mirror of https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00

some fix

parent 905356bea6
commit 0a65d4f9fa
@ -50,11 +50,12 @@
- [四、技巧篇](doc/4_tips.md)
- [4.1 AWD模式](doc/4.1_AWD.md)
- [4.2 Linux 命令行技巧](doc/4.2_Linux_terminal_tips.md)
- [4.3 GCC 堆栈保护技术](doc/4.3_gcc.md)
- [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
- [4.3 GCC 编译参数解析](doc/4.3_gcc_arg.md)
- [4.4 GCC 堆栈保护技术](doc/4.4_gcc_sec.md)
- [4.5 Z3 约束求解器](doc/4.5_z3.md)
- [4.6 zio](doc/4.6_zio.md)
- [4.7 通用 gadget](doc/4.7_common_gadget.md)
- [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md)

- [五、高级篇](doc/5_advanced.md)
- [5.1 Fuzz 测试](doc/5.1_fuzz.md)
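
Review bot: this hunk renumbers the chapter 4 entries (4.3_gcc.md becomes 4.4_gcc_sec.md, 4.4_dynelf.md becomes 4.8_dynelf.md, and a new 4.3_gcc_arg.md is inserted), but nothing in the change looks for other documents that still link to the old paths, so any cross-reference inside doc/ to `4.3_gcc.md` or `4.4_dynelf.md` is now a dead link. Run `grep -rn '4\.3_gcc\.md\|4\.4_dynelf\.md' doc README.md SUMMARY.md` before merging and fix whatever it finds. Note also that the new `4.3_gcc_arg.md` and `4.8_dynelf.md` entries point at files that, elsewhere in this commit, contain only a title or a reference list, and that a commit message of "some fix" gives a reader no hint that five document paths changed.
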
@ -68,7 +69,8 @@
- [六、题解篇](doc/6_writeup.md)
- [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
- [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
- [6.3 pwn 0ctf2015 freenote](doc/6.3_pwn_0ctf2015_freenote.md)
- [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
- [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md)

- [七、附录](doc/7_appendix.md)
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
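
Review bot: inserting the pwn200 writeup as 6.3 pushes the freenote entry to 6.4, and further down in this commit the freenote file is deleted and recreated under the new name even though it contains only a title. Sequential numbering means every inserted writeup renames every file behind it and breaks external links to them; appending new writeups at the end (pwn200 as 6.4) or dropping the numeric prefix from the filenames would avoid the churn.
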
@ -48,11 +48,12 @@
* [四、技巧篇](doc/4_tips.md)
* [4.1 AWD模式](doc/4.1_AWD.md)
* [4.2 Linux 命令行技巧](doc/4.2_Linux_terminal_tips.md)
* [4.3 GCC 堆栈保护技术](doc/4.3_gcc.md)
* [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
* [4.3 GCC 编译参数解析](doc/4.3_gcc_arg.md)
* [4.4 GCC 堆栈保护技术](doc/4.4_gcc_sec.md)
* [4.5 Z3 约束求解器](doc/4.5_z3.md)
* [4.6 zio](doc/4.6_zio.md)
* [4.7 通用 gadget](doc/4.7_common_gadget.md)
* [4.8 使用 DynELF 泄露函数地址](doc/4.8_dynelf.md)
* [五、高级篇](doc/5_advanced.md)
* [5.1 Fuzz 测试](doc/5.1_fuzz.md)
* [5.2 Pin 动态二进制插桩](doc/5.2_pin.md)
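
Review bot: this hunk is a line-for-line copy of the README.md hunk above with `*` bullets, and the same list is edited a third time in `doc/4_tips.md` below; three hand-maintained copies of one table of contents is exactly the kind of duplication that lets numbering drift between files. Consider generating README.md and the chapter index from SUMMARY.md with a small script, or at least diffing the link targets of the three files before each release.
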
@ -64,7 +65,8 @@
* [六、题解篇](doc/6_writeup.md)
* [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
* [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
* [6.3 pwn 0ctf2015 freenote](doc/6.3_pwn_0ctf2015_freenote.md)
* [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
* [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md)
* [七、附录](doc/7_appendix.md)
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
@ -42,6 +42,22 @@ long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
- RSP 协议数据的基本格式为: `$..........#xx`
- gdbserver 的启动方式相当于运行并调试一个新创建的进程

注意,在你将 gdb attach 到一个进程时,可能会出现这样的问题:
```
gdb-peda$ attach 9091
Attaching to process 9091
ptrace: Operation not permitted.
```
这是因为开启了内核参数 `ptrace_scope`:
```
$ cat /proc/sys/kernel/yama/ptrace_scope
1
```
1 表示 True,此时普通用户进程是不能对其他进程进行 attach 操作的,当然你可以用 root 权限启动 gdb,但最好的办法还是关掉它:
```
# echo 0 > /proc/sys/kernel/yama/ptrace_scope
```

#### 断点的实现
断点的功能是通过内核信号实现的,在 x86 架构上,内核向某个地址打入断点,实际上就是往该地址写入断点指令 `INT 3`,即 `0xCC`。目标程序运行到这条指令之后会触发 `SIGTRAP` 信号,gdb 捕获这个信号,并根据目标程序当前停止的位置查询 gdb 维护的断点链表,若发现在该地址确实存在断点,则可判定为断点命中。

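
Review bot: the explanation on the line `1 表示 True,...` is inaccurate, and the recommended fix (`echo 0 > /proc/sys/kernel/yama/ptrace_scope`, presented as 最好的办法) disables a system-wide hardening instead of working around it for one session. Yama's `kernel.yama.ptrace_scope` is not a boolean: 0 is classic ptrace (any process may attach to another process of the same uid), 1 is restricted (a process may only be traced by an ancestor unless it opts in with `prctl(PR_SET_PTRACER, ...)`), 2 allows attach only with CAP_SYS_PTRACE, and 3 forbids attach entirely and cannot be lowered again without a reboot. Suggest rewording the line to say that 1 means only descendants can be traced, presenting `sudo gdb -p <pid>` (or having a target you control call `prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0)`) as the first option, and labelling the `echo 0` line as a CTF-VM-only convenience that also does not survive a reboot. In the `#### 断点的实现` paragraph two steps are missing from the description: gdb saves the original byte at the address before writing `0xCC` and restores it when the breakpoint is removed or stepped over, and because `INT 3` is a trap the saved program counter points one byte past the `0xCC`, so gdb rewinds it by one before looking the address up in its breakpoint list.
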
1
doc/4.3_gcc_arg.md
Normal file
@ -0,0 +1 @@
# 4.3 GCC 编译参数解析
@ -1 +0,0 @@
# 4.4 使用 DynELF 泄露函数地址
@ -1,4 +1,4 @@
# 4.3 GCC 堆栈保护技术
# 4.4 GCC 堆栈保护技术

- [技术简介](#技术简介)
- [编译参数](#编译参数)
9
doc/4.8_dynelf.md
Normal file
@ -0,0 +1,9 @@
# 4.8 使用 DynELF 泄露函数地址

- [参考资料](#参考资料)


## 参考资料
- [Resolving remote functions using leaks](https://docs.pwntools.com/en/stable/dynelf.html)
- [Finding Function's Load Address](http://uaf.io/exploitation/misc/2016/04/02/Finding-Functions.html)
- [借助DynELF实现无libc的漏洞利用小结](http://bobao.360.cn/learning/detail/3298.html)
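
Review bot: the new file is a table of contents with a single `参考资料` entry and no body, yet the pwn200 writeup added in this same commit says the challenge 只能依靠 DynELF 来做 and will presumably link here. The page should at least state DynELF's precondition before it is referenced: a leak primitive that can be invoked repeatedly at attacker-chosen addresses without crashing the target, from which pwntools walks the loaded ELF and link_map structures to locate the libc function address. A one-line note to that effect, or a TODO marker, would be better than an empty page reachable from the index.
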
@ -2,8 +2,9 @@

- [4.1 AWD模式](4.1_AWD.md)
- [4.2 Linux 命令行技巧](4.2_Linux_terminal_tips.md)
- [4.3 GCC 堆栈保护技术](4.3_gcc.md)
- [4.4 使用 DynELF 泄露函数地址](4.4_dynelf.md)
- [4.3 GCC 编译参数解析](4.3_gcc_arg.md)
- [4.4 GCC 堆栈保护技术](4.4_gcc_sec.md)
- [4.5 Z3 约束求解器](4.5_z3.md)
- [4.6 zio](4.6_zio.md)
- [4.7 通用 gadget](4.7_common_gadget.md)
- [4.8 使用 DynELF 泄露函数地址](4.8_dynelf.md)
@ -1 +0,0 @@
# 6.3 pwn 0ctf2015 freenote
54
doc/6.3_pwn_xdctf2015_pwn200.md
Normal file
@ -0,0 +1,54 @@
# 6.3 pwn xdctf2015 pwn200

- [题目复现](#题目复现)
- [ret2dl-resolve 原理及题目解析](#ret2dlresolve-原理及题目解析)
- [Exploit](#exploit)
- [参考资料](#参考资料)


## 题目复现
出题人在博客里贴出了源码,如下:
```C
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void vuln()
{
char buf[100];
setbuf(stdin, buf);
read(0, buf, 256);
}
int main()
{
char buf[100] = "Welcome to XDCTF2015~!\n";

setbuf(stdout, buf);
write(1, buf, strlen(buf));
vuln();
return 0;
}
```
使用下面的语句编译:
```
$ gcc -m32 -fno-stack-protector pwn200.c
```
checksec 如下:
```
$ checksec -f a.out
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 a.out
```
在开启 ASLR 的情况下把程序运行起来:
```
$ socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
```
这题提供了二进制文件而没有提供 libc.so,而且也默认找不到,所以只能依靠 DynELF 来做。


## ret2dl-resolve 原理及题目解析

## Exploit

## 参考资料
- [Return-to-dl-resolve](http://pwn4.fun/2016/11/09/Return-to-dl-resolve/)
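
Review bot: the closing sentence of `## 题目复现` (`所以只能依靠 DynELF 来做`) contradicts the rest of the file, whose next heading is `## ret2dl-resolve 原理及题目解析` and whose only reference is the Return-to-dl-resolve post. These are different techniques: DynELF needs a leak primitive that can be called repeatedly at attacker-chosen addresses and uses it to find a libc symbol, whereas ret2dl-resolve forges a relocation and symbol entry so that `_dl_runtime_resolve` itself resolves an arbitrary symbol with no libc leak at all. Pick one, say which, and fill in or mark as TODO the three empty sections under it. Second, the checksec output shows `PIE enabled` while the build line is `gcc -m32 -fno-stack-protector pwn200.c`; whether that produces a PIE depends on the toolchain default, and a PIE randomizes the `.plt`, `.dynamic`, `.dynstr` and `.bss` addresses that the ret2dl-resolve fake structures rely on. Either add `-no-pie` to the command and regenerate the checksec block, or the writeup has to begin with leaking the image base. The `read(0, buf, 256)` into the 100-byte `buf` in `vuln()` is the intended overflow and should stay as posted.
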
1
doc/6.4_pwn_0ctf2015_freenote.md
Normal file
@ -0,0 +1 @@
# 6.4 pwn 0ctf2015 freenote
@ -2,4 +2,5 @@

- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)
- [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md)
- [6.3 pwn 0ctf2015 freenote](./6.3_pwn_0ctf2015_freenote.md)
- [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md)
- [6.4 pwn 0ctf2015 freenote](./6.4_pwn_0ctf2015_freenote.md)