As it turns out, the randomization varies from system to system and
is not truly random.
Start off by switching user to root and turning off stack randomization.
BT book $ su
Password: ****
BT book # echo 0 > /proc/sys/kernel/randomize_va_space
Take a look at the following vulnerable program:
BT book #cat vuln2.c
/* small buf vuln prog */
#include <string.h>              /* strcpy() */
int main(int argc, char * argv[]){
        char buffer[7];          /* 7-byte stack buffer */
        strcpy(buffer, argv[1]); /* unbounded copy: an argument longer than 6 chars overflows */
        return 0;
}
As you can see, this program is vulnerable because the strcpy() call copies
argv[1] into the small buffer without any length check. Compile the vulnerable program, set it as SUID, and return
to a normal user account.
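For contrast, here is a hardened counterpart of vuln2.c, an added example that is not from the book: the copy is bounded to the buffer size and an oversized argument is rejected rather than truncated silently (bounded_copy and handle_arg are names chosen here, not functions from the text).

```c
/* Hardened counterpart of vuln2.c (added example).  vuln2 copies argv[1]
 * with strcpy() into a 7-byte stack buffer, so any argument of 7 or more
 * characters overwrites what lies above the buffer on the stack.  Here the
 * copy is bounded and oversized input is refused outright. */
#include <stdio.h>
#include <string.h>

#define BUF_SZ 7   /* same buffer size as vuln2.c */

/* Copy src into dst (capacity dstsz) only if it fits, NUL included.
 * Returns 0 on success, -1 if src is too long; dst is left untouched on
 * failure so callers never work with a partial string.  memchr() stops
 * after dstsz bytes, so a huge src costs at most dstsz reads. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)            /* no NUL within dstsz: does not fit */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);    /* n + 1 includes the terminating NUL */
    return 0;
}

/* Same shape as vuln2's main(), but with the bounded copy.
 * Returns 0 if the argument was accepted, 1 if it was rejected. */
int handle_arg(const char *arg)
{
    char buffer[BUF_SZ];
    if (bounded_copy(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SZ - 1);
        return 1;
    }
    printf("accepted: %s\n", buffer);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {             /* vuln2 would dereference a NULL argv[1] here */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return handle_arg(argv[1]);
}
```

Even with the bounded copy in place, the system-level mitigations the text is about to disable (ASLR, and on a modern toolchain stack protectors and PIE) remain the second line of defense against whatever overflow is still found.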
BT book # gcc -o vuln2 vuln2.c
BT book # chown root.root vuln2
BT book # chmod +s vuln2
BT book # ls -l vuln2
-rwsr-sr-x 1 root root 8019 Dec 19 19:40 vuln2*
BT book # exit
exit
BT book $
Now we are ready to build the return into libc exploit and feed it to the vuln2 program.
We need the following items to proceed:
• Address of the glibc system() function
• Address of the string "/bin/sh"
It turns out that functions like system() and exit() are automatically linked into binaries
by the gcc compiler. To observe this fact, start up the program with gdb in quiet mode.
Set a breakpoint on main; run the program.