diff --git a/README.md b/README.md index 2c58ba7..06d2eff 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,8 @@ - [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) - [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) - [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md) - - [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md) + - [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md) + - [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md) - [七、附录](doc/7_appendix.md) - [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) diff --git a/SUMMARY.md b/SUMMARY.md index 73fc4d2..2e6e148 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -66,7 +66,8 @@ * [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) * [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) * [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md) - * [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md) + * [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md) + * [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md) * [七、附录](doc/7_appendix.md) * [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) * [7.2 更多 Windows 工具](doc/7.2_wintools.md) diff --git a/doc/6.4_pwn_0ctf2015_freenote.md b/doc/6.4_pwn_0ctf2015_freenote.md deleted file mode 100644 index 1d9ca32..0000000 --- a/doc/6.4_pwn_0ctf2015_freenote.md +++ /dev/null @@ -1 +0,0 @@ -# 6.4 pwn 0ctf2015 freenote diff --git a/doc/6.4_pwn_njctf2017_233.md b/doc/6.4_pwn_njctf2017_233.md new file mode 100644 index 0000000..e695a0b --- /dev/null +++ b/doc/6.4_pwn_njctf2017_233.md 
@@ -0,0 +1,33 @@ +# 6.4 pwn njctf2017 233 + +- [题目复现](#题目复现) +- [SROP 原理及题目解析](#srop-原理及题目解析) +- [Exploit](#exploit) +- [参考资料](#参考资料) + + +## 题目复现 +在 6.1 中我们看到了 blind ROP,这一节中再来看一种 ROP 技术,Sigreturn Oriented Programming。 + +checksec 如下: +``` +$ checksec -f 233 +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 233 +``` +把程序运行起来: +``` +$ socat tcp4-listen:10001,reuseaddr,fork exec:./233 +``` + + +## SROP 原理及题目解析 + +## Exploit +完整的 exp 如下,其他文件放在了[github](../src/writeup/6.4_pwn_njctf2017_233)相应文件夹中: + + +## 参考资料 +- [Framing Signals—A Return to Portable Shellcode](http://www.ieee-security.org/TC/SP2014/papers/FramingSignals-AReturntoPortableShellcode.pdf) +- [slides: Framing Signals a return to portable shellcode](https://tc.gtisc.gatech.edu/bss/2014/r/srop-slides.pdf) +- [Sigreturn Oriented Programming](https://www.slideshare.net/AngelBoy1/sigreturn-ori) diff --git a/doc/6.5_pwn_0ctf2015_freenote.md b/doc/6.5_pwn_0ctf2015_freenote.md new file mode 100644 index 0000000..f220569 --- /dev/null +++ b/doc/6.5_pwn_0ctf2015_freenote.md @@ -0,0 +1 @@ +# 6.5 pwn 0ctf2015 freenote diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 5f160cc..7326414 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -3,4 +3,5 @@ - [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md) - [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md) - [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md) -- [6.4 pwn 0ctf2015 freenote](./6.4_pwn_0ctf2015_freenote.md) +- [6.4 pwn njctf2017 233](./6.4_pwn_njctf2017_233.md) +- [6.5 pwn 0ctf2015 freenote](./6.5_pwn_0ctf2015_freenote.md) diff --git a/src/writeup/6.4_pwn_njctf2017_233/233 b/src/writeup/6.4_pwn_njctf2017_233/233 new file mode 100755 index 0000000..5a039dd Binary files /dev/null and b/src/writeup/6.4_pwn_njctf2017_233/233 differ 
diff --git a/src/writeup/6.4_pwn_njctf2017_233/run.sh b/src/writeup/6.4_pwn_njctf2017_233/run.sh new file mode 100755 index 0000000..a0396e2 --- /dev/null +++ b/src/writeup/6.4_pwn_njctf2017_233/run.sh @@ -0,0 +1 @@ +socat tcp4-listen:10001,reuseaddr,fork exec:./233
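Review bot: the README.md hunk renumbers the existing freenote chapter from 6.4 to 6.5 (the SUMMARY.md and doc/6_writeup.md hunks do the same), which changes the path `doc/6.4_pwn_0ctf2015_freenote.md` that any external bookmark or earlier commit link points at. Since the freenote page is still only a one-line heading stub the cost is low, but if the chapter numbering is meant to stay stable it would be simpler to append the new njctf2017 233 writeup as 6.5 and leave freenote at 6.4. Either way the three index files agree with each other and with the new file names, so the links resolve.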
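Review bot: in the doc/6.4_pwn_njctf2017_233.md hunk the `## SROP 原理及题目解析` section has no body, and the `## Exploit` section says `完整的 exp 如下` (the full exp follows) but nothing follows it; the linked folder `../src/writeup/6.4_pwn_njctf2017_233` in this same patch holds only the binary and run.sh, so the sentence points readers at content that does not exist yet. Either mark both sections with an explicit TODO line or hold that sentence until the explanation and the exp file are committed. The table-of-contents anchors (`#题目复现`, `#srop-原理及题目解析`, `#exploit`, `#参考资料`) do match the headings under GitHub's slug rules, and the checksec output is fenced, so the rest of the page renders as intended.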
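Review bot: src/writeup/6.4_pwn_njctf2017_233/run.sh is committed with mode 100755 but has no shebang line; running it directly then depends on the invoking shell's ENOEXEC fallback, which launchers such as `subprocess` without a shell or a service manager do not provide. Add `#!/bin/sh` as the first line so `./run.sh` behaves the same everywhere. The file duplicates the socat command already quoted in the writeup's `把程序运行起来` block; that is fine as a convenience, but mention run.sh in the doc so the two copies do not drift apart.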