For instance, suppose your backend developer made a typo during server development. The typo introduced a stack buffer overflow that is exploitable from the client side. The usual automatic checks (here, the compiler's stack protector) were disabled for the sake of performance, so the server is now at the mercy of anyone who finds the bug.
The sample code is in ``samples/server/server.c``, where the function
``handle_connection`` passes the wrong buffer size to recv(2) at line 24::

    #include <stdio.h>
    #include <sys/socket.h>
    #include <unistd.h>

    void handle_connection(int sock)
    {
        char buf[16];
        /* bug is here: recv(2) is allowed to write up to 128 bytes into a
         * 16-byte stack buffer, smashing whatever lies above it, including
         * the saved return address */
        (void) recv(sock, buf, 128, 0);
        fprintf(stdout, "Got %s\n", buf);
        close(sock);
    }
Build the original server and run it::

    $ cd samples/server
    $ make install DESTDIR=vuln
    cc -o server server.c -fno-stack-protector -fomit-frame-pointer
    $ ./vuln/server
Now install the dependencies and build the utilities. Refer to the installation instructions for more details on the procedure and the supported OSes.
For RHEL-based distros do::

    $ sudo yum install -y binutils elfutils elfutils-libelf-devel nc libunwind-devel
    ...
    $ make -C ../../src
    ...

For Debian-based distros do::

    $ sudo apt-get install -y binutils elfutils libelf-dev netcat-openbsd libunwind-dev
    ...
    $ make -C ../../src
    ...
Try to connect to the server using the freshly installed netcat::

    $ echo 'Hi!' | nc localhost 3345

The server should print on its console::

    $ ./vuln/server
    Got Hi!
Now exploit the server via the ``hack.sh`` script. The script analyzes the
binary and builds a string that overflows the server's buffer. The string
overwrites the return address stored on the stack with the address of the
``you_hacked_me`` function, which prints "You hacked me!" on the server's
console. Open another console and run ``./hack.sh`` there::

    $ ./hack.sh

The server console should print::

    Got 0123456789ABCDEF01234567@
    You hacked me!

This sample emulates a packaged binary network server vulnerable to a
return-into-existing-code attack: the same class as return-to-libc, except
that the target here is a function in the server binary itself rather than
a libc routine.
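To make the fix concrete before building the patch, here is a bounded rewrite of ``handle_connection`` driven over a socketpair with an oversized payload, as an added example that is not part of the libcare sample. The contents of the project's ``server.patch`` are not shown on this page, so treating this as what the patch does is an assumption; the names ``handle_connection_fixed`` and ``run_oversized_payload`` and the payload bytes are constructed for illustration.

```c
/* Added example, not from the libcare sample: a bounded handle_connection()
 * exercised without a listening server. Assumes the fix is "tell recv(2) the
 * real buffer size and terminate before printing"; server.patch itself is
 * not shown on the page. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

#define BUF_SIZE 16

/* Hardened handler: the length passed to recv(2) is derived from the buffer
 * with sizeof (minus one byte for the terminator), and the received bytes
 * are NUL-terminated before being handed to a %s format.
 * Returns the number of bytes received, or -1 on error. */
ssize_t handle_connection_fixed(int sock)
{
    char buf[BUF_SIZE];
    ssize_t n = recv(sock, buf, sizeof(buf) - 1, 0);
    if (n < 0) {
        perror("recv");
        return -1;
    }
    buf[n] = '\0';              /* the original printed an unterminated buffer */
    fprintf(stdout, "Got %s\n", buf);
    return n;
}

/* Feed the fixed handler a constructed payload longer than its buffer, the
 * way hack.sh does to the original. Returns the bytes the handler accepted;
 * anything beyond that stays unread in the socket instead of on the stack. */
ssize_t run_oversized_payload(size_t payload_len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    char payload[256];
    if (payload_len > sizeof(payload))
        payload_len = sizeof(payload);
    /* constructed input: the same 0123456789ABCDEF pattern seen in the sample */
    for (size_t i = 0; i < payload_len; i++)
        payload[i] = "0123456789ABCDEF"[i % 16];

    if (write(sv[0], payload, payload_len) != (ssize_t)payload_len) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    ssize_t got = handle_connection_fixed(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return got;
}

int main(void)
{
    ssize_t got = run_oversized_payload(128);
    printf("handler accepted %zd of 128 bytes\n", got);
    return got == BUF_SIZE - 1 ? 0 : 1;
}
```

Two checks are worth carrying into any recv(2) loop: the length argument comes from ``sizeof`` on the buffer rather than a hand-typed constant, and the received bytes are terminated before they reach a ``%s`` format. The same 128-byte payload aimed at the original handler overwrites the saved return address exactly as ``hack.sh`` does.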
Now build the patch for this code via `lcmake`_::

    $ ../../src/libcare-patch-make --clean server.patch
    ...
    patch for $HOME/libcare/samples/server/lcmake/server is in ...

Please note that this overwrites the ``./server`` binary with a
patch-containing file, storing the original vulnerable server as
``./lcmake/server``. Examine the ``patchroot`` directory and find the
patches there::

    $ ls patchroot
    2d0e03e41bd82ec8b840a973077932cb2856a5ec.kpatch
Apply the patch to the running application via `libcare-ctl`_::

    $ ../../src/libcare-ctl -v patch -p $(pidof server) patchroot
    ...
    1 patch hunk(s) have been successfully applied to PID '31209'
Check the hack again; the "You hacked me!" string should be gone::

    (console2) $ ./hack.sh
    (console1) $ # with ./vuln/server still running
    Got 0123456789ABCDEF@
Congratulations on going through this sample! Go on and learn how the magic of the `libcare-patch-make`_ script works, read how the patch is `built under the hood`_ and how it is applied by `libcare-ctl`_. Or even jump to our `hacking guide`_!