diff --git a/source/_posts/x86basic.md b/source/_posts/x86basic.md index 60201949..c9ef1d67 100644 --- a/source/_posts/x86basic.md +++ b/source/_posts/x86basic.md @@ -18,7 +18,7 @@ categories: Pwn二进制漏洞 - Metasploit框架-[下载](https://www.metasploit.com/) - 靶机–Windows XP sp3 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png) - 函数调用与栈:调用、返回 - 寄存器与函数栈帧:ESP、EBP - 函数栈帧:局部变量、栈帧状态值、函数返回地址 @@ -46,7 +46,7 @@ voidfunc(int a, int b, int c) * pop ebp * RETN【弹出返回地址,跳转】 3. 栈帧结构 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/%E6%8D%95%E8%8E%B71.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png) # 0x01 简单栈溢出 @@ -63,7 +63,7 @@ voidfunc(int a, int b, int c) > `quit` ## 漏洞点 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/%E5%9B%BE%E7%89%871.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png) **产生崩溃** 将输出的1024个A发送给靶机程序 
@@ -71,44 +71,44 @@ voidfunc(int a, int b, int c) python -c "print('A' * 1024)" telnet 192.168.64.138 4242 ``` -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/%E5%9B%BE%E7%89%872.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png) ## 关闭防御措施 使用**PESecurity**检查可执行文件本身的防御措施开启情况 注意设置:Set-ExecutionPolicyUnrestricted -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/%E5%9B%BE%E7%89%873.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png) **ASLR和DEP** ASLR在xp下不用考虑,DEP可通过修改boot.ini中的nonexecute来完成(AlwaysOff、OptOut) -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/%E5%9B%BE%E7%89%874.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png) ## 整体的攻击流程 1. 任意非00的指令覆盖buffer和EBP 2. 从程序已经加载的dll中获取他们的jmp esp指令地址。 3. 使用jmp esp的指令地址覆盖ReturnAddress 4. 从下一行开始填充Shellcode -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/%E5%9B%BE%E7%89%875.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png) ## 确定溢出点的位置 1. 生成字符序列 **pattern_create.rb** -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/%E5%9B%BE%E7%89%876.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png) 2. 发送给目标程序 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/%E5%9B%BE%E7%89%877.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png) 3. 计算偏移量 **pattern_offset.rb** -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/%E5%9B%BE%E7%89%878.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png) 4. 
确定payload结构 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/%E5%9B%BE%E7%89%879.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png) ## 寻找jmp esp跳板 1. OD附加进程看一下服务器加载了哪些模块 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/%E5%9B%BE%E7%89%8710.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png) 2. 查找JMP ESP指令的地址 在这里选择了ws2_32.dll作为对象,通过Metasploit的msfbinscan进行搜索 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/%E5%9B%BE%E7%89%8711.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png) ## 自动化攻击 ```ruby= @@ -226,7 +226,7 @@ vim -bz.txt - 将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中,并处于运行状态。 - 发送溢出字符序列 - 查看Easy File Sharing Web Server 7.2溢出地址 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/231.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png) 3. 计算偏移量 计算catch块偏移量&计算下一条SEH记录偏移量 @@ -325,7 +325,7 @@ Server username: WHU-3E3EECEBFD1\Administrator > **漏洞点** ![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png) ## 设置DEP保护 -![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/%E6%8D%9511%E8%8E%B7.png) +![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png) *构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode* ## 计算偏移量
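Review bot: in the @@ -71 hunk the context line "注意设置:Set-ExecutionPolicyUnrestricted" is missing the space between the cmdlet and its argument; since this hunk already touches the surrounding lines, consider fixing it to `Set-ExecutionPolicy Unrestricted` so readers can copy the command as written.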
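Review bot: in the @@ -325 hunk the unchanged context line `![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png)` still points at the old location without the `pwn/` segment, while every other image in this patch is moved under `pwn/`; either update that URL as well or confirm that this one image intentionally stays where it is, otherwise it will be the only broken image once the old paths are removed.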