SI485H: Stack Based Binary Exploits (SP17)



Lab 13: Weakest Link in the Chain

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Do the Chain-Gang (2 points)

Description

  • Write a ROP exploit that will chain the functions together to reveal the secret flag

Preamble

  • The assignment must be completed on the clone-1 saddleback VM

    ssh -p 2201 saddleback.academy.usna.edu
    
  • The gitlab repository for this lab is found here

    http://saddleback.academy.usna.edu/aviv/lab13.1
    

Instructions

  • In the repo, you will find a source file for a program called vuln.c; you can compile and work with this file as you wish.
  • Your task is to exploit the version of the program that is compiled and executable on the clone-1 saddleback VM at this location

    ~aviv/lab/13.1/vuln
    
  • Your task is to overwrite the return address of main() with a chain of function calls such that the string pwn contains the phrase gonavygo.
  • Once gonavygo is achieved, the last function called in the chain should be flag(), to reveal the secret message.
  • You should use the gen_chain.py program to build your ROP chain as it will be a tad long.
  • Once complete, the following will reveal the secret message:

    ./vuln `python gen_chain.py`
    pwn: gonavygo
    FLAG ACHIEVED
    <flag>
    

Submission

  • You must submit at least two files:
    • secret.txt: contents of the flag file
    • gen_chain.py: the format string you used

Hints

  • There is a sequence of add_a() and manipulate() calls that will achieve the desired result
  • You might need a gadget, or two, or three …
  • Don't forget to call flag() when you're done

Part 2: mprotect chains them all together (3 points)

Description

  • Use a ROP chain to change the protection of a mapped page so you can execute code to reveal the secret message.

Preamble

  • The assignment must be completed on your own VM

Instructions

  • Your task is to create a ROP chain that changes the memory protection of a mapped page using the mprotect system call.
  • The mapped page is at address 0xb7db3000 and is 40960 bytes long.
  • Once you change the protections of the mapped page, you should execute the code found at the address 0xb7db3fed.
  • Once you've completed this, the secret message will print to the screen. Save it and submit it:

    ./vuln YOUREXPLOIT > secret.txt
    
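The chain in this part leaves behind a mapping that is both writable and executable, which is exactly what a W^X monitor looks for. As an added example (not part of the lab materials), the Python script below parses /proc/<pid>/maps snapshots, flags W+X regions and reports regions that gained execute permission between two snapshots; the snapshots are constructed and assume the 32-bit layout described above.

```python
import re
from dataclasses import dataclass

# One line of /proc/<pid>/maps: range, perms, offset, device, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str
    def contains(self, addr):
        return self.start <= addr < self.end

def parse_maps(text):
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out

def find_wx(mappings):
    # Writable and executable at the same time: a W^X violation worth alerting on.
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]

def newly_executable(before, after):
    # Regions that gained 'x' between two snapshots, as (start, old_perms, new_perms).
    old = {m.start: m.perms for m in before}
    return [(m.start, old[m.start], m.perms) for m in after
            if m.start in old and "x" not in old[m.start] and "x" in m.perms]

# Constructed 32-bit snapshots (not captured from the lab VM). The second shows the
# anonymous page from Part 2 after an mprotect() call added execute permission to it.
BEFORE = """\
08048000-08049000 r-xp 00000000 08:01 1234 /home/user/vuln
08049000-0804a000 rw-p 00001000 08:01 1234 /home/user/vuln
b7db3000-b7dbd000 rw-p 00000000 00:00 0
b7dbd000-b7f5c000 r-xp 00000000 08:01 5678 /lib/i386-linux-gnu/libc.so.6
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""
AFTER = BEFORE.replace("b7db3000-b7dbd000 rw-p", "b7db3000-b7dbd000 rwxp")

if __name__ == "__main__":
    print(newly_executable(parse_maps(BEFORE), parse_maps(AFTER)))
```

On a live system the same functions can be fed the contents of /proc/<pid>/maps taken before and after a suspicious syscall, or a single snapshot checked with find_wx().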

Submission

  • You must submit secret.txt

Hints

  • Use ROPGadget.py to find all the gadgets you need
  • Adding to and subtracting from numbers is a good way to avoid null bytes