A simple example program vulnerable to a return-to-libc attack via a stack buffer overflow that overwrites a function's saved return address.
We work around (via compiler flags and wrappers) ASLR and stack protectors, two modern exploit mitigations that would otherwise prevent this specific example from working (aka. being exploited).
(if you can call it that)
```sh
make
# run the program normally (inputs shorter than 10 are fine)
./vuln
# generate attack input
./ref/write > evil.txt
# exploit!
./vuln < evil.txt
```
- `Makefile` makes `ref/vuln` with `-fno-stack-protector` and makes `ref/write` normally.
- `vuln` is a wrapper script that runs `ref/vuln` with ASLR disabled via `setarch ... -R`.
- `vuln.c` contains the source code for the vulnerable program.
  - For inputs shorter than 10 characters in length, the program is well-behaved and will print the length of the input it received.
- `write.c` contains code that can be used to generate an attack input.
  - When passed to `vuln`, the generated input should result in "PWNED!!!!" being printed.
  - This assumes the C library function `puts` will be loaded at address `0x7fffffffffff` when `vuln` is run. This address should be changed to the real address, which can be found by running `ref/vuln` in a debugger (e.g. in gdb, `break puts`).
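The defect class the repository demonstrates, as an added illustration that is not `vuln.c` itself (its source is not reproduced here; that it copies input into a 10-byte stack buffer without a bounds check is an assumption): the unbounded copy beside a bounded version that rejects oversized input instead of overwriting the stack.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10

/* Vulnerable pattern (assumed, not the repository's code): copy into a fixed
 * 10-byte stack buffer with no length check. Input longer than the buffer
 * overwrites whatever sits above it on the stack, including the saved return
 * address, which is exactly what a return-to-libc input relies on. With
 * -fno-stack-protector nothing detects the corruption before the function
 * returns. */
int unsafe_input_len(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);          /* no bounds check: stack overflow on long input */
    return (int)strlen(buf);
}

/* Hardened version: check the length before copying, always keep the
 * terminating NUL inside the buffer, and report oversized input rather than
 * silently truncating it. Returns the length, or -1 if the input would not fit. */
int safe_input_len(const char *input)
{
    char buf[BUF_LEN];
    size_t n = strlen(input);
    if (n >= BUF_LEN)
        return -1;               /* would overflow: reject instead of copying */
    memcpy(buf, input, n + 1);   /* n < BUF_LEN, so the NUL terminator fits */
    return (int)n;
}

int main(void)
{
    char line[256];              /* fgets itself is bounded by sizeof line */
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';   /* strip the trailing newline */
    int len = safe_input_len(line);
    if (len < 0) {
        fputs("input too long\n", stderr);
        return 1;
    }
    printf("length: %d\n", len);
    return 0;
}
```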