Step 1: Open Terminal
Step 2: Check and Turn off ASLR
Type: cat /proc/sys/kernel/randomize_va_space
If it returns 0, ASLR has already been turned off.
Otherwise, we need to turn it off manually.

To turn off ASLR:
Change to the root user: su root (the default password is chensi)
Then type: echo 0 > /proc/sys/kernel/randomize_va_space
Step 3: Compile the code
- Download the source code to a folder
- Compile the code, making sure DEP and StackGuard are turned off: gcc lab2.c -o lab2 -m32 -fno-stack-protector
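Before moving on to Step 4, it is worth confirming that the environment really matches Steps 2 and 3. The following shell script is an added example, not part of the lab handout; it assumes the compiled binary is at ./lab2 and that readelf and nm (binutils) are installed. Read the other way round, the same three checks are what a hardening review expects to find enabled on a production binary.

```shell
#!/bin/sh
# Added example, not part of the lab handout: sanity-check that the lab
# environment matches Steps 2 and 3. Read the other way round, the same
# checks are what a hardening review expects to find on a production
# binary: ASLR on, stack protector present, non-executable stack.

# Interpret randomize_va_space (0 = off, 1 = partial, 2 = full). The file
# to read is an argument so the function can be pointed at a saved copy.
aslr_status() {
    value=$(cat "$1")
    case "$value" in
        0) echo "ASLR disabled" ;;
        1) echo "ASLR partial (brk heap not randomized)" ;;
        2) echo "ASLR full" ;;
        *) echo "ASLR unknown value: $value" ;;
    esac
}

# Decide from 'readelf -l' output (on stdin) whether the stack is executable:
# the GNU_STACK header's flags read RWE when it is. Flags may sit on the
# line after GNU_STACK in 64-bit output, so two lines are examined.
stack_exec_from_readelf() {
    if awk '/GNU_STACK/ {f = 2} f > 0 {print; f--}' | grep -q 'RWE'; then
        echo "executable stack (DEP off)"
    else
        echo "non-executable stack (DEP on)"
    fi
}

# Decide from 'nm' output (on stdin) whether the binary was built with
# StackGuard: -fstack-protector code references __stack_chk_fail.
stack_protector_from_nm() {
    if grep -q '__stack_chk_fail'; then
        echo "stack protector present"
    else
        echo "no stack protector"
    fi
}

# Live run against this machine and the lab binary (path ./lab2 assumed).
if [ "${1:-}" = "--live" ]; then
    aslr_status /proc/sys/kernel/randomize_va_space
    readelf -l ./lab2 | stack_exec_from_readelf
    nm ./lab2 | stack_protector_from_nm
fi
```

Run it as `sh check_lab.sh --live` in the folder containing lab2; the report shows what the binary actually has, regardless of what the compile line was meant to produce.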
Step 4: Use GDB to trigger buffer overflow
- Similarly to lab1, use gdb to adjust the length of the dummy (padding) characters until the buffer overflow is triggered
Step 5: Prepare ROP chain
- The ROP chain should call the add_bin() function first, then use a pop, ret gadget so that the argument 0xdeadbeef is popped into ebp, making sure magic == 0xdeadbeef
- The address of the add_bin() function is 0x004005cb
- One pop, ret gadget we can utilize is located at the end of the add_bin() function, at 0x00400616
- Next, the ROP chain should call the add_bash() function, then use a pop, pop, ret gadget to push the arguments 0xcafebabe and 0xbadf00d onto the stack, making sure magic1 == 0xcafebabe && magic2 == 0xbadf00d