Bypass ASLR+NX Part 2
hi guys today we will continue in ways to bypass ASLR and NX if you dont know what means please read
Part 1 will will find way to control EIP and in this part we will focus on another technique called Ret2eax.
before going to explain it we need to understand what EAX and what it's purpose in program.
EAX is general purpose register used in arithmetic calc and store results of arithmetic operations and function return value , like C built in function strcpy will save string pointer in EAX without assign it EAX will save pointer to buffer .
we will take example to login system use strcmp to compare between two strings return 0 if two strings are same or return 1 if not equal .
simple program user enter password compare it using strcmp you notice that strcmp we compare it to 0 if condition True i.e return 0 will print "you Login in" else "Ops LOL" .
now we going to open program in gdb.
we disassemble main we find call to login let disassemble login
ok will see two breakpoints one in call strcmpt at address 0x08048436 and another on jne at address 0x08048440 now we going to explain it eax store pointer to string that store in stack and then made test eax,eax if both equal will return 0 will set ZF=1 else where compare is false will set ZF=0 and we came to JNE is check ZF=0(when condition false will set ZF=0) if not equal will jump to execute from 0x08048454 this instructions will print "OPS LOL" i made it in Red (false) but when ZF=1 will continue to execute instructions that will print "You Login in" i made it in Green. we can bypass it if we use wrong password set breakpoint in test eax,eax and write wrong string like AAAA. we analysis stack to figure out values.
you can see in local variable local EBP-0xd store value it's string 1234 that hardcode inside program after that load this string from EBP-0xd lea eax,[ebp-0xd] and then push eax in stack the second argument push in stack ebp+0x8 this parameter to string function after push two values then we call strcmp it perform compare and return value at EAX if EAX=0 at test eax,eax we will login
set eax=0 in order to bypass password check
now this first part is to understand value that return from eax now we go to understand string pointer that save in EAX , think in strcmp like this cmp src,dest where src is "1234" that value hardcode in program and dest is argv (user value supply by user ) as we know dest=AAAA src="1234".
dest=dest-src (eax=eax-ebp+0x8) EAX also point to buffer.
EAX store 0xbffff647 it's pointer point to string buffer (AAAA)
now we going to our main program will go to exploit it but before that we have note this exploit work when function that return value have't command after it.
we will open program in gdb and disassemble main and vul functions and set same breakpoints
dissemble vul function
now we will but some strings to look at eax to figure out EAX store pointer point to buffer
let us examine EAX to find strings that store in EAX but why this string store in EAX because we use strcpy this return pointer to string as we explain it in begin. after we find where our input store now it's time to find way to call or jump to eax both redirect execution to string buffer,to make this exploit reliable we will add some nops before and after shellcode and finally address to call eax .
stack layout looks like
we build test exploit our shellcode is \xcc interrupt instruction
we execute interrupt instruction successfully now we can replace it with our shellcode
BOom we have shell
thanks for reading i see you in next write up in ASLR+NX series.