---
title: The Attack and defense of computers lesson 5 (10/14)
---

Computer Attack and Defense
===

###### tags: `Computer Attack and Defense` `Note`

- [Course information](https://hackmd.io/@Onebone/SkDTwUeBP/https%3A%2F%2Fhackmd.io%2F_tge1tPkTau8DDkZcIcMzg)
- [Question system](https://tlk.io/ncu-security-2020)
- [Previous Note 2020/10/07](https://hackmd.io/xOx4-bR3T0avQrC0Ny8Aiw)
<!-- So it turns out to be a linked list XD -->

# NOP Sled
- Non-productive instructions used to increase the success rate of a buffer overflow attack (BOA).
- Categories:
    - Single byte (0x90, 0x41, 0x43, …)
    - Multiple byte (0x0D0D0D0D)

> Event: the teacher clicked on the notes XD

# Exploit Code Web Sites
- General Program
    - This program uses the following three loops to generate the **attack string**, which contains the **shell code**.

```
/* Loop 1: store the value `jump` through `ptr`, once per 4 bytes of buff */
for(i=0;i<sizeof(buff);i+=4)
    *(ptr++)=jump;
/* Loop 2: fill the front of buff with 0x90 (NOP) bytes,
   stopping 200 + strlen(evil) bytes before the end */
for(i=0;i<sizeof(buff)-200-strlen(evil);i++)
    buff[i]=0x90;
/* Loop 3: copy the shell code `evil` right after the NOP bytes */
for(j=0;j<strlen(evil);j++)
    buff[i++]=evil[j];
```

# Return-into-libc
- A variation of buffer overflow attacks.
- Uses code that already resides in the attacked program's address space, such as **libc** functions.
- Attack strings carry the **entry point address(es)** of a desired **libc** function, and the **parameters to the function**.
    - After a program is built into an executable, the parameters are stored in read-only memory and are later used by passing their addresses.
    - Function prolog (p.26)
        - Generated at the front of the function
- The exploit strings don't need to contain **executable code**.

# Heap/Data/BSS Overflow Attacks
- The **heap** is an area in memory that is dynamically allocated by the application by using a system call, such as **malloc()**.
    - On most systems, the heap grows up (towards higher addresses).
- The **data** section is initialized at compile-time.
- The **bss** section contains uninitialized data.
    - Until it is written to, it remains zeroed (or at least from the application's point-of-view).
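
The heap/data/bss split described above can be observed from inside a process, which shows which neighbouring objects an out-of-bounds write in each region could reach. This is an added example, not code from the lecture notes; it assumes Linux with GNU ld or lld (the `etext`, `edata` and `end` symbols from end(3)), and `region_of`, `all_zero`, `data_var` and `bss_buf` are names made up for the sketch.

```c
/* Added example. Assumes Linux with GNU ld or lld: etext, edata and end
 * are the linker-defined symbols described in end(3). Other names are
 * made up for this sketch. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* for sbrk() under strict -std= modes */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

extern char etext, edata, end;       /* end of text, of .data, of .bss */

int  data_var = 0x1234;              /* initialized at compile time: .data */
char bss_buf[64];                    /* no initializer: .bss, starts zeroed */

enum region { R_TEXT, R_DATA, R_BSS, R_BRK_HEAP, R_OTHER };

/* Classify an address by comparing it with the segment boundaries. */
enum region region_of(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    if (a < (uintptr_t)&etext)  return R_TEXT;     /* code, or anything below it */
    if (a < (uintptr_t)&edata)  return R_DATA;     /* read-only and initialized data */
    if (a < (uintptr_t)&end)    return R_BSS;
    if (a < (uintptr_t)sbrk(0)) return R_BRK_HEAP; /* up to the program break */
    return R_OTHER;                                /* mmap region, stack, ... */
}

/* Return 1 if all n bytes are zero, which holds for .bss before any write. */
int all_zero(const char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

int main(void)
{
    static const char *name[] = { "text", "data", "bss", "heap (brk)", "other" };
    char *heap = malloc(32);         /* dynamic allocation */
    int local = 0;                   /* stack object, for contrast */
    if (heap == NULL) return 1;
    printf("region_of() %-10s\n", name[region_of((void *)(uintptr_t)region_of)]);
    printf("data_var    %-10s %p\n", name[region_of(&data_var)], (void *)&data_var);
    printf("bss_buf     %-10s %p zeroed=%d\n", name[region_of(bss_buf)],
           (void *)bss_buf, all_zero(bss_buf, sizeof bss_buf));
    printf("heap        %-10s %p\n", name[region_of(heap)], (void *)heap);
    printf("local       %-10s %p\n", name[region_of(&local)], (void *)&local);
    free(heap);
    return 0;
}
```

A `malloc()` result reports `heap (brk)` when the allocator extends the program break and `other` when it uses `mmap`, so both are valid outcomes for the heap line.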