-
-
[旧帖] smashthestack IO level6_alt 求助 0.00雪花
-
发表于: 2014-2-20 00:21
-
最近在玩儿smashthestack IO,碰到level6_alt的时候碰到了麻烦,没想出什么好的思路
level06_alt的源代码
程序添加了SSP保护
开始想过在覆盖buff的时候同时覆盖pass,但是两者完全不在一个存储区,而且也无法覆盖掉FILE *f这个局部变量,也想过覆盖__stack_chk_fail@plt,但是貌似需要一个任意地址写的漏洞才行,求大神们指点一下
level06_alt的源代码
#include <stdio.h>
#include <sys/fcntl.h>
#include <unistd.h>
#include <string.h>
char pass[32];
int main(int argc, char * argv[])
{
char buf[32];
FILE *f;
f = fopen("/levels/level06_alt.pass", "r");
fgets(pass, 32, f);
fgets(buf, 999, stdin);
if(!strcmp(buf, pass)) {
printf("Success!\n");
setreuid(geteuid(), geteuid());
execl("/bin/sh", NULL, NULL);
}
return 0;
}
程序添加了SSP保护
(gdb) disass main
Dump of assembler code for function main:
0x08048574 <+0>: lea 0x4(%esp),%ecx
0x08048578 <+4>: and $0xfffffff0,%esp
0x0804857b <+7>: pushl -0x4(%ecx)
0x0804857e <+10>: push %ebp
0x0804857f <+11>: mov %esp,%ebp
0x08048581 <+13>: push %ebx
0x08048582 <+14>: push %ecx
0x08048583 <+15>: sub $0x40,%esp
0x08048586 <+18>: mov 0x4(%ecx),%eax
0x08048589 <+21>: mov %eax,-0x3c(%ebp) /* var_3c */
0x0804858c <+24>: mov %gs:0x14,%eax
0x08048592 <+30>: mov %eax,-0xc(%ebp) /* var_c = cookie */
0x08048595 <+33>: xor %eax,%eax
0x08048597 <+35>: movl $0x8048720,0x4(%esp)
0x0804859f <+43>: movl $0x8048722,(%esp)
0x080485a6 <+50>: call 0x8048460 <fopen@plt> /* fopen("/levels/level06_alt.pass", "r") */
0x080485ab <+55>: mov %eax,-0x30(%ebp) /* var_30 = File * f */
0x080485ae <+58>: mov -0x30(%ebp),%eax
0x080485b1 <+61>: mov %eax,0x8(%esp)
0x080485b5 <+65>: movl $0x20,0x4(%esp)
0x080485bd <+73>: movl $0x80498a0,(%esp) /* pass */
0x080485c4 <+80>: call 0x8048430 <fgets@plt> /* fgets(pass, 32, var_30) */
0x080485c9 <+85>: mov 0x8049880,%eax
0x080485ce <+90>: mov %eax,0x8(%esp)
0x080485d2 <+94>: movl $0x3e7,0x4(%esp)
0x080485da <+102>: lea -0x2c(%ebp),%eax /* var_2c = buf[32] */
0x080485dd <+105>: mov %eax,(%esp)
0x080485e0 <+108>: call 0x8048430 <fgets@plt> /* fgets(var_2c, 0x3e7, stdin) */
0x080485e5 <+113>: movl $0x80498a0,0x4(%esp)
0x080485ed <+121>: lea -0x2c(%ebp),%eax
0x080485f0 <+124>: mov %eax,(%esp)
0x080485f3 <+127>: call 0x80484a0 <strcmp@plt> /* strcmp(buff, pass)*/
0x080485f8 <+132>: test %eax,%eax
0x080485fa <+134>: jne 0x804863c <main+200>
0x080485fc <+136>: movl $0x804873b,(%esp)
0x08048603 <+143>: call 0x8048490 <puts@plt>
0x08048608 <+148>: call 0x80484b0 <geteuid@plt>
0x0804860d <+153>: mov %eax,%ebx
0x0804860f <+155>: call 0x80484b0 <geteuid@plt>
0x08048614 <+160>: mov %ebx,0x4(%esp)
0x08048618 <+164>: mov %eax,(%esp)
0x0804861b <+167>: call 0x8048480 <setreuid@plt>
0x08048620 <+172>: movl $0x0,0x8(%esp)
0x08048628 <+180>: movl $0x0,0x4(%esp)
0x08048630 <+188>: movl $0x8048744,(%esp)
0x08048637 <+195>: call 0x8048450 <execl@plt>
0x0804863c <+200>: mov $0x0,%eax
0x08048641 <+205>: mov -0xc(%ebp),%edx
0x08048644 <+208>: xor %gs:0x14,%edx
0x0804864b <+215>: je 0x8048652 <main+222>
0x0804864d <+217>: call 0x8048470 <__stack_chk_fail@plt> /* 这个要怎么bypass */
0x08048652 <+222>: add $0x40,%esp
0x08048655 <+225>: pop %ecx
0x08048656 <+226>: pop %ebx
0x08048657 <+227>: pop %ebp
0x08048658 <+228>: lea -0x4(%ecx),%esp
0x0804865b <+231>: ret
End of assembler dump.开始想过在覆盖buff的时候同时覆盖pass,但是两者完全不在一个存储区,而且也无法覆盖掉FILE *f这个局部变量,也想过覆盖__stack_chk_fail@plt,但是貌似需要一个任意地址写的漏洞才行,求大神们指点一下
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
