PIE bypass

PIE (Position Independent Executable) is a special executable file format, commonly used to harden a program's execution space. With PIE, the code loaded into memory is not mapped to a fixed address; each time it is loaded, other programs find it harder to predict where it will land. Examples of code relocation include: load-time techniques (load-ti……

Read the full article

Stack canary leak methods

What are canary security cookies? Assume that at the beginning of a function call (e.g. during its prologue) we are saving a value in the function's stack frame; we would expect (if everything went well) to read the same value just before the function exits, namely at its epilogue. If the value has changed, then the execution of the program will be terminated and an error message will be displayed. [1] Obviously, this protection mechanism is added by the compiler during the compilation process. For the GNU Compiler Collection (gcc), it is implemented via the StackGuard extension, which was added to gcc 2.7.2.2. [1] Bypass stack canary. Vulnerable program……

Read the full article

String vulnerability: arbitrary write

vuln.c

    #include <stdio.h>
    int auth = 0;
    int main() {
        char password[100];
        puts("Password: ");
        fgets(password, sizeof password, stdin);
        printf(password);
        printf("Auth is %i\n", auth);
        if(auth == 10) {
            puts("Authenticated!");
        }
    }

Program analysis

Program protections

    gcc -m32 -no-pie -fno-stack-protector -z execstack vuln.c -o vuln
    $ checksec --file=./vuln
    [*] '/home/kali/exploits/str_arb_write/vuln'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX disabled
        PIE:      No PIE (0x8048000)
        RWX:      Has RWX segments

Stack layout

    $ ./vuln
    Password:
    %p %p %p %p %p %p %p %p %p %p %p
    0x64 0xf7e1d620 0x804918d 0xf7ffdbac 0x1 0xf7fc17c0 0x25207025 0x70252070 0x20702520 0x25207025 0x70252070
    Auth is 0

    ascii  hex
    %      0x25
    " "    0x20
    p      0x70

The 7th dword holds the format string.

3. Building the exploit stack: stack offset, stack contents……

Read the full article

String vulnerability: arbitrary read

Arbitrary read

vuln.c

    #include <stdio.h>
    int main(void) {
        char buffer[200];
        gets(buffer);
        printf(buffer);
        return 0;
    }

Vulnerability analysis

Compiling the program

    gcc -m32 -no-pie -fno-stack-protector -z execstack vuln.c -o vuln

Analyzing the program

Program protections

    └─$ checksec --file=./vuln
    [*] '/home/kali/exploits/str_arb_read/vuln'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX disabled
        PIE:      No PIE (0x8048000)
        RWX:      Has RWX segments

r2 debug vuln

    └─$ r2 -d -A ./vuln
    glibc.fc_offset = 0x00148
    experimental analysis.
    [0xf7fe4450]> s main;pdf
    ; DATA XREFS from entry0 @ 0x8049086, 0x804908c
    ┌ 83: int main (char **argv);
    │ ; var int32_t var_d0h @ ebp-0xd0
    │ ; var int32_t var_8h @ ebp-0x8
    │ ; arg char **argv @ esp+0xf4
    │ 0x08049172 8d4c2404 sub esp, 0xc
    │ 0x080491a7 8d8530ffffff lea eax, [var_d0h]
    │ 0x080491ad 50 push eax
    │ 0x080491ae……

Read the full article

Use after free

Setting up the docker environment

### pull the ubuntu 16.04 image

    sudo docker pull ubuntu:16.04

### enter a terminal

    sudo docker run -ti --rm ubuntu:16.04 /bin/bash

### install gcc

    apt update && apt install gcc

### gcc version

    root@687e398bdbdb:/# gcc --version
    gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
    Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

### install radare2

    apt install radare2

Vulnerable program

    #include <err.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    struct data {
        char name[64];
    };

    struct fp {
        void (*fp)();
        char __pad[64 - sizeof(unsigned long)];
    };

    void winner() {
        printf("Congratulations, you have passed this level\n");
    }

    void nowinner() {
        printf( "level has……

Read the full article

Stack pivoting

1 What

Stack pivoting is a technique for relocating the stack to a different region of memory.

2 Why

Sometimes the buffer has a length limit, which makes it hard to lay out ROP gadgets on the stack (not enough space)!

3 How

3.1 pop rsp gadget

This case is rare; you are quite lucky if you run into it~

3.2 xchg <reg>, rsp

    pop <reg>          <=== return pointer
    <reg value>
    xchg <reg>, rsp

3.3 leave;ret

leave is equivalent to:

    mov rsp,rbp
    pop rbp

Adding ret makes it:

    mov rsp,rbp
    pop rbp
    pop rip

Overwrite rbp, then the stack's ri……

Read the full article