From 0ef4c3b1d6d537f5a42037b2c6f0246e872e0f9a Mon Sep 17 00:00:00 2001 From: firmianay Date: Thu, 9 Nov 2017 13:37:04 +0800 Subject: [PATCH] add 6.1, 4.7 --- README.md | 2 ++ SUMMARY.md | 2 ++ doc/1.7.4_android_tools.md | 20 +++++++++++++++ doc/4.7_normal_gadget.md | 1 + doc/4_tips.md | 2 ++ doc/6.1_pwn_hctf2016_brop.md | 50 ++++++++++++++++++++++++++++++++++++ doc/6_writeup.md | 2 ++ 7 files changed, 79 insertions(+) create mode 100644 doc/4.7_normal_gadget.md create mode 100644 doc/6.1_pwn_hctf2016_brop.md diff --git a/README.md b/README.md index 18ec3f5..1dc7097 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,7 @@ - [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md) - [4.5 Z3 约束求解器](doc/4.5_z3.md) - [4.6 zio](doc/4.6_zio.md) + - [4.7 通用 gadget](doc/4.7_normal_gadget.md) - [五、高级篇](doc/5_advanced.md) - [5.1 Fuzz 测试](doc/5.1_fuzz.md) @@ -65,6 +66,7 @@ - [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md) - [六、题解篇](doc/6_writeup.md) + - [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) - [七、附录](doc/7_appendix.md) - [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) diff --git a/SUMMARY.md b/SUMMARY.md index 00819a3..4459c38 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -52,6 +52,7 @@ * [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md) * [4.5 Z3 约束求解器](doc/4.5_z3.md) * [4.6 zio](doc/4.6_zio.md) + * [4.7 通用 gadget](doc/4.7_normal_gadget.md) * [五、高级篇](doc/5_advanced.md) * [5.1 Fuzz 测试](doc/5.1_fuzz.md) * [5.2 Pin 动态二进制插桩](doc/5.2_pin.md) @@ -61,6 +62,7 @@ * [5.6 LLVM](doc/5.6_llvm.md) * [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md) * [六、题解篇](doc/6_writeup.md) + * [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) * [七、附录](doc/7_appendix.md) * [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) * [7.2 更多 Windows 工具](doc/7.2_wintools.md) diff --git a/doc/1.7.4_android_tools.md b/doc/1.7.4_android_tools.md index 86ca120..f94ffeb 100644 --- a/doc/1.7.4_android_tools.md +++ b/doc/1.7.4_android_tools.md 
@@ -1 +1,21 @@
 # 1.7.4 Android 常用工具
+
+- [smali/baksmali](#smalibaksmali)
+
+
+#### smali/baksmali
+smali/baksmali 分别用于汇编和反汇编 dex 格式文件。地址:https://github.com/JesusFreke/smali
+
+使用方法:
+```
+$ smali assemble app -o classes.dex
+
+$ baksmali disassemble app.apk -o app
+```
+当然你也可以汇编和反汇编单个的文件,如汇编单个 smali 文件,反汇编单个 classes.dex 等,使用命令 `baksmali help input` 查看更多信息。
+
+baksmali 还支持查看 dex/apk/oat 文件里的信息:
+```
+$ baksmali list classes app.apk
+$ baksmali list methods app.apk | wc -l
+```
diff --git a/doc/4.7_normal_gadget.md b/doc/4.7_normal_gadget.md
new file mode 100644
index 0000000..57a10c9
--- /dev/null
+++ b/doc/4.7_normal_gadget.md
@@ -0,0 +1 @@
+# 通用 gadget
diff --git a/doc/4_tips.md b/doc/4_tips.md
index e86051f..65e1351 100644
--- a/doc/4_tips.md
+++ b/doc/4_tips.md
@@ -5,3 +5,5 @@
 - [4.3 GCC 堆栈保护技术](4.3_gcc.md)
 - [4.4 使用 DynELF 泄露函数地址](4.4_dynelf.md)
 - [4.5 Z3 约束求解器](4.5_z3.md)
+- [4.6 zio](4.6_zio.md)
+- [4.7 通用 gadget](4.7_normal_gadget.md)
diff --git a/doc/6.1_pwn_hctf2016_brop.md b/doc/6.1_pwn_hctf2016_brop.md
new file mode 100644
index 0000000..7e6da50
--- /dev/null
+++ b/doc/6.1_pwn_hctf2016_brop.md
@@ -0,0 +1,50 @@
+# 6.1 pwn hctf2016 brop
+
+出题人在 github 上开源了代码,如下:
+```C
+#include
+#include
+#include
+
+int i;
+int check();
+
+int main(void) {
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+ setbuf(stderr, NULL);
+
+ puts("WelCome my friend,Do you know password?");
+ if(!check()) {
+ puts("Do not dump my memory");
+ } else {
+ puts("No password, no game");
+ }
+}
+
+int check() {
+ char buf[50];
+ read(STDIN_FILENO, buf, 1024);
+ return strcmp(buf, "aslvkm;asd;alsfm;aoeim;wnv;lasdnvdljasd;flk");
+}
+```
+使用下面的语句编译,然后运行起来:
+```
+$ gcc -z noexecstack -fno-stack-protector -no-pie brop.c
+```
+checksec 如下:
+```
+$ checksec -f a.out
+RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
+Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 2 a.out
+```
+由于 socat 在程序崩溃时会断开连接,我们写一个小脚本,让程序在崩溃后立即重启,这样就模拟出了远程环境 `127.0.0.1:10001`:
+```bash
+#!/bin/sh
+while true; do
+ num=`ps -ef | grep "socat" | grep -v "grep" | wc -l`
+ if [ $num -lt 5 ]; then
+ socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
+ fi
+done
+```
diff --git a/doc/6_writeup.md b/doc/6_writeup.md
index 30e070e..2d029ab 100644
--- a/doc/6_writeup.md
+++ b/doc/6_writeup.md
@@ -1 +1,3 @@
 # 第六章 题解篇
+
+- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)