mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add 7.1.9
This commit is contained in:
parent
f1c51d8ea3
commit
60c75b44da
17
SUMMARY.md
@ -167,14 +167,15 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* Mobile
|
* Mobile
|
||||||
* [七、实战篇](doc/7_exploit.md)
|
* [七、实战篇](doc/7_exploit.md)
|
||||||
* CVE
|
* CVE
|
||||||
* [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](doc/7.1.1_tcpdump_2017-11543.md)
|
* [7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞](doc/7.1.1_tcpdump_2017-11543.md)
|
||||||
* [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](doc/7.1.2_glibc_2015-0235.md)
|
* [7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞](doc/7.1.2_glibc_2015-0235.md)
|
||||||
* [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](doc/7.1.3_wget_2016-4971.md)
|
* [7.1.3 CVE-2016-4971 wget 任意文件上传漏洞](doc/7.1.3_wget_2016-4971.md)
|
||||||
* [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md)
|
* [7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞](doc/7.1.4_wget_2017-13089.md)
|
||||||
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
|
* [7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞](doc/7.1.5_glibc_2018-1000001.md)
|
||||||
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
|
* [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](doc/7.1.6_dnstracer_2017-9430.md)
|
||||||
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
|
* [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](doc/7.1.7_binutils_2018-6323.md)
|
||||||
* [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](doc/7.1.8_adobe_reader_2010-2883.md)
|
* [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](doc/7.1.8_adobe_reader_2010-2883.md)
|
||||||
|
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](doc/7.1.9_ms_word_2010-2333.md)
|
||||||
* Malware
|
* Malware
|
||||||
* [八、学术篇](doc/8_academic.md)
|
* [八、学术篇](doc/8_academic.md)
|
||||||
* [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
|
* [8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](doc/8.1_ret2libc_without_func_calls.md)
|
||||||
|
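Review bot: the 7.1.5 entry on both sides writes the CVE id with an en dash (`CVE–2018-1000001`) instead of a plain hyphen, and this rename keeps it; a mixed dash breaks text search and copy-paste into CVE databases, so it should read `CVE-2018-1000001` here and in the matching doc heading. Also, dropping the version numbers from the titles (`tcpdump 4.9.0`, `glibc 2.17`, `wget 1.17.1`, ...) loses the affected-version information the old titles carried; keep it in each doc's 漏洞描述 section.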
@ -25,6 +25,7 @@
|
|||||||
- [SimplifyGraph](https://github.com/fireeye/SimplifyGraph) -- 简化复杂的函数流程图
|
- [SimplifyGraph](https://github.com/fireeye/SimplifyGraph) -- 简化复杂的函数流程图
|
||||||
- [bincat](https://github.com/airbus-seclab/bincat) -- 静态二进制代码分析工具包,2017 Hex-Rays 插件第一名
|
- [bincat](https://github.com/airbus-seclab/bincat) -- 静态二进制代码分析工具包,2017 Hex-Rays 插件第一名
|
||||||
- [golang_loader_assist](https://github.com/strazzere/golang_loader_assist) -- Golang编译的二进制文件分析助手
|
- [golang_loader_assist](https://github.com/strazzere/golang_loader_assist) -- Golang编译的二进制文件分析助手
|
||||||
|
- [BinDiff](https://www.zynamics.com/bindiff.html)
|
||||||
|
|
||||||
|
|
||||||
## 常用脚本
|
## 常用脚本
|
||||||
|
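Review bot: the new BinDiff entry is the only one in this list without the ` -- 说明` description the neighbouring entries carry; add a short description (binary/patch diffing) so the list stays uniform.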
@ -1,4 +1,4 @@
|
|||||||
# 7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow
|
# 7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞
|
||||||
|
|
||||||
- [漏洞描述](#漏洞描述)
|
- [漏洞描述](#漏洞描述)
|
||||||
- [漏洞复现](#漏洞复现)
|
- [漏洞复现](#漏洞复现)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow
|
# 7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞
|
||||||
|
|
||||||
- [漏洞描述](#漏洞描述)
|
- [漏洞描述](#漏洞描述)
|
||||||
- [漏洞复现](#漏洞复现)
|
- [漏洞复现](#漏洞复现)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload
|
# 7.1.3 CVE-2016-4971 wget 任意文件上传漏洞
|
||||||
|
|
||||||
- [漏洞描述](#漏洞描述)
|
- [漏洞描述](#漏洞描述)
|
||||||
- [漏洞复现](#漏洞复现)
|
- [漏洞复现](#漏洞复现)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow
|
# 7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞
|
||||||
|
|
||||||
- [漏洞描述](#漏洞描述)
|
- [漏洞描述](#漏洞描述)
|
||||||
- [漏洞复现](#漏洞复现)
|
- [漏洞复现](#漏洞复现)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 7.1.5 [CVE–2018-1000001] glibc Buffer Underflow
|
# 7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞
|
||||||
|
|
||||||
- [漏洞描述](#漏洞描述)
|
- [漏洞描述](#漏洞描述)
|
||||||
- [漏洞复现](#漏洞复现)
|
- [漏洞复现](#漏洞复现)
|
||||||
|
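Review bot: the new heading still carries the en dash in `CVE–2018-1000001`; use a plain hyphen so the id matches the anchor in SUMMARY.md and resolves in CVE lookups.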
@ -1,4 +1,4 @@
|
|||||||
# 7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow
|
# 7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞
|
||||||
|
|
||||||
- [漏洞描述](#漏洞描述)
|
- [漏洞描述](#漏洞描述)
|
||||||
- [漏洞复现](#漏洞复现)
|
- [漏洞复现](#漏洞复现)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# 7.1.7 [CVE-2018-6323] GNU binutils 2.29.1 Integer Overflow
|
# 7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞
|
||||||
|
|
||||||
- [漏洞描述](#漏洞描述)
|
- [漏洞描述](#漏洞描述)
|
||||||
- [漏洞复现](#漏洞复现)
|
- [漏洞复现](#漏洞复现)
|
||||||
|
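Review bot: the old heading says binutils 2.29.1 while the old SUMMARY.md entry in this same commit says 2.26.1; the rename removes the number from both, but the discrepancy should be settled in the doc body, since the affected version matters for reproducing the elf_object_p integer overflow.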
18
doc/7.1.9_ms_word_2010-2333.md
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
# 7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞
|
||||||
|
|
||||||
|
- [漏洞描述](#漏洞描述)
|
||||||
|
- [漏洞复现](#漏洞复现)
|
||||||
|
- [漏洞分析](#漏洞分析)
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
[下载文件](../src/exploit/7.1.9_ms_word_2010-2333)
|
||||||
|
|
||||||
|
## 漏洞描述
|
||||||
|
|
||||||
|
## 漏洞复现
|
||||||
|
|
||||||
|
## 漏洞分析
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
- https://www.cvedetails.com/cve/CVE-2010-2333
|
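Review bot: the 漏洞描述, 漏洞复现 and 漏洞分析 sections are empty headings; a page with only a download link and one reference should be marked as a draft in the index until content lands. Please also double-check the CVE id: to my knowledge the Word RTF pFragments stack overflow is tracked as CVE-2010-3333 (MS10-087), and if that is right the filename, both index entries and the cvedetails link all need updating.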
@ -1,12 +1,13 @@
|
|||||||
# 第七篇 实战篇
|
# 第七篇 实战篇
|
||||||
|
|
||||||
* CVE
|
* CVE
|
||||||
* [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md)
|
* [7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞](7.1.1_tcpdump_2017-11543.md)
|
||||||
* [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md)
|
* [7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞](7.1.2_glibc_2015-0235.md)
|
||||||
* [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md)
|
* [7.1.3 CVE-2016-4971 wget 任意文件上传漏洞](7.1.3_wget_2016-4971.md)
|
||||||
* [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md)
|
* [7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞](7.1.4_wget_2017-13089.md)
|
||||||
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
|
* [7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞](7.1.5_glibc_2018-1000001.md)
|
||||||
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
|
* [7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞](7.1.6_dnstracer_2017-9430.md)
|
||||||
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md)
|
* [7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞](7.1.7_binutils_2018-6323.md)
|
||||||
* [7.1.8 [CVE-2010-2883] Adobe Reader 9.3.4 Stack Buffer Overflow](7.1.8_adobe_reader_2010-2883.md)
|
* [7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞](7.1.8_adobe_reader_2010-2883.md)
|
||||||
|
* [7.1.9 CVE-2010-2333 Microsoft Word RTF pFragments 栈溢出漏洞](7.1.9_ms_word_2010-2333.md)
|
||||||
* Malware
|
* Malware
|
||||||
|
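Review bot: this list is a verbatim copy of the CVE block in SUMMARY.md with only the `doc/` link prefix dropped, and the two have already drifted once (2.26.1 here versus 2.29.1 in the old 7.1.7 heading); consider generating one index from the other so they cannot diverge again.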
@ -9,6 +9,7 @@
|
|||||||
- [Resource Hacker](#resource-hacker)
|
- [Resource Hacker](#resource-hacker)
|
||||||
- [wxHexEditor](#wxhexeditor)
|
- [wxHexEditor](#wxhexeditor)
|
||||||
- [PDF Stream Dumper](#pdf-stream-dumper)
|
- [PDF Stream Dumper](#pdf-stream-dumper)
|
||||||
|
- [EMET](#emet)
|
||||||
|
|
||||||
|
|
||||||
## 010 Editor
|
## 010 Editor
|
||||||
@ -39,3 +40,6 @@ http://www.wxhexeditor.org/
|
|||||||
|
|
||||||
## PDF Stream Dumper
|
## PDF Stream Dumper
|
||||||
http://sandsprite.com/blogs/index.php?uid=7&pid=57
|
http://sandsprite.com/blogs/index.php?uid=7&pid=57
|
||||||
|
|
||||||
|
## EMET
|
||||||
|
https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit
|
||||||
|
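Review bot: the EMET section is only a link; add a note that EMET reached end of life in July 2018 and its mitigations (DEP/ASLR enforcement, EAF, ROP checks) moved into Exploit Protection in Windows 10, so readers reproducing 7.1.8 or 7.1.9 on current Windows should use that instead, and say which mitigations need to be on or off for the reproduction.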
229
src/exploit/7.1.8_adobe_reader_2010-2883/dump.txt
Normal file
@ -0,0 +1,229 @@
|
|||||||
|
PDF Comment %PDF-1.5
|
||||||
|
|
||||||
|
|
||||||
|
PDF Comment %äÐ<C390>
|
||||||
|
|
||||||
|
|
||||||
|
obj 1 0
|
||||||
|
Type: /Catalog
|
||||||
|
Referencing: 2 0 R, 11 0 R, 13 0 R
|
||||||
|
|
||||||
|
<<
|
||||||
|
/P#61ge#73 2 0 R
|
||||||
|
/#54yp#65 /C#61t#61lo#67
|
||||||
|
/#4fpenAc#74io#6e 11 0 R
|
||||||
|
/#41#63r#6f#46o#72#6d 13 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Pages 2 0 R
|
||||||
|
/Type /Catalog
|
||||||
|
/OpenAction 11 0 R
|
||||||
|
/AcroForm 13 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 2 0
|
||||||
|
Type: /Pages
|
||||||
|
Referencing: 3 0 R, 4 0 R, 5 0 R
|
||||||
|
|
||||||
|
<<
|
||||||
|
/#4d#65d#69#61#42#6fx 3 0 R
|
||||||
|
/#52e#73#6f#75#72ce#73 4 0 R
|
||||||
|
/K#69ds [5 0 R]
|
||||||
|
/#43#6funt 1
|
||||||
|
/T#79p#65 /#50#61#67es
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/MediaBox 3 0 R
|
||||||
|
/Resources 4 0 R
|
||||||
|
/Kids [5 0 R]
|
||||||
|
/Count 1
|
||||||
|
/Type /Pages
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 3 0
|
||||||
|
Type:
|
||||||
|
Referencing:
|
||||||
|
|
||||||
|
[0 0 595 842]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
obj 4 0
|
||||||
|
Type:
|
||||||
|
Referencing: 6 0 R
|
||||||
|
|
||||||
|
<<
|
||||||
|
/#46o#6e#74 6 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Font 6 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 5 0
|
||||||
|
Type: /Page
|
||||||
|
Referencing: 2 0 R, 3 0 R, 4 0 R, 8 0 R
|
||||||
|
|
||||||
|
<<
|
||||||
|
/#50ar#65n#74 2 0 R
|
||||||
|
/Me#64#69aBox 3 0 R
|
||||||
|
/#52#65s#6furc#65#73 4 0 R
|
||||||
|
/C#6fntent#73 [8 0 R]
|
||||||
|
/Ty#70#65 /#50#61ge
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Parent 2 0 R
|
||||||
|
/MediaBox 3 0 R
|
||||||
|
/Resources 4 0 R
|
||||||
|
/Contents [8 0 R]
|
||||||
|
/Type /Page
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 6 0
|
||||||
|
Type:
|
||||||
|
Referencing: 7 0 R
|
||||||
|
|
||||||
|
<<
|
||||||
|
/F1 7 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/F1 7 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 7 0
|
||||||
|
Type: /Font
|
||||||
|
Referencing: 9 0 R
|
||||||
|
|
||||||
|
<<
|
||||||
|
/T#79pe /F#6f#6et
|
||||||
|
/S#75#62#74ype /T#72ue#54#79#70e
|
||||||
|
/Name /#461
|
||||||
|
/B#61#73e#46ont /C#69nem#61
|
||||||
|
/Wi#64ths []
|
||||||
|
/F#6f#6e#74#44e#73cr#69#70#74or 9 0 R/#45#6e#63#6fdi#6e#67 /Ma#63#52o#6da#6e#45nc#6fd#69ng>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Type /Font
|
||||||
|
/Subtype /TrueType
|
||||||
|
/Name /F1
|
||||||
|
/BaseFont /Cinema
|
||||||
|
/Widths []
|
||||||
|
/FontDescriptor 9 0 R
|
||||||
|
/Encoding /MacRomanEncoding
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 8 0
|
||||||
|
Type:
|
||||||
|
Referencing:
|
||||||
|
Contains stream
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Length 65
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 9 0
|
||||||
|
Type: /FontDescriptor
|
||||||
|
Referencing: 10 0 R
|
||||||
|
|
||||||
|
<</#54#79#70#65/F#6f#6e#74De#73c#72#69#70tor/#46ontN#61#6de/#43ine#6d#61/Flag#73 131140/Fo#6et#42B#6f#78 [-177 -269 1123 866]/#46#6f#6et#46il#652 10 0 R>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Type /FontDescriptor
|
||||||
|
/FontName /Cinema
|
||||||
|
/Flags 131140
|
||||||
|
/FontBBox [-177 -269 1123 866]
|
||||||
|
/FontFile2 10 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 10 0
|
||||||
|
Type:
|
||||||
|
Referencing:
|
||||||
|
Contains stream
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Length 40240
|
||||||
|
/Filter /FlateDecode
|
||||||
|
/Length1 65932
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 11 0
|
||||||
|
Type: /Action
|
||||||
|
Referencing: 12 0 R
|
||||||
|
|
||||||
|
<</Ty#70e/#41#63ti#6fn/#53/J#61v#61#53#63ri#70#74/#4a#53 12 0 R>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Type /Action
|
||||||
|
/S /JavaScript
|
||||||
|
/JS 12 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 12 0
|
||||||
|
Type:
|
||||||
|
Referencing:
|
||||||
|
Contains stream
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Length 3734
|
||||||
|
/Filter [/#46la#74#65De#63#6fd#65/#41#53C#49I#48#65#78#44ec#6f#64e]
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 13 0
|
||||||
|
Type:
|
||||||
|
Referencing: 14 0 R
|
||||||
|
|
||||||
|
<</#58#46#41 14 0 R>>
|
||||||
|
|
||||||
|
|
||||||
|
<<
|
||||||
|
/XFA 14 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
obj 14 0
|
||||||
|
Type:
|
||||||
|
Referencing:
|
||||||
|
Contains stream
|
||||||
|
|
||||||
|
<<
|
||||||
|
/Length 372
|
||||||
|
>>
|
||||||
|
|
||||||
|
|
||||||
|
xref
|
||||||
|
|
||||||
|
trailer
|
||||||
|
<<
|
||||||
|
/Size 15
|
||||||
|
/Root 1 0 R
|
||||||
|
>>
|
||||||
|
|
||||||
|
startxref 45789
|
||||||
|
|
||||||
|
PDF Comment %%EOF
|
||||||
|
|
||||||
|
|
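Review bot: this dump is committed without saying what produced it or why it matters; the 7.1.8 write-up should name the tool that generated it and point out the two features that drive the analysis: the object names are hex-escaped (`/P#61ge#73` for `/Pages`, `/#4fpenAc#74io#6e` for `/OpenAction`), a common trick against naive string scanning, and the document chain is `/OpenAction` -> obj 11 (`/S /JavaScript`) -> obj 12 (a FlateDecode + ASCIIHexDecode stream), plus an embedded TrueType font in obj 10 (`/FontFile2`, `/BaseFont /Cinema`), which is where the SING table named in the title would live. A provenance line for the sample (source, hash) would also help.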
BIN
src/exploit/7.1.8_adobe_reader_2010-2883/hexC0E5.tmp
Normal file
Binary file not shown.
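Review bot: `hexC0E5.tmp` looks like an editor temp-file name rather than a deliberate artifact; if it is the malicious sample or a memory dump, give it a descriptive name and say in the 7.1.8 write-up what it is, otherwise drop it from the commit.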