Return-to-libc Lab Zutao Zhu 09/25/2009.


1 Return-to-libc Lab Zutao Zhu 09/25/2009

2 Outline
Review of the Set-UID assignment
Discussion of the Buffer-overflow Lab
Return-to-libc

3 Review Set-UID assignment
Please capture your screen. You need to describe and explain the assignment in detail.
To prove that you have root privilege, using printf("This is my ls\n") is not enough.
"Make myprog a Set-UID root program, and run it in the root account."

4 Review Set-UID assignment
Refer to the lecture note: "To make sure Set-UID programs are safe from the manipulation of the LD_PRELOAD environment variable, the runtime linker/loader (ld.so) will ignore this environment variable if the program is a Set-UID root program, unless the real UID is also zero."

5 Buffer-overflow
The shellcode on the stack executes from the low memory address toward the high memory address. Use "disassemble main" to see the order.

6 Buffer-overflow
Stack frame for stack.c
Use "info frame" and make sure you are inside the function call whose frame you are interested in.

7 Return-to-libc
How do we get the address of the system() and exit() system calls?
How do we expose some strings in memory?
How do we get the exposed string's address?
How do we provide parameters to the system calls?

8 Return-to-libc
Step 1. /sbin/sysctl -w kernel.randomize_va_space=0
Step 2. Link /bin/sh to /bin/zsh
Step 3. Expose "/bin/sh" in memory
Step 4. Use gdb to get the addresses of system() and exit()
Step 5. Get the address of "/bin/sh"
Step 6. Calculate the offset
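Steps 1 and 2 only work because the lab VM has been deliberately weakened: address-space randomization is switched off, and /bin/sh is pointed at a shell that keeps setuid privileges. The script below is an added hardening check, not part of the lab slides or the SEED lab material; it reads the two settings from the host and reports whether they are in the weak (lab) state or the hardened (production) state. It assumes that bash and Ubuntu's dash drop elevated privileges when real and effective UID differ (unless started with -p) and that zsh does not; the level descriptions follow the kernel's sysctl documentation for randomize_va_space.

```shell
#!/bin/sh
# Added hardening check (not from the lab slides). Reports whether the two
# weakenings the lab depends on are present on this host:
#   Step 1: kernel.randomize_va_space=0 (ASLR off)
#   Step 2: /bin/sh pointing at a shell that keeps setuid privileges (zsh)
# Assumption: bash and Ubuntu's dash drop privileges when ruid != euid
# (unless run with -p); zsh does not.

# Map a kernel.randomize_va_space value to a one-word level.
aslr_level_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo partial ;;
        2) echo full ;;
        *) echo unknown ;;
    esac
}

# Longer explanation of each level (meanings from the kernel sysctl docs).
aslr_describe() {
    case "$(aslr_level_name "$1")" in
        disabled) echo "WEAK: stack, shared libraries and heap load at fixed addresses" ;;
        partial)  echo "stack, mmap base (shared libraries) and VDSO randomized; brk heap is not" ;;
        full)     echo "OK: stack, mmap base, VDSO and brk heap all randomized" ;;
        *)        echo "unrecognized value '$1'" ;;
    esac
}

# Exit status 0 only for the hardened setting (2).
aslr_is_hardened() { [ "$1" = "2" ]; }

# Exit status 0 if the shell at the given path is one assumed to drop privileges.
sh_drops_privs() {
    case "$(basename "$1")" in
        bash|dash) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live values from the host and print a short report.
audit_host() {
    aslr=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown)
    echo "kernel.randomize_va_space=$aslr: $(aslr_describe "$aslr")"

    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    if sh_drops_privs "$target"; then
        echo "/bin/sh -> $target: OK, drops setuid privileges"
    else
        echo "/bin/sh -> $target: WEAK, a setuid process spawning it keeps root"
    fi
}

audit_host
```

Run it on the lab VM before and after the lab to see both states; on a hardened host the expected report is randomize_va_space=2 and /bin/sh resolving to dash or bash. The classification is kept in small functions so it can be reused from a larger audit script.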

9 Return-to-libc
Chain the system calls together

10 Return-to-libc
Use "id" to check the current user's information

11 Reference

12 Questions?

