- Disable address space layout randomization (-w for current session) (ASLR: Technique that is used to increase the difficulty of performing a buffer overflow attack that requires the attacker to know the location of an executable in memory)
sudo sysctl -w kernel.randomize_va_space=0
- Disable ASLR persistently across system restarts
sudo sysctl kernel.randomize_va_space=0
Inside /src
- Execute shellcode with user priviledges
gcc call_shellcode.c -o call_shellcode -z execstack
- -z execstack: can execute commands within stack
./call_shellcode
- Execute shellcode with root priviledges
sudo chown root call_shellcode
sudo chmod 4755 call_shellcode
./call_shellcode
- -z execstack: ability to execute instructions within the stack
- -fno-stack-protector: use of stack guard for protecting stack overwrite
gcc stack.c -o stack -z execstack -fno-stack-protector
- -root priviledges
chmod 4755 stack
- Creates 'badfile', fills it with NOP (0x90) instructions.
- 'badfile' should have shellcode and the address of shellcode
- Run exploit to create the badfile
gcc exploit.c -o exploit
./exploit
- Compile stack.c with debug flags activated
gcc stack.c -o stack_gdb -g -z execstack -fno-stack-protector
-
Run stack_gdb in debug mode
-
Set breakpoint to bof and run
-
Print the address of buffer[] and the content of ebp register
-
The addresses distance is 0x20 bytes
-
Since ASLR is off, the same addresses will be used everytime stack.c executes, so we change exploit.c accordingly
-
Change the return address to 0xbffff1d0 (0x20 from the start of buffer[] + 0x04 bytes for Previous Frame Pointer + 0x04 bytes for Return Address) which means at least 0x28 bytes upper the buffer[] address
-
Finally, we execute stack, using badfile as input, so that we get root shell
