Modern Offensive and Defensive Solutions

We discuss modern offensive and defensive solutions, focusing on recent research on application and system security.

Slides for this session:


Download the session task archive.

  1. Open the session task archive and access the rop-shell/ subfolder. Your goal is to open a shell by calling system("/bin/sh"). You can jump directly to where system() is called. You need to store the address of "sh" in RDI using a gadget. You can find the address of "sh" in the executable by using find in GDB PEDA.

    Construct the ROP-based payload in similar to the file in the rop-demo/ subfolder.

    You can look for ROP gadgets by issuing the command

    ROPgadget --binary vuln
  2. Open the session task archive and access the rop-chain/ subfolder. You goal is to call mega_checker() after the checker() call. Both the "ihahaha!" and the "Uberihahaha!" messages need to be printed. For the mega_checker() to be properly called you need to initialized both the RDI register (1st parameter) and the RSI register (2nd parameter).

    Construct the ROP-based payload in

  3. First make sure you have a recent version of Clang/LLVM (3.8+) installed. If you use the lab machines, use apt-get to install the clang-4.0 package.

    Open the session task archive and access the dop/ subfolder. Open dop.c. What is the vulnerability? Notice there is a buffer overflow in f and that f contains a while loop that acts as an interpreter.

    Open payload.c and study the example payload. What does it do? Fill in the missing addresses in payload.c. Generate the payload and feed it to dop. It should print “End of program: FAILAA!”.

    Devise a similar payload that makes dop print “End of program: SISPWN!”.

    Recompile dop with the -fsanitize=safe-stack flag and run the exploit again. What happened? Why?