mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-27 07:01:09 +00:00
54 lines
4 KiB
Markdown
54 lines
4 KiB
Markdown
|
# 指针重定向
|
|||
|
|
|
|||
|
|
<details>
|
|||
|
|
|
|||
|
|
<summary><strong>从零开始学习AWS黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE(HackTricks AWS红队专家)</strong></a><strong>!</strong></summary>
|
|||
|
|
|
|||
|
|
支持HackTricks的其他方式:
|
|||
|
|
|
|||
|
|
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|||
|
|
* 获取[**官方PEASS&HackTricks周边产品**](https://peass.creator-spring.com)
|
|||
|
|
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品
|
|||
|
|
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**。**
|
|||
|
|
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
|||
|
|
|
|||
|
|
</details>
|
|||
|
|
|
|||
|
|
## 字符串指针
|
|||
|
|
|
|||
|
|
如果一个函数调用将使用位于堆栈中的字符串的地址,可以利用缓冲区溢出来**覆盖此地址**,并在二进制文件中放入**指向不同字符串的地址**。
|
|||
|
|
|
|||
|
|
例如,如果一个**`system`**函数调用将**使用一个字符串的地址来执行命令**,攻击者可以在堆栈中放置**不同字符串的地址**,**`export PATH=.:$PATH`**,并在当前目录中创建一个**以新字符串的第一个字母命名的脚本**,因为这将由二进制文件执行。
|
|||
|
|
|
|||
|
|
您可以在以下位置找到一个**示例**:
|
|||
|
|
|
|||
|
|
* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c)
|
|||
|
|
* [https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html](https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html)
|
|||
|
|
* 32位,更改堆栈中标志字符串的地址,以便通过`puts`打印出来
|
|||
|
|
|
|||
|
|
## 函数指针
|
|||
|
|
|
|||
|
|
与字符串指针相同,但应用于函数,如果**堆栈包含将被调用的函数的地址**,则可以**更改它**(例如调用**`system`**)。
|
|||
|
|
|
|||
|
|
您可以在以下位置找到一个示例:
|
|||
|
|
|
|||
|
|
* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c)
|
|||
|
|
|
|||
|
|
## 参考资料
|
|||
|
|
|
|||
|
|
* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting)
|
|||
|
|
|
|||
|
|
<details>
|
|||
|
|
|
|||
|
|
<summary><strong>从零开始学习AWS黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE(HackTricks AWS红队专家)</strong></a><strong>!</strong></summary>
|
|||
|
|
|
|||
|
|
支持HackTricks的其他方式:
|
|||
|
|
|
|||
|
|
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|||
|
|
* 获取[**官方PEASS&HackTricks周边产品**](https://peass.creator-spring.com)
|
|||
|
|
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品
|
|||
|
|
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**。**
|
|||
|
|
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
|||
|
|
|
|||
|
|
</details>
|