l3l / simplebof Goto Github PK

[Description] This is the note of the buffer overflow class.

[Environment]

$ uname -a
Linux ubuntu 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux

$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.3 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

[Compilations]

• With ASLR, Stack protector, DEP, TURNED OFF
  gcc -fno-stack-protector -z execstack bof.c -o bof
  sudo sysctl -w kernel.randomize_va_space=0

[Usage]
./bof AAAA
./bof `python -c 'print "A" * 212 + "BBBB" + "C" * 100'`
./bof `python sploit.py`
./bof `python sploit2.py`

[gdb cheatsheets]
http://darkdust.net/files/GDB%20Cheat%20Sheet.pdf
start debugging with gdb
gdb -q bof

run program inside gdb with input from python script
r \python sploit.py``

print out sharedlibrary
info sharedlibrary

find jump esp command in between addr1 and addr2
find /b addr1, addr2, 0xff, 0xe4

print out process mapping
info proc map

print out the current register
i r

print out 20 Words (four bytes) specified in address
x/20x address

print out 5 instructions specified in address
x/5i address

set breakpoints in address
b * address

[Tools]
readelf
readelf -a bof | grep WA

ROPgadget: https://github.com/JonathanSalwan/ROPgadget
ROPgadget --binary /lib/i386-linux-gnu/libc-2.19.so > libc
cat libc | grep ": inc eax ; ret"