Session 4: Intro to memory corruption mitigation.

Tasks

Summary

Tasks along with descriptions and hints are available only on the lab machines. The lab format is split into two parts and is challenge-oriented:

  • Each task can be accessed only by its owner user (e.g. task randmin_01 and its source can only be read by user randmin_01)
  • The tasks have elevated permissions on execution (e.g. task randmin_01 has permission to read the files of both randmin_01 and randmin_02)
  • The password for the next level is in flags/next_task_level
  • Your goal is to 'trick' the application into reading the content of that file
  • After you obtain the password you can advance to the next level by switching to that user
  • You are initially given the password to log into randmin_01 and gatekeeper_01

Categories

Category 1 (address space recap) requires you to enter a password in order to print the flag for the next level, but there's a catch: you don't enter a password, you need to enter a memory address.

  • gatekeeper_01
  • gatekeeper_02
  • gatekeeper_03

Category 2 (memory corruption)

  • randmin_01, randmin_02: You need to defeat NX by returning to .text
  • randmin_03, randmin_04: You need to defeat NX by returning to libc
  • randmin_05: You need to defeat NX + ASLR
  • randmin_06: You need to defeat NX + ASLR + PIE
  • randmin_07 (bonus): You need to defeat NX + ASLR + PIE + SSP

Example run

TODO

Gdb tricks you might need

TODO

sesiuni/memory/4.1373495218.txt.gz · Last modified: 2013/07/11 01:26 by rcaragea