in this article I will try to exploitation to back-track 5. The first thing to do is turn off "LINUK ASLR".
to check the value ASLR you can perform the command "cat /proc/sys/kernel/randomize_va_space" Here we can see that the SLR is still alive.
Now we try to turn off ASLR. with the command "echo 0 > /proc/sys/kernel/randomize_va_space"
Now we try mengulai command to see the value of ASLR
on all linux based operating systems are not the same. I will try to give you the solution that fails to turn off ASLR:
- echo 0> / proc / sys / kernel / exec-shield # turn it off .. | echo 1> / proc / sys / kernel / exec-shield # turn it on
- echo 0> / proc / sys / kernel / randomize_va_space # turn it off .. | echo 1> / proc / sys / kernel / randomize_va_space # turn it on
- sudo bash -c "echo 0 > /path/to/file" # turn it off ..| sudo bash -c "echo 0 > /path/to/file" # turn it on
after we managed to turn off ASLR, then we are compiling the application.
create a fuzzer as below. and save it with '.c'
fuzz_Vulnerable:
next, after saving. then we will trigger a buffer overflow. follow the instructions below.
I try to explain a little
the use of GCC to program (C + +). for more complete explanation you can see in the console and type man gcc.
GDB, the GNU Project debugger, allows you to see what is going on `inside' another program while it executes -- or what another program was doing at the moment it crashed.
GDB can do four main kinds of things (plus other things in support of these) to help you catch bugs in the act:
- Start your program, specifying anything that might affect its behavior.
- Make your program stop on specified conditions.
- Examine what has happened, when your program has stopped.
- Change things in your program, so you can experiment with correcting the effects of one bug and go on to learn about another.
okey., it is a bit of knowledge., that here the author is still in the learning stage.
then type the command as below :
Now we have a vulnerable program.
then we open the GDB to find the necessary offset to override
then repeat again. running python
 |
| yaap., the program received., proceed again as below |
 |
| Now we have successfully overwrite the register EIP |
ya., using the info registers we can see all the registers in the "x / FTM ADDRESS"
the register ESP contains the buffer we are evil.
and the registers EBP and EIP was overwritten / x41
we can find out the address of the ESP before the strcpy function.
with our finance last 200 bytes can be pushed on the stack.
thing we need to know how we will work around the 200 byte shellcode and then we overwrite the EIP with the address of ESP address ..
now let’s try to find out the ESP address and subtract 200 bytes from it.
Next we use the gdb command list, then do the break point
let's try to repeat the command above 'just to be sure'
okey., subtract 200 bytes of the ESP: 0xbffff14c-200 = 0xbffff14c.now we know we need to overwrite EIP 508 byteyaap., now we try to arrange exploitation.we have a total of 508 bytes to overwrite EIP:323 garbage bytes shellcode + 45 bytes = 368 bytes508 bytes - 368 bytes = 140 bytesso we have room for 140 bytes shellcode.
then we divide 140 by 4 "in accordance with memory addresses (\x41\ x41\x41\ x41)" and the result is 35.
Now we enter the final stage
who wants to generate payload you can get below (save it with '. c')
generate payload:
I keep up with the name 'payload.c'
Now we try to run it
run the following command: $ (python-c 'print "\ X90" * 323 + "Your_payload" + "\ x6c \ xf0 \ xFF \ xbf '* 35')
consequently exploit success., and we have entered in the root
Tidak ada komentar:
Posting Komentar