This book’s C part is very fascinating. Along with the author, you can actually achieve a set of note take and search tools for multiuser, and an interesting game. What’s more, some linux/unix knowledge will be learned.
So I tried it.
To try these interesting things written in five years ago is not easy on my x86_64 gentoo linux. There are tons of difference and I’m always confused by what I don’t know. However, I was so happy with such interesting things after so much pains.
This book makes C fascinating to me! I’m so desired to be a C hacker!
Thanks to the author–Jon Erickson! Even too simple and fundamental, the book open the door to a interesting world for me.
TOC
- toc
{: toc}
Experiment Notes on A 64-bit Machine
Format for Pointer
pointer/address to be %p not 0x%08x.
Compile 32-bit Programs on a x86_64 Machine
By default, gentoo linux amd64 will set multilib USE flag. You’ll have a multilib glibc and gcc. Then to compile and link a program with gcc, just add -m32 parameter to gcc.
1 | gcc -m32 test.c |
Built-in Functions in Gcc
gcc actually have some functions built into it. It will use its built in version for some functions like printf. Even if you forget include header files, it will be compiled but give out a warning.
1 | ~/Work/project/hack ⮀ gcc -g -m32 -o firstprog firstprog.c |
Disable SSP
To test hacking skills like stack overflow and so on on a modern x86_64 machine. You have to cheat.To disable the stack smashing prevention(SSP) by gcc, you can simply specify a parameter -fno-stack-protector
1 | gcc -fno-stack-protector test.c |
Disable Executable Space Protection
To let the stack be executable, you have two choices:
- add
-z execstackparameter to gcc when compiling. - Using
execstackto set executable stack flag of ELF binaries and shared libraries
Both will work, It depend on you which to choose.
Disable ASLR
If you check the book carefully later, you’ll find some technics to prevent exploitation. One of them is ASLR.
To disable (Address space layout randomization)ASLR globally:
1 | echo 0 > /proc/sys/kernel/randomize_va_space |
Or just run the binary file using setarch.
Please refer to the References and man setarch.
The virtual Memory
One of my observation is that if you run a 32-bit program on 64-bit system, the address in the memory will differ a lot from just 32-bit system.
According to my experience, the memory address ranges from about 0x804a014 to 0xffffdff8, .data and .bss will locate at around 0x804axxx. But the stack bottom will be at around 0xff7fcxxx. What’s important is that environment variables will be at the bottom of memory until 0xffffdff8. 0xffffdff8 will be the filename of the execute file.
There are some other differences from the book. One of these is the length of file change 1, the address of environment variable for shellcode will change 1 byte.
I don’t know why things like this, I’ll try to find more about it and ask it at StackOverflow. But that’s what I get after several tests, your machine may differ.
About dtors section
I find I can’t success on the exploitation about dtors. The destruction function address will be in .fini_array section. Note: objdump will show addresses in little endian. So address 0x08048473 will looks like that:
1 | Contents of section .fini_array: |
Furthermore, because of cpu’s NX feature, when you try to modify .dtors or fini_array section, you’ll just get a segfault.
libnet-1.0 on amd64
Last thing I have to mentioned is that libnet-1.0 use too much u_long. u_long will take 8 bytes on a 64-bit machine but 4 bytes on a 32-bit one.
You have to care about that because it will build tcp header with incorrect length of source address and destination address.
I don’t know how nemesis(which depends on libnet-1.0) works well on amd64 machines…
To compile and link with libnet-1.0 on gentoo amd64 architecture, try something like this:
1 | gcc `libnet-1.0-config --defines` -o rst_hijack rst_hijack.c -lnet-1.0 -lpcap |
Enable IP Forward
When you want to try arp sproofing or arp poisoning, enable the ip forward for the kernel:
1 | echo 1 > /proc/sys/net/ipv4/ip_forward |
drop previledge
bash version 2 will drop previlege when run with setuid. So lots of root shell will falls to normal user without setresuid.
Some other things
Examine by man before you try the program in this book.
For example, in update_info, add (void *) in to avoid warning. In connectback_shell.s the connect syscall won’t save file descriptor in eax. Lots of include was lost in this book…
Some Other Thoughts on This Book
Amazing!!When You first get a root shell in an exploitation, you can’t stop jumping out of the chair! The book is simple and introductory, but both interesting and insight. I really like it.
Hacker’s Tools
Man is most important, Google is the second.
Prof. Li Yinong
Consult to man if you are stuck, then search in google(NOT BAIDU).
- gcc to compile
- gdb to debug/attach, use as calculation and so on.
- objdump to be used as a disassembler to view executable in assembly form
- nm to list symbols in many kinds of files
- perl for one line exploitation
- python for one line exploitation
- hexdump to dump binary files into hex
- shell to facilitate with exploitation.
- many unix tools like od/sed/awk/bc and so on may be useful.
About net hack, You may like to use:
- libnet to inject packets
- libpcap to capture packets
- tcpdump to capture and show packets
- dsniff to sniff the net and arp poison
- netcat, wow, swiss knife
- telnet, a good client to use
- ettercap/nessus/metasploit and so on.
Some References
About exploitation:
- Return-oriented programming on 64-bit Linux
- Stack Smashing On A Modern Linux System
- The Stack-based Buffer Overflow Hands-on Tutorials
- Anatomy of a Program in Memory
- COMPILER, ASSEMBLER, LINKER AND LOADER: A BRIEF STORY
- Discuss on stack exchange
- Shellcode/buffer overflow lab
- C Function Call Conventions and the Stack
- Linux下缓冲区溢出攻击的原理及对策(中文)
About packet capture and injection:
- Network Security Tools(chapter 10 and 11 are about libnet/libpcap)
- Programming with pcap
- The Sniffer’s Guide to Raw Traffic
About arpspoofing:
About shellcode