From Vulnerability to Exploit: Writing Plugins for Metasploit
(Shared on 天天文库, document ID 9820138, 65 pages, 305.00 KB, uploaded 2018-05-10.)
Slide 1: From Vulnerability to Exploit: writing plugins for Metasploit
Saumil Shah

Slide 2: About me
    # whoami
    16:08  up 4:26, 1 user, load averages: 0.28 0.40 0.33
    USER    TTY      FROM  LOGIN@  IDLE  WHAT
    saumil  console  -     11:43   0:05  bash
• Saumil Shah - "krafty"
  ceo, net-square solutions
  saumil@saumil.net
  Author of "Web Hacking: Attacks and Defense"

Slide 3: From vulnerability to exploit
(Flowchart; box labels as extracted, arrows not recoverable.)
• Fuzzing
• Debugger
• Attack Vector
• EIP = 0x41414141
• Reliable EIP
• Return address
• Final Shellcode
• Bad characters
• Test Shellcode
• Working exploit
• (INT3) Shellcode
• Handling INT3?

Slide 4: CPU registers
• Intel 32-bit x86 registers:
    EAX  accumulator          ESP  stack pointer
    EBX  base                 EBP  base pointer
    ECX  counter              ESI  source index
    EDX  data                 EDI  destination index
    EIP  instruction pointer

Slide 5: Process memory map
    0x08000000  .text
                .data
                .bss
                heap - malloc'ed data
                ...
                v heap
                ^ stack
                ...
                main() local vars
                argc, **argv, **envp
                cmdline arguments
    0xc0000000  environment vars

Slide 6: Stack overflow
• Error condition: a large block of data is written into a small area (a local variable on the stack).
    char buffer[128];
    strcpy(buffer, argv[1]);
• What happens if "argv[1]" is longer than 128 bytes?

Slide 7: victim1.c overflow example
• Very simple: submit a string longer than 128 bytes
    $ ./victim1 AAAAAAAAAAAAAAAAA……AAAAAAAAA
    Segmentation fault (core dumped)
    $
• Debugging victim1.c
    $ gdb
    (gdb) target core core
    Core was generated by `./victim1 AAAAAAA……AAAA'.
    Program terminated with signal 11, Segmentation fau
    #0  0x41414141 in ?? ()
    (gdb)

Slide 8: Debugging the victim1.c example
• Register contents after the stack overflow:
    (gdb) info registers
    esp  0xbffffb24  -1073743068
    ebp  0x41414141  1094795585
    esi  0x4000ae60  1073786464
    edi  0xbffffb74  -1073742988
    eip  0x41414141  1094795585
• The value of EIP is 0x41414141, i.e. "AAAA"
• EIP was overwritten by data from the overflowed buffer.

Slide 9: Calling a function
• When a function is called, the following are pushed onto the stack:
  – the function's arguments
  – saved register values, such as EIP and EBP
• When the function returns, EIP is popped off the stack and normal program flow resumes.

Slide 10: Calling a function
    main() {
      :
      push str
      func1(str)        CALL: (push EIP)
      :                       push EBP
      :
    }
    func1(str) {
      :
      :
      :
    }                   RET (pop EIP)

Slide 11: Victim memory image - before the copy
    .text
    .data
    .bss
    Top of stack  ESP
      func1::buffer[128]   \
      saved EBP             } frame 0 - func1()
      saved EIP            /
      ptr to param1
      main() local vars      frame 1 - main()
    Bottom of stack
      envp, argv, etc...

Slide 12: Victim memory image - after the copy
    .text
    .data
    .bss
    Top of stack  ESP
      AAAAAAAAAAAAAAAA...  func1::buffer[128]  \
      AAAA                 saved EBP            } stack frame for func1()
      AAAA                 saved EIP           /
      ptr to param1
      main() local vars
    Bottom of stack
      envp, argv, etc...

Slide 13: The stack has been overflowed
    .text
    .data
    .bss
      AAAAAAAAAAAAAAAA...  func1::buffer[128]   POP: when func1 returns, EIP is popped
      AAAA                 saved EBP
      AAAA                 saved EIP            EIP = 0x41414141 ("AAAA")
    Top of stack  ESP
      ptr to param1
      main() local vars
    Bottom of stack
      envp, argv, etc...

Slide 14: Register values after the stack overflow
• When func1() returns, EIP and EBP are popped from the stack
    (gdb) info registers
    esp  0xbffffa24  -10737433
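The victim1.c pattern from slides 6 and 10 next to a bounded replacement, as an added example that is not part of the original deck: func1_unsafe is the slide's unbounded strcpy, func1_safe rejects any input that would not fit in buffer[128]. The names func1_unsafe, func1_safe, overflow_bytes and try_input are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 128   /* the slides' char buffer[128] */
/* The victim1.c pattern: no length check, so an argument of 128 bytes or
 * more runs past buffer into func1's saved EBP and saved EIP (slide 12). */
void func1_unsafe(const char *str) {
    char buffer[BUFSIZE];
    strcpy(buffer, str);                /* overflows when strlen(str) >= BUFSIZE */
    puts(buffer);
}

/* Hardened replacement: look for the NUL only inside the first BUFSIZE bytes,
 * fail closed if it is not there. Returns 0 on success, -1 on rejection. */
int func1_safe(const char *str) {
    char buffer[BUFSIZE];
    const char *nul = memchr(str, '\0', BUFSIZE);   /* stops at the first NUL */
    if (nul == NULL)
        return -1;                      /* would reach saved EBP/EIP: reject */
    memcpy(buffer, str, (size_t)(nul - str) + 1);   /* <= BUFSIZE, includes NUL */
    puts(buffer);
    return 0;
}

/* Bytes the unsafe copy writes past buffer for len input bytes (NUL counts). */
size_t overflow_bytes(size_t len) {
    return len + 1 > BUFSIZE ? len + 1 - BUFSIZE : 0;
}

/* Constructed input as on slide 7: len 'A' bytes, fed to the safe version. */
int try_input(size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int rc = func1_safe(s);
    free(s);
    return rc;
}

int main(int argc, char **argv) {
    if (argc < 2 || func1_safe(argv[1]) != 0) {
        fprintf(stderr, "usage: %s <string shorter than %d bytes>\n", argv[0], BUFSIZE);
        return 1;
    }
    return 0;
}
```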