LAB :

WE GET INPUT FROM USER AND SAVE

IT IN THE BAD FILE

And the main fun will read 300 char

from the bad file into str, then call
foo function

Inside foo we will copy the 300 char

into buff (which is only 100 char )
causing buffe overflow.

This program (vulnerable prog will be

run using set-UID (root privilege )

Note: “The 4755 is permission where: 4 : means that the binary

will be executed as the owner (usually root), you can refer to man setuid command for more
information 7 : means that the file can be written to, read by and executed by the owner 5 : that
the group can read and execute 5 : means that any user can read and execute .”
To setup the lab:

We need to compile the code, and turn off

all the counter measure that are
implemented inside the vm

Including memory randomization (0 means

turn off the randomization) and we need
to be a root to do so thus we need sudo
command

Then we compile the stack.c program, also

we need to turn off nonexecutable stack
and stack guard (using-fno stack-
protector), then we need to turn the prog
into privilege prog by changing ownership
into root and chmod to setuid

To test that stack pro has that

vulnerability, we will push random data
into the bad file 100, when run stack it will
return properly

While when pushing 160 into the bad file

we will get segmentation fault.

Now, we need

1. to construct the payload that will

be store in badfile
2. to identify the address of
ebp,return address and the offset.
3. Copy the payload into badfile to
overflow the return addres, thus
enforce the program to return to
our code
 Here is our badfile
(green) we will put
our cod in the top
of payload

All the badfile will

be copied in to the
stack including the
code

When the vulnerable prog copies the data from the paylod into the buffer in the fool function it will
overflow the return address, and we can let the program return to our code.
There are 2 challenges:

1. We need to know where to but the return address , we need to know the offset.
2. After figuring out the offset address, we need to put the address of the beginning of our code.
It is hard to know the beginning of the code and we know the program has one ending point,
thus We will add more than one ending point inside the memory before our code, and if we
could jump into one of them, we should be successful. This can be done by adding NOP

For solving the 2 challenges we need to know the ebp value and the buffer address, we can calculate the
offset for (1). Offset= ebp-buffer address+4

And if we add some value to ebp we could jump to one of the NOP.

SINCE WE HAVE THE SOUCE CODE , we can figure out these values using debugging mode using GDB
debugger.
Note 2 in the lab , thus retu=epb +120 (more than 8)

Now, we need to construct the badfile, which will be copied into the stack

Where A is the address in this rang

Note that strcopy with stop in /0 so that our code should not include any 0 (NOP IS 0x90 which map to
nothing, and we will just go to the net instruction)

But the return address might have 0 inside , thus be carful we we chose the adding value to ebp

For example if we add 68, the ret will have zero and strcopy will stop in the A area and noting after that
will be copied into the stack.

Here is the padfile which is a python code:

Now, we are ready to lunch the attack:

We have prepare the exploit program and stack, lets check them

Then run the exploit.py, that generate the content of the badfile which has 300 size

Then we run the stack

And you can see that I get new shell but not with root shell privilege
If you used id you will see that I don’t have root privilege

This is because the shell program is link to shell countermeasure (which is dsh) /bin/dsh and we will link
sh it to zch rater than dsh that does not has a countermeasure.

Then I will run the attack again we will get # which is indicator for a root

After check using id command , you can see uid=1000 and euid=0 which indicate I am A root
Now exit and Then we need to return the shell to dsh