diff --git a/README.md b/README.md index 636b263..e07b1fc 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ - [六、附录](doc/6_appendix.md) - [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md) - [6.2 更多 Windows 工具](doc/6.2_wintools.md) - - [6.3 博客、文章和书籍](doc/6.3_books&blogs.md) + - [6.3 更多资源](doc/6.3_books&blogs.md) - [6.4 习题 write-up](doc/6.4_writeup.md) - [6.5 Linux x86-64 系统调用表](doc/6.5_syscall.md) diff --git a/SUMMARY.md b/SUMMARY.md index ab339a6..c2289cd 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -53,6 +53,6 @@ * [六、附录](doc/6_appendix.md) * [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md) * [6.2 更多 Windows 工具](doc/6.2_wintools.md) - * [6.3 博客、文章和书籍](doc/6.3_books&blogs.md) + * [6.3 更多资源](doc/6.3_books&blogs.md) * [6.4 习题 write-up](doc/6.4_writeup.md) * [6.5 Linux x86-64 系统调用表](doc/6.5_syscall.md) diff --git a/doc/3.3.1_format_string.md b/doc/3.3.1_format_string.md index 0af2e82..0daee39 100644 --- a/doc/3.3.1_format_string.md +++ b/doc/3.3.1_format_string.md @@ -268,12 +268,23 @@ Hello 32 f7f95580 565555f4 ! 通过提供和格式字符串,我们就能够控制格式化函数的行为。漏洞的利用主要有下面几种。 #### 使程序崩溃 +格式话字符串漏洞通常要在程序崩溃时才会被发现,所以利用格式化字符串漏洞最简单的方式就是使进程崩溃。在 Linux 中,存取无效的指针会引起进程收到 `SIGSEGV` 信号,从而使程序非正常终止并产生核心转储(在 Linux 基础的章节中详细介绍了核心转储)。我们知道核心转储中存储了程序崩溃时的许多重要信息,这些信息正是攻击者所需要的。 + +利用类似下面的格式字符串即可触发漏洞: +```c +printf("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s") +``` +- 对于每一个 `%s`,`printf()` 都要从栈中获取一个数字,把该数字视为一个地址,然后打印出地址指向的内存内容,直到出现一个 NULL 字符。 +- 因为不可能获取的每一个数字都是地址,数字所对应的内存可能并不存在。 +- 还有可能获得的数字确实是一个地址,但是该地址是被保护的。 + +#### 查看栈内容 +使程序崩溃只是验证漏洞的第一步,攻击者还可以利用格式化输出函数来获得内存的内容,为下一步漏洞利用做准备。 -#### 查看栈 #### 查看任意地址的内存 -#### 覆盖栈 +#### 覆盖栈内容 #### 覆盖任意地址内存 diff --git a/doc/6.3_books&blogs.md b/doc/6.3_books&blogs.md index d05b433..c720e70 100644 --- a/doc/6.3_books&blogs.md +++ b/doc/6.3_books&blogs.md 
@@ -1,33 +1,46 @@ -# 网站、文章和书籍 +# 更多资源 -- [网站](#网站) +- [课程](#课程) +- [站点](#站点) - [文章](#文章) - [书籍](#书籍) -## 网站 +## 课程 +- [Intro to Computer Systems, Summer 2017](https://www.cs.cmu.edu/~213/schedule.html) +- [Modern Binary Exploitation Spring 2015](http://security.cs.rpi.edu/courses/binexp-spring2015/) - [OpenSecurityTraining](http://opensecuritytraining.info/Welcome.html) -- [sec-wiki](https://www.sec-wiki.com/) - [Stanford Computer Security Laboratory](http://seclab.stanford.edu/) +- [CS642 Fall 2014: Computer Security](http://pages.cs.wisc.edu/~rist/642-fall-2014/) +- [Offensive Computer Security Spring 2014](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/) +- [System Security and Binary Code Analysis](http://www.utdallas.edu/~zhiqiang.lin/spring2012.html#toc7) +- [SATSMT Summer School 2011](https://wikis.mit.edu/confluence/display/satsmtschool11/SATSMT+Summer+School+2011;jsessionid=994854C69CABD6B1DC53F381A3CFF5E8) +- [CS 161 : Computer Security Spring 2017](https://www.icir.org/vern/cs161-sp17/) +- [Introduction to Computer Security Fall 2015](https://users.ece.cmu.edu/~dbrumley/courses/18487-f15/#lectures) + + +## 站点 +- [sec-wiki](https://www.sec-wiki.com/) - [Shellcodes database for study cases](http://shell-storm.org/shellcode/) - [Corelan Team Articles](https://www.corelan.be/index.php/articles/) +- [LOW-LEVEL ATTACKS AND DEFENSES](http://www.cs.umd.edu/class/spring2014/cmsc838g/list.txt) +- [FuzzySecurity](https://www.fuzzysecurity.com/tutorials.html) +- [LiveOverflow](http://liveoverflow.com/index.html) + + +## 文章 - [Debugging Fundamentals for Exploit Development](http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/) -- [Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/) - [Introduction to return oriented programming (ROP)](http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html) - [Smashing The Stack For 
Fun And Profit](http://insecure.org/stf/smashstack.html) - [Understanding DEP as a mitigation technology part 1](https://blogs.technet.microsoft.com/srd/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1/) +- [Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/) - [Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/) -- [CS642 Fall 2014: Computer Security](http://pages.cs.wisc.edu/~rist/642-fall-2014/) -- [Offensive Computer Security Spring 2014](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/) - [From 0x90 to 0x4c454554, a journey into exploitation.](http://www.myne-us.com/2010/08/from-0x90-to-0x4c454554-journey-into.html) -- [Software Modeling and Verification](http://www.myne-us.com/2010/08/from-0x90-to-0x4c454554-journey-into.html) -- [SATSMT Summer School 2011](https://wikis.mit.edu/confluence/display/satsmtschool11/SATSMT+Summer+School+2011;jsessionid=994854C69CABD6B1DC53F381A3CFF5E8) -- [LOW-LEVEL ATTACKS AND DEFENSES](http://www.cs.umd.edu/class/spring2014/cmsc838g/list.txt) - [Checking the boundaries of static analysis](https://docs.google.com/presentation/d/1_Te02rSqn7wuhsmkkluqWhDBoXXFVUL5Mp0dUxH0cVE/edit#slide=id.gbd819d83_120) -- [Reference Library](https://moflow.org/#%5B%5BReference%20Library%5D%5D) - [Deep Wizardry: Stack Unwinding](http://blog.reverberate.org/2013/05/deep-wizardry-stack-unwinding.html) +- [Linux (x86) Exploit Development Series](https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/) +- [Hack The Virtual Memory](https://blog.holbertonschool.com/hack-the-virtual-memory-c-strings-proc/#) -## 文章 ## 书籍 - [Hacking: The Art of Exploitation, 2nd Edition by Jon 
Erickson](https://leaksource.files.wordpress.com/2014/08/hacking-the-art-of-exploitation.pdf) diff --git a/doc/6_appendix.md b/doc/6_appendix.md index 588c7ad..b69bd0e 100644 --- a/doc/6_appendix.md +++ b/doc/6_appendix.md @@ -2,6 +2,6 @@ - [6.1 更多 Linux 工具](6.1_Linuxtools.md) - [6.2 更多 Windows 工具](6.2_wintools.md) -- [6.3 博客、文章和书籍](6.3_books&blogs.md) +- [6.3 更多资源](6.3_books&blogs.md) - [6.4 习题 write-up](6.4_writeup.md) - [6.5 Linux x86-64 系统调用表](http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
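Review bot: in the README.md hunk, the renamed entry `- [6.3 更多资源](doc/6.3_books&blogs.md)` keeps a link target whose file name (`books&blogs`) no longer matches the new title, and a literal `&` inside a Markdown link path is a fragile character that some renderers require escaped as `%26`. Since this patch already touches all three index files (README.md, SUMMARY.md, doc/6_appendix.md), renaming the file to something like `doc/6.3_resources.md` and updating the three links in the same change would keep title and path consistent and avoid the `&`.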
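Review bot: typo in the first added paragraph of the doc/3.3.1_format_string.md hunk: `格式话字符串漏洞` should be `格式化字符串漏洞`. Two accuracy points in the same hunk: the bullet `对于每一个 %s,printf() 都要从栈中获取一个数字` holds for the 32-bit cdecl convention that the surrounding sample output (`f7f95580 565555f4`) reflects, but on x86-64 the first five variadic arguments are fetched from registers (rsi, rdx, rcx, r8, r9) before the stack, so the sentence should say either "32 位下" or "从参数位置" rather than unconditionally "从栈中"; and `直到出现一个 NULL 字符` should read `NUL 字符('\0')`, since NULL is the null pointer constant, not the string terminator. The snippet `printf("%s%s...%s")` is missing its trailing `;`. The renamed headings `#### 查看栈内容` and `#### 覆盖栈内容` change the generated anchors, so any TOC at the top of the file that links to `#查看栈` or `#覆盖栈` needs the same update. On the defensive side, the paragraph would be more useful if it noted that the actual vulnerable call is `printf(buf)` with attacker-controlled `buf`, and that gcc/clang `-Wformat-security` warns on exactly that shape (non-literal format string with no further arguments).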
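Review bot: in the doc/6.3_books&blogs.md hunk, the added `SATSMT Summer School 2011` link embeds a server session token (`;jsessionid=994854C69CABD6B1DC53F381A3CFF5E8`) that is not part of the resource address and will stop resolving; drop everything from `;jsessionid=` onward. `Hack The Virtual Memory` ends in a stray `#`. The moved `LOW-LEVEL ATTACKS AND DEFENSES` entry is a course reading list (`cmsc838g`, spring 2014, `list.txt`), so it fits under `## 课程` next to the other course links rather than under `## 站点`. Deleting `Software Modeling and Verification` is correct, since its URL duplicated the `From 0x90 to 0x4c454554` entry. Minor: the new sections are separated by two blank lines while the rest of the file uses one.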
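Review bot: the unchanged context line `- [6.5 Linux x86-64 系统调用表](http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)` in the doc/6_appendix.md hunk points at an external blog, while the README.md and SUMMARY.md hunks link the same entry to the local `doc/6.5_syscall.md`. Since this patch is already aligning the 6.3 entry across the three index files, point 6.5 at `6.5_syscall.md` here as well so the appendix does not silently depend on an external site.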