diff --git a/SUMMARY.md b/SUMMARY.md index 1ff8630..0121f0d 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -61,13 +61,14 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [3.3.1 格式化字符串漏洞](doc/3.3.1_format_string.md) * [3.3.2 整数溢出](doc/3.3.2_integer_overflow.md) * [3.3.3 栈溢出](doc/3.3.3_stack_overflow.md) - * [3.3.4 返回导向编程(ROP)](doc/3.3.4_rop.md) - * [3.3.5 Linux 堆利用(上)](doc/3.3.5_heap_exploit_1.md) - * [3.3.6 Linux 堆利用(中)](doc/3.3.6_heap_exploit_2.md) - * [3.3.7 Linux 堆利用(下)](doc/3.3.7_heap_exploit_3.md) - * [3.3.8 内核 ROP](doc/3.3.8_kernel_rop.md) - * [3.3.9 Linux 内核漏洞利用](doc/3.3.9_linux_kernel_exploit.md) - * [3.3.10 Windows 内核漏洞利用](doc/3.3.10_windows_kernel_exploit.md) + * [3.3.4 返回导向编程(ROP)(x86)](doc/3.3.4_rop_x86.md) + * [3.3.5 返回导向编程(ROP)(ARM)](doc/3.3.5_rop_arm.md) + * [3.3.6 Linux 堆利用(上)](doc/3.3.6_heap_exploit_1.md) + * [3.3.7 Linux 堆利用(中)](doc/3.3.7_heap_exploit_2.md) + * [3.3.8 Linux 堆利用(下)](doc/3.3.8_heap_exploit_3.md) + * [3.3.9 内核 ROP](doc/3.3.9_kernel_rop.md) + * [3.3.10 Linux 内核漏洞利用](doc/3.3.10_linux_kernel_exploit.md) + * [3.3.11 Windows 内核漏洞利用](doc/3.3.11_windows_kernel_exploit.md) * [3.4 Web](doc/3.4_web.md) * [3.4.1 SQL 注入利用](doc/3.4.1_sql_injection.md) * [3.4.2 XSS 漏洞利用](doc/3.4.2_xss.md) @@ -78,7 +79,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [4.2 Linux 命令行技巧](doc/4.2_Linux_terminal_tips.md) * [4.3 GCC 编译参数解析](doc/4.3_gcc_arg.md) * [4.4 GCC 堆栈保护技术](doc/4.4_gcc_sec.md) - * 4.5 + * [4.5 ROP 防御技术](doc/4.5_defense_rop.md) * [4.6 one-gadget RCE](doc/4.6_one-gadget_rce.md) * [4.7 通用 gadget](doc/4.7_common_gadget.md) * [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md) diff --git a/doc/3.3.9_linux_kernel_exploit.md b/doc/3.3.10_linux_kernel_exploit.md similarity index 78% rename from doc/3.3.9_linux_kernel_exploit.md rename to doc/3.3.10_linux_kernel_exploit.md index fc97e46..72d7a77 100644 --- a/doc/3.3.9_linux_kernel_exploit.md +++ b/doc/3.3.10_linux_kernel_exploit.md @@ -1,4 +1,4 @@ -# 3.3.9 Linux 内核漏洞利用 +# 3.3.10 Linux 内核漏洞利用 - [参考资料](#参考资料) diff --git a/doc/3.3.10_windows_kernel_exploit.md b/doc/3.3.11_windows_kernel_exploit.md similarity index 86% rename from doc/3.3.10_windows_kernel_exploit.md rename to doc/3.3.11_windows_kernel_exploit.md index 0009790..6bfe0c6 100644 --- a/doc/3.3.10_windows_kernel_exploit.md +++ b/doc/3.3.11_windows_kernel_exploit.md @@ -1,4 +1,4 @@ -# 3.3.10 Windows 内核漏洞利用 +# 3.3.11 Windows 内核漏洞利用 - [参考资料](#参考资料) diff --git a/doc/3.3.4_rop.md b/doc/3.3.4_rop_x86.md similarity index 99% rename from doc/3.3.4_rop.md rename to doc/3.3.4_rop_x86.md index fa54d18..d19e0f9 100644 --- a/doc/3.3.4_rop.md +++ b/doc/3.3.4_rop_x86.md @@ -1454,3 +1454,4 @@ print io.recvall() - [64-bit Linux Return-Oriented Programming](http://crypto.stanford.edu/~blynn/rop/) - [Introduction to return oriented programming (ROP)](http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html) - [Return-Oriented Programming:Systems, Languages, and Applications](https://cseweb.ucsd.edu/~hovav/dist/rop.pdf) +- [Practical Return-Oriented Programming](https://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) diff --git a/doc/3.3.5_rop_arm.md b/doc/3.3.5_rop_arm.md new file mode 100644 index 0000000..5661f89 --- /dev/null +++ b/doc/3.3.5_rop_arm.md @@ -0,0 +1,7 @@ +# 3.3.5 返回导向编程(ROP)(ARM) + +- [参考资料](#参考资料) + + +## 参考资料 +- [Return Oriented Programming for the ARM Architecture](http://zma.es/Reversing-Exploiting/ROP/Return%20Oriented%20Programming%20for%20ARM.pdf) diff --git a/doc/3.3.5_heap_exploit_1.md b/doc/3.3.6_heap_exploit_1.md similarity index 99% rename from doc/3.3.5_heap_exploit_1.md rename to doc/3.3.6_heap_exploit_1.md index 23614e3..4888081 100644 --- a/doc/3.3.5_heap_exploit_1.md +++ b/doc/3.3.6_heap_exploit_1.md @@ -1,4 +1,4 @@ -# 3.3.5 Linux 堆利用(上) +# 3.3.6 Linux 堆利用(上) - [Linux 堆简介](#linux-堆简介) - [how2heap](#how2heap) @@ -28,7 +28,7 @@ $ cd how2heap $ make ``` -请注意,下文中贴出的代码是我简化过的,剔除和修改了一些不必要的注释和代码,以方便学习。另外,正如章节 4.3 中所讲的,添加编译参数 `CFLAGS += -fsanitize=address` 可以检测内存错误。[下载文件](../src/Others/3.3.5_heap_exploit) +请注意,下文中贴出的代码是我简化过的,剔除和修改了一些不必要的注释和代码,以方便学习。另外,正如章节 4.3 中所讲的,添加编译参数 `CFLAGS += -fsanitize=address` 可以检测内存错误。[下载文件](../src/Others/3.3.6_heap_exploit) #### first_fit ```c diff --git a/doc/3.3.6_heap_exploit_2.md b/doc/3.3.7_heap_exploit_2.md similarity index 99% rename from doc/3.3.6_heap_exploit_2.md rename to doc/3.3.7_heap_exploit_2.md index 0dfa294..55e72e5 100644 --- a/doc/3.3.6_heap_exploit_2.md +++ b/doc/3.3.7_heap_exploit_2.md @@ -1,4 +1,4 @@ -# 3.3.6 Linux 堆利用(中) +# 3.3.7 Linux 堆利用(中) - [how2heap](#how2heap) - [poison_null_byte](#poison_null_byte) @@ -7,7 +7,7 @@ - [overlapping_chunks_2](#overlapping_chunks_2) -[下载文件](../src/Others/3.3.5_heap_exploit) +[下载文件](../src/Others/3.3.6_heap_exploit) ## how2heap #### poison_null_byte diff --git a/doc/3.3.7_heap_exploit_3.md b/doc/3.3.8_heap_exploit_3.md similarity index 99% rename from doc/3.3.7_heap_exploit_3.md rename to doc/3.3.8_heap_exploit_3.md index 80f689b..c7bdfb1 100644 --- a/doc/3.3.7_heap_exploit_3.md +++ b/doc/3.3.8_heap_exploit_3.md @@ -1,4 +1,4 @@ -# 3.3.7 Linux 堆利用(下) +# 3.3.8 Linux 堆利用(下) - [how2heap](#how2heap) - [house_of_force](#house_of_force) @@ -8,7 +8,7 @@ - [参考资料](#参考资料) -[下载文件](../src/Others/3.3.5_heap_exploit) +[下载文件](../src/Others/3.3.6_heap_exploit) ## how2heap #### house_of_force diff --git a/doc/3.3.8_kernel_rop.md b/doc/3.3.9_kernel_rop.md similarity index 95% rename from doc/3.3.8_kernel_rop.md rename to doc/3.3.9_kernel_rop.md index a316516..10256c1 100644 --- a/doc/3.3.8_kernel_rop.md +++ b/doc/3.3.9_kernel_rop.md @@ -1,4 +1,4 @@ -# 3.3.8 内核 ROP +# 3.3.9 内核 ROP - [参考资料](#参考资料) diff --git a/doc/3.3_pwn.md b/doc/3.3_pwn.md index dcc28bd..159085a 100644 --- a/doc/3.3_pwn.md +++ b/doc/3.3_pwn.md @@ -3,10 +3,11 @@ - [3.3.1 格式化字符串漏洞](3.3.1_format_string.md) - [3.3.2 整数溢出](3.3.2_integer_overflow.md) - [3.3.3 栈溢出](3.3.3_stack_overflow.md) -- [3.3.4 返回导向编程(ROP)](3.3.4_rop.md) -- [3.3.5 Linux 堆利用(上)](3.3.5_heap_exploit_1.md) -- [3.3.6 Linux 堆利用(中)](3.3.6_heap_exploit_2.md) -- [3.3.7 Linux 堆利用(下)](3.3.7_heap_exploit_3.md) -- [3.3.8 内核 ROP](3.3.8_kernel_rop.md) -- [3.3.9 Linux 内核漏洞利用](3.3.9_linux_kernel_exploit.md) -- [3.3.10 Windows 内核漏洞利用](3.3.10_windows_kernel_exploit.md) +- [3.3.4 返回导向编程(ROP)(x86)](3.3.4_rop_x86.md) +- [3.3.5 返回导向编程(ROP)(ARM)](3.3.5_rop_arm.md) +- [3.3.6 Linux 堆利用(上)](3.3.6_heap_exploit_1.md) +- [3.3.7 Linux 堆利用(中)](3.3.7_heap_exploit_2.md) +- [3.3.8 Linux 堆利用(下)](3.3.8_heap_exploit_3.md) +- [3.3.9 内核 ROP](3.3.9_kernel_rop.md) +- [3.3.10 Linux 内核漏洞利用](3.3.10_linux_kernel_exploit.md) +- [3.3.11 Windows 内核漏洞利用](3.3.11_windows_kernel_exploit.md) diff --git a/doc/3_topics.md b/doc/3_topics.md index a22cc8e..d41bbb4 100644 --- a/doc/3_topics.md +++ b/doc/3_topics.md @@ -7,11 +7,14 @@ - [3.3.1 格式化字符串漏洞](3.3.1_format_string.md) - [3.3.2 整数溢出](3.3.2_integer_overflow.md) - [3.3.3 栈溢出](3.3.3_stack_overflow.md) - - [3.3.4 返回导向编程(ROP)](3.3.4_rop.md) - - [3.3.5 Linux 堆利用(上)](3.3.5_heap_exploit_1.md) - - [3.3.6 Linux 堆利用(中)](3.3.6_heap_exploit_2.md) - - [3.3.7 Linux 堆利用(下)](3.3.7_heap_exploit_3.md) - - [3.3.8 Windows 内核漏洞利用](3.3.8_windows_kernel_exploit.md) + - [3.3.4 返回导向编程(ROP)(x86)](3.3.4_rop_x86.md) + - [3.3.5 返回导向编程(ROP)(ARM)](3.3.5_rop_arm.md) + - [3.3.6 Linux 堆利用(上)](3.3.6_heap_exploit_1.md) + - [3.3.7 Linux 堆利用(中)](3.3.7_heap_exploit_2.md) + - [3.3.8 Linux 堆利用(下)](3.3.8_heap_exploit_3.md) + - [3.3.9 内核 ROP](3.3.9_kernel_rop.md) + - [3.3.10 Linux 内核漏洞利用](3.3.10_linux_kernel_exploit.md) + - [3.3.11 Windows 内核漏洞利用](3.3.11_windows_kernel_exploit.md) - [3.4 Web](3.4_web.md) - [3.4.1 SQL 注入利用](3.4.1_sql_injection.md) - [3.4.2 XSS 漏洞利用](3.4.2_xss.md) diff --git a/doc/4.5_defense_rop.md b/doc/4.5_defense_rop.md new file mode 100644 index 0000000..5a1ede5 --- /dev/null +++ b/doc/4.5_defense_rop.md @@ -0,0 +1,45 @@ +# 4.5 ROP 防御技术 + +- [早期的防御技术](#早期的防御技术) +- [没有 return 的 ROP](#没有-return-的-rop) +- [参考资料](#参考资料) + + +## 早期的防御技术 +前面我们已经学过各种 ROP 技术,但同时很多防御技术也被提出来,这一节我们就来看一下这些技术。 + +我们知道正常程序的指令流执行和 ROP 的指令流执行有很大不同,至少有下面两点: +- ROP 执行流就会包含了很多 return 指令,而且之间只间隔了几条其他指令 +- ROP 利用 return 指令来 unwind 堆栈,却没有对应的 call 指令 + +以上面两点差异作为基础,研究人员提出了很多 ROP 检测和防御技术: +- 针对第一点差异,可以检测程序执行中是否有频繁 return 的指令流,作为报警的依据 +- 针对第二点差异,可以通过 call 和 return 指令来查找正常程序中通常都存在的后进先出栈里维护的不变量,判断其是否异常 +- 还有更极端的,在编译器层面重写二进制文件,消除里面的 return 指令 + +所以其实这些早期的防御技术都默认了一个前提,即 ROP 中必定存在 return 指令。 + + +## 没有 return 的 ROP +后来又有人提出了不依赖于 return 指令的 ROP,使得早期的防御技术完全失效。return 指令的作用主要有两个:第一通过间接跳转改变执行流,第二是更新寄存器状态。在 x86 和 ARM 中都存在一些指令序列,也能够完成这些工作,它们首先更新全局状态(如栈指针),然后根据更新后的状态加载下一条指令序列的地址,最后跳转过去执行(把它叫做 update-load-branch 指令序列)。这样就避免的 return 指令的使用。 + +就像下面这样,`x` 代表任意的通用寄存器: +``` +pop x +jmp *x +``` +`r6` 通用寄存器里是更新后的状态: +``` +adds r6, #4 +ldr r5, [r6, #124] +blx r5 +``` + +由于 update-load-branch 指令序列相比 return 指令更加稀少,所以需要把它作为 trampoline 重复利用。在构造 ROP 链时,选择以 trampoline 为目标的间接跳转指令结束的指令序列。当一个 gadget 执行结束后,跳转到 trampoline,trampoline 更新程序全局状态,并将程序控制交给下一个 gadget,这样就形成了 ROP 链。 + +![](../pic/4.5_rop_without_ret.png) + + +## 参考资料 +- [Return-Oriented Programming without Returns](https://www2.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) +- [Analysis of Defenses against Return Oriented Programming](http://www.eit.lth.se/sprapport.php?uid=829) diff --git a/doc/4_tips.md b/doc/4_tips.md index f3b5de4..981cb2a 100644 --- a/doc/4_tips.md +++ b/doc/4_tips.md @@ -4,7 +4,7 @@ - [4.2 Linux 命令行技巧](4.2_Linux_terminal_tips.md) - [4.3 GCC 编译参数解析](4.3_gcc_arg.md) - [4.4 GCC 堆栈保护技术](4.4_gcc_sec.md) -- 4.5 +- [4.5 ROP 防御技术](4.5_defense_rop.md) - [4.6 one-gadget RCE](4.6_one-gadget_rce.md) - [4.7 通用 gadget](4.7_common_gadget.md) - [4.8 使用 DynELF 泄露函数地址](4.8_dynelf.md) diff --git a/doc/5.5_clang.md b/doc/5.5_clang.md index 7c6657d..c3acd32 100644 --- a/doc/5.5_clang.md +++ b/doc/5.5_clang.md @@ -31,13 +31,16 @@ $ svn co http://llvm.org/svn/llvm-project/test-suite/trunk test-suite # optional $ cd ../.. && cd llvm $ $ mkdir build && cd build +$ cmake -G Ninja ../ +$ cmake --build . +$ cmake --build . --target install ``` ## 内部实现 Clang 前端的主要流程如下: ``` - Driver -> Lex -> Parse -> Sema -> CodeGen (LLVM IR) +Driver -> Lex -> Parse -> Sema -> CodeGen (LLVM IR) ``` diff --git a/doc/6.1.12_n1ctf2018_vote.md b/doc/6.1.12_n1ctf2018_vote.md index a06c70d..394d045 100644 --- a/doc/6.1.12_n1ctf2018_vote.md +++ b/doc/6.1.12_n1ctf2018_vote.md @@ -27,12 +27,13 @@ $ ./vote 5: Exit Action: ``` - 然后就可以把它运行起来了: ``` $ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" & ``` +另外出题人在 github 开源了题目的代码,感兴趣的也可以看一下。 + ## 题目解析 #### Exploit diff --git a/pic/4.5_rop_without_ret.png b/pic/4.5_rop_without_ret.png new file mode 100644 index 0000000..eeefca0 Binary files /dev/null and b/pic/4.5_rop_without_ret.png differ diff --git a/src/Others/3.3.5_heap_exploit/Makefile b/src/Others/3.3.6_heap_exploit/Makefile similarity index 100% rename from src/Others/3.3.5_heap_exploit/Makefile rename to src/Others/3.3.6_heap_exploit/Makefile diff --git a/src/Others/3.3.5_heap_exploit/fastbin_dup.c b/src/Others/3.3.6_heap_exploit/fastbin_dup.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/fastbin_dup.c rename to src/Others/3.3.6_heap_exploit/fastbin_dup.c diff --git a/src/Others/3.3.5_heap_exploit/fastbin_dup_into_stack.c b/src/Others/3.3.6_heap_exploit/fastbin_dup_into_stack.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/fastbin_dup_into_stack.c rename to src/Others/3.3.6_heap_exploit/fastbin_dup_into_stack.c diff --git a/src/Others/3.3.5_heap_exploit/first_fit.c b/src/Others/3.3.6_heap_exploit/first_fit.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/first_fit.c rename to src/Others/3.3.6_heap_exploit/first_fit.c diff --git a/src/Others/3.3.5_heap_exploit/house_of_einherjar.c b/src/Others/3.3.6_heap_exploit/house_of_einherjar.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/house_of_einherjar.c rename to src/Others/3.3.6_heap_exploit/house_of_einherjar.c diff --git a/src/Others/3.3.5_heap_exploit/house_of_force.c b/src/Others/3.3.6_heap_exploit/house_of_force.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/house_of_force.c rename to src/Others/3.3.6_heap_exploit/house_of_force.c diff --git a/src/Others/3.3.5_heap_exploit/house_of_lore.c b/src/Others/3.3.6_heap_exploit/house_of_lore.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/house_of_lore.c rename to src/Others/3.3.6_heap_exploit/house_of_lore.c diff --git a/src/Others/3.3.5_heap_exploit/house_of_orange.c b/src/Others/3.3.6_heap_exploit/house_of_orange.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/house_of_orange.c rename to src/Others/3.3.6_heap_exploit/house_of_orange.c diff --git a/src/Others/3.3.5_heap_exploit/house_of_spirit.c b/src/Others/3.3.6_heap_exploit/house_of_spirit.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/house_of_spirit.c rename to src/Others/3.3.6_heap_exploit/house_of_spirit.c diff --git a/src/Others/3.3.5_heap_exploit/overlapping_chunks.c b/src/Others/3.3.6_heap_exploit/overlapping_chunks.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/overlapping_chunks.c rename to src/Others/3.3.6_heap_exploit/overlapping_chunks.c diff --git a/src/Others/3.3.5_heap_exploit/overlapping_chunks_2.c b/src/Others/3.3.6_heap_exploit/overlapping_chunks_2.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/overlapping_chunks_2.c rename to src/Others/3.3.6_heap_exploit/overlapping_chunks_2.c diff --git a/src/Others/3.3.5_heap_exploit/poison_null_byte.c b/src/Others/3.3.6_heap_exploit/poison_null_byte.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/poison_null_byte.c rename to src/Others/3.3.6_heap_exploit/poison_null_byte.c diff --git a/src/Others/3.3.5_heap_exploit/unsafe_unlink.c b/src/Others/3.3.6_heap_exploit/unsafe_unlink.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/unsafe_unlink.c rename to src/Others/3.3.6_heap_exploit/unsafe_unlink.c diff --git a/src/Others/3.3.5_heap_exploit/unsorted_bin_attack.c b/src/Others/3.3.6_heap_exploit/unsorted_bin_attack.c similarity index 100% rename from src/Others/3.3.5_heap_exploit/unsorted_bin_attack.c rename to src/Others/3.3.6_heap_exploit/unsorted_bin_attack.c