diff --git a/SUMMARY.md b/SUMMARY.md index e94f29a..249d7d6 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -100,7 +100,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [4.7 通用 gadget](doc/4.7_common_gadget.md) * [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md) * [4.9 shellcode 开发](doc/4.9_shellcode.md) - * 4.10 + * [4.10 跳转导向编程(JOP)](doc/4.10_jop.md) * 4.11 * [4.12 利用 __stack_chk_fail](doc/4.12_stack_chk_fail.md) * [4.13 利用 _IO_FILE 结构](doc/4.13_io_file.md) @@ -240,6 +240,9 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](doc/8.42_taintcheck.md) * [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](doc/8.43_dta++.md) * [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](doc/8.44_multiverse.md) + * [8.45 Ramblr: Making Reassembly Great Again](doc/8.45_ramblr.md) + * [8.46 FreeGuard: A Faster Secure Heap Allocator](doc/8.46_freeguard.md) + * [8.47 Jump-Oriented Programming: A New Class of Code-Reuse Attack](doc/8.47_jop.md) * [九、附录](doc/9_appendix.md) * [9.1 更多 Linux 工具](doc/9.1_Linuxtools.md) * [9.2 更多 Windows 工具](doc/9.2_wintools.md) diff --git a/doc/3.1.6_heap_exploit_1.md b/doc/3.1.6_heap_exploit_1.md index f5ec327..0843d7c 100644 --- a/doc/3.1.6_heap_exploit_1.md +++ b/doc/3.1.6_heap_exploit_1.md @@ -1091,8 +1091,8 @@ int main() { fprintf(stderr, "The first one: %p\n", &fake_chunks[0]); fprintf(stderr, "The second one: %p\n", &fake_chunks[4]); - fake_chunks[1] = 0x20; // the size - fake_chunks[5] = 0x1234; // nextsize + fake_chunks[1] = 0x20; // the size + fake_chunks[5] = 0x1234; // nextsize fake_chunks[2] = 0x4141414141414141LL; fake_chunks[6] = 0x4141414141414141LL; 
@@ -1277,6 +1277,8 @@ Freeing the overwritten pointer. #3 0x4009b8 in _start (/home/firmyy/how2heap/a.out+0x4009b8) ``` +house-of-spirit 在 libc-2.26 下的利用可以查看章节 4.14。 + ## 参考资料 - [how2heap](https://github.com/shellphish/how2heap) diff --git a/doc/4.10_jop.md b/doc/4.10_jop.md new file mode 100644 index 0000000..f8cf23f --- /dev/null +++ b/doc/4.10_jop.md @@ -0,0 +1 @@ +# 4.10 跳转导向编程(JOP) diff --git a/doc/4_tips.md b/doc/4_tips.md index 3a5c886..e9ff340 100644 --- a/doc/4_tips.md +++ b/doc/4_tips.md @@ -8,8 +8,8 @@ * [4.6 one-gadget RCE](4.6_one-gadget_rce.md) * [4.7 通用 gadget](4.7_common_gadget.md) * [4.8 使用 DynELF 泄露函数地址](4.8_dynelf.md) -* [4.9 shellcode 开发](doc/4.9_shellcode.md) -* 4.10 +* [4.9 shellcode 开发](4.9_shellcode.md) +* [4.10 跳转导向编程(JOP)](4.10_jop.md) * 4.11 * [4.12 利用 __stack_chk_fail](4.12_stack_chk_fail.md) * [4.13 利用 _IO_FILE 结构](4.13_io_file.md) diff --git a/doc/5.3.1_angr.md b/doc/5.3.1_angr.md index 3543278..d21a8e6 100644 --- a/doc/5.3.1_angr.md +++ b/doc/5.3.1_angr.md @@ -246,7 +246,7 @@ angr 提供了大量函数用于程序分析,在这些函数在 `Project.analy >>> plt.savefig('temp.png') # 保存 ``` -#### 加载二进制文件 +#### 二进制文件加载器 我们知道 angr 是高度模块化的,接下来我们就分别来看看这些组成模块,其中用于二进制加载模块称为 CLE。主类为 `cle.loader.Loader`,它导入所有的对象文件并导出一个进程内存的抽象。类 `cle.backends` 是加载器的后端,根据二进制文件类型区分为 `cle.backends.elf`、`cle.backends.pe`、`cle.backends.macho` 等。 首先我们来看加载器的一些常用参数: diff --git a/doc/6.1.17_pwn_secconctf2016_jmper.md b/doc/6.1.17_pwn_secconctf2016_jmper.md index e64729b..2190238 100644 --- a/doc/6.1.17_pwn_secconctf2016_jmper.md +++ b/doc/6.1.17_pwn_secconctf2016_jmper.md @@ -145,7 +145,7 @@ int setjmp(jmp_buf env); void longjmp(jmp_buf env, int val); ``` -- `setjmp()`:将函数在此处的上下文保存到 `jmp_buf` 结构体,以供 longjmp 从此结构体中恢复 +- `setjmp()`:将函数在此处的上下文保存到 `jmp_buf` 结构体,以供 longjmp 从此结构体中恢复上下文 - `env`:保存上下文的 `jmp_buf` 结构体变量 - 如果直接调用该函数,返回值为 0。如果该函数从 longjmp 调用返回,返回值根据 longjmp 的参数决定。 - `longjmp()`:从 `jmp_buf` 结构体中恢复由 setjmp 函数保存的上下文,该函数不返回,而是从 setjmp 函数中返回 
diff --git a/doc/8.10_aeg.md b/doc/8.10_aeg.md index 4729623..8b6b578 100644 --- a/doc/8.10_aeg.md +++ b/doc/8.10_aeg.md @@ -1,7 +1,7 @@ # 8.10 AEG: Automatic Exploit Generation -论文:http://security.ece.cmu.edu/aeg/aeg-current.pdf +[paper](http://security.ece.cmu.edu/aeg/aeg-current.pdf) ## 简介 - 这篇论文向我们展示了如何将控制流劫持攻击的漏洞利用生成模型化为一个形式化验证问题。 diff --git a/doc/8.11_aslp.md b/doc/8.11_aslp.md index 469a95b..efce91f 100644 --- a/doc/8.11_aslp.md +++ b/doc/8.11_aslp.md @@ -1,6 +1,6 @@ # 8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software -论文:https://www.acsac.org/2006/papers/44.pdf +[paper](https://www.acsac.org/2006/papers/44.pdf) ## 简介 diff --git a/doc/8.12_aslr_on_the_line.md b/doc/8.12_aslr_on_the_line.md index e6bdd63..71c57be 100644 --- a/doc/8.12_aslr_on_the_line.md +++ b/doc/8.12_aslr_on_the_line.md @@ -1,6 +1,6 @@ # 8.12 ASLR on the Line: Practical Cache Attacks on the MMU -论文:https://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf +[paper](https://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf) ## 简介 diff --git a/doc/8.13_reverse_engineering.md b/doc/8.13_reverse_engineering.md index 177a9ce..6d72226 100644 --- a/doc/8.13_reverse_engineering.md +++ b/doc/8.13_reverse_engineering.md @@ -1,7 +1,7 @@ # 8.13 New Frontiers of Reverse Engineering -论文:http://reversingproject.info/project_repository/reversing_references/pdf/new_frontiers_of_reverse_engineering.pdf +[paper](http://reversingproject.info/project_repository/reversing_references/pdf/new_frontiers_of_reverse_engineering.pdf) ## What is your take-away message from this paper? This paper briefly presents an overview of the field of reverse engineering, reviews main achievements and areas of application, and highlights key open research issues for the future. diff --git a/doc/8.14_detecting_memory_allocators.md b/doc/8.14_detecting_memory_allocators.md index 6ab90dd..4cab45e 100644 --- a/doc/8.14_detecting_memory_allocators.md 
+++ b/doc/8.14_detecting_memory_allocators.md @@ -1,6 +1,6 @@ # 8.14 Who Allocated My Memory? Detecting Custom Memory Allocators in C Binaries -论文:https://www.cs.vu.nl/~herbertb/papers/membrush_wcre13.pdf +[paper](https://www.cs.vu.nl/~herbertb/papers/membrush_wcre13.pdf) ## 简介 diff --git a/doc/8.15_emu_vs_real.md b/doc/8.15_emu_vs_real.md index d0ee817..d20459e 100644 --- a/doc/8.15_emu_vs_real.md +++ b/doc/8.15_emu_vs_real.md @@ -1,7 +1,7 @@ # 8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning -论文:https://pure.qub.ac.uk/portal/files/127232616/IWSPA_codaspy_2017.pdf +[paper](https://pure.qub.ac.uk/portal/files/127232616/IWSPA_codaspy_2017.pdf) ## What is your take-away message from this paper? The authors present an investigation of machine learning based malware detection using dynamic analysis on real devices. diff --git a/doc/8.16_dynalog.md b/doc/8.16_dynalog.md index 957e41b..d1f1f98 100644 --- a/doc/8.16_dynalog.md +++ b/doc/8.16_dynalog.md @@ -1,7 +1,7 @@ # 8.16 DynaLog: An automated dynamic analysis framework for characterizing Android applications -论文:https://pure.qub.ac.uk/portal/files/93998809/DynaLog_2016.pdf +[paper](https://pure.qub.ac.uk/portal/files/93998809/DynaLog_2016.pdf) ## What is your take-away message from this paper? The authors presented DynaLog, a framework that enable automated mass dynamic analysis of applications in order to characterize them for analysis and potential detection of malicious behaviour. diff --git a/doc/8.17_actual_permissions.md b/doc/8.17_actual_permissions.md index 2264976..ac33a3a 100644 --- a/doc/8.17_actual_permissions.md +++ b/doc/8.17_actual_permissions.md 
@@ -1,7 +1,7 @@ # 8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls -论文:http://waset.org/publications/10005499 +[paper](http://waset.org/publications/10005499) ## What is your take-away message from this paper? The paper put forward a machine learning detection method that based on the actually used Permissions Combination and API calls. diff --git a/doc/8.18_malware_markov.md b/doc/8.18_malware_markov.md index a2cc5c7..f424cfb 100644 --- a/doc/8.18_malware_markov.md +++ b/doc/8.18_malware_markov.md @@ -1,7 +1,7 @@ # 8.18 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models -论文:http://discovery.ucl.ac.uk/1532047/1/Stringhini_mamadroid.pdf +[paper](http://discovery.ucl.ac.uk/1532047/1/Stringhini_mamadroid.pdf) ## What is your take-away message from this paper? This paper presented an Android malware detection system based on modeling the sequences of API calls as Markov chains. diff --git a/doc/8.19_droidnative.md b/doc/8.19_droidnative.md index 9bb367d..993b352 100644 --- a/doc/8.19_droidnative.md +++ b/doc/8.19_droidnative.md @@ -1,7 +1,7 @@ # 8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware -论文:http://pages.cs.wisc.edu/~vrastogi/static/papers/aqrcr17.pdf +[paper](http://pages.cs.wisc.edu/~vrastogi/static/papers/aqrcr17.pdf) ## What is your take-away message from this paper? The paper proposed DroidNative for detection of both bytecode and native code Android malware variants. diff --git a/doc/8.1_ret2libc_without_calls.md b/doc/8.1_ret2libc_without_calls.md index b6bf655..cbefaf1 100644 --- a/doc/8.1_ret2libc_without_calls.md +++ b/doc/8.1_ret2libc_without_calls.md 
@@ -1,7 +1,7 @@ # 8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) -论文:https://hovav.net/ucsd/dist/geometry.pdf +[paper](https://hovav.net/ucsd/dist/geometry.pdf) ## 简介 论文提出了一种 return-into-libc 的攻击方法,以对抗针对传统代码注入攻击的防御技术(W⊕X)。它不会调用到完整的函数,而是通过将一些被称作 gadgets 的指令片段组合在一起,形成指令序列,以达到任意代码执行的效果。这一技术为返回导向编程(Return-Oriented Programming)奠定了基础。 diff --git a/doc/8.20_droidanalytics.md b/doc/8.20_droidanalytics.md index edd658d..088828f 100644 --- a/doc/8.20_droidanalytics.md +++ b/doc/8.20_droidanalytics.md @@ -1,7 +1,7 @@ # 8.20 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware -论文:https://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/TRUST13DROIDANALYTICS.pdf +[paper](https://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/TRUST13DROIDANALYTICS.pdf) ## What is your take-away message from this paper? The authors present DroidAnalytics, an Android malware analytic system for malware collection, signature generation, information retrieval, and malware association based on similarity score. Furthermore, DroidAnalytics can efficiently detect zero-day repackaged malware. diff --git a/doc/8.21_tracing_to_detect_spraying.md b/doc/8.21_tracing_to_detect_spraying.md index 9d40522..550ca43 100644 --- a/doc/8.21_tracing_to_detect_spraying.md +++ b/doc/8.21_tracing_to_detect_spraying.md @@ -1,6 +1,6 @@ # 8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks -论文:https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cristalli.pdf +[paper](https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cristalli.pdf) ## 简介 diff --git a/doc/8.22_memory_checking.md b/doc/8.22_memory_checking.md index e13d1c6..6885e17 100644 --- a/doc/8.22_memory_checking.md +++ b/doc/8.22_memory_checking.md 
@@ -1,6 +1,6 @@ # 8.22 Practical Memory Checking With Dr. Memory -论文:http://groups.csail.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf +[paper](http://groups.csail.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf) ## 简介 diff --git a/doc/8.23_current_anti-rop.md b/doc/8.23_current_anti-rop.md index d187531..4cdc4df 100644 --- a/doc/8.23_current_anti-rop.md +++ b/doc/8.23_current_anti-rop.md @@ -1,6 +1,6 @@ # 8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses -论文:https://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/05/09/TR-HGI-2014-001_1_1.pdf +[paper](https://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/05/09/TR-HGI-2014-001_1_1.pdf) ## 简介 diff --git a/doc/8.24_runtime_re-randomization.md b/doc/8.24_runtime_re-randomization.md index 51d49d3..ccc1251 100644 --- a/doc/8.24_runtime_re-randomization.md +++ b/doc/8.24_runtime_re-randomization.md @@ -1,6 +1,6 @@ # 8.24 How to Make ASLR Win the Clone Wars: Runtime Re-Randomization -论文:https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/aslr-clone-wars.pdf +[paper](https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/aslr-clone-wars.pdf) ## 简介 diff --git a/doc/8.25_angr.md b/doc/8.25_angr.md index b40723f..134cc8a 100644 --- a/doc/8.25_angr.md +++ b/doc/8.25_angr.md @@ -1,7 +1,10 @@ # 8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis -论文:https://www.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf +[paper](https://www.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf) +[slides](https://docs.google.com/presentation/d/1t7KaCMc73z7WdV7EcL0z9TSHlT_kjdMdSrPHtpA6ezc/edit#slide=id.ga5363f155_3_76) +[video](https://www.youtube.com/watch?v=ONuLsVcaHB8) +[source](https://github.com/angr/angr) ## 简介 这篇文章提出了一个二进制分析框架,并实现了许多现有的分析技术。通过将这些技术系统化地实现,可以让其他研究人员直接利用并开发新的技术。此外,在统一框架中实现这些技术可以更直接地进行比较,并确定各自的优缺点。 diff --git a/doc/8.26_driller.md b/doc/8.26_driller.md index 0125458..3d00d3c 100644 --- a/doc/8.26_driller.md +++ b/doc/8.26_driller.md 
@@ -1,7 +1,7 @@ # 8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution -论文:http://cs.ucsb.edu/~chris/research/doc/ndss16_driller.pdf +[paper](http://cs.ucsb.edu/~chris/research/doc/ndss16_driller.pdf) ## 简介 这篇文章提出了 Driller,这是一种混合漏洞挖掘工具,它以互补的方式将模糊测试和选择性混合执行结合起来,以发现隐藏更深的漏洞。模糊测试用于探索程序空间的不同区间,并使用混合执行来生成满足不同区间的输入。 diff --git a/doc/8.27_firmalice.md b/doc/8.27_firmalice.md index ccf676c..7f0b3f5 100644 --- a/doc/8.27_firmalice.md +++ b/doc/8.27_firmalice.md @@ -1,7 +1,9 @@ # 8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware -论文:https://seclab.cs.ucsb.edu/media/uploads/papers/firmalice.pdf +[paper](https://seclab.cs.ucsb.edu/media/uploads/papers/firmalice.pdf) +[slides](https://docs.google.com/presentation/d/1kwObiKZsPSpxM0uZByzeRTaLC7RS1E2C7UR6HxD7Y1Y/edit#slide=id.g1d1712ddc1_0_0) +[video](https://www.youtube.com/watch?v=Fi_S2F7ud_g) ## 简介 这篇文章提出了 Firmalice,一种二进制分析框架,以支持对嵌入式设备上所运行的固件进行分析。Firmalice 构建在符号执行引擎之上,并且提供了程序切片之类的技术来提高其可扩展性。此外,Firmalice 构建了一种新型的认证旁路漏洞模型,基于攻击者的能力来确定执行特权操作所需要的输入。 diff --git a/doc/8.28_cross_arch_bug.md b/doc/8.28_cross_arch_bug.md index 543b39c..fb7def3 100644 --- a/doc/8.28_cross_arch_bug.md +++ b/doc/8.28_cross_arch_bug.md @@ -1,9 +1,12 @@ # 8.28 Cross-Architecture Bug Search in Binary Executables -论文:https://christian-rossow.de/publications/crossarch-ieee2015.pdf +[paper](https://christian-rossow.de/publications/crossarch-ieee2015.pdf) +[video](https://www.youtube.com/watch?v=1LELf0Ml1-w) ## 简介 +这篇文章提出了一个系统来导出已知漏洞的漏洞签名(bug signatures),然后可以利用这些签名来查找不同 CPU 架构(x86、ARM和MIPS)上的其他二进制文件中的漏洞。 + ## 方法 diff --git a/doc/8.29_dynamic_hooks.md b/doc/8.29_dynamic_hooks.md index f744735..b5b5b2d 100644 --- a/doc/8.29_dynamic_hooks.md +++ b/doc/8.29_dynamic_hooks.md 
@@ -1,6 +1,6 @@ # 8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data -论文:https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-vogl.pdf +[paper](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-vogl.pdf) ## 简介 diff --git a/doc/8.2_rop_without_ret.md b/doc/8.2_rop_without_ret.md index 810ed01..ba9c490 100644 --- a/doc/8.2_rop_without_ret.md +++ b/doc/8.2_rop_without_ret.md @@ -1,7 +1,7 @@ # 8.2 Return-Oriented Programming without Returns -论文:https://www2.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf +[paper](https://www2.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) ## 简介 论文提出了一种不依赖于使用 return 指令的 ROP 技术。这种攻击方法是在 libc 中找到一些特定的指令序列,来替代 return 指令,完成和 return 同样的工作。这些指令具备图灵完备性,已经在 (x86)Linux 和 (ARM)Android 中被证实。 
@@ -70,3 +70,89 @@ pop %eax; jmp *(%eax) 下图是一个函数调用的示例: ![](../pic/8.2_function.png) + +通过 gadget 来实现函数调用一方面可以调用正常的返回导向指令序列,另一方面可以调用合法的函数(需要移动栈指针以及处理返回值)。在函数调用之前,栈指针应该被移动到一个新的位置,以防改写栈上的其他 gadget。如果函数执行时栈指针位于位置 n,那么 k 个参数应该被保存在 n+4, n+8, ... , n+4k。然后函数调用 gadget 从而调用函数 A -> fun(arg1, arg2, ..., argn)。 + +1. 装载寄存器 esi, ebp 和 eax。 + +- 将 catalog 中 call-jump 序列的地址装入 esi 寄存器: +``` +pop %esi; or $0xf3, %al; jmp *(%edx); + +# call-jump 序列: call *-0x56000A00(%ecx); add %bh, %bl; inc %ebc; add %bj, %dh; jmp *%edi; +``` +- 将 catalog 中 leave-jump 序列的地址装入 ebp 寄存器: +``` +pop %ebp; or $0xf3, %al; jmp *(%edx); + +# leave-jump 序列:leave; sar %cl, %bl; jmp *-0x7d(%ebp); +``` +- 将值 0xb+n 装入 eax 寄存器: +``` +pop %eax; sub %dh, %bl; jmp *(%edx); +``` + +2. call-jump 序列的地址位于地址 n,将值 0x38 装入寄存器 esi,并加上栈指针的值。此时 esi 保存了一个地址,在函数调用返回时会将栈指针设置为该地址。 +``` +mov %esi, -0xB(%eax); jmp *(%edx); + +pop %esi; or $0xf3, %al; jmp *(%edx); + +add %esp, %esi; jmp *(%edx); +``` + +3. 将函数返回时栈指针的值赋值给 ebp。 + +- 先将函数返回的栈指针保存到 esi 指向的内存中: +``` +pop %eax; sub %dh, %bl; jmp *(%edx); + +mov %esi, -0xB(%eax); jmp *(%edx); +``` +- 将上一步存放的栈指针取出来放入 edi 寄存器: +``` +pop %eax; sub %dh, %bl; jmp *(%edx); + +mov -0xD(%eax), %edi; jmp *(%edx); +``` +- 通过 xchg 交换 edi 和 ebp: +``` +xchg %ebp, %edi; jmp *(%edx); +``` +此时,edi 中保存 leave-jump 序列的地址,ebp 保存函数返回后的栈指针地址。 + +4. 将 `pop %ebx; jmp *(%ebx);` 序列的地址装入 esi,保存函数地址的指针(加上偏移量)装入 ecx,将值 n 装入 eax。交换 esp 和 eax 的值,使得栈指针被设置为 n。 +``` +pop %esi; or $0xf3, %al; jmp *(%edx); + +pop %ecx; cmp %dh, %dh; jmp *(%edx); + +pop %eax; sub %dh, %bl; jmp *(%edx); + +xchg %esp, %eax; dec %ebx; std; jmp *0(%esi); +``` + +5. 由于 n 保存了 call-jump 序列的地址,此时 call-jump 序列被调用,即函数被间接调用。函数返回后,eax 保存了返回值。由于 edi 保存了 leave-jump 序列的地址,因此 leave-jump 序列被调用,将 ebp 赋值给 esp,并从栈顶 pop 出新的 ebp: +``` +pop %ebx; jmp *(%ebx); + +call *-0x56000A00(%ecx); add %bh, %bl; inc %ebc; add %bj, %dh; jmp *%edi; + +leave; sar %cl, %bl; jmp *-0x7d(%ebp); +``` +此时 ebp 指向 `pop %ebx; jmp *(%ebx);`,然后 jmp 过去。 + +6. 
将 eax 里的返回值保存到内存: +``` +pop %ebx; jmp *(%ebx); + +pop %edx; jmp *(%edx); + +xchg %esi, %eax; and %dh, %dh; jmp *(%edx); + +pop %eax; sub %dh, %bl; jmp *(%edx); + +mov &esi, -0xB(%eax); jmp *(%edx); +``` + +在另一篇论文里,几乎同时提出了这种基于 jmp 指令的攻击方法,即跳转导向编程(Jump-Oriented Programming),参考章节 8.47。 diff --git a/doc/8.30_prevent_brute_force_canary.md b/doc/8.30_prevent_brute_force_canary.md index 5ccb728..8c317aa 100644 --- a/doc/8.30_prevent_brute_force_canary.md +++ b/doc/8.30_prevent_brute_force_canary.md @@ -1,6 +1,6 @@ # 8.30 Preventing brute force attacks against stack canary protection on networking servers -论文:http://hmarco.org/data/Preventing_brute_force_attacks_against_stack_canary_protection_on_networking_servers.pdf +[paper](http://hmarco.org/data/Preventing_brute_force_attacks_against_stack_canary_protection_on_networking_servers.pdf) ## 简介 diff --git a/doc/8.31_wysinwyx.md b/doc/8.31_wysinwyx.md index 21ba4b0..ff8c396 100644 --- a/doc/8.31_wysinwyx.md +++ b/doc/8.31_wysinwyx.md @@ -1,6 +1,6 @@ # 8.31 WYSINWYX What You See Is Not What You eXecute -论文:http://research.cs.wisc.edu/wpis/papers/wysinwyx.final.pdf +[paper](http://research.cs.wisc.edu/wpis/papers/wysinwyx.final.pdf) ## 简介 diff --git a/doc/8.32_mayhem.md b/doc/8.32_mayhem.md index 959f76f..e8c2215 100644 --- a/doc/8.32_mayhem.md +++ b/doc/8.32_mayhem.md @@ -1,6 +1,6 @@ # 8.32 Unleashing MAYHEM on Binary Code -论文:http://www.cse.psu.edu/~trj1/cse597-s13/docs/binary_mayhem_oakland_12.pdf +[paper](http://www.cse.psu.edu/~trj1/cse597-s13/docs/binary_mayhem_oakland_12.pdf) ## 简介 diff --git a/doc/8.33_ucklee.md b/doc/8.33_ucklee.md index 02d842b..fff015e 100644 --- a/doc/8.33_ucklee.md +++ b/doc/8.33_ucklee.md @@ -1,6 +1,6 @@ # 8.33 Under-Constrained Symbolic Execution: Correctness Checking for Real Code -论文:https://cseweb.ucsd.edu/~dstefan/cse291-winter18/papers/ucklee.pdf +[paper](https://cseweb.ucsd.edu/~dstefan/cse291-winter18/papers/ucklee.pdf) ## 简介 
diff --git a/doc/8.34_veritesting.md b/doc/8.34_veritesting.md index 56010c6..dc2729a 100644 --- a/doc/8.34_veritesting.md +++ b/doc/8.34_veritesting.md @@ -1,6 +1,6 @@ # 8.34 Enhancing Symbolic Execution with Veritesting -论文:https://users.ece.cmu.edu/~aavgerin/papers/veritesting-icse-2014.pdf +[paper](https://users.ece.cmu.edu/~aavgerin/papers/veritesting-icse-2014.pdf) ## 简介 diff --git a/doc/8.35_q.md b/doc/8.35_q.md index 69ae7c6..2ab910d 100644 --- a/doc/8.35_q.md +++ b/doc/8.35_q.md @@ -1,6 +1,6 @@ # 8.35 Q: Exploit Hardening Made Easy -论文:http://static.usenix.org/legacy/events/sec11/tech/full_papers/Schwartz.pdf +[paper](http://static.usenix.org/legacy/events/sec11/tech/full_papers/Schwartz.pdf) ## 简介 diff --git a/doc/8.36_survey_symbolic_execution.md b/doc/8.36_survey_symbolic_execution.md index 9c5e41a..c53944f 100644 --- a/doc/8.36_survey_symbolic_execution.md +++ b/doc/8.36_survey_symbolic_execution.md @@ -1,6 +1,6 @@ # 8.36 A Survey of Symbolic Execution Techniques -论文:http://season-lab.github.io/papers/survey-symbolic-execution-preprint-CSUR18.pdf +[paper](http://season-lab.github.io/papers/survey-symbolic-execution-preprint-CSUR18.pdf) ## 简介 diff --git a/doc/8.37_cute.md b/doc/8.37_cute.md index 6154b7c..f06eb67 100644 --- a/doc/8.37_cute.md +++ b/doc/8.37_cute.md @@ -1,6 +1,6 @@ # 8.37 CUTE: A Concolic Unit Testing Engine for C -论文:http://mir.cs.illinois.edu/marinov/publications/SenETAL05CUTE.pdf +[paper](http://mir.cs.illinois.edu/marinov/publications/SenETAL05CUTE.pdf) ## 简介 diff --git a/doc/8.38_tainteraser.md b/doc/8.38_tainteraser.md index 720813f..2e8a99d 100644 --- a/doc/8.38_tainteraser.md +++ b/doc/8.38_tainteraser.md @@ -1,6 +1,6 @@ # 8.38 TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking -论文:http://people.eecs.berkeley.edu/~dawnsong/papers/2011%20tainteraser%20p142-zhu.pdf +[paper](http://people.eecs.berkeley.edu/~dawnsong/papers/2011%20tainteraser%20p142-zhu.pdf) ## 简介 
diff --git a/doc/8.39_dart.md b/doc/8.39_dart.md index eb9287a..4e49523 100644 --- a/doc/8.39_dart.md +++ b/doc/8.39_dart.md @@ -1,6 +1,6 @@ # 8.39 DART: Directed Automated Random Testing -论文:https://web.eecs.umich.edu/~weimerw/2011-6610/reading/p213-godefroid.pdf +[paper](https://web.eecs.umich.edu/~weimerw/2011-6610/reading/p213-godefroid.pdf) ## 简介 diff --git a/doc/8.3_rop_rootkits.md b/doc/8.3_rop_rootkits.md index c66f18e..a7dc649 100644 --- a/doc/8.3_rop_rootkits.md +++ b/doc/8.3_rop_rootkits.md @@ -1,7 +1,7 @@ # 8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms -论文:https://www.usenix.org/legacy/event/sec09/tech/full_papers/hund.pdf +[paper](https://www.usenix.org/legacy/event/sec09/tech/full_papers/hund.pdf) ## 简介 本论文设计并实现了一个能够自动化构建 ROP 指令序列的攻击系统。由于系统使用的指令序列来自内核已有的代码,而不需要进行代码注入,所以能够绕过内核代码完整性保护机制。 diff --git a/doc/8.40_exe.md b/doc/8.40_exe.md index 8817605..19b5d51 100644 --- a/doc/8.40_exe.md +++ b/doc/8.40_exe.md @@ -1,6 +1,6 @@ # 8.40 EXE: Automatically Generating Inputs of Death -论文:https://web.stanford.edu/~engler/exe-ccs-06.pdf +[paper](https://web.stanford.edu/~engler/exe-ccs-06.pdf) ## 简介 diff --git a/doc/8.41_intpatch.md b/doc/8.41_intpatch.md index b391c7c..7e76ede 100644 --- a/doc/8.41_intpatch.md +++ b/doc/8.41_intpatch.md @@ -1,6 +1,6 @@ # 8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time -论文:https://llvm.org/pubs/2010-09-ESORICS-FixOverflows.pdf +[paper](https://llvm.org/pubs/2010-09-ESORICS-FixOverflows.pdf) ## 简介 diff --git a/doc/8.42_taintcheck.md b/doc/8.42_taintcheck.md index 1ca31b3..5e6b1ef 100644 --- a/doc/8.42_taintcheck.md +++ b/doc/8.42_taintcheck.md @@ -1,6 +1,6 @@ # 8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software -论文:http://valgrind.org/docs/newsome2005.pdf +[paper](http://valgrind.org/docs/newsome2005.pdf) ## 简介 
diff --git a/doc/8.43_dta++.md b/doc/8.43_dta++.md index 1458631..45958b3 100644 --- a/doc/8.43_dta++.md +++ b/doc/8.43_dta++.md @@ -1,6 +1,6 @@ # 8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation -论文:http://bitblaze.cs.berkeley.edu/papers/dta%2B%2B-ndss11.pdf +[paper](http://bitblaze.cs.berkeley.edu/papers/dta%2B%2B-ndss11.pdf) ## 简介 diff --git a/doc/8.44_multiverse.md b/doc/8.44_multiverse.md index 40e30fd..68cbcda 100644 --- a/doc/8.44_multiverse.md +++ b/doc/8.44_multiverse.md @@ -1,6 +1,6 @@ # 8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics -http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_05A-4_Bauman_paper.pdf +[paper](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_05A-4_Bauman_paper.pdf) ## 简介 diff --git a/doc/8.45_ramblr.md b/doc/8.45_ramblr.md new file mode 100644 index 0000000..84479ec --- /dev/null +++ b/doc/8.45_ramblr.md @@ -0,0 +1,8 @@ +# 8.45 Ramblr: Making Reassembly Great Again + + +[paper](https://www.cs.ucsb.edu/~vigna/publications/2017_NDSS_Ramblr.pdf) +[slides](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/ndss2017_10-5-wang_slides.pdf) +[video](https://www.youtube.com/watch?v=_BIamPJE8EQ) + +## 简介 diff --git a/doc/8.46_freeguard.md b/doc/8.46_freeguard.md new file mode 100644 index 0000000..d6b595a --- /dev/null +++ b/doc/8.46_freeguard.md @@ -0,0 +1,9 @@ +# 8.46 FreeGuard: A Faster Secure Heap Allocator + + +[paper](http://web.cse.ohio-state.edu/~lin.3021/file/CCS17c.pdf) +[slides](https://www.utdallas.edu/~zxl111930/file/CCS17c.pptx) +[video](https://www.youtube.com/watch?v=fR9Dyzl7Rhw) +[source](https://github.com/UTSASRG/FreeGuard) + +## 简介 diff --git a/doc/8.47_jop.md b/doc/8.47_jop.md new file mode 100644 index 0000000..ef8f18e --- /dev/null +++ b/doc/8.47_jop.md 
@@ -0,0 +1,6 @@ +# 8.47 Jump-Oriented Programming: A New Class of Code-Reuse Attack + + +[paper](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) + +## 简介 diff --git a/doc/8.4_ropdefender.md b/doc/8.4_ropdefender.md index 6a737b5..7bb8278 100644 --- a/doc/8.4_ropdefender.md +++ b/doc/8.4_ropdefender.md @@ -1,7 +1,7 @@ # 8.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks -论文:https://www.ei.ruhr-uni-bochum.de/media/trust/veroeffentlichungen/2010/12/14/HGI-TR-2010-001.pdf +[paper](https://www.ei.ruhr-uni-bochum.de/media/trust/veroeffentlichungen/2010/12/14/HGI-TR-2010-001.pdf) ## 简介 论文设计并实现了工具 ROPdefender,可以动态地检测传统的 ROP 攻击(基于return指令)。ROPdefender 可以由用户来执行,而不依赖于源码、调试信息等在现实中很难获得的信息。 diff --git a/doc/8.5_dop.md b/doc/8.5_dop.md index 4e5af27..8d94772 100644 --- a/doc/8.5_dop.md +++ b/doc/8.5_dop.md @@ -1,6 +1,6 @@ # 8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks -论文:https://www.comp.nus.edu.sg/~shweta24/publications/dop_oakland16.pdf +[paper](https://www.comp.nus.edu.sg/~shweta24/publications/dop_oakland16.pdf) ## 简介 diff --git a/doc/8.6_brop.md b/doc/8.6_brop.md index 82b16d9..e970120 100644 --- a/doc/8.6_brop.md +++ b/doc/8.6_brop.md @@ -1,6 +1,6 @@ # 8.6 Hacking Blind -论文:http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf +[paper](http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf) ## 简介 diff --git a/doc/8.7_jit-rop_defenses.md b/doc/8.7_jit-rop_defenses.md index 9da8452..f9be08e 100644 --- a/doc/8.7_jit-rop_defenses.md +++ b/doc/8.7_jit-rop_defenses.md @@ -1,6 +1,6 @@ # 8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses -论文:https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_maisuradze.pdf +[paper](https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_maisuradze.pdf) ## 简介 diff --git a/doc/8.8_dta_and_fse.md b/doc/8.8_dta_and_fse.md index bbd0799..386ce4d 100644 --- a/doc/8.8_dta_and_fse.md 
+++ b/doc/8.8_dta_and_fse.md @@ -1,6 +1,6 @@ # 8.8 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask) -论文:https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf +[paper](https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf) ## 简介 diff --git a/doc/8.9_symbolic_execution.md b/doc/8.9_symbolic_execution.md index 5b04c83..1af8a3e 100644 --- a/doc/8.9_symbolic_execution.md +++ b/doc/8.9_symbolic_execution.md @@ -1,7 +1,7 @@ # 8.9 Symbolic Execution for Software Testing: Three Decades Later -论文:https://people.eecs.berkeley.edu/~ksen/papers/cacm13.pdf +[paper](https://people.eecs.berkeley.edu/~ksen/papers/cacm13.pdf) ## 简介 近几年符号执行因其在生成高覆盖率的测试用例和发现复杂软件漏洞的有效性再次受人关注。这篇文章对现代符号执行技术进行了概述,讨论了这些技术在路径探索,约束求解和内存建模方面面临的主要挑战,并讨论了几个主要从作者自己的工作中获得的解决方案。 diff --git a/doc/8_academic.md b/doc/8_academic.md index dd4c2ba..d4db64f 100644 --- a/doc/8_academic.md +++ b/doc/8_academic.md @@ -47,3 +47,6 @@ * [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](8.42_taintcheck.md) * [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](8.43_dta++.md) * [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](8.44_multiverse.md) +* [8.45 Ramblr: Making Reassembly Great Again](8.45_ramblr.md) +* [8.46 FreeGuard: A Faster Secure Heap Allocator](8.46_freeguard.md) +* [8.47 Jump-Oriented Programming: A New Class of Code-Reuse Attack](8.47_jop.md) diff --git a/src/others/3.1.6_heap_exploit/house_of_spirit.c b/src/others/3.1.6_heap_exploit/house_of_spirit.c index 5e96581..08e7a54 100644 --- a/src/others/3.1.6_heap_exploit/house_of_spirit.c +++ b/src/others/3.1.6_heap_exploit/house_of_spirit.c 
@@ -11,8 +11,8 @@ int main() { fprintf(stderr, "The first one: %p\n", &fake_chunks[0]); fprintf(stderr, "The second one: %p\n", &fake_chunks[4]); - fake_chunks[1] = 0x20; // the size - fake_chunks[5] = 0x1234; // nextsize + fake_chunks[1] = 0x20; // the size + fake_chunks[5] = 0x1234; // nextsize fake_chunks[2] = 0x4141414141414141LL; fake_chunks[6] = 0x4141414141414141LL;
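Review bot: the new cross-reference in doc/3.1.6_heap_exploit_1.md, `house-of-spirit 在 libc-2.26 下的利用可以查看章节 4.14。`, points at a section 4.14 that this patch neither adds nor shows (the SUMMARY.md context stops at 4.13), so please confirm the target exists and link it with a relative Markdown link, as the entries in doc/4_tips.md do, rather than a bare section number that goes stale when chapters are renumbered.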
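Review bot: doc/4.10_jop.md is added as a single heading, `# 4.10 跳转导向编程(JOP)`, yet SUMMARY.md and doc/4_tips.md now link to it; either land some content with it (at minimum the paper link and a pointer to 8.47, both of which this patch adds elsewhere) or keep the TOC entry as the unlinked placeholder it was, as 4.11 still is, until the page has a body.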
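Review bot: in the function-call walkthrough added to doc/8.2_rop_without_ret.md, the call-jump sequence quoted in step 1 and again in step 5, `call *-0x56000A00(%ecx); add %bh, %bl; inc %ebc; add %bj, %dh; jmp *%edi;`, names registers that do not exist on x86 (`%ebc`, `%bj`; presumably `%ebx` and `%bh`), and the last gadget of step 6, `mov &esi, -0xB(%eax); jmp *(%edx);`, should read `%esi` as the same gadget does in steps 2 and 3. The symbol n is also overloaded: it is the stack position in "k 个参数应该被保存在 n+4, n+8, ... , n+4k" and in "将值 n 装入 eax", but the argument count in "fun(arg1, arg2, ..., argn)"; keep k for the argument count. Step 2 would read more easily if it said that, because eax holds 0xb+n, its first gadget `mov %esi, -0xB(%eax)` writes the call-jump address loaded in step 1 to address n, which is the fact the next sentence relies on. Finally, "参考章节 8.47" is a bare number; a relative link to 8.47_jop.md, as 8_academic.md uses, would be consistent with the rest of the docs.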
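Review bot: in the 8.25, 8.27, 8.28, 8.45 and 8.46 hunks the added `[paper](…)`, `[slides](…)`, `[video](…)` and `[source](…)` lines are consecutive lines with no blank line or trailing double space between them, so Markdown will fold them into one paragraph and render all the links on a single line; if one link per line is intended, make them a bullet list (the style SUMMARY.md and 8_academic.md already use) or end each line with two spaces.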
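Review bot: the three new pages doc/8.45_ramblr.md, doc/8.46_freeguard.md and doc/8.47_jop.md end with an empty `## 简介` section and put two blank lines between the title and the first link, unlike the existing pages (8.25, for example, has one); drop the extra blank line, and either fill in 简介 or leave the heading out until there is a summary, since an empty section renders as a dangling heading and the SUMMARY.md and 8_academic.md entries now advertise pages with no content.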