Lab 4 - ROP based Exploitation
Watch the video for details on this lab. Concrete steps are also outlined below. To see a step by step process of using ROPGadget (the ones we saw in the lecture video), check this page
Aim: open a port on the victim machine using netcat tool that returns a shell (reverse shell exploit).
Setting up the environment:
- download ROPGadget and install from: URL. Its a github repo, so you can either clone it or (suggested) simple use “Download zip” option.
- Download netcat (the latest release of netcat that comes pre-installed in Ubunut has removed a particular option (-e) that we need.
Having said that, official netcat release still shipped with that option! So, we are not completely artificial ;). URL:. However, the same is also avaialble here.
- untar it and build–
make command (do not do make install!)
cp src/netcat /tmp/nc (check if the binary is working as expected
- Compile vuln3.c as
gcc -fno-stack-protector -m32 -static vuln3.c -o vuln3-32
- Use the same trick we saw in the lecture video to find the offsets where the input starts overwriting the saved return addr.
Start populating the supplied ROP exploit python script: exploit-nc-skeleton.py. For this step, you use ROPGadget.py to find ROP chain:
./ROPgadget.py --binary vuln3-32 --ropchain > out-rop.txt
[Note: in case your ROPgadget reports that it could not find a chain on this binary, you can use this binary. In worst case, if that still does not work, use VM that you used in your lab 1 -2 and repeat the whole steps]
- You have helper files to consult exploit-nc.py and exploit-rop.py
- Once successful, open another terminal and type:
$/tmp/nc 127.0.0.1 5678