README
There are two programs, bomb.c and server.c.
The program bomb.c runs locally and accepts input on stdin. It should
be straightforward to exploit.
The program server.c is a network server that listens for input on
port 1337. Exploiting this program will take some more effort.
There are three versions compiled for each program, named by suffix:
_nx_ : non-executable stack (NX); _nonx_ : executable stack.
_can_ : with stack canaries; _nocan_ : without canaries.
*_nonx_nocan is the easiest to exploit.
*_nx_nocan is trickier, but shouldn't be impossible. (1)
*_nx_can is hard. Might be impossible.
(1) If libc is in ASCII-armored memory space, i.e. mapped into
addresses containing a 0-byte, then the _nx_ versions are much harder
(impossible?) to exploit.
Run make aslr-off to turn off ASLR (duh!). Turn it back on with make
aslr-on. You will have to be root to do this.
Exploiting with ASLR turned on is really, really hard.
Don't forget to set up a firewall before experimenting with
this. Block (at least) port 1337.
The helper program wheres_the_stack_at can be run to get a hint on
where the stack will be for your program. By running it multiple
times it can also be used to verify that you have turned ASLR on or
off.
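To check which build you are actually running (the _nx_/_nonx_ and _can_/_nocan_ variants listed above) and whether ASLR is currently on, here is an added helper script; it is not part of this repository. It assumes 64-bit little-endian ELF binaries, detects NX from the PT_GNU_STACK program header, and treats the presence of the __stack_chk_fail symbol name as the sign that the binary was built with canaries (a heuristic, like checksec uses).

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that declares the stack's permissions
PF_X = 0x1                 # p_flags bit: segment is executable

def elf_mitigations(data: bytes) -> dict:
    """Report NX and stack-canary status of a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    # e_phoff, e_phentsize, e_phnum live at offsets 32, 54 and 56 of the ELF header
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    exec_stack = True  # without PT_GNU_STACK the loader falls back to an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    # gcc -fstack-protector emits calls to __stack_chk_fail; no reference means no canaries
    canary = b"__stack_chk_fail" in data
    return {"nx": not exec_stack, "canary": canary}

def aslr_enabled(value: str) -> bool:
    """Interpret /proc/sys/kernel/randomize_va_space (0 = off, 1 or 2 = on)."""
    return int(value.strip()) != 0

def read_aslr_setting(path: str = "/proc/sys/kernel/randomize_va_space") -> str:
    with open(path) as f:
        return f.read()

def sample_elf(exec_stack: bool, canary: bool) -> bytes:
    """Constructed minimal ELF image (not a real binary) with one PT_GNU_STACK header."""
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"; hdr[4] = 2; hdr[5] = 1      # magic, ELFCLASS64, little-endian
    struct.pack_into("<Q", hdr, 32, 64)                # e_phoff: phdrs follow the header
    struct.pack_into("<HH", hdr, 54, 56, 1)            # e_phentsize, e_phnum
    flags = 0x6 | (PF_X if exec_stack else 0)          # PF_R|PF_W, plus PF_X if executable
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return bytes(hdr) + phdr + (b"\0__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. bomb_nx_can server_nonx_nocan
        with open(path, "rb") as f:
            print(path, elf_mitigations(f.read()))
    try:
        print("ASLR on:", aslr_enabled(read_aslr_setting()))
    except OSError:
        print("ASLR setting not readable on this system")
```

Run it against the compiled binaries before and after make aslr-off to confirm both the build flags and the kernel setting match what you think you are testing.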