Differences

sesiuni:memory:4 [2013/07/11 04:36]
rcaragea [Gdb tricks you might need]
sesiuni:memory:4 [2013/07/12 11:52]
rcaragea [Tools you will need]
Line 19: Line 19:
   * Your goal is to '​trick'​ the application into reading the content of that file   * Your goal is to '​trick'​ the application into reading the content of that file
   * After you obtain the password you can advance to the next level by switching to that user   * After you obtain the password you can advance to the next level by switching to that user
-  * You are initially given the password to log into randmin_01 and gatekeeper_01+  * You are initially given the password to log into randmin_01: "​1234" ​and gatekeeper_01: "​4321"​
  
 == Categories == == Categories ==
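Review bot: the new bullet publishes the level-1 passwords ("1234" for randmin_01, "4321" for gatekeeper_01) in the session page itself; since this text is what participants read, state that these are lab-only credentials for the 102lin box so nobody reuses them elsewhere, and keep the sentence in sync with the accounts actually provisioned for the session.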
Line 26: Line 26:
   * **gatekeeper_01**   * **gatekeeper_01**
   * **gatekeeper_02**   * **gatekeeper_02**
-  * **gatekeeper_03**+  * **gatekeeper_03** ​(Bonus)
  
 Category 2 (memory corruption) Category 2 (memory corruption)
Line 86: Line 86:
  
 **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space. **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space.
 +
 +
 == Gdb tricks you might need == == Gdb tricks you might need ==
-Check the [[sesiuni:​memory:​gdb|]]+Check the [[sesiuni:​memory:​gdb|]] ​especially in the '​information'​ and '​various useful stuff' sections 
 + 
 + 
 +== Hijacking control flow == 
 + * The exact location of a segfault is written in the kernel log. You can view it with dmesg (you'​ll only need the last line) 
 + 
 +<code bash> 
 +randmin_01@102lin:​~$ ./​randmin_01 
 +Enter the password: 
 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
 +You entered: 
 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
 +You are not the Randministrator! 
 +This unauthorized attempt will be logged. 
 +Segmentation fault 
 +randmin_01@102lin:​~$ dmesg|tail -1 
 +[ 5277.100200] randmin_01[5839]:​ segfault at 41414141 ip 0000000041414141 sp 00000000ffffd370 error 14 
 +randmin_01@102lin:​~$  
 +</​code>​ 
 + 
 +* You can use a pattern so that you can easily see what was written into the return address instead of trial and error. 
 +<code bash> 
 +randmin_01@102lin:​~$ ./​randmin_01 
 +Enter the password: 
 +Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 
 +You entered: 
 +Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 
 +You are not the Randministrator! 
 +This unauthorized attempt will be logged. 
 +Segmentation fault 
 +randmin_01@102lin:​~$ dmesg|tail -1 
 +[ 5481.155852] randmin_01[5853]:​ segfault at 64413764 ip 0000000064413764 sp 00000000ffffd370 error 14 
 +</​code>​ 
 + 
 + 
 +* For tasks randmin_04 and up: calling system(char *cmd) 
 +     * Because system() takes one argument, you will have to do more than just overwrite the return address, you will need to append to your exploit pattern 4 bytes of '​JUNK'​ and 4 bytes that contain the address of char *cmd 
 + 
 + 
 +== Tools you will need == 
 +  * gdb 
 +  * nm 
 +  * ldd 
 +  * objdump 
 +  * ulimit 
 +  * checksec.sh [[http://​www.trapkit.de/​tools/​checksec.sh]] 
 +  * <del> aslr_brute_helper.py [[http://​swarm.cs.pub.ro/​~rcaragea/​aslr_brute_helper.py]] </​del>​
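Review bot: the bullets beginning `* You can use a pattern` and `* For tasks randmin_04 and up` lack the two-space indent the other DokuWiki bullets on this page use (`  * gdb`), so they will not render as list items; indent them to match, and move the nested `     * Because system()` bullet to four spaces so it nests under its parent. The `<del>` around aslr_brute_helper.py strikes the tool out without saying why; add a few words on whether it is obsolete or simply not needed for these levels. Lastly, the "4 bytes of JUNK plus 4 bytes of address" layout described for system() is specific to the 32-bit binaries shown here (the dmesg lines report `sp 00000000ffffd370`, a 32-bit stack address); say so explicitly, since readers on a 64-bit build will otherwise expect the same layout to apply.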
sesiuni/memory/4.txt · Last modified: 2013/07/12 15:21 by rcaragea