session:12 [2020/07/19 12:49] 127.0.0.1 external edit
session:12 [2020/07/20 17:34] (current) Liza-Elena BABU (78556) [1. Challenge: Using ROP to Leak and Call system()]
Line 279:
==== 1. Challenge: Using ROP to Leak and Call system() ====
- Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''
+ Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''
You can now call the functions in the binary but ''
Line 356:
The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that.
- For the current task, switch to the ''
+ For the current task, switch to the ''
Find out how much space you have in the overflow and assess the situation.
Line 427:
</
- ==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====
+ /*==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====
We want to exploit a more constrained environment. The constraint is to remove the ''
Line 460:
Use the [[http://
</
+ */
- ==== 5. Challenge [Bonus] ====
+ ==== 4. Challenge [Bonus] ====
- Switch to ''
+ Switch to ''
  * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.
  * Then overflow the second buffer and issue a syscall for **execve("/