PWN Learning notes

One , Stack introduction

Stack ： Stack is a data structure in computer system , It stores data according to the principle of "first in, second out" , The data entered first is pushed to the bottom of the stack , The last data is at the top of the stack , When you need to read data, pop up the data from the top of the stack （ The last data is read by the first ）, It's a special linear table . Stack operation commonly used is stack entry （PUSH）, Out of the stack （POP）, There are also commonly used marks for the top and bottom of the stack .

Into the stack （PUSH）： Putting a data on the stack is called entering the stack （PUSH）

Out of the stack （POP）： Take a data out of the stack and call it out of the stack （POP）

To the top of the stack ： Common registers ESP,ESP It's a stack pointer register , It has a pointer in its memory , The pointer always points to the top of the top stack frame of the system stack .

At the bottom of the stack ： Common registers EBP,EBP Is the base pointer register , It has a pointer in its memory , The pointer always points to the bottom of the top stack frame of the system stack .

Two , Stack overflow

1. Assembly level function call process ：

Every call to every function , Each has its own stack frame , All kinds of information needed are maintained in this stack frame . register ebp Point to the bottom of the current stack frame （ High address ）, register esp Point to the top of the current stack frame （ Low address ）.

2. Stack overflow ： The character length written by the user exceeds the character length of the variable itself, resulting in buffer overflow and rewriting of useful storage units , Write arbitrary data to these units , Generally, it will only lead to accidents such as program crash , But if you write carefully prepared data to these units , It can make our data replace the original code to execute the program , Cause the code we want to be executed .

   3、 ... and , Common function

​

​

Four , file information

1. View file information ：file

   2. Check the file program ：checksec

      Arch File attribute

      RELEO Bind dynamic symbols to reduce pairs GOT attack

      Stack canary stack Protect

      NX Unenforceable

      PIE Address randomization

2. Production view header information ：readelf-h

3. function ： run

4. Select File ：gdb

5. Look at the stack data ：stack

6. Check the position of the string ：search‘ character string ’

5、 ... and ,ROP

1. Definition ：（ Baidu )ROP Its full name is Return-oriented Programming（ Return oriented programming ） It is a new attack based on code reuse technology , An attacker extracts instruction fragments from an existing library or executable , Build malicious code .ROP Attack the same Buffer overflow attack , Format string vulnerability attacks are different , It's a new way to attack , It uses code reuse technology .

2.ROP Attack prevention ：ROP The attack program mainly uses the vulnerability of stack overflow to attack hijacking .

6、 ... and , Pile up

1. Definition ：

​ The memory that needs to be allocated and released when data is running .（ Variable size ）

2.chunk（ Structure of memory block ）

• chunk start：chunk From

• size ：chunk Size

• memory：malloc Wait for the function to return to the user chunk Data pointer

3.glbic( Heap management )

• arena： Refers to the heap memory area native , Not structure .
• malloc_state: Manage the state of the heap , Information ,bins Linked list

4,bins

• Used to manage free memory blocks , Usually use the linked list structure 0 management

7、 ... and ,Glibc Heap

1. Memory allocation is divided into ： Dynamic allocation and static allocation .
2. ptmalloc data structure
3. malloc/free summary

8、 ... and , Formatted string

1. Concept ： In the process of programming , Allow coders to pass special placeholders , The rule string that integrates or extracts the relevant corresponding information .

2. Format strings are divided into format input and format output .

3. Common formatting string constants ：printf fprintf …

4. Format string vulnerability summary The user can read the memory by controlling the format string , Modify the memory value （ utilize %n Write to the specified memory address ）, The application crashed .

Nine ,PLT and GOT surface

1. linux The build process ： Preprocessing , compile , assembly , link

2. Dynamic compilation and static compilation

   ​ Dynamic compilation features ： Avoid the waste of space , But the efficiency of dynamic compilation is lower than that of static compilation .

3. GOT surface ： The real address is stored in the table , Seven fields need to be dynamically modified , It's writable

4. Library function ：stdio,ctype, string etc.

Ten , Common instructions

1. see file ：file file name
2. Check the documents ：checksec --file= file name
3. Run the file ：./ file name

11、 ... and , exp Script

• from pwn import* Import function library （ Application pwn Tools ）
• context（） Easy to find mistakes
• def main （） The main function
• hcj=remote（” “） long-range
• payload= Output data
• hcj.recvuntil（” “） Where to receive
• hcj. sendlineafter(" ",) Execute to which sentence to send a piece of data
• hcj.sendline(" ") Send a piece of data
• hcj.interactive() Accept

Add ：gets Functions must be loopholes

Reference list ：

https://blog.csdn.net/weixin_43847969/article/details/104390904?spm=1001.2014.3001.5506

https://blog.csdn.net/qq_41988448/article/details/103124339?spm=1001.2014.3001.5506

The rest of the information is from the Internet