
Lab2 : Return to Libc

2015-11-02 19:24 525 views


Lab Environment Setup

Ubuntu 12.04 (64-bit)

Brief introduction

This is an Information Security lab experiment; this post covers about 5 exercises. There may be many mistakes here; if you find one, please contact me.


This lab consists of three parts:

Part A: you will defeat the non-executable stack protection by using a return-to-libc attack; and

Part B: you will defeat the Touchstone web server in a realistic environment where ASLR is enabled.



Part A: Non-executable Stack and Return-to-libc Attack

Exercise 1

The Ubuntu 12.04 OS you've been using in this lab has non-executable stack support by default. When compiling a C program, just use the -z noexecstack option to mark the stack segment non-executable. Re-compile the vulnerable program stack2.c from Lab 1:

$ make stack2

Then perform a buffer-overflow attack as you did in Lab 1. Can you still succeed? What do you observe?


It cannot succeed any more! A segmentation fault happens.

In stack2.c, I changed RET into the address of the start of the buffer on the stack. With the execstack option turned off, the OS treats the value on the stack as an address (data) rather than as instructions. In many cases that value lies outside the memory mapped for this program, so a segmentation fault happens.
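A check that goes with this exercise, added here and not part of the lab handout or the original post: the program below reads /proc/self/maps and reports whether the [stack] mapping carries the execute bit, which is how you confirm that -z noexecstack (or the Ubuntu default) actually took effect in the binary you are testing. The parsing is done by a helper you can also run over a captured maps listing; the sample line in the comment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the lab). A /proc/<pid>/maps line looks like
 * (constructed sample):  bffdf000-c0000000 rw-p 00000000 00:00 0  [stack]
 * The second column is the permission string; its third character is 'x'
 * for an executable stack (-z execstack) and '-' for a non-executable one
 * (-z noexecstack). Returns 1 if the stack is executable, 0 if not,
 * and -1 if no [stack] line is present in the listing. */
int stack_is_executable_from_maps(const char *maps)
{
    const char *line = maps;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        /* the main thread's stack is labelled "[stack]" in the last column */
        if (len >= 7 && memcmp(line + len - 7, "[stack]", 7) == 0) {
            const char *perms = memchr(line, ' ', len);   /* " rw-p ..." */
            if (perms && (size_t)(perms - line) + 4 <= len)
                return perms[3] == 'x' ? 1 : 0;            /* perms[1..4] */
            return -1;
        }
        if (!end) break;
        line = end + 1;
    }
    return -1;
}

/* Check the calling process itself; returns -1 if /proc is unavailable. */
int stack_is_executable(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return stack_is_executable_from_maps(buf);
}

int main(void)
{
    int r = stack_is_executable();
    printf("stack: %s\n", r < 0 ? "unknown" : r ? "executable" : "non-executable");
    return 0;
}
```

The static counterpart is the GNU_STACK program header: readelf -l stack2 | grep GNU_STACK shows RWE for an executable stack and RW for a non-executable one.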



Understand the Stack

To know how to conduct the return-to-libc attack, it is essential to understand how the stack works. We use a small C program to understand the effects of a function invocation on the stack.

[code]#include <stdio.h>

/* foo's frame on the stack: the argument x sits above the return
   address, which sits above the ebp saved when foo is entered */
void foo(int x)
{
  printf("Hello world: %d\n", x);
}

int main()
{
  foo(1);   /* pushes 1, then the return address, then jumps into foo */
  return 0;
}
[/code]


We can use "gcc -S foobar.c" to compile this program to assembly code. The resulting file foobar.s will look like the following:



The stack looks like the following:




leave: This instruction implicitly performs two instructions:

[code]mov  %ebp, %esp
pop  %ebp
[/code]

ret: This instruction simply pops the return address off the stack and then jumps to it. The current stack is depicted in Figure (f).



Exercise 2 :

Use gdb to smash the function stack; the C program offered to you here is exec3.c, as follows:



As you can see, the call system("ls") constructed in gdb runs smoothly, but not perfectly. What triggered the SIGSEGV fault? Modify the process memory in gdb just like above, to let the process exit gracefully.


We modify RET into the address of the system function and pass "ls" to it, so system("ls") is called when fun returns. Because we changed RET directly, the address of the next instruction (EIP) to run after system returns is lost and unknown, so a SIGSEGV fault is triggered after system("ls") completes.

If we want the process to exit gracefully, we can call exit(0) after system("ls"), like this:






Ret-to-libc Attack

By now, you already know how the function call stack is organized and how to find a library function's address, so you can try to attack the Touchstone web server using ret-to-libc.

Exercise 3 :

Now, try to perform a return-to-libc attack by constructing and sending a malicious request containing your shellcode. Your shellcode can still delete a file from the web server, or it can do something else.