Monthly Archives: June 2016

ASLR总结

0x00 ASLR总结

对于Linux系统,有下表:

ASLR Level -fPIC -pie Code Stack Heap comment
0 Yes Fixed Fixed Fixed None
0 No Fixed Fixed Fixed None
1 Yes Rand Rand Rand Base address of heap is located immediately after the end of code segment
1 No Fixed Rand Fixed Base address of heap is located immediately after the end of code segment
2 (default) Yes Rand Rand Rand Base address of heap is fully randomized and has nothing to do with code segment
2 (default) No Fixed Rand Rand Base address of heap is fully randomized and has nothing to do with code segment

在Android上使用frida和cydia substrate

0x00 背景

Android上使用frida比iOS稍微麻烦些,这里仅说一下一些坑。另外再贴一个使用cydia substrate进行hook的文章链接。

0x01 注意点

  1. windows上安装frida时要用easy_install fridapip install frida的frida无法正常工作,frida-ps -U时会显示”failed to create process”。

  2. 启动frida-server后还要进行端口转发。

    adb forward tcp:27042 tcp:27042
    adb forward tcp:27043 tcp:27043
    
  3. frida使用了ptrace进行hook,如果要hook的程序有本身就attach了ptrace进程,则frida无法正常工作,此时我们采取以下策略:
    1. 在app启动前使用while循环一直尝试attach gdb debugger,然后启动app,这样可以保证app启动后我们的gdb先attach上,app自己的ptrace会attach失败。
    2. 把gdb detach掉,此时app已经没有任何ptrace attach了。
    3. 启动frida hook脚本,可以正常hook了。

0x02 使用Cydia Substrate

有些人不知道,其实cydia substrate不光能在iOS上用,还能在安卓上用。
非常好的文章:https://koz.io/android-substrate-c-hooking/

xxs相关的坑

0x00 总结一下xss相关的坑

  1. innerHTML写出的<script> tag 不会触发xss, 但是javascript scheme会被触发,下面这个例子里,只有alert(2)被触发了。
    <div id = "tag1"> </div>
    <div id = "tag2"> </div>
    
    <script> document.getElementById("tag1").innerHTML="<script>alert(1)<\/script>"</script>
    <script> document.getElementById("tag2").innerHTML="<iframe src='javascript:alert(2)'><\/iframe>"</script> 
    

    这个行为在HTML5中已经标准化https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML#Security_considerations
    Continue reading