For this exploit tutorial we gonna use the Stack5 challenge from exploit-exercises.
Okay, we save the file and compile it and we get this message:
Okay, we save the file and compile it and we get this message:
Even gcc informs us we use a vulnerable function! Damn!
That means this attack is not going to be that easy for real life targets as long as the compiler informs the developers they have used an exploitable function.
Note that we have every protection(ASLR, NX etc) disabled on this machine so the real life exploitation won't be that simple for sure.
Let's start by debugging the program with skid's favourite debugger
Exactly, GDB!
Type `gdb ./stack5` and disassemble the main function to take a look at what this program does.
At this point we can see by ourselves the program is calling the gets function.
Nice, let's try to overwrite the return address to take control of the program flow.
The program tried to return at 0x41414141 that of course is not a valid address.
That means we overwritten the valid address! :)
We could find the offset manually but it will take lot of time because it requires lot of tests.
So we will use pattern_create and pattern_offset to calculate it.
Pattern 0x63413563 first occurrence at position 76 in pattern.
So the offset is 76
We are ready now to craft our exploit!
We will start by making an offset variable that will print out 76 As.
After that we make a variable of a address that we hope would land on our nopsled.
So now we have to specify a nopsled that would eventually land at our shellcode
We will print a junk of "\x90"s(NOPs)
Then it will be our shellcode that it will be a simple 28byte x86 execve(NOTE: it depends on your system architecture so it might not be suitable for you.
We will use the 0xbffffbf0 as the return address
But as long as we want it to hit our nopsled we will use the 0xbffffbf0+100
So our final payload will be
We save it and run it with the cat trick
Yeah!
Do you feel the pwn emotion? ;)
Author: Mike Tsapralis
Comments
Post a Comment