Differences

This shows you the differences between two versions of the page.

--- session:solution:10 [2015/07/07 16:50] – created Razvan Deaconescu
+++ session:solution:10 [2020/07/19 09:49] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== Session 10 Solutions ======
-===== Simple Syscall =====
+===== ret-to-plt =====
-TODO
+Idea: The stack would need to look like:
+  * address of puts (in place of the return address)
+  * address of exit
+  * argument to puts call (address of string)
-===== Looping Math =====
+===== ret-to-libc =====
-TODO
+Idea: The stack would need to look like:
+  * address of system (in place of the return address)
+  * address of exit
+  * argument to system call (address of string)
-===== Call Secret Function =====
+To find the ''%%"/bin/sh"%%'' string use the ''searchmem'' command in GDB PEDA.
-TODO
+===== Brute Force =====
-===== No Exit =====
+Idea: Used fixed addresses for ''system()'' and ''%%"/bin/sh"%%'' and run the exploit test command until the addresses match.
-TODO
+===== mprotect =====
-===== Extra: Obfuscation =====
+Idea: The stack would need to look like:
+  * address of ''mprotect()''
-TODO
+  * address of buffer start (where the shellcode is located)
+  * first argument of ''mprotect()''
-===== Extra: Platform-independent =====
+  * 2nd argument of ''mprotect()''
+...
-TODO