README.rst

File metadata and controls

131 lines (84 loc) · 3.63 KB

Sample samples/server

Suppose your backend developer made a typo while writing the server. The typo introduced a stack buffer overflow that is exploitable from the client side. The compiler's usual automatic checks (the stack protector) were disabled for the sake of performance, so the server is now vulnerable to anyone who finds the bug.

The sample code is in samples/server/server.c, where the function handle_connection passes the wrong buffer size to recv(2) at line 24: it asks for 128 bytes into a 16-byte stack buffer.

void handle_connection(int sock)
{
    char buf[16];

    (void) recv(sock, buf, 128, 0); // bug is here: 128 bytes requested into a 16-byte buffer
    fprintf(stdout, "Got %s\n", buf); // buf is never NUL-terminated either
    close(sock);
}
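For contrast, here is the hardened form of the handler next to a small harness that pushes an oversized payload through it. This is an added example written for this page, not code from the libcare samples and not the content of server.patch (which the page does not show); the names handle_connection_fixed and feed_payload, and the extra out-parameter used to inspect the result, are assumptions introduced here. The fix bounds recv(2) by sizeof(buf) - 1 and NUL-terminates the buffer, which the sample never does, and the harness uses an AF_UNIX socketpair so it runs without opening a port.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hardened counterpart of the sample's handle_connection(): the read is
 * bounded by the real buffer size, one byte is reserved for the terminator,
 * and the buffer is NUL-terminated before it reaches fprintf("%s").
 * The received text is also copied to 'out' (if non-NULL) so callers can
 * inspect it; that out-parameter is an addition for this demo, not part of
 * the sample server. Returns the number of bytes received, -1 on error. */
ssize_t handle_connection_fixed(int sock, char *out, size_t outlen)
{
    char buf[16];
    ssize_t n = recv(sock, buf, sizeof(buf) - 1, 0);   /* at most 15 bytes */

    if (n < 0) {
        perror("recv");
        close(sock);
        return -1;
    }
    buf[n] = '\0';                     /* n <= 15, so the terminator is in bounds */
    fprintf(stdout, "Got %s\n", buf);
    if (out != NULL && outlen > 0)
        snprintf(out, outlen, "%s", buf);
    close(sock);
    return n;
}

/* Test harness (an assumption for this demo, not part of the sample): pushes
 * an arbitrary payload through an AF_UNIX socketpair, so the handler sees
 * exactly what it would see from a network client, without a listening port.
 * Returns what handle_connection_fixed() returned, or -1 on setup failure. */
ssize_t feed_payload(const char *payload, size_t len, char *out, size_t outlen)
{
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return -1;
    }
    if (send(sv[0], payload, len, 0) != (ssize_t)len) {
        perror("send");
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    close(sv[0]);                      /* client side done; the handler closes sv[1] */
    return handle_connection_fixed(sv[1], out, outlen);
}

int main(void)
{
    /* Constructed payload: 25 bytes, modelled on the string the vulnerable
     * server prints in step 4 below, and already larger than buf[16]. */
    static const char payload[] = "0123456789ABCDEF01234567@";
    char got[64];
    ssize_t n = feed_payload(payload, sizeof(payload) - 1, got, sizeof(got));

    printf("handler consumed %zd bytes, kept \"%s\"\n", n, got);
    return n == 15 ? 0 : 1;
}
```

The hardened handler consumes only 15 of the 25 bytes and keeps "0123456789ABCDE"; the sample's version would have copied all 25 past the end of buf, and up to 128 had the client sent them. A production server would go on to drain or reject the remainder rather than silently discarding it on close.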
  1. Build the original server and run it. Note the -fno-stack-protector flag: that is the disabled check mentioned above.

    $ cd samples/server
    $ make install DESTDIR=vuln
    cc -o server server.c -fno-stack-protector -fomit-frame-pointer
    $ ./vuln/server

  2. Now install the dependencies and build the utilities. Refer to the installation guide for more details on the installation procedure and supported OSes.

    For RHEL-based distros do:

    $ sudo yum install -y binutils elfutils elfutils-libelf-devel nc libunwind-devel
    ...
    $ make -C ../../src
    ...

    For Debian-based distros do:

    $ sudo apt-get install -y binutils elfutils libelf-dev netcat-openbsd libunwind-dev
    ...
    $ make -C ../../src
    ...
  3. Try to connect to the server using the freshly installed netcat:

    $ echo 'Hi!' | nc localhost 3345

    The server should print on its console:

    $ ./vuln/server
    Got Hi!
  4. Now exploit the server with the hack.sh script. The script analyzes the binary and builds a string that overflows the server's buffer. The string overwrites the return address stored on the stack with the address of the you_hacked_me function, so the server prints "You hacked me!" instead of returning normally.

    Open another console and run ./hack.sh there:

    $ ./hack.sh

    Server console should print:

    Got 0123456789ABCDEF01234567@
    You hacked me!

    This sample emulates a packaged binary network server vulnerable to a return-address overwrite. The technique is the same as in a return-to-libc attack, except that the target here is a function inside the server binary itself rather than one in libc.

  5. Now build a patch for this code via libcare-patch-make (lcmake):

    $ ../../src/libcare-patch-make --clean server.patch
    ...
    patch for $HOME/libcare/samples/server/lcmake/server is in ...

    Note that this overwrites the ./server binary with a patch-containing build and stores the original vulnerable server in ./lcmake/server.

  6. Examine the patchroot directory and find the patch there:

    $ ls patchroot
    2d0e03e41bd82ec8b840a973077932cb2856a5ec.kpatch
  7. Apply the patch to the running application via libcare-ctl:

    $ ../../src/libcare-ctl -v patch -p $(pidof server) patchroot
    ...
    1 patch hunk(s) have been successfully applied to PID '31209'
  8. Run the hack again; the "You hacked me!" line should be gone:

    (console2) $ ./hack.sh
    (console1) $ # with ./vuln/server still running
    Got 0123456789ABCDEF@

Congratulations on getting through this sample! Go on and learn how the magic of the libcare-patch-make script works, read how the patch is built under the hood and how it is applied by libcare-ctl, or jump straight to our hacking guide!