
session:solution:10

Differences

This shows you the differences between two versions of the page.

session:solution:10 [2015/07/07 19:50]
Razvan Deaconescu created
session:solution:10 [2020/07/19 12:49] (current)
Line 1: Line 1:
 ====== Session 10 Solutions ====== ====== Session 10 Solutions ======
  
-===== Simple Syscall =====+===== ret-to-plt =====
  
-TODO+Idea: The stack would need to look like: 
 +  * address of puts (in place of the return address) 
 +  * address of exit 
 +  * argument to puts call (address of string)
  
-===== Looping Math =====+===== ret-to-libc =====
  
-TODO+Idea: The stack would need to look like: 
 +  * address of system (in place of the return address) 
 +  * address of exit 
 +  * argument to system call (address of string)
  
-===== Call Secret Function =====+To find the ''%%"/bin/sh"%%'' string use the ''searchmem'' command in GDB PEDA.
  
-TODO+===== Brute Force =====
  
-===== No Exit =====+Idea: Used fixed addresses for ''system()'' and ''%%"/bin/sh"%%'' and run the exploit test command until the addresses match.
  
-TODO+===== mprotect =====
  
-===== ExtraObfuscation ===== +Idea: The stack would need to look like
- +  * address of ''mprotect()'' 
-TODO +  * address of buffer start (where the shellcode is located) 
- +  * first argument of ''mprotect()'' 
-===== Extra: Platform-independent ===== +  * 2nd argument of ''mprotect()'' 
- +...
-TODO+
  
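Review bot: the mprotect section is the part of this hunk that needs attention: its lead-in "Idea: The stack would need to look like" lacks the colon the other sections use, and the list breaks off at "..." after the second argument, so the third argument of mprotect() is never listed and the reader cannot see the complete stack layout the way the ret-to-plt and ret-to-libc sections show it; either finish the layout to the same level of detail or state explicitly that the remainder is left as an exercise. Also, in the Brute Force section "Used fixed addresses" should read "Use fixed addresses", and the trailing spaces after "look like: " and after the list items in the ret-to-plt and ret-to-libc sections should be trimmed.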
session/solution/10.1436287800.txt.gz · Last modified: 2015/07/07 19:50 by Razvan Deaconescu