Microsoft Word – 2.5-demo code injection.docx
MSc Advanced Cyber Security
7CCSONSE Security Engineering
Demonstration of code injection program in Week 2
This document provides the steps to run the vulnerable program from Week 2, section 2.4.4. Follow the
steps below; you can edit and run the program in the module VM.
Step1: Log in to your VM
This can be done with the following command in a terminal on your operating system:
$ ssh .kcl.ac.uk
You may be asked to enter your password.
Step2: Write the shellcode
Use the command $ vi shellcode.s to create the shellcode. The demo code is shown below. For a
detailed explanation of how the code is implemented, please check the webinar.
.data
.globl shellcode_start
shellcode_start:
    jmp stringbinls          # jump forward to the call so the string's address is pushed
back:
    pop %ebx                 # %ebx = address of "/bin/ls" (pushed by the call below)
    mov $0xb, %eax           # syscall number 11 = execve
    mov $0x0, %edx           # envp = NULL
    mov %ebx, 0x8(%ebx)      # argv[0] = pointer to "/bin/ls", stored just after the string
    movl $0x0, 0xc(%ebx)     # argv[1] = NULL
    lea 0x8(%ebx), %ecx      # %ecx = argv
    movb $0x0, 0x7(%ebx)     # make sure the string is NUL-terminated
    int $0x80                # execve("/bin/ls", argv, NULL)
stringbinls:
    call back                # pushes the address of the string below, then jumps to back
    .string "/bin/ls"
Fig.1 Shellcode demo
Step3: Write an exploit program
We use $ vi exploit.c to create the exploit program.
Here, we first create a function pointer f that points to the start address of our shellcode (the
symbol shellcode_start defined in shellcode.s). Then we call f, which executes the shellcode.
#include <stdio.h>   /* assumed header: the name did not survive extraction */
extern char shellcode_start[];   /* symbol defined in shellcode.s */
int main(void){
    /* treat the shellcode bytes as a function and call them */
    void (*f)(void) = (void(*)(void))shellcode_start;
    f();
    return 0;
}
Fig.2 Exploit program
Step4: Compile the exploit file in your VM
We use the gcc command to compile the program. This package has already been installed on your VM.
To make the effect of the targeted code clear, we first set flags for the compilation process.
$ export CFLAGS="-m32 -fno-stack-protector -z execstack -fno-PIE -no-pie -g"
For an explanation of each flag, refer to the previous demonstration document.
We use $ export so that the environment variable CFLAGS is passed to child processes (the gcc
compilation process).
We use the following command to compile the code:
$ gcc -o exploit exploit.c shellcode.s $CFLAGS
Here the -o flag sets the output path and filename, and the environment variable CFLAGS is expanded
into the command line.
Fig.3 shows the compilation process.
Fig.3 Compile the program
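The flags above switch off the protections that would normally stop this demo: -fno-stack-protector removes the stack canary, -fno-PIE/-no-pie fixes the load address, and -z execstack marks the stack executable. On older x86 Linux kernels an executable-stack marking also set READ_IMPLIES_EXEC, which made every readable page executable, including the .data section where shellcode_start lives; on newer kernels only the stack is affected, so the same binary can crash with a segmentation fault when f() is called. A practical way to see which situation you are in is to read the permission field of the mapping that holds the shellcode in /proc/self/maps. The program below is an added example, not part of the handout or the module VM; it parses a maps listing, reports whether a given address is executable, and checks its own process. The two sample listings and the path /home/student/exploit are constructed for illustration; the address 0x804a03d is the one the handout reads in gdb.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Find the mapping that contains addr in a /proc/<pid>/maps listing held in
 * the string `maps` and copy its permission field ("rwxp", "r-xp", ...) into
 * perms. Returns 1 if a mapping was found, 0 if the address is unmapped. */
int maps_perms_for(const char *maps, uintptr_t addr, char perms[5])
{
    const char *line = maps;
    while (line != NULL && *line != '\0') {
        unsigned long lo = 0, hi = 0;
        char p[5] = {0};
        /* every line starts with "start-end perms ..." with hex addresses */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 &&
            addr >= lo && addr < hi) {
            memcpy(perms, p, 5);
            return 1;
        }
        line = strchr(line, '\n');       /* advance to the next line */
        if (line != NULL)
            line++;
    }
    return 0;
}

/* 1 if the page holding addr is executable, 0 if it is not, -1 if unmapped. */
int addr_is_executable(const char *maps, uintptr_t addr)
{
    char perms[5];
    if (!maps_perms_for(maps, addr, perms))
        return -1;
    return perms[2] == 'x' ? 1 : 0;
}

/* Read this process's own /proc/self/maps into a malloc'd string.
 * Returns NULL where /proc is unavailable; the caller frees the buffer. */
char *read_self_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (buf == NULL) {
        fclose(f);
        return NULL;
    }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {            /* grow the buffer before the next read */
            char *grown = realloc(buf, cap * 2);
            if (grown == NULL) {
                free(buf);
                fclose(f);
                return NULL;
            }
            buf = grown;
            cap *= 2;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

/* Constructed sample listings (not captured from a real VM). The addresses
 * follow the handout's -no-pie layout, where 0x804a03d lies in .data.
 * HARDENED_MAPS: .data is "rw-p", the normal mapping without -z execstack.
 * EXECSTACK_MAPS: the same binary on an older kernel where -z execstack
 * triggered READ_IMPLIES_EXEC, so every readable page is also executable. */
static const char HARDENED_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /home/student/exploit\n"
    "08049000-0804a000 r--p 00000000 08:01 1234 /home/student/exploit\n"
    "0804a000-0804b000 rw-p 00001000 08:01 1234 /home/student/exploit\n"
    "ffdd0000-ffdf1000 rw-p 00000000 00:00 0    [stack]\n";

static const char EXECSTACK_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /home/student/exploit\n"
    "08049000-0804a000 r-xp 00000000 08:01 1234 /home/student/exploit\n"
    "0804a000-0804b000 rwxp 00001000 08:01 1234 /home/student/exploit\n"
    "ffdd0000-ffdf1000 rwxp 00000000 00:00 0    [stack]\n";

static char writable_data[16] = "data";   /* lives in .data, like shellcode_start */

int main(void)
{
    /* first the constructed listings, then the live process if /proc exists */
    printf("sample without execstack: 0x804a03d executable? %d\n",
           addr_is_executable(HARDENED_MAPS, 0x804a03dUL));
    printf("sample with execstack (old kernel): 0x804a03d executable? %d\n",
           addr_is_executable(EXECSTACK_MAPS, 0x804a03dUL));

    char *maps = read_self_maps();
    if (maps != NULL) {
        printf("this binary: code page executable? %d, .data page executable? %d\n",
               addr_is_executable(maps, (uintptr_t)main),
               addr_is_executable(maps, (uintptr_t)writable_data));
        free(maps);
    }
    return 0;
}
```

Save it as, for instance, maps_check.c (an assumed filename) and build it twice in the VM, once with plain $ gcc -o maps_check maps_check.c and once with the CFLAGS set above; the ".data page executable?" line of the second build tells you whether the handout's shellcode in .data will actually be allowed to run on your kernel, which is the check to do before blaming the shellcode for a segmentation fault in Step6.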
Step5: Check the disassembled instructions
We use gdb to disassemble the instructions of the compiled executable.
$ gdb -q exploit
If we disassemble the code from shellcode_start to shellcode_start+0x30, we see the result shown in
Fig.4.
We use $ x/s 0x804a03d to display the content at that address as a string. It is exactly the string
"/bin/ls" we placed in the shellcode. (The address comes from this build; take it from your own
disassembly output, as in Fig.4, if your binary differs.)
Fig.4 Disassemble the program
Step6: Execute the exploit program
$ ./exploit
Fig.5 shows the execution result of the exploit program.
End of the demonstration