one. Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one.
  
-=== 04Neighbourly+<note tip> 
 +There's an integer overflow + buffer overflow in the program. 
 +</note>
  
-Let's overwrite a structure'function pointer using a buffer overflow in its vicinity. The principle is the same.+<note tip> 
 +What are the four 32 bit values that multiplied by ''4'' give you, let'say, ''256''? 
 +</note>
  
-=== 05. BonusBirds+<note tip> 
 +In order to run a program that receives command line arguments under gdb, you can do the following:
  
-Time for a more complex challengeBe patient and don't speed through it.+<code gdb> 
 +$ gdb ./main 
 +gdb$ set args arg1 arg2 arg3 
 +gdb$ start 
 +</code>  
 +</note> 
 +==== 04Neighbourly ====
  
-=== 06. Uninitialized+Let's overwrite a structure's function pointer using a buffer overflow in its vicinity. The principle is the same. 
 + 
 +<note tip> 
 +The ''ptext'' field of the structure is a function pointer. Overwrite it with the address of the ''win()'' function. 
 +</note> 
 + 
 +==== 05. Uninitialized ====
  
 There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell. There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell.
Line 798: Line 818:
 Do **not** use pwntools for this task. Do **not** use pwntools for this task.
 </note> </note>
-=== 07: Bonus: Uninitialized 2+==== 06: Bonus: Uninitialized 2 ====
  
 There's a small update to the ''uninitialized'' executable and you need to update your solution. There's a small update to the ''uninitialized'' executable and you need to update your solution.
  
 <note tip> <note tip>
-Use ''strace'' to understand what's happening differently.+Use ''ltrace'' to understand what's happening differently.
 </note> </note>
  
Line 809: Line 829:
 Create a pwntools-based script to solve both the initial executable and the bonus one. Create a pwntools-based script to solve both the initial executable and the bonus one.
 </note> </note>
 +
 +==== 05. Bonus: Birds ====
 +
 +Time for a more complex challenge. Be patient and don't speed through it.
session/06.1530203719.txt.gz · Last modified: 2018/06/28 19:35 by Razvan Deaconescu

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki