mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
add 6.1.13
This commit is contained in:
parent
b4396439b2
commit
0a7e530c90
@ -120,6 +120,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
||||||
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
|
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
|
||||||
* [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_n1ctf2018_vote.md)
|
* [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_n1ctf2018_vote.md)
|
||||||
|
* [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_34c3ctf2017_readme_revenge.md)
|
||||||
* re
|
* re
|
||||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||||
@ -146,6 +147,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [8.1.2 Return-Oriented Programming without Returns](doc/8.1.2_rop_without_returns.md)
|
* [8.1.2 Return-Oriented Programming without Returns](doc/8.1.2_rop_without_returns.md)
|
||||||
* [8.1.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](doc/8.1.3_return-oriented_rootkits.md)
|
* [8.1.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](doc/8.1.3_return-oriented_rootkits.md)
|
||||||
* [8.1.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](doc/8.1.4_ropdefender.md)
|
* [8.1.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](doc/8.1.4_ropdefender.md)
|
||||||
|
* [8.1.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks](doc/8.1.5_data-oriented_programming.md)
|
||||||
* Symbolic Execution
|
* Symbolic Execution
|
||||||
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md)
|
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md)
|
||||||
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md)
|
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md)
|
||||||
|
36
doc/6.1.13_34c3ctf2017_readme_revenge.md
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
# 6.1.13 pwn 34C3CTF2017 readme_revenge
|
||||||
|
|
||||||
|
- [题目复现](#题目复现)
|
||||||
|
- [题目解析](#题目解析)
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
[下载文件](../src/writeup/6.1.13_34c3ctf2017_readme_revenge)
|
||||||
|
|
||||||
|
## 题目复现
|
||||||
|
```
|
||||||
|
$ file readme_revenge
|
||||||
|
readme_revenge: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=2f27d1b57237d1ab23f8d0fc3cd418994c5b443d, not stripped
|
||||||
|
$ checksec -f readme_revenge
|
||||||
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||||
|
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 3 45 readme_revenge
|
||||||
|
```
|
||||||
|
与我们经常接触了题目不同,这是一个静态链接程序,运行时不需要加载 libc。not stripped 也为调试提供了便利。
|
||||||
|
|
||||||
|
```
|
||||||
|
$ ./readme_revenge
|
||||||
|
aaaa
|
||||||
|
Hi, aaaa. Bye.
|
||||||
|
$ ./readme_revenge
|
||||||
|
%x.%d.%p
|
||||||
|
Hi, %x.%d.%p. Bye.
|
||||||
|
$ python -c 'print "A"*2000' | ./readme_revenge
|
||||||
|
Segmentation fault (core dumped)
|
||||||
|
```
|
||||||
|
我们试着给它输入一些字符,结果被原样打印出来,而且看起来也不存在格式化字符串漏洞。但当我们输入大量字符时,触发了段错误,这倒是一个好消息。
|
||||||
|
|
||||||
|
|
||||||
|
## 题目解析
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
https://ctftime.org/task/5135
|
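Review bot: the `## 题目解析` section is added empty, so the new page stops after reconnaissance and never explains the crash; either fill it in before linking it from both indexes or say in the commit message that the writeup is a work in progress. Also, in the `题目复现` block checksec reports `Canary found` for the binary, yet the 2000-byte input ends in `Segmentation fault (core dumped)` rather than the stack-smashing abort glibc emits when a canary is corrupted, so the analysis should pin down where the fault actually occurs (for example under gdb on the core dump) before describing it as a plain return-address overwrite.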
@ -13,6 +13,7 @@
|
|||||||
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
|
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
|
||||||
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
|
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
|
||||||
- [6.1.12 pwn N1CTF2018 vote](6.1.12_n1ctf2018_vote.md)
|
- [6.1.12 pwn N1CTF2018 vote](6.1.12_n1ctf2018_vote.md)
|
||||||
|
- [6.1.13 pwn 34C3CTF2017 readme_revenge](6.1.13_34c3ctf2017_readme_revenge.md)
|
||||||
- re
|
- re
|
||||||
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||||
|
1
doc/8.1.5_data-oriented_programming.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
# 8.1.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
|
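Review bot: `doc/8.1.5_data-oriented_programming.md` is added with only its title line and no body, while both indexes touched in this commit already link to it, so a reader following the `8.1.5` link lands on an empty page. At minimum add the paper's citation and a short summary, or leave the index entries out until the note is written; the commit message `add 6.1.13` also says nothing about this 8.1.5 addition.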
@ -4,19 +4,21 @@
|
|||||||
链接:https://pan.baidu.com/s/1G-WFCzAU2VdrrsHqJzjGpw 密码:vhfw
|
链接:https://pan.baidu.com/s/1G-WFCzAU2VdrrsHqJzjGpw 密码:vhfw
|
||||||
|
|
||||||
* Return-Oriented Programming
|
* Return-Oriented Programming
|
||||||
* [8.1.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1.1_return-into-libc_without_function_calls.md)
|
* [8.1.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](8.1.1_return-into-libc_without_function_calls.md)
|
||||||
* [8.1.2 Return-Oriented Programming without Returns](doc/8.1.2_rop_without_returns.md)
|
* [8.1.2 Return-Oriented Programming without Returns](8.1.2_rop_without_returns.md)
|
||||||
* [8.1.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](doc/8.1.3_return-oriented_rootkits.md)
|
* [8.1.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms](8.1.3_return-oriented_rootkits.md)
|
||||||
* [8.1.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](doc/8.1.4_ropdefender.md)
|
* [8.1.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks](8.1.4_ropdefender.md)
|
||||||
|
* [8.1.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks](8.1.5_data-oriented_programming.md)
|
||||||
* Symbolic Execution
|
* Symbolic Execution
|
||||||
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md)
|
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](8.2.1_dynamic_taint_analysis.md)
|
||||||
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md)
|
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](8.2.2_symbolic_execution_for_software_testing.md)
|
||||||
|
* Code Obfuscation
|
||||||
* Reverse Engineering
|
* Reverse Engineering
|
||||||
* [8.3 New Frontiers of Reverse Engineering](doc/8.3_new_frontiers_of_reverse_engineering.md)
|
* [8.3 New Frontiers of Reverse Engineering](8.3_new_frontiers_of_reverse_engineering.md)
|
||||||
* Android Security
|
* Android Security
|
||||||
* [8.4 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning](doc/8.4_emulator_vs_real_phone.md)
|
* [8.4 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning](8.4_emulator_vs_real_phone.md)
|
||||||
* [8.5 DynaLog: An automated dynamic analysis framework for characterizing Android applications](doc/8.5_dynalog_an_automated_dynamic_analysis_framework.md)
|
* [8.5 DynaLog: An automated dynamic analysis framework for characterizing Android applications](8.5_dynalog_an_automated_dynamic_analysis_framework.md)
|
||||||
* [8.6 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls](doc/8.6_malware_detection_based_on_actual_used_permissions.md)
|
* [8.6 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls](8.6_malware_detection_based_on_actual_used_permissions.md)
|
||||||
* [8.7 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models](doc/8.7_detecting_malware_by_building_markov_chains.md)
|
* [8.7 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models](8.7_detecting_malware_by_building_markov_chains.md)
|
||||||
* [8.8 DroidNative: Semantic-Based Detection of Android Native Code Malware](doc/8.8_droidnative_semantic-based_detection_of_android_native_code_malware.md)
|
* [8.8 DroidNative: Semantic-Based Detection of Android Native Code Malware](8.8_droidnative_semantic-based_detection_of_android_native_code_malware.md)
|
||||||
* [8.9 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware](doc/8.9_droidanalytics_signature_based_analytic_system.md)
|
* [8.9 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware](8.9_droidanalytics_signature_based_analytic_system.md)
|
||||||
|
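Review bot: this hunk bundles two changes unrelated to the `add 6.1.13` message: every existing link is rewritten from a `doc/8.x_....md` path to a relative `8.x_....md` path, and a new `* Code Obfuscation` category is added with no entries beneath it. The README hunk at `@@ -146,6 +147,7 @@` adds only `8.1.5` and no `Code Obfuscation` heading, so the two indexes now diverge; either add the same heading (with at least one entry) to the README or drop the empty heading here, and mention the link-path rewrite in the commit message or split it into its own commit.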
BIN
src/writeup/6.1.13_34c3ctf2017_readme_revenge/readme_revenge
Executable file
Binary file not shown.