Lab2 Hint

2018-Fall Course Website

Advisor: Si Chen

Step 1: Open Terminal

Open Terminal

Step 2: Check and Turn off ASLR

Type: cat /proc/sys/kernel/randomize_va_space If return 0, it means the ASLR have been turned off. Otherwise, we need to manually turn it off.

To turn off ASLR:


Change to root user: su root, default password is csc495
Then type: echo 0 > /proc/sys/kernel/randomize_va_space

Step 3: Compile the code

  • Download the source code to a folder
  • Compile the code, make sure to turn off StackGuard gcc lab2.c -o lab2 -m32 -fno-stack-protector

Step 4: Use GDB to trigger buffer overflow

  • Similarly to lab1, please use gdb to adjust the length of the dummy characters to trigger buffer overflow
  • You can use peda plugin to generate, search, or write a cyclic pattern:
  • create pattern

    check pattern offset

  • The offset is 112.

Step 5: Prepare ROP chain

  • Please download the following python script [Link] which is able to auto-gen the shellcode and launch the attack. You need to add the address of the add_bin(), add_bash(),exec_string(), and all gadgets with it's actual address. Make sure the script and lab2 file are in the same folder and then type python2 lab2_exp.py
  • An similar Python script example can be found here:[Link]
  • The ROP chain should call add_bin() function first, then pass two arguments 0xdeadbeef and 0x41414141 to make sure magic1 == 0xdeadbeef and magic2 == 0x41414141. After that, we need to use a pop, pop, ret gadget to clean two arguments (note: each pop delete one argument from the stack) on the stack
  • Check ch10.pptx for more details: [Link]
  • add_bin address

  • The address of add_bin() function is: 0x004005cb (note: you may have a different address)
  • pop pop ret gadget

  • One pop,pop, ret gadget we can utilize is located at the end of the add_bin() function 0x00400615 :) (note: you may have a different address)
  • Next, the ROP chain should call add_bash() function. Please check the source code to figure out the arugments and also the gadget.
  • Finally, we need to put the exec_string's address into our ROP chain
  • exec_string()

  • You can type any bash shell command now:) Have fun