nganhkhoa/CTF-All-In-One
1
0
Fork 0
mirror of https://github.com/nganhkhoa/CTF-All-In-One.git synced 2024-10-19 01:12:52 +07:00
Code Issues Projects Releases Wiki Activity

add 7.1.9

Browse Source
This commit is contained in:
firmianay 2018-05-19 21:22:04 +08:00
parent f1c51d8ea3
commit 60c75b44da
14 changed files with 277 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
SUMMARY.md
View File

@ -167,14 +167,15 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* Mobile * Mobile
* [七、实战篇](doc/7_exploit.md) * [七、实战篇](doc/7_exploit.md)
* CVE * CVE
* [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](doc/7.1.1_tcpdump_2017-11543.md) * [7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞](doc/7.1.1_tcpdump_2017-11543.md)
* [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](doc/7.1.2_glibc_2015-0235.md) * [7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞](doc/7.1.2_glibc_2015-0235.md)
* [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](doc/7.1.3_wget_2016-4971.md) * [7.1.3 CVE-2016-4971 wget 任意文件上传漏洞](doc/7.1.3_wget_2016-4971.md)
* [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md) * [7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞](doc/7.1.4_wget_2017-13089.md)
* [7.1.5 [CVE2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md) * [7.1.5 CVE2018-1000001 glibc realpath 缓冲区下溢漏洞](doc/7.1.5_glibc_2018-1000001.md)
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md) * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](doc/7.1.6_dnstracer_2017-9430.md)
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md) * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](doc/7.1.7_binutils_2018-6323.md)
* [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](doc/7.1.8_adobe_reader_2010-2883.md) * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](doc/7.1.8_adobe_reader_2010-2883.md)
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-2333.md)
* Malware * Malware
* [八、学术篇](doc/8_academic.md) * [八、学术篇](doc/8_academic.md)
* [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md) * [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)

1
doc/2.2.2_idapro.md
View File

@ -25,6 +25,7 @@
- [SimplifyGraph](https://github.com/fireeye/SimplifyGraph) -- 简化复杂的函数流程图 - [SimplifyGraph](https://github.com/fireeye/SimplifyGraph) -- 简化复杂的函数流程图
- [bincat](https://github.com/airbus-seclab/bincat) -- 静态二进制代码分析工具包2017 Hex-Rays 插件第一名 - [bincat](https://github.com/airbus-seclab/bincat) -- 静态二进制代码分析工具包2017 Hex-Rays 插件第一名
- [golang_loader_assist](https://github.com/strazzere/golang_loader_assist) -- Golang编译的二进制文件分析助手 - [golang_loader_assist](https://github.com/strazzere/golang_loader_assist) -- Golang编译的二进制文件分析助手
- [BinDiff](https://www.zynamics.com/bindiff.html)
## 常用脚本 ## 常用脚本

2
doc/7.1.1_tcpdump_2017-11543.md
View File

@ -1,4 +1,4 @@
# 7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow # 7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞
- [漏洞描述](#漏洞描述) - [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现) - [漏洞复现](#漏洞复现)

2
doc/7.1.2_glibc_2015-0235.md
View File

@ -1,4 +1,4 @@
# 7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow # 7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞
- [漏洞描述](#漏洞描述) - [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现) - [漏洞复现](#漏洞复现)

2
doc/7.1.3_wget_2016-4971.md
View File

@ -1,4 +1,4 @@
# 7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload # 7.1.3 CVE-2016-4971 wget 任意文件上传漏洞
- [漏洞描述](#漏洞描述) - [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现) - [漏洞复现](#漏洞复现)

2
doc/7.1.4_wget_2017-13089.md
View File

@ -1,4 +1,4 @@
# 7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow # 7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞
- [漏洞描述](#漏洞描述) - [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现) - [漏洞复现](#漏洞复现)

2
doc/7.1.5_glibc_2018-1000001.md
View File

@ -1,4 +1,4 @@
# 7.1.5 [CVE2018-1000001] glibc Buffer Underflow # 7.1.5 CVE2018-1000001 glibc realpath 缓冲区下溢漏洞
- [漏洞描述](#漏洞描述) - [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现) - [漏洞复现](#漏洞复现)

2
doc/7.1.6_dnstracer_2017-9430.md
View File

@ -1,4 +1,4 @@
# 7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow # 7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞
- [漏洞描述](#漏洞描述) - [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现) - [漏洞复现](#漏洞复现)

2
doc/7.1.7_binutils_2018-6323.md
View File

@ -1,4 +1,4 @@
# 7.1.7 [CVE-2018-6323] GNU binutils 2.29.1 Integer Overflow # 7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞
- [漏洞描述](#漏洞描述) - [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现) - [漏洞复现](#漏洞复现)

18
doc/7.1.9_ms_word_2010-2333.md Normal file
View File

@ -0,0 +1,18 @@
# 7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞
- [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现)
- [漏洞分析](#漏洞分析)
- [参考资料](#参考资料)
[下载文件](../src/exploit/7.1.9_ms_word_2010-2333)
## 漏洞描述
## 漏洞复现
## 漏洞分析
## 参考资料
- https://www.cvedetails.com/cve/CVE-2010-2333

17
doc/7_exploit.md
View File

@ -1,12 +1,13 @@
# 第七篇 实战篇 # 第七篇 实战篇
* CVE * CVE
* [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md) * [7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞](7.1.1_tcpdump_2017-11543.md)
* [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md) * [7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞](7.1.2_glibc_2015-0235.md)
* [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md) * [7.1.3 CVE-2016-4971 wget 任意文件上传漏洞](7.1.3_wget_2016-4971.md)
* [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md) * [7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞](7.1.4_wget_2017-13089.md)
* [7.1.5 [CVE2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md) * [7.1.5 CVE2018-1000001 glibc realpath 缓冲区下溢漏洞](7.1.5_glibc_2018-1000001.md)
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md) * [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](7.1.6_dnstracer_2017-9430.md)
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md) * [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](7.1.7_binutils_2018-6323.md)
* [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](7.1.8_adobe_reader_2010-2883.md) * [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](7.1.8_adobe_reader_2010-2883.md)
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-2333.md)
* Malware * Malware

4
doc/9.2_wintools.md
View File

@ -9,6 +9,7 @@
- [Resource Hacker](#resource-hacker) - [Resource Hacker](#resource-hacker)
- [wxHexEditor](#wxhexeditor) - [wxHexEditor](#wxhexeditor)
- [PDF Stream Dumper](#pdf-stream-dumper) - [PDF Stream Dumper](#pdf-stream-dumper)
- [EMET](#emet)
## 010 Editor ## 010 Editor
@ -39,3 +40,6 @@ http://www.wxhexeditor.org/
## PDF Stream Dumper ## PDF Stream Dumper
http://sandsprite.com/blogs/index.php?uid=7&pid=57 http://sandsprite.com/blogs/index.php?uid=7&pid=57
## EMET
https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit

229
src/exploit/7.1.8_adobe_reader_2010-2883/dump.txt Normal file
View File

@ -0,0 +1,229 @@
PDF Comment %PDF-1.5
PDF Comment %äЭ<C390>
obj 1 0
Type: /Catalog
Referencing: 2 0 R, 11 0 R, 13 0 R
<<
/P#61ge#73 2 0 R
/#54yp#65 /C#61t#61lo#67
/#4fpenAc#74io#6e 11 0 R
/#41#63r#6f#46o#72#6d 13 0 R
>>
<<
/Pages 2 0 R
/Type /Catalog
/OpenAction 11 0 R
/AcroForm 13 0 R
>>
obj 2 0
Type: /Pages
Referencing: 3 0 R, 4 0 R, 5 0 R
<<
/#4d#65d#69#61#42#6fx 3 0 R
/#52e#73#6f#75#72ce#73 4 0 R
/K#69ds [5 0 R]
/#43#6funt 1
/T#79p#65 /#50#61#67es
>>
<<
/MediaBox 3 0 R
/Resources 4 0 R
/Kids [5 0 R]
/Count 1
/Type /Pages
>>
obj 3 0
Type:
Referencing:
[0 0 595 842]
obj 4 0
Type:
Referencing: 6 0 R
<<
/#46o#6e#74 6 0 R
>>
<<
/Font 6 0 R
>>
obj 5 0
Type: /Page
Referencing: 2 0 R, 3 0 R, 4 0 R, 8 0 R
<<
/#50ar#65n#74 2 0 R
/Me#64#69aBox 3 0 R
/#52#65s#6furc#65#73 4 0 R
/C#6fntent#73 [8 0 R]
/Ty#70#65 /#50#61ge
>>
<<
/Parent 2 0 R
/MediaBox 3 0 R
/Resources 4 0 R
/Contents [8 0 R]
/Type /Page
>>
obj 6 0
Type:
Referencing: 7 0 R
<<
/F1 7 0 R
>>
<<
/F1 7 0 R
>>
obj 7 0
Type: /Font
Referencing: 9 0 R
<<
/T#79pe /F#6f#6et
/S#75#62#74ype /T#72ue#54#79#70e
/Name /#461
/B#61#73e#46ont /C#69nem#61
/Wi#64ths []
/F#6f#6e#74#44e#73cr#69#70#74or 9 0 R/#45#6e#63#6fdi#6e#67 /Ma#63#52o#6da#6e#45nc#6fd#69ng>>
<<
/Type /Font
/Subtype /TrueType
/Name /F1
/BaseFont /Cinema
/Widths []
/FontDescriptor 9 0 R
/Encoding /MacRomanEncoding
>>
obj 8 0
Type:
Referencing:
Contains stream
<<
/Length 65
>>
obj 9 0
Type: /FontDescriptor
Referencing: 10 0 R
<</#54#79#70#65/F#6f#6e#74De#73c#72#69#70tor/#46ontN#61#6de/#43ine#6d#61/Flag#73 131140/Fo#6et#42B#6f#78 [-177 -269 1123 866]/#46#6f#6et#46il#652 10 0 R>>
<<
/Type /FontDescriptor
/FontName /Cinema
/Flags 131140
/FontBBox [-177 -269 1123 866]
/FontFile2 10 0 R
>>
obj 10 0
Type:
Referencing:
Contains stream
<<
/Length 40240
/Filter /FlateDecode
/Length1 65932
>>
obj 11 0
Type: /Action
Referencing: 12 0 R
<</Ty#70e/#41#63ti#6fn/#53/J#61v#61#53#63ri#70#74/#4a#53 12 0 R>>
<<
/Type /Action
/S /JavaScript
/JS 12 0 R
>>
obj 12 0
Type:
Referencing:
Contains stream
<<
/Length 3734
/Filter [/#46la#74#65De#63#6fd#65/#41#53C#49I#48#65#78#44ec#6f#64e]
>>
obj 13 0
Type:
Referencing: 14 0 R
<</#58#46#41 14 0 R>>
<<
/XFA 14 0 R
>>
obj 14 0
Type:
Referencing:
Contains stream
<<
/Length 372
>>
xref
trailer
<<
/Size 15
/Root 1 0 R
>>
startxref 45789
PDF Comment %%EOF

BIN
src/exploit/7.1.8_adobe_reader_2010-2883/hexC0E5.tmp Normal file
View File

Binary file not shown.