What is NX Bit?
It is an exploit mitigation technique that makes certain areas of memory non-executable and makes executable areas non-writable. Example: the data, stack and heap segments are made non-executable, while the text segment is made non-writable.
List the program header information for an ELF binary:
readelf -l vuln
How to bypass NX bit and achieve arbitrary code execution?
The NX bit can be bypassed using an attack technique called "return-to-libc". Here the return address is overwritten with the address of a particular libc function (instead of a stack address containing the shellcode). For example, if the attacker wants to spawn a shell, he overwrites the return address with the address of system() and also sets up on the stack the appropriate arguments required by system() for its successful invocation.
Use the ldd command to view the shared (.so) libraries loaded by the target program.
Prevent the program from gaining root privileges
vuln_priv.c:

#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* seteuid, getuid */

int main(int argc, char* argv[]) {
    char buf[256];
    seteuid(getuid());        /* Temporarily drop privileges */
    strcpy(buf, argv[1]);     /* unbounded copy: the overflow the notes discuss */
    printf("%s\n", buf);
    fflush(stdout);
    return 0;
}
For this kind of program, we can get root with the following chain of calls:
- seteuid(0)
- system("sh")
- exit()
Linux (x86) Exploit Development Series 4: Using return2libc to bypass NX