session:solution:10

Differences

This shows you the differences between two versions of the page.

session:solution:10 [2015/07/07 20:00]
Razvan Deaconescu
session:solution:10 [2020/07/19 12:49] (current)
Line 1: Line 1:
 ====== Session 10 Solutions ====== ====== Session 10 Solutions ======
  
-===== ret-to-libc =====+===== ret-to-plt =====
  
-TODO+Idea: The stack would need to look like: 
 +  * address of puts (in place of the return address) 
 +  * address of exit 
 +  * argument to puts call (address of string)
  
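Review bot: the three-slot layout in the ret-to-plt list only holds for a 32-bit cdecl target, where puts reads its argument from the stack just above its own return address; the solution should state that assumption, because on x86-64 the first argument is passed in a register and this layout does not apply. It would also help to say that the list is in increasing address order starting at the overwritten return-address slot, so that the address of exit lands where puts will look for its own return address.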
-===== ret-to-plt =====+===== ret-to-libc ===== 
 + 
 +Idea: The stack would need to look like: 
 +  * address of system (in place of the return address) 
 +  * address of exit 
 +  * argument to system call (address of string)
  
-TODO+To find the ''%%"/bin/sh"%%'' string use the ''searchmem'' command in GDB PEDA.
  
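Review bot: the searchmem tip needs the caveat that addresses read inside GDB match the real process only when ASLR is off. GDB disables address-space randomization for the debuggee by default, so an address of the ''"/bin/sh"'' string found this way will not hold for a normal run of the binary on a system with ASLR enabled; that is the gap the Brute Force section is working around and it is worth saying so here.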
 ===== Brute Force ===== ===== Brute Force =====
  
-TODO+Idea: Used fixed addresses for ''system()'' and ''%%"/bin/sh"%%'' and run the exploit test command until the addresses match.
  
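Review bot: the brute-force idea does not explain why repeating the run eventually succeeds. State that the libc load address changes on each run because of ASLR and that on 32-bit systems only a few bits of it are randomized, so a fixed guess for ''system()'' and ''"/bin/sh"'' is hit after a bounded number of attempts. That is also the defensive takeaway: the same approach is impractical against the far larger randomization space of a 64-bit address space, which is one reason 32-bit ASLR alone is a weak mitigation.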
 ===== mprotect ===== ===== mprotect =====
  
-TODO+Idea: The stack would need to look like: 
 +  * address of ''mprotect()'' 
 +  * address of buffer start (where the shellcode is located) 
 +  * first argument of ''mprotect()'' 
 +  * 2nd argument of ''mprotect()'' 
 +...
  
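Review bot: the mprotect list is incomplete and underspecified. The first argument of ''mprotect()'' must be a page-aligned address, otherwise the call fails with EINVAL and the buffer is never made executable, so that slot should read "page-aligned start of the region containing the buffer" rather than an arbitrary address; and the list stops at the second argument (the length) while ''mprotect()'' takes a third, the protection flags, which the "..." should at least name. The "address of buffer start" in the second slot is the return address ''mprotect()'' jumps to once it succeeds, which is worth labelling as such to keep the layout consistent with the two lists above.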
session/solution/10.1436288417.txt.gz · Last modified: 2015/07/07 20:00 by Razvan Deaconescu