
I am trying to learn binary exploitation. I can modify the binary's behaviour with gdb, but I have not understood how to exploit the binary in C.

I've found some references in "Hacking - The Art of Exploitation", but I cannot completely figure out how to exploit the binary. Could someone show me some examples or give me a guideline?

Below is the simple code I am trying to exploit (force the app to run execl):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    int shell = 0;          /* never changes: the execl() path is unreachable */

    if (shell == 0) {
        printf("Bye\n");
        return 1;
    }

    /* Only reached if the check above is bypassed; -p keeps setuid privileges */
    execl("/bin/sh", "/bin/sh", "-p", (void *) NULL);
    perror("exec");
    return 1;
}

with objdump:

08048486 <main>:
 8048486:       55                      push   %ebp
 8048487:       89 e5                   mov    %esp,%ebp
 8048489:       83 ec 04                sub    $0x4,%esp
...
 80484b4:       68 68 85 04 08          push   $0x8048568
 80484b9:       68 68 85 04 08          push   $0x8048568
 80484be:       e8 8d fe ff ff          call   8048350 <execl@plt>
 80484c3:       83 c4 10                add    $0x10,%esp
...
 80484d8:       c9                      leave  
 80484d9:       c3                      ret    
 80484da:       66 90                   xchg   %ax,%ax
 80484dc:       66 90                   xchg   %ax,%ax
 80484de:       66 90                   xchg   %ax,%ax

Thank you

  • With GDB I can force the binary to execute what is at 0x8048568 (I can even modify it), but I am trying to do it with an injection script. Thank you
    – LianoQ
    Commented Jan 18, 2023 at 23:07
  • What do you mean by an "injection script"? The program doesn't take any input. Are you missing some line in the C code?
    – sudhackar
    Commented Jan 19, 2023 at 8:49
  • Hi, I mean: run a program at runtime against the binary that forces the binary to call 0x8048350, skipping "if (shell==0)".
    – LianoQ
    Commented Jan 19, 2023 at 10:50
  • What if you use IDA or Ghidra to patch the program, force it to skip the branch to printf and return 1, then generate a hex diff, then use the script to apply that hex diff?
    – raspiduino
    Commented Jan 20, 2023 at 9:50
  • I was wondering if there was a way to force the program at runtime to execute "execl" using the binary's privileges (setuid).
    – LianoQ
    Commented Jan 20, 2023 at 11:16
