LDAP: couldn't connect to LDAP server

Differences

This shows you the differences between two versions of the page.

--- session:12 [2020/06/17 20:27] – Rareş-Mihail VISALOM (67101)
+++ session:12 [2020/07/20 14:34] (current) – [1. Challenge: Using ROP to Leak and Call system()] Liza-Elena BABU (78556)
@@ Line 1: / Line 1: @@
-= 0x0B. Return Oriented Programming (advanced)
+====== 0x0B. Return Oriented Programming (advanced) ======
-== Slides
+===== Slides =====
 [[https://security.cs.pub.ro/summer-school/res/slides/12-return-oriented-programming-advanced.pdf|Session 12 slides]]
@@ Line 9: / Line 9: @@
 [[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-full.zip|Session's solutions]]
-== Setup
+===== Setup =====
 The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as ''root'') before starting this session and using ROPgadget:
@@ Line 21: / Line 21: @@
 </code>
-== Tutorials
+===== Tutorials =====
 In this lab we are going to dive deeper into ROP (//Return Oriented Programming//) and setbacks that appear in modern exploitation. Topics covered:
@@ Line 33: / Line 33: @@
 As the basis of the lab we will use a CTF challenge called **ropasaurusrex** and gradually make exploitation harder.
-=== Calling Conventions in the ROP Context
+==== Calling Conventions in the ROP Context ====
 As you know, the [[:session:02#function-calls|calling convention for 32 bits]] uses the stack. This means that setting up parameters is as easy as just writing them in the payload.
@@ Line 90: / Line 90: @@
-=== Intro to pwntools
+==== Intro to pwntools ====
 Writing exploits in command line using expressions such as the following is prone to errors:
@@ Line 147: / Line 147: @@
   - interact with the process using ''recvuntil'' and ''sendline'' functions
-=== Challenge 0 walkthrough
+==== Challenge 0 walkthrough ====
 Let's do a walkthrough/tutorial to work with the basic functionality of pwntools. We will use the first task and identify the vulnerability and write an exploit. For that change to the ''challenge-01/'' subfolder, and exploit the ''ropasaurusrex1'' executable in order to overflow the saved EBP, EIP and write the string //ELF// to standard output.
@@ Line 275: / Line 275: @@
-== Challenges
+===== Challenges =====
-=== 1. Challenge: Using ROP to Leak and Call system()
+==== 1. Challenge: Using ROP to Leak and Call system() ====
-Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''challenge-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.
+Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''task-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.
 You can now call the functions in the binary but ''system()'' or any other appropriate function is missing and ASLR is enabled. How do you get past this? You need an information leak! To leak information we want to print it to standard output and process it. We use calls to ''printf()'', ''puts()'' or ''write()'' for this. In our case we can use the ''write()'' function call.
@@ Line 352: / Line 352: @@
 For the actual parameter use the ''%%"sh"%%'' string already present in the vulnerable binary. Use ''searchmem'' in GDB to find the ''%%"sh"%%'' string in the executable.
 </note>
-=== 2. Challenge: Handling Low Stack Space
+==== 2. Challenge: Handling Low Stack Space ====
 The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that.
-For the current task, switch to the ''challenge-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.
+For the current task, switch to the ''task-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.
 Find out how much space you have in the overflow and assess the situation.
@@ Line 389: / Line 389: @@
 Use a new ropchain to call ''%%system("sh")%%''. Use ''searchmem'' in GDB to locate the address of an ''sh'' string, same as the task above.
 </note>
-=== 3. Challenge: Stack Pivoting
+==== 3. Challenge: Stack Pivoting ====
 Let's assume that ''main()'' function had additional constraints that made it impossible to repeat the overflow. How can we still solve it? The method is called stack pivoting. In short, this means making the stack pointer refer another (writable) memory area that has enough space, a memory area that we will populate with the actual ROP chain.
@@ Line 427: / Line 427: @@
 </note>
-=== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode
+/*==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====
 We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call.
@@ Line 460: / Line 460: @@
 Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode.
 </note>
+*/
-=== 5. Challenge [Bonus]
+==== 4. Challenge [Bonus] ====
-Switch to ''challenge-05''. You have a 64 bit binary that you need to exploit to execute /bin/date:
+Switch to ''task-04''. You have a 64 bit binary that you need to exploit to execute /bin/date:
   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.
   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.
   * Extra: Pop a shell.
-=== Resources:
+==== Resources: ====
   * https://syscalls.kernelgrok.com/