Lab2 : Return to Libc
2015-11-02 19:24
Lab Environment Setup
Ubuntu 12.04 (64 bits)
Brief introduction
This is an Information Security experiment, with about 5 exercises in this blog. There may be a lot of mistakes here; if you find any, please contact me.
This lab consists of three parts:
Part A: you will defeat the non-executable stack protection by using a return-to-libc attack; and
Part B: you will defeat the Touchstone web server in a realistic environment: the ASLR is enabled.
Part A: Non-executable Stack and Return-to-libc Attack
Exercise 1
The Ubuntu 12.04 OS you've been using in this lab has non-executable stack support by default. To compile a C program, just use the -z noexecstack option to mark the stack segment non-executable. Re-compile the vulnerable program stack2.c from lab 1:
$ make stack2
Perform a buffer-overflow attack as you did in Lab 1. Can you still succeed? What do you observe?
It cannot succeed any more! A segmentation fault happens.
In the stack2.c file, I changed RET to the first address of the buffer on the stack. With the execstack option turned off, the OS sees the value on this stack as an address rather than as instructions. In many cases, the value on this stack is beyond the memory addresses of this program, and then a segmentation fault happens.
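To make the observation above concrete, here is an added C example (not part of the lab or of the original post) that reproduces the effect of a non-executable mapping in isolation: it maps one anonymous page, stores a single x86 ret byte (0xC3) in it, and jumps there once without and once with PROT_EXEC. Without PROT_EXEC the instruction fetch itself raises SIGSEGV, which is the same fault RET pointing into a non-executable stack produces; with it, the byte executes and simply returns. The function name jump_into_page, the signal-handler recovery and the page-size lookup are my own choices.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example: what "-z noexecstack" relies on. One anonymous page holds a
 * single x86 'ret'; jumping into it succeeds only if the page is PROT_EXEC. */

static sigjmp_buf recover_point;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(recover_point, 1);   /* unwind out of the faulting call */
}

/* Returns 1 if jumping into the page raised SIGSEGV, 0 if the byte executed
 * and returned normally, -1 if the experiment could not be set up. */
int jump_into_page(int executable) {
    long psz = sysconf(_SC_PAGESIZE);
    if (psz <= 0) return -1;
    size_t len = (size_t)psz;
    int prot = PROT_READ | PROT_WRITE | (executable ? PROT_EXEC : 0);
    unsigned char *page = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;          /* e.g. a W^X policy refusing RWX */
    page[0] = 0xC3;                             /* x86 'ret' */

#if !defined(__x86_64__) && !defined(__i386__)
    /* 0xC3 is only 'ret' on x86; on other CPUs never execute the page. */
    if (executable) { munmap(page, len); return -1; }
#endif

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    if (sigaction(SIGSEGV, &sa, &old) != 0) { munmap(page, len); return -1; }

    int faulted;
    if (sigsetjmp(recover_point, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);          /* data pointer -> code pointer */
        fn();                                   /* call into the page */
        faulted = 0;                            /* got here: the 'ret' executed */
    } else {
        faulted = 1;                            /* landed here from on_segv */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, len);
    return faulted;
}

int main(void) {
    printf("non-executable page: %s\n",
           jump_into_page(0) == 1 ? "SIGSEGV (instruction fetch blocked)" : "executed");
    printf("executable page    : %s\n",
           jump_into_page(1) == 0 ? "executed and returned" : "not run or faulted");
    return 0;
}
```

The first call is the non-executable stack of this exercise in miniature: the CPU refuses to fetch from the page, the kernel delivers SIGSEGV, and nothing the page contains matters. The second call is the lab 1 situation, where the same bytes run because the mapping carries PROT_EXEC.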
Understand the Stack
To know how to conduct the return-to-libc attack, it is essential to understand how the stack works. We use a small C program to understand the effects of a function invocation on the stack.
[code]
#include <stdio.h>

void foo(int x)
{
    printf("Hello world: %d\n", x);
}

int main()
{
    foo(1);
    return 0;
}
[/code]
We can use “gcc -S foobar.c” to compile this program to the assembly code. The resulting file foobar.s will look like the following:
The stack looks like the following:
leave: this instruction implicitly performs two instructions:
    mov %ebp, %esp
    pop %ebp
ret: this instruction simply pops the return address off the stack and then jumps to it. The current stack is depicted in Figure (f).
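The following C program is an added example, not code from the lab or the post. It models the 32-bit frame mechanics described above with a small word-addressed toy stack and three registers (esp, ebp, eip); the addresses 0x08048400 and 0x08048460 are constructed placeholders for foo and for the instruction in main after "call foo". Running push / call / prologue / leave / ret shows two things the figures illustrate: esp and ebp come back to their pre-call values, and eip becomes whatever word sits in the saved return-address slot at ebp+4, the slot the buffer overflow in lab 1 overwrote.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a toy model of the 32-bit x86 stack used in this lab.
 * "Addresses" are byte offsets into a 256-byte memory, so the word at
 * address a is mem[a/4]. The stack grows toward lower addresses. */
#define STACK_BYTES 256

typedef struct {
    uint32_t mem[STACK_BYTES / 4];
    uint32_t esp, ebp, eip;
} Machine;

static void push(Machine *m, uint32_t v) { m->esp -= 4; m->mem[m->esp / 4] = v; }
static uint32_t pop(Machine *m) { uint32_t v = m->mem[m->esp / 4]; m->esp += 4; return v; }

/* call target : push the address of the next instruction, jump to target */
void do_call(Machine *m, uint32_t target, uint32_t next_instr) { push(m, next_instr); m->eip = target; }
/* prologue    : push %ebp ; mov %esp,%ebp */
void do_prologue(Machine *m) { push(m, m->ebp); m->ebp = m->esp; }
/* leave       : mov %ebp,%esp ; pop %ebp */
void do_leave(Machine *m) { m->esp = m->ebp; m->ebp = pop(m); }
/* ret         : pop the return address into eip */
void do_ret(Machine *m) { m->eip = pop(m); }

#define FOO_ADDR  0x08048400u  /* constructed: where foo's code would live */
#define MAIN_NEXT 0x08048460u  /* constructed: instruction in main after "call foo" */

/* Simulate main calling foo(1) and foo returning with leave/ret.
 * If overwrite != 0, the word at ebp+4 (foo's saved return address) is
 * replaced before the epilogue, as an overflowed local buffer would do.
 * Returns eip after ret; *frame_restored reports whether esp and ebp are
 * back to their values from before the call. */
uint32_t simulate_foo(uint32_t overwrite, int *frame_restored) {
    Machine m;
    memset(&m, 0, sizeof m);
    m.esp = STACK_BYTES;          /* empty stack: top of the toy memory */
    m.ebp = STACK_BYTES;          /* main's frame pointer (main has no locals here) */
    uint32_t esp0 = m.esp, ebp0 = m.ebp;

    push(&m, 1);                  /* pushl $1           (argument x) */
    do_call(&m, FOO_ADDR, MAIN_NEXT);
    do_prologue(&m);              /* foo: push %ebp ; mov %esp,%ebp */
    m.esp -= 16;                  /* sub $16,%esp       (room for locals) */
    if (overwrite)
        m.mem[(m.ebp + 4) / 4] = overwrite;   /* clobber the saved RET */
    do_leave(&m);
    do_ret(&m);
    m.esp += 4;                   /* main: add $4,%esp  (discard the argument) */

    if (frame_restored) *frame_restored = (m.esp == esp0 && m.ebp == ebp0);
    return m.eip;
}

int main(void) {
    int ok;
    uint32_t eip = simulate_foo(0, &ok);
    printf("normal return : eip=0x%08x frame restored=%d\n", (unsigned)eip, ok);
    eip = simulate_foo(0x41414141u, &ok);
    printf("clobbered RET : eip=0x%08x frame restored=%d\n", (unsigned)eip, ok);
    return 0;
}
```

Note that leave only reads the saved ebp, so the frame is restored cleanly even in the clobbered case; ret has no way to tell a genuine return address from an overwritten one, which is why the RET slot is the thing every stack protection in this lab (non-executable stack, ASLR) is ultimately guarding.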
Exercise 2:
Use gdb to smash the function stack; the C program offered to you here is exec3.c. As follows:
As you can see, the command system("ls") constructed by gdb runs smoothly, but not perfectly. What triggered the SIGSEGV fault? Modify the process memory in gdb just like above, to let the process exit gracefully.
We modify RET into the address of the system function and pass "ls" to it, so that system("ls") is called when fun returns. Because we change RET directly, the next instruction address (EIP) is lost and becomes unknown, so a SIGSEGV fault is triggered after system("ls") returns.
If we want to let the process exit gracefully, we can call exit(0) after calling system("ls"), just like this:
Ret-to-libc Attack
Till now, you already know how the function call stack is organized and how to find the library function address. So you can try to attack the Touchstone web server using ret-to-libc.
Exercise 3:
Now, try to perform a return-to-libc attack by constructing and sending a malicious request containing your shellcode. Your shellcode can still delete a file from the web server, or can do something else.