return to lib_c buffer overflow exercise issue

Backend · Unresolved · 2 · 1500
伪装坚强ぢ 2020-12-13 20:46

I'm supposed to come up with a program that exploits the "return to libc buffer overflow". This is, when executed, it cleanly exits and brings up a SHELL prompt. The pr

Related tags:
2 answers
  • 2020-12-13 21:04

    The problem in your program is that the pointer you suppose points to the /bin/sh string is actually not pointing to /bin/sh.

    You get this address using gdb. But even without stack randomization, the stack address of your shell variable is different when the program is run under gdb than without gdb. gdb is putting some debug information into the stack and this will shift your shell variables.

    To convince yourself here is a quick and dirty program to find a /bin/sh string in the stack:

    #include <stdio.h>
    #include <string.h>
    
    int main(void)
    {
        /* the string we plant on the stack and then search for */
        char s[] = "/bin/sh";
        /* start walking upward from a fixed address near the bottom of the
           (non-randomized, 32-bit) stack mapping */
        char *p = (char *) 0xbffff000;
    
        /* advance until the bytes at p match "/bin/sh" including its NUL */
        while (memcmp(++p, s, sizeof s));
    
        printf("%s\n", p);
        printf("%p\n", p);
    }
    

    First double check that stack randomization is disabled:

    ouah@maou:~$ sysctl kernel.randomize_va_space
    kernel.randomize_va_space = 0
    ouah@maou:~$
    

    Ok, no stack randomization.

    Let's compile the program and run it outside gdb:

    ouah@maou:~$ gcc -std=c99 tst.c
    ouah@maou:~$ ./a.out
    /bin/sh
    0xbffff724
    ouah@maou:~$
    

    Now let's run it under gdb:

    ouah@maou:~$ ./a.out
    /bin/sh
    0xbffff724
    ouah@maou:~$ gdb a.out -q
    Reading symbols from /home/ouah/a.out...(no debugging symbols found)...done.
    (gdb) r
    Starting program: /home/ouah/a.out
    /bin/sh
    0xbffff6e4
    
    Program exited normally.
    (gdb) quit
    ouah@maou:~$
    

    As you can see the address of the /bin/sh string is different when the program is run inside or outside gdb.

    Now what you can do is to use a variant of this program to find the true address of your string or, as a more elegant approach, get the address of a /bin/sh string directly from the libc (as you can guess there are a few occurrences).

    0 Discussion (0)
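The program above walks memory from a hard-coded address until it matches, so it faults if the string is not there. The following is an added example (not code from either answer) that does the same search with bounds: it reads the limits of the current process's `[stack]` mapping from `/proc/self/maps` (Linux only) and searches only inside that range. The function names `find_in_range` and `stack_bounds` are my own. Running it as `./a.out` and then as `env -i ./a.out` shows the printed address moving, which is the same effect the answer describes for running under gdb: whatever sits on the stack above `main` (environment, auxiliary data) shifts every local variable.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Return the offset of the first occurrence of needle[0..nlen) inside
 * hay[0..hlen), or -1 if it is absent. Never reads past hay + hlen. */
long find_in_range(const unsigned char *hay, size_t hlen,
                   const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return -1;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    }
    return -1;
}

/* Parse /proc/self/maps and return the bounds of the [stack] mapping.
 * Returns 1 on success, 0 if no such line was found. (Linux-specific.) */
int stack_bounds(uintptr_t *lo, uintptr_t *hi)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "[stack]") == NULL)
            continue;
        unsigned long a, b;
        if (sscanf(line, "%lx-%lx", &a, &b) == 2) {
            *lo = (uintptr_t)a;
            *hi = (uintptr_t)b;
            found = 1;
        }
        break;
    }
    fclose(f);
    return found;
}

int main(void)
{
    /* The string planted on this process's own stack and then searched for;
     * sizeof s includes the terminating NUL, so only a full match counts. */
    char s[] = "/bin/sh";
    uintptr_t lo, hi;

    if (!stack_bounds(&lo, &hi)) {
        fprintf(stderr, "could not locate [stack] mapping\n");
        return 1;
    }
    long off = find_in_range((const unsigned char *)lo, hi - lo,
                             (const unsigned char *)s, sizeof s);
    if (off < 0) {
        printf("no match inside the stack mapping\n");
        return 1;
    }
    printf("stack mapping: %#lx-%#lx\n", (unsigned long)lo, (unsigned long)hi);
    printf("first \"/bin/sh\" at %p (variable s is at %p)\n",
           (void *)(lo + (uintptr_t)off), (void *)s);
    return 0;
}
```

The two printed addresses can differ: an environment variable such as `SHELL=/bin/sh`, if present, sits higher on the stack than `s` and is found first, which is another reason a value read in one environment does not carry over to another.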
  • 2020-12-13 21:05

    You can search in libc for a fixed address of a /bin/sh string. Run your program in gdb then:

    (gdb) break main
    
    (gdb) run
    
    (gdb) print &system
    $1 = (<text variable, no debug info>*) 0xf7e68250 <system>
    
    (gdb) find &system,+9999999,"/bin/sh"
    0xf7f86c4c
    warning: Unable to access target memory at 0xf7fd0fd4, halting search.
    1 pattern found.
    

    Good luck.

    0 Discussion (0)