
Overflows Lab Tasks

This week we have two lab tasks, covering the topics we discussed in the lecture.

Getting things installed

We are going to want a few extra tools to help us out.

  • The Multilib Library: lets us compile 32-bit versions of the application.

    sudo apt install gcc-multilib

  • GDB: the GNU Debugger, which will let us look inside the running binary.

    sudo apt install gdb

  • pwntools: the most excellent Python library for exploit development.

    sudo pip3 install pwntools

My First Overflow

Work through the My First Overflow Example, and try to redirect the program flow to get a shell.

Remember that the steps are:

  1. Make sure ASLR is turned off.

    sudo su
    echo 0 > /proc/sys/kernel/randomize_va_space
    exit

    Run the code a few times with 'A' as an input and check that the memory addresses don't change between runs.

  2. Feed input of various sizes to the program until you get control of the Function call address. I like to use a binary search here, but we can use things like the cyclic function from pwntools to help.

  3. Once we have control of the return address, we can feed it the correct memory address we want to jump to.
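The first step above (ASLR off, and addresses stable across runs) is easy to get wrong silently, so here is a small checker. It is an added example, not code from the lab page: it reads the same `randomize_va_space` sysctl the lab toggles, optionally runs a target a few times with a constructed input of `'A'` characters, and reports whether the address the target prints stays the same. The target name, the assumption that the target prints an address as a `0x...` token, and the sample output lines are all constructed for illustration; the function also reports mode 2 when you turn ASLR back on for the hard task later.

```python
"""Check ASLR state and address stability across runs (added example)."""
import subprocess
import sys

ASLR_PATH = "/proc/sys/kernel/randomize_va_space"

# Meaning of the three sysctl values (from the Linux kernel documentation).
ASLR_MODES = {
    0: "off: no randomisation",
    1: "conservative: stack, mmap base, VDSO and shared libraries randomised",
    2: "full: as 1, plus the brk/heap area",
}


def aslr_mode(path=ASLR_PATH):
    """Return the integer ASLR mode (0, 1 or 2) stored in the sysctl file."""
    with open(path) as f:
        return int(f.read().strip())


def describe_aslr(path=ASLR_PATH):
    """Human-readable summary of the current ASLR setting."""
    mode = aslr_mode(path)
    return f"randomize_va_space={mode} ({ASLR_MODES.get(mode, 'unknown')})"


def parse_address(line):
    """Return the first 0x... token in a line of program output."""
    for tok in line.split():
        if tok.startswith("0x"):
            return tok
    raise ValueError(f"no address found in: {line!r}")


def addresses_stable(addresses):
    """True if every observed address (hex strings) is identical."""
    return len({int(a, 16) for a in addresses}) == 1


def collect_addresses(cmd, runs=3, input_len=10):
    """Run `cmd` several times, feeding it 'A' * input_len on stdin, and
    collect the address each run prints.  Assumes the target echoes an
    address as a 0x... token on one of its output lines (hypothetical)."""
    found = []
    for _ in range(runs):
        proc = subprocess.run(cmd, input=b"A" * input_len,
                              capture_output=True, check=False)
        out = proc.stdout.decode(errors="replace")
        line = next(l for l in out.splitlines() if "0x" in l)
        found.append(parse_address(line))
    return found


if __name__ == "__main__":
    # Constructed sample output, as two runs with ASLR off would look.
    sample_runs = ["buffer is at 0xffffd5ac", "buffer is at 0xffffd5ac"]
    addrs = [parse_address(l) for l in sample_runs]
    print("sample addresses stable:", addresses_stable(addrs))
    try:
        print(describe_aslr())
    except OSError:
        print("no", ASLR_PATH, "on this system")
    if len(sys.argv) > 1:  # e.g. python3 check_aslr.py ./target
        real = collect_addresses(sys.argv[1:])
        print(real, "stable" if addresses_stable(real) else "CHANGING")
```

If `addresses_stable` reports `CHANGING` while the sysctl reads 0, the binary was most likely started under something (a shell wrapper, a different container namespace) that does not share the host's sysctl, which is worth knowing before spending time on step 2.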

Note

It's probably best to use Python 2 here.

python2 -c "print ('A'*50 + '\x42...')"

Python 3's strings are Unicode text rather than raw bytes, and print() encodes them (normally as UTF-8) on the way to stdout, so any byte value of 0x80 or above would be written as two bytes. To get the same thing printed on stdout we have to write bytes directly to sys.stdout.buffer, which means some slightly strange syntax:

python3 -c 'import sys; sys.stdout.buffer.write(b"A"*50 + b"\x42...")'

You may also want to repeat the process with a different sized buffer. This will help you practice the process of getting control of the Instruction Pointer (IP).
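The note above says the Python 3 syntax is "strange" but not why; the difference is that `print()` encodes text, and UTF-8 encoding turns any character from `'\x80'` upwards into two bytes, so the input that reaches the program is longer than you intended and the bytes are wrong. This added example (not from the lab page) makes the inflation measurable and shows the `sys.stdout.buffer` path that keeps bytes intact; the sample strings are constructed.

```python
"""Why Python 3 print() mangles raw-byte input, and how to avoid it (added example)."""
import sys


def text_path(s):
    """What print() emits for str `s`: UTF-8 encoding (the usual stdout encoding)."""
    return s.encode("utf-8")


def raw_path(s):
    """Interpret every code point < 256 as one byte (latin-1).  This is what
    Python 2's print did with a byte-string literal such as '\\x42'."""
    return s.encode("latin-1")


def inflation(s):
    """Extra bytes the print() path emits compared with the intended raw bytes."""
    return len(text_path(s)) - len(raw_path(s))


def safe_to_print(s):
    """True only when every character is below 0x80, so print() is harmless."""
    return inflation(s) == 0


def write_raw(data, stream=None):
    """Write bytes unchanged to a binary stream (stdout's buffer by default)."""
    if not isinstance(data, bytes):
        raise TypeError("write_raw expects bytes, got str; use b'...' literals")
    stream = sys.stdout.buffer if stream is None else stream
    stream.write(data)
    stream.flush()
    return len(data)


if __name__ == "__main__":
    # Constructed inputs: a padding run followed by two "address-like" bytes.
    ascii_only = "A" * 50 + "\x42"
    high_bytes = "A" * 50 + "\xc3\xd5"
    for s in (ascii_only, high_bytes):
        print(f"len={len(s)} print()-bytes={len(text_path(s))} "
              f"inflation={inflation(s)} safe={safe_to_print(s)}")
    # The bytes the program actually receives, written without encoding.
    write_raw(b"A" * 50 + b"\xc3\xd5")
    sys.stdout.buffer.write(b"\n")
```

Run it once and pipe it through `xxd` to see that the last line contains exactly 52 bytes; the same data sent through `print()` would arrive as 54, which is why the padding count in step 2 stops lining up once the address contains high bytes.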

Classic Stack Smashing

Here we will work through the Classic Stack Smashing Example.

Task

Try the 32-bit version with ASLR turned off.

You can use GDB to help you calculate the location you need to jump to.

Task

Try the 64-bit version of the exploit.

Remember you will need to update the addresses and the shellcode to be appropriate for a 64-bit system.

Hard task

Turn ASLR back on, and try the Ret2Reg Example, in both 32 and 64 bit.

This time we need to jump to the location of the instruction that calls through the register, rather than to a fixed stack address.

sudo su
echo 2 > /proc/sys/kernel/randomize_va_space
exit