Session 4: Intro to memory corruption mitigation.

Tasks along with descriptions and hints are available only on the lab machines. The lab format is split into two parts and is challenge-oriented:

  • Each task can be accessed only by its owner user (e.g. task randmin_01 and its source can be read only by user randmin_01)
  • The tasks have elevated permissions on execution (e.g. task randmin_01 has permissions to read files of randmin_01 and randmin_02)
  • The password for the next level is in flags/next_task_level
  • Your goal is to 'trick' the application into reading the content of that file
  • After you obtain the password you can advance to the next level by switching to that user
  • You are initially given the password to log into randmin_01 and gatekeeper_01


Category 1 (address space recap) requires you to enter a password in order to print the flag for the next level, but there is a catch: instead of a password, you need to enter a memory address.

  • gatekeeper_01
  • gatekeeper_02
  • gatekeeper_03

Category 2 (memory corruption)

  • randmin_01, randmin_02: You need to defeat NX by returning to .text
  • randmin_03, randmin_04: You need to defeat NX by returning to libc
  • randmin_05: You need to defeat NX + ASLR
  • randmin_06: You need to defeat NX + ASLR + PIE
  • randmin_07 (Bonus): You need to defeat NX + ASLR + PIE + SSP
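Before working on any Category 2 task it helps to confirm which of the mitigations named above (NX, PIE, SSP) a binary was actually built with, and whether ASLR is switched on system-wide. The following is an added example, not part of the lab handout or the lab binaries: a stdlib-only inspector that reads the ELF64 header and program headers directly, the way checksec-style tools do. The sample ELF images it builds are constructed test data, not the randmin binaries, and the ASLR check assumes a Linux host with /proc/sys/kernel/randomize_va_space.

```python
"""Report the memory-corruption mitigations recorded in an ELF64 binary.

Added example (not lab code): NX is recorded in the PT_GNU_STACK program
header, PIE in the ELF type (ET_DYN), and SSP leaves a reference to
__stack_chk_fail in the binary. ASLR is a kernel setting, so it is read
from /proc rather than from the file.
"""
import struct
from dataclasses import dataclass

PT_GNU_STACK = 0x6474E551   # program header that records stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable / position-independent


@dataclass
class Mitigations:
    nx: bool    # stack is not executable
    pie: bool   # image is position-independent (ET_DYN)
    ssp: bool   # stack protector (canary) references present


def inspect_elf64(data: bytes) -> Mitigations:
    """Parse a little-endian ELF64 image and return its recorded mitigations."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # Fixed ELF64 header offsets: e_type @16, e_phoff @32, e_phentsize/e_phnum @54/56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Without a PT_GNU_STACK header the loader gives the stack an executable
    # mapping, so "no header" counts as NX disabled.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)

    # ET_DYN is what PIE executables are; shared libraries are ET_DYN too,
    # so on a real file also check for a PT_INTERP header if that matters.
    pie = e_type == ET_DYN
    # A substring search is sufficient for this illustration; a full tool
    # would walk .dynsym/.dynstr instead.
    ssp = b"__stack_chk_fail" in data
    return Mitigations(nx=nx, pie=pie, ssp=ssp)


def aslr_status(path: str = "/proc/sys/kernel/randomize_va_space") -> str:
    """Describe the kernel-wide ASLR mode; 'unknown' when the file is absent."""
    try:
        with open(path) as f:
            mode = int(f.read().strip())
    except (OSError, ValueError):
        return "unknown"
    return {0: "disabled", 1: "stack/mmap/vdso randomised",
            2: "full (brk heap too)"}.get(mode, "unknown")


def build_sample_elf(stack_flags: int, e_type: int, with_ssp: bool) -> bytes:
    """Construct a minimal ELF64 image (constructed test data, not a real
    binary) with exactly one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,      # e_type, e_machine (x86-64), e_version
        0, 64, 0,             # e_entry, e_phoff (right after header), e_shoff
        0, 64, 56, 1,         # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if with_ssp else b""
    return ehdr + phdr + tail


def report(data: bytes) -> str:
    """One-line summary in the order the lab lists the mitigations."""
    m = inspect_elf64(data)
    on = lambda b: "on" if b else "off"
    return f"NX={on(m.nx)} PIE={on(m.pie)} SSP={on(m.ssp)} ASLR={aslr_status()}"


if __name__ == "__main__":
    hardened = build_sample_elf(PF_R | PF_W, ET_DYN, True)
    weak = build_sample_elf(PF_R | PF_W | PF_X, ET_EXEC, False)
    print("hardened sample:", report(hardened))
    print("weak sample:    ", report(weak))
```

To use it on a real file, pass the result of `open(path, "rb").read()` to `report`; the two constructed samples only exist so the script runs without any binary on hand.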

Example run


GDB tricks you might need
