Security Summer School

User Tools

Site Tools

session:12

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
session:12 [2020/07/19 09:49] – external edit 127.0.0.1session:12 [2020/07/20 14:34] (current) – [1. Challenge: Using ROP to Leak and Call system()] Liza-Elena BABU (78556)
Line 279: Line 279:
 ==== 1. Challenge: Using ROP to Leak and Call system() ==== ==== 1. Challenge: Using ROP to Leak and Call system() ====
  
-Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''challenge-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.+Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''task-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.
  
 You can now call the functions in the binary but ''system()'' or any other appropriate function is missing and ASLR is enabled. How do you get past this? You need an information leak! To leak information we want to print it to standard output and process it. We use calls to ''printf()'', ''puts()'' or ''write()'' for this. In our case we can use the ''write()'' function call. You can now call the functions in the binary but ''system()'' or any other appropriate function is missing and ASLR is enabled. How do you get past this? You need an information leak! To leak information we want to print it to standard output and process it. We use calls to ''printf()'', ''puts()'' or ''write()'' for this. In our case we can use the ''write()'' function call.
Line 356: Line 356:
 The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that. The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that.
  
-For the current task, switch to the ''challenge-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.+For the current task, switch to the ''task-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.
  
 Find out how much space you have in the overflow and assess the situation. Find out how much space you have in the overflow and assess the situation.
Line 427: Line 427:
 </note> </note>
  
-==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====+/*==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====
  
 We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call. We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call.
Line 460: Line 460:
 Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode. Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode.
 </note> </note>
 +*/
  
-==== 5. Challenge [Bonus] ====+==== 4. Challenge [Bonus] ====
  
-Switch to ''challenge-05''. You have a 64 bit binary that you need to exploit to execute /bin/date:+Switch to ''task-04''. You have a 64 bit binary that you need to exploit to execute /bin/date:
   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.
   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.
session/12.1595152140.txt.gz · Last modified: by 127.0.0.1