Return-to-libc Attack Lab
SEED Lab: A Hands-on Lab for Security Education
Overview
The learning objective of this lab is for students to gain the first-hand experience on an interesting attack on buffer-overflow vulnerability; this attack can bypass an existing protection scheme currently implemented in Linux operating systems. A common way to exploit a buffer-overflow vulnerability is to overflow the buffer with a malicious shellcode, and then cause the vulnerable program to jump to the shellcode that is stored in the stack. To prevent this kind of attacks, some operating systems, such as Fedora Linux, allow system administrators to make stacks non-executable; therefore, jumping to the shellcode will cause the program to fail.
Unfortunately, the above protection scheme is not fool-proof; there exists another type of attacks, the return-to-libc attack, which does not need an executable stack; it does not even use shell code. Instead, it causes the vulnerable program to jump to some existing code, such as the system() function in the libc library, which is already loaded into the memory.
In this lab, students are given a program with a buffer-overflow vulnerability; their task is to develop a return-to-libc attack to exploit the vulnerability and finally to gain the root privilege. In addition to the attacks, students will be guided to walk through several protection schemes that have been implemented in Linux to counter against the buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why.
Lab Tasks
- VM version: This lab has been tested on our pre-built SEEDUbuntu16.04 VM.
Recommended Time
- Supervised situation (e.g. a closely-guided lab session):
- Unsupervised situation (e.g. take-home project):
Last Update (New)
- The lab was last updated on January 12, 2020.
- Instructors now need to specify the size of the buffer. This will make it difficult for students to reuse the solutions from the past.
- Two challenging tasks (Tasks 5 and 6) are added. (Warning) Task 6 is extremely challenging, so instructors may consider making it optional.
Videos (New)
- This topic is covered in my Udemy course: Computer Security: A Hands-on Approach.
File that are Needed
- retlib.c: the vulnerable program
- exploit.py: the skeleton exploit code in Python
- exploit.c: the skeleton exploit code in C
Suggested Reading
- SEED Book by Wenliang Du
(Book website)
(Chinese version)
- Aleph One. Smashing The Stack For Fun And Profit.