<!DOCTYPE html>
<!--[if IEMobile 7 ]><html class="no-js iem7"><![endif]-->
<!--[if lt IE 9]><html class="no-js lte-ie8"><![endif]-->
<!--[if (gt IE 8)|(gt IEMobile 7)|!(IEMobile)|!(IE)]><!--><html class="no-js" lang="en"><!--<![endif]-->
<head>
<meta charset="utf-8">
<title>My Octopress Blog</title>
<meta name="author" content="Your Name">
<meta name="description" content="This post records my effort to study return-to-libc attack.
Hope you will find some of the content helpful. Introduction Return-to-libc attack is an …">
<!-- http://t.co/dKP3o1e -->
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="canonical" href="http://movingname.github.io">
<link href="/favicon.png" rel="icon">
<link href="/stylesheets/screen.css" media="screen, projection" rel="stylesheet" type="text/css">
<link href="/atom.xml" rel="alternate" title="My Octopress Blog" type="application/atom+xml">
<script src="/javascripts/modernizr-2.0.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>!window.jQuery && document.write(unescape('%3Cscript src="./javascripts/lib/jquery.min.js"%3E%3C/script%3E'))</script>
<script src="/javascripts/octopress.js" type="text/javascript"></script>
<!--Fonts from Google's Web font directory at http://google.com/webfonts -->
<link href="http://fonts.googleapis.com/css?family=PT+Serif:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">
<link href="http://fonts.googleapis.com/css?family=PT+Sans:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">
</head>
<body >
<header role="banner"><hgroup>
<h1><a href="/">My Octopress Blog</a></h1>
<h2>A blogging framework for hackers.</h2>
</hgroup>
</header>
<nav role="navigation"><ul class="subscription" data-subscription="rss">
<li><a href="/atom.xml" rel="subscribe-rss" title="subscribe via RSS">RSS</a></li>
</ul>
<form action="http://google.com/search" method="get">
<fieldset role="search">
<input type="hidden" name="q" value="site:movingname.github.io" />
<input class="search" type="text" name="q" results="0" placeholder="Search"/>
</fieldset>
</form>
<ul class="main-navigation">
<li><a href="/">Blog</a></li>
<li><a href="/blog/archives">Archives</a></li>
</ul>
</nav>
<div id="main">
<div id="content">
<div class="blog-index">
<article>
<header>
<h1 class="entry-title"><a href="/blog/2013/06/30/return-to-libc-attack/">Return-to-libc-Attack</a></h1>
<p class="meta">
<time datetime="2013-06-30T18:45:00-04:00" pubdate data-updated="true">Jun 30<span>th</span>, 2013</time>
</p>
</header>
<div class="entry-content"><p>This post records my effort to study return-to-libc attack.
Hope you will find some of the content helpful.</p>
<h2>Introduction</h2>
<p>Return-to-libc attack is an advanced form of the “classical” buffer overflow attack.
Unlike the classical buffer overflow attack, a return-to-libc attack does not require
an executable stack to hold injected shellcode. Instead, it reuses code that already exists
inside the victim process (such as libc) to achieve the attacker’s goals.</p>
<p>To launch a return-to-libc attack, the attacker overwrites the return address of the current
stack frame with the address of a libc function, such as system(). The attacker also needs to
write the desired parameters to the right memory locations.</p>
<p>For example, if the return address points to system() and the parameter is “/bin/sh”, then the
victim program actually executes system(“/bin/sh”) and invokes a shell when the vulnerable function
returns. If the program runs with root privilege (<em>TODO</em>: check), the newly invoked shell might also have
root privilege and is controlled by the attacker.</p>
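<p>The root cause the paragraphs above rely on is an unchecked copy of untrusted bytes into a fixed-size stack buffer: once the copy runs past the buffer it reaches the saved frame pointer and the saved return address. The following C program is an added example (not code from this post or from the SEED lab) that places that vulnerable pattern beside a hardened version which refuses input that does not fit. The buffer size, the function names and the sample inputs are all constructed for illustration.</p>

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small, like the fixed-size stack buffer in a lab program
 * (size is an assumption for this example). */
#define BUF_SIZE 12

/* The vulnerable pattern ("before"): copy caller-supplied bytes into a stack
 * buffer without checking the length. With len > BUF_SIZE the copy continues
 * over the saved frame pointer and the saved return address, which is the
 * slot a return-to-libc payload overwrites. Kept only for contrast; calling
 * it with len > BUF_SIZE is undefined behaviour. */
size_t vulnerable_copy(const unsigned char *src, size_t len)
{
    unsigned char buf[BUF_SIZE] = {0};
    memcpy(buf, src, len);              /* no bound check at all */
    return (size_t)buf[0];              /* keep the copy observable */
}

/* Hardened form: the length is compared with the destination size before
 * any byte moves, and the result is always 0-terminated. Returns 0 on
 * success and -1 when the input does not fit; the caller treats -1 as a
 * malformed input and stops instead of truncating silently. */
int hardened_copy(const unsigned char *src, size_t len,
                  unsigned char *dst, size_t dst_size)
{
    if (src == NULL || dst == NULL || dst_size == 0)
        return -1;
    if (len >= dst_size)                /* leave room for the terminator */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Stand-in for reading the lab's "badfile" into the stack buffer: `data`
 * plays the role of the file contents (constructed, not a real payload).
 * Returns the number of bytes accepted, or -1 if the file is larger than
 * the buffer can safely hold. */
int read_badfile(const unsigned char *data, size_t len)
{
    unsigned char buf[BUF_SIZE];
    if (hardened_copy(data, len, buf, sizeof buf) != 0)
        return -1;
    return (int)len;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that is far too long. */
    const unsigned char short_input[] = "hello";
    const unsigned char long_input[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short input: %d\n",
           read_badfile(short_input, strlen((const char *)short_input)));
    printf("long input:  %d\n",
           read_badfile(long_input, strlen((const char *)long_input)));
    return 0;
}
```

<p>The check is deliberately on the length, not on the content: a defender cannot know which bytes an attacker will choose for the return address, but a 12-byte buffer can never legitimately receive 32 bytes, so rejecting the oversized read removes the overwrite regardless of what the payload contains.</p>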
<h2>Practice</h2>
<p>We can use the SEED lab to practice a return-to-libc attack. Here I will
provide some tips for finishing the lab, so please first read the document
provided in <a href="http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/Return_to_libc/">SEED-rlibc</a>.</p>
<p><strong>(Tip 1)</strong>. To find out exactly where the buffer is located, we can use gdb to debug the
vulnerable program. The following commands will be useful:</p>
<ul>
<li>info frame, see <a href="http://www.chemie.fu-berlin.de/chemnet/use/info/gdb/gdb_7.html">GDB-stack</a></li>
<li>x/nfw <em>addr</em>, see <a href="http://www.delorie.com/gnu/docs/gdb/gdb_56.html">GDB-examine</a></li>
</ul>
<p><strong>(Tip 2)</strong>. When creating the badfile, we can use the od -x <em>filename</em> command to
dump the badfile in hex.</p>
<p><strong>(Tip 3)</strong>. To get the correct result, please spend enough time reading section 3.3 of
the lab document.</p>
<p><strong>(Unsolved Question 1)</strong>. I used several tests to find out the address of MYSHELL.
Can I directly get the address of that variable?</p>
<ul>
<li><p>The first idea is to use gdb to display the memory area holding environment variables.
However, gdb says that I do not have the permission.</p></li>
<li><p>The second idea comes from a <a href="http://security.stackexchange.com/questions/13194/finding-environment-variables-with-gdb-to-exploit-a-buffer-overflow">stackOverflow thread</a>. But it does not work for me.</p></li>
</ul>
<h2>References</h2>
</div>
</article>
<div class="pagination">
<a href="/blog/archives">Blog Archives</a>
</div>
</div>
<aside class="sidebar">
<section>
<h1>Recent Posts</h1>
<ul id="recent_posts">
<li class="post">
<a href="/blog/2013/06/30/return-to-libc-attack/">Return-to-libc-Attack</a>
</li>
</ul>
</section>
</aside>
</div>
</div>
<footer role="contentinfo"><p>
Copyright © 2013 - Your Name -
<span class="credit">Powered by <a href="http://octopress.org">Octopress</a></span>
</p>
</footer>
<script type="text/javascript">
(function(){
var twitterWidgets = document.createElement('script');
twitterWidgets.type = 'text/javascript';
twitterWidgets.async = true;
twitterWidgets.src = 'http://platform.twitter.com/widgets.js';
document.getElementsByTagName('head')[0].appendChild(twitterWidgets);
})();
</script>
</body>
</html>