mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
add 6.4
This commit is contained in:
parent
a61aab02f4
commit
6689193994
@ -70,7 +70,8 @@
|
||||
- [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
||||
- [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
|
||||
- [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
|
||||
- [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md)
|
||||
- [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
|
||||
- [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
|
||||
|
||||
- [七、附录](doc/7_appendix.md)
|
||||
- [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||
|
@ -66,7 +66,8 @@
|
||||
* [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
|
||||
* [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
|
||||
* [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
|
||||
* [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md)
|
||||
* [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
|
||||
* [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
|
||||
* [七、附录](doc/7_appendix.md)
|
||||
* [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
|
||||
* [7.2 更多 Windows 工具](doc/7.2_wintools.md)
|
||||
|
@ -1 +0,0 @@
|
||||
# 6.4 pwn 0ctf2015 freenote
|
33
doc/6.4_pwn_njctf2017_233.md
Normal file
33
doc/6.4_pwn_njctf2017_233.md
Normal file
@ -0,0 +1,33 @@
|
||||
# 6.4 pwn njctf2017 233
|
||||
|
||||
- [题目复现](#题目复现)
|
||||
- [SROP 原理及题目解析](#srop-原理及题目解析)
|
||||
- [Exploit](#exploit)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 题目复现
|
||||
在 6.1 中我们看到了 blind ROP,这一节中再来看一种 ROP 技术,Sigreturn Oriented Programming。
|
||||
|
||||
checksec 如下:
|
||||
```
|
||||
$ checksec -f 233
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 233
|
||||
```
|
||||
把程序运行起来:
|
||||
```
|
||||
$ socat tcp4-listen:10001,reuseaddr,fork exec:./233
|
||||
```
|
||||
|
||||
|
||||
## SROP 原理及题目解析
|
||||
|
||||
## Exploit
|
||||
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.4_pwn_njctf2017_233)相应文件夹中:
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [Framing Signals—A Return to Portable Shellcode](http://www.ieee-security.org/TC/SP2014/papers/FramingSignals-AReturntoPortableShellcode.pdf)
|
||||
- [slides: Framing Signals a return to portable shellcode](https://tc.gtisc.gatech.edu/bss/2014/r/srop-slides.pdf)
|
||||
- [Sigreturn Oriented Programming](https://www.slideshare.net/AngelBoy1/sigreturn-ori)
|
1
doc/6.5_pwn_0ctf2015_freenote.md
Normal file
1
doc/6.5_pwn_0ctf2015_freenote.md
Normal file
@ -0,0 +1 @@
|
||||
# 6.5 pwn 0ctf2015 freenote
|
@ -3,4 +3,5 @@
|
||||
- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)
|
||||
- [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md)
|
||||
- [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md)
|
||||
- [6.4 pwn 0ctf2015 freenote](./6.4_pwn_0ctf2015_freenote.md)
|
||||
- [6.4 pwn njctf2017 233](./6.4_pwn_njctf2017_233.md)
|
||||
- [6.5 pwn 0ctf2015 freenote](./6.5_pwn_0ctf2015_freenote.md)
|
||||
|
BIN
src/writeup/6.4_pwn_njctf2017_233/233
Executable file
BIN
src/writeup/6.4_pwn_njctf2017_233/233
Executable file
Binary file not shown.
1
src/writeup/6.4_pwn_njctf2017_233/run.sh
Executable file
1
src/writeup/6.4_pwn_njctf2017_233/run.sh
Executable file
@ -0,0 +1 @@
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:./233
|
Loading…
Reference in New Issue
Block a user