The sub_8048484 function in the provided code is vulnerable to a stack overflow. It reads data into a buffer with read(0, &buf, 0x100u), but buf is a single byte on the stack, so up to 0x100 bytes are written past it. The vulnerable code (decompiler output, reproduced with the headers it needs) is:

    #include <stdio.h>
    #include <unistd.h>

    ssize_t sub_8048484()
    {
        char buf;                      // one-byte stack buffer
        setbuf(stdin, &buf);
        return read(0, &buf, 0x100u);  // up to 0x100 bytes into 1 byte: overflow here
    }
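As an added example that is not part of the original writeup, here is the hardened shape of that read next to a small harness that feeds constructed input through a pipe. The helper names (read_bounded, demo_oversized_input) and the BUF_SIZE constant are assumptions made for this example; the fix is to size the buffer for the read, cap the read by the buffer's real size, check the return value and NUL-terminate.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_SIZE 0x100   /* matches the 0x100 the writeup's read() requests */

/* Hardened replacement for the read in sub_8048484: the caller passes a buffer
   and its real size, the read is capped at that size minus one, the return
   value is checked, and the result is NUL-terminated. Nothing can spill past
   the buffer into the saved frame pointer or return address. */
ssize_t read_bounded(int fd, char *out, size_t out_len) {
    if (out == NULL || out_len == 0)
        return -1;
    ssize_t n = read(fd, out, out_len - 1);   /* never more than the buffer holds */
    if (n < 0)
        return -1;
    out[n] = '\0';
    return n;
}

/* Demo harness (constructed input, not from the writeup): payload_len bytes of
   'A' are pushed through a pipe and consumed with the hardened reader into a
   BUF_SIZE stack buffer. Returns the number of bytes accepted, -1 on error. */
ssize_t demo_oversized_input(size_t payload_len) {
    char payload[0x400];
    if (payload_len > sizeof payload)
        return -1;
    memset(payload, 'A', payload_len);

    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    ssize_t written = write(fds[1], payload, payload_len);
    close(fds[1]);                             /* EOF for the reader */

    char buf[BUF_SIZE];                        /* sized for the read, unlike `char buf;` */
    ssize_t got = (written == (ssize_t)payload_len)
                      ? read_bounded(fds[0], buf, sizeof buf) : -1;
    close(fds[0]);
    return got;
}

int main(void) {
    /* 0x200 bytes offered, at most BUF_SIZE - 1 = 255 accepted; the excess is
       left unread instead of overwriting the stack frame. */
    printf("accepted %zd of 0x200 bytes\n", demo_oversized_input(0x200));
    printf("accepted %zd of 16 bytes\n", demo_oversized_input(16));
    return 0;
}
```

Build-time mitigations (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, PIE with ASLR) add a canary and address randomization on top of the bounds fix, but none of them replaces sizing the buffer correctly.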
To exploit this vulnerability, we need to analyze how the stack buffer works. The function uses a single-byte buffer and attempts to read data directly into the stack without proper bounds checking. Exploiting this requires understanding how the stack is structured and how overflow affects it.
The key to this exploit is to identify the location where the return address is stored after the stack overflow. By overwriting the return address, we can control the program's flow and gain arbitrary code execution.
Using the provided exploit code, the following steps can be taken:

1. Identify the libc base. After successful exploitation, we can leak the memory address of the write function from libc6-i386_2.23-0ubuntu11_amd64.so. This is done by sending a crafted payload that forces the program to use the overwritten return address as the write function's target.

2. Calculate libc_base. Once the write function's address is identified, we subtract the libc.symbols['write'] value from it to get the base address of libc.

3. Identify the system() function. With libc_base, we can find the system() function's address and eventually gain a shell using /bin/sh.

The provided remote exploit code demonstrates how to:

- leak the write function's address;
- subtract the write function's offset from it, hence determining libc_base;
- call system() for shelling out by leveraging binsh from libc.

By following these steps, a full RDI (Remote Differential Exploit) can be achieved, allowing full control over the system.
Reprinted from: http://amppz.baihongyu.com/