Remote Access: If you cannot run the lab on your local machine, you may want to use the Linux Lab Machine remotely. To do so, follow the online instructions. If you experience difficulty, contact the IT service.
Description: The code format.c contains a format string bug when it calls printf(welcome) at line 30. It then asks you to enter a PIN (lines 31-32). If the PIN equals a number (in this example, we simply simulated a secret PIN by calling rand() to generate a random number), you are authenticated properly. The secret PIN is read into the spin variable, which is on the stack. Your job is to get this PIN by using the format string bug. Steps to follow:
1. Run vagrant up followed by vagrant ssh.
2. cd /vagrant
3. Use tmux and split the terminal.
4. gcc format.c -o format
5. On the other pane, convert a hexadecimal value to decimal with echo $((0xhex_num)).
Description: The code bof-admin.c contains a stack buffer overflow in the foo() function, which accepts a string as a parameter and then calls strcpy to copy that parameter into a local buffer of fixed length. This code also has an admin() function which is supposed to be accessed by admin staff if they know a PIN. Obviously, as a normal user, you do not know the admin PIN, but you still want to access the admin-related code. So, your mission is to exploit the buffer overflow bug to execute the admin() function!
A few tips/steps are as follows:
Compile the code as follows:
$ gcc -fno-stack-protector bof-admin.c -o bof
Note: you can also add the option `-ggdb` to make it easier to work with gdb.
Switch off ASLR (we will learn about it later in the course) by running the following command:
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Enable GDB to attach to a running process:
$ echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
Use tmux to have a two-pane terminal to make your life easier.
Run bof in GDB with a long input (as suggested in the source code).
Initially, when you let your binary run till the end (by continuing in GDB), it will crash and you will see a message in GDB like the one below:
Program received signal SIGSEGV, Segmentation fault. 0x000055555555477a in foo ()
Examine the rsp register (the value at the top of the stack, which rsp points to, is what ret moves into the rip register on return).
Now you know the two most crucial pieces of information: the address of the admin() function and the overflowing input bytes. Form your final input as described in the source code. On success, your program should print
**** Welcome to Admin console ****
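As an added illustration (not part of the lab, and not the lab's own format.c or bof-admin.c), the C program below shows the hardened counterparts of the two bugs described above: a fixed format string with the user text passed as an argument instead of printf(welcome), and a bounded copy that reports truncation instead of strcpy into a fixed-length buffer. The function names, the 16-byte buffer and the PIN gate are assumptions made for this example. Note that compiling the original with gcc -Wall -Wformat -Wformat-security already warns about the printf(welcome) call.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of printf(welcome) in format.c: the user-controlled
 * text is an argument to a fixed format, so any "%x" or "%s" inside it is
 * printed literally instead of being interpreted as a conversion that reads
 * the stack. Returns the number of characters written, as printf does. */
int print_welcome_safe(const char *welcome)
{
    return printf("%s\n", welcome);
}

/* Hardened counterpart of the strcpy in foo() of bof-admin.c: copies at most
 * dstsize-1 bytes, always NUL-terminates, and reports truncation so the
 * caller can reject over-long input instead of letting it overwrite the
 * saved return address above the buffer.
 * Returns 0 on a full copy, 1 on truncation, -1 on a zero-sized buffer. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 includes the terminator */
    return 0;
}

/* Constructed PIN gate (assumption, not the lab's foo()/admin()): the admin
 * branch is reachable only through a matching PIN. Over-long input is
 * rejected outright rather than silently truncated. Returns 1 if granted. */
int check_admin_pin(const char *input, unsigned expected_pin)
{
    char buf[16];
    unsigned pin;

    if (copy_bounded(buf, sizeof buf, input) != 0)
        return 0;
    if (sscanf(buf, "%u", &pin) != 1)
        return 0;
    return pin == expected_pin;
}

int main(void)
{
    /* Constructed inputs of the kind the lab feeds the two programs,
     * handled by the safe versions. */
    char buf[8];
    int truncated;

    print_welcome_safe("hello %x %x %s");          /* printed literally */

    truncated = copy_bounded(buf, sizeof buf,
                             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("truncated=%d buf=\"%s\"\n", truncated, buf);

    printf("admin with the right PIN: %d\n", check_admin_pin("1234", 1234));
    printf("admin with a long input:  %d\n",
           check_admin_pin("AAAAAAAAAAAAAAAAAAAAAAAA", 1234));
    return 0;
}
```

Compile and run with gcc -Wall hardened.c -o hardened && ./hardened. The lab deliberately builds with -fno-stack-protector and turns ASLR off so that the bugs are easy to observe; in a real build both stay on, but they only make the overflow harder to exploit, while the bounded copy and the fixed format string remove the bugs themselves.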
Tips: As you use ssh to log in to your VM, you are able to use only one terminal at a time. In order to get another terminal, you would need to log in to the VM in a separate ssh session. Alternatively, you can use a utility that gives you another terminal within the same ssh session. Run the command tmux. You will see a status bar at the bottom which tells you that tmux is running. Now press ctrl + b followed by %; you will see your terminal divided into two panes. Use ctrl + b followed by the right/left arrows to navigate between the panes. See this for more tmux commands.