Return-to-libc Attack Lab
王明霞 16307130350
1 Lab Overview
A common way to exploit a buffer-overflow vulnerability is to overflow the buffer
with a malicious shellcode, and then cause the vulnerable program to jump to the
shellcode that is stored in the stack. Some operating systems allow system
administrators to make stacks non-executable; therefore, jumping to the shellcode will
cause the program to fail. There exists a variant of the buffer-overflow attack called
the return-to-libc attack, which does not need an executable stack; it does not even
use shellcode. Instead, it causes the vulnerable program to jump to some existing
code, such as the system() function in the libc library, which is already loaded
into memory.
Our task is to develop a return-to-libc attack to exploit the vulnerability and
finally to gain the root privilege.
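As an added illustration (my own code, not the lab's retlib.c), the unchecked copy that makes such an overflow possible is shown beside a bounded copy that refuses over-long input; BUF_SIZE and the function names are assumptions.

```c
/* Added example (not the lab's retlib.c): the unchecked-copy pattern that
 * enables a stack overflow, next to a bounded version that refuses the input.
 * BUF_SIZE and the function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12

/* Vulnerable pattern: the caller controls the length of 'input', but the
 * copy never checks it, so bytes past BUF_SIZE overwrite the saved frame
 * pointer and return address. Return-to-libc points that address at
 * system(), so a non-executable stack alone does not stop it. */
void copy_unchecked(const char *input)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, input);          /* no bound: the defect */
    (void)buffer;
}

/* Hardened form: reject anything that does not fit, including the NUL.
 * Returns 0 on success, -1 when the input was refused; the destination is
 * left untouched on refusal. */
int copy_bounded(char *dst, size_t dst_size, const char *input)
{
    size_t n = strlen(input);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, input, n + 1);      /* n + 1 copies the terminator */
    return 0;
}

/* Exercises the check on a BUF_SIZE buffer. Returns 0 when the input was
 * accepted, -1 when it would have overflowed, -2 if the refused copy
 * touched the buffer anyway (must never happen). */
int try_input(const char *input)
{
    char buffer[BUF_SIZE] = "untouched";
    int rc = copy_bounded(buffer, sizeof buffer, input);
    if (rc != 0 && strcmp(buffer, "untouched") != 0)
        return -2;
    return rc;
}

int main(void)
{
    printf("short input: %d\n", try_input("hello"));               /* 0  */
    printf("long input:  %d\n", try_input("AAAAAAAAAAAAAAAAAAAA")); /* -1 */
    return 0;
}
```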
2 Lab Tasks
2.1 Initial Setup
Disable the following protection mechanisms: Address Space Randomization; the StackGuard protection scheme; the non-executable stack.
2.2 The Vulnerable Program
Program analysis: retlib.c
Compile the above vulnerable program and make it set-root-uid. (This is so that the subsequent return-to-libc attack obtains root privilege, rather than merely spawning a shell as an ordinary user,