SI485H: Stack Based Binary Exploits and Defenses (F15)

Lab 12: The last lab

Submission Instructions

Submission instructions for labs can be found on the resource pages. In particular, you should view this subsection: Creating a new branch and submitting

Part 1: Return to the Scene of the Lib C! (1 point)

Description

  • Write a return-2-libc exploit to retrieve the secret flag

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The GitLab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab12.1
    

Instructions

  • Fork and clone the repository
  • You will find a source file for a program called vuln.c. You can compile and work with this file as you wish.
  • Your task is to exploit the version of the program that is compiled and executable on the clone-2 saddleback VM at this location:

    /home/aviv/lab/12.1/vuln
    
  • Your task is to overwrite the return address with a call to system, launch a shell, and then print out the flag file:

    /home/aviv/lab/12.1/flag
    
  • Once you've completed the assignment, place the message in the flag file

Submission

  • You must submit one file:
    • flag : contents of the flag file

Hints

  • Use the PATH, Luke …

Part 2: Do the Chain-Gang (2 points)

Description

  • Write a ROP exploit that will chain the functions together to reveal the secret flag

Preamble

  • The assignment must be completed on the clone-2 saddleback VM which can be reached as follows:

    ssh -p 5555 saddleback.academy.usna.edu
    
  • The GitLab repository for this lab is found here:

    http://saddleback.academy.usna.edu/aviv/lab11.1
    

Instructions

  • Fork and clone the repository
  • You will find a source file for a program called vulne.c. You can compile and work with this file as you wish.
  • Your task is to exploit the version of the program that is compiled and executable on the clone-2 saddleback VM at this location:

    /home/aviv/lab/11.1/vuln
    
  • Your task is to overwrite the return address of main() with a chain of function calls such that the string pwn contains the phrase gonavygo.
  • Once gonavygo is achieved, the last function called in the chain will be flag(), to reveal the secret message.
  • You should use the gen_chain.py program to build your ROP chain as it will be a tad long.
  • Once complete, the following will reveal the secret message:

    ./vuln `python gen_chain.py`
    pwn: gonavygo
    FLAG ACHIEVED
    <flag>
    

Submission

  • You must submit at least two files:
    • flag : contents of the flag file
    • gen_chain.py : the format string you used

Hints

  • There is a sequence of calls to add_a() and manipulate() that will achieve the desired result
  • You might need a gadget, or two, or three …
  • Don't forget to call flag() when you're done