mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add 6.1, 4.7
This commit is contained in:
parent
bd2d914729
commit
0ef4c3b1d6
@ -54,6 +54,7 @@
|
|||||||
- [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
|
- [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
|
||||||
- [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
- [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
||||||
- [4.6 zio](doc/4.6_zio.md)
|
- [4.6 zio](doc/4.6_zio.md)
|
||||||
|
- [4.7 通用 gadget](doc/4.7_normal_gadget.md)
|
||||||
|
|
||||||
- [五、高级篇](doc/5_advanced.md)
|
- [五、高级篇](doc/5_advanced.md)
|
||||||
- [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
- [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
||||||
@ -65,6 +66,7 @@
|
|||||||
- [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
- [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||||
|
|
||||||
- [六、题解篇](doc/6_writeup.md)
|
- [六、题解篇](doc/6_writeup.md)
|
||||||
|
- [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
||||||
|
|
||||||
- [七、附录](doc/7_appendix.md)
|
- [七、附录](doc/7_appendix.md)
|
||||||
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||||
|
@ -52,6 +52,7 @@
|
|||||||
* [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
|
* [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
|
||||||
* [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
* [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
||||||
* [4.6 zio](doc/4.6_zio.md)
|
* [4.6 zio](doc/4.6_zio.md)
|
||||||
|
* [4.7 通用 gadget](doc/4.7_normal_gadget.md)
|
||||||
* [五、高级篇](doc/5_advanced.md)
|
* [五、高级篇](doc/5_advanced.md)
|
||||||
* [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
* [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
||||||
* [5.2 Pin 动态二进制插桩](doc/5.2_pin.md)
|
* [5.2 Pin 动态二进制插桩](doc/5.2_pin.md)
|
||||||
@ -61,6 +62,7 @@
|
|||||||
* [5.6 LLVM](doc/5.6_llvm.md)
|
* [5.6 LLVM](doc/5.6_llvm.md)
|
||||||
* [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
* [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||||
* [六、题解篇](doc/6_writeup.md)
|
* [六、题解篇](doc/6_writeup.md)
|
||||||
|
* [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
||||||
* [七、附录](doc/7_appendix.md)
|
* [七、附录](doc/7_appendix.md)
|
||||||
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||||
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
|
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
|
||||||
|
@ -1 +1,21 @@
|
|||||||
# 1.7.4 Android 常用工具
|
# 1.7.4 Android 常用工具
|
||||||
|
|
||||||
|
- [smali/baksmali](#smalibaksmali)
|
||||||
|
|
||||||
|
|
||||||
|
#### smali/baksmali
|
||||||
|
smali/baksmali 分别用于汇编和反汇编 dex 格式文件。地址:https://github.com/JesusFreke/smali
|
||||||
|
|
||||||
|
使用方法:
|
||||||
|
```
|
||||||
|
$ smali assemble app -o classes.dex
|
||||||
|
|
||||||
|
$ baksmali disassemble app.apk -o app
|
||||||
|
```
|
||||||
|
当然你也可以汇编和反汇编单个的文件,如汇编单个 smali 文件,反汇编单个 classes.dex 等,使用命令 `baksmali help input` 查看更多信息。
|
||||||
|
|
||||||
|
baksmali 还支持查看 dex/apk/oat 文件里的信息:
|
||||||
|
```
|
||||||
|
$ baksmali list classes app.apk
|
||||||
|
$ baksmali list methods app.apk | wc -l
|
||||||
|
```
|
||||||
|
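Review bot: the heading for smali/baksmali jumps from `#` (1.7.4 Android 常用工具) straight to `####` with no `##`/`###` level in between, and the two fenced command blocks carry no language tag while the other new files in this commit tag theirs (```C, ```bash); use a consistent heading level and tag both blocks as ```bash so the `$` prompt lines render as shell. The bullet `- [smali/baksmali](#smalibaksmali)` is a one-item table of contents; if more tools are going to be listed under 1.7.4 later, fine, otherwise it adds nothing over the heading itself.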
1
doc/4.7_normal_gadget.md
Normal file
1
doc/4.7_normal_gadget.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
# 通用 gadget
|
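Review bot: doc/4.7_normal_gadget.md is created with a single heading line and no body, yet the README, SUMMARY and chapter index in this same commit link to it as a finished section; either add the content or mark the page as a placeholder so readers are not sent to an empty file. The heading also omits the section number (`# 通用 gadget`) whereas the other new page in this commit uses `# 6.1 pwn hctf2016 brop`; use `# 4.7 通用 gadget` for consistency.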
@ -5,3 +5,5 @@
|
|||||||
- [4.3 GCC 堆栈保护技术](4.3_gcc.md)
|
- [4.3 GCC 堆栈保护技术](4.3_gcc.md)
|
||||||
- [4.4 使用 DynELF 泄露函数地址](4.4_dynelf.md)
|
- [4.4 使用 DynELF 泄露函数地址](4.4_dynelf.md)
|
||||||
- [4.5 Z3 约束求解器](4.5_z3.md)
|
- [4.5 Z3 约束求解器](4.5_z3.md)
|
||||||
|
- [4.6 zio](4.6_zio.md)
|
||||||
|
- [4.7 通用 gadget](4.7_normal_gadget.md)
|
||||||
|
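Review bot: the `- [4.6 zio](4.6_zio.md)` entry added here already appears as unchanged context in README.md and SUMMARY.md, so the chapter index had drifted out of sync with the top-level tables of contents; fixing it here is right, but the commit message "add 6.1, 4.7" does not mention it, and a one-line note would make the change easier to trace. Note that this file links with bare relative paths (`4.7_normal_gadget.md`) while doc/6_writeup.md uses `./6.1_pwn_hctf2016_brop.md`; pick one convention.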
50
doc/6.1_pwn_hctf2016_brop.md
Normal file
50
doc/6.1_pwn_hctf2016_brop.md
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
# 6.1 pwn hctf2016 brop
|
||||||
|
|
||||||
|
出题人在 github 上开源了代码,如下:
|
||||||
|
```C
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
int i;
|
||||||
|
int check();
|
||||||
|
|
||||||
|
int main(void) {
|
||||||
|
setbuf(stdin, NULL);
|
||||||
|
setbuf(stdout, NULL);
|
||||||
|
setbuf(stderr, NULL);
|
||||||
|
|
||||||
|
puts("WelCome my friend,Do you know password?");
|
||||||
|
if(!check()) {
|
||||||
|
puts("Do not dump my memory");
|
||||||
|
} else {
|
||||||
|
puts("No password, no game");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int check() {
|
||||||
|
char buf[50];
|
||||||
|
read(STDIN_FILENO, buf, 1024);
|
||||||
|
return strcmp(buf, "aslvkm;asd;alsfm;aoeim;wnv;lasdnvdljasd;flk");
|
||||||
|
}
|
||||||
|
```
|
||||||
|
使用下面的语句编译,然后运行起来:
|
||||||
|
```
|
||||||
|
$ gcc -z noexecstack -fno-stack-protector -no-pie brop.c
|
||||||
|
```
|
||||||
|
checksec 如下:
|
||||||
|
```
|
||||||
|
$ checksec -f a.out
|
||||||
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||||
|
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 2 a.out
|
||||||
|
```
|
||||||
|
由于 socat 在程序崩溃时会断开连接,我们写一个小脚本,让程序在崩溃后立即重启,这样就模拟出了远程环境 `127.0.0.1:10001`:
|
||||||
|
```bash
|
||||||
|
#!/bin/sh
|
||||||
|
while true; do
|
||||||
|
num=`ps -ef | grep "socat" | grep -v "grep" | wc -l`
|
||||||
|
if [ $num -lt 5 ]; then
|
||||||
|
socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
```
|
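Review bot: the restart script's `while true; do ... done` loop has no `sleep`, so it busy-spins running `ps -ef | grep` continuously; add `sleep 1` after the `if ... fi` block. The check `if [ $num -lt 5 ]` counts every process whose command line contains "socat", which with `fork` includes the per-connection children, so a new `tcp4-listen:10001,reuseaddr,fork` listener is started whenever fewer than five such processes exist; the text should say why 5 is the chosen threshold, or check for the listener specifically. The fence is tagged ```bash but the script declares `#!/bin/sh`; either is fine, but match them. Finally, the page is titled as a writeup yet ends after environment setup, with no analysis of the `read(STDIN_FILENO, buf, 1024)` into `char buf[50]` under the no-canary, NX-enabled, no-PIE build that the checksec output shows; mark it as work in progress or add the solution before linking it from the chapter index.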
@ -1 +1,3 @@
|
|||||||
# 第六章 题解篇
|
# 第六章 题解篇
|
||||||
|
|
||||||
|
- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)
|
||||||
|