Lab 13: Weakest Link in the Chain
Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting
Part 1: Do the Chain-Gang (2 points)
- Write a ROP exploit that will chain the functions together to reveal the secret flag
The assignment must be completed on the clone-1 saddleback VM
ssh -p 2201 saddleback.academy.usna.edu
The GitLab repository for this lab is found here
- In the repo, you will find a source file for a program called vuln.c; you can compile and work with this file as you wish.
Your task is to exploit the version of the program that is compiled and executable on the clone-1 saddleback VM at this location
- Your task is to overwrite the return address of main() with a chain of function calls such that the string pwn contains the phrase gonavygo. Once that is achieved, the last function called in the chain should be flag(), to reveal the secret message.
- You should use the gen_chain.py program to build your ROP chain, as it will be a tad long.
Once complete, the following will reveal the secret message:
./vuln `python gen_chain.py`
pwn: gonavygo FLAG ACHIEVED <flag>
- You must submit at least two files:
secret.txt: contents of the flag file
gen_chain.py: the format string you used
- There is a sequence of manipulate() calls that will achieve the desired result
- You might need a gadget, or two, or three …
- Don't forget to call flag() when you're done
Part 2: mprotect chains them all together (3 points)
- Use a rop chain to change the protection of a mapped page so you can execute code to reveal the secret message.
- The assignment must be completed on your own VM
- Your task is to create a ROP chain that changes the memory protection of a mapped page using the
- The mapped page is at address 0xb7db3000 and the page is 40960 bytes long.
- Once you change the protections of the mapped page, you should execute the code found at the address
Once you've completed this, the secret message will print to the screen. Save it and submit it:
./vuln YOUREXPLOIT > secret.txt
- You must submit secret.txt
- Use ROPGadget.py to find all the gadgets you need
- Adding to and subtracting from numbers is a good way to avoid null bytes
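To make the last hint concrete, here is an added example (not part of the lab materials or gen_chain.py) that checks whether a 32-bit value contains a null byte and, if so, splits it into two null-free addends that sum back to it modulo 2^32. It assumes 32-bit little-endian words, and uses the page address 0xb7db3000 and page length 40960 from above as the values to encode.

```python
import struct

MASK32 = 0xFFFFFFFF


def has_null_byte(value: int) -> bool:
    """True if the 4-byte little-endian encoding of value contains 0x00."""
    return b"\x00" in struct.pack("<I", value & MASK32)


def split_no_null(value: int):
    """Return (a, b) such that (a + b) mod 2^32 == value and neither
    a nor b contains a null byte when packed as a 32-bit word.

    The search tries b = 0x01010101, 0x02020202, ... (never null) and
    derives a = value - b mod 2^32, stopping at the first null-free a.
    """
    value &= MASK32
    for k in range(1, 256):
        b = k * 0x01010101
        a = (value - b) & MASK32
        if not has_null_byte(a) and not has_null_byte(b):
            return a, b
    raise ValueError("no null-free split found for 0x%08x" % value)


def encode_pair(value: int) -> bytes:
    """Little-endian packing of the two addends, 8 bytes with no 0x00."""
    a, b = split_no_null(value)
    return struct.pack("<II", a, b)


if __name__ == "__main__":
    # Both lab values contain a null byte in their 32-bit encoding.
    for v in (0xb7db3000, 40960):
        a, b = split_no_null(v)
        print("0x%08x -> 0x%08x + 0x%08x (null-free: %s)"
              % (v, a, b, b"\x00" not in encode_pair(v)))
```

Rebuilding the original value from the two addends is then an add (or subtract) at chain time, which is exactly the trick the hint refers to.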