Mercurial Mercurial > hg > sen-material / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
progs/README
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Tue, 11 Oct 2016 15:14:59 +0100
changeset 477 b2c5a721f360
parent 470 6764a249118a
child 479 f76074ed6c9e
permissions -rw-r--r--
updated

Virtual-Box

Start "Linux Hacking"   
  login is cu
  password is "test"

The programs are under 

  cu$> app-material/progs


Programs can be updated using

  hg pull
  hg update
  hg revert --all

Emacs can be used to edit files

  emacs -nw ...file....     (is also an alias)

Compiler

  gcc -O0 -o file file.c

Backtick is key §/±.

C0.c
====

Add the bigger string and the long is printed out differently.

foo("my string is too long !!!!! \x15\xcd\x5b\x07");

C1.c
====

needs to be called using

  ./C1 `./args1-good`
  ./C1 `./args1-bad`

or in gdb using

  gdb --args ./C1 `args1-bad`


C2.c
====

called with
  
  ./args2-good | ./C2
  ./args2-bad  | ./C2

C3.c
====
(shell injection)

called with 

  ./C3

opens a new shell


C4.c
====
Format string attack

  ./C4 "%s"
  ./C4 `./args4`

This vulnerability does not need the defences, but prints out
the string only correctly with `./args4`. The %s option needs

  -mpreferred-stack-boundary=2


------------------------------------

to switch off address randomization

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space



C0.c

add to string 
 
  " \x15\xcd\x5b\x07"

to get

  foo("my string is too long !!!!! \x15\xcd\x5b\x07");
sen-material