SI485H: Stack Based Binary Exploits (SP17)



Lab 12: Return 2 the scene of the lib

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Return To the Shell (2 points)

Description

  • Use a ret2libc attack to launch a shell

Preamble

  • This lab must be completed on the si485h-clone1 vm machine

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • The vulnerable program is found at the following path

    ~aviv/labs/12.1/crack
    
  • The code is compiled with a non-executable stack.
  • The program's source code is provided as part of the repo, but you must exploit the compiled version found at the path above.
  • You should launch a shell once you've completed the exploit. You can then find the secret message at the following path:

    ~aviv/labs/12.1/secret.txt
    

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • Stack alignment is key

Part 2: Formats + r2libc (4 points)

Description

  • Use a format string attack to launch a shell via a return-to-libc call

Preamble

  • This lab must be completed on the si485h-clone1 vm machine

    ssh -p 2201 saddleback.academy.usna.edu
    

Instructions

  • The vulnerable program is found at the following path

    ~aviv/labs/12.2/crack
    
  • The code is compiled with stack protectors and a non-executable stack.
  • The program's source code is provided as part of the repo, but you must exploit the compiled version found at the path above.
  • You should launch a shell once you've completed the exploit. You can then find the secret message at the following path:

    ~aviv/labs/12.2/secret.txt
    

Submissions

  • You must submit the secret message in the file secret.txt

Hints

  • Once you determine where you are writing, you need to write to two addresses: one for the return2libc and one for the arguments.