SI485H: Stack Based Binary Exploits (SP17)


Lab 13: Weakest Link in the Chain

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Do the Chain-Gang (2 points)


  • Write a ROP exploit that will chain the functions together to reveal the secret flag


  • The assignment must be completed on the clone-1 saddleback VM

    ssh -p 2201
  • gitlab repository for this lab is found here


  • In the repo, you will find a source file for a program called vuln.c; you can compile and work with this file as you wish.
  • Your task is to exploit the version of the program that is compiled and executable on clone-1 saddleback VM at this location

  • Your task is to overwrite the return address of main() with a chain of function calls such that the string pwn contains the phrase gonavygo.
  • Once gonavygo is achieved, the last function called in the chain should be flag(), to reveal the secret message.
  • You should use the program to build your ROP chain as it will be a tad long.
  • Once complete, the following will reveal the secret message:

    ./vuln `python`
    pwn: gonavygo


  • You must submit at least two files:
    • secret.txt : contents of the flag file
    • : the format string you used


  • There is a sequence of add_a() and manipulate() calls that will achieve the desired result
  • You might need a gadget, or two, or three …
  • Don't forget to call flag() when you're done

Part 2: mprotect chains them all together (3 points)


  • Use a ROP chain to change the protection of a mapped page so you can execute code to reveal the secret message.


  • The assignment must be completed on your own VM


  • Your task is to create a ROP chain that changes the memory protection of a mapped page using the mprotect system call.
  • The mapped page is at address 0xb7db3000 and the mapping is 40960 bytes long.
  • Once you change the protections of the mapped page, you should execute the code found at address 0xb7db3fed.
  • Once you've completed this, the secret message will print to the screen. Save it and submit it:

    ./vuln YOUREXPLOIT > secret.txt


  • You must submit secret.txt


  • Use to find all the gadgets you need
  • Adding to and subtracting from numbers is a good way to avoid null bytes