session:08

Differences

session:08 [2018/07/03 20:01]
Razvan Deaconescu
session:08 [2020/07/19 12:49] (current)
Line 1: Line 1:
-====== 0x08. Shellcodes (advanced) ======+====== 0x07. Shellcodes (advanced) ======
  
 ===== Resources ===== ===== Resources =====
  
-[[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|Activities archive]]+/*[[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|Activities archive]]*/ 
 + 
 +[[https://github.com/hexcellents/sss-exploit|Activities repo]]
  
 [[http://shell-storm.org/shellcode/|Shellcode repository]] [[http://shell-storm.org/shellcode/|Shellcode repository]]
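Review bot: the heading renumber from 0x08 to 0x07 on the first line is not carried through to the rest of the hunk: the page id is still session:08 and the archive filename is still 08-shellcodes-advanced-skel.zip, so the new number and the skeleton naming now disagree. Either keep the 0x08 number or rename the archive to match. Also, commenting the archive link out with `/* ... */` rather than deleting it leaves a dead reference in the source; if the Activities repo is the new canonical location, drop the commented line.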
Line 70: Line 72:
 ===== 4. Challenge: Shellcode as Argument ===== ===== 4. Challenge: Shellcode as Argument =====
  
-Go to ''02-challenge-shellcode-argv/'' in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].+Go to ''04-challenge-shellcode-argv/'' in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
  
 Feed the ''vuln'' executable a proper ''x86_64'' shellcode as a program argument. Make sure it works by running it by itself and then run it under ''strace''. Feed the ''vuln'' executable a proper ''x86_64'' shellcode as a program argument. Make sure it works by running it by itself and then run it under ''strace''.
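Review bot: the corrected folder name `04-challenge-shellcode-argv/` still links to the `08-shellcodes-advanced-skel.zip` activities archive, the same link the first hunk comments out at the top of the page. Point this (and the other challenge sections) at the Activities repo instead so the folder name and the download location stay consistent.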
Line 224: Line 226:
  
 <note important> <note important>
-This didn't work for us. It may be because of x86_64 varying the addresses even in the absence of ASLR.+To reenable ASLR, simply exit the shell you created using ''setarch''. 
 +</note> 
 + 
 +===== 16. Challenge: io.netgarage.io level05 ===== 
 + 
 +Go to the ''16-challenge-io.netgarage.io-level05/'' folder in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]]. 
 + 
 +It's a buffer overflow that may end up calling a shellcode placed on the stack buffer. 
 + 
 +Create a ''sol/exploit.py'' script that exploits the ''vuln'' executable. Use the ''sol/exploit.py'' script from the tutorial above as a starting point. 
 + 
 +<note tip> 
 +Use the ''argv'' parameter to the ''process()'' call in pwntools to pass an argument to the program. Read more [[http://docs.pwntools.com/en/stable/tubes/processes.html|here]].
 </note> </note>
  
 <note important> <note important>
-To reenable ASLR, simply exit the shell you created using ''setarch''.+Disable ASLR using ''setarch'' before running the exploit.
 </note> </note>
 +
 +===== 17. Challenge: Shellcode on Stack =====
 +
 +Go to the ''17-challenge-shellcode-on-stack/'' folder in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
 +
 +Update the ''sol/exploit.py'' script that exploits the ''vuln'' executable. It's similar to challenge 15.
 +
 +===== 18. Challenge: Shellcode on Stack (32 bit) =====
 +
 +Go to the ''18-challenge-shellcode-on-stack-32/'' folder in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
 +
 +It's similar to the challenge above, except that it runs on 32 bits. Copy and update the ''exploit.py'' script from the solution above and update it to make it work on 32 bits.
  
 /* /*
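Review bot: the cross-reference in the new challenge 17 text, "It's similar to challenge 15", does not match the surrounding structure: the section immediately above is 16, and the new Shellcode on Stack challenge is described as a follow-on to it, so check whether 15 or 16 is meant before this goes live. Two smaller points in the same region: the challenge 18 sentence "Copy and update the ''exploit.py'' script from the solution above and update it to make it work on 32 bits" repeats "update" and reads better as "Copy the ''exploit.py'' script from the solution above and update it to work on 32 bits"; and all three new sections (16, 17, 18) still link the `08-shellcodes-advanced-skel.zip` archive that the first hunk comments out, so they should point to the Activities repo. The reordering of the ASLR notes itself is fine: the "To reenable ASLR" note now closes the previous section and challenge 16 opens with "Disable ASLR using ''setarch'' before running the exploit", which reads in the right order.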
session/08.1530637266.txt.gz · Last modified: 2018/07/03 20:01 by Razvan Deaconescu