This repository has been archived by the owner on May 21, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
7 changed files
with
76 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Pwn Lab 3:more ROP plz | ||
|
|
||
| 本节 Lab 由以下内容组成: | ||
|
|
||
| 1. 按照课上的演示,爆破 32 程序的栈随机化并通过 shellcode 进行攻击 (20 points) | ||
| 2. 按照课上的演示,选用 one_gadget 或者 ret2csu 的方法再次完成 lab2 中的 ropbaby (20 points) | ||
| 3. 完成 ropbasic 题目 (25 points) | ||
| 4. 完成 ropbasic-harden 题目 (35 points) | ||
| 5. Bonus: 完成校巴的新题目 off-by-null (30 points) | ||
|
|
||
| 相信完成这些题目后,相信你已经可以自信地 claim 自己是 master of ROP 了 | ||
|
|
||
| ## Challenge 1 | ||
|
|
||
| 相比于课堂下发的 `bruteforce_example`,这里的 `bruteforce_homework` 稍微修改了一下栈缓冲区的大小,详见[附件]((https://github.com/team-s2/summer_course_2023/tree/master/src/topic/pwn-lab3/bruteforce)) | ||
|
|
||
| 请通过编写正确的 exploit 生成带有 shellcode 的 `badfile`,类似课堂上的演示去本地循环的爆破 32 位下的栈随机,请在报告中给出最后爆破成功拿到 shell 的截图 | ||
|
|
||
| ## Challenge 2 | ||
|
|
||
| 上次 lab2 中的 ropbaby 我们要求通过 ROP 去执行 `system` 或者 `execve`,这节课结束后,请通过 `one_gadget` 的方式或者 `ret2csu` 的方式进行 ROP 攻击,请在报告中给出成功利用的截图以及将相关代码的打包上传 | ||
|
|
||
| ## Challenge 3 | ||
|
|
||
| 在 `ropbaby` 的基础上,增加了栈保护 stack canary,就成了 `ropbasic`。请完成对其的漏洞分析以及利用 | ||
|
|
||
| - [题目附件](https://github.com/team-s2/summer_course_2023/tree/master/src/topic/pwn-lab3/ropbasic) | ||
| - 题目部署在校网 IP: `10.214.160.13`, Port: `11022` | ||
|
|
||
| 请在报告中附上漏洞分析以及做法,给出成功拿到 flag 的截图,并将攻击代码以附件形式上传 | ||
|
|
||
| ## Challenge 4 | ||
|
|
||
| 在 `ropbasic` 的基础上,增加了 SECCOMP 保护,就成了 `ropbasic-harden`。请完成对其的漏洞分析以及利用 | ||
|
|
||
| - [题目附件](https://github.com/team-s2/summer_course_2023/tree/master/src/topic/pwn-lab3/ropbasic-harden) | ||
| - 题目部署在公网 IP: `116.62.247.145`, Port: `11023` | ||
|
|
||
| ## Bonus | ||
|
|
||
| ... pending ... 会在下课后测试完毕后给出 :) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| // gcc -o bruteforce_example -z execstack -fno-stack-protector -m32 bruteforce_example.c | ||
|
|
||
| #include <stdlib.h> | ||
| #include <stdio.h> | ||
| #include <string.h> | ||
|
|
||
| #ifndef BUF_SIZE | ||
| #define BUF_SIZE 32 | ||
| #endif | ||
|
|
||
| int bof(char *str) | ||
| { | ||
| char buffer[BUF_SIZE]; | ||
|
|
||
| /* The following statement has a buffer overflow problem */ | ||
| strcpy(buffer, str); | ||
|
|
||
| return 1; | ||
| } | ||
|
|
||
| int main(int argc, char **argv) | ||
| { | ||
| char str[4096]; | ||
| FILE *badfile; | ||
|
|
||
| /* Change the size of the dummy array to randomize the parameters | ||
| for this lab. Need to use the array at least once */ | ||
| char dummy[BUF_SIZE]; memset(dummy, 0, BUF_SIZE); | ||
|
|
||
| badfile = fopen("badfile", "r"); | ||
| fread(str, sizeof(char), 4096, badfile); | ||
| bof(str); | ||
| printf("Returned Properly\n"); | ||
| return 1; | ||
| } |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.