diff --git a/SUMMARY.md b/SUMMARY.md index 7bdf5bf..9ef3bdd 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -167,14 +167,15 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * Mobile * [七、实战篇](doc/7_exploit.md) * CVE - * [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](doc/7.1.1_tcpdump_2017-11543.md) - * [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](doc/7.1.2_glibc_2015-0235.md) - * [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](doc/7.1.3_wget_2016-4971.md) - * [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md) - * [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md) - * [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md) - * [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md) - * [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](doc/7.1.8_adobe_reader_2010-2883.md) + * [7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞](doc/7.1.1_tcpdump_2017-11543.md) + * [7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞](doc/7.1.2_glibc_2015-0235.md) + * [7.1.3 CVE-2016-4971 wget 任意文件上传漏洞](doc/7.1.3_wget_2016-4971.md) + * [7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞](doc/7.1.4_wget_2017-13089.md) + * [7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞](doc/7.1.5_glibc_2018-1000001.md) + * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](doc/7.1.6_dnstracer_2017-9430.md) + * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](doc/7.1.7_binutils_2018-6323.md) + * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](doc/7.1.8_adobe_reader_2010-2883.md) + * [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-2333.md) * Malware * [八、学术篇](doc/8_academic.md) * [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md) 
diff --git a/doc/2.2.2_idapro.md b/doc/2.2.2_idapro.md index ca1d029..9563162 100644 --- a/doc/2.2.2_idapro.md +++ b/doc/2.2.2_idapro.md @@ -25,6 +25,7 @@ - [SimplifyGraph](https://github.com/fireeye/SimplifyGraph) -- 简化复杂的函数流程图 - [bincat](https://github.com/airbus-seclab/bincat) -- 静态二进制代码分析工具包,2017 Hex-Rays 插件第一名 - [golang_loader_assist](https://github.com/strazzere/golang_loader_assist) -- Golang编译的二进制文件分析助手 +- [BinDiff](https://www.zynamics.com/bindiff.html) ## 常用脚本 diff --git a/doc/7.1.1_tcpdump_2017-11543.md b/doc/7.1.1_tcpdump_2017-11543.md index 9585493..32ed7ce 100644 --- a/doc/7.1.1_tcpdump_2017-11543.md +++ b/doc/7.1.1_tcpdump_2017-11543.md @@ -1,4 +1,4 @@ -# 7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow +# 7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞 - [漏洞描述](#漏洞描述) - [漏洞复现](#漏洞复现) diff --git a/doc/7.1.2_glibc_2015-0235.md b/doc/7.1.2_glibc_2015-0235.md index 9a2683d..e526170 100644 --- a/doc/7.1.2_glibc_2015-0235.md +++ b/doc/7.1.2_glibc_2015-0235.md @@ -1,4 +1,4 @@ -# 7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow +# 7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞 - [漏洞描述](#漏洞描述) - [漏洞复现](#漏洞复现) diff --git a/doc/7.1.3_wget_2016-4971.md b/doc/7.1.3_wget_2016-4971.md index 40470a4..cd72310 100644 --- a/doc/7.1.3_wget_2016-4971.md +++ b/doc/7.1.3_wget_2016-4971.md @@ -1,4 +1,4 @@ -# 7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload +# 7.1.3 CVE-2016-4971 wget 任意文件上传漏洞 - [漏洞描述](#漏洞描述) - [漏洞复现](#漏洞复现) diff --git a/doc/7.1.4_wget_2017-13089.md b/doc/7.1.4_wget_2017-13089.md index c76c9eb..2c7e491 100644 --- a/doc/7.1.4_wget_2017-13089.md +++ b/doc/7.1.4_wget_2017-13089.md @@ -1,4 +1,4 @@ -# 7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow +# 7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞 - [漏洞描述](#漏洞描述) - [漏洞复现](#漏洞复现) diff --git a/doc/7.1.5_glibc_2018-1000001.md b/doc/7.1.5_glibc_2018-1000001.md index f2341a4..50a79a6 100644 --- a/doc/7.1.5_glibc_2018-1000001.md +++ b/doc/7.1.5_glibc_2018-1000001.md 
@@ -1,4 +1,4 @@ -# 7.1.5 [CVE–2018-1000001] glibc Buffer Underflow +# 7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞 - [漏洞描述](#漏洞描述) - [漏洞复现](#漏洞复现) diff --git a/doc/7.1.6_dnstracer_2017-9430.md b/doc/7.1.6_dnstracer_2017-9430.md index a285e97..9daedea 100644 --- a/doc/7.1.6_dnstracer_2017-9430.md +++ b/doc/7.1.6_dnstracer_2017-9430.md @@ -1,4 +1,4 @@ -# 7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow +# 7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞 - [漏洞描述](#漏洞描述) - [漏洞复现](#漏洞复现) diff --git a/doc/7.1.7_binutils_2018-6323.md b/doc/7.1.7_binutils_2018-6323.md index 9ae149e..daf8f87 100644 --- a/doc/7.1.7_binutils_2018-6323.md +++ b/doc/7.1.7_binutils_2018-6323.md @@ -1,4 +1,4 @@ -# 7.1.7 [CVE-2018-6323] GNU binutils 2.29.1 Integer Overflow +# 7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞 - [漏洞描述](#漏洞描述) - [漏洞复现](#漏洞复现) diff --git a/doc/7.1.9_ms_word_2010-2333.md b/doc/7.1.9_ms_word_2010-2333.md new file mode 100644 index 0000000..36df6c8 --- /dev/null +++ b/doc/7.1.9_ms_word_2010-2333.md @@ -0,0 +1,18 @@ +# 7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞 + +- [漏洞描述](#漏洞描述) +- [漏洞复现](#漏洞复现) +- [漏洞分析](#漏洞分析) +- [参考资料](#参考资料) + + +[下载文件](../src/exploit/7.1.9_ms_word_2010-2333) + +## 漏洞描述 + +## 漏洞复现 + +## 漏洞分析 + +## 参考资料 +- https://www.cvedetails.com/cve/CVE-2010-2333 diff --git a/doc/7_exploit.md b/doc/7_exploit.md index cd20588..1bc60cf 100644 --- a/doc/7_exploit.md +++ b/doc/7_exploit.md 
@@ -1,12 +1,13 @@ # 第七篇 实战篇 * CVE - * [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md) - * [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md) - * [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md) - * [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md) - * [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md) - * [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md) - * [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md) - * [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](7.1.8_adobe_reader_2010-2883.md) + * [7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞](7.1.1_tcpdump_2017-11543.md) + * [7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞](7.1.2_glibc_2015-0235.md) + * [7.1.3 CVE-2016-4971 wget 任意文件上传漏洞](7.1.3_wget_2016-4971.md) + * [7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞](7.1.4_wget_2017-13089.md) + * [7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞](7.1.5_glibc_2018-1000001.md) + * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](7.1.6_dnstracer_2017-9430.md) + * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](7.1.7_binutils_2018-6323.md) + * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](7.1.8_adobe_reader_2010-2883.md) + * [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-2333.md) * Malware diff --git a/doc/9.2_wintools.md b/doc/9.2_wintools.md index cfbab3f..0e7010a 100644 --- a/doc/9.2_wintools.md +++ b/doc/9.2_wintools.md @@ -9,6 +9,7 @@ - [Resource Hacker](#resource-hacker) - [wxHexEditor](#wxhexeditor) - [PDF Stream Dumper](#pdf-stream-dumper) +- [EMET](#emet) ## 010 Editor 
@@ -39,3 +40,6 @@ http://www.wxhexeditor.org/ ## PDF Stream Dumper http://sandsprite.com/blogs/index.php?uid=7&pid=57 + +## EMET +https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit diff --git a/src/exploit/7.1.8_adobe_reader_2010-2883/dump.txt b/src/exploit/7.1.8_adobe_reader_2010-2883/dump.txt new file mode 100644 index 0000000..d0be83a --- /dev/null +++ b/src/exploit/7.1.8_adobe_reader_2010-2883/dump.txt 
@@ -0,0 +1,229 @@ +PDF Comment %PDF-1.5 + + +PDF Comment %Э + + +obj 1 0 + Type: /Catalog + Referencing: 2 0 R, 11 0 R, 13 0 R + +<< +/P#61ge#73 2 0 R +/#54yp#65 /C#61t#61lo#67 +/#4fpenAc#74io#6e 11 0 R +/#41#63r#6f#46o#72#6d 13 0 R +>> + + + << + /Pages 2 0 R + /Type /Catalog + /OpenAction 11 0 R + /AcroForm 13 0 R + >> + + +obj 2 0 + Type: /Pages + Referencing: 3 0 R, 4 0 R, 5 0 R + +<< +/#4d#65d#69#61#42#6fx 3 0 R +/#52e#73#6f#75#72ce#73 4 0 R +/K#69ds [5 0 R] +/#43#6funt 1 +/T#79p#65 /#50#61#67es +>> + + + << + /MediaBox 3 0 R + /Resources 4 0 R + /Kids [5 0 R] + /Count 1 + /Type /Pages + >> + + +obj 3 0 + Type: + Referencing: + +[0 0 595 842] + + + + +obj 4 0 + Type: + Referencing: 6 0 R + +<< +/#46o#6e#74 6 0 R +>> + + + << + /Font 6 0 R + >> + + +obj 5 0 + Type: /Page + Referencing: 2 0 R, 3 0 R, 4 0 R, 8 0 R + +<< +/#50ar#65n#74 2 0 R +/Me#64#69aBox 3 0 R +/#52#65s#6furc#65#73 4 0 R +/C#6fntent#73 [8 0 R] +/Ty#70#65 /#50#61ge +>> + + + << + /Parent 2 0 R + /MediaBox 3 0 R + /Resources 4 0 R + /Contents [8 0 R] + /Type /Page + >> + + +obj 6 0 + Type: + Referencing: 7 0 R + +<< +/F1 7 0 R +>> + + + << + /F1 7 0 R + >> + + +obj 7 0 + Type: /Font + Referencing: 9 0 R + +<< +/T#79pe /F#6f#6et +/S#75#62#74ype /T#72ue#54#79#70e +/Name /#461 +/B#61#73e#46ont /C#69nem#61 +/Wi#64ths [] +/F#6f#6e#74#44e#73cr#69#70#74or 9 0 R/#45#6e#63#6fdi#6e#67 /Ma#63#52o#6da#6e#45nc#6fd#69ng>> + + + << + /Type /Font + /Subtype /TrueType + /Name /F1 + /BaseFont /Cinema + /Widths [] + /FontDescriptor 9 0 R + /Encoding /MacRomanEncoding + >> + + +obj 8 0 + Type: + Referencing: + Contains stream + + << + /Length 65 + >> + + +obj 9 0 + Type: /FontDescriptor + Referencing: 10 0 R + +<> + + + << + /Type /FontDescriptor + /FontName /Cinema + /Flags 131140 + /FontBBox [-177 -269 1123 866] + /FontFile2 10 0 R + >> + + +obj 10 0 + Type: + Referencing: + Contains stream + + << + /Length 40240 + /Filter /FlateDecode + /Length1 65932 + >> + + +obj 11 0 + Type: /Action + Referencing: 12 0 R + +<> 
+ + + << + /Type /Action + /S /JavaScript + /JS 12 0 R + >> + + +obj 12 0 + Type: + Referencing: + Contains stream + + << + /Length 3734 + /Filter [/#46la#74#65De#63#6fd#65/#41#53C#49I#48#65#78#44ec#6f#64e] + >> + + +obj 13 0 + Type: + Referencing: 14 0 R + +<> + + + << + /XFA 14 0 R + >> + + +obj 14 0 + Type: + Referencing: + Contains stream + + << + /Length 372 + >> + + +xref + +trailer + << + /Size 15 + /Root 1 0 R + >> + +startxref 45789 + +PDF Comment %%EOF + + diff --git a/src/exploit/7.1.8_adobe_reader_2010-2883/hexC0E5.tmp b/src/exploit/7.1.8_adobe_reader_2010-2883/hexC0E5.tmp new file mode 100644 index 0000000..c1aa485 Binary files /dev/null and b/src/exploit/7.1.8_adobe_reader_2010-2883/hexC0E5.tmp differ
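Review bot: In the SUMMARY.md hunk the 7.1.5 entry still spells the identifier with an en-dash, `CVE–2018-1000001`, in both the removed and the added line, and the same en-dash is carried into the new `# 7.1.5` heading in doc/7.1.5_glibc_2018-1000001.md and into doc/7_exploit.md; use the ASCII hyphen `CVE-2018-1000001` everywhere so the ID matches the canonical form and is found by a plain text search. The renamed entries also drop the affected versions the old titles carried (tcpdump 4.9.0, glibc 2.17, wget 1.17.1 and 1.19.1, DNSTracer 1.9, Adobe Reader 9.3.4); that is fine for a table of contents as long as each page's 漏洞描述 section states the vulnerable version, so please check that it does.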
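Review bot: In the doc/2.2.2_idapro.md hunk the new `- [BinDiff](https://www.zynamics.com/bindiff.html)` line is the only list item without the ` -- 描述` suffix that every neighbouring entry (SimplifyGraph, bincat, golang_loader_assist) uses; add a one-line description in the same form, for example `-- 二进制文件差异比对工具`, so the list stays uniform.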
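Review bot: In the doc/7.1.7_binutils_2018-6323.md hunk the removed heading read `GNU binutils 2.29.1 Integer Overflow` while the removed SUMMARY.md and doc/7_exploit.md entries read `2.26.1`; the rename makes the three agree only by dropping the version altogether, so the underlying inconsistency is never resolved. Please state the actual affected binutils version once, in the page body, so readers of the CVE write-up are not left guessing which of the two numbers was right.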
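Review bot: The new doc/7.1.9_ms_word_2010-2333.md is a stub: `## 漏洞描述`, `## 漏洞复现` and `## 漏洞分析` are all empty, and `[下载文件](../src/exploit/7.1.9_ms_word_2010-2333)` points at a directory this commit does not add (the only src/exploit files in the diff are under 7.1.8_adobe_reader_2010-2883/), so the link is dangling. Either include the 7.1.9 sample directory and at least the 漏洞描述 text in this commit, or mark the page as work in progress so the SUMMARY.md and 7_exploit.md entries that now link to it do not lead to an empty page. A blank line between `## 参考资料` and the `- https://...` item would also match the spacing used for the other sections.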
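Review bot: In the src/exploit/7.1.8_adobe_reader_2010-2883/dump.txt hunk the raw dictionary for `obj 9 0`, `obj 11 0` and `obj 13 0` is shown as a bare `<>` while every other object shows the full hex-escaped form (`/#54yp#65 /C#61t#61lo#67` and so on) next to its decoded form; that looks like truncated dumper output rather than the real object contents, since the decoded block beneath each of them is populated (`/FontFile2 10 0 R`, `/JS 12 0 R`, `/XFA 14 0 R`). Please regenerate those three entries, and add a first line to the file naming the tool and command that produced it so a reader can reproduce the dump and can see from the escaped names alone why the `/OpenAction`, `/JS` and `/FontFile2` objects deserve attention during analysis.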
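Review bot: The binary file added as src/exploit/7.1.8_adobe_reader_2010-2883/hexC0E5.tmp carries a temp-file name that tells the reader nothing about what it is (the extracted font stream? the decoded JavaScript stream? a memory dump?), and the 7.1.8 page is not touched in this commit to explain it. Give the file a descriptive name and reference it from the 7.1.8 write-up, and state whether it contains live exploit material so that people cloning the repository know what they are handling.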