攻防世界-pwn-200-Writeup
Views: 572
Published: 2019-03-09

This article is about 2,103 characters long; estimated reading time 7 minutes.

pwn-200 Vulnerability Analysis

Overview of the Issue

The sub_8048484 function in the provided code is vulnerable to a stack buffer overflow. It reads up to 0x100 bytes into a stack buffer with read(0, &buf, 0x100u), far more than the buffer can hold, so excess input overwrites the rest of the stack frame. The vulnerable code, as decompiled, is:

```c
ssize_t sub_8048484() {
    char buf;
    setbuf(stdin, &buf);
    return read(0, &buf, 0x100u); // Overflow here: 0x100 bytes read into the stack buffer
}
```

Exploiting the Vulnerability

To exploit this vulnerability, we need to understand how the stack buffer is laid out. As decompiled, the buffer is declared as a single char, yet the function reads directly into it without any bounds check. Exploiting this requires knowing how the stack frame is structured and which parts of it the overflow overwrites.

The key is to find the offset at which the saved return address sits relative to the buffer. By overwriting the return address, we control the program's flow and gain arbitrary code execution.
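Added here as an illustration, not code from the writeup or the challenge binary: a hardened form of sub_8048484 that derives the read length from the buffer's real capacity, plus a pipe-fed check showing that the 0x100-byte input the original read() accepts can no longer reach past the buffer. The 64-byte buffer size and the sentinel values are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>

/* Assumed size of the real stack buffer: the decompiled `char buf` gives no
   size, so 64 bytes is a constructed value for this example. */
#define BUF_CAP 64
#define ATTEMPTED_READ 0x100   /* the length the original read() passes */

/* Hardened replacement for sub_8048484: the read length is derived from the
   buffer's capacity, never from a fixed constant, and the result is
   NUL-terminated so it is safe to use as a string. Returns bytes stored, or -1. */
ssize_t read_bounded(int fd, char *buf, size_t cap) {
    if (buf == NULL || cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);   /* leave room for the terminator */
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Feed ATTEMPTED_READ bytes through a pipe, read them with read_bounded into a
   BUF_CAP buffer boxed in by sentinel words, and report whether the sentinels
   survived. Returns 1 if no byte escaped the buffer, 0 otherwise. */
int demo_bounded_read(void) {
    struct {
        uint32_t guard_lo;
        char buf[BUF_CAP];
        uint32_t guard_hi;   /* stands in for the saved return address */
    } frame = { 0xDEADBEEFu, {0}, 0xCAFEBABEu };

    int fds[2];
    if (pipe(fds) != 0) return 0;
    char input[ATTEMPTED_READ];
    memset(input, 'A', sizeof input);   /* constructed oversized input */
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input) return 0;
    close(fds[1]);

    ssize_t n = read_bounded(fds[0], frame.buf, sizeof frame.buf);
    close(fds[0]);

    /* Only BUF_CAP-1 bytes are stored; both guards must be untouched. */
    return n == BUF_CAP - 1
        && frame.guard_lo == 0xDEADBEEFu
        && frame.guard_hi == 0xCAFEBABEu;
}

int main(void) {
    printf("bounded read kept the frame intact: %s\n",
           demo_bounded_read() ? "yes" : "no");
    return 0;
}
```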

Finding libc Base

Using the provided exploit code, the following steps can be taken:

  • Identify the libc base

    After a successful overflow, we leak the address of the write function from libc6-i386_2.23-0ubuntu11_amd64.so. This is done by sending a crafted payload that overwrites the return address so that execution continues in write, which outputs the leaked address.

  • Calculate libc_base

    Once the address of write is known, we subtract libc.symbols['write'] from it to obtain the base address of libc.

  • Identify the system() function

    With libc_base, we can compute the address of system() and eventually spawn a shell using the /bin/sh string in libc.

  • Exploit execution

    The provided remote exploit code demonstrates how to:

    • Trigger the stack overflow by sending an oversized payload.
    • Overwrite the return address so that it points to write.
    • Read the leaked address of write and subtract its libc offset to determine libc_base.
    • Call system() with the /bin/sh string found in libc to spawn a shell.

By following these steps, a full RDI (Remote Differential Exploit) can be achieved, allowing full control over the system.

Reprinted from: http://amppz.baihongyu.com/
