Step 1: Open Terminal
Step 2: Check and Turn off ASLR
Type:
cat /proc/sys/kernel/randomize_va_space
If return
0
, it means the ASLR have been turned off.
Otherwise, we need to manually turn it off.
To turn off ASLR:
Change to root user:
su root, default password is
csc495
Then type:
echo 0 > /proc/sys/kernel/randomize_va_space
Step 3: Compile the code
- Download the source code to a folder
- Compile the code, make sure to turn off StackGuard gcc lab2.c -o lab2 -m32 -fno-stack-protector
Step 4: Use GDB to trigger buffer overflow
- Similarly to lab1, please use gdb to adjust the length of the dummy characters to trigger buffer overflow
- You can use peda plugin to generate, search, or write a cyclic pattern:
- The offset is 112.
Step 5: Prepare ROP chain
- Please download the following python script [Link] which is able to auto-gen the shellcode and launch the attack. You need to add the address of the
add_bin()
, add_bash()
,exec_string()
, and all gadgets with it's actual address. Make sure the script and lab2 file are in the same folder and then type python2 lab2_exp.py
- An similar Python script example can be found here:[Link]
- The ROP chain should call
add_bin()
function first, then pass two arguments 0xdeadbeef
and 0x41414141
to make sure magic1 == 0xdeadbeef
and magic2 == 0x41414141
. After that, we need to use a pop, pop, ret
gadget to clean two arguments (note: each pop
delete one argument from the stack) on the stack
- Check ch10.pptx for more details: [Link]
- The address of
add_bin()
function is: 0x004005cb
(note: you may have a different address)
- One
pop,pop, ret
gadget we can utilize is located at the end of the add_bin()
function 0x00400615
:) (note: you may have a different address)
- Next, the ROP chain should call
add_bash()
function. Please check the source code to figure out the arugments and also the gadget.
- Finally, we need to put the
exec_string
's address into our ROP chain
- You can type any bash shell command now:) Have fun