20145318 "Cyber confrontation" injected Shellcode and RETURN-TO-LIBC

Knowledge points
    • Injecting shellcode: shellcode is a piece of code (it can also be padded with data) that is sent to the target program to exploit a specific vulnerability, usually to obtain privileges. It is generally delivered to the attacked server as data. Shellcode is the core of an overflow program or a worm, and it is naturally tied to a vulnerability, since it only works on unpatched hosts. Writing the shellcode is the most critical part of exploiting a vulnerability.
Practice process
    • Write a piece of shellcode and save it as 20145318shellcode.c

    • Install execstack

    • Use execstack to mark the stack executable and query whether the stack is executable, so that the shellcode can run on the stack

    • Turn off address randomization

    • Use more /proc/sys/kernel/randomize_va_space to query whether address randomization is on: 2 means on, 0 means off

    • Construct the payload as nop+shellcode+retaddr (the bytes \x4\x3\x2\x1 land on the return address slot on the stack and must be changed to the shellcode's address)

    • Inject the attack buffer buf

    • Open a terminal, debug the 5318pwn process with GDB, and find its process number 2906

    • Start the GDB debugging session, set a breakpoint, and view the memory address of the injected buf

    • After setting the breakpoint, press Enter in the other terminal and look for the return address: 01020304 marks the return address slot, and the shellcode sits right after it, so its address is that location plus four bytes

    • Exit GDB and modify Input_shellcode to the form anything+retaddr+nops+shellcode

    • Success

RETURN-TO-LIBC attack
    • sudo apt-get update

    • sudo apt-get install lib32z1 libc6-dev-i386

    • Enter a 32-bit Linux environment and use bash

    • Turn off address space randomization

    • Use another shell program (zsh) instead of /bin/bash; set up the zsh program

    • At compile time, manually set the stack to non-executable
    • Write retlib.c

    • Compile the program and set the Set-UID bit

    • A program that reads environment variables is needed: getenvaddr.c

    • Compile it

    • Write exploit.c

    • Get the address using the program just compiled: getenvaddr BIN_SH

    • Use gdb to get the addresses of system and exit
    • Compile

    • In GDB, get the addresses of system and exit

    • Modify the exploit.c file and fill in the memory addresses just found

    • Remove the exploit program and the badfile that were just debugged, and recompile the modified exploit.c

    • First run the attack program exploit, which generates the badfile, then run the vulnerable program retlib; the attack succeeds and root privileges are obtained
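
A defender-side check for the three conditions both labs above set up by hand (address randomization off, an executable stack, and a /bin/sh that keeps Set-UID privileges), as an added example that is not part of the original writeup. The function names, the readelf-based stack check and the constructed sample values are my own assumptions.

```shell
#!/bin/sh
# Audit script (added example, not the lab's own code): reports, from the
# defender's side, the three settings the lab changes so the attacks work:
#   1. ASLR, via /proc/sys/kernel/randomize_va_space
#   2. an executable stack, via the GNU_STACK program header (what execstack -s sets)
#   3. which shell /bin/sh resolves to (bash drops Set-UID privileges, zsh keeps them)
# The parsers take their input as arguments so they can be exercised offline.

# Meaning of a randomize_va_space value.
aslr_status() {
    case "$1" in
        0) echo "off: no randomization" ;;
        1) echo "partial: stack, mmap and vdso randomized, brk not" ;;
        2) echo "full: partial plus brk randomization" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Succeeds (exit 0) when the `readelf -lW <binary>` output passed as $1 shows an
# executable stack: a GNU_STACK header whose flags contain E, or no GNU_STACK
# header at all, which on the lab's 32-bit x86 also yields an executable stack.
stack_executable() {
    printf '%s\n' "$1" | awk '
        $1 == "GNU_STACK" { seen = 1; if ($7 ~ /E/) exec = 1 }
        END { if (!seen) exit 0; exit !exec }'
}

# Whether the shell a Set-UID program would spawn keeps the effective UID.
# bash resets euid to the real uid unless started with -p; zsh keeps it.
shell_keeps_privileges() {
    case "$(basename "$1")" in
        zsh)  return 0 ;;
        bash) return 1 ;;
        *)    return 2 ;;   # unknown: consult that shell's documentation
    esac
}

audit() {   # live check; $1 = Set-UID binary to inspect (e.g. ./retlib)
    echo "ASLR: $(aslr_status "$(cat /proc/sys/kernel/randomize_va_space)")"
    if stack_executable "$(readelf -lW "$1")"; then
        echo "$1: executable stack"
    else
        echo "$1: non-executable stack"
    fi
    target=$(readlink -f /bin/sh)
    if shell_keeps_privileges "$target"; then
        echo "/bin/sh -> $target: keeps euid in a Set-UID process"
    else
        echo "/bin/sh -> $target: drops privileges or unknown"
    fi
}

if [ "${1:-}" = "--live" ]; then audit "$2"; fi
```

Run it as `sh audit.sh --live ./retlib` on the lab machine; every line it flags is a mitigation the writeup had to disable.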
