Estaba siguiendo el tutorial http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf para bypassear el HW DEP mediante el método ret2libc.
Éste es el código a explotar:
Código
#include <stdio.h> #include <string.h> #include <stdlib.h> int main(int argc, char *argv[]) { char buff[5]; if (argc != 2) { } return 0; }
El caso es que según pone en el tutorial, con 32 Aes sobreescribiríamos completamente el RET ADDRESS, pero en el tutorial, el autor hace uso de un sistema de 32 bits, y yo estoy usando la última versión de Kali, de 64 bits.
Con 30 Aes, me faltan 2 Aes para sobreescribir todo el RET ADDRESS, pero con o más de 31 Aes, siempre muestra 0x0000000000400655. ¿Qué pasa?
Citar
root@Kali:~/Desktop/Exploits# ulimit -c unlimited
root@Kali:~/Desktop/Exploits# gcc -ggdb retlib.c -o retlib
root@Kali:~/Desktop/Exploits# ./retlib `perl -e 'print "A"x30'`
Exploiting via returning into libc function
You typed [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
Violación de segmento (`core' generado)
root@Kali:~/Desktop/Exploits# gdb -q -c ./core
[New LWP 19019]
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff7adfe000
Core was generated by `./retlib AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000414141414141 in ?? ()
(gdb) q
root@Kali:~/Desktop/Exploits# ./retlib `perl -e 'print "A"x31'`
Exploiting via returning into libc function
You typed [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
Violación de segmento (`core' generado)
root@Kali:~/Desktop/Exploits# gdb -q -c ./core
[New LWP 19023]
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff5fffe000
Core was generated by `./retlib AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000400655 in ?? ()
(gdb) q
root@Kali:~/Desktop/Exploits# gcc -ggdb retlib.c -o retlib
root@Kali:~/Desktop/Exploits# ./retlib `perl -e 'print "A"x30'`
Exploiting via returning into libc function
You typed [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
Violación de segmento (`core' generado)
root@Kali:~/Desktop/Exploits# gdb -q -c ./core
[New LWP 19019]
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff7adfe000
Core was generated by `./retlib AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000414141414141 in ?? ()
(gdb) q
root@Kali:~/Desktop/Exploits# ./retlib `perl -e 'print "A"x31'`
Exploiting via returning into libc function
You typed [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
Violación de segmento (`core' generado)
root@Kali:~/Desktop/Exploits# gdb -q -c ./core
[New LWP 19023]
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff5fffe000
Core was generated by `./retlib AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000400655 in ?? ()
(gdb) q
Muchas gracias