(gdb) break main
Breakpoint 1 at 0x804837a
(gdb) run
Starting program: /home/matrix/booksrc/dummy
Breakpoint 1, 0x0804837a in main ()
(gdb) print system
$1 = {<text variable, no debug info>} 0xb7ed0d80 <system>
(gdb) quit
Here, a dummy program is created that uses the system() function.
After it's compiled, the binary is opened in a debugger and a breakpoint is
set at the beginning. The program is executed, and then the location of the
system() function is displayed. In this case, the system() function is located
at 0xb7ed0d80.
Armed with that knowledge, we can direct program execution into the
system() function of libc. However, the goal here is to cause the vulnerable
program to execute system("/bin/sh") to provide a shell, so an argument
must be supplied. When returning into libc, the return address and function
arguments are read off the stack in what should be a familiar format: the
return address followed by the arguments. On the stack, the return-into-libc
call should look something like this:
Function address
Return address
Argument 1
Argument 2
Argument 3 ...
Directly after the address of the desired libc function is the address to
which execution should return after the libc call. After that, all of the function
arguments come in sequence.
In this case, it doesn't really matter where the execution returns to after
the libc call, since it will be opening an interactive shell. Therefore, these
four bytes can just be a placeholder value of FAKE. There is only one argument,
which should be a pointer to the string /bin/sh. This string can be stored
anywhere in memory; an environment variable is an excellent candidate.
In the output below, the string is prefixed with several spaces. This will
act similarly to a NOP sled, providing us with some wiggle room, since
system("      /bin/sh") is the same as system("/bin/sh").
reader@hacking:~/booksrc $ export BINSH="      /bin/sh"
reader@hacking:~/booksrc $ ./getenvaddr BINSH ./vuln
BINSH will be at 0xbffffe5b
reader@hacking:~/booksrc $
So the system() address is 0xb7ed0d80, and the address for the /bin/sh
string will be 0xbffffe5b when the program is executed. That means the
return address on the stack should be overwritten with a series of addresses,
beginning with 0xb7ecfd80, followed by FAKE (since it doesn't matter where
execution goes after the system() call), and concluding with 0xbffffe5b.
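Everything above rests on two addresses staying put between the debugging session and the real run: the libc mapping that holds system() and the stack region that holds the environment string. The Python below is an added check, not code from the book; it parses /proc/<pid>/maps excerpts from repeated runs of the same binary and reports whether either region moved. The maps lines are constructed for the example, not captured from the book's machine.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)

# Constructed samples. FIXED_LAYOUT mimics a kernel without address
# randomization (the book's setting): both regions sit at the same place on
# every run. ASLR_LAYOUT mimics a randomizing kernel: both regions move.
FIXED_LAYOUT = [
    ["b7e9b000-b7fd9000 r-xp 00000000 08:01 393226 /lib/libc.so.6",
     "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]"],
    ["b7e9b000-b7fd9000 r-xp 00000000 08:01 393226 /lib/libc.so.6",
     "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]"],
]
ASLR_LAYOUT = [
    ["b7532000-b7670000 r-xp 00000000 08:01 393226 /lib/libc.so.6",
     "bf8d1000-bf8e6000 rw-p 00000000 00:00 0 [stack]"],
    ["b75c9000-b7707000 r-xp 00000000 08:01 393226 /lib/libc.so.6",
     "bfa12000-bfa27000 rw-p 00000000 00:00 0 [stack]"],
]


def region_bases(maps_lines):
    """Return {"libc": start, "stack": start} for one process's maps text.
    Only the executable libc segment counts, since that is where system() lives."""
    bases = {}
    for line in maps_lines:
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, perms, path = int(m.group(1), 16), m.group(3), m.group(4)
        if "libc" in path and "x" in perms:
            bases["libc"] = start
        elif path == "[stack]":
            bases["stack"] = start
    return bases


def aslr_report(runs):
    """Given maps output from several runs, say which regions changed base.
    False for a region means a debugger-observed address (system() in libc, or
    an environment string on the stack) would still be valid in a later run."""
    seen = {"libc": set(), "stack": set()}
    for run in runs:
        for name, base in region_bases(run).items():
            seen[name].add(base)
    return {name: len(bases) > 1 for name, bases in seen.items()}
```

On a live system the same check is `cat /proc/self/maps` in a few separate shells, or reading /proc/sys/kernel/randomize_va_space; a value of 0 there corresponds to the fixed layout the book relies on.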