add 6.1, 4.7

This commit is contained in:
firmianay 2017-11-09 13:37:04 +08:00
parent bd2d914729
commit 0ef4c3b1d6
7 changed files with 79 additions and 0 deletions

View File

@ -54,6 +54,7 @@
- [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
- [4.5 Z3 约束求解器](doc/4.5_z3.md)
- [4.6 zio](doc/4.6_zio.md)
- [4.7 通用 gadget](doc/4.7_normal_gadget.md)
- [五、高级篇](doc/5_advanced.md)
- [5.1 Fuzz 测试](doc/5.1_fuzz.md)
@ -65,6 +66,7 @@
- [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
- [六、题解篇](doc/6_writeup.md)
- [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
- [七、附录](doc/7_appendix.md)
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)

View File

@ -52,6 +52,7 @@
* [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
* [4.5 Z3 约束求解器](doc/4.5_z3.md)
* [4.6 zio](doc/4.6_zio.md)
* [4.7 通用 gadget](doc/4.7_normal_gadget.md)
* [五、高级篇](doc/5_advanced.md)
* [5.1 Fuzz 测试](doc/5.1_fuzz.md)
* [5.2 Pin 动态二进制插桩](doc/5.2_pin.md)
@ -61,6 +62,7 @@
* [5.6 LLVM](doc/5.6_llvm.md)
* [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
* [六、题解篇](doc/6_writeup.md)
* [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
* [七、附录](doc/7_appendix.md)
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)

View File

@ -1 +1,21 @@
# 1.7.4 Android 常用工具
- [smali/baksmali](#smalibaksmali)
#### smali/baksmali
smali/baksmali 分别用于汇编和反汇编 dex 格式文件。地址https://github.com/JesusFreke/smali
使用方法:
```
$ smali assemble app -o classes.dex
$ baksmali disassemble app.apk -o app
```
当然你也可以汇编和反汇编单个的文件,如汇编单个 smali 文件,反汇编单个 classes.dex 等,使用命令 `baksmali help input` 查看更多信息。
baksmali 还支持查看 dex/apk/oat 文件里的信息:
```
$ baksmali list classes app.apk
$ baksmali list methods app.apk | wc -l
```

1
doc/4.7_normal_gadget.md Normal file
View File

@ -0,0 +1 @@
# 通用 gadget

View File

@ -5,3 +5,5 @@
- [4.3 GCC 堆栈保护技术](4.3_gcc.md)
- [4.4 使用 DynELF 泄露函数地址](4.4_dynelf.md)
- [4.5 Z3 约束求解器](4.5_z3.md)
- [4.6 zio](4.6_zio.md)
- [4.7 通用 gadget](4.7_normal_gadget.md)

View File

@ -0,0 +1,50 @@
# 6.1 pwn hctf2016 brop
出题人在 github 上开源了代码,如下:
```C
#include <stdio.h>
#include <unistd.h>
#include <string.h>
int i;
int check();
int main(void) {
setbuf(stdin, NULL);
setbuf(stdout, NULL);
setbuf(stderr, NULL);
puts("WelCome my friend,Do you know password?");
if(!check()) {
puts("Do not dump my memory");
} else {
puts("No password, no game");
}
}
int check() {
char buf[50];
read(STDIN_FILENO, buf, 1024);
return strcmp(buf, "aslvkm;asd;alsfm;aoeim;wnv;lasdnvdljasd;flk");
}
```
使用下面的语句编译,然后运行起来:
```
$ gcc -z noexecstack -fno-stack-protector -no-pie brop.c
```
checksec 如下:
```
$ checksec -f a.out
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 2 a.out
```
由于 socat 在程序崩溃时会断开连接,我们写一个小脚本,让程序在崩溃后立即重启,这样就模拟出了远程环境 `127.0.0.1:10001`
```bash
#!/bin/sh
while true; do
num=`ps -ef | grep "socat" | grep -v "grep" | wc -l`
if [ $num -lt 5 ]; then
socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
fi
done
```

View File

@ -1 +1,3 @@
# 第六章 题解篇
- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)