Lab12 port 32-bits to 64-bits #132
Conversation
dariabulacu
force-pushed
the
lab12-update
branch
4 times, most recently
from
ac0802d to
06730ec
Compare
teodutu
added
the
needs-rendering
teodutu
left a comment
teodutu
left a comment
There was a problem hiding this comment.
Pretty nice work overall. The solution scripts and / or the README guides work. Address my comments and we'll merge this.
.gitignore
Outdated
| labs/lab-12/tasks/*/solution/buff-ovf* | ||
| !labs/lab-12/tasks/*/solution/buff-ovf*.c | ||
| labs/lab-12/tasks/*/solution/obfuscator | ||
| labs/lab-12/tasks/*/solution/deobfuscator | ||
| labs/lab-12/tasks/*/solution/link | ||
| !labs/lab-12/tasks/*/solution/link.c | ||
| labs/lab-12/tasks/*/solution/link2 | ||
| labs/lab-12/tasks/*/solution/dynamic | ||
| !labs/lab-12/tasks/*/solution/dynamic.c | ||
| labs/lab-12/tasks/*/solution/dynamic2 | ||
| !labs/lab-12/tasks/*/solution/vuln.c | ||
| labs/lab-12/tasks/*/solution/rop | ||
| !labs/lab-12/tasks/*/solution/rop.c | ||
| labs/lab-12/tasks/*/solution/main | ||
| labs/lab-12/tasks/*/solution/main.o | ||
| labs/lab-12/tasks/*/solution/*.o |
There was a problem hiding this comment.
Add a .gitignore to each task in lab 12 and exclude or include the files from there.
| /* ROP gadgets for x86-64 */ | ||
| void gadget_pop_rdi(void) | ||
| { | ||
| __asm__("pop %rdi; ret"); | ||
| } | ||
|
|
||
| void gadget_pop_rsi(void) | ||
| { | ||
| __asm__("pop %rsi; ret"); | ||
| } |
There was a problem hiding this comment.
You generally find pop rdi; ret and pop rsi; ret gadgets in regular binaries. Why do you need these here?
There was a problem hiding this comment.
In this binary, compiled with -no-pie and -fno-stack-protector, it doesn't generate any gadgets naturally. Therefore I need to add them manually because the gcc copies the values directly to the stack and the only pop ; ret there is is for the frame pointer rbp.
| `gcc -no-pie -m32 link main.o -o a.out` | ||
|
|
||
| ```bash | ||
| gcc -no-pie -m64 link main.o -o a.out |
There was a problem hiding this comment.
Update the link object file to be compiled on 64 bits.
| padding_length="56" | ||
| address="\x16\x12\x40\x00\x00\x00\x00\x00" |
There was a problem hiding this comment.
Remove the solution. Keep the strings empty and leave the solution in ../solution/.
| **Key Differences from 32-bit**: | ||
|
|
||
| - Parameters in registers (RDI, RSI) instead of stack | ||
| - Addresses are 8 bytes (not 4) | ||
| - No need for `pop r15` or extra stack cleanup | ||
| - Simpler ROP chain structure |
There was a problem hiding this comment.
Remove these lines. Students won't study 32 bits anymore.
labs/lab-12/tasks/rop/solution/rop.c
Outdated
| void gadget_pop_rdi(void) | ||
| { | ||
| __asm__("pop %rdi; ret"); | ||
| } | ||
|
|
||
| void gadget_pop_rsi(void) | ||
| { | ||
| __asm__("pop %rsi; ret"); | ||
| } |
There was a problem hiding this comment.
Don't add these gadgets manually. You'll most likely find them in the binary, they're pretty common.
dariabulacu
force-pushed
the
lab12-update
branch
3 times, most recently
from
d572237 to
e56ae7d
Compare
This commit ports all Lab 12 CTF tasks from x86 (32-bit) to x86-64 (64-bit) architecture. Tasks ported: - feeling-chained: ROP chain with custom gadgets - hidden-in-plain-sight-1: Object file linking - hidden-in-plain-sight-2: Object file with parameters - indirect-business: Buffer overflow exploit - look-at-him-go: GDB debugging exercise - playing-god: Random number guessing - rip-my-buffers-off: Return address overwrite - rop: ROP chain to call special_function(6,9) Key changes: - Updated all Makefiles with -m64 compilation flag - Adapted ROP chains to use 64-bit registers (RDI, RSI) - Changed addresses from 4 bytes to 8 bytes (little-endian) - Updated padding for 64-bit stack alignment - Modified exploit scripts for 64-bit exploitation - Updated READMEs with comprehensive x86-64 explanations - Fixed all linting issues (trailing whitespace, markdownlint) All tests passing: 100/100 for each task. Signed-off-by: Daria Bulacu <dariabulacu@yahoo.com>
dariabulacu
force-pushed
the
lab12-update
branch
from
e56ae7d to
ae9de1e
Compare
| `f3` is the one that actually calls `get_flag()`. | ||
| Calling `get_flag()` directly shouldn't work (a global variable is checked to make sure all steps were made). | ||
|
|
||
| ## x86-64 (64-bit) Solution |
There was a problem hiding this comment.
| ## x86-64 (64-bit) Solution |
All is 64 bits, no need to write it.
| With static linking, natural ROP gadgets from libc are available: | ||
|
|
||
| - `pop rdi; pop rbp; ret` at `0x4022c8` | ||
| - `pop rsi; pop rbp; ret` at `0x4050a6` | ||
|
|
||
| Since these gadgets also pop RBP, we need dummy values after each parameter. |
There was a problem hiding this comment.
Add a section in the lab's reading/ file about ROPgadget and instruct students how to install and use it:
teo@astrocat support $ pip3 install ROPgadget
teo@astrocat support $ ROPgadget --binary buff-ovf3 | grep 'pop rdi'
0x00000000004013d8 : cli ; push rbp ; mov rbp, rsp ; pop rdi ; ret
0x00000000004013d5 : endbr64 ; push rbp ; mov rbp, rsp ; pop rdi ; ret
0x00000000004013db : mov ebp, esp ; pop rdi ; ret
0x00000000004013da : mov rbp, rsp ; pop rdi ; ret
0x00000000004013dd : pop rdi ; ret
0x00000000004013d9 : push rbp ; mov rbp, rsp ; pop rdi ; ret
teo@astrocat support $ ROPgadget --binary buff-ovf3 | grep 'pop rsi'
0x00000000004013e5 : cli ; push rbp ; mov rbp, rsp ; pop rsi ; ret
0x00000000004013e2 : endbr64 ; push rbp ; mov rbp, rsp ; pop rsi ; ret
0x00000000004013e8 : mov ebp, esp ; pop rsi ; ret
0x00000000004013e7 : mov rbp, rsp ; pop rsi ; ret
0x00000000004013ea : pop rsi ; ret
0x00000000004013e6 : push rbp ; mov rbp, rsp ; pop rsi ; ret
ROPgadget is cool because it also looks at arbitrary offsets in the text section so those instructions may not exist explicitly, for example the end of an instruction + the beginning of the next one can create a gadget.
In addition, using pop rbp fucks up the stack and the solution script causes seg faults with no result.
| # TODO set the right string | ||
|
|
||
| payload="" | ||
| payload="AAAAAAAAAABye" |
| Or use GDB to extract and calculate: | ||
|
|
||
| ```bash | ||
| gdb -batch -ex "break *main+67" -ex "run" -ex "print \$eax % 100000" ./dynamic2 < /dev/null |
There was a problem hiding this comment.
Don't forget to apply my suggestion above.
| - `pop rdi; pop rbp; ret` at `0x402268` | ||
| - `pop rsi; pop rbp; ret` at `0x405046` |
There was a problem hiding this comment.
Same as for feeling-chained: use ROPgadget to avoid pop rbp.
2 participants
Prerequisite Checklist
Description of changes