Attack and defense world - PWN learning notes
2022-07-07 12:23:00 【hcjtn】
PWN Learning notes
One, Stack introduction
Stack: a data structure in the computer system that stores data on a last-in, first-out (LIFO) principle. The first data pushed sits at the bottom of the stack, the most recently pushed data sits at the top, and a read pops the data at the top (the last data written is the first data read). It is a special kind of linear table. The common stack operations are push (PUSH) and pop (POP), and the top and bottom of the stack are usually marked as well.
Push (PUSH): placing a data item on the stack is called pushing.
Pop (POP): taking a data item off the stack is called popping.
Top of the stack: usually the register ESP (RSP on 64-bit). ESP is the stack pointer register; it holds an address that always points to the top of the topmost stack frame on the system stack.
Bottom of the stack: usually the register EBP (RBP on 64-bit). EBP is the base pointer register; it holds an address that always points to the bottom of the topmost stack frame on the system stack.
Two, Stack overflow
1. Function calls at the assembly level:
Every call to a function gets its own stack frame, and all the information the call needs is kept in that frame. Register ebp points to the bottom of the current stack frame (high address); register esp points to the top of the current stack frame (low address).
Stack overflow: the data written by the user is longer than the variable it is written into, so the buffer overflows and overwrites adjacent storage units that are still in use. Writing arbitrary data into those units usually only causes an accident such as a program crash, but writing carefully prepared data there (for example over the saved return address) lets our data take over the program's control flow, so the code we want gets executed.
Three, Common functions
Four, File information
View file information: file
Check the binary's protections: checksec
Arch: architecture and bitness of the file
RELRO: binds dynamic symbols at load time and (with Full RELRO) makes the GOT read-only, reducing GOT overwrite attacks
Stack canary: stack protection
NX: the stack and other data pages are non-executable
PIE: address randomization of the executable itself
View the ELF header: readelf -h
Run the program: run (inside gdb)
Load a file: gdb <file name>
View stack data: stack (pwndbg command)
Find where a string is located: search 'string' (pwndbg command)
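What checksec actually reads out of the file, as an added example that is not part of the original notes: PIE comes from the ELF type (ET_DYN versus ET_EXEC), NX from the PT_GNU_STACK program header's flags, and RELRO from the presence of a PT_GNU_RELRO header. The code assumes a 64-bit little-endian ELF and a little-endian host, uses struct layouts copied from the ELF64 specification, and builds its own synthetic ELF image in memory (constructed, not a real binary). Full versus Partial RELRO additionally depends on the dynamic section (BIND_NOW), which this example does not parse.

```c
/* Added example: how checksec-style tools derive PIE / NX / RELRO from an
 * ELF64 image. Struct layouts follow the ELF64 spec; the sample image is
 * constructed in memory; a little-endian host is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {                /* Elf64_Ehdr, 64 bytes */
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr_t;

typedef struct {                /* Elf64_Phdr, 56 bytes */
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr_t;

enum { ET_EXEC = 2, ET_DYN = 3 };
enum { PF_X = 1, PF_W = 2, PF_R = 4 };
#define PT_GNU_STACK 0x6474e551u
#define PT_GNU_RELRO 0x6474e552u

typedef struct { int pie, nx, relro; } checksec_t;

/* Returns 0 and fills *out, or -1 if the bytes are not a sane ELF64 LE image. */
static int elf_checksec(const unsigned char *img, size_t len, checksec_t *out) {
    elf64_ehdr_t eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return -1;
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) return -1;   /* 64-bit, LE */
    if (eh.e_phentsize != sizeof(elf64_phdr_t)) return -1;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(elf64_phdr_t) > len - eh.e_phoff)
        return -1;

    /* PIE: an executable linked as a shared object (ET_DYN) is relocated to a
     * random base; ET_EXEC is loaded at its fixed link address. */
    out->pie = (eh.e_type == ET_DYN);
    /* NX: Linux makes the stack executable when PT_GNU_STACK is absent or
     * carries PF_X; otherwise the stack and data pages are non-executable. */
    out->nx = 0;
    out->relro = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        elf64_phdr_t ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            out->nx = (ph.p_flags & PF_X) ? 0 : 1;
        else if (ph.p_type == PT_GNU_RELRO)
            out->relro = 1;     /* at least Partial RELRO */
    }
    return 0;
}

/* Constructed test image: header plus a PT_GNU_STACK and, optionally, a
 * PT_GNU_RELRO program header. Returns the image length. */
static size_t build_sample_elf(unsigned char *buf, int pie, int exec_stack, int relro) {
    elf64_ehdr_t eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;          /* ELFCLASS64 */
    eh.e_ident[5] = 1;          /* ELFDATA2LSB */
    eh.e_ident[6] = 1;          /* EV_CURRENT */
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = 62;          /* EM_X86_64 */
    eh.e_version = 1;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(elf64_phdr_t);
    eh.e_phnum = relro ? 2 : 1;
    memcpy(buf, &eh, sizeof eh);

    elf64_phdr_t ph;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    ph.p_align = 16;
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    if (relro) {
        ph.p_type = PT_GNU_RELRO;
        ph.p_flags = PF_R;
        memcpy(buf + sizeof eh + sizeof ph, &ph, sizeof ph);
    }
    return sizeof eh + (size_t)eh.e_phnum * sizeof ph;
}

/* Findings for one synthetic image as a bitmask: bit0 PIE, bit1 NX,
 * bit2 RELRO; -1 if the image was rejected. */
static int checksec_of_sample(int pie, int exec_stack, int relro) {
    unsigned char img[256];
    checksec_t r;
    size_t n = build_sample_elf(img, pie, exec_stack, relro);
    if (elf_checksec(img, n, &r) != 0) return -1;
    return r.pie | (r.nx << 1) | (r.relro << 2);
}

/* A non-ELF blob must be rejected, not misreported as "no protections". */
static int checksec_rejects_garbage(void) {
    checksec_t r;
    return elf_checksec((const unsigned char *)"not an ELF file at all", 22, &r) == -1;
}
```

The same logic run over a real binary is what `checksec` prints: `readelf -l` on the target shows the PT_GNU_STACK flags directly (RW means NX enabled, RWE means an executable stack), and `readelf -h` shows the ET_DYN/ET_EXEC type behind the PIE column.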
Five, ROP
1. Definition (from Baidu Baike): ROP, short for Return-Oriented Programming, is a newer attack based on code-reuse technology. The attacker picks instruction fragments (gadgets, each ending in a ret) out of existing libraries or executables and chains them to build malicious code. ROP differs from a plain buffer-overflow attack or a format-string attack in that it is a new attack method that reuses code already present in the process.
2. ROP attacks and their prevention: a ROP attack mainly relies on a stack-overflow vulnerability to hijack control flow (it reuses existing code precisely because NX stops injected shellcode from running), so preventing the overflow itself, with a stack canary for example, is the first line of defense.
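The overflow described in section Two and the control-flow hijack that ROP builds on (this section), as one added example that is not part of the original notes. It models an x86-64 frame as a struct so the demo is deterministic: a local buffer, an adjacent `is_admin` flag, padding, the saved rbp and the saved return address. The unbounded copy mirrors `gets(buf)` or `read(0, buf, 0x100)`; the bounded copy is the fix. The gadget address 0x401136, the sentinel return address and the frame layout are assumptions for the demo, and a little-endian host is assumed.

```c
/* Added example: a simulated stack frame overflowed the way gets()/read()
 * with an oversized length would overflow it, beside the bounded version.
 * Frame layout, gadget address and sentinels are assumptions; little-endian
 * host assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Locals and saved registers of one function in stack order: the buffer
 * sits at the lowest address, so writing past it climbs toward the saved
 * return address. (A real compiler may place things slightly differently.) */
typedef struct {
    char     buf[16];     /* the local buffer being written */
    int      is_admin;    /* adjacent local variable: first victim */
    uint32_t pad;         /* alignment padding before saved registers */
    uint64_t saved_rbp;   /* caller's frame pointer pushed by the prologue */
    uint64_t saved_ret;   /* return address pushed by call: what ROP takes over */
} fake_frame_t;

/* Vulnerable: copies n bytes with no bound check, like read(0, buf, 0x100)
 * or gets(buf). Bytes beyond buf[15] land in the fields that follow it.
 * (Writes into the struct's byte representation so the demo itself is
 * well-defined C; a real program simply runs past the array.) */
static void vuln_read(fake_frame_t *f, const unsigned char *src, size_t n) {
    memcpy((unsigned char *)f, src, n);
}

/* Hardened: never accepts more than the buffer holds. Returns bytes stored. */
static size_t safe_read(fake_frame_t *f, const unsigned char *src, size_t n) {
    if (n > sizeof f->buf)
        n = sizeof f->buf;             /* read(0, buf, sizeof buf) */
    memcpy(f->buf, src, n);
    return n;
}

/* p64(): pack a 64-bit address little-endian, as pwntools' p64 does. */
static void p64(unsigned char *out, uint64_t v) {
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* The classic payload: filler up to the saved return address, then the
 * address ret should jump to (the first link of a ROP chain). */
static size_t build_payload(unsigned char *out, uint64_t first_gadget) {
    size_t off = offsetof(fake_frame_t, saved_ret);   /* 32 in this layout */
    memset(out, 'A', off);
    p64(out + off, first_gadget);
    return off + 8;
}

#define FAKE_GADGET  0x401136ULL    /* assumed address of a "ret" gadget */
#define RET_SENTINEL 0xdeadbeefULL  /* assumed original return address */

static fake_frame_t fresh_frame(void) {
    fake_frame_t f;
    memset(&f, 0, sizeof f);
    f.saved_rbp = 0x7ffc0000ULL;
    f.saved_ret = RET_SENTINEL;
    return f;
}

/* Payload through the vulnerable copy: the filler byte 'A' ends up in
 * is_admin as 0x41414141 and the packed address replaces saved_ret. */
static int overflowed_is_admin(void) {
    unsigned char payload[64];
    size_t n = build_payload(payload, FAKE_GADGET);
    fake_frame_t f = fresh_frame();
    vuln_read(&f, payload, n);
    return f.is_admin;
}

static uint64_t overflowed_saved_ret(void) {
    unsigned char payload[64];
    size_t n = build_payload(payload, FAKE_GADGET);
    fake_frame_t f = fresh_frame();
    vuln_read(&f, payload, n);
    return f.saved_ret;           /* ret now "returns" into the gadget */
}

/* Same payload through the bounded copy: nothing past the buffer changes. */
static int hardened_frame_intact(void) {
    unsigned char payload[64];
    size_t n = build_payload(payload, FAKE_GADGET);
    fake_frame_t f = fresh_frame();
    size_t stored = safe_read(&f, payload, n);
    return stored == sizeof f.buf && f.is_admin == 0 && f.saved_ret == RET_SENTINEL;
}

/* The number an exploit writer finds with a cyclic pattern and gdb: bytes
 * from the start of the buffer to the saved return address. */
static size_t ret_offset(void) {
    return offsetof(fake_frame_t, saved_ret);
}
```

In a real target the offset comes from crashing the program with a cyclic pattern and reading the faulting address in gdb; the rest of the chain (more gadget addresses, arguments) is simply further p64 values appended after the first one.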
Six, Heap
1. Definition:
Memory that is allocated and released while the program is running (variable size).
2. chunk (structure of a memory block)
chunk start: the start address of the chunk (its header)
size: the size of the chunk (in glibc the low bits of this field are flag bits)
memory: the data pointer that malloc and similar functions return to the user; it points just past the chunk header
3. glibc (heap management)
- arena: refers to the heap memory region itself, not a structure.
- malloc_state: manages the state and information of an arena, including the bins linked lists.
4. bins
- Used to manage free memory blocks, usually organized as linked-list structures.
Seven, Glibc Heap
- Memory allocation is divided into dynamic allocation and static allocation.
- ptmalloc data structures
- malloc/free summary
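The chunk layout of sections Six and Seven in code, as an added example that is not part of the original notes: the 64-bit glibc chunk header, the size/flag arithmetic malloc uses (request2size, chunk2mem/mem2chunk), and a walk over a constructed heap image that tells in-use chunks from free ones by the next chunk's PREV_INUSE bit. The constants are glibc's for x86-64 (SIZE_SZ = 8, 16-byte alignment); the heap bytes are constructed for the demo, not dumped from a real process.

```c
/* Added example: glibc 64-bit chunk header arithmetic and a heap walk over
 * a constructed heap image. Constants are glibc's x86-64 values. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SIZE_SZ          8
#define MALLOC_ALIGN     16
#define MIN_CHUNK_SIZE   32
#define PREV_INUSE       0x1       /* previous chunk is in use */
#define IS_MMAPPED       0x2
#define NON_MAIN_ARENA   0x4
#define SIZE_BITS        (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Header at the start of every chunk ("chunk start" in the notes). */
typedef struct {
    uint64_t prev_size;   /* size of previous chunk, only valid if it is free */
    uint64_t size;        /* chunk size | flag bits (low 3 bits) */
    /* user data ("memory") begins here; fd/bk of free chunks live in it */
} chunk_hdr_t;

static uint64_t chunksize(uint64_t size_field) { return size_field & ~(uint64_t)SIZE_BITS; }

/* malloc(req) -> chunk size: request + SIZE_SZ (the next chunk's prev_size
 * field is borrowed as user space), rounded up to MALLOC_ALIGN, minimum 32. */
static size_t request2size(size_t req) {
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN - 1) & ~(size_t)(MALLOC_ALIGN - 1);
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}

/* The pointer malloc returns is 16 bytes past the chunk start; free()
 * subtracts 16 to get back to the header. */
static size_t chunk2mem(size_t chunk_off) { return chunk_off + 2 * SIZE_SZ; }
static size_t mem2chunk(size_t mem_off)   { return mem_off - 2 * SIZE_SZ; }

typedef struct { size_t off; uint64_t size; int in_use; } chunk_info_t;

/* Walk chunk by chunk from the heap start until the top chunk. Whether a
 * chunk is in use is recorded in the *next* chunk's PREV_INUSE bit (chunks
 * sitting in tcache/fastbins keep that bit set, a glibc subtlety). Returns
 * the number of chunks before top, or -1 on a corrupted size field. */
static int walk_heap(const unsigned char *heap, size_t len, chunk_info_t *out, int max) {
    int n = 0;
    size_t off = 0;
    while (n < max && off + sizeof(chunk_hdr_t) <= len) {
        chunk_hdr_t hdr, next;
        memcpy(&hdr, heap + off, sizeof hdr);
        uint64_t sz = chunksize(hdr.size);
        if (sz < MIN_CHUNK_SIZE || sz % MALLOC_ALIGN)
            return -1;                        /* corrupted size: abort */
        if (off + sz + sizeof next > len)
            break;                            /* top chunk reaches the end */
        memcpy(&next, heap + off + sz, sizeof next);
        out[n].off = off;
        out[n].size = sz;
        out[n].in_use = (next.size & PREV_INUSE) != 0;
        n++;
        off += sz;
    }
    return n;
}

/* Constructed heap: A (0x20, in use), B (0x30, freed into the unsorted bin,
 * so C records PREV_INUSE = 0 and prev_size = 0x30), C (0x20, in use), top. */
static size_t build_sample_heap(unsigned char *buf) {
    uint64_t words[] = {
        0x0, 0x20 | PREV_INUSE,                         /* A header */
        0x4141414141414141ULL, 0x4141414141414141ULL,   /* A user data */
        0x0, 0x30 | PREV_INUSE,                         /* B header */
        0x0, 0x0, 0x0, 0x0,                             /* B data (fd/bk here) */
        0x30, 0x20,                                     /* C: prev_size 0x30, bit clear */
        0x4242424242424242ULL, 0x4242424242424242ULL,   /* C user data */
        0x0, 0x20d01ULL,                                /* top chunk header */
    };
    memcpy(buf, words, sizeof words);
    return sizeof words;
}

static int sample_chunk_count(void) {
    unsigned char heap[256]; chunk_info_t c[8];
    return walk_heap(heap, build_sample_heap(heap), c, 8);
}
static long sample_chunk_size(int i) {
    unsigned char heap[256]; chunk_info_t c[8];
    int n = walk_heap(heap, build_sample_heap(heap), c, 8);
    return (i >= 0 && i < n) ? (long)c[i].size : -1;
}
static int sample_chunk_in_use(int i) {
    unsigned char heap[256]; chunk_info_t c[8];
    int n = walk_heap(heap, build_sample_heap(heap), c, 8);
    return (i >= 0 && i < n) ? c[i].in_use : -1;
}
/* A size field that is not a multiple of 16 (here B's, patched to 0x29) is
 * what a "malloc(): invalid size" abort catches in the real allocator. */
static int corrupted_size_detected(void) {
    unsigned char heap[256]; chunk_info_t c[8];
    size_t n = build_sample_heap(heap);
    uint64_t bad = 0x28 | PREV_INUSE;
    memcpy(heap + 0x20 + 8, &bad, sizeof bad);
    return walk_heap(heap, n, c, 8) == -1;
}
```

The same walk is what pwndbg's `heap` command performs on a live process; comparing its output against the sizes you expect from request2size is the quickest way to spot an overflow that has rewritten a neighbouring size field.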
Eight, Format strings
Concept: during programming, a rule string that lets the programmer insert or extract the corresponding information through special placeholders.
Format strings are divided into formatted input and formatted output.
Common format-string functions: printf, fprintf ...
Format string vulnerability summary: when the user controls the format string, they can read memory (leak values from the stack with conversions such as %p or %s), modify memory (use %n to write to a specified memory address), and crash the application.
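The vulnerable call pattern beside the fixed one, a check that catches attacker-supplied conversions before they reach a format argument, and the %n mechanism itself, as an added example that is not part of the original notes. The %n, %hn and %hhn calls use literal format strings and write into the example's own variables, so they show the counting arithmetic an attacker relies on without themselves being an exploit; buffer sizes are choices for the demo.

```c
/* Added example: format-string vulnerability shape, its fix, and how %n
 * writes are sized. Literal formats only; buffer sizes are demo choices. */
#include <stdio.h>
#include <string.h>

/* Vulnerable: the user's bytes become the format string, so "%p %p" reads
 * the stack and "%n" writes to it. Shown for the pattern only; not called. */
static void log_vulnerable(const char *user) {
    printf(user);
}

/* Fixed: the format is a literal and the user's data is just an argument. */
static void log_safe(const char *user) {
    printf("%s", user);
}

/* Defensive check: count '%' conversions in data about to be used where a
 * format string is expected ("%%" is a literal percent, not a conversion). */
static int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* %n stores the number of bytes output so far into an int. An attacker
 * obtains a chosen value by padding the output to that many bytes first
 * ("%<width>c%n"). Here the target is our own variable. */
static int n_writes_byte_count(int width) {
    char out[8192];
    int written = -1;
    snprintf(out, sizeof out, "%*c%n", width, 'A', &written);
    return written;
}

/* %hn stores only 16 bits, so big values are written in pieces: width
 * 0x1234 leaves 0x1234 in a short. */
static int hn_writes_low_16(void) {
    char out[8192];
    short target = 0;
    snprintf(out, sizeof out, "%*c%hn", 0x1234, 'A', &target);
    return target;
}

/* %hhn stores 8 bits, so a count of 0x100 wraps to 0x00: this is how
 * byte-wise writes are done, and a trap when the count overruns the width. */
static int hhn_wraps_at_256(void) {
    char out[8192];
    unsigned char target = 0xff;
    snprintf(out, sizeof out, "%*c%hhn", 0x100, 'A', (signed char *)&target);
    return target;
}
```

Compilers flag `printf(user)` with -Wformat-security; treating that warning as an error is the cheapest way to keep the vulnerable shape out of a code base.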
Nine, PLT and GOT tables
Linux build process: preprocessing, compilation, assembly, linking
Dynamic linking (dynamic compilation) and static linking
Characteristics of dynamic linking: avoids wasting space, but runs slightly less efficiently than static linking because symbols are resolved at load time or on first call.
GOT table: the table stores the real addresses of imported functions; its entries have to be modified dynamically (filled in at run time by the dynamic linker), so the table is writable unless Full RELRO makes it read-only after loading
Library functions: stdio, ctype, string etc.
Ten, Common commands
- View the file: file <file name>
- Check the protections: checksec --file=<file name>
- Run the file: ./<file name>
Eleven, exp script
- from pwn import * imports the function library (using pwntools)
- context() sets the target context and makes mistakes easier to find (for example through the log level)
- def main() the main function
- hcj = remote(" ") connect to the remote target
- payload = the data to send
- hcj.recvuntil(" ") receive up to the given string
- hcj.sendlineafter(" ", ) wait until the given string is received, then send a line of data
- hcj.sendline(" ") send a line of data
- hcj.interactive() hand over to interactive mode
Note: gets() is always a vulnerability, because it reads input with no length limit