Learning Reverse Engineering from Scratch: Understanding ret2libc-1

This article introduces the ret2libc technique in reverse engineering from the ground up, through a detailed walk-through of one challenge: it covers the program's security protections, static analysis in IDA, exploitation of a stack overflow, and the use of gdb to determine the key addresses, and finally shows the exploitation process with an exp.


1. Challenge information

Challenge download link: https://pan.baidu.com/s/1DzkmINus__xu3_qkwoIPwQ Extraction code: 0000

2. Solution analysis

ret2libc means hijacking the program's control flow so that it executes a function in libc, usually by returning to a function's PLT entry or to the function's actual address (the contents of its GOT entry). In most cases the goal is to execute system('/bin/sh').

2.1 First, check which security protections the program has enabled

root@pwn_test1604:/ctf/work/wolf# cd ret2libc/
root@pwn_test1604:/ctf/work/wolf/ret2libc# ls
ret2libc1
root@pwn_test1604:/ctf/work/wolf/ret2libc# checksec ./ret2libc1
[*] '/ctf/work/wolf/ret2libc/ret2libc1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
root@pwn_test1604:/ctf/work/wolf/ret2libc#

The program is a 32-bit little-endian binary with NX enabled.
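As an added example (not code from the article or the challenge), the following Python parses the checksec output above and reports, for each mitigation the binary lacks, what its absence means for the ret2libc chain this write-up describes, together with the compiler/linker flag that would enable it (the remediation table is an assumption of this example).

```python
import re

# checksec output for ret2libc1, copied from the article's terminal session.
CHECKSEC_OUTPUT = """[*] '/ctf/work/wolf/ret2libc/ret2libc1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
"""

# Assumed remediation table: for each checksec row, the gcc/ld flag that turns the
# mitigation on and what its absence means for the ret2libc chain in this write-up.
MITIGATIONS = {
    "Stack": ("-fstack-protector-strong",
              "no canary: overwriting the saved return address is not detected"),
    "PIE":   ("-fPIE -pie",
              "no PIE: system@plt and the /bin/sh string have fixed addresses"),
    "RELRO": ("-Wl,-z,relro,-z,now",
              "partial RELRO: the GOT remains writable at run time"),
    "NX":    ("default (never link with -z execstack)",
              "NX disabled: shellcode placed on the stack would run directly"),
}

def parse_checksec(text):
    """Turn the 'Name:  value' rows of checksec output into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(\w+):\s+(.+?)\s*$", text, re.M)}

def is_enabled(name, value):
    """Interpret one checksec row; only 'Full RELRO' counts as RELRO on."""
    v = value.lower()
    return {"Stack": "canary found" in v and not v.startswith("no canary"),
            "PIE": not v.startswith("no pie"),
            "RELRO": v.startswith("full"),
            "NX": "nx enabled" in v}.get(name, False)

def assess(text):
    """Return (parsed fields, {row: (flag, impact)} for every missing mitigation)."""
    fields = parse_checksec(text)
    missing = {name: info for name, info in MITIGATIONS.items()
               if name in fields and not is_enabled(name, fields[name])}
    return fields, missing

def ret2libc_assumptions_hold(missing):
    """Heuristic: the chain needs fixed addresses (no PIE) and an undetected
    return-address overwrite (no canary); NX alone does not stop it."""
    return "PIE" in missing and "Stack" in missing
```

Running `assess(CHECKSEC_OUTPUT)` on the challenge binary reports Stack, PIE and RELRO as missing while NX is present, which is exactly why NX by itself is not enough here.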

2.2 Next, examine the program in IDA

2.3 The program has an obvious stack overflow; in the PLT we find the address of system, and a /bin/sh string is also present

2.4 Use gdb to determine how many bytes separate the string s from ebp

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./ret2libc1...done.
pwndbg> r
Starting program: /ctf/work/wolf/ret2libc/ret2libc1 
RET2LIBC >_<
AAAA
[Inferior 1 (process 161) exited normally]
pwndbg> b main
Breakpoint 1 at 0x8048621: file ret2libc1.c, line 21.
pwndbg> r
Starting program: /ctf/work/wolf/ret2libc/ret2libc1 

Breakpoint 1, main () at ret2libc1.c:21
21      ret2libc1.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 EAX  0xf7fc6dbc (environ) —▸ 0xffffd79c —▸ 0xffffd8f1 ◂— 'LESSOPEN=| /usr/bin/lesspipe %s'
 EBX  0x0
 ECX  0xdf200d50
 EDX  0xffffd724 ◂— 0x0
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0xffffd6f8 ◂— 0x0
 ESP  0xffffd670 —▸ 0xf7ffcd00 (_rtld_global_ro) ◂— 0x0
 EIP  0x8048621 (main+9) ◂— mov    eax, dword ptr [0x804a060]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x8048621 <main+9>     mov    eax, dword ptr [0x804a060]
   0x8048626 <main+14>    mov    dword ptr [esp + 0xc], 0
   0x804862e <main+22>    mov    dword ptr [esp + 8], 2
   0x8048636 <main+30>    mov    dword ptr [esp + 4], 0
   0x804863e <main+38>    mov    dword ptr [esp], eax
   0x8048641 <main+41>    call   setvbuf@plt <0x80484a0>
 
   0x8048646 <main+46>    mov    eax, dword ptr [stdin@@GLIBC_2.0] <0x804a040>
   0x804864b <main+51>    mov    dword ptr [esp + 0xc], 0
   0x8048653 <main+59>    mov    dword ptr [esp + 8], 1
   0x804865b <main+67>    mov    dword ptr [esp + 4], 0
   0x8048663 <main+75>    mov    dword ptr [esp], eax
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ esp  0xffffd670 —▸ 0xf7ffcd00 (_rtld_global_ro) ◂— 0x0
01:0004│      0xffffd674 —▸ 0xffffd79c —▸ 0xffffd8f1 ◂— 'LESSOPEN=| /usr/bin/lesspipe %s'
02:0008│      0xffffd678 ◂— 0xe0
03:000c│      0xffffd67c ◂— 0x0
04:0010│      0xffffd680 —▸ 0xf7ffd000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x23f40
05:0014│      0xffffd684 —▸ 0xf7ffd918 ◂— 0x0
06:0018│      0xffffd688 —▸ 0xffffd6a0 ◂— 0xffffffff
07:001c│      0xffffd68c —▸ 0x8048312 ◂— pop    edi /* '__libc_start_main' */
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 