Minutes 2024-12-05: Difference between revisions
Jump to navigation
Jump to search
(initial commit) |
(fixed up unfinished notes and added some more content) |
||
Line 1: | Line 1: | ||
# Alex showed up for the first time in a while |
|||
# Jesse (from IT) |
# Jesse (from IT) showed up! |
||
# Josh's presentation on Linux buffer overflows! |
|||
# Josh's presentation on Linux buffer overflows [https://docs.google.com/presentation/d/1d3SiXnAacS5PeexusyiQWOLgdcf_MXyxOBSMpc6mIdM/edit#slide=id.p] |
|||
## ssh into shell, then <code>cd /home/jhstiebe/chal</code> |
## ssh into shell, then <code>cd /home/jhstiebe/chal</code> |
||
### Used Arney's account as temp for a non-member |
### Used Arney's account as temp for a non-member... |
||
#### Reset it after the meeting |
|||
## chal0 |
|||
## <code>chal0</code> |
|||
### input is stdin |
### input is stdin |
||
### set |
### set pointer to 0xDEADBEEF |
||
## chal00 |
## <code>chal00</code> |
||
### input is argv[0] |
### input is argv[0] |
||
### 29 |
### 29 byte offset for integer |
||
### 4 bytes for EDP |
### 4 bytes for EDP |
||
## These are 32-bit binaries |
## These are 32-bit binaries |
||
### 64-bit binaries have registers and gadgets instead of a 'stack', "return-oriented programming" |
### 64-bit binaries have registers and gadgets instead of a 'stack', "return-oriented programming" |
||
## chal1 |
## <code>chal1</code> |
||
###I didn't get this far lol |
|||
### |
|||
## |
## Builds are definitely not optimized by the compiler |
||
### might even be compiled as debug |
### They might even be compiled as debug |
||
## compiler freaked out about <code>gets</code> but not <code>strcpy</code> |
## compiler freaked out about <code>gets</code> but not <code>strcpy</code> |
||
### libc doesn't even implement it but still gives a bunch of warnings |
### libc doesn't even implement it but still gives a bunch of warnings if you import it yourself |
||
### Josh compiled it with default gcc C standard library version, might have worked if he used C99 |
### Josh compiled it with default gcc C standard library version, <code>gets</code> might have worked if he used C99 |
||
## Josh had to disable every security measure in the compiler (such as stack canaries), as well as ASLR on the system for the challenge to even work |
|||
### There are a lot of mechanisms nowadays to prevent these exact vulnerabilities |
|||
# Some news |
# Some news |
||
## We got the subnet from IT! |
## We got the subnet from IT! |
||
### It'll be a /27 |
### It'll be a /27 (32 theoretical IPs, probably ~28 usable) |
||
### It's not impossible for student |
### It's not impossible for student orgs to manage their own domains too |
||
#### |
#### However all subdomains need to be approved by the University's Marketing and Resources department |
||
#### I suspect this is why all student orgs I know of just buy their own domain and use that instead |
|||
##### ITO with [https://www.itoxygen.com/ itoxygen.com] |
|||
##### LUG with [https://linuxusers.group/ linuxusers.group] |
|||
##### NCSA with [https://ncsa.tech/ ncsa.tech] |
|||
Solutions: |
|||
##### WMTU with [https://wmtu.fm/ wmtu.fm] |
|||
## [[Locked HGST drives|The HGST drive hacking]] continues.... |
|||
### Jesse says someone in the university might have a license to SCSITools |
|||
#### Ron will ask around |
|||
### Jesse +1'd SartenX's recommendation asking Hydata for a free license as students |
Revision as of 04:57, 6 December 2024
- Alex showed up for the first time in a while
- Jesse (from IT) showed up!
- Josh's presentation on Linux buffer overflows [1]
- ssh into shell, then
cd /home/jhstiebe/chal
- Used Arney's account as temp for a non-member...
- Reset it after the meeting
- Used Arney's account as temp for a non-member...
chal0
- input is stdin
- set pointer to 0xDEADBEEF
chal00
- input is argv[0]
- 29 byte offset for integer
- 4 bytes for EDP
- These are 32-bit binaries
- 64-bit binaries have registers and gadgets instead of a 'stack', "return-oriented programming"
chal1
- I didn't get this far lol
- Builds are definitely not optimized by the compiler
- They might even be compiled as debug
- compiler freaked out about
gets
but notstrcpy
- libc doesn't even implement it but still gives a bunch of warnings if you import it yourself
- Josh compiled it with default gcc C standard library version,
gets
might have worked if he used C99
- Josh had to disable every security measure in the compiler (such as stack canaries), as well as ASLR on the system for the challenge to even work
- There are a lot of mechanisms nowadays to prevent these exact vulnerabilities
- ssh into shell, then
- Some news
- We got the subnet from IT!
- It'll be a /27 (32 theoretical IPs, probably ~28 usable)
- It's not impossible for student orgs to manage their own domains too
- However all subdomains need to be approved by the University's Marketing and Resources department
- I suspect this is why all student orgs I know of just buy their own domain and use that instead
- ITO with itoxygen.com
- LUG with linuxusers.group
- NCSA with ncsa.tech
- WMTU with wmtu.fm
- The HGST drive hacking continues....
- Jesse says someone in the university might have a license to SCSITools
- Ron will ask around
- Jesse +1'd SartenX's recommendation asking Hydata for a free license as students
- Jesse says someone in the university might have a license to SCSITools
- We got the subnet from IT!