session:solution:12
Session 12 Solutions
Gadget Tut
TODO
Echo Service
Going through the echo_service.c file, we see that the echo_service() function calls read() with a length of 4096 bytes, while the buf buffer it reads into is only 1024 bytes long. We can use this to create a return-oriented programming (ROP) attack.
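Before the exploit steps, the defect itself next to its fix, as an added example that is not the lab's echo_service.c (which is not reproduced on this page): the shape of echo_service_vulnerable() is a hypothetical reconstruction, and only the 1024-byte buffer and 4096-byte read length come from the solution above. The pipe stands in for the client socket, and the sentinel word placed right after buf shows that the bounded read leaves adjacent stack memory untouched.

```c
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 1024   /* size of buf in echo_service(), as stated in the solution */

/* Hypothetical reconstruction of the defect described above: read() is asked
 * for 4096 bytes while buf holds 1024, so a longer request runs past buf and
 * over the saved return address. Kept for comparison only; nothing calls it. */
void echo_service_vulnerable(int sockfd, size_t request_len /* 4096 in the lab */)
{
    char buf[BUF_SIZE];
    ssize_t n = read(sockfd, buf, request_len);   /* BUG: unrelated to sizeof buf */
    if (n > 0)
        write(sockfd, buf, (size_t)n);
}

/* Hardened read: the request length is tied to the destination size, so the
 * client can fill buf but never write beyond it. Returns bytes stored or -1. */
ssize_t bounded_read(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap);   /* at most cap bytes, whatever was sent */
    return n < 0 ? -1 : n;
}

/* Pushes a constructed payload of payload_len 'A' bytes through a pipe (standing
 * in for the client socket) and reads it with bounded_read() into a buf that has
 * a sentinel word right after it. Returns bytes stored, -1 on error, -2 on overflow. */
ssize_t demo_bounded_read(size_t payload_len)
{
    struct { char buf[BUF_SIZE]; unsigned int sentinel; } frame;
    const unsigned int marker = 0xA5A5A5A5u;
    static char payload[4096];   /* constructed client input, not real traffic */
    int fds[2];
    if (payload_len > sizeof payload || pipe(fds) != 0)
        return -1;
    memset(payload, 'A', payload_len);
    frame.sentinel = marker;
    ssize_t w = write(fds[1], payload, payload_len);   /* <= PIPE_BUF, so one atomic write */
    close(fds[1]);
    ssize_t n = w == (ssize_t)payload_len ? bounded_read(fds[0], frame.buf, sizeof frame.buf) : -1;
    close(fds[0]);
    return frame.sentinel == marker ? n : -2;
}

int main(void)
{
    return demo_bounded_read(4096) == BUF_SIZE ? 0 : 1;   /* 4096 sent, only 1024 stored */
}
```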
Let's first consider our steps.
- We will create a payload that overflows the buf buffer and rewrites the return address of the echo_service() function, triggering the attack (the ROP chain).
- We will update the payload to issue the following calls through the ROP chain, as also indicated in the task:
  dup2(sockfd, 1); dup2(sockfd, 0); system("/bin/sh");
- We will start the server and then use netcat to send the payload to the server to trigger the attack.
We aim for the stack to look like the one below:

0x00000000
...
start address of buf
...
+--------------------------------+
| dup2() address                 | <--- return address for echo_service()
+--------------------------------+
| pop_pop_ret gadget address     |
+--------------------------------+
| 4                              |
+--------------------------------+
| 1                              |
+--------------------------------+
| dup2() address                 |
+--------------------------------+
| pop_pop_ret gadget address     |
+--------------------------------+
| 4                              |
+--------------------------------+
| 0                              |
+--------------------------------+
| system() address               |
+--------------------------------+
| junk                           |
+--------------------------------+
| "/bin/sh" address              |
+--------------------------------+
...
0xFFFFFFFF
