Attack and defense world - PWN learning notes
2022-07-07 12:23:00 【hcjtn】
PWN Learning notes
One, Stack introduction
Stack: a stack is a data structure in the computer system that stores data on a first-in, last-out principle. The data pushed first sits at the bottom of the stack and the data pushed last sits at the top; when data is needed it is popped from the top (so the last item pushed is the first one read). It is a special kind of linear table. The common stack operations are push (PUSH) and pop (POP), and the top and bottom of the stack are usually marked as well.
Push (PUSH): putting a piece of data onto the stack is called pushing (PUSH).
Pop (POP): taking a piece of data off the stack is called popping (POP).
Top of the stack: commonly the register ESP. ESP is the stack pointer register; it holds a pointer that always points to the top of the topmost stack frame of the system stack.
Bottom of the stack: commonly the register EBP. EBP is the base pointer register; it holds a pointer that always points to the bottom of the topmost stack frame of the system stack.
Two, Stack overflow
1. Function calls at the assembly level:
Every call to a function gets its own stack frame, and all the information the call needs is kept in that frame. The register ebp points to the bottom of the current stack frame (high address) and the register esp points to the top of the current stack frame (low address).
Stack overflow: the user writes more characters than the variable can hold, the buffer overflows, and the useful storage units next to it are overwritten. Writing arbitrary data into those units usually only causes accidents such as a program crash, but if carefully prepared data is written there, that data can take the place of the original code flow and cause the code we want to be executed.
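As an added illustration (not code from the original notes), the shape of the overflow described above: an unbounded copy into a 16-byte stack buffer, the same defect gets() has, beside a bounded copy that cannot overrun. The buffer size and the 40-byte input are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* VULNERABLE: like gets(), strcpy() never checks the destination size.
 * Everything past 16 bytes lands on whatever sits above 'buf' in the
 * frame: other locals, the saved ebp/rbp, then the return address. */
int vuln_copy(const char *src) {
    char buf[BUF_LEN];
    strcpy(buf, src);                 /* overflows when strlen(src) >= 16 */
    return (int)strlen(buf);
}

/* HARDENED: bounded copy that always leaves room for the NUL terminator.
 * Returns 1 if the input had to be truncated (the unbounded version would
 * have overflowed), 0 if it fit. */
int safe_copy(const char *src, char *dst, size_t dst_len) {
    size_t n = strlen(src);
    int truncated = n >= dst_len;
    if (truncated) n = dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* How many bytes an input of 'input_len' characters writes past a buffer of
 * 'buf_len' bytes (the terminating NUL counts); 0 means it fits. */
size_t overflow_bytes(size_t input_len, size_t buf_len) {
    return input_len + 1 > buf_len ? input_len + 1 - buf_len : 0;
}

int main(void) {
    char dst[BUF_LEN];
    /* constructed 40-byte input, far more than the 16-byte buffer holds */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("bytes past the buffer: %zu\n", overflow_bytes(strlen(input), BUF_LEN));
    printf("truncated: %d, stored: %s\n", safe_copy(input, dst, sizeof dst), dst);
    return 0;
}
```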
Three, Common functions
Four, File information
View file information: file
Check the file's protections: checksec
Arch: file architecture
RELRO: binds dynamic symbols at load time to reduce attacks on the GOT
Stack canary: stack protection
NX: the stack is not executable
PIE: address randomization
View the program's ELF header: readelf -h
Run the program (in the debugger): run
Load a file for debugging: gdb
Look at the stack data: stack
Find the position of a string: search 'string'
Five, ROP
1. Definition (from Baidu): ROP, in full Return-oriented Programming, is a newer attack based on code reuse. The attacker extracts instruction fragments from existing libraries or executables and chains them to build malicious code. ROP differs from buffer overflow attacks and format string vulnerability attacks: it is a new way of attacking that relies on code reuse.
2. Defending against ROP: ROP attack programs mainly use stack overflow vulnerabilities to hijack control flow.
Six, Heap
1. Definition:
Memory that is allocated and released while the program is running (variable size).
2. chunk (structure of a memory block)
chunk start: where the chunk begins
size: the size of the chunk
memory: the data pointer that malloc and similar functions return to the user
3. glibc (heap management)
- arena: refers to the heap memory area itself, not a structure.
- malloc_state: manages the state and information of the heap and the bins linked lists
4. bins
- Used to manage free memory blocks, usually with linked list structures
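An added example, not from the original notes, that reads the chunk fields listed above (chunk start, size, memory) for a live allocation. It assumes the glibc ptmalloc layout: the size word sits just below the pointer malloc returns, the chunk header starts two words below it, and the low 3 bits of size are flag bits; on a non-glibc libc the helpers return 0 rather than guessing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __GLIBC__
#include <malloc.h>
#endif

/* Assumed glibc layout: [prev_size][size|flags][user data ...]
 *                       ^ chunk start          ^ memory (what malloc returns)
 * Flag bits in size: bit 0 PREV_INUSE, bit 1 IS_MMAPPED, bit 2 NON_MAIN_ARENA. */
#define SIZE_BITS ((size_t)0x7)

static size_t raw_size_field(const void *mem) {
#ifdef __GLIBC__
    return *((const size_t *)mem - 1);    /* size word just before user data */
#else
    (void)mem;
    return 0;                             /* layout not assumed elsewhere */
#endif
}

/* chunk size with the flag bits masked off */
size_t chunk_size(const void *mem) { return raw_size_field(mem) & ~SIZE_BITS; }

/* only the three flag bits */
unsigned chunk_flags(const void *mem) { return (unsigned)(raw_size_field(mem) & SIZE_BITS); }

/* "chunk start": the header, two words before the user pointer */
const void *chunk_start(const void *mem) { return (const size_t *)mem - 2; }

/* usable bytes as the allocator reports them (0 on non-glibc) */
size_t usable(void *mem) {
#ifdef __GLIBC__
    return malloc_usable_size(mem);
#else
    (void)mem;
    return 0;
#endif
}

int main(void) {
    char *p = malloc(24);                 /* constructed 24-byte request */
    strcpy(p, "chunk demo");
    printf("memory      = %p\n", (void *)p);
    printf("chunk start = %p\n", chunk_start(p));
    printf("size = %zu (flags 0x%x), usable = %zu\n", chunk_size(p), chunk_flags(p), usable(p));
    free(p);
    return 0;
}
```

On 64-bit glibc a 24-byte request becomes a 32-byte chunk (8-byte size word plus 24 usable bytes, rounded to 16), so the size field shows 0x21 when the previous chunk is in use.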
Seven, Glibc heap
- Memory allocation is divided into dynamic allocation and static allocation.
- ptmalloc data structures
- malloc/free summary
Eight, Format strings
Concept: during programming, the coder is allowed to use special placeholders in a rule string that assembles or extracts the corresponding information.
Format strings are divided into formatted input and formatted output.
Common format string functions: printf, fprintf, ...
Format string vulnerability summary: by controlling the format string, the user can read memory, modify memory values (using %n to write to a specified memory address), or crash the application.
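An added example (not code from the original notes) for the summary above: the vulnerable shape beside the hardened call, a benign use of %n that shows what it actually writes, and a small defensive check for untrusted strings that will reach a format function. The sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE shape, kept as a comment so it is never compiled in:
 *     void log_line(const char *user) { printf(user); }
 * The user string *is* the format, so %x reads words off the stack, %s reads
 * through pointers found there, and %n writes a count to such a pointer. */

/* HARDENED: the format is a constant and user data is only an argument. */
void log_line(const char *user) {
    printf("%s\n", user);
}

/* What %n does: it stores the number of characters emitted so far into the
 * int its argument points to. With our own pointer this is the documented,
 * benign use; the bug is when both the %n and the pointer come from input. */
int demo_percent_n(void) {
    char out[32];
    int written = -1;
    snprintf(out, sizeof out, "pwn%n-notes", &written);   /* 3 chars before %n */
    return written;
}

/* Defensive check: count the directives a string would trigger ("%%" is a
 * literal percent, not a directive) and flag %n. Returns the directive count
 * and sets *has_n to 1 if a %n (including positional forms like %7$n) is present. */
int count_directives(const char *s, int *has_n) {
    int n = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }                 /* escaped percent */
        n++;
        const char *q = p + 1;                               /* skip flags/width/length */
        while (*q && strchr("0123456789.-+ #$*hlLqjzt", *q)) q++;
        if (*q == 'n') *has_n = 1;
        if (*q) p = q;
    }
    return n;
}

int main(void) {
    int has_n;
    const char *untrusted = "%x.%x.%x.%n";                   /* constructed sample */
    printf("directives=%d has_n=%d\n", count_directives(untrusted, &has_n), has_n);
    printf("%%n stored %d\n", demo_percent_n());
    log_line(untrusted);                                      /* printed literally */
    return 0;
}
```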
Nine, PLT and GOT tables
The build process on Linux: preprocessing, compilation, assembly, linking
Dynamic compilation (linking) and static compilation (linking)
Features of dynamic compilation: it avoids wasting space, but dynamically linked code runs less efficiently than statically linked code.
GOT table: the table stores the real addresses; its entries need to be modified dynamically, so it is writable
Library functions: stdio, ctype, string, etc.
Ten, Common commands
- View the file: file filename
- Check the file's protections: checksec --file=filename
- Run the file: ./filename
Eleven, exp script
- from pwn import *: import the function library (use the pwntools toolkit)
- context(): makes mistakes easier to find
- def main(): the main function
- hcj = remote(" "): connect to a remote target
- payload = ...: the data to send
- hcj.recvuntil(" "): receive up to the given marker
- hcj.sendlineafter(" ", ...): wait until the given text is received, then send a line of data
- hcj.sendline(" "): send a line of data
- hcj.interactive(): hand the connection over to interactive use
Note: the gets function is always a vulnerability.