session:06

Differences

This shows you the differences between two versions of the page.

session:06 [2019/07/13 15:30]
Radu-Nicolae NICOLAU (78289)
session:06 [2020/07/19 12:49] (current)
Line 1: Line 1:
-0x06. Buffer Management+====== 0x05. Buffer Exploitation ======
  
-== Resources+===== Resources =====
  
-[[https://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|Session slides]]+[[https://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|Session slides]]
  
 [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]] [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]]
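Review bot: the new title "0x05. Buffer Exploitation" disagrees with the page id (session:06) and with the resource links left unchanged in this hunk, which still point at 06-buffer-management.pdf and 06-buffer-management-skel.zip; either keep the 0x06 numbering in the title or rename the session consistently so readers do not wonder whether they opened the wrong session's slides.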
Line 9: Line 9:
 [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]]. [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]].
  
-[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-full.zip|Session's solutions]]+/*[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-full.zip|Session's solutions]]*/
  
-== Tutorials+===== Tutorials =====
  
-== Buffers+===== Buffers =====
  
 A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes. A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes.
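Review bot: promoting both "Tutorials" and "Buffers" to ===== makes "Buffers" a sibling of "Tutorials" instead of its first subsection, so the "Tutorials" heading is now empty; make "Buffers" a ==== heading like "Stack buffer overflows" below it, or drop the empty "Tutorials" heading. Commenting out the solutions link with /* */ rather than deleting it is fine if it is meant to be re-enabled after the session; say so in the revision summary, otherwise remove the line.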
Line 218: Line 218:
 Can you guess how the resulting code will look like, disassembled? Where are we writing to? Can you guess how the resulting code will look like, disassembled? Where are we writing to?
  
-=== Stack buffer overflows+==== Stack buffer overflows ====
  
 As we have seen in previous sessions, the stack serves multiple purposes: As we have seen in previous sessions, the stack serves multiple purposes:
Line 408: Line 408:
 </note> </note>
  
-=== Diverting code execution+==== Diverting code execution ====
  
 We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says: We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says:
Line 551: Line 551:
 </note> </note>
  
-=== Overwriting the stored return address+==== Overwriting the stored return address ====
  
 Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack. Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack.
Line 709: Line 709:
 </note> </note>
  
-== Challenges+===== Challenges =====
  
 <note important> <note important>
Line 728: Line 728:
 Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]]. Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]].
  
-=== 01. Parrot+==== 01. Parrot ====
  
 Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function. Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function.
Line 750: Line 750:
 </note> </note>
  
-=== 02. Indexing+==== 02. Indexing ====
  
 More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in. More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in.
Line 782: Line 782:
 That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input. That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input.
 </note> </note>
-=== 03. Smashthestack Level7+==== 03. Smashthestack Level7 ====
  
 Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one. Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one.
Line 803: Line 803:
 </code>  </code> 
 </note> </note>
-=== 04. Neighbourly+==== 04. Neighbourly ====
  
 Let's overwrite a structure's function pointer using a buffer overflow in its vicinity. The principle is the same. Let's overwrite a structure's function pointer using a buffer overflow in its vicinity. The principle is the same.
Line 810: Line 810:
 The ''ptext'' field of the structure is a function pointer. Overwrite it with the address of the ''win()'' function. The ''ptext'' field of the structure is a function pointer. Overwrite it with the address of the ''win()'' function.
 </note> </note>
-=== 05. Bonus: Birds 
  
-Time for a more complex challenge. Be patient and don't speed through it. +==== 05. Uninitialized ====
- +
-=== 06. Uninitialized+
  
 There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell. There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell.
Line 821: Line 818:
 Do **not** use pwntools for this task. Do **not** use pwntools for this task.
 </note> </note>
-=== 07: Bonus: Uninitialized 2+==== 06: Bonus: Uninitialized 2 ====
  
 There's a small update to the ''uninitialized'' executable and you need to update your solution. There's a small update to the ''uninitialized'' executable and you need to update your solution.
  
 <note tip> <note tip>
-Use ''strace'' to understand what's happening differently.+Use ''ltrace'' to understand what's happening differently.
 </note> </note>
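Review bot: the renumbering leaves "05. Uninitialized" with a period and "06: Bonus: Uninitialized 2" with a colon; use one separator. On the tip change from strace to ltrace: ltrace shows calls into shared libraries (e.g. which libc function consumes the input), while strace shows system calls (read(), open(), ...). If the update to the uninitialized binary is visible only at the libc-call level, ltrace is the right hint; if it changes syscall behaviour, strace was. Consider suggesting both, since the task forbids pwntools and these are the tools students will reach for.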
  
Line 833: Line 830:
 </note> </note>
  
 +==== 05. Bonus: Birds ====
 +
 +Time for a more complex challenge. Be patient and don't speed through it.
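Review bot: the "Bonus: Birds" section moved to the end of the page keeps its old number 05, which now collides with "05. Uninitialized" introduced earlier in this revision; renumber it 07 (or drop the number and keep "Bonus") so the challenge list stays monotonic.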
session/06.1563021004.txt.gz · Last modified: 2019/07/13 15:30 by Radu-Nicolae NICOLAU (78289)