Stack6 looks at what happens when you have restrictions on the return address.
This level can be done in a couple of ways, such as finding the duplicate of the payload (objdump -s will help with this), or ret2libc, or even return oriented programming.
It is strongly suggested you experiment with multiple ways of getting your code to execute here.
Let's have a look at an excerpt from the code.
In my previous post, I used a return address which pointed to somewhere on the stack. In this challenge, that’s no longer possible since the function checks the return address & quits if the address we’ve provided is pointing to somewhere on the stack.
ROP-solution: Return oriented halting
Even though the C code does not allow us to jump into our buffer, there's no protection beyond that point. So what if we jumped to a location that itself jumps to a location?
All we need to do is find an instruction somewhere in memory that is a ret instruction. And that's the easy part.
After figuring out how much to overwrite, we put two and two together in shellcode.py and write the payload out to a file:
python shellcode.py > shellcode
So when the ret in getpath executes, 4 bytes are popped off the stack into eip and, provided that eip is now pointing at another ret, another 4 bytes are popped off the stack and into eip. Right? The pop that ret performs increments the stack pointer by 4, so we need to place the next return address directly after our initial one.
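To make the pop-and-bump behaviour concrete, here is an added example (not code from the original post or from Protostar) that models the level's return-address check and steps through a chain of ret instructions on a constructed stack image; the addresses, padding and stack range are assumptions, not the level's real values. It shows why a check that only inspects the immediate return target is not enough: the first ret lands in .text, passes the check, and its own pop then takes the very next 4 bytes as the new eip.

```python
import struct

# Constructed 32-bit layout, chosen for illustration only.
STACK_LO, STACK_HI = 0xbffff000, 0xc0000000   # the region the check refuses
RET_GADGET = 0x080484f4                        # a lone `ret` somewhere in .text
BUFFER_ADDR = 0xbffff7c0                       # start of the overflowed buffer


def return_address_allowed(addr):
    """Model of getpath's check: reject a return address that points into the stack."""
    return not (STACK_LO <= addr < STACK_HI)


def run_ret_chain(stack_image, stack_base, esp):
    """Model the CPU from the moment getpath's `ret` runs.

    Each `ret` pops 4 bytes into eip and bumps esp by 4. The chain continues
    only while eip is the known `ret` gadget; the first other target is the
    final destination. Returns (list of eip values, esp after the last pop).
    """
    eips = []
    while True:
        idx = esp - stack_base
        if idx + 4 > len(stack_image):        # ran off the end of our image
            return eips, esp
        (eip,) = struct.unpack_from("<I", stack_image, idx)
        esp += 4                              # the pop that `ret` performs
        eips.append(eip)
        if eip != RET_GADGET:                 # anything but the gadget ends the chain
            return eips, esp


def build_frame(padding, *addrs):
    """Padding up to the saved return address, then the words `ret` will pop in order."""
    return b"A" * padding + b"".join(struct.pack("<I", a) for a in addrs)


def evaluate(frame, padding):
    """Apply the check to the saved return address, then follow the rets.

    Returns None when the check rejects the frame, else run_ret_chain's result.
    """
    esp = BUFFER_ADDR + padding               # esp at getpath's `ret`
    (saved,) = struct.unpack_from("<I", frame, padding)
    if not return_address_allowed(saved):
        return None
    return run_ret_chain(frame, BUFFER_ADDR, esp)


if __name__ == "__main__":
    print("direct return to stack:", evaluate(build_frame(80, BUFFER_ADDR), 80))
    print("via ret gadget:", evaluate(build_frame(80, RET_GADGET, BUFFER_ADDR), 80))
```

The second frame places the stack address exactly 4 bytes after the gadget address, which is the slot the gadget's own pop reads.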
There you have it. I might revisit this challenge with the ret2libc solution later, but for now I've been unable to find the system function loaded in via libc in the executable. Looking for it in gdb only yields
Stack6 introduces return to .text to gain code execution.
The metasploit tool “msfelfscan” can make searching for suitable instructions very easy, otherwise looking through objdump output will suffice.
The getpath function is back, and this time… it's personal.
strdup returns the address of the allocated string in the eax register.
We can get around the return-address check if we jump to the buffer allocated by strdup. Very much like the previous challenge, I used gdb to set a breakpoint at the ret instruction in getpath and took note of:
- the returned address from strdup, stored in eax
- the value of esp before the ret
- the address of the buffer
Now onto the Format challenges! :D
Thanks for reading!