 

Return to libc finding pointers

Tags:

c

gdb

For a class in software security I've got to make a simple return to libc attack. I managed to make a Perl script that completes the attack given the correct pointers to system(), exit() and the /bin/sh string. I found these pointers using gdb "p system" etc. Now I want to make the exploit a bit more "dynamic" by writing a C program that finds the address of system() and exit() at run time. How do I do this? I tried "&system" but that doesn't seem to be giving me the correct address at all.

Edit: The system does NOT have ASLR enabled.

maigelm asked Dec 21 '13 03:12




1 Answer

You may easily find the addresses using binutils - objdump or readelf, but only addresses of the symbols the binary is actually using. The unused symbols are not linked with the libc library.

Say you want to hack the ls command:

objdump -d `which ls` | less

you will find this section:

0000000000402910 <exit@plt>:
  402910:       ff 25 da 89 21 00       jmpq   *0x2189da(%rip)        # 61b2f0 <_fini+0x208704>
  402916:       68 5e 00 00 00          pushq  $0x5e
  40291b:       e9 00 fa ff ff          jmpq   402320 <_init+0x10>

So now you have the address: 0x402910 is the jump address of the exit() function (the one you would get printed if you tried printf("%x\n", exit);).

Regarding system, ls is not using this symbol so you cannot access it this way, as it is not linked.

Tomas answered Nov 26 '22 16:11
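An added example, not part of the question or the answer above, showing the difference both of them touch on: the value "&exit" yields when written in C (which can be the exit@plt stub inside the executable, like 0x402910 in the objdump listing) versus the address of the same function inside libc, which the dynamic linker reports through dlsym() on a libc handle. It also reads the libc base from /proc/self/maps and the kernel's randomize_va_space knob, so one can confirm the "no ASLR" assumption the question makes. Assumes Linux with glibc; the soname "libc.so.6" and the "/libc" path match are assumptions.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Address of NAME inside libc, asked from the dynamic linker. Writing "&exit" in C
 * can instead yield the exit@plt stub in the executable (0x402910 in the objdump
 * above). "libc.so.6" is glibc's soname (an assumption); glibc < 2.34 needs -ldl. */
static void *libc_symbol(const char *name)
{
    void *handle = dlopen("libc.so.6", RTLD_LAZY);  /* already mapped: bumps a refcount */
    if (handle == NULL) return NULL;
    void *addr = dlsym(handle, name);
    dlclose(handle);
    return addr;
}

/* Lowest address of the libc mapping, from /proc/self/maps ("start-end perms ... path"). */
static unsigned long libc_base(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long start = 0;
    while (f != NULL && fgets(line, sizeof line, f) != NULL)
        if (strstr(line, "/libc") != NULL && sscanf(line, "%lx-", &start) == 1)
            break;
    if (f != NULL) fclose(f);
    return start;
}

/* Kernel ASLR knob: 0 = off (the question's setup), 1 or 2 = on, -1 = unreadable. */
static int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int value = -1;
    if (f != NULL && fscanf(f, "%d", &value) != 1) value = -1;
    if (f != NULL) fclose(f);
    return value;
}

int main(void)
{
    void *sys = libc_symbol("system"), *ex = libc_symbol("exit");
    unsigned long base = libc_base();
    printf("libc base %#lx, system %p (offset %#lx), exit %p\n",
           base, sys, (unsigned long)sys - base, ex);
    printf("&exit as written in C: %p (differs when it is the PLT stub)\n", (void *)&exit);
    printf("randomize_va_space = %d (0: addresses repeat across runs)\n", aslr_setting());
    return 0;
}
```

The offset of system from the libc base stays the same whether ASLR is on or off; only the base moves, which is why a value of 0 in randomize_va_space makes the printed absolute addresses repeat from run to run.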