Buffer Overflow
    char name[16];
    gets(name);   /* unbounded read: anything past 16 bytes overwrites the stack */
Stack layout: [low address] buffer (char buf[24]) | local variables | saved RBP | saved RIP [high address]
    #include <string.h>

    void stupid(char *s) {
        char buf[24];
        strcpy(buf, s);   /* no length check: a long s overwrites saved RBP and saved RIP */
    }
How to compute the offset
- pwntools cyclic (cyclic -l to look up the crash value)
- gdb
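As an added example (not from these notes, not pwntools' own code): a C re-implementation of the cyclic() / cyclic -l idea, mapping the value a register held at the crash back to its offset in the pattern. The crash value used in main() is constructed and assumes the stupid() layout above with no extra locals or padding, so saved RIP sits at buf[24] + 8 = offset 32.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ALPHA "abcdefghijklmnopqrstuvwxyz"
#define K 26  /* alphabet size */
#define N 4   /* window size: every 4-byte window of B(26,4) is unique */

struct db_state { char *out; size_t len, pos; int a[N + 1]; };

/* Classic de Bruijn construction, same ordering as pwntools' cyclic(). */
static void db(struct db_state *s, int t, int p) {
    if (s->pos >= s->len) return;
    if (t > N) {
        if (N % p == 0)
            for (int j = 1; j <= p && s->pos < s->len; j++)
                s->out[s->pos++] = ALPHA[s->a[j]];
        return;
    }
    s->a[t] = s->a[t - p];
    db(s, t + 1, p);
    for (int j = s->a[t - p] + 1; j < K; j++) {
        s->a[t] = j;
        db(s, t + 1, t);
    }
}

/* cyclic(len): fill `out` with the first `len` bytes of the pattern. */
size_t cyclic_gen(char *out, size_t len) {
    struct db_state s = { out, len, 0, {0} };
    db(&s, 1, 1);
    return s.pos;
}

/* cyclic -l <value>: value a register held at the crash, read little-endian;
 * returns the offset of its low 4 bytes in the pattern, or -1 if not found. */
long cyclic_find_u64(uint64_t reg_value, size_t pattern_len) {
    static char pat[1 << 16];
    if (pattern_len > sizeof pat) pattern_len = sizeof pat;
    size_t n = cyclic_gen(pat, pattern_len);
    char needle[N];
    memcpy(needle, &reg_value, N);  /* assumes a little-endian host (x86-64) */
    for (size_t i = 0; i + N <= n; i++)
        if (memcmp(pat + i, needle, N) == 0) return (long)i;
    return -1;
}

int main(void) {
    /* Constructed crash value: saved RIP overwritten with "iaaajaaa" -> 32. */
    printf("offset = %ld\n", cyclic_find_u64(0x6161616a61616169ULL, 4096));
    return 0;
}
```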
Buffer overflow targets
- Overwrite an important variable
- Overwrite a struct / function pointer
- Overwrite the saved RIP
stack canary
- The last byte of the canary is null
- leak canary
ASLR & NX
shellcode
website: https://x64.syscall.sh/
Pop a shell -> /bin/sh -> shellcode
Uses of shellcode
- execve("/bin/sh")
- Open, read and write files
- Reverse shell
- socket reuse
- Download a second-stage payload (staged payload), CS
- egghunter -> payload
- mprotect to change memory permissions
PIC (position-independent code)
    xor rdi, rdi   ; status = 0
    mov rax, 60    ; SYS_exit
    syscall
Syscall
Argument   Register
arg1       RDI
arg2       RSI
arg3       RDX
arg4       RCX
arg5       R8
arg6       R9
    mov rdi, binsh_addr   ; pathname = address of "/bin/sh"
    mov rsi, 0            ; argv = NULL
    mov rdx, 0            ; envp = NULL
    mov rax, 59           ; SYS_execve
    syscall
NOP Sled
- NOP 0x90
- xchg eax, eax (the instruction 0x90 encodes)