I followed the tutorial Part 1,Part 2, and Part 3. The exploitable code from the tutorials are stacksmash. Associated tools and utilities have been added to this repo and will be put into the image once it is built with the docker build command. The one thing that is dynamic is the location of the ENV variable for the attack.
sudo docker build -t ndd/427hax .
sudo docker run --privileged -it ndd/427hax /bin/bash
Make the stacksmash directory.
You want to generate strings for input to overflow the buffer. These can be generated by the input/genvalidptrret.py. Note that this file doesn't generate the 400 A file or the 400 input patter with the BBBBB at the 104 offset (I created in400A.txt and in400safe.txt for these in the repo if you want). You can get that by modifying the script or looking at the blog post. Also note that you need to find the right env location of the injected shellcode before generating the workable input string that will transition control properly.
Note that if you have security solutions turned on they will defeat your attack.
- Address space layout randomization can be disabled by issuing the following command:
sudo sysctl -w kernel.randomize_va_space=0
But only if you've given proper authority to the conainter through privileged
creation with the --privileged
flag.
-
Do not do canary
-
Do not do non-executable stack
Please look at the stacksmash Makefile for how these are generated.
I went through the sequence of operations as indicated in lecture. This is somewhat a follow along with the blog post and may be of interest.
-
Eddie Kholer Background on Assembly and Low-Level Code:
-
Vasileios Kemerlis @ Brown on Hacking. Basically all the links from the first few lectures are useful:
From stack overlow:
Passing arguments to variadic functions is more complicated. See x86-64 ELF ABI, section 3.5.7. Otherwise, x86-64 passes its first 6 arguments using registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9 (excluding float / vector arguments).
From the specification, %rax = 0 means that the variable argument list has no (0) floating-point arguments passed in vector registers. Your approach is wrong, as the first argument (e.g., the nul-terminated string: "Hello\n") must be passed in %rdi, and %rax must be zero when the function is called.