Session 12 Solutions
Gadget Tut
TODO
Echo Service
By going through the echo_service.c file we see that in the echo_service() function we use read() for reading 4096 bytes when we only have 1024 bytes available in the buf buffer. We can use this to create a return-oriented programming (ROP) attack.
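As an added example (not the course's echo_service.c), the over-long read() described above is reconstructed beside the bounded version a defender would write; BUF_SIZE, READ_LEN, echo_service_fixed() and demo_overlong_input() are names chosen here, and the buffer layout is assumed from the description:

```c
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BUF_SIZE 1024   /* size of buf in echo_service() (assumed) */
#define READ_LEN 4096   /* length the vulnerable read() asks for */

/* Vulnerable shape (assumed reconstruction, not the course's echo_service.c),
 * shown only for comparison:
 *     char buf[BUF_SIZE];
 *     ssize_t n = read(sockfd, buf, READ_LEN);  // READ_LEN > sizeof(buf)
 * Input longer than BUF_SIZE runs past buf into the saved frame pointer and
 * return address, which is exactly what the ROP chain overwrites. */

/* Hardened version: the length handed to read() comes from the buffer itself,
 * so no input can write past it. Returns bytes echoed back, -1 on error/EOF. */
ssize_t echo_service_fixed(int sockfd)
{
    char buf[BUF_SIZE];
    ssize_t n = read(sockfd, buf, sizeof(buf));
    if (n <= 0)
        return -1;
    return write(sockfd, buf, (size_t)n);
}

/* Feeds input_len bytes of 'A' (constructed input) to echo_service_fixed()
 * over a local socketpair and returns how many bytes came back: an over-long
 * input is truncated to BUF_SIZE instead of corrupting the stack. */
ssize_t demo_overlong_input(size_t input_len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    char *input = malloc(input_len);
    if (!input || write(sv[0], memset(input, 'A', input_len), input_len) < 0) {
        free(input); close(sv[0]); close(sv[1]);
        return -1;
    }
    free(input);
    ssize_t echoed = echo_service_fixed(sv[1]), total = 0;
    char reply[READ_LEN];
    while (total < echoed) {            /* drain the echo, at most BUF_SIZE */
        ssize_t r = read(sv[0], reply + total, sizeof(reply) - (size_t)total);
        if (r <= 0) break;
        total += r;
    }
    close(sv[0]); close(sv[1]);
    return total;
}
```

With the 4096-byte input the fixed service echoes back only 1024 bytes; the rest stays unread in the socket rather than on the stack.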
Let's first consider our steps.
- We will create a payload that overflows the buf buffer and rewrites the return address of the echo_service() function, triggering the attack (the ROP chain).
- We will update the payload to issue the following calls through the ROP chain, as also indicated in the task:
  dup2(sockfd, 1);
  dup2(sockfd, 0);
  system("/bin/sh");
- We will start the server and then use netcat to send the payload to the server to trigger the attack.
We aim for the stack to be the one below:

0x00000000
...
start address of buf
...
+--------------------------------+
| dup2() address                 | <--- return address for echo_service()
+--------------------------------+
| pop_pop_ret gadget address     |
+--------------------------------+
| 4                              |
+--------------------------------+
| 1                              |
+--------------------------------+
| dup2() address                 |
+--------------------------------+
| pop_pop_ret gadget address     |
+--------------------------------+
| 4                              |
+--------------------------------+
| 0                              |
+--------------------------------+
| system() address               |
+--------------------------------+
| junk                           |
+--------------------------------+
| "/bin/sh" address              |
+--------------------------------+
...
0xFFFFFFFF
In the above figure we overflow the buf buffer and overwrite the return address of the echo_service() function with the first part of the ROP chain: the address of the dup2() function. Once the dup2() function returns, it will call a ROP gadget that pops two values off the stack: the dup2() function arguments (4 is sockfd, and 0 and 1 are the standard input and standard output file descriptors, respectively). Then another dup2() function gets called, and then system("/bin/sh"). Because this needs the address of the "/bin/sh" string, it could only happen on a non-ASLR-enabled system; but we'll use some tricks to get it running on an ASLR-enabled system as well.