Possible Challenges

[mudongliang]

1. simple demo - directly reads the /flag (Demo)
2. set setuid for other utilities (Backdoor)
3. Pwntools Usage - Program Interaction, 录屏，mdl
4. Assembly Basic (refer to Assembly Crash Course), mdl
5. CrackMe (ELF executable), pengyu
6. Gdb usage, 录屏，TODO !! hyh and pengyu
7. Buffer (Stack/Heap) Overflow done Off-by-one moves here
8. Integer Overflow, mdl, hyh TODO
9. UAF hyh （MDL check）
10. Shellcode Generation, pengyu
11. ROP, hyh; todo, execve done
12. bilibili & Zoho Docs
13. Other Vulnerabilities (Format String)
14. Mitigation Bypass (Canary) -> maybe we can move it to our experiment

[huyinhao]

TODO: dojo 分成两份 challenge，一份是专门上课使用的，如随堂作业，课后作业，另一份是专门的软件安全实验

[mudongliang]

buffer overflow（以stack overflow为例）：

1. 修改栈上局部变量，函数指针；
2. 修改栈上返回地址；简单 shellcode
3. shellcode 注入是不是可以直接放在当前这个地方；
4. off-by-one, off-by-null?
5. open read write flag or execve？
6. oob 和 uaf 整合成 memory safety？

[huyinhao]

1. sandbox
2. canary，nx，aslr 等综合起来
3. canary byte by byte

[huyinhao]

Optional: 设计一个在 overflow return address 的时候，维护 old rbp 的 challenge

[mudongliang]

Shell injection:

1. put shellcode after the return address; and directly calculate the stack adress;
2. use "jmp rsp" as a gift for students

[huyinhao]

更多利用方式：

1. ROP类：ROP, JOP, DOP, BROP, SROP, FSOP ...
2. _dl_runtime_resolve类攻击: ret2dlresolve, house-of-muney, ...
3. 劫持hook类攻击：malloc_hook, realloc_hook, free_hook, exit_hook, io_file_hook, ...

[wumingzhilian]

shellcode injection
shellcode 1-0 直接读取 并执行
shellcode 1-1 随机过滤前0x900字节
shellcode 1-2 过滤 \00 字节

shellcode 1-2 过滤 x64 汇编指令。（0x48 ）

shellcode 1-3 过滤 过滤syscall
shellcode 1-4 可见字符 执行 shellcode