1. Return-to-libc Lab
Zutao Zhu
09/25/2009

2. Outline Review Set-UID assignment Discuss on Buffer-overflow Lab
Return-to-libc

3. Review Set-UID assignment
Capture screen, please.
Need to describe and explain in detail about the assignment
To prove you have root privilege, using printf(“This is my ls\n”) is not enough
“Make myprog a Set-UID root program, and run it in the root account.”

4. Review Set-UID assignment
Refer to lecture note: "To make sure Set-UID programs are safe from the manipulation of the LD PRELOAD environment variable, the runtime linker/loader (ld.so) will ignore this environment variable if the program is a Set-UID root program, unless the real UID is also zero."

5. Buffer-overflow
The shell code in the stack is executed from low memory address to the high memory address.
Use “disassemble main” to see the order

6. Buffer-overflow Stack frame for stack.c
Use “info frame” and make sure you are inside the function call you are interested in.

7. Return-to-libc
How to get the address of “system(), exit()” system call?
How to expose some strings in memory?
How to get the exposed string’s address?
How to provide parameters for system calls?

8. Return-to-libc Step 1. /sbin/sysctl -w kernel.randomize_va_space=0
Step 2. link /bin/sh to /bin/zsh
Step 3. expose “/bin/sh” to the memory
Step 4. use gdb to get the address of “system()” and “exit()”.
Step 5. get the address of “/bin/sh”
Step 6. calculate the offset

9. Return-to-libc
Chain the system call together

10. Return-to-libc
Use “id” to check the current user information

11. Reference

12. Questions?