博客
关于我
攻防世界-pwn-200-Writeup
阅读量:572 次
发布时间:2019-03-09

本文共 2103 字,大约阅读时间需要 7 分钟。

pwn-200 Vulnerability Analysis

Overview of the Issue

The sub_8048484 function in the provided code is vulnerable to a stack overflow attack. This function reads data into a buffer using read(0, &buf, 0x100u) which can cause a stack overflow if not handled correctly. The vulnerable code is:

ssize_t sub_8048484() {    char buf;    setbuf(stdin, &buf);    return read(0, &buf, 0x100u); // Overflow here}

Exploiting the Vulnerability

To exploit this vulnerability, we need to analyze how the stack buffer works. The function uses a single-byte buffer and attempts to read data directly into the stack without proper bounds checking. Exploiting this requires understanding how the stack is structured and how overflow affects it.

The key to this exploit is to identify the location where the return address is stored after the stack overflow. By overwriting the return address, we can control the program's flow and gain arbitrary code execution.

Finding libc Base

Using the provided exploit code, the following steps can be taken:

  • Identify the libc base

    After successful exploitation, we can leak the memory address of the write function from libc6-i386_2.23-0ubuntu11_amd64.so. This is done by sending a crafted payload that forces the program to use the overwritten return address as the write function's target.

  • Calculate libc_base

    Once the write function's address is identified, we subtract the libc.symbols['write'] value from it to get the base address of libc.

  • Identify system() Function

    With libc_base, we can find the system() function's address and eventually gain a shell using /bin/sh.

  • Exploit Execution

    The provided remote exploit code demonstrates how to:

  • Bypass stack guard pages by sending a payload that triggers the stack overflow.
  • Update the return address to point to the write function's address.
  • Read the leaked memory address to find the write function's base, hence determining the libc_base.
  • Use system() for shelling out by leveraging binsh from libc.
  • By following these steps, a full RDI (Remote Differential Exploit) can be achieved, allowing for full control over the system.

    转载地址:http://amppz.baihongyu.com/

    你可能感兴趣的文章
    Mysql 拼接多个字段作为查询条件查询方法
    查看>>
    mysql 排序id_mysql如何按特定id排序
    查看>>
    Mysql 提示:Communication link failure
    查看>>
    mysql 插入是否成功_PDO mysql:如何知道插入是否成功
    查看>>
    Mysql 数据库InnoDB存储引擎中主要组件的刷新清理条件:脏页、RedoLog重做日志、Insert Buffer或ChangeBuffer、Undo Log
    查看>>
    mysql 数据库中 count(*),count(1),count(列名)区别和效率问题
    查看>>
    mysql 数据库备份及ibdata1的瘦身
    查看>>
    MySQL 数据库备份种类以及常用备份工具汇总
    查看>>
    mysql 数据库存储引擎怎么选择?快来看看性能测试吧
    查看>>
    MySQL 数据库操作指南:学习如何使用 Python 进行增删改查操作
    查看>>
    MySQL 数据库的高可用性分析
    查看>>
    MySQL 数据库设计总结
    查看>>
    Mysql 数据库重置ID排序
    查看>>
    Mysql 数据类型一日期
    查看>>
    MySQL 数据类型和属性
    查看>>
    mysql 敲错命令 想取消怎么办?
    查看>>
    Mysql 整形列的字节与存储范围
    查看>>
    mysql 断电数据损坏,无法启动
    查看>>
    MySQL 日期时间类型的选择
    查看>>
    Mysql 时间操作(当天,昨天,7天,30天,半年,全年,季度)
    查看>>