This repo contains C code to demonstrate exploitation of a buffer overflow during an unsafe copy operation.

OS used:

- SEEDLAB, Ubuntu 16.04 32-bit (should work on any 32-bit or i386 architecture)

Demonstration:

- Login as a normal user (i.e. not as root)
- First disable virtual address randomization:

  ```
  sudo sysctl -w kernel.randomize_va_space=0
  ```

- Now debug `demo.c` with gdb to find the return address to exploit and its offset from the buffer to exploit:

  ```
  debug.sh demo.c
  ```

- You should be in the gdb console now. Find the address and offset in gdb using the following commands:

  ```
  b foo
  run
  p $ebp
  p &buffer
  p/d $1-$2
  q
  ```

  Note the address of ebp from `p $ebp` and the offset from buffer from `p/d $1-$2`.
- After quitting the gdb console, set the ebp address and the offset by updating the following lines in `exploit.py`:

  ```
  ebp_offset = <offset_obtained_from_gdb>
  addr_ebp = <address_of_ebp_obtained_from_gdb>
  ```

- Finally run the attack using `run.sh`:

  ```
  run.sh
  ```

- If everything is okay, a bash shell will be opened as root. Check using `whoami`.

Resources used:

- shellcode and `demo.c` from SEEDLAB
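As an added example (not `demo.c` or any other code from SEEDLAB; the buffer size and the function names are constructed), here is the unsafe copy pattern the demonstration above relies on, beside a bounded replacement that rejects oversized input instead of letting it run over the saved ebp and return address that the gdb session measures:

```c
/* Added example, not demo.c from SEEDLAB. BUF_SIZE is constructed; the
 * real buffer size in demo.c is not shown in this README. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 24

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = -1 };

/* Vulnerable pattern: strcpy() stops only at the NUL byte, so an argument
 * longer than BUF_SIZE overwrites whatever sits above buffer on the stack,
 * including the saved ebp and the return address that the gdb commands in
 * the README locate. Never call this with untrusted input. */
void unsafe_copy(const char *str)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, str);          /* no length check */
    printf("%s\n", buffer);
}

/* Hardened form: the destination size is passed explicitly, input that
 * does not fit is rejected rather than silently truncated, and the
 * destination is always NUL-terminated. */
enum copy_status bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return COPY_TOO_LONG;     /* would overflow: refuse, leave dst untouched */
    memcpy(dst, src, len + 1);    /* len + 1 also copies the terminating NUL */
    return COPY_OK;
}

/* Same stack layout as unsafe_copy, but the copy can no longer overrun. */
enum copy_status safe_copy(const char *str)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, str) != COPY_OK)
        return COPY_TOO_LONG;
    printf("%s\n", buffer);
    return COPY_OK;
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "constructed short input";
    if (safe_copy(input) != COPY_OK)
        fprintf(stderr, "input rejected: %zu bytes does not fit in %d\n",
                strlen(input), BUF_SIZE);
    return 0;
}
```

Compiling with gcc's `-fstack-protector` adds a canary check that aborts on this kind of overrun at runtime, but the bounded copy removes the bug rather than just detecting it.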