博客
关于我
攻防世界-pwn-200-Writeup
阅读量:572 次
发布时间:2019-03-09

本文共 2103 字,大约阅读时间需要 7 分钟。

pwn-200 Vulnerability Analysis

Overview of the Issue

The sub_8048484 function in the provided code is vulnerable to a stack overflow attack. This function reads data into a buffer using read(0, &buf, 0x100u) which can cause a stack overflow if not handled correctly. The vulnerable code is:

ssize_t sub_8048484() {    char buf;    setbuf(stdin, &buf);    return read(0, &buf, 0x100u); // Overflow here}

Exploiting the Vulnerability

To exploit this vulnerability, we need to analyze how the stack buffer works. The function uses a single-byte buffer and attempts to read data directly into the stack without proper bounds checking. Exploiting this requires understanding how the stack is structured and how overflow affects it.

The key to this exploit is to identify the location where the return address is stored after the stack overflow. By overwriting the return address, we can control the program's flow and gain arbitrary code execution.

Finding libc Base

Using the provided exploit code, the following steps can be taken:

  • Identify the libc base

    After successful exploitation, we can leak the memory address of the write function from libc6-i386_2.23-0ubuntu11_amd64.so. This is done by sending a crafted payload that forces the program to use the overwritten return address as the write function's target.

  • Calculate libc_base

    Once the write function's address is identified, we subtract the libc.symbols['write'] value from it to get the base address of libc.

  • Identify system() Function

    With libc_base, we can find the system() function's address and eventually gain a shell using /bin/sh.

  • Exploit Execution

    The provided remote exploit code demonstrates how to:

  • Bypass stack guard pages by sending a payload that triggers the stack overflow.
  • Update the return address to point to the write function's address.
  • Read the leaked memory address to find the write function's base, hence determining the libc_base.
  • Use system() for shelling out by leveraging binsh from libc.
  • By following these steps, a full RDI (Remote Differential Exploit) can be achieved, allowing for full control over the system.

    转载地址:http://amppz.baihongyu.com/

    你可能感兴趣的文章
    mysql创建数据库指定字符集
    查看>>
    MySql创建数据表
    查看>>
    MySQL创建新用户以及ERROR 1396 (HY000)问题解决
    查看>>
    MySQL创建用户与授权
    查看>>
    MySQL创建用户报错:ERROR 1396 (HY000): Operation CREATE USER failed for 'slave'@'%'
    查看>>
    MySQL创建索引时提示“Specified key was too long; max key length is 767 bytes”
    查看>>
    mysql初始密码错误问题
    查看>>
    Mysql删除重复数据通用SQL
    查看>>
    mysql判断某一张表是否存在的sql语句以及方法
    查看>>
    mysql加入安装策略_一键安装mysql5.7及密码策略修改方法
    查看>>
    mysql加强(1)~用户权限介绍、分别使用客户端工具和命令来创建用户和分配权限
    查看>>
    mysql加强(3)~分组(统计)查询
    查看>>
    mysql加强(4)~多表查询:笛卡尔积、消除笛卡尔积操作(等值、非等值连接),内连接(隐式连接、显示连接)、外连接、自连接
    查看>>
    mysql加强(5)~DML 增删改操作和 DQL 查询操作
    查看>>
    mysql加强(6)~子查询简单介绍、子查询分类
    查看>>
    mysql加强(7)~事务、事务并发、解决事务并发的方法
    查看>>
    MySQL千万级多表关联SQL语句调优
    查看>>
    mysql千万级大数据SQL查询优化
    查看>>
    MySQL千万级大表优化策略
    查看>>
    MySQL单实例或多实例启动脚本
    查看>>