我目前正在努力在Ubuntu 18.04上利用二进制文件。以下是有关二进制文件的一些信息:
使用pwntools的checksec信息:
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
其反汇编代码:
./vulnprog: file format elf32-i386
Disassembly of section .init:
0804834c <_init>:
804834c: 53 push ebx
804834d: 83 ec 08 sub esp,0x8
8048350: e8 8b 00 00 00 call 80483e0 <__x86.get_pc_thunk.bx>
8048355: 81 c3 87 1c 00 00 add ebx,0x1c87
804835b: 8b 83 18 00 00 00 mov eax,DWORD PTR [ebx+0x18]
8048361: 85 c0 test eax,eax
8048363: 74 05 je 804836a <_init+0x1e>
8048365: e8 2e 00 00 00 call 8048398 <__gmon_start__@plt>
804836a: 83 c4 08 add esp,0x8
804836d: 5b pop ebx
804836e: c3 ret
Disassembly of section .plt:
08048370 <.plt>:
8048370: ff 35 e0 9f 04 08 push DWORD PTR ds:0x8049fe0
8048376: ff 25 e4 9f 04 08 jmp DWORD PTR ds:0x8049fe4
804837c: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .plt.got:
08048380 <read@plt>:
8048380: ff 25 e8 9f 04 08 jmp DWORD PTR ds:0x8049fe8
8048386: 66 90 xchg ax,ax
08048388 <_exit@plt>:
8048388: ff 25 ec 9f 04 08 jmp DWORD PTR ds:0x8049fec
804838e: 66 90 xchg ax,ax
08048390 <puts@plt>:
8048390: ff 25 f0 9f 04 08 jmp DWORD PTR ds:0x8049ff0
8048396: 66 90 xchg ax,ax
08048398 <__gmon_start__@plt>:
8048398: ff 25 f4 9f 04 08 jmp DWORD PTR ds:0x8049ff4
804839e: 66 90 xchg ax,ax
080483a0 <__libc_start_main@plt>:
80483a0: ff 25 f8 9f 04 08 jmp DWORD PTR ds:0x8049ff8
80483a6: 66 90 xchg ax,ax
080483a8 <setvbuf@plt>:
80483a8: ff 25 fc 9f 04 08 jmp DWORD PTR ds:0x8049ffc
80483ae: 66 90 xchg ax,ax
Disassembly of section .text:
080483b0 <_start>:
80483b0: 31 ed xor ebp,ebp
80483b2: 5e pop esi
80483b3: 89 e1 mov ecx,esp
80483b5: 83 e4 f0 and esp,0xfffffff0
80483b8: 50 push eax
80483b9: 54 push esp
80483ba: 52 push edx
80483bb: 68 70 85 04 08 push 0x8048570
80483c0: 68 10 85 04 08 push 0x8048510
80483c5: 51 push ecx
80483c6: 56 push esi
80483c7: 68 ab 84 04 08 push 0x80484ab
80483cc: e8 cf ff ff ff call 80483a0 <__libc_start_main@plt>
80483d1: f4 hlt
80483d2: 66 90 xchg ax,ax
80483d4: 66 90 xchg ax,ax
80483d6: 66 90 xchg ax,ax
80483d8: 66 90 xchg ax,ax
80483da: 66 90 xchg ax,ax
80483dc: 66 90 xchg ax,ax
80483de: 66 90 xchg ax,ax
080483e0 <__x86.get_pc_thunk.bx>:
80483e0: 8b 1c 24 mov ebx,DWORD PTR [esp]
80483e3: c3 ret
80483e4: 66 90 xchg ax,ax
80483e6: 66 90 xchg ax,ax
80483e8: 66 90 xchg ax,ax
80483ea: 66 90 xchg ax,ax
80483ec: 66 90 xchg ax,ax
80483ee: 66 90 xchg ax,ax
080483f0 <deregister_tm_clones>:
80483f0: b8 0f a0 04 08 mov eax,0x804a00f
80483f5: 2d 0c a0 04 08 sub eax,0x804a00c
80483fa: 83 f8 06 cmp eax,0x6
80483fd: 76 1a jbe 8048419 <deregister_tm_clones+0x29>
80483ff: b8 00 00 00 00 mov eax,0x0
8048404: 85 c0 test eax,eax
8048406: 74 11 je 8048419 <deregister_tm_clones+0x29>
8048408: 55 push ebp
8048409: 89 e5 mov ebp,esp
804840b: 83 ec 14 sub esp,0x14
804840e: 68 0c a0 04 08 push 0x804a00c
8048413: ff d0 call eax
8048415: 83 c4 10 add esp,0x10
8048418: c9 leave
8048419: f3 c3 repz ret
804841b: 90 nop
804841c: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
08048420 <register_tm_clones>:
8048420: b8 0c a0 04 08 mov eax,0x804a00c
8048425: 2d 0c a0 04 08 sub eax,0x804a00c
804842a: c1 f8 02 sar eax,0x2
804842d: 89 c2 mov edx,eax
804842f: c1 ea 1f shr edx,0x1f
8048432: 01 d0 add eax,edx
8048434: d1 f8 sar eax,1
8048436: 74 1b je 8048453 <register_tm_clones+0x33>
8048438: ba 00 00 00 00 mov edx,0x0
804843d: 85 d2 test edx,edx
804843f: 74 12 je 8048453 <register_tm_clones+0x33>
8048441: 55 push ebp
8048442: 89 e5 mov ebp,esp
8048444: 83 ec 10 sub esp,0x10
8048447: 50 push eax
8048448: 68 0c a0 04 08 push 0x804a00c
804844d: ff d2 call edx
804844f: 83 c4 10 add esp,0x10
8048452: c9 leave
8048453: f3 c3 repz ret
8048455: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
8048459: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]
08048460 <__do_global_dtors_aux>:
8048460: 80 3d 10 a0 04 08 00 cmp BYTE PTR ds:0x804a010,0x0
8048467: 75 13 jne 804847c <__do_global_dtors_aux+0x1c>
8048469: 55 push ebp
804846a: 89 e5 mov ebp,esp
804846c: 83 ec 08 sub esp,0x8
804846f: e8 7c ff ff ff call 80483f0 <deregister_tm_clones>
8048474: c6 05 10 a0 04 08 01 mov BYTE PTR ds:0x804a010,0x1
804847b: c9 leave
804847c: f3 c3 repz ret
804847e: 66 90 xchg ax,ax
08048480 <frame_dummy>:
8048480: b8 f8 9e 04 08 mov eax,0x8049ef8
8048485: 8b 10 mov edx,DWORD PTR [eax]
8048487: 85 d2 test edx,edx
8048489: 75 05 jne 8048490 <frame_dummy+0x10>
804848b: eb 93 jmp 8048420 <register_tm_clones>
804848d: 8d 76 00 lea esi,[esi+0x0]
8048490: ba 00 00 00 00 mov edx,0x0
8048495: 85 d2 test edx,edx
8048497: 74 f2 je 804848b <frame_dummy+0xb>
8048499: 55 push ebp
804849a: 89 e5 mov ebp,esp
804849c: 83 ec 14 sub esp,0x14
804849f: 50 push eax
80484a0: ff d2 call edx
80484a2: 83 c4 10 add esp,0x10
80484a5: c9 leave
80484a6: e9 75 ff ff ff jmp 8048420 <register_tm_clones>
080484ab <main>:
80484ab: 55 push ebp
80484ac: 89 e5 mov ebp,esp
80484ae: 83 ec 28 sub esp,0x28
80484b1: a1 08 a0 04 08 mov eax,ds:0x804a008
80484b6: 3d 39 05 00 00 cmp eax,0x539
80484bb: 74 07 je 80484c4 <main+0x19>
80484bd: 6a 01 push 0x1
80484bf: e8 c4 fe ff ff call 8048388 <_exit@plt>
80484c4: a1 08 a0 04 08 mov eax,ds:0x804a008
80484c9: 83 c0 01 add eax,0x1
80484cc: a3 08 a0 04 08 mov ds:0x804a008,eax
80484d1: a1 0c a0 04 08 mov eax,ds:0x804a00c
80484d6: 6a 00 push 0x0
80484d8: 6a 02 push 0x2
80484da: 6a 00 push 0x0
80484dc: 50 push eax
80484dd: e8 c6 fe ff ff call 80483a8 <setvbuf@plt>
80484e2: 83 c4 10 add esp,0x10
80484e5: 68 90 85 04 08 push 0x8048590
80484ea: e8 a1 fe ff ff call 8048390 <puts@plt>
80484ef: 83 c4 04 add esp,0x4
80484f2: 6a 40 push 0x40
80484f4: 8d 45 d8 lea eax,[ebp-0x28]
80484f7: 50 push eax
80484f8: 6a 00 push 0x0
80484fa: e8 81 fe ff ff call 8048380 <read@plt>
80484ff: 83 c4 0c add esp,0xc
8048502: 90 nop
8048503: 90 nop
8048504: c9 leave
8048505: c3 ret
8048506: 66 90 xchg ax,ax
8048508: 66 90 xchg ax,ax
804850a: 66 90 xchg ax,ax
804850c: 66 90 xchg ax,ax
804850e: 66 90 xchg ax,ax
08048510 <__libc_csu_init>:
8048510: 55 push ebp
8048511: 57 push edi
8048512: 56 push esi
8048513: 53 push ebx
8048514: e8 c7 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx>
8048519: 81 c3 c3 1a 00 00 add ebx,0x1ac3
804851f: 83 ec 0c sub esp,0xc
8048522: 8b 6c 24 20 mov ebp,DWORD PTR [esp+0x20]
8048526: 8d b3 18 ff ff ff lea esi,[ebx-0xe8]
804852c: e8 1b fe ff ff call 804834c <_init>
8048531: 8d 83 14 ff ff ff lea eax,[ebx-0xec]
8048537: 29 c6 sub esi,eax
8048539: c1 fe 02 sar esi,0x2
804853c: 85 f6 test esi,esi
804853e: 74 25 je 8048565 <__libc_csu_init+0x55>
8048540: 31 ff xor edi,edi
8048542: 8d b6 00 00 00 00 lea esi,[esi+0x0]
8048548: 83 ec 04 sub esp,0x4
804854b: ff 74 24 2c push DWORD PTR [esp+0x2c]
804854f: ff 74 24 2c push DWORD PTR [esp+0x2c]
8048553: 55 push ebp
8048554: ff 94 bb 14 ff ff ff call DWORD PTR [ebx+edi*4-0xec]
804855b: 83 c7 01 add edi,0x1
804855e: 83 c4 10 add esp,0x10
8048561: 39 f7 cmp edi,esi
8048563: 75 e3 jne 8048548 <__libc_csu_init+0x38>
8048565: 83 c4 0c add esp,0xc
8048568: 5b pop ebx
8048569: 5e pop esi
804856a: 5f pop edi
804856b: 5d pop ebp
804856c: c3 ret
804856d: 8d 76 00 lea esi,[esi+0x0]
08048570 <__libc_csu_fini>:
8048570: f3 c3 repz ret
Disassembly of section .fini:
08048574 <_fini>:
8048574: 53 push ebx
8048575: 83 ec 08 sub esp,0x8
8048578: e8 63 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx>
804857d: 81 c3 5f 1a 00 00 add ebx,0x1a5f
8048583: 83 c4 08 add esp,0x8
8048586: 5b pop ebx
8048587: c3 ret
我看到main()函数内部存在缓冲区溢出,我尝试使用一些我知道的技术来利用它:在堆栈上执行代码,ret2libc,ropgadget但他们都不起作用。如您所见,启用了NX,二进制文件是动态链接的,因此只有79个ROPgadgets,并且由于ASLR已打开,所以我无法使用retlibc。它跳转到puts()函数以打印出内存中的puts()地址以计算libc的基数,之后我不得不返回<_start>注入带有系统地址的漏洞利用字符串)函数和'/ bin / sh'字符串在内存中。
这可能是一个理想的计划,但是您可以看到在程序的主地址0x080484b6处,eax与0x0804a008中的值进行了比较,以决定继续执行。当我打印出puts()的地址后从puts()函数返回时,0x0804a008中的值增加了一个,不再是0x539,因此程序退出了。
为了解决这个问题,我尝试从puts()返回后编辑_read()函数以编辑0x0804a008的值hold,但是又出现了另一个问题:read()函数仅将64个字节读入缓冲区所以我注入地址的长度只有20个字节。
我被卡住了。我一直在寻找几天,但没有发现任何与我接近的情况。您能给我一些建议,我应该怎么做吗?
#1 楼
我不确定您想要多少扰流板,所以我暂时将其保持较短。缓冲区太短
您的主要问题在某种程度上提示了解决方案。逻辑是,如果您的缓冲区太小,那么请创建一个可以适合您整个负载的新缓冲区。
,这意味着您需要设置一个堆栈枢纽。堆栈枢轴使您可以将堆栈框架移动到其他空间更大的地方,从而设置完整的ROP链。您可以转到堆栈,堆甚至可执行文件的读写部分中的其他位置。一个不错的选择通常是可执行文件的
.data
或.bss
段,但是要在其中没有覆盖任何关键内容的地方找到一个偏移量。例如pop esp
,sub esp, 0x28
,mov esp, edi
等)。但是,在此特定程序中,已经有一条指令可以用作此的小工具。您还需要写入新的堆栈位置。该程序已导入了可用于此目的的功能。然后,使用您已经弄清楚的部分(libc泄漏,调用
system
等)可以就位以完成挑战。
评论
这个二进制文件可以在本地检查吗?我将其上传到了Google云端硬盘。这是链接:drive.google.com/open?id=1_Rjy8t0B05Yp6oFYJSdsrB6orAYh1hJZ