XysDiary

22-03-28

Got the rejection letter from Hengrun. Applications to the big companies go unanswered, the small ones reject me right after the interview; I'm slowly getting used to it. Weak skills plus too much time playing around, and this is what it gets you. Thinking about a third attempt at the exam.

Router Day05: HTTP

HTTP

The web server is the vulnerable component of a router, and communicating with it requires the HTTP protocol.

For HTTP requests, I guess the writer used the IBM doc (https://www.ibm.com/docs/en/cics-ts/5.3?topic=protocol-http-requests).

A correctly composed HTTP request contains the following elements:
1. A request line.
2. A series of HTTP headers, or header fields.
3. A message body, if needed.

HTTP request line

The request line begins with a method, followed by the requested URI and the protocol version, all separated by spaces.

```http
Method Request-URI HTTP-Version CRLF        // template
GET /software/htp/cics/index.html HTTP/1.1  // instance
```

CRLF means 'carriage return and line feed'. The methods can be seen in the picture below.
[image]

GET: simple to encode, but using GET to submit form data introduces security risks (the data ends up in the URL), and it can't submit large amounts of data.
POST: a replacement for GET, used to submit form data to the web server, especially large amounts of data.

HTTP message header

An HTTP message is either a C-S (client-to-server) request or an S-C (server-to-client) response, so HTTP messages include request messages and response messages. We can structure these as fuzzing data: the request side is what we care about, responses are not.

Request message headers let the client send additional information with the request, as well as information about the client itself.
The format is: Name + ':' + space + value
Message headers:
Accept: tells the server what resource the client wants to accept.
Accept-Encoding: specifies acceptable content encodings.
Cookie: gives the server the cookie to check.
Accept-Language: specifies a language.
Authorization: proves the client's right to access some resource (S-C: 401, C-S: Authorization).
Host: specifies the host and port number of the resource provider, usually taken from the HTTP URL. Required when sending a request.
User-Agent: lets the client give its OS, browser and other attributes to the server. Not required.

HTTP message body

Between the header and the body there is a blank line that marks the end of the header.
The body carries what the client submits, such as a query string.
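As an added example (not code from the original post or the IBM document), here is a Python helper that assembles a request from the three parts above and parses one back, plus a small generator that varies one header value so the same structure can serve as fuzzing input against a router's web server. The host, paths and header values are constructed samples.

```python
# Added example: compose/parse an HTTP/1.1 request with the three parts described
# above (request line, headers, blank line, body). All sample values are constructed.

CRLF = b"\r\n"

def build_request(method, uri, headers=None, body=b"", version="HTTP/1.1"):
    """Return the raw bytes of a request: request line, headers, blank line, body."""
    hdrs = dict(headers or {})
    if body and "Content-Length" not in hdrs:
        hdrs["Content-Length"] = str(len(body))  # lets the server find the end of the body
    lines = [f"{method} {uri} {version}".encode()]
    lines += [f"{name}: {value}".encode() for name, value in hdrs.items()]  # Name + ':' + space + value
    return CRLF.join(lines) + CRLF + CRLF + body

def parse_request(raw):
    """Split raw bytes back into (method, uri, version, headers, body)."""
    head, sep, body = raw.partition(CRLF + CRLF)  # the blank line ends the header block
    if not sep:
        raise ValueError("no blank line terminating the headers")
    request_line, *header_lines = head.split(CRLF)
    method, uri, version = request_line.decode().split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode().partition(":")
        headers[name.strip()] = value.strip()
    length = int(headers.get("Content-Length", 0))
    return method, uri, version, headers, body[:length]

def fuzz_header_values(method, uri, headers, name, values):
    """Yield one request per candidate value of header `name` (requests are what we mutate)."""
    for v in values:
        h = dict(headers)
        h[name] = v
        yield build_request(method, uri, h)

if __name__ == "__main__":
    req = build_request("GET", "/software/htp/cics/index.html",
                        {"Host": "192.168.1.1", "User-Agent": "fuzzer/0.1"})
    print(req.decode())
    for r in fuzz_header_values("GET", "/", {"Host": "192.168.1.1"},
                                "User-Agent", ["A" * 8, "A" * 2048]):
        print(len(r), "bytes")
```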

Router Day04: MIPS32

MIPS Assembly language

I use the book mentioned earlier (pages 34-38) to learn this; this URL can also be used: https://blog.csdn.net/ben_chong/article/details/51794392

Rs: first source operand register
Rt: second source operand register
Rd: destination register that stores the operation's result

Pipeline Effect

(1) LOAD/STORE

Load Address: load an address or a label

```mips
la $Rd,Label        # $Rd = Label
```

Load Immediate: load an immediate into a register

```mips
li $Rd,imm          # $Rd = imm
```

Load Word: load a word-sized value from a given address into a register

```mips
lw $Rt,offset($Rs)  # $Rt = MEM[$Rs + offset]
```

Store Word: save the value of the source register to the given address

```mips
sw $Rt,offset($Rs)  # MEM[$Rs + offset] = $Rt, e.g. sw $a0,0($sp) stores $a0 at MEM[$sp+0]
```

Move: copy a value from register to register

```mips
move $t5,$t1        # $t5 = $t1
```

(2) Arithmetic instructions

All these instructions take only registers as operands: no RAM address or indirect addressing!
[image]
For multiply and divide, the HI and LO registers are used differently.

(3) Comparison instructions

MIPS has no flag register. Instead there is a family of instructions, the SLT series, that set a register after a comparison and can be used together with the branch instructions.

SLT: signed $Rs < $Rt, then $Rd = 1, else $Rd = 0

```mips
slt $Rd,$Rs,$Rt
```

SLTI: signed $Rs < Imm, then $Rt = 1, else $Rt = 0

```mips
slti $Rt,$Rs,Imm
```

SLTU: unsigned $Rs < $Rt, then $Rd = 1, else $Rd = 0

```mips
sltu $Rd,$Rs,$Rt
```

SLTIU: unsigned $Rs < Imm, then $Rt = 1, else $Rt = 0

```mips
sltiu $Rt,$Rs,Imm
```

In the SLT family, when there are 3 arguments, is the first always the one that gets set to 1 or 0?
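Added example (not from the original post or the book): a Python model of the four SLT instructions on 32-bit values, showing why the signed and unsigned variants disagree on the same bit pattern and how the 16-bit immediate is sign-extended (for sltiu too, before the unsigned compare). All register values are constructed.

```python
# Added example: semantics of slt/sltu/slti/sltiu on MIPS32. Constructed values only.

MASK32 = 0xFFFFFFFF

def to_signed32(x):
    """Interpret a 32-bit pattern as two's-complement."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x

def sign_extend16(imm):
    """MIPS sign-extends the 16-bit immediate of slti/sltiu to 32 bits."""
    imm &= 0xFFFF
    return (imm - 0x10000) & MASK32 if imm & 0x8000 else imm

def slt(rs, rt):                                   # slt $Rd,$Rs,$Rt
    return int(to_signed32(rs) < to_signed32(rt))

def sltu(rs, rt):                                  # sltu $Rd,$Rs,$Rt
    return int((rs & MASK32) < (rt & MASK32))

def slti(rs, imm):                                 # slti $Rt,$Rs,Imm
    return slt(rs, sign_extend16(imm))

def sltiu(rs, imm):                                # sltiu $Rt,$Rs,Imm (imm still sign-extended)
    return sltu(rs, sign_extend16(imm))

def branch_if_less(rs, rt, signed=True):
    """The usual companion idiom: slt $t0,$Rs,$Rt followed by bne $t0,$zero,label.
    Returns True when the branch would be taken."""
    t0 = slt(rs, rt) if signed else sltu(rs, rt)
    return t0 != 0                                  # bne $t0,$zero

if __name__ == "__main__":
    a, b = 0xFFFFFFFF, 1          # -1 vs 1 as signed; 4294967295 vs 1 as unsigned
    print(slt(a, b), sltu(a, b))  # 1 0
    print(sltiu(0, 0xFFFF))       # 1: 0xFFFF sign-extends to 0xFFFFFFFF, the unsigned maximum
```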

(4) SYSCALL

Raise a software interrupt to make a system call. The system call number goes in $v0 and the arguments in $a0~$a3.
[image]

(5) Branch instructions

A branch compares the values of 2 registers, so to branch on an immediate, put the immediate into a register first.
[image]

(6) Jump instructions

[image]

Data Structure Day01

To learn about data structures, I chose the Tsinghua University course on MOOC.

Chapter 1

A.1

‘Computing’ & ‘Computer’

A.2

'Rope Computer'

Input: a line L and a point A on L

Output: construct the perpendicular to L through A

Take a rope divided into 12 equal parts; mark point B 4 units from A and point C 3 units from A on the other side.

Then lay A and B on the rope along L and pull the rope taut into a triangle (the 3-4-5 triangle gives a right angle at A).

"computer": a tool that can be used repeatedly and mechanically

A.3

'Ruler Computer'

Router Day03: Getting Started

Something to say

Lots of things have just taken place in my life: graduation, taking my postgraduate exam for the second time... However, after all this, I woke up seeing all my teammates heading toward a promising future while I just have my silver LoL account with 4000+ hours of play time. So I set myself some simple goals. Within 5 years, I'll be at that Pwn2Own match. Just watch, dudes. XySherlock is coming! From now on, I'll write all my tech blogs in English. This aims at practicing my English skills and also making it easier to read papers, or just getting familiar with English.
So much for chatting; let's start working toward the daydream!

Preparation

To start, I got the book 《揭秘家用路由器0day漏洞技术》 for my router security study. If any foreign friends are reading my blog, don't be envious; I felt the same as you do now whenever some awesome English book came out. XD

22/01/03-22/01/05

Learned the basic operations of GCC & GDB, and got my Ubuntu 16 virtual environment back.
These tasks are simple, but I still ran into some problems.

Problems

  1. What's the relationship between the stack, a stack frame, and a frame?
    Some related material:
    https://zhuanlan.zhihu.com/p/77663680
    https://blog.csdn.net/ylyuanlu/article/details/18947951
    https://blog.csdn.net/yu97271486/article/details/80425089

The stack is a data structure. Every time a function call takes place, the compiler uses ebp (extended base pointer) to maintain an independent stack frame on the call stack.

Using ebp needs some more explanation. The stack is a FILO structure, and it grows from high addresses toward low addresses. EBP is therefore also called the frame pointer, and ESP (extended stack pointer) the stack pointer.

  2. How does x86 hardware implement the stack and the heap? What techniques are there around the heap?

Learn Data structure(0/100)

  3. Why does PC-relative addressing shift 2 bits left and sign-extend?

About MIPS addressing I found:
https://www.cs.uregina.ca/Links/class-info/201/SPIM-AddressingMode/lecture.html
https://www.youtube.com/watch?v=Nkia4IWTEA4

To turn a word offset into a byte offset there is the "shift two to the left", e.g. 3 (011) becomes 12 (01100).

And I think these two images might be used often:
[image]
[image]
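Added example (not from the original post or the linked lecture): encoding and decoding the PC-relative offset of a MIPS branch, which shows why the 16-bit field is sign-extended and shifted left by two, and how far such a branch can reach. The addresses are constructed.

```python
# Added example: MIPS branch offset field <-> target address. Constructed addresses.

MASK32 = 0xFFFFFFFF

def sign_extend16(field):
    """Treat the 16-bit field as a signed word count."""
    field &= 0xFFFF
    return field - 0x10000 if field & 0x8000 else field

def branch_target(pc, field):
    """Target = (PC + 4, the delay-slot address) + sign_extend(field) << 2.
    Shifting by two converts words to bytes, since instructions are 4-byte aligned."""
    return (pc + 4 + (sign_extend16(field) << 2)) & MASK32

def encode_offset(pc, target):
    """Inverse: the 16-bit field that makes a branch at `pc` reach `target`."""
    if (target - pc) % 4:
        raise ValueError("branch targets are word-aligned; the low two bits are not stored")
    words = (target - (pc + 4)) >> 2
    if not -0x8000 <= words <= 0x7FFF:
        raise ValueError("target is outside the +-128 KiB reach of a 16-bit word offset")
    return words & 0xFFFF

if __name__ == "__main__":
    print(hex(branch_target(0x00400000, 3)))           # 0x400010: 3 words = 12 bytes past PC+4
    print(hex(branch_target(0x00400000, 0xFFFF)))      # 0x400000: -1 word, back to the branch itself
    print(hex(encode_offset(0x00400008, 0x00400000)))  # 0xfffd: a backward loop of 3 words
```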

Pwn01

SCUctf2018 Pwn00

My mentor picked this introductory stack-overflow challenge as my first pwn problem.
First, check the file.
[image]

The challenge: dropping it into IDA shows a magic function that calls system and solves the problem for us (sweet).
Then it's debugging, debugging, debugging.
[image]

From IDA's output it is easy to see that the local variable buf is 0x20 bytes away from ebp. We only need to send 0x20 bytes to fill the area reserved for locals, then overwrite the saved ebp of the previous frame, and the return address we write overwrites the function's original return address, which calls the backdoor (magic) the program left in place.

Then happily write the script.

[image]

It runs once written.

Done.

Pwn00 (a noob's introduction to Pwn)

I. Written at the very beginning

This is a record of a noob learning pwn. Its main purpose is to help me remember, because I have a goldfish memory, to keep me from forgetting essential knowledge and to make review easy.
Of course, if this series of articles helps you, I'd be honoured.

II. Basic introductory knowledge

First, we need to know about function calls and the basics of stack overflows (in this early stage of learning I can almost foresee that I'll be wrestling with stack overflows to the end). Stack overflow knowledge touches many related topics. I named this article 00 because I will keep revising the basic knowledge in it, mostly by adding.

① Stack frames

Welcome

I'm a binary-security learner from Chengdu, China, currently studying reverse engineering. My skills are limited; exchanges are welcome.

Besides binary, my hobbies are HEMA (historical European martial arts) and bass.

Give it everything, and then leave the rest to fate.

181004 (Hiding processes)

I. Hiding processes:

Process hiding: the technique of hiding a specific process (stealth process). The technical term is Rootkit, meaning a technique that hides processes, files and registry keys by modifying (hooking) the system kernel.
IAT hooking hooks an API by manipulating a specific IAT entry of the process, whereas the API code modification technique overwrites the first five bytes of the API's code with JMP XXXXXXXX to hook the API.
(1) Normal API call
The API is invoked with a CALL instruction, and when the API finishes it returns to the address of the instruction following the call.
(2) After hooking:

First the DLL is injected into the target process, and the 5 bytes at the API's start are overwritten with JMP XXXXXXXX (only five bytes are modified). At our XXXXXXXX location, we first restore the API to its original form and call it once, then hook it again.
Note: when the first five bytes of the API are the ones we modified, the API is hooked.
With the API code modification technique any API used by a process can be hooked. The API code to hook must be longer than five bytes, but all API code is longer than 5 bytes.

For process hiding, the most common technique in user mode is hooking the ntdll.ZwQuerySystemInformation() API.

To hide a specific process, we must get into the memory of every other process and hook the relevant API.

In user mode, the APIs for enumerating processes fall into 2 categories:
1. CreateToolhelp32Snapshot() & EnumProcesses()

2. ZwQuerySystemInformation()
This API obtains the information (a structure) for every running process, forming a linked list. Manipulating that list hides the relevant process.
Therefore we need a "global" hook that hooks ZwQuerySystemInformation() in every process running on the system.

Practice examples

1. Exercise #1
In the virtual machine I used the program supplied by the book, following the book's format, but the injection failed. Checking showed the DLL injection was normal; analysis suggests the procexp bundled with the VM is a modified version that protects itself from DLL injection, so "notepad.exe" did not disappear.

CreateToolhelp32Snapshot() is used to get the list of all processes running on the system; then Process32First() and Process32Next() store the process information in the PROCESSENTRY32 structure variable pe, from which the process PID is obtained.

In the injection code, analysing the source shows that processes with a PID below 100 are left alone (system processes).

In this code, we first create a shared memory section named ".SHARE", then create the g_szProcName buffer, and finally the exported function SetProcName() stores the name of the process to hide in g_szProcName.

JMP with an address: E9 XXXXXXXX, where XXXXXXXX = target address - current instruction address - current instruction length

### II. Global API hooking
Global API hooking targets: (1) all currently running processes; (2) all processes that will run in the future.
Kernel32.CreateProcess() is used to create new processes, so if Kernel32.CreateProcess() is hooked, every child process the parent creates with it afterwards will be injected too.
But note: (1) both CreateProcessA() and CreateProcessW() (the ASCII and Unicode versions) must be hooked; (2) some Microsoft software calls CreateProcessInternalA/W, the functions used internally by the two APIs above (hook the lower-level API where possible).
The ntdll.ZwResumeThread() API is lower-level than CreateProcess() and gives a better hooking result.
ZwResumeThread() is called after the process is created and before its main thread runs (it is invoked inside the CreateProcess() API). But this API is undocumented and may change, so the hook may stop working in the future.

Practice example

As the book says, we copy "stealth2.dll" into the system32 folder of the system directory and run the program.

This time the result matched the book: the "notepad.exe" process was hidden in both procExp and Task Manager.
The difference from experiment 1 is that this stealth2.dll adds code that hooks the CreateProcessA() and CreateProcessW() APIs.
Note that when hooking an undocumented API, always check whether it works correctly on the current OS version.

### III. Hooking APIs with the "hot patch" technique
With the API code modification technique, every time the patched API is called inside the program our hook function runs, unhooking and re-hooking constantly. This degrades overall performance and, worse, in a multithreaded environment it can produce runtime errors: when one thread tries to execute a piece of code while another thread is writing to it, a conflict arises and ends in a runtime error.
Therefore we use the "hot patch" (Hot Patch / Hot Fix) technique, which is more stable than modifying 5 bytes of code. The hot patch modifies 7 bytes of code.
The start of commonly used APIs begins with "MOV EDI,EDI" (IA-32: 0x8BFF), and above the API code there are 5 NOP instructions (IA-32: 0x90).
MOV EDI,EDI is 2 bytes; NOP is 1 byte. These seven bytes of instructions do nothing.
We overwrite the 5 bytes before the API's starting code with a FAR JMP to the user hook function, then overwrite the 2 bytes at the API's start with a SHORT JMP. This technique, which we call a "double jump", completes the hook of the specified API. An API hooked with the hot patch technique has its original code left unmodified, so the original API can be executed starting from "original API address + 2".

Practice example

The experiment is easy to understand from the book's explanation; let's look at the source.

Here pBuf[5] is declared as {0xE9, 0}; then two memcpy calls first write the XXXXXXXX of "JMP XXXXXXXX" into it, then write the whole "JMP XXXXXXXX" into the five bytes before the API. Then memcpy replaces MOV EDI,EDI with the JMP YY instruction.
Note that the hot patch API hooking technique can only be used when its preconditions are met. If they are not, only the five-byte code modification technique can be used.
The API code provided in Ntdll.dll is short, and there is a very good way to hook these APIs: back up the original API into a user memory region, then use the 5-byte code modification technique to modify the start of the original API. Because the API code is short and has no internal address dependencies, it is very suitable for this technique, but relocation has to be handled.
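Added example (not from the book or the original post): a defender-side check of an API entry that recognises the two patch shapes described above, the 5-byte E9 overwrite at the function start and the hot-patch form (E9 rel32 in the 5 padding bytes before the entry plus EB F9 in place of MOV EDI,EDI), and decodes the E9 XXXXXXXX target with the formula given earlier. The byte strings and the address are constructed samples, not dumps of a real ntdll or kernel32.

```python
# Added example: classify the bytes around an API entry point and report where a
# hook jumps to. Constructed sample bytes; not a dump of any real DLL.
import struct

def jmp_rel32_target(instr_addr, code):
    """E9 XXXXXXXX: XXXXXXXX = target - instr_addr - 5, so target = instr_addr + 5 + rel32."""
    (rel,) = struct.unpack("<i", code[1:5])   # rel32 is signed little-endian
    return (instr_addr + 5 + rel) & 0xFFFFFFFF

def classify_entry(api_addr, pad, entry):
    """pad: the 5 bytes just before api_addr; entry: the first bytes at api_addr.
    Returns (verdict, hook_target_or_None)."""
    if entry[0] == 0xE9:                                   # 5-byte code patch at the start
        return "hooked-5byte", jmp_rel32_target(api_addr, entry)
    if entry[:2] == b"\xEB\xF9" and pad[0] == 0xE9:        # short jmp -7 lands on the FAR JMP
        return "hooked-hotpatch", jmp_rel32_target(api_addr - 5, pad)
    if entry[:2] == b"\x8B\xFF" and pad == b"\x90" * 5:    # MOV EDI,EDI + 5 NOPs untouched
        return "clean-hotpatchable", None
    return "clean", None

if __name__ == "__main__":
    api = 0x7C80B000                                        # constructed API address
    hook = 0x10001000                                       # constructed hook location
    samples = {
        "clean":    (b"\x90" * 5, b"\x8B\xFF\x55\x8B\xEC"),
        "hotpatch": (b"\xE9" + struct.pack("<i", hook - (api - 5) - 5), b"\xEB\xF9\x55\x8B\xEC"),
        "5byte":    (b"\x90" * 5, b"\xE9" + struct.pack("<i", hook - api - 5)),
    }
    for name, (pad, entry) in samples.items():
        verdict, target = classify_entry(api, pad, entry)
        print(f"{name:9} -> {verdict}", hex(target) if target else "")
```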