mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
update blogs
This commit is contained in:
parent
167f20f63b
commit
2e2268029a
@ -57,7 +57,7 @@
|
|||||||
- [六、附录](doc/6_appendix.md)
|
- [六、附录](doc/6_appendix.md)
|
||||||
- [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md)
|
- [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md)
|
||||||
- [6.2 更多 Windows 工具](doc/6.2_wintools.md)
|
- [6.2 更多 Windows 工具](doc/6.2_wintools.md)
|
||||||
- [6.3 博客、文章和书籍](doc/6.3_books&blogs.md)
|
- [6.3 更多资源](doc/6.3_books&blogs.md)
|
||||||
- [6.4 习题 write-up](doc/6.4_writeup.md)
|
- [6.4 习题 write-up](doc/6.4_writeup.md)
|
||||||
- [6.5 Linux x86-64 系统调用表](doc/6.5_syscall.md)
|
- [6.5 Linux x86-64 系统调用表](doc/6.5_syscall.md)
|
||||||
|
|
||||||
|
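Review bot: the link text for 6.3 changes to 「更多资源」 while the target stays `doc/6.3_books&blogs.md`, so the file name now describes only part of what the page covers; consider renaming the file in the same commit (all three index files are touched here anyway) or keep the old name deliberately. The `&` in the path is also worth a second look, since Markdown renderers and URL encoders do not all treat it the same way; a plain name such as `6.3_resources.md` would be more robust.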
@ -53,6 +53,6 @@
|
|||||||
* [六、附录](doc/6_appendix.md)
|
* [六、附录](doc/6_appendix.md)
|
||||||
* [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md)
|
* [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md)
|
||||||
* [6.2 更多 Windows 工具](doc/6.2_wintools.md)
|
* [6.2 更多 Windows 工具](doc/6.2_wintools.md)
|
||||||
* [6.3 博客、文章和书籍](doc/6.3_books&blogs.md)
|
* [6.3 更多资源](doc/6.3_books&blogs.md)
|
||||||
* [6.4 习题 write-up](doc/6.4_writeup.md)
|
* [6.4 习题 write-up](doc/6.4_writeup.md)
|
||||||
* [6.5 Linux x86-64 系统调用表](doc/6.5_syscall.md)
|
* [6.5 Linux x86-64 系统调用表](doc/6.5_syscall.md)
|
||||||
|
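Review bot: this applies the same 6.3 rename to the second, `*`-bulleted index, which keeps the two tables of contents consistent. Since only the link text changes and the target file is unchanged, also check that no other page refers to the section by its old title 「博客、文章和书籍」, as this diff only covers the index files.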
@ -268,12 +268,23 @@ Hello 32 f7f95580 565555f4 !
|
|||||||
通过提供和格式字符串,我们就能够控制格式化函数的行为。漏洞的利用主要有下面几种。
|
通过提供和格式字符串,我们就能够控制格式化函数的行为。漏洞的利用主要有下面几种。
|
||||||
|
|
||||||
#### 使程序崩溃
|
#### 使程序崩溃
|
||||||
|
格式话字符串漏洞通常要在程序崩溃时才会被发现,所以利用格式化字符串漏洞最简单的方式就是使进程崩溃。在 Linux 中,存取无效的指针会引起进程收到 `SIGSEGV` 信号,从而使程序非正常终止并产生核心转储(在 Linux 基础的章节中详细介绍了核心转储)。我们知道核心转储中存储了程序崩溃时的许多重要信息,这些信息正是攻击者所需要的。
|
||||||
|
|
||||||
|
利用类似下面的格式字符串即可触发漏洞:
|
||||||
|
```c
|
||||||
|
printf("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s")
|
||||||
|
```
|
||||||
|
- 对于每一个 `%s`,`printf()` 都要从栈中获取一个数字,把该数字视为一个地址,然后打印出地址指向的内存内容,直到出现一个 NULL 字符。
|
||||||
|
- 因为不可能获取的每一个数字都是地址,数字所对应的内存可能并不存在。
|
||||||
|
- 还有可能获得的数字确实是一个地址,但是该地址是被保护的。
|
||||||
|
|
||||||
|
#### 查看栈内容
|
||||||
|
使程序崩溃只是验证漏洞的第一步,攻击者还可以利用格式化输出函数来获得内存的内容,为下一步漏洞利用做准备。
|
||||||
|
|
||||||
#### 查看栈
|
|
||||||
|
|
||||||
#### 查看任意地址的内存
|
#### 查看任意地址的内存
|
||||||
|
|
||||||
#### 覆盖栈
|
#### 覆盖栈内容
|
||||||
|
|
||||||
#### 覆盖任意地址内存
|
#### 覆盖任意地址内存
|
||||||
|
|
||||||
|
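Review bot: typo in the new paragraph under 「使程序崩溃」: 「格式话字符串漏洞」 should read 「格式化字符串漏洞」. The unchanged lead sentence 「通过提供和格式字符串」 also has a stray 「和」 and reads better as 「通过提供格式字符串」. The `printf("%s%s…")` example is fine as a crash illustration, but the bullet 「对于每一个 %s,printf() 都要从栈中获取一个数字」 only holds directly for the 32-bit calling convention that the chapter's sample output (`f7f95580 565555f4`) suggests; one sentence stating which architecture is assumed would prevent readers from applying it unchanged to x86-64, where the first variadic arguments arrive in registers. Finally, the headings 「查看栈内容」, 「查看任意地址的内存」, 「覆盖栈内容」 and 「覆盖任意地址内存」 are added or renamed with no body yet; a TODO marker under each would make clear that these sections are still to be written.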
@ -1,33 +1,46 @@
|
|||||||
# 网站、文章和书籍
|
# 更多资源
|
||||||
|
|
||||||
- [网站](#网站)
|
- [课程](#课程)
|
||||||
|
- [站点](#站点)
|
||||||
- [文章](#文章)
|
- [文章](#文章)
|
||||||
- [书籍](#书籍)
|
- [书籍](#书籍)
|
||||||
|
|
||||||
|
|
||||||
## 网站
|
## 课程
|
||||||
|
- [Intro to Computer Systems, Summer 2017](https://www.cs.cmu.edu/~213/schedule.html)
|
||||||
|
- [Modern Binary Exploitation Spring 2015](http://security.cs.rpi.edu/courses/binexp-spring2015/)
|
||||||
- [OpenSecurityTraining](http://opensecuritytraining.info/Welcome.html)
|
- [OpenSecurityTraining](http://opensecuritytraining.info/Welcome.html)
|
||||||
- [sec-wiki](https://www.sec-wiki.com/)
|
|
||||||
- [Stanford Computer Security Laboratory](http://seclab.stanford.edu/)
|
- [Stanford Computer Security Laboratory](http://seclab.stanford.edu/)
|
||||||
|
- [CS642 Fall 2014: Computer Security](http://pages.cs.wisc.edu/~rist/642-fall-2014/)
|
||||||
|
- [Offensive Computer Security Spring 2014](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/)
|
||||||
|
- [System Security and Binary Code Analysis](http://www.utdallas.edu/~zhiqiang.lin/spring2012.html#toc7)
|
||||||
|
- [SATSMT Summer School 2011](https://wikis.mit.edu/confluence/display/satsmtschool11/SATSMT+Summer+School+2011;jsessionid=994854C69CABD6B1DC53F381A3CFF5E8)
|
||||||
|
- [CS 161 : Computer Security Spring 2017](https://www.icir.org/vern/cs161-sp17/)
|
||||||
|
- [Introduction to Computer Security Fall 2015](https://users.ece.cmu.edu/~dbrumley/courses/18487-f15/#lectures)
|
||||||
|
|
||||||
|
|
||||||
|
## 站点
|
||||||
|
- [sec-wiki](https://www.sec-wiki.com/)
|
||||||
- [Shellcodes database for study cases](http://shell-storm.org/shellcode/)
|
- [Shellcodes database for study cases](http://shell-storm.org/shellcode/)
|
||||||
- [Corelan Team Articles](https://www.corelan.be/index.php/articles/)
|
- [Corelan Team Articles](https://www.corelan.be/index.php/articles/)
|
||||||
|
- [LOW-LEVEL ATTACKS AND DEFENSES](http://www.cs.umd.edu/class/spring2014/cmsc838g/list.txt)
|
||||||
|
- [FuzzySecurity](https://www.fuzzysecurity.com/tutorials.html)
|
||||||
|
- [LiveOverflow](http://liveoverflow.com/index.html)
|
||||||
|
|
||||||
|
|
||||||
|
## 文章
|
||||||
- [Debugging Fundamentals for Exploit Development](http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/)
|
- [Debugging Fundamentals for Exploit Development](http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/)
|
||||||
- [Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/)
|
|
||||||
- [Introduction to return oriented programming (ROP)](http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
|
- [Introduction to return oriented programming (ROP)](http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
|
||||||
- [Smashing The Stack For Fun And Profit](http://insecure.org/stf/smashstack.html)
|
- [Smashing The Stack For Fun And Profit](http://insecure.org/stf/smashstack.html)
|
||||||
- [Understanding DEP as a mitigation technology part 1](https://blogs.technet.microsoft.com/srd/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1/)
|
- [Understanding DEP as a mitigation technology part 1](https://blogs.technet.microsoft.com/srd/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1/)
|
||||||
|
- [Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/)
|
||||||
- [Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/)
|
- [Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/)
|
||||||
- [CS642 Fall 2014: Computer Security](http://pages.cs.wisc.edu/~rist/642-fall-2014/)
|
|
||||||
- [Offensive Computer Security Spring 2014](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/)
|
|
||||||
- [From 0x90 to 0x4c454554, a journey into exploitation.](http://www.myne-us.com/2010/08/from-0x90-to-0x4c454554-journey-into.html)
|
- [From 0x90 to 0x4c454554, a journey into exploitation.](http://www.myne-us.com/2010/08/from-0x90-to-0x4c454554-journey-into.html)
|
||||||
- [Software Modeling and Verification](http://www.myne-us.com/2010/08/from-0x90-to-0x4c454554-journey-into.html)
|
|
||||||
- [SATSMT Summer School 2011](https://wikis.mit.edu/confluence/display/satsmtschool11/SATSMT+Summer+School+2011;jsessionid=994854C69CABD6B1DC53F381A3CFF5E8)
|
|
||||||
- [LOW-LEVEL ATTACKS AND DEFENSES](http://www.cs.umd.edu/class/spring2014/cmsc838g/list.txt)
|
|
||||||
- [Checking the boundaries of static analysis](https://docs.google.com/presentation/d/1_Te02rSqn7wuhsmkkluqWhDBoXXFVUL5Mp0dUxH0cVE/edit#slide=id.gbd819d83_120)
|
- [Checking the boundaries of static analysis](https://docs.google.com/presentation/d/1_Te02rSqn7wuhsmkkluqWhDBoXXFVUL5Mp0dUxH0cVE/edit#slide=id.gbd819d83_120)
|
||||||
- [Reference Library](https://moflow.org/#%5B%5BReference%20Library%5D%5D)
|
|
||||||
- [Deep Wizardry: Stack Unwinding](http://blog.reverberate.org/2013/05/deep-wizardry-stack-unwinding.html)
|
- [Deep Wizardry: Stack Unwinding](http://blog.reverberate.org/2013/05/deep-wizardry-stack-unwinding.html)
|
||||||
|
- [Linux (x86) Exploit Development Series](https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/)
|
||||||
|
- [Hack The Virtual Memory](https://blog.holbertonschool.com/hack-the-virtual-memory-c-strings-proc/#)
|
||||||
|
|
||||||
## 文章
|
|
||||||
|
|
||||||
## 书籍
|
## 书籍
|
||||||
- [Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson](https://leaksource.files.wordpress.com/2014/08/hacking-the-art-of-exploitation.pdf)
|
- [Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson](https://leaksource.files.wordpress.com/2014/08/hacking-the-art-of-exploitation.pdf)
|
||||||
|
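Review bot: the split into 「课程」, 「站点」, 「文章」 and 「书籍」 matches the new table of contents, and removing the duplicate 「## 文章」 heading plus the 「Software Modeling and Verification」 entry that pointed at the same myne-us URL as the entry above it is correct. Two link-hygiene points in the kept lines: the SATSMT Summer School URL still carries a `;jsessionid=…` session token, which is not part of the stable address and should be stripped, and the Hack The Virtual Memory link ends in a stray `#`. Also, 「LOW-LEVEL ATTACKS AND DEFENSES」 is a course reading list (cmsc838g), so it arguably belongs under 「课程」 rather than 「站点」, and the title 「Tricks for Exploit Development」 does not match its URL, which is an SEH exploit-writing tutorial using OllyDbg; consider renaming the entry to match.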
@ -2,6 +2,6 @@
|
|||||||
|
|
||||||
- [6.1 更多 Linux 工具](6.1_Linuxtools.md)
|
- [6.1 更多 Linux 工具](6.1_Linuxtools.md)
|
||||||
- [6.2 更多 Windows 工具](6.2_wintools.md)
|
- [6.2 更多 Windows 工具](6.2_wintools.md)
|
||||||
- [6.3 博客、文章和书籍](6.3_books&blogs.md)
|
- [6.3 更多资源](6.3_books&blogs.md)
|
||||||
- [6.4 习题 write-up](6.4_writeup.md)
|
- [6.4 习题 write-up](6.4_writeup.md)
|
||||||
- [6.5 Linux x86-64 系统调用表](http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
|
- [6.5 Linux x86-64 系统调用表](http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
|
||||||
|
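Review bot: the appendix index renames 6.3 consistently with the other two indexes, but the context lines expose a pre-existing inconsistency worth fixing in the same pass: here 6.5 links to the external rchapman.org syscall table, whereas the other two indexes link to the local `doc/6.5_syscall.md`. Point all three entries at the same target.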