However, brute-forcing techniques are
possible to find function calls like system().
Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 8: Advanced Linux Exploits
Return to libc Exploits
"Return to libc" is a technique that was developed to get around non-executable stack
memory protection schemes such as PaX and ExecShield. Basically, the technique uses
the controlled eip to return into existing glibc functions instead of shellcode. Remember,
glibc is the ubiquitous library of C functions used by all programs. The library has
functions like system() and exit(), both of which are valuable targets. Of particular
interest is the system() function, which is used to run programs on the system. All you
need to do is munge (shape or change) the stack to trick the system() function into calling
a program of your choice, say /bin/sh.
To make the proper system() function call, we need our stack to look like this:
We will overflow the vulnerable buffer and exactly overwrite the old saved eip with the
address of the glibc system() function. When our vulnerable (main) function returns,
the program will return into the system() function as this value is popped off the stack
into the eip register and executed.
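The two properties that decide whether a binary needs this technique at all, and whether a fixed system() address can be reused against it, are visible in the ELF program headers: a PT_GNU_STACK segment without the execute bit means the stack is non-executable (so plain shellcode fails and return to libc becomes the attacker's path), and ET_DYN means the executable is position independent, so under ASLR none of its own addresses are fixed either. The following is an added example, not code from the book, that reads those two facts from a constructed minimal ELF64 image; the build_elf helper and the images it produces are constructed for the demonstration.

```python
# Added example (not from the book): read PT_GNU_STACK and e_type from a
# little-endian ELF64 image to report whether the stack is non-executable (NX)
# and whether the binary is position independent (PIE). The ELF images used
# here are constructed inline by build_elf(); no real binary is needed.
import struct

PT_GNU_STACK = 0x6474E551   # program-header type carrying stack permissions
PF_X = 0x1                  # execute bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position independent


def elf_protections(data: bytes) -> dict:
    """Return {'nx': bool, 'pie': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not a 64-bit ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK at all: the x86 Linux loader falls back to an
    # executable stack, so treat "absent" as NX off.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


def build_elf(e_type: int, stack_flags=None) -> bytes:
    """Construct a minimal ELF64 header plus an optional PT_GNU_STACK phdr.

    stack_flags is the p_flags value (e.g. 6 = RW, 7 = RWX); None omits the
    segment entirely. Constructed test data only, not a loadable program.
    """
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    if stack_flags is None:
        return ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr
```

An RW stack with ET_DYN is the hardened case; an RWX stack (or no PT_GNU_STACK segment) means the non-executable-stack protection this section describes is not in effect, and ET_EXEC means the binary's own addresses stay fixed regardless of ASLR.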