Differences

This shows you the differences between two versions of the page.

--- sesiuni:memory:4 [2013/07/11 04:36]
rcaragea [Gdb tricks you might need]
+++ sesiuni:memory:4 [2013/07/12 11:52]
rcaragea [Tools you will need]
@@ Line 19: / Line 19: @@
   * Your goal is to 'trick' the application into reading the content of that file
   * After you obtain the password you can advance to the next level by switching to that user
-  * You are initially given the password to log into randmin_01 and gatekeeper_01
+  * You are initially given the password to log into randmin_01: "1234" and gatekeeper_01: "4321"
 == Categories ==
@@ Line 26: / Line 26: @@
   * **gatekeeper_01**
   * **gatekeeper_02**
-  * **gatekeeper_03**
+  * **gatekeeper_03** (Bonus)
 Category 2 (memory corruption)
@@ Line 86: / Line 86: @@
 **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space.
 == Gdb tricks you might need ==
-Check the [[sesiuni:memory:gdb|]]
+Check the [[sesiuni:memory:gdb|]] especially in the 'information' and 'various useful stuff' sections
+== Hijacking control flow ==
+ * The exact location of a segfault is written in the kernel log. You can view it with dmesg (you'll only need the last line)
+<code bash>
+randmin_01@102lin:~$ ./randmin_01
+Enter the password:
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+You entered:
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+You are not the Randministrator!
+This unauthorized attempt will be logged.
+Segmentation fault
+randmin_01@102lin:~$ dmesg|tail -1
+[ 5277.100200] randmin_01[5839]: segfault at 41414141 ip 0000000041414141 sp 00000000ffffd370 error 14
+randmin_01@102lin:~$
+</code>
+* You can use a pattern so that you can easily see what was written into the return address instead of trial and error.
+<code bash>
+randmin_01@102lin:~$ ./randmin_01
+Enter the password:
+Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5
+You entered:
+Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5
+You are not the Randministrator!
+This unauthorized attempt will be logged.
+Segmentation fault
+randmin_01@102lin:~$ dmesg|tail -1
+[ 5481.155852] randmin_01[5853]: segfault at 64413764 ip 0000000064413764 sp 00000000ffffd370 error 14
+</code>
+* For tasks randmin_04 and up: calling system(char *cmd)
+     * Because system() takes one argument, you will have to do more than just overwrite the return address, you will need to append to your exploit pattern 4 bytes of 'JUNK' and 4 bytes that contain the address of char *cmd
+== Tools you will need ==
+  * gdb
+  * nm
+  * ldd
+  * objdump
+  * ulimit
+  * checksec.sh [[http://www.trapkit.de/tools/checksec.sh]]
+  * <del> aslr_brute_helper.py [[http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py]] </del>

Pagini

Workshops

Organizatori

Parteneri

sesiuni/memory/4.txt · Last modified: 2013/07/12 15:21 by rcaragea

Show page Old revisions

Backlinks Back to top