diff --git a/SUMMARY.md b/SUMMARY.md index d3b5939..862827b 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -120,6 +120,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md) * [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md) * [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_n1ctf2018_vote.md) + * [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_34c3ctf2017_readme_revenge.md) * re * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) @@ -146,6 +147,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [8.1.2 Return-Oriented Programming without Returns](doc/8.1.2_rop_without_returns.md) * [8.1.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](doc/8.1.3_return-oriented_rootkits.md) * [8.1.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](doc/8.1.4_ropdefender.md) + * [8.1.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks](doc/8.1.5_data-oriented_programming.md) * Symbolic Execution * [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md) * [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md) diff --git a/doc/6.1.13_34c3ctf2017_readme_revenge.md b/doc/6.1.13_34c3ctf2017_readme_revenge.md new file mode 100644 index 0000000..11a379e --- /dev/null +++ b/doc/6.1.13_34c3ctf2017_readme_revenge.md 
@@ -0,0 +1,36 @@ +# 6.1.13 pwn 34C3CTF2017 readme_revenge + +- [题目复现](#题目复现) +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.13_34c3ctf2017_readme_revenge) + +## 题目复现 +``` +$ file readme_revenge +readme_revenge: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=2f27d1b57237d1ab23f8d0fc3cd418994c5b443d, not stripped +$ checksec -f readme_revenge +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 3 45 readme_revenge +``` +与我们经常接触了题目不同,这是一个静态链接程序,运行时不需要加载 libc。not stripped 也为调试提供了便利。 + +``` +$ ./readme_revenge +aaaa +Hi, aaaa. Bye. +$ ./readme_revenge +%x.%d.%p +Hi, %x.%d.%p. Bye. +$ python -c 'print "A"*2000' | ./readme_revenge +Segmentation fault (core dumped) +``` +我们试着给它输入一些字符,结果被原样打印出来,而且看起来也不存在格式化字符串漏洞。但当我们输入大量字符时,触发了段错误,这倒是一个好消息。 + + +## 题目解析 + +## 参考资料 +https://ctftime.org/task/5135 diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 789a61f..8c9308e 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -13,6 +13,7 @@ - [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md) - [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md) - [6.1.12 pwn N1CTF2018 vote](6.1.12_n1ctf2018_vote.md) + - [6.1.13 pwn 34C3CTF2017 readme_revenge](6.1.13_34c3ctf2017_readme_revenge.md) - re - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) diff --git a/doc/8.1.5_data-oriented_programming.md b/doc/8.1.5_data-oriented_programming.md new file mode 100644 index 0000000..fcd40e2 --- /dev/null +++ b/doc/8.1.5_data-oriented_programming.md @@ -0,0 +1 @@ +# 8.1.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks diff --git a/doc/8_academic.md b/doc/8_academic.md index b557f15..d856ebe 100644 --- a/doc/8_academic.md +++ b/doc/8_academic.md 
@@ -4,19 +4,21 @@ 链接:https://pan.baidu.com/s/1G-WFCzAU2VdrrsHqJzjGpw 密码:vhfw * Return-Oriented Programming - * [8.1.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1.1_return-into-libc_without_function_calls.md) - * [8.1.2 Return-Oriented Programming without Returns](doc/8.1.2_rop_without_returns.md) - * [8.1.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](doc/8.1.3_return-oriented_rootkits.md) - * [8.1.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](doc/8.1.4_ropdefender.md) + * [8.1.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](8.1.1_return-into-libc_without_function_calls.md) + * [8.1.2 Return-Oriented Programming without Returns](8.1.2_rop_without_returns.md) + * [8.1.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](8.1.3_return-oriented_rootkits.md) + * [8.1.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](8.1.4_ropdefender.md) + * [8.1.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks](8.1.5_data-oriented_programming.md) * Symbolic Execution - * [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md) - * [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md) + * [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](8.2.1_dynamic_taint_analysis.md) + * [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](8.2.2_symbolic_execution_for_software_testing.md) +* Code Obfuscation * Reverse Engineering - * [8.3 New Frontiers of Reverse Engineering](doc/8.3_new_frontiers_of_reverse_engineering.md) + * [8.3 New 
Frontiers of Reverse Engineering](8.3_new_frontiers_of_reverse_engineering.md) * Android Security - * [8.4 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning](doc/8.4_emulator_vs_real_phone.md) - * [8.5 DynaLog: An automated dynamic analysis framework for characterizing Android applications](doc/8.5_dynalog_an_automated_dynamic_analysis_framework.md) - * [8.6 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls](doc/8.6_malware_detection_based_on_actual_used_permissions.md) - * [8.7 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models](doc/8.7_detecting_malware_by_building_markov_chains.md) - * [8.8 DroidNative: Semantic-Based Detection of Android Native Code Malware](doc/8.8_droidnative_semantic-based_detection_of_android_native_code_malware.md) - * [8.9 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware](doc/8.9_droidanalytics_signature_based_analytic_system.md) + * [8.4 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning](8.4_emulator_vs_real_phone.md) + * [8.5 DynaLog: An automated dynamic analysis framework for characterizing Android applications](8.5_dynalog_an_automated_dynamic_analysis_framework.md) + * [8.6 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls](8.6_malware_detection_based_on_actual_used_permissions.md) + * [8.7 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models](8.7_detecting_malware_by_building_markov_chains.md) + * [8.8 DroidNative: Semantic-Based Detection of Android Native Code Malware](8.8_droidnative_semantic-based_detection_of_android_native_code_malware.md) + * [8.9 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware](8.9_droidanalytics_signature_based_analytic_system.md) 
diff --git a/src/writeup/6.1.13_34c3ctf2017_readme_revenge/readme_revenge b/src/writeup/6.1.13_34c3ctf2017_readme_revenge/readme_revenge new file mode 100755 index 0000000..7f65fff Binary files /dev/null and b/src/writeup/6.1.13_34c3ctf2017_readme_revenge/readme_revenge differ
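Review bot: the `## 题目解析` section of the new doc/6.1.13_34c3ctf2017_readme_revenge.md is empty, so the writeup ends at "triggered a segfault" with no analysis; add the analysis before merging or mark the section `TODO` so readers following the new SUMMARY.md entry know it is unfinished. Two smaller points in the same file: `与我们经常接触了题目不同` should read `与我们经常接触的题目不同`, and since the checksec line reports `Canary found` while the 2000-byte input ends in `Segmentation fault` rather than a `*** stack smashing detected ***` abort, the analysis section should state where the crash actually occurs instead of leaving the reader to assume a plain stack buffer overflow.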
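Review bot: doc/8.1.5_data-oriented_programming.md consists of a single heading line, yet this same patch links to it from SUMMARY.md and doc/8_academic.md, so both tables of contents now advertise a paper summary that does not exist. Either add at least the paper reference and a short abstract, or hold the link additions until the page has content.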
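Review bot: the `* Code Obfuscation` category added in the doc/8_academic.md hunk has no entries beneath it, so it renders as an empty bullet; add its first paper or drop the line until there is one. The same hunk also rewrites every existing link from `doc/8.x_...md` to `8.x_...md`, matching the relative form already used in doc/6_writeup.md; that is a correct fix, but it is an unrelated change bundled with the new 8.1.5 entry and would be easier to verify as its own commit.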