发表新帖
发表新帖

Writing a return-to-libc attack, but libc is loaded at 0x00 in memory

后端 未结
关注
2 1073
北海茫月
北海茫月 2021-01-13 17:51

I\'m writing a return to libc attack for my systems security class. First, the vulnerable code:

//vuln.c
#include 
#include
相关标签:
2条回答
  • 鱼传尺愫
    2021-01-13 18:17

    I am fairly certain that this is impossible on 11.10, at least in the ways you mention. Have a look:

    https://wiki.ubuntu.com/Security/Features

    In detail, and just picking some problems with your ideas:

    (1) because of canary values and for other reasons, buffer Overflow into esp+4 will raise a Segmentation fault exception

    (2) you probably mean to extract the address of the environmental variable, which traditionally would have been at ESP (main) + a certain number of bytes. However, as even logical memory addresses these days are scrambled/randomized after compile, you will instead get a different mememory address for your $HOME variable for each run, probably somewhere on the other side of the main stack

    (3) to the best of my knowledge, there are other ways in which return from library attacks these days are thwarted. I am less familiar with those. This should be why you see x00 for the address

    Hacking these days on a ubunti system is hard. If you just need to do this for a class that doesn't insist on current distros, install instead the first ubunti distro in virtualbox. Magically, all you try will work. There is no more "standard overflow attack" that you also reference - even if you cleverly bypass canary valued etc, setting the nx bit makes this impossible. And similarly, while I'm less perfectly certain about how return from libc attacks are addressed, don't rely on believing this will be possible on a current distro. Good luck!

    0 讨论(0)
  • 长情又很酷
    2021-01-13 18:37

    The act of mapping important libc function to addresses which contain a NULL byte is called ASCII armoring. This protection is part of RedHat Exec-shield which is currently enabled on recent ubuntu distros link To disable it you have to run as root:

    sysctl -w kernel.exec-shield=0

    as explained here

    By the way you can find interesting material about how to bypass ASCII armoring here on exploit-db

    0 讨论(0)
 看不清?
提交回复
热议问题