Locating the stack overflow

gdb-peda$ bt
#0  0xf7fd8430 in __kernel_vsyscall ()
#1  0xf7e47ea9 in __GI_raise (sig=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xf7e49407 in __GI_abort () at abort.c:89
#3  0xf7e8337c in __libc_message (do_abort=0x2, fmt=0xf7f7a2c7 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#4  0xf7f13708 in __GI___fortify_fail (msg=<optimized out>) at fortify_fail.c:37
#5  0xf7f118f8 in __GI___chk_fail () at chk_fail.c:28
#6  0xf7f10eef in __strcpy_chk (dest=0xffffcf6b "", src=0xffffd55d 'A' <repeats 200 times>..., destlen=0x401) at strcpy_chk.c:30
#7  0x08048f26 in strcpy (__src=0xffffd55d 'A' <repeats 200 times>..., __dest=0xffffcf6b "") at /usr/include/i386-linux-gnu/bits/string3.h:110
#8  main (argc=<optimized out>, argv=<optimized out>) at dnstracer.c:1622
#9  0xf7e34637 in __libc_start_main (main=0x8048c00 <main>, argc=0x3, argv=0xffffd434, init=0x804b960 <__libc_csu_init>, fini=0x804b9c0 <__libc_csu_fini>, 
    rtld_fini=0xf7fe8880 <_dl_fini>, stack_end=0xffffd42c) at ../csu/libc-start.c:291
#10 0x0804920a in _start ()

The vulnerable code in dnstracer.c is as follows:

...
    if (argv[0] == NULL) usage();

    // check for a trailing dot
    strcpy(argv0, argv[0]);
...
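The copy above is unbounded: argv[0] goes into the fixed-size stack buffer argv0 with no length check, which is what frame #6 of the backtrace reports (destlen=0x401). The following is an added example, not dnstracer's own code: it assumes a 1025-byte buffer from that destlen value, and the names copy_argv0 and try_argv0_of_length are hypothetical. It shows a bounded replacement that refuses an over-long argument instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Size of the argv0 stack buffer, assumed from destlen=0x401 in frame #6
 * of the backtrace (1025 bytes); dnstracer's real declaration may differ. */
#define ARGV0_LEN 0x401

/* Bounded replacement for the unchecked strcpy(argv0, argv[0]).
 * Copies src into dst only when it fits together with its NUL
 * terminator; returns 1 on success, 0 if the copy was refused. */
int copy_argv0(char *dst, size_t dstlen, const char *src)
{
    /* Look for the terminator within the first dstlen bytes only, so an
     * over-long src is never scanned to its end. */
    const char *end = memchr(src, '\0', dstlen);
    if (end == NULL)                 /* no terminator in range: would overflow */
        return 0;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 1;
}

/* Exercises the check with a constructed argument of the given length
 * (all 'A', like the src shown in the backtrace). Returns what
 * copy_argv0 returned, or -1 if the requested length is unsupported. */
int try_argv0_of_length(size_t len)
{
    char src[4096];
    char argv0[ARGV0_LEN];
    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_argv0(argv0, sizeof argv0, src);
}

int main(void)
{
    printf("200 bytes:  %d\n", try_argv0_of_length(200));   /* 1: fits */
    printf("1024 bytes: %d\n", try_argv0_of_length(1024));  /* 1: exactly fits */
    printf("1025 bytes: %d\n", try_argv0_of_length(1025));  /* 0: refused */
    return 0;
}
```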

checksec

>>> from pwn import *
[!] Pwntools does not support 32-bit Python.  Use a 64-bit release.
>>> print ELF('/usr/local/bin/dnstracer').checksec()
[*] '/usr/local/bin/dnstracer'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
    FORTIFY:  Enabled

Exploit

First edit the Makefile to turn off stack protection and to stop gcc from replacing strcpy() with the checked __strcpy_chk(); change the compiler flags as follows:

$ vim Makefile 
CC = gcc -fno-stack-protector -z execstack -D_FORTIFY_SOURCE=0

$ make && sudo make install

checksec

>>> from pwn import *
[!] Pwntools does not support 32-bit Python.  Use a 64-bit release.
>>> print ELF('dnstracer').checksec()
[*] '/home/dnstracer-1.9/dnstracer'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Disable ASLR

# echo 0 > /proc/sys/kernel/randomize_va_space