I followed the tutorial Part 1, Part 2, and Part 3. The exploitable code from the tutorials is stacksmash. Associated tools and utilities have been added to this repo and are copied into the image when it is built with the docker build command. The one thing that is dynamic is the location of the ENV variable used for the attack.
```
sudo docker build -t ndd/427hax .
sudo docker run --privileged -it ndd/427hax /bin/bash
```
Make the stacksmash directory.
You need to generate strings to feed as input to overflow the buffer. These can be generated with input/genvalidptrret.py. Note that this script does not generate the 400-A file or the 400-byte input pattern with BBBBB at offset 104 (I created in400A.txt and in400safe.txt for these in the repo if you want them). You can get those by modifying the script or by looking at the blog post. Also note that you need to find the correct environment-variable location of the injected shellcode before generating the working input string that transfers control properly.
Note that if you have security mitigations turned on they will defeat your attack.
- Address space layout randomization can be disabled by issuing the following command:
  `sudo sysctl -w kernel.randomize_va_space=0`
  but only if you have given the container the proper authority by creating it with the `--privileged` flag.
- Do not enable the stack canary.
- Do not enable the non-executable stack.
Please look at the stacksmash Makefile for how these binaries are built.
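Before blaming an offset or environment-variable address, it helps to confirm which of the three mitigations above are actually off. The following script is an added example, not part of the 427hax repo or the tutorial: it interprets the `kernel.randomize_va_space` value, parses `readelf -lW` output for an executable GNU_STACK header, and parses `nm` output for a `__stack_chk_fail` reference (the canary check). The function names are my own; the constructed sample lines at the bottom stand in for real tool output so the parsers can be exercised on a machine without binutils.

```shell
#!/bin/sh
# Added example (not from the 427hax repo): report which stack-smashing
# mitigations are in effect for a binary and the running kernel.

# aslr_status VALUE: interpret a kernel.randomize_va_space value.
aslr_status() {
  case "$1" in
    0) echo "ASLR off: stack, mmap and heap addresses are stable between runs" ;;
    1) echo "ASLR partial: stack and mmap randomized, brk heap is not" ;;
    2) echo "ASLR full: stack, mmap and heap are all randomized" ;;
    *) echo "unknown randomize_va_space value: $1"; return 1 ;;
  esac
}

# gnu_stack_executable: read 'readelf -lW BINARY' output on stdin and print
# "yes" when the GNU_STACK program header carries the E (execute) flag
# (flags column shows RWE), else "no".
gnu_stack_executable() {
  if grep 'GNU_STACK' | grep -q 'RWE'; then echo yes; else echo no; fi
}

# has_canary: read 'nm BINARY' or 'nm -D BINARY' output on stdin and print
# "yes" when the binary references __stack_chk_fail, which is what
# -fstack-protector emits, else "no".
has_canary() {
  if grep -q '__stack_chk_fail'; then echo yes; else echo no; fi
}

# report BINARY: run all three checks against a real file and the live kernel.
# Assumes sysctl (procps), readelf and nm (binutils) are installed.
report() {
  bin="$1"
  echo "ASLR:             $(aslr_status "$(sysctl -n kernel.randomize_va_space)")"
  echo "executable stack: $(readelf -lW "$bin" | gnu_stack_executable)"
  echo "stack canary:     $({ nm "$bin" 2>/dev/null || nm -D "$bin" 2>/dev/null; } | has_canary)"
}

# Constructed sample tool output (not captured from a real binary), used when
# no binary is given so the parsers can be tried without binutils present.
SAMPLE_READELF='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
SAMPLE_NM='                 U gets@GLIBC_2.2.5'

if [ $# -gt 0 ]; then
  report "$1"
else
  echo "sample executable stack: $(printf '%s\n' "$SAMPLE_READELF" | gnu_stack_executable)"
  echo "sample stack canary:     $(printf '%s\n' "$SAMPLE_NM" | has_canary)"
fi
```

Run it inside the container as `sh check_mitigations.sh ./stacksmash`; all three lines should read off / yes / no for the tutorial binary to behave as the blog post describes. The `nm` fallback to `nm -D` matters because a stripped binary has no static symbol table but still imports `__stack_chk_fail` dynamically.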
I went through the sequence of operations as indicated in lecture. This is somewhat of a follow-along with the blog post and may be of interest.
From Stack Overflow:
Passing arguments to variadic functions is more complicated. See x86-64 ELF ABI, section 3.5.7. Otherwise, x86-64 passes its first 6 arguments using registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9 (excluding float / vector arguments).
From the specification, %rax = 0 means that the variable argument list has no (0) floating-point arguments passed in vector registers. Your approach is wrong, as the first argument (e.g., the nul-terminated string: "Hello\n") must be passed in %rdi, and %rax must be zero when the function is called.