博客
关于我
攻防世界-pwn-200-Writeup
阅读量:572 次
发布时间:2019-03-09

本文共 2103 字,大约阅读时间需要 7 分钟。

pwn-200 Vulnerability Analysis

Overview of the Issue

The sub_8048484 function in the provided code is vulnerable to a stack overflow attack. This function reads data into a buffer using read(0, &buf, 0x100u) which can cause a stack overflow if not handled correctly. The vulnerable code is:

ssize_t sub_8048484() {    char buf;    setbuf(stdin, &buf);    return read(0, &buf, 0x100u); // Overflow here}

Exploiting the Vulnerability

To exploit this vulnerability, we need to analyze how the stack buffer works. The function uses a single-byte buffer and attempts to read data directly into the stack without proper bounds checking. Exploiting this requires understanding how the stack is structured and how overflow affects it.

The key to this exploit is to identify the location where the return address is stored after the stack overflow. By overwriting the return address, we can control the program's flow and gain arbitrary code execution.

Finding libc Base

Using the provided exploit code, the following steps can be taken:

  • Identify the libc base

    After successful exploitation, we can leak the memory address of the write function from libc6-i386_2.23-0ubuntu11_amd64.so. This is done by sending a crafted payload that forces the program to use the overwritten return address as the write function's target.

  • Calculate libc_base

    Once the write function's address is identified, we subtract the libc.symbols['write'] value from it to get the base address of libc.

  • Identify system() Function

    With libc_base, we can find the system() function's address and eventually gain a shell using /bin/sh.

  • Exploit Execution

    The provided remote exploit code demonstrates how to:

  • Bypass stack guard pages by sending a payload that triggers the stack overflow.
  • Update the return address to point to the write function's address.
  • Read the leaked memory address to find the write function's base, hence determining the libc_base.
  • Use system() for shelling out by leveraging binsh from libc.
  • By following these steps, a full RDI (Remote Differential Exploit) can be achieved, allowing for full control over the system.

    转载地址:http://amppz.baihongyu.com/

    你可能感兴趣的文章
    Mysql5.7版本单机版my.cnf配置文件
    查看>>
    mysql5.7的安装和Navicat的安装
    查看>>
    mysql5.7示例数据库_Linux MySQL5.7多实例数据库配置
    查看>>
    Mysql8 数据库安装及主从配置 | Spring Cloud 2
    查看>>
    mysql8 配置文件配置group 问题 sql语句group不能使用报错解决 mysql8.X版本的my.cnf配置文件 my.cnf文件 能够使用的my.cnf配置文件
    查看>>
    MySQL8.0.29启动报错Different lower_case_table_names settings for server (‘0‘) and data dictionary (‘1‘)
    查看>>
    MYSQL8.0以上忘记root密码
    查看>>
    Mysql8.0以上重置初始密码的方法
    查看>>
    mysql8.0新特性-自增变量的持久化
    查看>>
    Mysql8.0注意url变更写法
    查看>>
    Mysql8.0的特性
    查看>>
    MySQL8修改密码报错ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
    查看>>
    MySQL8修改密码的方法
    查看>>
    Mysql8在Centos上安装后忘记root密码如何重新设置
    查看>>
    Mysql8在Windows上离线安装时忘记root密码
    查看>>
    MySQL8找不到my.ini配置文件以及报sql_mode=only_full_group_by解决方案
    查看>>
    mysql8的安装与卸载
    查看>>
    MySQL8,体验不一样的安装方式!
    查看>>
    MySQL: Host '127.0.0.1' is not allowed to connect to this MySQL server
    查看>>
    Mysql: 对换(替换)两条记录的同一个字段值
    查看>>