4. Client-side attacks

Client-side attacks differ substantially from server-side attacks. The malicious data an attacker sends to a user's host does not directly overflow a service process on that system; instead, the attacker has to combine it with social engineering, enticing the client user into opening or visiting the malicious data, so the attack happens indirectly.

4.1 Security mechanisms against client-side penetration attacks

① DEP. The basic principle of DEP (Data Execution Prevention) is that the operating system sets an attribute on memory pages to mark the pages that hold data as non-executable.

② ASLR. ASLR (Address Space Layout Randomization) means the system loads the running process and its associated library files without fixed base addresses. It includes randomization of heap addresses, of the stack base address, of the base address of the PE file image, and of the PEB and TEB addresses.

4.2 Penetration attacks against browsers

4.2.1 Browser penetration

Penetration attacks against the browser itself, and penetration of embedded third-party plug-ins.

4.2.2 Heap spraying

Client-side penetration attacks often use this technique. Before triggering the overflow vulnerability, the attacker requests a large number of memory blocks on the heap, each filled with NOP instructions and followed by the shellcode; then, on overflow, the return address is changed to point into this region. In browser attacks, JavaScript is commonly used to perform the heap spray. Heap spraying is not described in further detail here.
4.2.3 Automated browser attacks with MSF

The Metasploit Framework package contains a number of modules for browsers and plug-ins, and also provides the auxiliary module server/browser_autopwn. After receiving a request from the browser it performs three operations: extracting the browser fingerprint, automated penetration, and listing the applicable penetration modules. It does not list modules for third-party plug-ins, because it cannot extract a fingerprint for the plug-in.

4.3 Penetration attacks against applications

For this kind of security vulnerability, attackers generally construct a malicious malformed file that still conforms to the normal file format, and use it to trigger the vulnerability.

4.3.1 Memory attack techniques: implementing a ROP attack

After overflowing the program, the attacker does not execute shellcode on the stack, but looks for special instruction blocks in loaded modules and, using data on the stack such as parameters and return addresses, chains these isolated instruction blocks together to carry out certain functions and finally achieve remote code execution. Under the constraint of harsh bad-character restrictions, however, this is very difficult to implement, so following this idea many techniques for getting around DEP now exist:

1. Set the memory page that contains the shellcode to the executable state.
2. First use the VirtualAlloc function to allocate a memory region with execute permission, then copy the shellcode into that region.
3. Switch off the DEP mechanism directly through certain functions; ZwSetInformationProcess is commonly used.
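A defender-side check that ties the mitigations in 4.1 to the DEP-bypass list in 4.3.1: whether a Windows module actually opts into DEP and ASLR. The following is an added example in Python, not code from the book or from these notes. It parses the DllCharacteristics field of the PE optional header, where the linker records the NX_COMPAT (DEP-compatible) and DYNAMIC_BASE (relocatable, so ASLR applies) flags; the flag values and header offsets come from the PE/COFF format. A module without DYNAMIC_BASE loads at a fixed address, which is exactly why a single non-randomized module matters for the ROP chains described above. The make_minimal_pe helper builds a constructed header for demonstration only; it is not a loadable image.

```python
"""Report DEP/ASLR opt-in flags from a PE image's optional header.

Added example (not from the book or the notes). Offsets and flag values are
those defined by the PE/COFF format:
  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    = 0x0040  (ASLR)
  IMAGE_DLLCHARACTERISTICS_NX_COMPAT       = 0x0100  (DEP)
"""
import struct

HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, PE and optional headers and return the mitigation flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4          # 20-byte COFF file header
    opt = coff + 20              # optional header starts right after it
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def describe(flags: dict) -> list:
    """Turn the parsed flags into the findings a reviewer would record."""
    findings = []
    if not flags["dep"]:
        findings.append("no NX_COMPAT: DEP for this image depends on system policy")
    if not flags["aslr"]:
        findings.append("no DYNAMIC_BASE: fixed image base, not randomized by ASLR")
    if flags["pe32plus"] and flags["aslr"] and not flags["high_entropy_va"]:
        findings.append("64-bit image without HIGH_ENTROPY_VA: reduced ASLR entropy")
    return findings or ["DEP and ASLR opted in"]


def make_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: just enough header bytes to parse, not a loadable image."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, image in [
        ("hardened 32-bit", make_minimal_pe(NX_COMPAT | DYNAMIC_BASE)),
        ("legacy 32-bit", make_minimal_pe(0)),
        ("64-bit, low entropy", make_minimal_pe(NX_COMPAT | DYNAMIC_BASE, pe32plus=True)),
    ]:
        print(label, "->", "; ".join(describe(pe_mitigations(image))))
```

To use it on a real module, pass the bytes of the file to pe_mitigations; a module that reports no DYNAMIC_BASE is the one to rebuild or replace, since every other randomized module in the process gains nothing from ASLR while that one stays at a fixed address.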
"Metasploit Penetration Testing: Devil Training Camp" study notes, Chapter 6: Client-side penetration