
Determine the shellcode needed to implement a return to system call attack that

ID: 3742988 • Letter: D

Question

Determine the shellcode needed to implement a return to system call attack that calls system("whoami; cat /etc/shadow; exit;"), targeting the same vulnerable program in the code below. You need to identify the location of the standard library system() function on the target system by tracing a suitable test program with a debugger. You then need to determine the correct sequence of address and data values to use in the attack string. Experiment with running this attack.

#include <conio.h>   /* Turbo C header that declares clrscr() */

int main()
{
    int a[10];
    clrscr();
    for (int i = 0; i <= 20; i++)
        a[i] = i*5; // STACK OVERFLOW HERE: i runs up to 20, but a[] holds only 10 ints
    return 0;
}

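The loop above writes 21 ints into a 10-int buffer, so indices 10 to 20 land on whatever sits above a[] in the frame. The following added example (not part of the original question or answer) classifies where each out-of-bounds write lands under an assumed 32-bit frame layout, with the saved frame pointer immediately after the buffer and the return address right above it, and shows a bounds-checked version of the loop that cannot escape the buffer.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed frame layout (an assumption for illustration, not taken from the page):
 * a[] is 10 four-byte ints, followed directly by the saved frame pointer and
 * then the saved return address, with no padding in between. */
#define BUF_ELEMS    10
#define WORD_BYTES   4
#define SAVED_FP_OFF (BUF_ELEMS * WORD_BYTES)      /* byte 40 */
#define RET_ADDR_OFF (SAVED_FP_OFF + WORD_BYTES)   /* byte 44 */

typedef enum { IN_BOUNDS, HITS_SAVED_FP, HITS_RET_ADDR, HITS_CALLER_FRAME } slot_t;

/* Which frame slot does the write a[i] (i >= 0) land on under the assumed layout? */
slot_t classify_write(int i)
{
    size_t off = (size_t)i * WORD_BYTES;
    if (i < BUF_ELEMS)       return IN_BOUNDS;
    if (off == SAVED_FP_OFF) return HITS_SAVED_FP;
    if (off == RET_ADDR_OFF) return HITS_RET_ADDR;
    return HITS_CALLER_FRAME;
}

/* How many writes of the original loop (i = 0 .. last) escape the buffer? */
int count_overflow_writes(int last)
{
    int n = 0;
    for (int i = 0; i <= last; i++)
        if (classify_write(i) != IN_BOUNDS) n++;
    return n;
}

/* Hardened loop: the bound comes from the array size, so no write can leave it.
 * Returns the number of elements actually written. */
int fill_safely(int *a, size_t n_elems, int requested)
{
    int written = 0;
    for (int i = 0; i < requested && (size_t)i < n_elems; i++) { a[i] = i * 5; written++; }
    return written;
}

/* Runs the hardened loop on a 10-int buffer; returns the count written, or -1 on a bad value. */
int hardened_demo(void)
{
    int a[BUF_ELEMS];
    int written = fill_safely(a, BUF_ELEMS, 21);   /* same 21 writes the original loop attempts */
    return (a[BUF_ELEMS - 1] == 45) ? written : -1;
}
```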

Explanation / Answer

Answer: Shellcode to return to a system call. We will use execve() to run the executable file, i.e. the script with a valid filename which can be invoked.

#include <unistd.h>
#include <stddef.h>   /* NULL */

int main(int argc, char *argv[])
{
    char *MyshellName[2];

    MyshellName[0] = "/bin/sh";   /* path of the program to execute */
    MyshellName[1] = NULL;        /* the argument list must be NULL-terminated */

    /* replace the current process image with /bin/sh; no environment is passed */
    execve(MyshellName[0], MyshellName, NULL);

    return 0;   /* only reached if execve() fails */
}

When a function is exited, execution continues at the saved address on the stack. However, the attacker can leverage the exploit and change the saved address on the stack. He/she can now point it to the contents of the overflown buffer. The attacker can insert malicious code. For example, let the stack be as follows.

The code for execve() expects to find the stack populated as below:

arg 0 will be interpreted as a pointer to the zero-terminated char string naming the executable file to be run by execve().

The shellcode can be inserted into the main code as below:

#include <unistd.h>

/* Use hexadecimal opcodes for the character array type */
char shellcode[] = "C……………………………………………" ;

int main(int argc, char **argv)
{
    /* create function pointer test */
    int (*test)();

    /* point it at the bytes of the shellcode array */
    test = (int (*)()) shellcode;

    /* jump into the shellcode; on a system whose data segment is
     * non-executable (NX/DEP) this call faults instead of running it */
    (*test)();

    return 0;
}

Address       Contents at the address (lowest row is at the stack pointer)
0x06fff8b8    0x05fff860
0x06fff8b4    0
0x06fff8b0    0x05fff864
0x06fff8ac    0x05fff868
0x06fff8a8    address of execve()