Linux binary exploitation
This is the program code:
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* read() */

/* Never called by main(); the walkthrough below redirects EIP here. */
int helper() {
    system("touch pwnd.txt");
    return 0;
}

/* Vulnerable on purpose: reads up to 700 bytes into a 500-byte stack buffer. */
int overflow()
{
    char buffer[500];
    int userinput;
    userinput = read(0, buffer, 700);
    printf("\nUser provided %d bytes. Buffer content is: %s\n", userinput, buffer);
    return 0;
}

int main (int argc, char * argv[])
{
    overflow();
    return 0;
}
You can use gcc to compile it.
The first thing we need to do is check the program's security protections.
OK, there is no protection on the program.
Let's run it in gdb-peda.
We can list the program's functions with the info functions command.
Our first task is to run the helper function, which executes system("touch pwnd.txt"), so let's find its address. But first you need to disable ASLR with this command:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
ASLR changes the addresses every time you run the program; I will explain later how to bypass it.
You need to know that memory addresses are stored in little endian, for example:
0x004011b9 will be \xb9\x11\x40\x00
Now we need to control EIP to make it execute our helper function, so we can use pattern create to determine at which offset we overwrite EIP.
Now we know that after 516 bytes of buffer we control EIP, so let's try to run the helper function.
Good, it works. Now let's try to run shellcode instead of running the helper function.
We can generate shellcode with msfvenom, but we need to avoid bad characters, which would stop our shellcode, so we can use -b for this.
Now we need to identify the value for EIP. First you need to know that ESP is the stack pointer, and EIP takes its address from there.
Now we know the A's start 8 bytes after 0xbffff330, so we can add them to get the address to put in EIP and control it.
We need to add NOPs (\x90, no operation) before our shellcode; this makes the shellcode more stable.
Let's run it, then check the stack.
It works. You need to run nc on the attacker machine and you will receive the reverse shell.
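Everything above works because overflow() reads 700 bytes into a 500-byte stack buffer and never NUL-terminates it. As an added example that is not part of the original post, this is the hardened form a defender would ship: the read is bounded by the buffer's real size and the result is terminated, so neither the saved return address nor printf's %s can be driven by input. The names bounded_copy, overflow_fixed and BUFFER_SIZE are my own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFFER_SIZE 500   /* same buffer size as the vulnerable program */

/* Copy at most cap-1 bytes of src into dst and always NUL-terminate.
 * Returns the number of payload bytes kept: input longer than the buffer
 * is truncated instead of spilling over the saved EBP and return address. */
size_t bounded_copy(char *dst, size_t cap, const char *src, size_t srclen)
{
    if (cap == 0)
        return 0;
    size_t n = srclen < cap - 1 ? srclen : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Drop-in replacement for overflow(): the read length comes from the
 * buffer itself, and the terminator is written before printf sees it. */
ssize_t overflow_fixed(int fd)
{
    char buffer[BUFFER_SIZE];
    ssize_t got = read(fd, buffer, sizeof buffer - 1);  /* was read(0, buffer, 700) */
    if (got < 0)
        return got;
    buffer[got] = '\0';                                 /* %s needs a terminator */
    printf("\nUser provided %zd bytes. Buffer content is: %s\n", got, buffer);
    return got;
}

int main(void)
{
    return overflow_fixed(0) < 0;
}
```

With the bound in place, a 700-byte input is cut at 499 bytes and the pattern-create offset of 516 can never be reached.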