Posts in the category "pwn"

Format string vulnerability: arbitrary write

vuln.c

#include <stdio.h>

int auth = 0;

int main() {
    char password[100];
    puts("Password: ");
    fgets(password, sizeof password, stdin);
    printf(password);            /* user input used directly as the format string */
    printf("Auth is %i\n", auth);
    if(auth == 10) {
        puts("Authenticated!");
    }
}

Program analysis

Program protections

gcc -m32 -no-pie -fno-stack-protector -z execstack vuln.c -o vuln

$ checksec --file=./vuln
[*] '/home/kali/exploits/str_arb_write/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

Stack layout

$ ./vuln
Password:
%p %p %p %p %p %p %p %p %p %p %p
0x64 0xf7e1d620 0x804918d 0xf7ffdbac 0x1 0xf7fc17c0 0x25207025 0x70252070 0x20702520 0x25207025 0x70252070
Auth is 0

ASCII to hex: '%' is 0x25, ' ' is 0x20, 'p' is 0x70. The 7th dword on the stack holds the format string itself.

3. Building the exploit stack

Stack offset | Stack contents ……


Format string vulnerability: arbitrary read

Arbitrary read

vuln.c

#include <stdio.h>

int main(void) {
    char buffer[200];
    gets(buffer);
    printf(buffer);              /* user input used directly as the format string */
    return 0;
}

Vulnerability analysis

Compiling the program

gcc -m32 -no-pie -fno-stack-protector -z execstack vuln.c -o vuln

Analyzing the program

Program protections

└─$ checksec --file=./vuln
[*] '/home/kali/exploits/str_arb_read/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

r2 debug vuln

└─$ r2 -d -A ./vuln
glibc.fc_offset = 0x00148
experimental analysis.
[0xf7fe4450]> s main;pdf
            ; DATA XREFS from entry0 @ 0x8049086, 0x804908c
┌ 83: int main (char **argv);
│           ; var int32_t var_d0h @ ebp-0xd0
│           ; var int32_t var_8h @ ebp-0x8
│           ; arg char **argv @ esp+0xf4
│           0x08049172      8d4c2404       sub esp, 0xc
│           0x080491a7      8d8530ffffff   lea eax, [var_d0h]
│           0x080491ad      50             push eax
│           0x080491ae……


use after free

Setting up the Docker environment

### pull the ubuntu 16.04 image
sudo docker pull ubuntu:16.04

### open a shell in the container
sudo docker run -ti --rm ubuntu:16.04 /bin/bash

### install gcc
apt update && apt install gcc

### gcc version
root@687e398bdbdb:/# gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

### install radare2
apt install radare2

Vulnerable program

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct data {
    char name[64];
};

struct fp {
    void (*fp)();
    char __pad[64 - sizeof(unsigned long)];
};

void winner() {
    printf("Congratulations, you have passed this level\n");
}

void nowinner() {
    printf(
        "level has……


stack pivoting

1 What

Stack pivoting is a technique for moving the stack pointer to a different region of memory.

2 Why

Sometimes the buffer has a length limit, which leaves too little room to lay out a ROP chain on the stack!

3 How

3.1 pop rsp gadget

This case is rare; if you find one, you are quite lucky~

3.2 xchg <reg>, rsp

pop <reg>        <=== return pointer
<reg value>
xchg <reg>, rsp

3.3 leave; ret

leave is equivalent to:

mov rsp, rbp
pop rbp

Adding ret makes it:

mov rsp, rbp
pop rbp
pop rip

Overwrite rbp, and then the ri…… on the stack


ret2plt

The PLT, or Procedure Linkage Table, consists of stubs that look up addresses in the .got.plt section and either jump to the resolved address or, if the address has not yet been filled in to .got.plt, invoke the dynamic linker to resolve it.

Vulnerable program

#include <stdio.h>

void vuln() {
    puts("Come get me");
    char buffer[20];
    gets(buffer);
}

int main() {
    vuln();
    return 0;
}

32-bit ret2plt

PLT analysis

Program protections

//gcc source.c -o vuln-32 -no-pie -fno-stack-protector -z execstack -m32
└─$ checksec --file=./vuln-32
[*] '/home/kali/exploits/ret2plt/vuln-32'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

.plt section

The .plt section is executable.

[0xf7fe4450]> iS~.plt
10  0x000002f0   0x18 0x080482f0   0x18……


Executing shellcode via GOT overwrite

Vulnerable program

// gcc source.c -o vuln -no-pie -fno-stack-protector -z execstack -m32
#include <stdio.h>

void vuln() {
    char buffer[20];
    puts("Give me the input");
    gets(buffer);
}

int main() {
    vuln();
    return 0;
}……
