# PROCESS

#### Start with

```
docker build . -t exploits
docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
```

#### Things that can counter

```
Global Offset Table (GOT)
Procedure Linkage Table (PLT)
```

#### GDB Documentation:

* https://sourceware.org/gdb/onlinedocs/gdb/
* http://visualgdb.com/gdbreference/commands/x

#### Build binary

```
$ gcc application.c -fno-stack-protector -z execstack -o stack
```

#### Run GDB

```
$ gdb stack
```

#### Disassemble the main function to find the `ret` (32-bit) / `retq` (64-bit, "return quad") instruction

```
(gdb) disassemble main
```

#### Create a breakpoint at the address where the main function returns

```
(gdb) break *0x0...
```

#### Define a hook-stop macro

```
(gdb) define hook-stop
```

#### Set up the hook

```
# Display the instruction that will be executed next: $eip (32) / $rip (64)
> x/1i $eip
> x/1i $rip
# Examine 8 words of the stack as hex: $esp (32) / $rsp (64), using x/8wx (32) / x/8gx (64)
> x/8wx $esp
> x/8gx $rsp
# Close the hook-stop definition
> end
```

#### Execute it

```
(gdb) r
```

#### The code should break at our breakpoint, so let's step into the return

```
(gdb) si
```

#### Run the code with the alphabet

```
(gdb) r < alphabet
```

#### Step into what should be a segmentation fault

```
(gdb) si
```

#### Inspect the stack register $esp (32) / $rsp (64)

```
(gdb) x/s $esp
(gdb) x/s $rsp
```

#### Run it again

```
(gdb) r
```

#### Step into our return

```
(gdb) si
```

#### Inspect the registers

```
(gdb) info registers
```

#### Update the script with an INT3 and then run

```
(gdb) r < exploit
```

#### Continue the code, which should show the instruction pointer jumping to the stack and hitting the int3; if all worked you will have a SIGTRAP instead of a SIGSEGV

```
(gdb) c
```
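The build step above relies on `-fno-stack-protector` and `-z execstack` having actually switched off stack canaries and the NX stack; a mismatch is the usual reason the final step yields a SIGSEGV instead of the expected SIGTRAP. The checker below is an added example, not part of the original page or exercise: it reads the ELF program headers to see whether `PT_GNU_STACK` carries the execute bit and uses the presence of the `__stack_chk_fail` symbol name as a heuristic for canaries, so the same script verifies that a production binary has both mitigations on. `fake_elf64` builds a constructed stand-in image so the code runs without a compiler.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records the stack's required permissions
PF_X = 0x1                  # execute bit; set by -z execstack, clear by default


def elf_mitigations(data: bytes) -> dict:
    """Report NX stack and (heuristically) stack-canary status of an ELF image.
    nx_stack is False when PT_GNU_STACK has PF_X (-z execstack) and None when the
    header is absent; stack_canary is True when __stack_chk_fail is referenced."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is_64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    if is_64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx_stack = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at +4 in Elf64_Phdr but at +24 in Elf32_Phdr
            (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is_64 else 24))
            nx_stack = not (p_flags & PF_X)
    return {"nx_stack": nx_stack, "stack_canary": b"__stack_chk_fail" in data}


def fake_elf64(stack_flags: int, canary_symbol: bool) -> bytes:
    """Constructed stand-in for a compiled binary: an ELF64 header, one PT_GNU_STACK
    entry and optionally the canary symbol name, enough for elf_mitigations()."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5] = 2, 1                    # ELFCLASS64, little-endian
    struct.pack_into("<Q", ehdr, 32, 64)       # e_phoff: phdrs start right after the header
    struct.pack_into("<HH", ehdr, 54, 56, 1)   # e_phentsize, e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + phdr + (b"__stack_chk_fail\0" if canary_symbol else b"")


if __name__ == "__main__":
    # 0x6 = RW (gcc default), 0x7 = RWX (what `-z execstack` writes)
    for flags, canary in ((0x6, True), (0x7, False)):
        print(hex(flags), canary, elf_mitigations(fake_elf64(flags, canary)))
```

On a real file, pass `open("stack", "rb").read()` to `elf_mitigations`; the exercise binary should report `nx_stack: False, stack_canary: False`, and anything you ship should report both `True`.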