ret2libc(b33f adv_pwn)
Author: 堇姬Naup
一些工具
找libc offset
libc_leak-libc_base(vmmap)=offset
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
libc offset:
https://libc.blukat.me/
https://github.com/scwuaptx/Pwngdb
version:
Ubuntu 16.04: Glibc 2.23
Ubuntu 18.04: Glibc 2.27
Ubuntu 20.04: Glibc 2.31
Ubuntu 22.04: Glibc 2.35
What is ret2libc
- 倘若能得知 library 被 map 到的隨機起始地址 (base address),則可以計算出 libc 中 function 的位置,便能調⽤ library 中的函式。
- 關鍵為 bypass ASLR,找出 libc 的隨機 base
- 透過 information leak 漏洞,洩漏 memory 上的內容,獲取屬於 libcsegment 的 address
- 此 address 會是隨機的 base address 加上⼀固定位移植 ofset (不同版本的 libc ofset 不同)
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
libc base
通常開頭7f
,結尾e80
題目
知道libc
他說他Dockerfile裡面用Ubuntu 22.04
所以libc版本是2.35
checksec
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
source code分析
開始解
首先因為有ASLR,所以要找出libc base
這裡有oob(簡單來說就是沒有對index檢查,arr[i] (int)
= *(arr + i *sizeof(int)),輸入不在範圍的可以leak 任何記憶體)
嘗試輸入幾次後可以發現15會leak一個libc adress
接著用libc base扣掉他找offset
libc leak:
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
libc base:
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
找出offset
找libc裡面的/bin/sh
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
接下來要堆ROP(用libc裡面的,全部都要+libc base)
目標 |
地址 |
pop rdi ; ret |
0x2a3e5 |
/bin/sh |
0x1d8678 |
ret |
0x2a3e5+0x1 |
system |
0x50d70 |
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More →
stack
script
感謝
感謝國外隊友Tomer大老幫我釐清問題
順便附上他的解法
一些資料
https://hackmd.io/@u1f383/S1CNu-1SO
https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc