A stack buffer overflow occurs when a program writes to a memory address on its call stack outside of the intended structure / space. In this walk-through, I'm going to cover the ret2libc (return-to-libc) method. This method of exploitation is great because it doesn't require the use of your typical shellcode. It involves making calls to the functions provided to us by libc (the standard C library). We're going to use the system and exit functions for demonstration.

To have a good understanding of how stack overflows work, it's extremely helpful to know how stack data structures work and, more importantly, how the call stack works. For the sake of time, I'm not going to explain how these two things work in great detail. If you want to know how they work, I would recommend watching stack and call stack.

To practice carrying out a SOF, we create a vulnerable binary. The source below uses strcpy() with no bounds checking, which is what makes the code vulnerable to a stack overflow attack. strcpy() will take whatever is in argv and copy it into buf. Without a bounds check around strcpy() to make sure the length of argv isn't greater than the width of the buffer, we can overrun the buffer and overwrite what follows it on the stack with our own data.

#include

For the sake of simplicity and keeping this article to a sane length, I disable common buffer overflow protection (BOP) mechanisms including ASLR, canaries, and the NX bit. PIE and RELRO are disabled on my system by default. I also pass an option along to make the binary 32-bit.

gcc -g -Wall -mpreferred-stack-boundary=2 -fno-stack-protector -m32 -I.

-g: Produces debugging information about the program that GDB (the GNU Debugger) can use to aid us.
-fno-stack-protector: Disables stack smashing protectors (SSP).
-z execstack: Makes the stack executable.
-o sof: The output (compiled) binary will be named sof.
-mpreferred-stack-boundary=2: Aligns the stack boundary in our binary to 4 bytes.

ASLR can't be disabled via a compiler flag because it's a feature that's carried out and managed by the kernel. On Fedora, Debian, and Ubuntu, ASLR can be disabled by adding kernel.randomize_va_space = 0 to /etc/nf or by running echo 0 > /proc/sys/kernel/randomize_va_space. Other Linux distributions may require a different approach. An easy way to determine if ASLR is enabled (it likely is if you didn't explicitly disable it) is to cat /proc/sys/kernel/randomize_va_space. If the output is a positive number, it's enabled.

Let's disassemble the main function in our binary, break it down, and talk about what happens at the assembler level.

GEF for linux ready, type `gef' to start, `gef config' to configure
77 commands loaded for GDB Fedora 8.0.1-33.fc27 using Python engine 3.6
Dump of assembler code for function main:
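The strcpy() pattern described above, written out as an added example beside its bounded counterpart. This is my reconstruction, not the article's own listing (which did not survive extraction): the 64-byte BUF_SIZE and the function names vulnerable_copy, bounded_copy and would_overflow are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer width: the article's listing is not available, so 64 bytes
 * is a placeholder chosen for this example. */
#define BUF_SIZE 64

/* The vulnerable pattern: strcpy() copies until it finds a NUL in src and
 * never looks at the size of dst. An argument of BUF_SIZE bytes or more
 * writes past buf, over the saved frame pointer and return address that sit
 * above it in the frame. Built as the article builds sof
 * (-fno-stack-protector, -z execstack, -m32) nothing stops that write. */
void vulnerable_copy(const char *src) {
    char buf[BUF_SIZE];
    strcpy(buf, src);                     /* no bound on the length of src */
    printf("copied %zu bytes\n", strlen(buf));
}

/* The bounded form: look for the NUL within dst_size bytes before copying
 * and refuse input that would not fit together with its terminator.
 * Returns 0 when the copy was made and -1 when the input was rejected, so
 * the caller cannot silently continue with a truncated or overflowed buffer. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    const char *nul = memchr(src, '\0', dst_size); /* scans at most dst_size bytes */
    if (nul == NULL) return -1;                    /* no terminator in range: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);     /* copy including the NUL */
    return 0;
}

/* Pure helper for reasoning about the overflow: does an argument of this
 * many characters (excluding the NUL) overrun a BUF_SIZE buffer? */
int would_overflow(size_t arg_len) {
    return arg_len + 1 > BUF_SIZE;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    char safe[BUF_SIZE];
    if (bounded_copy(safe, sizeof safe, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %d bytes), refusing to copy\n",
                BUF_SIZE - 1);
        return 1;
    }
    printf("safely copied: %s\n", safe);
    return 0;
}
```

The main() above only exercises bounded_copy; vulnerable_copy is kept so the two can be read side by side. The compiler flags the article turns off have direct opposites when you want the protections back: -fstack-protector-strong for canaries, -z noexecstack for a non-executable stack, -fPIE -pie for PIE, and -Wl,-z,relro,-z,now for full RELRO.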
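The ASLR check the article does with cat, as an added example rather than anything from the article: a small C program that reads /proc/sys/kernel/randomize_va_space, validates the value, and reports what it means. The names aslr_mode_name, parse_randomize_va_space and read_aslr_setting are my own; the meaning of the values 0, 1 and 2 is the kernel's documented semantics for kernel.randomize_va_space.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The procfs file the article reads with cat. */
#define ASLR_PROC_PATH "/proc/sys/kernel/randomize_va_space"

/* Meaning of each value of kernel.randomize_va_space. */
const char *aslr_mode_name(int value) {
    switch (value) {
    case 0:  return "disabled";
    case 1:  return "conservative";  /* stack, mmap base and VDSO randomized */
    case 2:  return "full";          /* additionally randomizes the brk (heap) base */
    default: return "unknown";
    }
}

/* Parse one line as read from the file, e.g. "2\n". Accepts only 0, 1 or 2
 * followed by whitespace; anything else yields -1 so a garbled or empty read
 * is never mistaken for "ASLR off". */
int parse_randomize_va_space(const char *line) {
    char *end;
    long v = strtol(line, &end, 10);
    if (end == line) return -1;                    /* no digits at all */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r') end++;
    if (*end != '\0') return -1;                   /* trailing junk */
    if (v < 0 || v > 2) return -1;                 /* outside the documented range */
    return (int)v;
}

/* Read the live setting. Returns the parsed value, or -1 if the file cannot
 * be read (not Linux, or procfs not mounted). */
int read_aslr_setting(void) {
    FILE *f = fopen(ASLR_PROC_PATH, "r");
    if (f == NULL) return -1;
    char line[32];
    const char *got = fgets(line, sizeof line, f);
    fclose(f);
    if (got == NULL) return -1;
    return parse_randomize_va_space(line);
}

int main(void) {
    int v = read_aslr_setting();
    if (v < 0) {
        fprintf(stderr, "could not read or parse %s\n", ASLR_PROC_PATH);
        return 1;
    }
    /* Matches the article's rule of thumb: a positive value means enabled. */
    printf("randomize_va_space = %d (%s): ASLR is %s\n",
           v, aslr_mode_name(v), v > 0 ? "enabled" : "disabled");
    return 0;
}
```

Compile with gcc and run it before and after changing the sysctl to confirm the setting actually took effect; a non-zero exit status means the value could not be determined, which is the safer default to report than assuming it is off.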