Slide 1. Return-to-libc Lab
Zutao Zhu, 09/25/2009
Slide 2. Outline
Review of the Set-UID assignment
Discussion of the Buffer-overflow Lab
Return-to-libc
Slide 3. Review of the Set-UID assignment
Capture the screen, please. You need to describe and explain the assignment in detail.
To prove that you have root privilege, printing a line such as printf("This is my ls\n") is not enough.
"Make myprog a Set-UID root program, and run it in the root account."
Slide 4. Review of the Set-UID assignment
Refer to the lecture note: "To make sure Set-UID programs are safe from the manipulation of the LD_PRELOAD environment variable, the runtime linker/loader (ld.so) will ignore this environment variable if the program is a Set-UID root program, unless the real UID is also zero."
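Slides 3 and 4 make two points that are easy to verify in code: evidence of root privilege is the process's effective UID, not a printed string, and ld.so's handling of LD_PRELOAD depends on the real and effective UIDs. The program below is an added example written for this page; it is not part of the lab or the lecture notes. The functions has_root_privilege() and ld_preload_is_honored() are this example's own names, and ld_preload_is_honored() models only the simplified rule quoted on slide 4 (the real glibc secure-execution rules are broader).

```c
/* Added example (not from the slides): report the privilege level of a
 * Set-UID program and model the ld.so rule quoted on slide 4. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Model of the slide 4 rule: ld.so ignores LD_PRELOAD for a Set-UID root
 * program unless the real UID is also zero. A program counts as
 * "Set-UID root" here when its effective UID is 0 while the real UID is
 * something else. Returns 1 if LD_PRELOAD would be honoured, 0 if it would
 * be ignored. (Assumption: this is the slide's simplified statement; glibc
 * applies its secure-execution rules to any ruid/euid mismatch.) */
int ld_preload_is_honored(uid_t ruid, uid_t euid)
{
    int setuid_root = (euid == 0 && ruid != euid);
    if (setuid_root && ruid != 0)
        return 0;   /* ignored: privileged program, unprivileged invoker */
    return 1;       /* honoured: no privilege boundary is crossed */
}

/* Proof of root privilege is the effective UID, not a printf().
 * Returns 1 when the process runs with effective UID 0. */
int has_root_privilege(uid_t euid)
{
    return euid == 0;
}

int main(void)
{
    uid_t ruid = getuid();
    uid_t euid = geteuid();

    printf("real uid=%u effective uid=%u\n", (unsigned)ruid, (unsigned)euid);
    printf("root privilege: %s\n", has_root_privilege(euid) ? "yes" : "no");
    printf("LD_PRELOAD honoured by ld.so (slide 4 rule): %s\n",
           ld_preload_is_honored(ruid, euid) ? "yes" : "no");
    return 0;
}
```

Compile it, make the binary Set-UID root, and run it from an unprivileged account: the effective UID line is the evidence the assignment asks for, and the last line shows why an LD_PRELOAD-based manipulation of such a program is ignored unless the invoker is already root.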
Slide 5. Buffer-overflow
The shellcode on the stack is executed from the low memory address toward the high memory address. Use "disassemble main" in gdb to see the instruction order.
Slide 6. Buffer-overflow
Stack frame for stack.c
Use "info frame" in gdb, and make sure you are inside the function call you are interested in.
Slide 7. Return-to-libc
How do you get the addresses of system() and exit()?
How do you expose strings in memory?
How do you get the address of an exposed string?
How do you provide parameters to the calls?
Slide 8. Return-to-libc
Step 1. /sbin/sysctl -w kernel.randomize_va_space=0
Step 2. Link /bin/sh to /bin/zsh.
Step 3. Expose "/bin/sh" in memory.
Step 4. Use gdb to get the addresses of system() and exit().
Step 5. Get the address of "/bin/sh".
Step 6. Calculate the offset.
Slide 9. Return-to-libc
Chain the system calls together.
Slide 10. Return-to-libc
Use "id" to check the current user information.
Slide 11. Reference
Slide 12. Questions?