sample.c
#include <stdio.h>

/* main() must return int; the original used the non-standard void main() */
int main(void)
{
    int i = 0;
    printf("i = %d\n", i);
    if (i == 1)
        printf("PASS\n");
    return 0;
}
Chaining gadgets is actually a simple concept, easier to reason about than chaining functions.
A function pushes $ebp at entry and pops $ebp at exit,
so the ret that follows pops $eip (that is, the saved eip stored just above ebp),
and once the function finishes, execution jumps to that saved eip.
Chained gadgets, by contrast, generally have no function prologue/epilogue,
so as soon as a gadget finishes, its ret pops the next value off the stack
and executes it~
The Social-Engineer Toolkit (SET) provides a menu interface
that generates the Metasploit (msf) commands automatically,
but typing the commands directly is more flexible.
Start SET:
$ cd /pentest/exploits/set
$ ./set
1 Social-Engineering Attacks
  1-4 Create a Payload and Listener
    1-4.1 Windows Shell Reverse_TCP: Spawn a command shell on victim and send back to attacker
    1-4.2 Windows Meterpreter Reverse_TCP: Spawn a meterpreter shell on victim and send back to attacker
    1-4.3 Windows VNC DLL Reverse_TCP: Spawn a VNC server on victim and send back to attacker
    1-4.9 Windows Meterpreter Reverse HTTPS: Tunnel communication over HTTP using SSL and use Meterpreter (on the victim machine, ps shows a notepad process)
  1-10 Powershell Attack Vectors
Goal: You just have to get me the password of the "sysuser". URL: index2.php?login=sysuser
Guess: $sql = "SELECT * FROM user_table WHERE user=" . $_GET['login'];
heap overflow
1. malloc two chunks, then overflow the first so it overwrites part of the second chunk's fields
2. make the second chunk look as if it had already been freed
3. when it is freed, the unlink macro is called to merge the two free chunks
4. chunk3->bk = chunk2->bk becomes chunk2->fd + 12 = chunk2->bk
5. so the content of bk gets written to the memory address in fd, OP
Earlier I built the function/argv stack by hand like this:
"\xc0\xc4\x1d\x40"   arg1 of function
"CCCC"               after function addr (second-level seip)
"\xb8\x5f\x19\x40"   function addr (first-level seip -> second-level ebp)
"BBBB"               old ebp
"A"*0x6C             var1 space
After control reaches function addr, the prologue pushes ebp into the slot where function addr was and then points ebp at that slot, so arg1 is read from ebp+8. Just before the function ends it pops ebp (restoring the old ebp) and then executes ret (pop the next value into eip!!!), so the CCCC above is where execution jumps once the function returns. ret; = pop eip; jmp eip; Before, we only needed the function itself to run, so CCCC was filled in arbitrarily; now we need some special gadgets so we can chain more functions!
Zero-Day Exploit targeting Internet Explorer Versions 9 through 11. FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue. Microsoft has declared end of support for Windows XP, so it is not included in this update.