This commit is contained in:
firmianay 2017-11-19 15:04:12 +08:00
parent a61aab02f4
commit 6689193994
8 changed files with 41 additions and 4 deletions

@ -70,7 +70,8 @@
- [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) - [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
- [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) - [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
- [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md) - [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
- [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md) - [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
- [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
- [七、附录](doc/7_appendix.md) - [七、附录](doc/7_appendix.md)
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) - [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)

@ -66,7 +66,8 @@
* [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) * [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
* [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) * [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
* [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md) * [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
* [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md) * [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
* [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
* [七、附录](doc/7_appendix.md) * [七、附录](doc/7_appendix.md)
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) * [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
* [7.2 更多 Windows 工具](doc/7.2_wintools.md) * [7.2 更多 Windows 工具](doc/7.2_wintools.md)

@ -1 +0,0 @@
# 6.4 pwn 0ctf2015 freenote

@ -0,0 +1,33 @@
# 6.4 pwn njctf2017 233
- [题目复现](#题目复现)
- [SROP 原理及题目解析](#srop-原理及题目解析)
- [Exploit](#exploit)
- [参考资料](#参考资料)
## 题目复现
在 6.1 中我们看到了 blind ROP这一节中再来看一种 ROP 技术Sigreturn Oriented Programming。
checksec 如下:
```
$ checksec -f 233
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 233
```
把程序运行起来:
```
$ socat tcp4-listen:10001,reuseaddr,fork exec:./233
```
## SROP 原理及题目解析
## Exploit
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.4_pwn_njctf2017_233)相应文件夹中:
## 参考资料
- [Framing Signals—A Return to Portable Shellcode](http://www.ieee-security.org/TC/SP2014/papers/FramingSignals-AReturntoPortableShellcode.pdf)
- [slides: Framing Signals a return to portable shellcode](https://tc.gtisc.gatech.edu/bss/2014/r/srop-slides.pdf)
- [Sigreturn Oriented Programming](https://www.slideshare.net/AngelBoy1/sigreturn-ori)
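Review bot: the two body sections "## SROP 原理及题目解析" and "## Exploit" are added empty, yet the line under Exploit says "完整的 exp 如下" (the full exploit follows) and links to a writeup folder, so the file promises content it does not contain; either fill both sections in this commit or mark them as TODO so the table of contents at the top does not point at headings with nothing beneath them. The checksec block already records the mitigations the explanation will need to address (Full RELRO, no canary, NX enabled, PIE enabled), so the empty SROP section should relate the technique to exactly those lines. Minor style point: the opening sentence runs "blind ROP这一节中" and "ROP 技术Sigreturn Oriented Programming" together without punctuation; a comma or full stop between the clauses would help.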

@ -0,0 +1 @@
# 6.5 pwn 0ctf2015 freenote
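Review bot: this new 6.5 file consists of a single heading, the same one-line stub that was just deleted from 6.4; since the content is identical, this is a rename rather than new material, and a short TODO line (or the same section skeleton used in the new 6.4 file) would make it clear to readers that the writeup is still pending.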

@ -3,4 +3,5 @@
- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md) - [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)
- [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md) - [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md)
- [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md) - [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md)
- [6.4 pwn 0ctf2015 freenote](./6.4_pwn_0ctf2015_freenote.md) - [6.4 pwn njctf2017 233](./6.4_pwn_njctf2017_233.md)
- [6.5 pwn 0ctf2015 freenote](./6.5_pwn_0ctf2015_freenote.md)

Binary file not shown.

@ -0,0 +1 @@
socat tcp4-listen:10001,reuseaddr,fork exec:./233
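Review bot: the added file is a single socat command with no `#!/bin/sh` line, so if it is meant to be executed as a script it should start with a shebang (and be marked executable), otherwise document that it is to be pasted into a shell. The same command appears verbatim in the fenced block of the new 6.4 writeup, so the two copies need to be kept in sync. Also, `tcp4-listen:10001,reuseaddr,fork` binds on all IPv4 interfaces; for local reproduction, adding `bind=127.0.0.1` to the listen address keeps the unprotected binary from being reachable from the network.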