From fc6e82f8f35bc178fc01c01f75bd3fc090d22a99 Mon Sep 17 00:00:00 2001 From: Navan Chauhan Date: Wed, 18 Oct 2023 20:00:35 -0600 Subject: add link to tags --- docs/posts/2023-10-04-bomb-lab.html | 9 +- docs/posts/2023-10-05-attack-lab.html | 71 +++++------ docs/posts/index.html | 230 +++++++++++++++++----------------- 3 files changed, 149 insertions(+), 161 deletions(-) (limited to 'docs/posts') diff --git a/docs/posts/2023-10-04-bomb-lab.html b/docs/posts/2023-10-04-bomb-lab.html index 799678d..c6e94db 100644 --- a/docs/posts/2023-10-04-bomb-lab.html +++ b/docs/posts/2023-10-04-bomb-lab.html @@ -49,11 +49,10 @@

Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems

-

The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.

-
- -
-

There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!

+

The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused. +

+ There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad! + Bomb Lab Handout

I like using objdump to disassemble the code and get a broad overview of what is happening before I start.

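Review bot: the commit message says only "add link to tags", but this hunk changes the bomb-lab post itself: the nested blockquote wrapper (the `-` lines that carried nothing but the wrapper) is collapsed into one quote and a "Bomb Lab Handout" attribution is appended after "welcome to the bomb squad!". Either mention the handout attribution in the message or split it into its own commit so the history stays searchable. Also, the two handout paragraphs now sit on one `+` line; confirm the rendered page still breaks between "...every phase has been defused." and "There are too many bombs...", since the removed wrapper lines were what separated them before.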
diff --git a/docs/posts/2023-10-05-attack-lab.html b/docs/posts/2023-10-05-attack-lab.html index 82a02fe..d049a6b 100644 --- a/docs/posts/2023-10-05-attack-lab.html +++ b/docs/posts/2023-10-05-attack-lab.html @@ -49,7 +49,8 @@

Lab 3 for CSCI 2400 @ CU Boulder - Computer Systems

-

This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow.

+

This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow. + Attack Lab Handout

Again, I like using objdump to disassemble the code.

@@ -113,11 +114,10 @@ NICE JOB!

Phase 2

-

Phase 2 involves injecting a small amount of code as part of your exploit string.

-
- -
-

Within the file ctarget there is code for a function touch2 having the following C representation:

+

Phase 2 involves injecting a small amount of code as part of your exploit string. +

+ Within the file ctarget there is code for a function touch2 having the following C representation: + Attack Lab Handout

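Review bot: the attribution lands in the wrong place in this hunk. The quoted sentence ends with "having the following C representation:" and the very next `+` fragment is "Attack Lab Handout", so the citation now sits between the colon and the C listing of touch2 that the colon introduces. Move the attribution to after the listing, or attribute the whole quoted block once at its end, so the colon leads directly into the code.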
@@ -138,11 +138,10 @@ NICE JOB!

Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case, - however, you must make it appear to touch2 as if you have passed your cookie as its argument.

-
- -
-

Recall that the first argument to a function is passed in register %rdi

+ however, you must make it appear to touch2 as if you have passed your cookie as its argument. +

+ Recall that the first argument to a function is passed in register %rdi + Attack Lab Handout

This hint tells us that we need to store the cookie in the rdi register

@@ -275,22 +274,17 @@ NICE JOB!

Phase 3

-

Phase 3 also involves a code injection attack, but passing a string as argument.

-
- -
-

You will need to include a string representation of your cookie in your exploit string. The string should - consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”

-
- -
-

Your injected code should set register %rdi to the address of this string

-
- -
-

When functions hexmatch and strncmp are called, they push data onto the stack, overwriting +

Phase 3 also involves a code injection attack, but passing a string as argument. +

+ You will need to include a string representation of your cookie in your exploit string. The string should + consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.” +

+ Your injected code should set register %rdi to the address of this string +

+ When functions hexmatch and strncmp are called, they push data onto the stack, overwriting portions of memory that held the buffer used by getbuf. As a result, you will need to be careful - where you place the string representation of your cookie.

+ where you place the string representation of your cookie. + Attack Lab Handout

Because hexmatch and strncmp might overwrite the buffer allocated for getbuf we will try to store the data after the function touch3 itself.

@@ -390,21 +384,16 @@ NICE JOB! * movq * popq * ret - * nop

- - -
-

All the gadgets you need can be found in the region of the code for rtarget demarcated by the - functions startfarm and midfarm

-
- -
-

You can do this attack with just two gadgets

-
- -
-

When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit - string will contain a combination of gadget addresses and data.

+ * nop +

+ All the gadgets you need can be found in the region of the code for rtarget demarcated by the + functions startfarm and midfarm +

+ You can do this attack with just two gadgets +

+ When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit + string will contain a combination of gadget addresses and data. + Attack Lab Handout

Let us check if we can find popq %rdi between start_farm and end_farm

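Review bot: a name mismatch is left in place by this hunk: the quoted handout text says the gadgets lie in the region "demarcated by the functions startfarm and midfarm", while the author's own next line says "Let us check if we can find popq %rdi between start_farm and end_farm". The missing underscores in the quote look like the markdown converter treating `_farm` as emphasis markers, and midfarm versus end_farm are different boundaries. Since this block is being touched anyway, escape the underscores in the quote (`start\_farm`, `mid\_farm`) and settle on one pair of function names so the reader searches the right region.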
diff --git a/docs/posts/index.html b/docs/posts/index.html index f074fc5..6695789 100644 --- a/docs/posts/index.html +++ b/docs/posts/index.html @@ -6,7 +6,7 @@ - Section + Posts @@ -56,15 +56,15 @@
  • Published On: 2023-10-05 20:01
  • Tags: - gdb, + gdb, - reverse-engineering, + reverse-engineering, - c++, + c++, - csci2400, + csci2400, - assembly, + assembly @@ -75,15 +75,15 @@
  • Published On: 2023-10-04 13:12
  • Tags: - gdb, + gdb, - reverse-engineering, + reverse-engineering, - c++, + c++, - csci2400, + csci2400, - assembly, + assembly @@ -94,9 +94,9 @@
  • Published On: 2023-04-30 22:50
  • Tags: - astrophysics, + astrophysics, - mathematics, + mathematics @@ -107,9 +107,9 @@
  • Published On: 2023-03-17 13:57
  • Tags: - ramblings, + ramblings, - writing, + writing @@ -120,17 +120,17 @@
  • Published On: 2023-02-08 17:21
  • Tags: - Tutorial, + Tutorial, - Code-Snippet, + Code-Snippet, - Python, + Python, - Siri, + Siri, - macOS, + macOS, - AppleScript, + AppleScript @@ -141,9 +141,9 @@
  • Published On: 2022-12-25 17:32
  • Tags: - Python, + Python, - Mastodon, + Mastodon @@ -154,11 +154,11 @@
  • Published On: 2022-11-07 23:29
  • Tags: - Python, + Python, - OCR, + OCR, - Microsoft Azure, + Microsoft Azure @@ -169,9 +169,9 @@
  • Published On: 2022-08-05 14:46
  • Tags: - Self-Hosted, + Self-Hosted, - YunoHost, + YunoHost @@ -182,11 +182,11 @@
  • Published On: 2022-05-21 17:56
  • Tags: - Python, + Python, - Transformers, + Transformers, - Recommendation-System, + Recommendation-System @@ -197,11 +197,11 @@
  • Published On: 2021-06-27 23:26
  • Tags: - Swift, + Swift, - CoreML, + CoreML, - NLP, + NLP @@ -212,9 +212,9 @@
  • Published On: 2021-06-26 13:04
  • Tags: - Cheminformatics, + Cheminformatics, - JavaScript, + JavaScript @@ -225,11 +225,11 @@
  • Published On: 2021-06-25 16:20
  • Tags: - iOS, + iOS, - Shortcuts, + Shortcuts, - Fun, + Fun @@ -240,11 +240,11 @@
  • Published On: 2021-06-25 00:08
  • Tags: - Python, + Python, - Twitter, + Twitter, - Eh, + Eh @@ -255,13 +255,13 @@
  • Published On: 2020-12-01 20:52
  • Tags: - Tutorial, + Tutorial, - Code-Snippet, + Code-Snippet, - HTML, + HTML, - JavaScript, + JavaScript @@ -272,11 +272,11 @@
  • Published On: 2020-11-17 15:04
  • Tags: - Tutorial, + Tutorial, - Code-Snippet, + Code-Snippet, - Web-Development, + Web-Development @@ -287,11 +287,11 @@
  • Published On: 2020-10-11 16:12
  • Tags: - Tutorial, + Tutorial, - Review, + Review, - Webcam, + Webcam @@ -302,13 +302,13 @@
  • Published On: 2020-08-01 15:43
  • Tags: - Tutorial, + Tutorial, - AR.js, + AR.js, - JavaScript, + JavaScript, - Augmented-Reality, + Augmented-Reality @@ -319,11 +319,11 @@
  • Published On: 2020-07-01 14:23
  • Tags: - Tutorial, + Tutorial, - Code-Snippet, + Code-Snippet, - Colab, + Colab @@ -334,15 +334,15 @@
  • Published On: 2020-06-02 23:23
  • Tags: - iOS, + iOS, - Jailbreak, + Jailbreak, - Cheminformatics, + Cheminformatics, - AutoDock Vina, + AutoDock Vina, - Molecular-Docking, + Molecular-Docking @@ -353,15 +353,15 @@
  • Published On: 2020-06-01 13:10
  • Tags: - Code-Snippet, + Code-Snippet, - Molecular-Docking, + Molecular-Docking, - Cheminformatics, + Cheminformatics, - Open-Babel, + Open-Babel, - AutoDock Vina, + AutoDock Vina @@ -372,13 +372,13 @@
  • Published On: 2020-05-31 23:30
  • Tags: - iOS, + iOS, - Jailbreak, + Jailbreak, - Cheminformatics, + Cheminformatics, - Open-Babel, + Open-Babel @@ -389,9 +389,9 @@
  • Published On: 2020-04-13 11:41
  • Tags: - Molecular-Dynamics, + Molecular-Dynamics, - macOS, + macOS @@ -402,9 +402,9 @@
  • Published On: 2020-03-08 23:17
  • Tags: - Vaporwave, + Vaporwave, - Music, + Music @@ -415,9 +415,9 @@
  • Published On: 2020-03-03 18:37
  • Tags: - Android-TV, + Android-TV, - Android, + Android @@ -428,13 +428,13 @@
  • Published On: 2020-01-19 15:27
  • Tags: - Code-Snippet, + Code-Snippet, - tutorial, + tutorial, - Raspberry-Pi, + Raspberry-Pi, - Linux, + Linux @@ -445,11 +445,11 @@
  • Published On: 2020-01-16 10:36
  • Tags: - Tutorial, + Tutorial, - Colab, + Colab, - Turicreate, + Turicreate @@ -460,13 +460,13 @@
  • Published On: 2020-01-15 23:36
  • Tags: - Tutorial, + Tutorial, - Colab, + Colab, - Turicreate, + Turicreate, - Kaggle, + Kaggle @@ -477,9 +477,9 @@
  • Published On: 2020-01-14 00:10
  • Tags: - Code-Snippet, + Code-Snippet, - Tutorial, + Tutorial @@ -490,13 +490,13 @@
  • Published On: 2019-12-22 11:10
  • Tags: - Tutorial, + Tutorial, - Colab, + Colab, - SwiftUI, + SwiftUI, - Turicreate, + Turicreate @@ -507,11 +507,11 @@
  • Published On: 2019-12-16 14:16
  • Tags: - Tutorial, + Tutorial, - Tensorflow, + Tensorflow, - Colab, + Colab @@ -522,11 +522,11 @@
  • Published On: 2019-12-10 11:10
  • Tags: - Tutorial, + Tutorial, - Tensorflow, + Tensorflow, - Code-Snippet, + Code-Snippet @@ -537,11 +537,11 @@
  • Published On: 2019-12-08 14:16
  • Tags: - Tutorial, + Tutorial, - Tensorflow, + Tensorflow, - Colab, + Colab @@ -552,9 +552,9 @@
  • Published On: 2019-12-08 13:27
  • Tags: - Code-Snippet, + Code-Snippet, - Tutorial, + Tutorial @@ -565,7 +565,7 @@
  • Published On: 2019-12-04 18:23
  • Tags: - Tutorial, + Tutorial @@ -576,15 +576,15 @@
  • Published On: 2019-05-05 12:34
  • Tags: - Tutorial, + Tutorial, - Jailbreak, + Jailbreak, - Designing, + Designing, - Snowboard, + Snowboard, - Anemone, + Anemone @@ -595,7 +595,7 @@
  • Published On: 2019-04-16 17:39
  • Tags: - hello-world, + hello-world @@ -606,7 +606,7 @@
  • Published On: 2010-01-24 23:43
  • Tags: - Experiment, + Experiment -- cgit v1.2.3
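Review bot: two things to check on the new tag links, since the href targets are not visible in this rendering. First, tag labels are not normalised before linking: the post of 2020-01-19 uses "tutorial" while every other post uses "Tutorial", and several tags contain spaces ("Microsoft Azure", "AutoDock Vina"). If the tag page URL is derived from the label, the lowercase one will point at a different page from the capitalised one and the spaced ones need URL-escaping; either fix the labels in the source posts or slugify when generating the href. Second, the trailing comma after the last tag of each list is gone (`assembly,` becomes `assembly`), so the separator is now emitted only between tags; good, but make sure the single-tag lists (2019-12-04 "Tutorial", 2019-04-16 "hello-world", 2010-01-24 "Experiment") render with no stray separator. The `Section` to `Posts` page-title change in the first hunk of this file is unrelated to tag links and should also be mentioned in the commit message.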