Articles tagged pwn

Format-string vulnerability: arbitrary read

Arbitrary read

vuln.c
#include <stdio.h>
int main(void) { char buffer[200]; gets(buffer); printf(buffer); return 0; }

Vulnerability analysis

Compile the program:
gcc -m32 -no-pie -fno-stack-protector -z execstack vuln.c -o vuln

Analyze the program

Program protections:
└─$ checksec --file=./vuln
[*] '/home/kali/exploits/str_arb_read/vuln'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments

Debug vuln with r2:
└─$ r2 -d -A ./vuln
glibc.fc_offset = 0x00148 experimental analysis.
[0xf7fe4450]> s main;pdf
; DATA XREFS from entry0 @ 0x8049086, 0x804908c
┌ 83: int main (char **argv);
│ ; var int32_t var_d0h @ ebp-0xd0
│ ; var int32_t var_8h @ ebp-0x8
│ ; arg char **argv @ esp+0xf4
│ 0x08049172 8d4c2404 sub esp, 0xc
│ 0x080491a7 8d8530ffffff lea eax, [var_d0h]
│ 0x080491ad 50 push eax
│ 0x080491ae……

Read more

use after free

Set up the docker environment
### pull ubuntu 16.04 image
sudo docker pull ubuntu:16.04
### enter a shell
sudo docker run -ti --rm ubuntu:16.04 /bin/bash
### install gcc
apt update && apt install gcc
### gcc version
root@687e398bdbdb:/# gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
### install radare2
apt install radare2

Vulnerable program
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
struct data { char name[64]; };
struct fp { void (*fp)(); char __pad[64 - sizeof(unsigned long)]; };
void winner() { printf("Congratulations, you have passed this level\n"); }
void nowinner() { printf( "level has……

Read more

stack pivoting

1 what
Stack pivoting is a technique for relocating the stack.
2 why
Sometimes the buffer has a length limit, which makes it hard to lay out ROP gadgets on the stack (not enough space)!
3 how
3.1 pop rsp gadget
This case is rare; if you run into it you are quite lucky~
3.2 xchg <reg>, rsp
pop <reg> <=== return pointer
<reg value>
xchg <reg>, rsp
3.3 leave;ret
leave is equivalent to:
mov rsp,rbp
pop rbp
Adding ret makes it:
mov rsp,rbp
pop rbp
pop rip
Overwrite rbp, and then the ri…… on the stack

Read more

ret2plt

PLT, or Procedure Linkage Table. These are stubs that look up the addresses in the .got.plt section and either jump to the right address or trigger the code in the linker to look up the address (if the address has not been filled in to .got.plt yet).

Vulnerable program
#include <stdio.h>
void vuln() { puts("Come get me"); char buffer[20]; gets(buffer); }
int main() { vuln(); return 0; }

32-bit ret2plt

PLT analysis

Program protections:
//gcc source.c -o vuln-32 -no-pie -fno-stack-protector -z execstack -m32
└─$ checksec --file=./vuln-32
[*] '/home/kali/exploits/ret2plt/vuln-32'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)

.plt section
The .plt section is executable:
[0xf7fe4450]> iS~.plt
10 0x000002f0 0x18 0x080482f0 0x18……

Read more

Using a GOT overwrite to execute shellcode

Vulnerable program
// gcc source.c -o vuln -no-pie -fno-stack-protector -z execstack -m32
#include <stdio.h>
void vuln() { char buffer[20]; puts("Give me the input"); gets(buffer); }
int main() { vuln(); return 0; }……

Read more

Buffer overflow 01: the overflow vulnerability

Buffer overflow

A piece of code that comes with its own buffer-overflow bug: the greeting function has a buffer overflow.
$ gdb -q meet
warning: ~/gef/gef.py: No such file or directory
warning: ~/gef/scripts/helpme.py: No such file or directory
Reading symbols from meet...
(gdb) list
1 // meet.c
2 #include <stdio.h> // needed for screen printing
3 #include <string.h> // needed for strcpy
4 void greeting(char *temp1,char *temp2){ // greeting function to say hello
5 char name[400]; // string variable to hold the name
6 strcpy(name, temp2); // copy argument to name with the infamous strcpy
7 printf("Hello %s %s\n", temp1, name); // print out the greeting
8 }
9 int main(int argc, char * argv[]){ // note the format for arguments……

Read more

Buffer overflow 02: shellcode

Vulnerable program
// meet.c
#include <stdio.h> // needed for screen printing
#include <string.h> // needed for strcpy
void greeting(char *temp1,char *temp2){ // greeting function to say hello
char name[400]; // string variable to hold the name
strcpy(name, temp2); // copy argument to name with the infamous strcpy
printf("Hello %s %s\n", temp1, name); // print out the greeting
}
int main(int argc, char * argv[]){ // note the format for arguments
greeting(argv[1], argv[2]); // call function, pass title & name
printf("Bye %s %s\n", argv[1], argv[2]); // say "bye"
} // exit program

Stack frame:
| name[400] | ebp | eip | temp1 | temp2 |

Disassemble greeting:
(gdb) disass greeting
Dump of assembler code for function greeting:
0x56556201 <+0>: push %ebp
0x56556202 <+1>: mov %esp,%ebp
0x56556204 <+3>: push %ebx
0x56556205 <+4>: sub $0x190,%esp
0x5655620b <+10>: call 0x565560c0 <__x86.get_pc_thunk.bx>
0x56556210 <+15>: add……

Read more