保护信息检查
没有开启NX 、PIE等保护
漏洞分析
ida 分析:
# 栈分析
.text:00400930 var_244 = -0x244
.text:00400930 var_242 = -0x242
.text:00400930 var_50 = -0x50 #sprintf 缓冲区
.text:00400930 var_4E = -0x4E
.text:00400930 var_1C = -0x1C
.text:00400930 var_18 = -0x18
.text:00400930 var_16 = -0x16
.text:00400930 var_14 = -0x14
.text:00400930 var_8 = -8
.text:00400930 var_4 = -4 # 保存 ra
.text:00400930 arg_0 = 0
.text:00400930 arg_4 = 4
.text:00400930
.text:00400930 li $gp, 0x489E0
.text:00400938 addu $gp, $t9
.text:0040093C addiu $sp, var_270
.text:00400940 sw $ra, 0x270+var_4($sp)
#漏洞分析
read(fd, 0x270+var_244, 0x1f4) # 可以读取0x1f4字节
.text:00400CE8 lw $gp, 0x270+var_258($fp)
.text:00400CEC addiu $v0, $fp, 0x270+var_244
.text:00400CF0 lw $a0, 0x270+var_24C($fp) # fd
.text:00400CF4 move $a1, $v0 # buf
.text:00400CF8 li $a2, 0x1F4 # nbytes
.text:00400CFC la $t9, read
.text:00400D00 nop
.text:00400D04 jalr $t9 ; read
.text:00400D08 nop
sprintf((char *)&0x270+var_50,"nom nom nom, you sent me %s",&0x270+var_244);
.text:00400D0C lw $gp, 0x270+var_258($fp)
.text:00400D10 addiu $v0, $fp, 0x270+var_50
.text:00400D14 addiu $v1, $fp, 0x270+var_244
.text:00400D18 move $a0, $v0 # s
.text:00400D1C li $v0, 0x400000
.text:00400D20 nop
.text:00400D24 addiu $a1, $v0, (aNomNomNomYouSe - 0x400000) # "nom nom nom, you sent me %s"
.text:00400D28 move $a2, $v1
.text:00400D2C la $t9, sprintf
.text:00400D30 nop
.text:00400D34 jalr $t9 ; sprintf
.text:00400D38 nop
根据栈的情况:
var_50 = -0x50 #sprintf 缓冲区
var_4 = -4 # 保存 ra
read(fd, 0x270+var_244, 0x1f4) # 可以读取0x1f4字节
sprintf((char *)&0x270+var_50,"nom nom nom, you sent me %s",&0x270+var_244);
代码分析可知,没有对var_50 缓冲区进行条件检查,只需要向var_50 位置写入0x50字节便可覆盖 ra
padding = 0x50 - 0x4 = 0x4c
over_ra = 0x4 #覆盖ra
而且 var_244缓冲区可存放 0x1f4 字节,因此sprintf 可造成 var_50 缓冲区溢出,覆盖 ra 等值。
构造rop
1.查找基地址
没有开启 NX 以及 PIE 保护,所以可以通过调试查看 libc_addr。
1.1gdb调试
-
qemu-mipsel调试
mira@ubuntu:squashfs-root$ qemu-mipsel -g 1234 -L ./ pwnable/ShellCode_Required/socket_bof 8888 #开启新终端,gdb调试 mira@ubuntu:ShellCode_Required$ gdb-multiarch ./socket_bof pwndbg> b *0x00400930 pwndbg> target remote 127.0.0.1:1234
-
挂载根文件系统,gdbserver 调试
root@debian-mipsel:chandler# mount -o bind /dev/ ./squashfs-root/dev/ root@debian-mipsel:chandler# mount -t proc /proc/ ./squashfs-root/proc/ root@debian-mipsel:chandler# chroot ./squashfs-root sh
查看文件系统中运行的进程:
root@debian-mipsel:chandler# chroot ./squashfs-root sh BusyBox v1.7.2 (2016-03-09 22:33:37 CST) built-in shell (msh) Enter 'help' for a list of built-in commands. # ps PID Uid VSZ Stat Command 1 0 2632 S init [2] 2 0 SW [kthreadd] 3 0 SW [ksoftirqd/0] 5 0 SW [kworker/u:0] 6 0 SW [watchdog/0] 7 0 SW< [cpuset] 8 0 SW< [khelper] 9 0 SW [kdevtmpfs] 10 0 SW< [netns] ...... 2295 0 2796 S /sbin/getty 38400 tty6 2296 0 4504 S /bin/login -- 2300 0 5148 S dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/d 2341 0 7660 S /usr/sbin/sshd 2344 0 6084 S -bash 2391 0 SW [kworker/0:0] 2479 0 1844 S sh 2480 0 1748 R ps
gdbserver远程调试,开启监听端口:
# ./lsb_mipsel_gdbserver 10.0.0.2:1234 ./pwnable/ShellCode_Required/socket_bof Process ./pwnable/ShellCode_Required/socket_bof created; pid = 2491 Listening on port 1234
本地 gdb调试:
mira@ubuntu:ShellCode_Required$ gdb-multiarch ./socket_bof pwndbg> b main Breakpoint 1 at 0x400958 pwndbg> target remote 10.0.0.2:1234
-
本地ssh 连接:
mira@ubuntu:~$ ssh root@10.0.0.2
1.2查看内存映射:
-
gdb 调试,通过vmmap 查看
pwndbg> vmmap LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 0x400000 0x402000 r-xp 2000 0 /pwnable/ShellCode_Required/socket_bof 0x441000 0x442000 rw-p 1000 1000 /pwnable/ShellCode_Required/socket_bof 0x77ee2000 0x77f1d000 r-xp 3b000 0 /lib/libc.so.0 0x77f1d000 0x77f5d000 ---p 40000 0 0x77f5d000 0x77f5e000 rw-p 1000 3b000 /lib/libc.so.0 0x77f5e000 0x77f62000 rw-p 4000 0 0x77f62000 0x77f72000 r-xp 10000 0 /lib/libgcc_s.so.1 0x77f72000 0x77fb1000 ---p 3f000 0 0x77fb1000 0x77fb2000 rw-p 1000 f000 /lib/libgcc_s.so.1 0x77fb2000 0x77fb7000 r-xp 5000 0 /lib/ld-uClibc.so.0 0x77ff5000 0x77ff6000 rw-p 1000 0 0x77ff6000 0x77ff7000 r--p 1000 4000 /lib/ld-uClibc.so.0 0x77ff7000 0x77ff8000 rw-p 1000 5000 /lib/ld-uClibc.so.0 0x7fdf2000 0x7fff7000 rwxp 205000 0 [stack] 0x7fff7000 0x7fff8000 r-xp 1000 0 [vdso]
可知基地址libc.so.0: libc_addr