Computer and Network Security - UPB 2021-2022 - https://ocw.cs.pub.ro/courses/cns

Basic tools such as strace, ltrace, strings or objdump. Not included because too easy.

Mainly the analysis of ELF headers, sections an segments. Only 2 tasks are included because the rest are either stupid or uninteresting.

A few scenarios where buffer overflows could be exploited. Basically IOCLA.

Tutorials and introductory shellcodes tasks. Meant to be solved by manually writing shellcodes... pnwtools go brrrrrr.

Only 2 tasks:

• an env-based exploit, where the shellcode is stored in an environment variable;
• a disgusting command interpreter where you leak the address of a buffer and then use a 2-stage attack to open a shellcode.

This lab is about bypassing ASLR on 32-bit binaries by bruteforce (the good old way). The lab is also about bypassing stack canaries given an unsanitised read, whose buffer is printf'd without a trailing \0. This printf method is also used to leak the address of the environment variable SHELLCODE, which is used to pass ... well, a shellcode to the binary.

Tasks 0-3 are decent and are either simple information leaks or %n arbitrary memory writes. Task 4 is a disgusting mess, which should work in theory, but doesn't in practice. It's also hard to debug, because the bug happens somewhere inside printf (it tries to perform a memory write at an incorrect address...).

ROPs are used to chain function calls and to perform a ret-2-libc attack in order to call read for reading a shellcode into a data section buffer, then run mprotect(R | X) on that buffer, before finally jumping into it.

Theoretically, this lab is about stack pivoting. However, neither task even requires ROPs. The functions can be exploited by jumping inside them, after the parameters are checked. Obviously, since not even ROPs are necessary to solve the challenges, stack pivoting is even more overkill. Not cool.

The name of the lab says it all. What's interesting in this lab is that it also explains how virtual functions work in C++ and requires overwriting the vptr in C++ classes.

This lab is a recap in the shape of a CTF:

• basic ASLR bypass: libc-master
• string format vulnerability: strudel
• use after free: heap-the-road
• don't know (yet): strudel

Due to lots of things to do in the last week of the semester, I was only able to complete the first 2 challenges :(.

Honestly, the tasks are disgusting as all of them bar one (crypto) involve reversing and patching binaries. No overflows, no shellcodes, nothing interesting. And crypto is only cool because we're supposed to figure out the cipher is RC4. There's still hope for better 2nd and 3rd assignments.

A few rather easy reversing and pwn challenges. The pwn challenges are based on shellcodes. The only interesting one is Strict Shellcode, where the shellcode decrypts it's execve("/bin/sh") part, before executing it, in order to avoid sanitisation. The other challenges suck.

The assignment is mostly about ROPs. The tasks get rather boring and repetitive. Almost all use the puts@plt(puts@got) trick to find the address of system in libc. There is one interesting task, which I call GOT Poisoning: memory_writer.