I'm writing a return to libc attack for my systems security class. First, the vulnerable code:
//vuln.c
#include
#include
I am fairly certain that this is impossible on 11.10, at least in the ways you mention. Have a look:
https://wiki.ubuntu.com/Security/Features
In detail, and just picking some problems with your ideas:
(1) Because of canary values and for other reasons, a buffer overflow into esp+4 will raise a segmentation fault.
(2) You probably mean to extract the address of the environment variable, which traditionally would have been at ESP (main) + a certain number of bytes. However, as even logical memory addresses these days are scrambled/randomized after compile, you will instead get a different memory address for your $HOME variable on each run, probably somewhere on the other side of the main stack.
(3) To the best of my knowledge, there are other ways in which return-to-library attacks these days are thwarted. I am less familiar with those. This should be why you see x00 for the address.
Hacking these days on an Ubuntu system is hard. If you just need to do this for a class that doesn't insist on current distros, install the first Ubuntu distro in VirtualBox instead. Magically, all you try will work. There is no more "standard overflow attack" that you also reference - even if you cleverly bypass canary values etc., setting the NX bit makes this impossible. And similarly, while I'm less perfectly certain about how return-to-libc attacks are addressed, don't rely on believing this will be possible on a current distro. Good luck!
The act of mapping important libc functions to addresses which contain a NULL byte is called ASCII armoring. This protection is part of RedHat Exec-Shield, which is currently enabled on recent Ubuntu distros (link). To disable it you have to run as root:
sysctl -w kernel.exec-shield=0
as explained here.
By the way, you can find interesting material about how to bypass ASCII armoring here on exploit-db.
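As an added example (not code from the question or from either answer), the following Python script checks, from a /proc/<pid>/maps listing, the two mitigations the answers describe: whether libc's code segment sits in the ASCII-armored region that Exec-Shield uses (every address in it has a 0x00 most-significant byte) and what the kernel's ASLR setting is. It assumes a 32-bit Linux layout with 4-byte little-endian pointers and the usual maps line format; the two maps listings embedded in it are constructed samples, and the library path, inode numbers and addresses in them are made up.

```python
"""Added example (not code from the question or either answer): check two
of the mitigations the answers describe from a /proc/<pid>/maps listing.

Assumptions: a 32-bit Linux process layout like the one discussed above,
4-byte little-endian pointers, and maps text in the kernel's usual format.
The sample maps below are constructed, not captured from a real system."""
import os
import re

# Constructed sample: libc mapped low (top address byte is 0x00), as
# Exec-Shield's ASCII armoring does on a 32-bit system.
SAMPLE_MAPS_ARMORED = """\
00110000-00263000 r-xp 00000000 08:01 393303     /lib/i386-linux-gnu/libc-2.13.so
00263000-00264000 ---p 00153000 08:01 393303     /lib/i386-linux-gnu/libc-2.13.so
08048000-08049000 r-xp 00000000 08:01 1234       /home/student/vuln
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

# Constructed sample: libc mapped high, so no address byte is forced to 0x00.
SAMPLE_MAPS_PLAIN = """\
b7e1a000-b7f6d000 r-xp 00000000 08:01 393303     /lib/i386-linux-gnu/libc-2.13.so
08048000-08049000 r-xp 00000000 08:01 1234       /home/student/vuln
bf8a0000-bf8c1000 rw-p 00000000 00:00 0          [stack]
"""

# Field layout of a maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_maps(text):
    """Return [(start, end, perms, path), ...] for each mapping line."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16),
                        m.group(3), m.group(4).strip()))
    return out


def has_null_byte(addr, width=4):
    """True if any byte of the little-endian pointer encoding is 0x00.
    String copies stop at the first 0x00, which is why ASCII armoring
    places libc where every code address carries one.  Note that any
    page-aligned base address trivially ends in 0x00; the segment-level
    check below therefore looks at the most-significant byte instead."""
    return any(((addr >> (8 * i)) & 0xFF) == 0 for i in range(width))


def executable_mapping(mappings, name_re):
    """First mapping with execute permission whose path matches name_re."""
    for start, end, perms, path in mappings:
        if "x" in perms and re.search(name_re, path):
            return start, end
    return None


def ascii_armor_status(maps_text, width=4):
    """Report whether libc's code segment is ASCII armored: every address
    in it has a zero most-significant byte, i.e. the segment ends at or
    below 1 << (8 * (width - 1)), which is 16 MiB for 32-bit pointers."""
    seg = executable_mapping(parse_maps(maps_text), r"/libc[-.]")
    if seg is None:
        return {"libc_found": False, "armored": None, "libc_start": None}
    start, end = seg
    armored = end <= (1 << (8 * (width - 1)))
    return {"libc_found": True, "armored": armored, "libc_start": start}


def aslr_setting(path="/proc/sys/kernel/randomize_va_space"):
    """Read the kernel's ASLR knob; None if not on Linux or unreadable.
    0 = off, 1 = stack/mmap/vdso randomized, 2 = brk (heap) as well."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def describe(maps_text):
    """Human-readable summary for one maps listing."""
    st = ascii_armor_status(maps_text)
    if not st["libc_found"]:
        return "libc not found in mapping list"
    verdict = ("ASCII armored (0x00 top byte in every code address)"
               if st["armored"] else "not armored")
    return "libc at 0x%08x: %s" % (st["libc_start"], verdict)


if __name__ == "__main__":
    print("ASLR (randomize_va_space):", aslr_setting())
    for label, text in (("armored sample", SAMPLE_MAPS_ARMORED),
                        ("plain sample", SAMPLE_MAPS_PLAIN)):
        print(label + ":", describe(text))
    # The running interpreter's own maps, when available (Linux only).
    if os.path.exists("/proc/self/maps"):
        with open("/proc/self/maps") as fh:
            print("this process:", describe(fh.read()))
```

Run it on a live system with `python3 armor_check.py` (hypothetical file name) and compare the report with the `sysctl kernel.exec-shield` and `kernel.randomize_va_space` values; on a 64-bit process the `width` argument should be 8, where user-space addresses have zero top bytes regardless of Exec-Shield, so the armor verdict is only meaningful for the 32-bit layout the question is about.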