博客
关于我
攻防世界-pwn-200-Writeup
阅读量:572 次
发布时间:2019-03-09

本文共 2103 字,大约阅读时间需要 7 分钟。

pwn-200 Vulnerability Analysis

Overview of the Issue

The sub_8048484 function in the provided code is vulnerable to a stack overflow attack. This function reads data into a buffer using read(0, &buf, 0x100u) which can cause a stack overflow if not handled correctly. The vulnerable code is:

ssize_t sub_8048484() {    char buf;    setbuf(stdin, &buf);    return read(0, &buf, 0x100u); // Overflow here}

Exploiting the Vulnerability

To exploit this vulnerability, we need to analyze how the stack buffer works. The function uses a single-byte buffer and attempts to read data directly into the stack without proper bounds checking. Exploiting this requires understanding how the stack is structured and how overflow affects it.

The key to this exploit is to identify the location where the return address is stored after the stack overflow. By overwriting the return address, we can control the program's flow and gain arbitrary code execution.

Finding libc Base

Using the provided exploit code, the following steps can be taken:

  • Identify the libc base

    After successful exploitation, we can leak the memory address of the write function from libc6-i386_2.23-0ubuntu11_amd64.so. This is done by sending a crafted payload that forces the program to use the overwritten return address as the write function's target.

  • Calculate libc_base

    Once the write function's address is identified, we subtract the libc.symbols['write'] value from it to get the base address of libc.

  • Identify system() Function

    With libc_base, we can find the system() function's address and eventually gain a shell using /bin/sh.

  • Exploit Execution

    The provided remote exploit code demonstrates how to:

  • Bypass stack guard pages by sending a payload that triggers the stack overflow.
  • Update the return address to point to the write function's address.
  • Read the leaked memory address to find the write function's base, hence determining the libc_base.
  • Use system() for shelling out by leveraging binsh from libc.
  • By following these steps, a full RDI (Remote Differential Exploit) can be achieved, allowing for full control over the system.

    转载地址:http://amppz.baihongyu.com/

    你可能感兴趣的文章
    mysql 权限登录问题:ERROR 1045 (28000): Access denied for user ‘root‘@‘localhost‘ (using password: YES)
    查看>>
    MYSQL 查看最大连接数和修改最大连接数
    查看>>
    MySQL 查看有哪些表
    查看>>
    mysql 查看锁_阿里/美团/字节面试官必问的Mysql锁机制,你真的明白吗
    查看>>
    MySql 查询以逗号分隔的字符串的方法(正则)
    查看>>
    MySQL 查询优化:提速查询效率的13大秘籍(避免使用SELECT 、分页查询的优化、合理使用连接、子查询的优化)(上)
    查看>>
    mysql 查询数据库所有表的字段信息
    查看>>
    【Java基础】什么是面向对象?
    查看>>
    mysql 查询,正数降序排序,负数升序排序
    查看>>
    MySQL 树形结构 根据指定节点 获取其下属的所有子节点(包含路径上的枝干节点和叶子节点)...
    查看>>
    mysql 死锁 Deadlock found when trying to get lock; try restarting transaction
    查看>>
    mysql 死锁(先delete 后insert)日志分析
    查看>>
    MySQL 死锁了,怎么办?
    查看>>
    MySQL 深度分页性能急剧下降,该如何优化?
    查看>>
    MySQL 深度分页性能急剧下降,该如何优化?
    查看>>
    MySQL 添加列,修改列,删除列
    查看>>
    mysql 添加索引
    查看>>
    MySQL 添加索引,删除索引及其用法
    查看>>
    mysql 状态检查,备份,修复
    查看>>
    MySQL 用 limit 为什么会影响性能?
    查看>>