author: Navan Chauhan <navanchauhan@gmail.com> 2023-10-18 20:00:35 -0600
committer: Navan Chauhan <navanchauhan@gmail.com> 2023-10-18 20:00:35 -0600
commit: fc6e82f8f35bc178fc01c01f75bd3fc090d22a99
tree: cb5a6d6ce6e2455c49d4a5a6e2a1c269d0c7d195 /docs/feed.rss
parent: 6e1c9bd4ef3658d2fde164c518f8df4c7e57f2bc
add link to tags
Diffstat (limited to 'docs/feed.rss')
-rw-r--r-- docs/feed.rss 84
1 files changed, 36 insertions, 48 deletions
diff --git a/docs/feed.rss b/docs/feed.rss
index db86de0..31e8f0e 100644
--- a/docs/feed.rss
+++ b/docs/feed.rss
@@ -4,8 +4,8 @@
<title>Navan's Archive</title>
<description>Rare Tips, Tricks and Posts</description>
<link>https://web.navan.dev/</link><language>en</language>
- <lastBuildDate>Wed, 18 Oct 2023 15:31:35 -0000</lastBuildDate>
- <pubDate>Wed, 18 Oct 2023 15:31:35 -0000</pubDate>
+ <lastBuildDate>Wed, 18 Oct 2023 16:25:58 -0000</lastBuildDate>
+ <pubDate>Wed, 18 Oct 2023 16:25:58 -0000</pubDate>
<ttl>250</ttl>
<atom:link href="https://web.navan.dev/feed.rss" rel="self" type="application/rss+xml"/>
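Review bot: the new lastBuildDate and pubDate lines keep the -0000 offset, which RFC 5322 defines as "no information about the local time zone" rather than as UTC. If the generator is emitting UTC, write +0000 or GMT so feed readers do not have to guess. If feed.rss is regenerated on each build, these two lines will also show up as a diff in every commit even when no post changed.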
@@ -1383,7 +1383,8 @@ Serving HTTP on 0.0.0.0 port 8000 ...
<p>Lab 3 for CSCI 2400 @ CU Boulder - Computer Systems</p>
<blockquote>
- <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow.</p>
+ <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow.
+ <cite> Attack Lab Handout </cite></p>
</blockquote>
<p>Again, I like using objdump to disassemble the code. </p>
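Review bot: the added <cite> sits inside the <blockquote>, on the + line after "not difficult to follow.", so the attribution becomes part of the quoted text. The HTML standard requires the attribution for a blockquote to be placed outside it, for example in a paragraph after </blockquote> or in a <figcaption> of a wrapping <figure>. This hunk also writes "<cite> Attack Lab Handout </cite>" with padding spaces, while the later hunks use "<cite>Attack Lab Handout</cite>"; pick one form.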
@@ -1447,11 +1448,10 @@ NICE<span class="w"> </span>JOB!
<h2>Phase 2</h2>
<blockquote>
- <p>Phase 2 involves injecting a small amount of code as part of your exploit string.</p>
-</blockquote>
-
-<blockquote>
- <p>Within the file ctarget there is code for a function touch2 having the following C representation:</p>
+ <p>Phase 2 involves injecting a small amount of code as part of your exploit string.
+ <br><br>
+ Within the file ctarget there is code for a function touch2 having the following C representation:
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<div class="codehilite">
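Review bot: the sentence ending "having the following C representation:" is now followed by <cite>Attack Lab Handout</cite> before the paragraph closes, so the rendered text reads "...C representation: Attack Lab Handout" and the attribution separates the colon from the codehilite block that follows. Move the attribution after the code block, or put it on its own line after </blockquote>.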
@@ -1472,11 +1472,10 @@ NICE<span class="w"> </span>JOB!
<blockquote>
<p>Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case,
- however, you must make it appear to touch2 as if you have passed your cookie as its argument.</p>
-</blockquote>
-
-<blockquote>
- <p>Recall that the first argument to a function is passed in register %rdi</p>
+ however, you must make it appear to touch2 as if you have passed your cookie as its argument.
+ <br><br>
+ Recall that the first argument to a function is passed in register %rdi
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<p>This hint tells us that we need to store the cookie in the rdi register</p>
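Review bot: the last quoted sentence, "Recall that the first argument to a function is passed in register %rdi", has no terminal punctuation, and the <cite> follows it with only a source line break, so it renders as "...register %rdi Attack Lab Handout" on one line. Put a <br> or other visible separator before the <cite> so the attribution is not read as part of the sentence.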
@@ -1609,22 +1608,17 @@ NICE<span class="w"> </span>JOB!
<h2>Phase 3</h2>
<blockquote>
- <p>Phase 3 also involves a code injection attack, but passing a string as argument.</p>
-</blockquote>
-
-<blockquote>
- <p>You will need to include a string representation of your cookie in your exploit string. The string should
- consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”</p>
-</blockquote>
-
-<blockquote>
- <p>Your injected code should set register %rdi to the address of this string</p>
-</blockquote>
-
-<blockquote>
- <p>When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
+ <p>Phase 3 also involves a code injection attack, but passing a string as argument.
+ <br><br>
+ You will need to include a string representation of your cookie in your exploit string. The string should
+ consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”
+ <br><br>
+ Your injected code should set register %rdi to the address of this string
+ <br><br>
+ When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
portions of memory that held the buffer used by getbuf. As a result, you will need to be careful
- where you place the string representation of your cookie.</p>
+ where you place the string representation of your cookie.
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<p>Because <code>hexmatch</code> and <code>strncmp</code> might overwrite the buffer allocated for <code>getbuf</code> we will try to store the data after the function <code>touch3</code> itself.</p>
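Review bot: four separate excerpts, each previously in its own <blockquote>, are joined here into a single <p> with <br><br> as the separator. That presents them as one continuous passage of the handout and uses line breaks for what are paragraph boundaries. Keep the single <blockquote> but give each excerpt its own <p>, which also lets the <cite> line stand apart from the last excerpt.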
@@ -1724,21 +1718,16 @@ NICE<span class="w"> </span>JOB!
* movq
* popq
* ret
- * nop</p>
-</blockquote>
-
-<blockquote>
- <p>All the gadgets you need can be found in the region of the code for rtarget demarcated by the
- functions start<em>farm and mid</em>farm</p>
-</blockquote>
-
-<blockquote>
- <p>You can do this attack with just two gadgets</p>
-</blockquote>
-
-<blockquote>
- <p>When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit
- string will contain a combination of gadget addresses and data.</p>
+ * nop
+ <br><br>
+ All the gadgets you need can be found in the region of the code for rtarget demarcated by the
+ functions start<em>farm and mid</em>farm
+ <br><br>
+ You can do this attack with just two gadgets
+ <br><br>
+ When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit
+ string will contain a combination of gadget addresses and data.
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<p>Let us check if we can find <code>popq %rdi</code> between <code>start_farm</code> and <code>end_farm</code></p>
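Review bot: the + line "functions start<em>farm and mid</em>farm" carries over a Markdown rendering bug from the removed line: the underscores in start_farm and mid_farm were consumed as emphasis markers, so the function names are wrong in the feed. Escape the underscores or wrap the names in code spans in the source post, as the following paragraph already does with <code>start_farm</code>. The "* movq", "* popq", "* ret", "* nop" lines are likewise literal asterisks inside the <p> rather than a <ul>.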
@@ -3702,11 +3691,10 @@ logger.info("rdkit-{} installation finished!".format(rdkit.__version__))
<p>Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems</p>
<blockquote>
- <p>The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.</p>
-</blockquote>
-
-<blockquote>
- <p>There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!</p>
+ <p>The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.
+ <br><br>
+ There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!
+ <cite>Bomb Lab Handout</cite></p>
</blockquote>
<p>I like using objdump to disassemble the code and get a broad overview of what is happening before I start. </p>
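Review bot: the <cite>Bomb Lab Handout</cite> addition and the blockquote merge in this hunk, like the Attack Lab hunks above, are not described by the commit subject "add link to tags", and no tag link appears in the docs/feed.rss changes shown. Mention the quote attribution change in the commit message, or split it into its own commit so the history for this file is searchable.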