Security Summer School

User Tools

Site Tools

session:06

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

session:06 [2018/06/28 16:36] – [03. Smashthestack Level7] Razvan Deaconescusession:06 [2020/07/19 09:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
-0x06. Buffer Management+====== 0x05. Buffer Exploitation ======
  
-== Slides+===== Resources =====
  
-Slides are available [[http://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|here]].+[[https://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|Session 5 slides]]
  
-[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]].+[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]]
  
 [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]]. [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]].
-== Tutorials 
  
-== Buffers+/*[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-full.zip|Session's solutions]]*/ 
 + 
 +===== Tutorials ===== 
 + 
 +===== Buffers =====
  
 A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes. A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes.
Line 215: Line 218:
 Can you guess how the resulting code will look like, disassembled? Where are we writing to? Can you guess how the resulting code will look like, disassembled? Where are we writing to?
  
-=== Stack buffer overflows+==== Stack buffer overflows ====
  
 As we have seen in previous sessions, the stack serves multiple purposes: As we have seen in previous sessions, the stack serves multiple purposes:
Line 405: Line 408:
 </note> </note>
  
-=== Diverting code execution+==== Diverting code execution ====
  
 We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says: We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says:
Line 548: Line 551:
 </note> </note>
  
-=== Overwriting the stored return address+==== Overwriting the stored return address ====
  
 Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack. Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack.
Line 706: Line 709:
 </note> </note>
  
-== Challenges+===== Challenges =====
  
 <note important> <note important>
Line 725: Line 728:
 Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]]. Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]].
  
-=== 01. Parrot+==== 01. Parrot ====
  
 Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function. Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function.
Line 747: Line 750:
 </note> </note>
  
-=== 02. Indexing+==== 02. Indexing ====
  
 More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in. More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in.
Line 779: Line 782:
 That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input. That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input.
 </note> </note>
-=== 03. Smashthestack Level7+==== 03. Smashthestack Level7 ====
  
 Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one. Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one.
Line 787: Line 790:
 </note> </note>
  
-<note> +<note tip
-What are the four 32 bit values that multiplied by ''4'' give you, let's say ''256''?+What are the four 32 bit values that multiplied by ''4'' give you, let's say''256''?
 </note> </note>
-=== 04. Neighbourly 
  
-Let's overwrite structure's function pointer using a buffer overflow in its vicinity. The principle is the same.+<note tip> 
 +In order to run program that receives command line arguments under gdb, you can do the following:
  
-=== 05Bonus: Birds+<code gdb> 
 +$ gdb ./main 
 +gdb$ set args arg1 arg2 arg3 
 +gdb$ start 
 +</code>  
 +</note> 
 +==== 04Neighbourly ====
  
-Time for more complex challenge. Be patient and don't speed through it.+Let's overwrite structure's function pointer using a buffer overflow in its vicinity. The principle is the same.
  
-=== 06. Uninitialized+<note tip> 
 +The ''ptext'' field of the structure is a function pointer. Overwrite it with the address of the ''win()'' function. 
 +</note> 
 + 
 +==== 05. Uninitialized ====
  
 There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell. There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell.
Line 805: Line 818:
 Do **not** use pwntools for this task. Do **not** use pwntools for this task.
 </note> </note>
-=== 07: Bonus: Uninitialized 2+==== 06: Bonus: Uninitialized 2 ====
  
 There's a small update to the ''uninitialized'' executable and you need to update your solution. There's a small update to the ''uninitialized'' executable and you need to update your solution.
  
 <note tip> <note tip>
-Use ''strace'' to understand what's happening differently.+Use ''ltrace'' to understand what's happening differently.
 </note> </note>
  
Line 816: Line 829:
 Create a pwntools-based script to solve both the initial executable and the bonus one. Create a pwntools-based script to solve both the initial executable and the bonus one.
 </note> </note>
 +
 +==== 05. Bonus: Birds ====
 +
 +Time for a more complex challenge. Be patient and don't speed through it.
session/06.1530203816.txt.gz · Last modified: by Razvan Deaconescu