1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
## Attack design
- Good countermeasure, but not enough.
- If the stack is not executable, an alternative solution is to make
the program jump to where there are executable codes.
- Enter the region for standard C library on Linux, called `libc`.
<figure
>
<picture>
<!-- Auto scaling with imagemagick -->
<!--
See https://www.debugbear.com/blog/responsive-images#w-descriptors-and-the-sizes-attribute and
https://developer.mozilla.org/en-US/docs/Learn/HTML/Multimedia_and_embedding/Responsive_images for info on defining 'sizes' for responsive images
-->
<source
class="responsive-img-srcset"
srcset="/assets/img/courses/csc302/libc/libc_design-480.webp 480w,/assets/img/courses/csc302/libc/libc_design-800.webp 800w,/assets/img/courses/csc302/libc/libc_design-1400.webp 1400w,"
type="image/webp"
sizes="95vw"
>
<img
src="/assets/img/courses/csc302/libc/libc_design.png"
width="50%"
height="auto"
alt="Overview of libc attack"
data-zoomable
loading="lazy"
onerror="this.onerror=null; $('.responsive-img-srcset').remove();"
>
</picture>
</figure>
- Create a file named `stack.c`
<script src="https://gist.github.com/linhbngo/a583a6912f26fb77b67c835933f76dce.js?file=stack_libc.c"></script>
- Compile stack with specific flags
```bash
gcc -m32 -fno-stack-protector -z noexecstack -o stack stack.c
sudo sysctl -w kernel.randomize_va_space=0
sudo chown root stack
sudo chmod 4755 stack
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
- We want `system()` to execute `/bin/sh`.
- Therefore, `/bin/sh` must be in memory, and
its address should be passed to `system()` as an argument.
- We cannot embed this in the source code (no access to source
code of vulnerable program).
- Solution:
- Utilize environment variables
- Create a file named `find_myshell.c`
<script src="https://gist.github.com/linhbngo/a583a6912f26fb77b67c835933f76dce.js?file=find_myshell.c"></script>
- Create the EV, then compile and run find_myshell.c
```bash
export MYSHELL="/bin/sh"
gcc -m32 -o myshell find_myshell.c
./myshell
gcc -m32 -o myshell0 find_myshell.c
./myshell0
gcc -m32 -o myshell1 find_myshell.c
./myshell1
gcc -m32 -o myshell22 find_myshell.c
./myshell22
gcc -m32 -o myshell222 find_myshell.c
./myshell222
|
1
2
3
4
5
6
7
8
9
|
## Attack
- Compile `gdb_stack`
```bash
gcc -m32 -fno-stack-protector -z noexecstack -g -o gdb_stack stack.c
gdb gdb_stack
|