session:12 [2018/07/16 11:53] Adriana COGEAN (25140) |
session:12 [2020/07/20 17:34] (current) Liza-Elena BABU (78556) [1. Challenge: Using ROP to Leak and Call system()] |
Line 1: | Line 1: | ||
- | = 0x0C. Return Oriented Programming (advanced) | + | ====== 0x0B. Return Oriented Programming (advanced) |
- | == Slides | + | ===== Slides |
- | [[https:// | + | [[https:// |
- | == Setup | + | [[https:// |
+ | |||
+ | [[https:// | ||
+ | |||
+ | ===== Setup ===== | ||
The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as '' | The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as '' | ||
Line 17: | Line 21: | ||
</ | </ | ||
- | == Tutorials | + | ===== Tutorials |
In this lab we are going to dive deeper into ROP (//Return Oriented Programming// | In this lab we are going to dive deeper into ROP (//Return Oriented Programming// | ||
Line 27: | Line 31: | ||
* ROP for syscalls and 64 bits | * ROP for syscalls and 64 bits | ||
- | As the basis of the lab we will use a CTF task called **ropasaurusrex** and gradually make exploitation harder. | + | As the basis of the lab we will use a CTF challenge |
- | + | ||
- | First download the [[https:// | + | |
- | === Calling Conventions in the ROP Context | + | ==== Calling Conventions in the ROP Context |
As you know, the [[: | As you know, the [[: | ||
Line 88: | Line 90: | ||
- | === Intro to pwntools | + | ==== Intro to pwntools |
Writing exploits in command line using expressions such as the following is prone to errors: | Writing exploits in command line using expressions such as the following is prone to errors: | ||
Line 145: | Line 147: | ||
- interact with the process using '' | - interact with the process using '' | ||
- | === Challenge 0 walkthrough | + | ==== Challenge 0 walkthrough |
- | Let's do a walkthrough/ | + | Let's do a walkthrough/ |
First we need to look in the binary and observe the stack buffer overflow: | First we need to look in the binary and observe the stack buffer overflow: | ||
Line 273: | Line 275: | ||
- | == Challenges | + | ===== Challenges |
- | === 1. Challenge: Using ROP to Leak and Call system() | + | ==== 1. Challenge: Using ROP to Leak and Call system() |
Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the '' | Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the '' | ||
Line 312: | Line 314: | ||
<note tip> | <note tip> | ||
- | Fire up GDB on the libc library and save the offset of the function you want to leak and '' | + | To find out the address of the '' |
+ | </ | ||
+ | |||
+ | /* | ||
+ | |||
+ | <note tip> | ||
+ | As an alternative, | ||
< | < | ||
root@kali: | root@kali: | ||
Line 332: | Line 340: | ||
After the leak subtract the saved offset from it. You now have the libc base address (which should be aligned to a multiple of 0x1000). Use that address and add the other offset to compute the address of the '' | After the leak subtract the saved offset from it. You now have the libc base address (which should be aligned to a multiple of 0x1000). Use that address and add the other offset to compute the address of the '' | ||
</ | </ | ||
+ | |||
+ | */ | ||
Call '' | Call '' | ||
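Review bot: the old GDB-based offset tip is not removed but wrapped in `/*` and `*/` markers (the lines right after the new `</note>` and right after the old `</note>`), and DokuWiki's core syntax has no comment markers, so unless the comment plugin is installed readers will see a literal `/*`, a second `<note tip>` block and `*/` in the rendered page. Since the revision history already preserves the old text, either delete the block or, if it is meant as the "alternative" the new tip announces, keep it as an ordinary visible tip. The retained context sentence about the recovered libc base having to be a multiple of 0x1000 is a useful sanity check and should stay visible either way.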
Line 342: | Line 352: | ||
For the actual parameter use the '' | For the actual parameter use the '' | ||
</ | </ | ||
- | + | ==== 2. Challenge: Handling Low Stack Space ==== | |
- | === 2. Challenge: Handling Low Stack Space | + | |
The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that. | The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that. | ||
Line 380: | Line 389: | ||
Use a new ropchain to call '' | Use a new ropchain to call '' | ||
</ | </ | ||
- | === 3. Challenge: Stack Pivoting | + | ==== 3. Challenge: Stack Pivoting |
Let's assume that '' | Let's assume that '' | ||
Line 418: | Line 427: | ||
</ | </ | ||
- | === 4. Challenge [Hard]: Change Memory Protection and Write Shellcode | + | /*==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode |
We want to exploit a more constrained environment. The constraint is to remove the '' | We want to exploit a more constrained environment. The constraint is to remove the '' | ||
- | Go the '' | + | Go the '' |
<note important> | <note important> | ||
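Review bot: the comment opener is glued to the heading on the same line (`/*==== 4. Challenge [Hard]: ...`), which relies on the comment plugin recognising `/*` without a following space or line break; putting `/*` on its own line before the heading, as the earlier hunk does, avoids that dependency and makes the hidden region easier to spot when editing. As the whole [Hard] challenge is being hidden rather than deleted, the same remark as above applies: the revision history keeps it, so deletion is the cleaner option.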
Line 449: | Line 458: | ||
<note tip> | <note tip> | ||
- | Use the [[http://pwntools.readthedocs.io/en/latest/ | + | Use the [[http://docs.pwntools.com/en/stable/ |
</ | </ | ||
+ | */ | ||
- | === 5. Challenge [Bonus] | + | ==== 4. Challenge [Bonus] |
- | Switch to task5. You have a 64 bit binary that you need to exploit to execute /bin/date: | + | Switch to '' |
* First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention. | * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention. | ||
* Then overflow the second buffer and issue a syscall for **execve("/ | * Then overflow the second buffer and issue a syscall for **execve("/ | ||
* Extra: Pop a shell. | * Extra: Pop a shell. | ||
+ | ==== Resources: ==== | ||
+ | |||
+ | * https:// | ||
+ | * http:// | ||
+ | * https:// | ||
+ | * https:// |
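Review bot: the new `==== Resources: ====` heading carries a trailing colon that none of the other headings in this revision use; drop it for consistency. Updating the pwntools link from `pwntools.readthedocs.io/en/latest/` to `docs.pwntools.com/en/stable/` is a good change, since the stable docs match the pinned tooling the Setup section asks students to install. With the [Hard] challenge hidden and the bonus challenge renumbered from 5 to 4, check that the task name the renumbered section tells students to switch to, and any other mention of the old numbering, was updated in the same revision.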