
Attack and defense world - PWN learning notes

2022-07-07 12:23:00 hcjtn

PWN Learning notes

One. Introduction to the stack

Stack: a stack is a data structure in a computer system that stores data on a first-in, last-out basis. The data that enters first is pushed to the bottom of the stack and the last data sits at the top; when data needs to be read, it is popped from the top of the stack (the last data in is the first read), so the stack is a special kind of linear list. The common stack operations are push (PUSH) and pop (POP), and the top and bottom of the stack are commonly marked as well.

Push (PUSH): putting a data item onto the stack is called pushing (PUSH).

Pop (POP): taking a data item off the stack is called popping (POP).

Top of the stack: the usual register is ESP. ESP is the stack pointer register; it holds a pointer that always points to the top of the topmost stack frame of the system stack.

Bottom of the stack: the usual register is EBP. EBP is the base pointer register; it holds a pointer that always points to the bottom of the topmost stack frame of the system stack.

Two. Stack overflow

1. Function calls at the assembly level:

Every call to a function gets its own stack frame, and all the information the call needs is maintained in that frame. Register ebp points to the bottom of the current stack frame (high address) and register esp points to the top of the current stack frame (low address).

2. Stack overflow: when the data written by the user is longer than the variable that receives it, the buffer overflows and overwrites adjacent storage units that hold useful data. Writing arbitrary data into those units usually only causes an accident such as a program crash, but if carefully prepared data is written there, that data can take the place of the original code path, so that the code we want gets executed.
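As an added example (not from the original notes), here is the stack overflow pattern from point 2 written out in C: a fixed 16-byte stack buffer filled by an unbounded copy, beside a version that checks the length first and refuses input that does not fit. The names greet_unchecked, greet_checked and the NAME_LEN value are my own choices.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: size of the stack buffer in both functions */

/* Unchecked copy: strcpy stops only at the terminating NUL, so input of
 * NAME_LEN bytes or more runs past name[] into whatever sits above it in the
 * frame (saved ebp, then the return address). This is the same class of defect
 * as gets(), which cannot know the buffer size at all. */
int greet_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);              /* no bound check: overflow on long input */
    return (int)strlen(name);
}

/* Checked copy: measure first, refuse input that does not fit together with
 * its terminator, and report the refusal so the caller can log it. Nothing is
 * silently truncated, so a hit on the length limit is visible. */
int greet_checked(const char *input) {
    char name[NAME_LEN];
    size_t n = strlen(input);
    if (n >= NAME_LEN)
        return -1;                    /* would overflow: reject */
    memcpy(name, input, n + 1);       /* n + 1 copies the NUL as well */
    return (int)strlen(name);
}

int main(void) {
    printf("%d\n", greet_checked("hcj"));                  /* 3: fits */
    printf("%d\n", greet_checked("AAAAAAAAAAAAAAAAAAAA"));  /* -1: 20 bytes rejected */
    printf("%d\n", greet_unchecked("hcj"));                /* 3: short input is fine */
    return 0;
}
```

Compiling with -fstack-protector adds the canary that checksec reports as "Stack canary"; it detects the unchecked overflow when the function returns rather than preventing the write itself.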

Three. Common functions

[figure: table of common functions]

Four. File information

  1. View file information: file

    1. Check the program's protections: checksec

      Arch: architecture of the file

      RELRO: binds dynamic symbols to reduce attacks on the GOT

      Stack canary: stack protection

      NX: non-executable (stack and data pages cannot be executed)

      PIE: address randomization

  2. View the header information: readelf -h

  3. Run: run

  4. Select the file: gdb

  5. View the stack data: stack

  6. Find where a string is located: search 'string'

Five. ROP

1. Definition (from Baidu): ROP, whose full name is Return-oriented Programming, is a newer attack built on code reuse. The attacker extracts instruction fragments from existing libraries or executables and assembles malicious code from them. ROP differs from buffer overflow attacks and format string vulnerability attacks in that it is a new attack method that relies on code reuse.

2. ROP attack prevention: ROP attack programs mainly exploit stack overflow vulnerabilities to hijack control flow.

Six. The heap

1. Definition:

Memory that is allocated and released while the program is running (variable size).

2. chunk (structure of a memory block)

  • chunk start: where the chunk begins

  • size: size of the chunk

  • memory: the data pointer that malloc and related functions return to the user

3. glibc (heap management)

  • arena: refers to the heap memory region itself, not a structure.
  • malloc_state: manages the state of the heap, its bookkeeping information, and the bins linked lists

4. bins

  • Used to manage free memory blocks, usually with a linked-list structure

Seven. Glibc heap

  1. Memory allocation is divided into dynamic allocation and static allocation.
  2. ptmalloc data structures
  3. malloc/free summary

Eight. Format strings

  1. Concept: in programming, a rule string that lets the coder combine or extract the corresponding information through special placeholders.

  2. Format strings are divided into formatted input and formatted output.

  3. Common format string functions: printf, fprintf, ...

  4. Summary of format string vulnerabilities: by controlling the format string, the user can read memory, modify memory values (using %n to write to a specified memory address), or crash the application.
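As an added example (not from the original notes), the vulnerable and hardened forms of printing user input from point 4, plus a small scanner that counts format directives in an untrusted string and flags %n, the one directive that writes to memory. The function names and the "user said:" prefix are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from point 4:  printf(user);        every '%' is interpreted.
 * Hardened form:                    printf("%s", user);  user is printed literally. */

/* Count the format directives in an untrusted string and report whether any of
 * them is %n. "%%" is a literal percent sign and is not counted. Flags, width,
 * precision, the positional "$" and length modifiers are skipped to reach the
 * conversion character, so "%7$n" and "%hhn" are both recognised as %n. */
int scan_format_directives(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* "%%": escaped, skip both characters */
            p++;
            continue;
        }
        count++;
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q))
            q++;                      /* skip to the conversion character */
        if (*q == 'n')
            *has_n = 1;
        if (*q == '\0')
            break;                    /* string ends inside a directive */
        p = q;                        /* resume after the conversion character */
    }
    return count;
}

/* Hardened logging: the untrusted text is an argument, never the format.
 * Returns the length snprintf reports, so callers can detect truncation. */
int log_checked(char *out, size_t outlen, const char *user) {
    return snprintf(out, outlen, "user said: %s", user);
}

int main(void) {
    char line[64];
    int has_n;
    int n = scan_format_directives("AAAA%7$n", &has_n);   /* constructed input */
    printf("directives=%d has_n=%d\n", n, has_n);          /* directives=1 has_n=1 */
    log_checked(line, sizeof line, "%x%x");
    puts(line);                                            /* user said: %x%x */
    return 0;
}
```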

Nine. PLT and GOT tables

  1. The Linux build process: preprocessing, compilation, assembly, linking

  2. Dynamic compilation and static compilation

    Characteristics of dynamic compilation: it avoids wasting space, but it is less efficient than static compilation.

  3. GOT table: the real addresses are stored in this table; its entries need to be modified dynamically, so it is writable

  4. Library functions: stdio, ctype, string, etc.

Ten. Common commands

  1. View a file: file <filename>
  2. Check a file's protections: checksec --file=<filename>
  3. Run a file: ./<filename>

Eleven. exp script

  • from pwn import *: import the function library (uses the pwntools toolkit)
  • context(): makes mistakes easier to find
  • def main(): the main function
  • hcj = remote(" "): remote connection
  • payload = the data to send
  • hcj.recvuntil(" "): receive up to the given string
  • hcj.sendlineafter(" ", ): send a piece of data after the given string has been received
  • hcj.sendline(" "): send a line of data
  • hcj.interactive(): interact with the process

Addendum: the gets function is always a vulnerability.


Original post by hcjtn: https://yzsam.com/2022/02/202202130618306285.html (reposts should include a link to the original).