From a6908f8957d502893cfcd641d0de0bd2ea0145c2 Mon Sep 17 00:00:00 2001 From: Navan Chauhan Date: Mon, 23 Oct 2023 16:17:48 -0600 Subject: Update attack lab --- Content/posts/2023-10-05-attack-lab.md | 8 +++++++- docs/feed.rss | 15 ++++++++++++--- docs/posts/2023-10-05-attack-lab.html | 11 ++++++++++- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/Content/posts/2023-10-05-attack-lab.md b/Content/posts/2023-10-05-attack-lab.md index a173ab8..b31159f 100644 --- a/Content/posts/2023-10-05-attack-lab.md +++ b/Content/posts/2023-10-05-attack-lab.md @@ -41,8 +41,9 @@ Let us try to look into the `getbuf` from our disassembled code. We can see that `0x18` (hex) or `24` (decimal) bytes of buffer is allocated to `getbuf` (Since, 24 bytes are being subtracted from the stack pointer). +**Buffer Overflow**: A buffer overrun happens when the size of the data exceeds the memory size reserved for the buffer we are storing in our value. -Now, since we know the buffer size we can try passing the address of the touch1 function. +Now, since we know the buffer size we can try passing the address of the touch1 function after we pad it up with the buffer size. ```bash jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1 @@ -344,6 +345,11 @@ When a gadget uses a popq instruction, it will pop data from the stack. As a res string will contain a combination of gadget addresses and data. Attack Lab Handout +> What is ROP Attack? +

+is a computer security exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions +https://resources.infosecinstitute.com + Let us check if we can find `popq %rdi` between `start_farm` and `end_farm` The way a normal person would find the hex representation `58` to be between `start_farm` and `end_farm` is to find the line numbers for both and diff --git a/docs/feed.rss b/docs/feed.rss index bcafcbe..f2f8214 100644 --- a/docs/feed.rss +++ b/docs/feed.rss @@ -4,8 +4,8 @@ Navan's Archive Rare Tips, Tricks and Posts https://web.navan.dev/en - Sun, 22 Oct 2023 21:26:58 -0000 - Sun, 22 Oct 2023 21:26:58 -0000 + Mon, 23 Oct 2023 16:17:36 -0000 + Mon, 23 Oct 2023 16:17:36 -0000 250 @@ -1435,7 +1435,9 @@ Serving HTTP on 0.0.0.0 port 8000 ...

We can see that 0x18 (hex) or 24 (decimal) bytes of buffer is allocated to getbuf (Since, 24 bytes are being subtracted from the stack pointer).

-

Now, since we know the buffer size we can try passing the address of the touch1 function.

+

Buffer Overflow: A buffer overrun happens when the size of the data exceeds the memory size reserved for the buffer we are storing in our value.

+ +

Now, since we know the buffer size we can try passing the address of the touch1 function after we pad it up with the buffer size.

jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1
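Review bot: this docs/feed.rss hunk carries the same new sentence as the Markdown source, `Buffer Overflow: A buffer overrun happens when the size of the data exceeds the memory size reserved for the buffer we are storing in our value`, wording problem included, so the feed should be regenerated from Content/ once the source sentence is corrected rather than patched by hand here; otherwise the three copies of the post text will drift apart. The hunk is otherwise consistent with the page hunk later in the patch (same two inserted paragraphs, same 7 to 9 line growth).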
@@ -1754,6 +1756,13 @@ NICE JOB!
   Attack Lab Handout

+
+

What is ROP Attack? +

+ is a computer security exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions + https://resources.infosecinstitute.com

+
+

Let us check if we can find popq %rdi between start_farm and end_farm

The way a normal person would find the hex representation 58 to be between start_farm and end_farm is to find the line numbers for both and diff --git a/docs/posts/2023-10-05-attack-lab.html b/docs/posts/2023-10-05-attack-lab.html index 25c5607..db0324a 100644 --- a/docs/posts/2023-10-05-attack-lab.html +++ b/docs/posts/2023-10-05-attack-lab.html @@ -78,7 +78,9 @@

We can see that 0x18 (hex) or 24 (decimal) bytes of buffer is allocated to getbuf (Since, 24 bytes are being subtracted from the stack pointer).

-

Now, since we know the buffer size we can try passing the address of the touch1 function.

+

Buffer Overflow: A buffer overrun happens when the size of the data exceeds the memory size reserved for the buffer we are storing in our value.

+ +

Now, since we know the buffer size we can try passing the address of the touch1 function after we pad it up with the buffer size.

jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1
@@ -397,6 +399,13 @@ NICE JOB!
   Attack Lab Handout

+
+

What is ROP Attack? +

+ is a computer security exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions + https://resources.infosecinstitute.com

+
+

Let us check if we can find popq %rdi between start_farm and end_farm

The way a normal person would find the hex representation 58 to be between start_farm and end_farm is to find the line numbers for both and -- cgit v1.2.3
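Review bot: the new bolded definition in the first hunk of Content/posts/2023-10-05-attack-lab.md mixes its terms and inverts the relationship it describes: it is headed `**Buffer Overflow**` but the sentence says `A buffer overrun happens`, and `reserved for the buffer we are storing in our value` should be the other way round. Suggest `**Buffer Overflow**: A buffer overflow happens when the data written exceeds the memory reserved for the buffer in which we are storing it.` The rewritten follow-on sentence, `after we pad it up with the buffer size`, reads as if the size itself were the padding; say instead that the input is padded with 24 bytes of filler, the buffer size just computed, before the `touch1` address.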
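Review bot: the blockquote added in the second hunk of Content/posts/2023-10-05-attack-lab.md is broken by the empty `+` line that follows `> What is ROP Attack?`; in Markdown a blank line ends a blockquote, so the definition and the source link will render as an ordinary paragraph outside the quote. Prefix those lines with `>` as well (`> is a computer security exploit technique ...` and `> https://resources.infosecinstitute.com`). The quoted text also starts mid-sentence with a lowercase `is`, so the subject is missing; either quote the full sentence or lead into it (for example `Return-oriented programming "is a computer security exploit technique ..."`), and link the specific article rather than the site root so the attribution can be checked.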