Practiced several system security exploits with C language in a specific Linux image Origin, most of which aim to achieve root privileges or tamper with some data, breaking the integrity or/and the confidentiality of the system. Some general techniques applied to the vulnerable custom programs include buffer overflow, integer overflow, format string tricks, double free, return-to-libc, rop. More than that, some vulnerabilities once existed in the real-world Linux versions are also exploited, including SUDO and GHTTPD.
The original VM image should be able to achieve from the Origin, tested on the virtualbox on MacOS.
The repo is more for the demo and learning, for the VM image with all programs installed and exploits compiled, please check here, on which you can directly try the exploits.
- VM user: student
- psw: student
In techniques there are 6 kinds of exploit techniques with 7 examples, the exploit code and its victim custom codea are classified into different folders. Including buffer overflow, integer overflow, doube free, format string tricks, return2libc and rop. Personally I think the rop is the most thrilling one.
- Before run, run the
before_run.shto disable ASLR (Address Space Layout Randomization, which is important to disable if we are using any absolute address in exploits) and putbasicvulnerable programs in/tmpfolder. - For the rop exploit, please run the
exploit7-run.sh. - For each source C exploit file please compile them first.
- The structure of the dir has been changed for better demo, if you are using the origin VM image, pelase check the Makefile and bash scripts to tune the paths.
For the real-world exploits, please make sure the original vulnerable versions of the programs are installed.
The Sudo format string vulnerability is found in 2012, with versions 1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not affected. Details in CVE-2012-0809.
Details: In the sudo_debug() implementation the program name is passed to the fprintf() function. Since the program name can be controlled by the user, user can well-design the program name and exploits the flaw with format string tricks.
- The implementation of the exploit with ASLR disabled can be checked in
sudo_exploit1.sh. - We can even apply this exploit with ASLR! With a different implementation logic, please check
sudo_exploit2.sh. Make sure the ASLR is opened for testing this implementation.
Ghttpdv1.4 has a buffer overflow vulnerability. Details in CVE-2002-1904. Where the remote attacker can overflow the buffer in the host and executes the shellcode.
To start the vulnerable ghttpd:
cd /usr/local/ghttpd
sudo execstack -s ./ghttpd
sudo ./ghttpd
- Notice GDB will be a necessary tool to exploit and learn.
- Phrack Magzine is a good place to learn all the things.
