Mon. Aug 19th, 2019

Ethical Hacking Playground

hacking is curiosity

Stack Based 0x1

Setting up the Debugger

We need to download PEDA (Python Exploitation Development Assistance). This makes exploiting binary’s easy.


INSTALLATION:


git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Stack Overflow

Create a file called vuln.c and copy this source code into it

CODE:


#include <string.h>

void vuln(char *arg) {
    char buffer[500];
    strcpy(buffer, arg);
}

int main( int argc, char** argv ) {
    vuln(argv[1]);
    return 0;
}

Make sure to disable ASLR:

echo 0 > /proc/sys/kernel/randomize_via_space

COMPILE:

gcc -z execstack vuln.c -o vuln

Triggering The Crash

Looking at the source code, there is a buffer of 500 bytes and a vulnerable function named strcpy(); that copy’s something into the buffer without checking the boundarys

So, we can put more than 500 bytes into the buffer causing a seg fault


./vuln $(python -c 'print "A" * 600')

Finding the offset to EIP

We, now need to find the distance to the EIP, EIP is a x86 instruction that stands for Extended Instruction Pointer it’s job is to call the next instruction.

We want to control this by replacing it with our A’s -> 0x41 and then find the distance to the EIP with the command pattern arg 600 the pattern command will give us a pattern

That we can input and then run the patts command to search in memory for the EIP distance.

Controlling the EIP

The next thing we want to do is control the EIP and put B’s in there instead. B is 0x42 in hexadecimal

Popping A Shell

Now, we need to find a memory address somewhere in our nopsled and craft our payload to redirect our EIP to a return address, slide down our nops to the shellcode



Advertisements