新手来了 抱歉,您将要阅读的内容。
我目前正在开发 Ubuntu 18.04 上的二进制文件。以下是有关二进制文件的一些信息:
其使用 pwntools 的 checksec 信息:
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
其反汇编代码:
./vulnprog: file format elf32-i386
Disassembly of section .init:
0804834c <_init>:
804834c: 53 push ebx
804834d: 83 ec 08 sub esp,0x8
8048350: e8 8b 00 00 00 call 80483e0 <__x86.get_pc_thunk.bx>
8048355: 81 c3 87 1c 00 00 add ebx,0x1c87
804835b: 8b 83 18 00 00 00 mov eax,DWORD PTR [ebx+0x18]
8048361: 85 c0 test eax,eax
8048363: 74 05 je 804836a <_init+0x1e>
8048365: e8 2e 00 00 00 call 8048398 <__gmon_start__@plt>
804836a: 83 c4 08 add esp,0x8
804836d: 5b pop ebx
804836e: c3 ret
Disassembly of section .plt:
08048370 <.plt>:
8048370: ff 35 e0 9f 04 08 push DWORD PTR ds:0x8049fe0
8048376: ff 25 e4 9f 04 08 jmp DWORD PTR ds:0x8049fe4
804837c: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .plt.got:
08048380 <read@plt>:
8048380: ff 25 e8 9f 04 08 jmp DWORD PTR ds:0x8049fe8
8048386: 66 90 xchg ax,ax
08048388 <_exit@plt>:
8048388: ff 25 ec 9f 04 08 jmp DWORD PTR ds:0x8049fec
804838e: 66 90 xchg ax,ax
08048390 <puts@plt>:
8048390: ff 25 f0 9f 04 08 jmp DWORD PTR ds:0x8049ff0
8048396: 66 90 xchg ax,ax
08048398 <__gmon_start__@plt>:
8048398: ff 25 f4 9f 04 08 jmp DWORD PTR ds:0x8049ff4
804839e: 66 90 xchg ax,ax
080483a0 <__libc_start_main@plt>:
80483a0: ff 25 f8 9f 04 08 jmp DWORD PTR ds:0x8049ff8
80483a6: 66 90 xchg ax,ax
080483a8 <setvbuf@plt>:
80483a8: ff 25 fc 9f 04 08 jmp DWORD PTR ds:0x8049ffc
80483ae: 66 90 xchg ax,ax
Disassembly of section .text:
080483b0 <_start>:
80483b0: 31 ed xor ebp,ebp
80483b2: 5e pop esi
80483b3: 89 e1 mov ecx,esp
80483b5: 83 e4 f0 and esp,0xfffffff0
80483b8: 50 push eax
80483b9: 54 push esp
80483ba: 52 push edx
80483bb: 68 70 85 04 08 push 0x8048570
80483c0: 68 10 85 04 08 push 0x8048510
80483c5: 51 push ecx
80483c6: 56 push esi
80483c7: 68 ab 84 04 08 push 0x80484ab
80483cc: e8 cf ff ff ff call 80483a0 <__libc_start_main@plt>
80483d1: f4 hlt
80483d2: 66 90 xchg ax,ax
80483d4: 66 90 xchg ax,ax
80483d6: 66 90 xchg ax,ax
80483d8: 66 90 xchg ax,ax
80483da: 66 90 xchg ax,ax
80483dc: 66 90 xchg ax,ax
80483de: 66 90 xchg ax,ax
080483e0 <__x86.get_pc_thunk.bx>:
80483e0: 8b 1c 24 mov ebx,DWORD PTR [esp]
80483e3: c3 ret
80483e4: 66 90 xchg ax,ax
80483e6: 66 90 xchg ax,ax
80483e8: 66 90 xchg ax,ax
80483ea: 66 90 xchg ax,ax
80483ec: 66 90 xchg ax,ax
80483ee: 66 90 xchg ax,ax
080483f0 <deregister_tm_clones>:
80483f0: b8 0f a0 04 08 mov eax,0x804a00f
80483f5: 2d 0c a0 04 08 sub eax,0x804a00c
80483fa: 83 f8 06 cmp eax,0x6
80483fd: 76 1a jbe 8048419 <deregister_tm_clones+0x29>
80483ff: b8 00 00 00 00 mov eax,0x0
8048404: 85 c0 test eax,eax
8048406: 74 11 je 8048419 <deregister_tm_clones+0x29>
8048408: 55 push ebp
8048409: 89 e5 mov ebp,esp
804840b: 83 ec 14 sub esp,0x14
804840e: 68 0c a0 04 08 push 0x804a00c
8048413: ff d0 call eax
8048415: 83 c4 10 add esp,0x10
8048418: c9 leave
8048419: f3 c3 repz ret
804841b: 90 nop
804841c: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
08048420 <register_tm_clones>:
8048420: b8 0c a0 04 08 mov eax,0x804a00c
8048425: 2d 0c a0 04 08 sub eax,0x804a00c
804842a: c1 f8 02 sar eax,0x2
804842d: 89 c2 mov edx,eax
804842f: c1 ea 1f shr edx,0x1f
8048432: 01 d0 add eax,edx
8048434: d1 f8 sar eax,1
8048436: 74 1b je 8048453 <register_tm_clones+0x33>
8048438: ba 00 00 00 00 mov edx,0x0
804843d: 85 d2 test edx,edx
804843f: 74 12 je 8048453 <register_tm_clones+0x33>
8048441: 55 push ebp
8048442: 89 e5 mov ebp,esp
8048444: 83 ec 10 sub esp,0x10
8048447: 50 push eax
8048448: 68 0c a0 04 08 push 0x804a00c
804844d: ff d2 call edx
804844f: 83 c4 10 add esp,0x10
8048452: c9 leave
8048453: f3 c3 repz ret
8048455: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
8048459: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]
08048460 <__do_global_dtors_aux>:
8048460: 80 3d 10 a0 04 08 00 cmp BYTE PTR ds:0x804a010,0x0
8048467: 75 13 jne 804847c <__do_global_dtors_aux+0x1c>
8048469: 55 push ebp
804846a: 89 e5 mov ebp,esp
804846c: 83 ec 08 sub esp,0x8
804846f: e8 7c ff ff ff call 80483f0 <deregister_tm_clones>
8048474: c6 05 10 a0 04 08 01 mov BYTE PTR ds:0x804a010,0x1
804847b: c9 leave
804847c: f3 c3 repz ret
804847e: 66 90 xchg ax,ax
08048480 <frame_dummy>:
8048480: b8 f8 9e 04 08 mov eax,0x8049ef8
8048485: 8b 10 mov edx,DWORD PTR [eax]
8048487: 85 d2 test edx,edx
8048489: 75 05 jne 8048490 <frame_dummy+0x10>
804848b: eb 93 jmp 8048420 <register_tm_clones>
804848d: 8d 76 00 lea esi,[esi+0x0]
8048490: ba 00 00 00 00 mov edx,0x0
8048495: 85 d2 test edx,edx
8048497: 74 f2 je 804848b <frame_dummy+0xb>
8048499: 55 push ebp
804849a: 89 e5 mov ebp,esp
804849c: 83 ec 14 sub esp,0x14
804849f: 50 push eax
80484a0: ff d2 call edx
80484a2: 83 c4 10 add esp,0x10
80484a5: c9 leave
80484a6: e9 75 ff ff ff jmp 8048420 <register_tm_clones>
080484ab <main>:
80484ab: 55 push ebp
80484ac: 89 e5 mov ebp,esp
80484ae: 83 ec 28 sub esp,0x28
80484b1: a1 08 a0 04 08 mov eax,ds:0x804a008
80484b6: 3d 39 05 00 00 cmp eax,0x539
80484bb: 74 07 je 80484c4 <main+0x19>
80484bd: 6a 01 push 0x1
80484bf: e8 c4 fe ff ff call 8048388 <_exit@plt>
80484c4: a1 08 a0 04 08 mov eax,ds:0x804a008
80484c9: 83 c0 01 add eax,0x1
80484cc: a3 08 a0 04 08 mov ds:0x804a008,eax
80484d1: a1 0c a0 04 08 mov eax,ds:0x804a00c
80484d6: 6a 00 push 0x0
80484d8: 6a 02 push 0x2
80484da: 6a 00 push 0x0
80484dc: 50 push eax
80484dd: e8 c6 fe ff ff call 80483a8 <setvbuf@plt>
80484e2: 83 c4 10 add esp,0x10
80484e5: 68 90 85 04 08 push 0x8048590
80484ea: e8 a1 fe ff ff call 8048390 <puts@plt>
80484ef: 83 c4 04 add esp,0x4
80484f2: 6a 40 push 0x40
80484f4: 8d 45 d8 lea eax,[ebp-0x28]
80484f7: 50 push eax
80484f8: 6a 00 push 0x0
80484fa: e8 81 fe ff ff call 8048380 <read@plt>
80484ff: 83 c4 0c add esp,0xc
8048502: 90 nop
8048503: 90 nop
8048504: c9 leave
8048505: c3 ret
8048506: 66 90 xchg ax,ax
8048508: 66 90 xchg ax,ax
804850a: 66 90 xchg ax,ax
804850c: 66 90 xchg ax,ax
804850e: 66 90 xchg ax,ax
08048510 <__libc_csu_init>:
8048510: 55 push ebp
8048511: 57 push edi
8048512: 56 push esi
8048513: 53 push ebx
8048514: e8 c7 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx>
8048519: 81 c3 c3 1a 00 00 add ebx,0x1ac3
804851f: 83 ec 0c sub esp,0xc
8048522: 8b 6c 24 20 mov ebp,DWORD PTR [esp+0x20]
8048526: 8d b3 18 ff ff ff lea esi,[ebx-0xe8]
804852c: e8 1b fe ff ff call 804834c <_init>
8048531: 8d 83 14 ff ff ff lea eax,[ebx-0xec]
8048537: 29 c6 sub esi,eax
8048539: c1 fe 02 sar esi,0x2
804853c: 85 f6 test esi,esi
804853e: 74 25 je 8048565 <__libc_csu_init+0x55>
8048540: 31 ff xor edi,edi
8048542: 8d b6 00 00 00 00 lea esi,[esi+0x0]
8048548: 83 ec 04 sub esp,0x4
804854b: ff 74 24 2c push DWORD PTR [esp+0x2c]
804854f: ff 74 24 2c push DWORD PTR [esp+0x2c]
8048553: 55 push ebp
8048554: ff 94 bb 14 ff ff ff call DWORD PTR [ebx+edi*4-0xec]
804855b: 83 c7 01 add edi,0x1
804855e: 83 c4 10 add esp,0x10
8048561: 39 f7 cmp edi,esi
8048563: 75 e3 jne 8048548 <__libc_csu_init+0x38>
8048565: 83 c4 0c add esp,0xc
8048568: 5b pop ebx
8048569: 5e pop esi
804856a: 5f pop edi
804856b: 5d pop ebp
804856c: c3 ret
804856d: 8d 76 00 lea esi,[esi+0x0]
08048570 <__libc_csu_fini>:
8048570: f3 c3 repz ret
Disassembly of section .fini:
08048574 <_fini>:
8048574: 53 push ebx
8048575: 83 ec 08 sub esp,0x8
8048578: e8 63 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx>
804857d: 81 c3 5f 1a 00 00 add ebx,0x1a5f
8048583: 83 c4 08 add esp,0x8
8048586: 5b pop ebx
8048587: c3 ret
我可以看到在 main() 函数中存在可以被利用的缓冲区溢出,我尝试使用一些我知道的技术来利用它:在堆栈上执行代码、ret2libc、ropgadget,但它们都不起作用。如您所见,NX 已启用,二进制文件是动态链接的,因此只有 79 个 ROPgadget,并且由于打开了 ASLR,我无法使用 retlibc。
我通过制作输入字符串来尝试 ret2libc,以便它跳转到 puts() 函数以打印出内存中的 puts() 地址以计算 libc 的基数,之后我不得不返回 <_start> 注入漏洞利用字符串,带有 system() 函数的地址和内存中的 '/bin/sh' 字符串。
这可能是一个理想的计划,但您可以看到,在 main 的地址 0x080484b6 处,程序将加载了 0x0804a008 中的值的 eax 与 0x539 进行比较,以决定继续。当我打印出puts()的地址后从puts()函数返回时,0x0804a008中的那个值已经增加了1,不再是0x539,所以程序退出了。
为了解决这个问题,我尝试在从 puts() 返回后跳转到 _read() 函数以编辑由 0x0804a008 保存的值,但出现了另一个问题:read() 函数仅将 64 个字节读入缓冲区,因此我注入地址的长度只有 20 个字节。
我被卡住了。我一直在寻找几天,但没有找到任何与我的案子很接近的案子。你能给我一些关于我应该如何完成这件事的建议吗?