I've taken a shellcode that does this from here, and tested it from a wrapper function:

`/* 32 bytes setuid(0) + execve("/bin/sh",) */`

The article referenced here describes a bypass method for a situation similar to our code. The idea is that by overflowing `buf` we can modify `lpp`, and with this line (`**lpp = (unsigned long) &buf`) we can place the address of the buffer at an address referred to by an address we control: there is a double indirection.

Let's try to modify the flow with this method by changing the destructor function, which is called in the last line of code (`exit(0)`).

To find the address of the destructors section, we use `objdump -s -j .dtors vortex3`. As described in the referenced article, the layout of the destructors section is as follows:

So we will change the address of the first function to be called (0x08049540). We need an address to put in the `lpp` pointer, and that address must point to 0x08049540:

Dump of assembler code for function _do_global_dtors_aux:

We find 0x08048366, which points to 0x08049540 (the first destructor function).

If we manage to place 0x08048366 in the `lpp` pointer (by overflowing `buf`), the double indirection in the `**lpp = (unsigned long) &buf` line will write the address of `buf` into the first destructor slot, so the code in `buf` is executed as a destructor.

We'll build the vortex3 source code locally, with added prints to track the `lpp` value after overflowing `buf`. To reproduce the environment of the vortex labs, we need to disable ASLR (Address Space Layout Randomization) and compile without the stack protector:

```
# echo 0 > /proc/sys/kernel/randomize_va_space
# gcc -fno-stack-protector -U_FORTIFY_SOURCE vortex3.c -o vortex3
```

From a Python wrapper, we'll pass the previous shellcode and check whether the `lpp` variable is set correctly after `strcpy`:
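As an added example (not code from this writeup), the following Python walks a `.dtors` section in the layout described above (0xffffffff header, function-pointer entries, 0x00000000 terminator), reading it from `objdump -s` style output, and flags any destructor entry that points outside the text segment, which is exactly what a hijacked first slot looks like after the write described here. The dump contents and the `.text` address range are constructed for the example.

```python
import re
import struct

DTORS_HEAD = 0xFFFFFFFF  # marker word at the start of .dtors
DTORS_END = 0x00000000   # terminator word

# Constructed sample in the shape of `objdump -s -j .dtors` output (not the
# page's real dump): header word, one pointer entry, terminator. The bytes
# a0f5ffbf read as 0xbffff5a0 little-endian, i.e. a stack address.
SAMPLE_DUMP = """\
Contents of section .dtors:
 804953c ffffffff a0f5ffbf 00000000           ............
"""

def parse_objdump_s(text):
    """Return (section_start_addr, raw_bytes) from `objdump -s` output."""
    start, chunks = None, []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]+)((?:\s[0-9a-f]{8})+)", line)
        if not m:
            continue  # banner lines such as "Contents of section ..."
        if start is None:
            start = int(m.group(1), 16)
        chunks.append(bytes.fromhex(m.group(2).replace(" ", "")))
    return start, b"".join(chunks)

def parse_dtors(data, section_addr):
    """Walk the list: 0xffffffff, function pointers, then 0x00000000.
    Returns (addr_of_first_slot, [(slot_addr, target), ...])."""
    words = [w for (w,) in struct.iter_unpack("<I", data)]
    if not words or words[0] != DTORS_HEAD:
        raise ValueError(".dtors does not start with 0xffffffff")
    entries = []
    for idx, w in enumerate(words[1:], start=1):
        if w == DTORS_END:
            return section_addr + 4, entries
        entries.append((section_addr + 4 * idx, w))
    raise ValueError(".dtors has no 0x00000000 terminator")

def suspicious_dtors(data, section_addr, text_lo, text_hi):
    """Entries whose target lies outside [text_lo, text_hi). A destructor
    pointer aimed at the stack or heap is the footprint of the hijack."""
    _, entries = parse_dtors(data, section_addr)
    return [(s, t) for s, t in entries if not text_lo <= t < text_hi]

if __name__ == "__main__":
    addr, data = parse_objdump_s(SAMPLE_DUMP)
    # Assumed .text range for the example; take it from `readelf -S` in practice.
    for slot, tgt in suspicious_dtors(data, addr, 0x08048000, 0x08049000):
        print(f"dtor slot {slot:#010x} -> {tgt:#010x} outside .text")
```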