Lab2 Walkthrough

2017-Fall Course Website

Advisor: Si Chen

Step 1: Open Terminal

Open Terminal

Step 2: Check and Turn off ASLR

Type: cat /proc/sys/kernel/randomize_va_space If return 0, it means the ASLR have been turned off. Otherwise, we need to manually turn it off.

check ASLR

To turn off ASLR:

Change to root user: su root, default password is chensi
Then type: echo 0 > /proc/sys/kernel/randomize_va_space

Step 3: Compile the code

  • Download the source code to a folder
  • Compile the code, make sure to turn off DEP and StackGuard gcc lab2.c -o lab2 -m32 -fno-stack-protector

Step 4: Use GDB to trigger buffer overflow

  • Similarly to lab1, please use gdb to adjust the length of the dummy characters to trigger buffer overflow

Step 5: Prepare ROP chain

    ROP chain structure

  • The ROP chain should call add_bin() function first, then use a pop, ret gadget to push the argument 0xdeadbeef into ebp to make sure magic == 0xdeadbeef
  • add_bin address

  • The address of add_bin() function is: 0x004005cb
  • pop ret gadget

  • One pop, ret gadget we can utilize is located at the end of the add_bin() function 0x00400616
  • Next, the ROP chain should call add_bash() function, then use a pop, pop, ret gadget to push two argumenta 0xcafebabe and 0xbadf00d onto the stack to make sure magic1 == 0xcafebabe && magic2 == 0xbadf00d
  • add bash

  • The address of add_bash() function is: 0x00400618
  • pop pop ret gadget

  • One pop,pop, ret gadget we can utilize is located at the end of the add_bin() function 0x00400615 :)
  • Finally, we need to put the exec_string's address into our ROP chain
  • pop pop ret gadget

  • Now, we can pass the generated shellcode and stored it into a file named attack(similar to lab1) and send it as the input to lab2 program
  • shellcode

  • Nothing happened?? The reason that it not prompt a shell is because you are running /bin/bash from the command line, and you are using the < to feed the shellcode from a file, the shell will immediately terminate when it reaches the end of input. If you want it to remain keyboard interactive, do this: cat attack - | ./lab2 shellcode2

  • You can type any bash shell command now:) Have fun
  • If you are still confused, please download the following python script [Link] which is able to auto-gen the shellcode and launch the attack. All you need to do is replace the address of the add_bin(), add_bash(),exec_string(), pop_ret gadget and pop_pop_ret gadget with it's actual address. Make sure the script and lab2 file are in the same folder and then type python2