博客
关于我
攻防世界-pwn-200-Writeup
阅读量:572 次
发布时间:2019-03-09

本文共 2103 字,大约阅读时间需要 7 分钟。

pwn-200 Vulnerability Analysis

Overview of the Issue

The sub_8048484 function in the provided code is vulnerable to a stack overflow attack. This function reads data into a buffer using read(0, &buf, 0x100u) which can cause a stack overflow if not handled correctly. The vulnerable code is:

ssize_t sub_8048484() {    char buf;    setbuf(stdin, &buf);    return read(0, &buf, 0x100u); // Overflow here}

Exploiting the Vulnerability

To exploit this vulnerability, we need to analyze how the stack buffer works. The function uses a single-byte buffer and attempts to read data directly into the stack without proper bounds checking. Exploiting this requires understanding how the stack is structured and how overflow affects it.

The key to this exploit is to identify the location where the return address is stored after the stack overflow. By overwriting the return address, we can control the program's flow and gain arbitrary code execution.

Finding libc Base

Using the provided exploit code, the following steps can be taken:

  • Identify the libc base

    After successful exploitation, we can leak the memory address of the write function from libc6-i386_2.23-0ubuntu11_amd64.so. This is done by sending a crafted payload that forces the program to use the overwritten return address as the write function's target.

  • Calculate libc_base

    Once the write function's address is identified, we subtract the libc.symbols['write'] value from it to get the base address of libc.

  • Identify system() Function

    With libc_base, we can find the system() function's address and eventually gain a shell using /bin/sh.

  • Exploit Execution

    The provided remote exploit code demonstrates how to:

  • Bypass stack guard pages by sending a payload that triggers the stack overflow.
  • Update the return address to point to the write function's address.
  • Read the leaked memory address to find the write function's base, hence determining the libc_base.
  • Use system() for shelling out by leveraging binsh from libc.
  • By following these steps, a full RDI (Remote Differential Exploit) can be achieved, allowing for full control over the system.

    转载地址:http://amppz.baihongyu.com/

    你可能感兴趣的文章
    mysql 表的操作
    查看>>
    mysql 视图,视图更新删除
    查看>>
    MySQL 触发器
    查看>>
    mysql 让所有IP访问数据库
    查看>>
    mysql 记录的增删改查
    查看>>
    MySQL 设置数据库的隔离级别
    查看>>
    MySQL 证明为什么用limit时,offset很大会影响性能
    查看>>
    Mysql 语句操作索引SQL语句
    查看>>
    MySQL 误操作后数据恢复(update,delete忘加where条件)
    查看>>
    MySQL 调优/优化的 101 个建议!
    查看>>
    mysql 转义字符用法_MySql 转义字符的使用说明
    查看>>
    mysql 输入密码秒退
    查看>>
    mysql 递归查找父节点_MySQL递归查询树状表的子节点、父节点具体实现
    查看>>
    mysql 通过查看mysql 配置参数、状态来优化你的mysql
    查看>>
    mysql 里对root及普通用户赋权及更改密码的一些命令
    查看>>
    Mysql 重置自增列的开始序号
    查看>>
    mysql 锁机制 mvcc_Mysql性能优化-事务、锁和MVCC
    查看>>
    MySQL 错误
    查看>>
    mysql 随机数 rand使用
    查看>>
    MySQL 面试题汇总
    查看>>