Bypass ASLR+NX Part 2

hi guys today we will continue in ways to bypass ASLR and NX if you dont know what means  please read 
Part 1 will will find way to control EIP  and in this part we will focus on another technique called Ret2eax.
before going to explain it we need to understand what EAX and what it's purpose in program.
EAX is general purpose register used in arithmetic calc and store results of  arithmetic  operations and function return value , like  C built in function   strcpy will save string pointer in EAX without assign it  EAX will save  pointer  to buffer .

we will take example to login system use strcmp to compare between two strings return 0 if  two strings are same or return 1 if not equal .

run it

simple program user enter password compare it using strcmp you notice that strcmp we compare it to 0 if condition True i.e return 0 will print "you Login in" else "Ops LOL" .

now we going to open program in gdb.

we disassemble main we find call to login let disassemble login

ok will see two breakpoints one in call strcmpt at address 0x08048436 and another on jne  at address 0x08048440  now we going to explain it  eax store pointer to string that store in stack and then made test eax,eax if both equal will return 0  will set    ZF=1 else  where compare is false  will set ZF=0 and we came to JNE is check ZF=0(when condition false will set ZF=0) if not equal will jump to execute from 0x08048454 this instructions will print "OPS LOL" i made it in Red (false) but when ZF=1 will continue to execute instructions  that will print "You Login in" i made it in Green. we can bypass it if we use wrong password  set breakpoint in test eax,eax and write wrong string like AAAA. we analysis stack  to figure out values.
you can see in local variable local EBP-0xd store value it's string 1234 that hardcode inside program after that load this string from EBP-0xd lea eax,[ebp-0xd] and then push eax in stack the second argument push in stack ebp+0x8 this parameter to string function after push two values then we call strcmp it perform compare and return value at EAX if EAX=0 at test eax,eax we will login 

set eax=0 in order to bypass password check

now this first part is to understand value that return from eax now we go to understand string pointer that save in EAX , think in strcmp like this cmp src,dest where src is "1234" that value hardcode in program and dest is argv (user value supply by user ) as we know dest=AAAA src="1234".
dest=dest-src (eax=eax-ebp+0x8) EAX also point to buffer.

EAX store 0xbffff647 it's pointer point to  string buffer  (AAAA)

Vulnerable program

now we going to our main program will go to exploit it but before that we have note this exploit work when function that return value have't command after it.

we will open program in gdb and disassemble main and vul functions and set same breakpoints 

dissemble vul function 

now we will but some strings to look at eax to figure out  EAX store pointer point to buffer  

let us examine EAX to find strings that store in EAX but why this string store in EAX because we use strcpy this return pointer to string as we explain it in begin. after we find where our input store now it's time to find way to call or jump to eax both redirect execution to string buffer,to make this exploit reliable we will add some nops before and after shellcode and finally address to call eax .

examine EAX.

stack layout looks like

payload structure 


we build test exploit our shellcode is \xcc interrupt instruction 

we execute interrupt instruction successfully now we can replace it with  our   shellcode 

Final exploit 

BOom we have shell

thanks for reading i see you in next write up in ASLR+NX series.


  1. I tried exploiting the binary with the ret2eax method and i get

    0xbffff22c in ?? ()
    cannot find bounds of current function


Post a Comment

Popular posts from this blog

python input vulnerability

Bypass ASLR+NX Part 1

Code injection