Sat. Oct 19th, 2019

Ethical Hacking Playground

hacking is curiosity

Stack Based 0x2

Setting up the Debugger

We need to download PEDA (Python Exploitation Development Assistance), a GDB plugin that makes exploiting binaries easier.

INSTALLATION:

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Stack Overflow

Create a file called auth.c and copy this source code into it

CODE:

#include <string.h>
#include <stdio.h>

int main(int argc, char **argv) {
  char buff[15];   // 15-byte password buffer
  int auth = 0;    // the flag the overflow is meant to reach

  printf("\nEnter password: ");
  gets(buff);      // no length check: input longer than the buffer is written past it

  if (strcmp(buff, "password") != 0) {
    printf("\nAccess denied\n");
  } else {
    auth = 1;
  }

  // Let's bypass this check!
  if (auth) {
    printf("\nAccess granted\n");
  }

  return 0;
}

COMPILE:

gcc auth.c -o auth

EXPLOIT:

Pretend this is a real-life application that lets a client log in. Because the app reads the password with the vulnerable function gets(), we can overwrite the stack and force a successful login.

This is how the gets() man page describes the bug:

Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.

So all we need to do is write more than 15 bytes into the buffer: the extra bytes spill onto the stack past buff, and we will successfully log in to the app.
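For comparison, here is the fix the man page points at, as an added example that is not the post's own code: the same check rewritten around fgets(), which stores at most sizeof(buff) - 1 bytes and so can never write past buff into auth. A line that did not fit is refused rather than trusted; authenticate_str() is a helper assumed here so the logic can be exercised on fixed input.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_LEN 15   /* same size as buff in auth.c */

/* Bounded replacement for the gets() read in auth.c. Returns 1 for the right
 * password, 0 for a wrong one, -1 if the line was longer than the buffer:
 * the input that overflows buff in the gets() version is refused here. */
int authenticate(FILE *in) {
  char buff[BUFF_LEN];
  int auth = 0;

  /* fgets() stores at most BUFF_LEN - 1 bytes plus '\0', never past buff. */
  if (fgets(buff, sizeof buff, in) == NULL) return 0;
  char *nl = strchr(buff, '\n');
  if (nl != NULL) {
    *nl = '\0';                  /* drop the newline before comparing */
  } else {
    /* No newline stored: the line ended at EOF (fine) or did not fit. Peek at
     * the next byte; drain an oversized line so a later read starts clean. */
    int c = fgetc(in);
    if (c != EOF && c != '\n') {
      while (c != EOF && c != '\n') c = fgetc(in);
      return -1;
    }
  }

  if (strcmp(buff, "password") == 0) auth = 1;
  return auth;
}

/* Helper assumed for this example: feed a string through authenticate() via
 * a temporary file (tmpfile() is standard C), so no terminal is needed. */
int authenticate_str(const char *line) {
  FILE *f = tmpfile();
  if (f == NULL) return -2;
  fputs(line, f);
  rewind(f);
  int r = authenticate(f);
  fclose(f);
  return r;
}

int main(void) {
  printf("\nEnter password: ");
  int r = authenticate(stdin);
  if (r == -1) fputs("\nInput too long, rejected\n", stdout);
  else fputs(r ? "\nAccess granted\n" : "\nAccess denied\n", stdout);
  return 0;
}
```

Feeding the same long string that overflows the gets() build to this version returns -1 instead of touching auth.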
