Differences

sesiuni:memory:4 [2013/07/11 15:32]
rcaragea
sesiuni:memory:4 [2013/07/12 15:21] (current)
rcaragea [Hijacking control flow]
Line 19: Line 19:
   * Your goal is to '​trick'​ the application into reading the content of that file   * Your goal is to '​trick'​ the application into reading the content of that file
   * After you obtain the password you can advance to the next level by switching to that user   * After you obtain the password you can advance to the next level by switching to that user
-  * You are initially given the password to log into randmin_01 and gatekeeper_01+  * You are initially given the password to log into randmin_01: "​1234" ​and gatekeeper_01: "​4321"​
  
 == Categories == == Categories ==
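Review bot: the added quotation marks around "1234" and "4321" are not used anywhere else in this list, so a reader cannot tell whether the quotes are part of the password or just punctuation; put the two values in plain text or monospace and state that they are lab-only accounts handed out for the session, since the line now publishes working credentials for randmin_01 and gatekeeper_01 in the page body.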
Line 26: Line 26:
   * **gatekeeper_01**   * **gatekeeper_01**
   * **gatekeeper_02**   * **gatekeeper_02**
-  * **gatekeeper_03**+  * **gatekeeper_03** ​(Bonus)
  
 Category 2 (memory corruption) Category 2 (memory corruption)
Line 123: Line 123:
 </​code>​ </​code>​
  
-* Calling system(char *cmd) 
-     * Because system() takes one argument, you will have to do more than just overwrite the return address, you will need to append to your exploit pattern 4 bytes of '​JUNK'​ and 4 bytes that contain the address of char *cmd 
  
 + * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern
 +      <code c>
 +      ...
 +      int f()
 +      {
 +          printf("​Hello\n"​);​
 +          return 42;
 +      }
 +      ...
 +      </​code>​
 + * If the address of the function is 0x0804849c your exploit pattern will look like "​AAAAAA...AAA\x9c\x84\x04\x08"​ because calling this function will look like
 +      <code asm>
 +      ...
 +      call   ​804849c <f>
 +      ...
 +      </​code>​
 +* For tasks randmin_03 and up you will need to call system(char *cmd)
 +      <code c>
 +      ...
 +      int f(char *str)
 +      {
 +          printf("​%s\n",​ str);
 +          return 42;
 +      }
 +      ...
 +      </​code>​
 +*  Translated to asm:
 +      <code asm>
 +      ...
 +      movl   ​$0x80485a0,​(%esp) ​     (0x80485a0 is the address of the string parameter)
 +      call   ​804849c <​f> ​           ​
 +      ...
 +      </​code>​
 +* Because '​call'​ also pushes 4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "​AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08"​ where ABCD is the 4 byte value mentioned (any value will work)
 +
 +== Tools you will need ==
 +  * gdb
 +  * nm
 +  * ldd
 +  * objdump
 +  * ulimit
 +  * checksec.sh [[http://​www.trapkit.de/​tools/​checksec.sh]]
 +  * <del> aslr_brute_helper.py [[http://​swarm.cs.pub.ro/​~rcaragea/​aslr_brute_helper.py]] </​del>​
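Review bot: in the second `<code asm>` block the one-argument `f(char *str)` is called at `804849c <f>`, the same address the earlier block gave to the no-argument `f()`, so the two listings read as calls to the same function; give the second function a different (clearly illustrative) address so the contrast between the two exploit patterns is about the extra argument, not the target. The byte string `"\x9c\x84\x04\x08"` is also never explained: one sentence saying that x86 is little-endian, so `0x0804849c` is written least-significant byte first, would save the reader from reversing it by trial and error. For the `ABCD` placeholder, "any value will work" is true only up to the point where the called function returns; since those four bytes sit where the callee's return address is expected, the process will fault when `f`/`system()` returns, which is worth stating so participants understand why the level still succeeds but the target crashes afterwards. Finally, `aslr_brute_helper.py` is struck through with no note on whether the script was withdrawn or merely moved; a short remark next to the `<del>` would avoid questions during the session.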
sesiuni/memory/4.1373545949.txt.gz · Last modified: 2013/07/11 15:32 by rcaragea