Scribd
Upload
93 views

Return To Libc

This document discusses a return-to-libc attack to defeat a non-executable stack countermeasure. The attack involves 3 tasks: 1) Finding the address of the system() function, 2) Finding the address of the "/bin/sh" string, and 3) Constructing arguments for system() by overwriting the return address to point to system() and placing the "/bin/sh" address as an argument. Understanding how registers like EBP and ESP change during function calls is key to launching the attack successfully.

Uploaded by

sahilmahajan
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
93 views

Return To Libc

This document discusses a return-to-libc attack to defeat a non-executable stack countermeasure. The attack involves 3 tasks: 1) Finding the address of the system() function, 2) Finding the address of the "/bin/sh" string, and 3) Constructing arguments for system() by overwriting the return address to point to system() and placing the "/bin/sh" address as an argument. Understanding how registers like EBP and ESP change during function calls is key to launching the attack successfully.

Uploaded by

sahilmahajan
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 22

Return-to-libc Attacks

Outline
● Non-executable Stack countermeasure
● How to defeat the countermeasure
● Tasks involved in the attack
● Function Prologue and Epilogue
● Launching attack
Non-executable Stack
Running shellcode in C program

Calls shellcode
Non-executable Stack
● With executable stack

● With non-executable stack


How to Defeat This Countermeasure
Jump to existing code: e.g. libc library.

Function: system(cmd): cmd argument is a command which gets executed.


Environment Setup

This code has potential buffer


overflow problem in vul_func()
Buffer overflow
problem
Environment Setup
“Non executable stack” countermeasure is switched on, StackGuard protection is
switched off and address randomization is turned off.

Root owned Set-UID program.


Overview of the Attack
Task A : Find address of system().

● To overwrite return address with system()’s address.

Task B : Find address of the “/bin/sh” string.

● To run command “/bin/sh” from system()

Task C : Construct arguments for system()

● To find location in the stack to place “/bin/sh” address (argument for system())
Task A : To Find system()’s Address.
● Debug the vulnerable program using gdb
● Using p (print) command, print address of system() and exit().
Task B : To Find “/bin/sh” String Address
Export an environment variable called “MYSHELL” with value
“/bin/sh”.

MYSHELL is passed to the vulnerable program as an environment


variable, which is stored on the stack.

We can find its address.


Task B : To Find “/bin/sh” String Address

Export “MYSHELL” environment


variable and execute the code.

Code to display address of environment variable


Task B : Some Considerations
● Address of “MYSHELL” environment variable is
sensitive to the length of the program name.
● If the program name is changed from env55 to
env77, we get a different address.
Task C : Argument for system()
● Arguments are accessed with respect to ebp.
● Argument for system() needs to be on the stack.

Need to know where exactly ebp is


after we have “returned” to
system(), so we can put the
argument at ebp + 8.

Frame for the system() function


Task C : Argument for system()
Function Prologue

esp : Stack pointer


ebp : Frame Pointer
Task C : Argument for system()
Function Epilogue

esp : Stack pointer


ebp : Frame Pointer
Function Prologue and Epilogue example

2
1 Function prologue

2 Function epilogue
8(%ebp) ⇒ %ebp + 8
How to Find system()’s Argument Address?
Change ebp and esp

Modified Use of
vul_func() system()
Return system()’s
epilogue prologue
Address argument

● In order to find the system() argument, we need to understand how the


ebp and esp registers change with the function calls.
● Between the time when return address is modified and system argument
is used, vul_func() returns and system() prologue begins.
Memory Map to Understand system() Argument
Flow Chart to understand
system() argument
Return address is
ebp is replaced by esp
changed to system() Jump to system()
after vul_func() epilogue
address.

“/bin/sh” is stored in ebp is set to current system() prologue is


ebp+8 value of esp executed

Check the memory map

ebp + 4 is treated as return address of system(). We can


put exit() address so that on system() return exit() is
called and the program doesn’t crash.
Malicious Code

ebp + 12

ebp + 8

ebp + 4
Launch the attack
● Execute the exploit code and then the vulnerable code
Summary
● The Non-executable-stack mechanism can be bypassed

● To conduct the attack, we need to understand low-level details about function


invocation

● The technique can be further generalized to Return Oriented Programming


(ROP), which is not covered in the book. See Problem 5.8.

You might also like