Question

6 Task 4: Launching Attack without Knowing Buffer Size (Level 2)

In the Level-1 attack, using gdb, we get to know the size of the buffer. In the real world, this piece of information may be hard to get. For example, if the target is a server program running on a remote machine, we will not be able to get a copy of the binary or source code. In this task, we are going to add a constraint: you can still use gdb, but you are not allowed to derive the buffer size from your investigation. Actually, the buffer size is provided in Makefile, but you are not allowed to use that information in your attack. Your task is to get the vulnerable program to run your shellcode under this constraint. We assume that you do know the range of the buffer size, which is from 100 to 200 bytes. Another fact that may be useful to you is that, due to the memory alignment, the value stored in the frame pointer is always a multiple of four (for 32-bit programs).

Please note that you are only allowed to construct one payload that works for any buffer size within this range. You will not get all the credits if you use the brute-force method, i.e., trying one buffer size each time. The more you try, the easier it will be detected and defeated by the victim. That's why minimizing the number of trials is important for attacks. In your lab report, you need to describe your method and provide evidence.

We use the skeleton exploit.py code:

    #!/usr/bin/python3
    import sys

    # Replace the content with the actual shellcode
    shellcode= (
      "\x90\x90\x90\x90"
      "\x90\x90\x90\x90"
    ).encode('latin-1')

    # Fill the content with NOP's
    content = bytearray(0x90 for i in range(517))

    ##################################################################
    # Put the shellcode somewhere in the payload
    content[517-len(shellcode):] = shellcode

    # Decide the return address value
    ret = 0x00    # Change this number

    # Spray the buffer with the return address
    for offset in range():    # Change this number
        content[offset*4:offset*4 + 4] = (ret).to_bytes(4,byteorder='little')
    ##################################################################

    # Write the content to a file
    with open('badfile', 'wb') as f:
        f.write(content)
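
From the defender's side, the layout this skeleton produces (one 4-byte value repeated across consecutive offsets, padded with 0x90 bytes) is a recognizable pattern in untrusted input. The following is an added example, not part of the original question or the lab's code; the function names, the thresholds and the constructed sample input are assumptions made for illustration.

```python
import struct

NOP = 0x90  # x86 one-byte NOP, the fill byte used by the skeleton above

def longest_word_run(data, align):
    """Longest run of one repeated 4-byte word at offsets == align (mod 4)."""
    best = (b"", 0, 0)                      # (word, repeat count, start offset)
    prev, run, start = None, 0, 0
    for off in range(align, len(data) - 3, 4):
        word = data[off:off + 4]
        if len(set(word)) == 1:             # fill (0x00.., 0x90..) is not an address
            prev, run = None, 0
            continue
        if word == prev:
            run += 1
        else:
            prev, run, start = word, 1, off
        if run > best[1]:
            best = (word, run, start)
    return best

def longest_nop_run(data):
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == NOP else 0
        best = max(best, cur)
    return best

def inspect_input(data, min_words=8, min_nops=32):
    """Flag input holding both a sprayed 4-byte value and a long NOP run."""
    # The spray need not start on a 4-byte boundary of the input: try all four.
    word, count, start = max((longest_word_run(data, a) for a in range(4)),
                             key=lambda r: r[1])
    sprayed = count >= min_words
    nops = longest_nop_run(data)
    return {
        "sprayed_value": hex(struct.unpack("<I", word)[0]) if sprayed else None,
        "spray_words": count if sprayed else 0,
        "spray_offset": start if sprayed else None,
        "nop_run": nops,
        "suspicious": sprayed and nops >= min_nops,
    }

def constructed_sample():
    """Constructed input for the demo: same shape, placeholder bytes only."""
    buf = bytearray([NOP] * 517)
    buf[0:80] = struct.pack("<I", 0xDEADBEEF) * 20   # placeholder value, 20 repeats
    buf[-8:] = b"PAYLOAD!"                           # stand-in text, not shellcode
    return bytes(buf)

if __name__ == "__main__":
    print(inspect_input(constructed_sample()))
```

The thresholds are heuristics: padded binary formats can contain repeated words or 0x90 bytes on their own, which is why the check requires both signals before flagging.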
