Buffer Note
Now, we need
When the vulnerable program copies the data from the payload into the buffer in the fool function, it will
overwrite the return address, and we can make the program return to our code.
There are 2 challenges:
1. We need to know where to put the return address, i.e. we need to know the offset.
2. After figuring out the offset, we need to put in the address of the beginning of our code.
It is hard to know exactly where our code begins, and the return lands at only one point,
so we place many possible landing points in memory before our code; if the return lands on
any one of them, execution slides into our code and we succeed. This can be done by adding NOPs.
To solve both challenges we need to know the ebp value and the buffer address. From them we can calculate the
offset for (1): Offset = ebp - buffer address + 4
And if we add some value to ebp, we can jump to one of the NOPs.
Since we have the source code, we can figure out these values by running the program in debugging mode with the GDB
debugger.
Note 2 in the lab, thus ret = ebp + 120 (more than 8)
Now, we need to construct the badfile, which will be copied onto the stack.
But the return address might contain a 0 byte, so be careful when choosing the value added to ebp.
For example, if we add 68, the return address will contain a zero byte, strcpy will stop in the A area, and nothing after that
will be copied onto the stack.
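The offset arithmetic and the strcpy zero-byte caveat from the notes, as an added example (not the lab's own exploit.py); the ebp and buffer addresses are constructed values, not ones taken from the lab:

```python
import struct


def return_address_offset(ebp: int, buffer_addr: int) -> int:
    """Offset from the start of the buffer to the saved return address.

    As stated in the notes: Offset = ebp - buffer address + 4. On a 32-bit
    frame the saved ebp sits at ebp and the return address 4 bytes above it.
    """
    return ebp - buffer_addr + 4


def has_nul_byte(addr: int) -> bool:
    """strcpy stops copying at the first 0x00 byte, so a return address that
    contains one truncates the copy: nothing after it reaches the stack."""
    return b"\x00" in struct.pack("<I", addr & 0xFFFFFFFF)


def usable_deltas(ebp: int, candidates) -> list:
    """Which 'ebp + delta' landing addresses would survive a strcpy copy."""
    return [d for d in candidates if not has_nul_byte(ebp + d)]


if __name__ == "__main__":
    # Constructed sample addresses (hypothetical, not from the lab run).
    EBP = 0xBFFFEBBC
    BUF = 0xBFFFEB4C
    print("offset:", return_address_offset(EBP, BUF))
    for d in (8, 68, 120):
        print(f"ebp+{d:<3} = {EBP + d:#010x}  nul byte: {has_nul_byte(EBP + d)}")
```

With these constructed values ebp+68 lands on 0xbfffec00, which is exactly the zero-byte case the notes warn about, while ebp+120 does not.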
We have prepared the exploit program and stack; let's check them.
Then run exploit.py, which generates the content of the badfile, which has size 300.
And you can see that I get a new shell, but not with root privilege.
If you use id you will see that I don't have root privilege.
This is because the shell program is linked to a shell with a countermeasure (which is dash), /bin/dash, and we will link
sh to zsh rather than dash, which does not have the countermeasure.
Then I will run the attack again and we get #, which is the indicator for root.
After checking using the id command, you can see uid=1000 and euid=0, which indicates I am root.
Now exit, and then we need to return the shell to dash.