Linux Exploit Development Part 3
This is a quick tutorial on how to bypass DEP using the ret2libc technique, following on from part 3 of my tutorial series; if you have not read that paper, I suggest you do so before this one:
NOTE:
* This paper will not cover any technical aspects.
* This paper will not teach you how to make buffer overflows.
* I will not be held responsible for anything you do using this knowledge.
Requirements:
* The knowledge necessary for this demonstration can be found in the previously mentioned paper.
* You will need a Debian Squeeze system
* GDB knowledge
* checksec.sh
* A vulnerable application (HT Editor <= 2.0.18)
Going through this paper without possessing the required knowledge may not be beneficial for you.
Let’s start!
Compiling and checking our vulnerable application.
Figure 1.
Figure 2.
As we can see, only NX is enabled and the other protections are disabled, so we are going to attempt to bypass NX using the ret2libc technique.
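The three properties checksec.sh reports in Figure 2 (NX, PIE, RELRO) are all derived from the ELF header and program headers. As an added example, not code from the original paper or from checksec.sh, the following Python reader extracts them directly; `build_elf32` is a constructed header-only fixture used only to exercise the reader offline.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, ET_DYN = 0x1, 3


def elf_mitigations(data: bytes) -> dict:
    """Report NX / PIE / RELRO from the ELF header and program headers only."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"         # EI_DATA: byte order
    e_type, = struct.unpack_from(e + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    stack_flags, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(e + "I", data, off)
        # p_flags follows p_type in ELF64 but sits after six words in ELF32
        p_flags, = struct.unpack_from(e + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    # No PT_GNU_STACK entry at all makes the kernel default to an executable stack.
    nx = stack_flags is not None and not stack_flags & PF_X
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_elf32(e_type: int, phdrs: list) -> bytes:
    """Constructed fixture (assumption): header-only little-endian ELF32 for i386."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0,
                               52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Non-PIE binary with a read/write (non-executable) stack, as in Figure 2.
    print(elf_mitigations(build_elf32(2, [(PT_GNU_STACK, 6)])))
    # The same layout rebuilt as PIE with a RELRO segment.
    print(elf_mitigations(build_elf32(3, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])))
```

Run it against a real binary with `elf_mitigations(open(path, "rb").read())`; the result for HT Editor should match what checksec.sh printed.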
Open the application in the debugger.
We know from our previous tutorials that we can trigger an exception by sending 4108 bytes of junk; let us quickly verify that.
Figure 3.
Figure 4.
After a few tries we determine that we need an offset of 4080 to overwrite EIP, which means that our exploit will look like this:
##############################
4080 junk + the address of system() + exit() + /bin/bash
##############################
While searching for the addresses we notice that the address of exit() contains a null byte, which makes it unusable; if you keep searching, however, you will see that at 0xb7d48304 we have exit+4, which we can use.
Figure 6.
We have system() and exit(); now we need to find the address of /bin/bash.
Figure 7.
Figure 8.
As you can see, we have everything we need to build our exploit. It should look like this:
##############################
4080 junk + system() + exit() + /bin/bash
##############################
Let’s have fun!
Figure 9.
Figure 10.
Figure 11.
Video demonstration: Linux exploit development part 3 (rev 2) - Real app demo (video)