当前位置:网站首页>Learn winpwn (2) -- GS protection from scratch
Learn winpwn (2) -- GS protection from scratch
2022-07-06 11:21:00 【azraelxuemo】
List of articles
GS protection mechanism
Study windows pwn The first protection mechanism to recognize is GS, He corresponds to linux Under the canary Protect .
His purpose is , stay old_ebp Insert a piece of data before , And then pop ebp Check the data before , If it's not right , Indicates that a stack overflow has occurred , Then end the execution
How to open GS Protect
Get into vs2022, Click item
Select Properties , You can see that the security check is enabled ![
You can choose to disable checking
close GS Stack structure of
Take the following simple function as an example
( Be careful , Due to the problem of compilation optimization , The generated code may not be exactly the same , But generally consistent )
The corresponding general function call is
push ebp
mov ebp,esp
pop ebp
ret
When a function is called , First of all be push Parameters , then call, Corresponding stack structure
And then we push ebp, So the complete structure
Turn on GS Stack structure of
First of all, make sure
Not all functions are applied GS, The following situations will not apply GS
- . Function does not contain a buffer
- Functions are marked with unprotected keywords
- Function contains embedded assembly code in the first statement
- Buffer is not 8 Byte type and size not greater than 4 Bytes
For example, our function above , Turn on GS after , There is no change
But introduce #pragma strict_gs_check(on) You can add... To any type of function Security Cookie.( But it proves that , Like ours backdoor Still won't be affected )
Then let's directly use the official example of Microsoft
#pragma strict_gs_check(on)
void** ReverseArray(void** pData,
size_t cData)
{
void* pReversed[20];
for (size_t j = 0, i = cData; i; --i, ++j)
pReversed[j] = pData[i];
for (size_t i = 0; i < cData; ++i)
pData[i] = pReversed[i];
return pData;
}
Here we first make a sub esp,60h Because our parameters ,gs Protection is used ebp To address , So as invisible
Here we can see through the compilation GS The algorithm of
data Part of the securiy_cookie^now_ebp It's the current gs value
Similarly, at the end , Also put gs^now_ebp And then call __security_check_cookie()
This code is very concise , Just compare , If it's different, jump to failure
This is the addition of GS Protected stack structure
How to judge whether the program has GS Protect
Originally intended to use winchecksec
But it turns out , Not reliable at all
Or honestly see for yourself , Because some functions are on GS Protecting him is not necessarily necessary
The key is to look at disassembly
Is there any at the beginning xor register ,ebp( The register must be security cookie)push register
But should pay attention to , This GS The value of is not necessarily in ebp-4, If set seh Handle , This gs be located ebp-0x1c It's about
how bypass GS
Format string vulnerability
If you can see printf(buf),buf controllable
Then you can exploit the format string vulnerability , Introduce more than one %p( The quantity should be controlled ) that will do
···
#define _CRT_SECURE_NO_WARNINGS
#include<stdio.h>
int main()
{
char tmp[20];
scanf("%s",tmp);
printf(tmp);
return 0;
}
···
By debugging , find printf Stack when calling , You can see the top is us printf Parameters of , That's the address , So every item in it starts from the next address after the parameter , That is to say 00affc38 The content of corresponds to the first %p
that 00affc58 yes ebp, So it needs to leak to 00affc54 The location of , That's what we need 8 individual %p
Then rerun , Due to stack randomization , The address may be different
When performing the push ebp after ,esp Point to the current parameter
You can see this time gs yes 0073fed0 The value of the location , See if it can leak
Just the last one , At this time, you only need to intercept the string
Then when the stack overflows , We can directly put the original gs Fill in the value of , Then jump to the address of the back door
Copy \x00 truncation
Here I use something similar web The direction of the \x00 truncation
Because we often see such copied code
int copy(char* a, int len) {
setbuf(stdout, 0);
setbuf(stdin, 0);
int i;
for (i = 0; i < len; i++) {
char tmp = getchar();
if (tmp == '\n') {
*(char*)(a + i) = '\0';
break;
}
else {
*(char *)(a + i )= tmp;
}
}
return i;
}
This code is copying , And then if \n It's over and replaced with \0, There seems to be no leak on the surface
Let's actually take a look
#define _CRT_SECURE_NO_WARNINGS
#include<stdio.h>
int copy(char* a, int len) {
setbuf(stdout, 0);
setbuf(stdin, 0);
int i;
for (i = 0; i < len; i++) {
char tmp = getchar();
if (tmp == '\n') {
*(char*)(a + i) = '\0';
break;
}
else {
*(char*)(a + i) = tmp;
}
}
return i;
}
int main()
{
char tmp[20];
copy(tmp, 20);
printf("%s", tmp);
return 0;
}
When the input 20 individual 0 after , You can see , Finally, there are many garbled codes , What's going on , Let's debug
When the input 20 individual 61 after , Found the stack full , But no 00 truncation , So once printf(*
%s") Because I can't see \x00, He will always output , Output all the following data , Until I met the first one \x00
This can be used winpwn Of u32 To convert
The code looks like this
io.sendline("a"*19+"@")
io.recvuntil("@")
u32(io.recv(4))
Now that I know gs, Then it can be disclosed casually
边栏推荐
- MySQL other hosts cannot connect to the local database
- 02 staff information management after the actual project
- L2-007 家庭房产 (25 分)
- LeetCode #461 汉明距离
- Django running error: error loading mysqldb module solution
- When you open the browser, you will also open mango TV, Tiktok and other websites outside the home page
- Error reporting solution - io UnsupportedOperation: can‘t do nonzero end-relative seeks
- Invalid global search in idea/pychar, etc. (win10)
- Invalid default value for 'create appears when importing SQL_ Time 'error reporting solution
- JDBC principle
猜你喜欢
Introduction and use of automatic machine learning framework (flaml, H2O)
When you open the browser, you will also open mango TV, Tiktok and other websites outside the home page
【博主推荐】C#MVC列表实现增删改查导入导出曲线功能(附源码)
How to build a new project for keil5mdk (with super detailed drawings)
[recommended by bloggers] C WinForm regularly sends email (with source code)
LeetCode #461 汉明距离
Invalid global search in idea/pychar, etc. (win10)
Unable to call numpy in pycharm, with an error modulenotfounderror: no module named 'numpy‘
Error connecting to MySQL database: 2059 - authentication plugin 'caching_ sha2_ The solution of 'password'
【博主推荐】asp.net WebService 后台数据API JSON(附源码)
随机推荐
Did you forget to register or load this tag
QT creator support platform
Windows下安装MongDB教程、Redis教程
Armv8-a programming guide MMU (2)
Mysql 其他主机无法连接本地数据库
机器学习--人口普查数据分析
【博主推荐】SSM框架的后台管理系统(附源码)
Django running error: error loading mysqldb module solution
The virtual machine Ping is connected to the host, and the host Ping is not connected to the virtual machine
AcWing 179. Factorial decomposition problem solution
软件测试-面试题分享
虚拟机Ping通主机,主机Ping不通虚拟机
JDBC原理
数数字游戏
02 staff information management after the actual project
QT creator specifies dependencies
AI benchmark V5 ranking
Deoldify project problem - omp:error 15:initializing libiomp5md dll,but found libiomp5md. dll already initialized.
Punctual atom stm32f103zet6 download serial port pin
[Thesis Writing] how to write function description of jsp online examination system