One Article Review

Home - The article:
Source SkullSecurity Blog
Identifier 8330465
Publication date 2023-04-24 00:08:44 (seen: 2023-04-24 01:08:26)
Title BSidesSF 2023 Writeups: ROP Petting Zoo (educational challenge!)
Text ROP Petting Zoo is a challenge designed to teach the principles of return-oriented programming. It's mostly written in JavaScript, with a backend powered by a Ruby web server, along with a tool I wrote called Mandrake. Source code is shared between the three parts of the challenge, and is available here.

Mandrake is a debugger / tracer I wrote that executes a binary and traces all code run between two points. It will show registers, memory, all the good stuff. ROP Petting Zoo is kind of a wrapper around that. Basically, you have a list of potential ROP gadgets and libc calls. You build a stack from all the ROP gadgets, hit Execute!, and the harness will return to the first address on the stack. Everything is running for real in a container, so you get to see what would actually happen if this were a real exploit!

The challenges are very guided / on-rails, with tutorials that show the exact steps you will need to take, but here are the solutions I wrote. It's helpful to remember that when a function is called, the arguments are, in order, passed in the registers rdi, rsi, rdx, and rcx.

Level 1
  print_flag() -> Immediately return to print_flag
  pop rdi / ret -> Pop the next value into register rdi
  0 -> This is what's popped into rdi
  exit -> Return to exit(rdi) aka exit(0)

Level 2
  return_flag() -> Returns the flag in rax
  mov rdi, rax / ret -> Moves the flag pointer into rdi
  puts -> Return to puts(rdi) or puts(flag)
  pop rdi / ret -> Pop the next value into rdi
  0 -> This is what's popped into rdi
  exit -> Return to exit(rdi) aka exit(0)

Level 3
This part unfortunately ran a lot slower than I'd intended, but hopefully it's educational enough:
  write_flag_to_file() -> Writes the flag to a file, returns the name in rax
  mov rdi, rax / ret -> Moves the filename to rdi, the first param
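To make the stack-walking rule concrete (the harness returns into the first address, every "ret" returns into the next one, and a "pop rdi" gadget consumes the value after it), here is a small symbolic walker for the Level 1 and Level 2 chains above. It is an added example, not code from the challenge or from Mandrake: gadgets and libc functions are referred to by the names used in the writeup instead of real addresses, the FLAG_PTR value is constructed, and the only register state modelled is the argument order the text describes (rdi, rsi, rdx, rcx, plus rax for return values). It also shows the failure mode a beginner hits most often, a chain that returns into a data value because a pop gadget was left out.

```python
"""Symbolic ROP-chain walker for the Petting Zoo levels (added example, not the challenge's code)."""
from dataclasses import dataclass, field

# Constructed stand-in for the address return_flag() hands back in rax.
FLAG_PTR = 0x7FFE00001000

# Order in which the x86-64 SysV ABI passes integer arguments (as the writeup reminds us).
ARG_REGS = ["rdi", "rsi", "rdx", "rcx"]


@dataclass
class Machine:
    """Just enough CPU state to follow a chain: registers, the stack the user built, and a call log."""
    stack: list = field(default_factory=list)          # next value to be popped is stack[0]
    regs: dict = field(default_factory=lambda: {r: 0 for r in ["rax", *ARG_REGS]})
    calls: list = field(default_factory=list)          # (function name, args) in execution order
    exited: bool = False

    def pop(self):
        # A real 'ret' or 'pop' with nothing left would read whatever lies below the chain.
        if not self.stack:
            raise RuntimeError("stack exhausted before exit(): the harness would return into junk")
        return self.stack.pop(0)


# --- gadgets: each one runs its instruction(s); the trailing 'ret' is the walker loop itself ---
def g_pop_rdi(m):        # pop rdi / ret
    m.regs["rdi"] = m.pop()

def g_mov_rdi_rax(m):    # mov rdi, rax / ret
    m.regs["rdi"] = m.regs["rax"]


# --- libc / challenge functions: read arguments from the ABI registers, log the call ---
def f_print_flag(m):
    m.calls.append(("print_flag", ()))

def f_return_flag(m):
    m.regs["rax"] = FLAG_PTR                 # "Returns the flag in rax"
    m.calls.append(("return_flag", ()))

def f_puts(m):
    m.calls.append(("puts", (m.regs["rdi"],)))   # one argument, so only rdi matters

def f_exit(m):
    m.calls.append(("exit", (m.regs["rdi"],)))
    m.exited = True


GADGETS = {
    "print_flag": f_print_flag,
    "return_flag": f_return_flag,
    "puts": f_puts,
    "exit": f_exit,
    "pop rdi / ret": g_pop_rdi,
    "mov rdi, rax / ret": g_mov_rdi_rax,
}


def run_chain(chain, max_steps=32):
    """Walk a chain the way the harness does: return into stack[0], then into whatever each ret pops."""
    m = Machine(stack=list(chain))
    for _ in range(max_steps):
        if m.exited:
            break
        target = m.pop()
        if target not in GADGETS:
            # Returning into a bare data value (e.g. the 0 meant for a pop) is how chains crash.
            raise RuntimeError(f"returned into non-code value {target!r}: chain is misaligned")
        GADGETS[target](m)
    return m


# The two solved chains from the writeup, one stack entry per line of the solution.
LEVEL1_CHAIN = ["print_flag", "pop rdi / ret", 0, "exit"]
LEVEL2_CHAIN = ["return_flag", "mov rdi, rax / ret", "puts", "pop rdi / ret", 0, "exit"]


if __name__ == "__main__":
    for name, chain in [("Level 1", LEVEL1_CHAIN), ("Level 2", LEVEL2_CHAIN)]:
        print(name, run_chain(chain).calls)
    try:
        run_chain(["print_flag", 0, "exit"])     # forgot the pop gadget before the 0
    except RuntimeError as err:
        print("broken chain:", err)
```

Reading the call log is the same exercise as reading Mandrake's trace: for Level 2 you should see return_flag, then puts with FLAG_PTR as its argument, then exit(0), and the misaligned chain stops as soon as the walker tries to "execute" the literal 0.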
Sent Yes
Tags Tool
Stories
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.