Rigel (Launched 2003)

  • Username: rigel
  • Click to reveal password: usegolanginstead
  • Points: 10 for code, 5 for write-up

Relevant lectures: 5 - Mitigating Memory Safety Vulnerabilities

The revelations from Antares are clear. Gobians considered the orbiter a serious threat, and you must too. Luckily, you now know where the final answer to this question, the blueprint, lies... Rigel is a true display of Gobian technological ingenuity. Launched right before the fall of the Union, it is armed with all of the most powerful hardening techniques at the time. Luckily, CSA allies have managed to disable the non-executable pages on the remote system and provided you with the shellcode to extract the blueprints from the satellite. Your final job is to defeat the remaining ASLR and stack canary countermeasures, hack into Rigel, and get the blueprints to fully understand Caltopia's true intentions.

This part of the project enables both stack canaries and ASLR.

Consider that enabling ASLR means you may end up with a nondeterministic solution. ./exploit accounts for this by running multiple times (which could take some time). If you see some Segmentation Faults when running your script, that’s expected!

Success State

When running ./exploit, the exploit will run five times. As long as it passes at least once (so it prints out the next question’s username and password), you’ve completed the question. You will not have to call cat README–the SHELLCODE for this question does not open a dummy shell.

Tips

  • You need to read Section 8 of “ASLR Smack & Laugh Reference” by Tilo Müller. The exploit for this question was not discussed in lecture, but is covered here.

  • You may find it useful to know how to examine the addresses of individual assembly instructions. This can be done by running disas <function_name> in gdb, where <function_name> is the name of a function like main or abs. If you are in layout split mode, you may not see a noticeable change in gdb. Note that you already have the current assembly instructions loaded, however, by calling disas <function_name>, it will switch to the assembly instructions of the function you’ve detailed.

  • It might also help to note that a no-op instruction in assembly can be represented by the single-byte instruction 0x90

  • In this question, it is necessary to receive all bytes that are printed out to you to prevent errors. We recommend using p.recvline() as opposed to p.recv(n) so you do not need to count all the individual bytes. Feel free to review the interact API documentation.

Deliverables

stars