mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
add 6.1, 4.7
This commit is contained in:
parent
bd2d914729
commit
0ef4c3b1d6
@ -54,6 +54,7 @@
|
||||
- [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
|
||||
- [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
||||
- [4.6 zio](doc/4.6_zio.md)
|
||||
- [4.7 通用 gadget](doc/4.7_normal_gadget.md)
|
||||
|
||||
- [五、高级篇](doc/5_advanced.md)
|
||||
- [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
||||
@ -65,6 +66,7 @@
|
||||
- [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||
|
||||
- [六、题解篇](doc/6_writeup.md)
|
||||
- [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
||||
|
||||
- [七、附录](doc/7_appendix.md)
|
||||
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||
|
@ -52,6 +52,7 @@
|
||||
* [4.4 使用 DynELF 泄露函数地址](doc/4.4_dynelf.md)
|
||||
* [4.5 Z3 约束求解器](doc/4.5_z3.md)
|
||||
* [4.6 zio](doc/4.6_zio.md)
|
||||
* [4.7 通用 gadget](doc/4.7_normal_gadget.md)
|
||||
* [五、高级篇](doc/5_advanced.md)
|
||||
* [5.1 Fuzz 测试](doc/5.1_fuzz.md)
|
||||
* [5.2 Pin 动态二进制插桩](doc/5.2_pin.md)
|
||||
@ -61,6 +62,7 @@
|
||||
* [5.6 LLVM](doc/5.6_llvm.md)
|
||||
* [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md)
|
||||
* [六、题解篇](doc/6_writeup.md)
|
||||
* [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
||||
* [七、附录](doc/7_appendix.md)
|
||||
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
|
||||
|
@ -1 +1,21 @@
|
||||
# 1.7.4 Android 常用工具
|
||||
|
||||
- [smali/baksmali](#smalibaksmali)
|
||||
|
||||
|
||||
#### smali/baksmali
|
||||
smali/baksmali 分别用于汇编和反汇编 dex 格式文件。地址:https://github.com/JesusFreke/smali
|
||||
|
||||
使用方法:
|
||||
```
|
||||
$ smali assemble app -o classes.dex
|
||||
|
||||
$ baksmali disassemble app.apk -o app
|
||||
```
|
||||
当然你也可以汇编和反汇编单个的文件,如汇编单个 smali 文件,反汇编单个 classes.dex 等,使用命令 `baksmali help input` 查看更多信息。
|
||||
|
||||
baksmali 还支持查看 dex/apk/oat 文件里的信息:
|
||||
```
|
||||
$ baksmali list classes app.apk
|
||||
$ baksmali list methods app.apk | wc -l
|
||||
```
|
||||
|
1
doc/4.7_normal_gadget.md
Normal file
1
doc/4.7_normal_gadget.md
Normal file
@ -0,0 +1 @@
|
||||
# 通用 gadget
|
@ -5,3 +5,5 @@
|
||||
- [4.3 GCC 堆栈保护技术](4.3_gcc.md)
|
||||
- [4.4 使用 DynELF 泄露函数地址](4.4_dynelf.md)
|
||||
- [4.5 Z3 约束求解器](4.5_z3.md)
|
||||
- [4.6 zio](4.6_zio.md)
|
||||
- [4.7 通用 gadget](4.7_normal_gadget.md)
|
||||
|
50
doc/6.1_pwn_hctf2016_brop.md
Normal file
50
doc/6.1_pwn_hctf2016_brop.md
Normal file
@ -0,0 +1,50 @@
|
||||
# 6.1 pwn hctf2016 brop
|
||||
|
||||
出题人在 github 上开源了代码,如下:
|
||||
```C
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
|
||||
int i;
|
||||
int check();
|
||||
|
||||
int main(void) {
|
||||
setbuf(stdin, NULL);
|
||||
setbuf(stdout, NULL);
|
||||
setbuf(stderr, NULL);
|
||||
|
||||
puts("WelCome my friend,Do you know password?");
|
||||
if(!check()) {
|
||||
puts("Do not dump my memory");
|
||||
} else {
|
||||
puts("No password, no game");
|
||||
}
|
||||
}
|
||||
|
||||
int check() {
|
||||
char buf[50];
|
||||
read(STDIN_FILENO, buf, 1024);
|
||||
return strcmp(buf, "aslvkm;asd;alsfm;aoeim;wnv;lasdnvdljasd;flk");
|
||||
}
|
||||
```
|
||||
使用下面的语句编译,然后运行起来:
|
||||
```
|
||||
$ gcc -z noexecstack -fno-stack-protector -no-pie brop.c
|
||||
```
|
||||
checksec 如下:
|
||||
```
|
||||
$ checksec -f a.out
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 2 a.out
|
||||
```
|
||||
由于 socat 在程序崩溃时会断开连接,我们写一个小脚本,让程序在崩溃后立即重启,这样就模拟出了远程环境 `127.0.0.1:10001`:
|
||||
```bash
|
||||
#!/bin/sh
|
||||
while true; do
|
||||
num=`ps -ef | grep "socat" | grep -v "grep" | wc -l`
|
||||
if [ $num -lt 5 ]; then
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
|
||||
fi
|
||||
done
|
||||
```
|
@ -1 +1,3 @@
|
||||
# 第六章 题解篇
|
||||
|
||||
- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)
|
||||
|
Loading…
Reference in New Issue
Block a user