3

I was trying to attempt at return-to-libc buffer overflow attack for my Computer Software Security assignment. As far as my understanding goes, we can do these kind of attacks regardless of stack protection measures such as canaries and non-executable stack. This is because the libc functions do not reside on the stack and we just need to shift our program's control flow by overwriting the return address with the libc function address and passing suitable arguments. This figure seems to summarize the procedure I guess.

return-to-libc-demo

What my doubt is, according to the figure for second part, is the stack frame given for the libc function or is it just for a function defined in the user's program itself? I am not able to figure out the need of fake_ret. Can't we just overwrite the return address of our function by overwriting EIP with the address of say unlink and the arguments can be placed in the user's function buffer which can be used to pass to the unlink function?

Please note that by the use of user's (something), I aim at pointing to (something) which is defined by the user himself/herself in his/her program. Thanks.

yellowflash
  • 35
  • 1
  • 6

1 Answers1

2

You can write a frame for any function call, it doesn't have to be system(). However most exploits will aim for a shell if possible. The fake_ret address is simply where the execution will return to after the system() call. If you just put \x41\x41\x41\x41 there it will segfault. If you point it at exit() it will gracefully exit, or you could point it at a number of pop register followed by a ret to control execution down the stack (ROP).

wireghoul
  • 5,745
  • 2
  • 17
  • 26
  • As per your statement `If you just put \x41\x41\x41\x41 there it will segfault` > am I correct to conclude that >> If we simply use `exit()`, then the value of `fake_ret` does not matters in this case. – yellowflash Feb 09 '16 at 08:00
  • 1
    Fake_ret would have to be the address of exit, so yes the value matters if you don't want a segfault – wireghoul Feb 09 '16 at 12:34
  • Ok...so the case here is different than a simple buffer overflow with `shellcode`, where we can directly use `exit()` in our shellcode...I guess that's why `fake_ret` does not come into picture there, thanks. – yellowflash Feb 09 '16 at 12:39