diff --git a/README.md b/README.md index 697d580..7f800dc 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,7 @@ - [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md) - [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md) - [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md) + - [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) - re - [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/SUMMARY.md b/SUMMARY.md index 5fa9247..e31f314 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -78,6 +78,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md) * [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md) * [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md) + * [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) * re * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/doc/5.3_angr.md b/doc/5.3_angr.md index b4a9859..1e63306 100644 --- a/doc/5.3_angr.md +++ b/doc/5.3_angr.md @@ -2,7 +2,8 @@ - [安装](#安装) - [使用 angr](#使用-angr) - - [基础功能](#基础功能) + - [入门](#入门) + - [加载二进制文件](#加载二进制文件) - [angr 在 CTF 中的运用](#angr-在-ctf-中的运用) - [参考资料](#参考资料) 
@@ -199,6 +200,40 @@ WARNING | 2017-12-08 11:09:28,629 | cle.loader | The main binary is a position-i >>> plt.savefig('temp.png') # 保存 ``` +#### 加载二进制文件 +angr 的二进制加载模块称为 CLE。主类为 `cle.loader.Loader`,它导入所有的对象文件并导出一个进程内存的抽象。类 `cle.backends` 是加载器的后端,根据二进制文件类型区分为 `cle.backends.elf`、`cle.backends.pe`、`cle.backends.macho` 等。 + +加载对象文件和细分类型如下: +```python +>>> proj.loader.all_objects # 所有对象文件 +[, , , , , ] +``` +- `proj.loader.main_object`:主对象文件 +- `proj.loader.shared_objects`:共享对象文件 +- `proj.loader.extern_object`:外部对象文件 +- `proj.loader.all_elf_object`:所有 elf 对象文件 +- `proj.loader.kernel_object`:内核对象文件 + +通过对这些对象文件进行操作,可以解析出相关信息: +```python +>>> obj = proj.loader.main_object +>>> hex(obj.entry) # 入口地址 +'0x4013b0' +>>> hex(obj.min_addr), hex(obj.max_addr) # 起始地址和结束地址 +('0x400000', '0x60721f') +>>> obj.segments # segments +, ]> +>>> obj.sections # sections +, <.interp | offset 0x238, vaddr 0x400238, size 0x1c>, <.note.ABI-tag | offset 0x254, vaddr 0x400254, size 0x20>,...etc +``` +根据需要解析我们需要的信息: +```python +>>> obj.find_segment_containing(obj.entry) # 包含给定地址的 segments + +>>> obj.find_section_containing(obj.entry) # 包含给定地址的 sections +<.text | offset 0x12f0, vaddr 0x4012f0, size 0x33c9> +``` + ## angr 在 CTF 中的运用 #### re DefcampCTF2015 entry_language diff --git a/doc/6.1.5_pwn_grehackctf2017_beerfighter.md b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md index 639446f..598b9bc 100644 --- a/doc/6.1.5_pwn_grehackctf2017_beerfighter.md +++ b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md @@ -10,6 +10,9 @@ ``` $ file game game: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=1f9b11cb913afcbbbf9cb615709b3c62b2fdb5a2, stripped +$ checksec -f game +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 0 game ``` 64 位,静态链接,stripped。 diff --git a/doc/6.1.7_pwn_0ctf2015_freenote.md b/doc/6.1.7_pwn_0ctf2015_freenote.md index b0223f4..1061f9d 100644 
--- a/doc/6.1.7_pwn_0ctf2015_freenote.md +++ b/doc/6.1.7_pwn_0ctf2015_freenote.md @@ -1,4 +1,19 @@ # 6.1.7 pwn 0CTF2015 freenote +- [题目解析](#题目解析) +- [参考资料](#参考资料) + [下载文件](../src/writeup/6.1.7_pwn_0ctf2015_freenote) + +## 题目解析 +``` +$ file freenote +freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=dd259bb085b3a4aeb393ec5ef4f09e312555a64d, stripped +$ checksec -f freenote +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote +``` + + +## 参考资料 diff --git a/doc/6.1.8_pwn_dctf2017_flex.md b/doc/6.1.8_pwn_dctf2017_flex.md new file mode 100644 index 0000000..14ac121 --- /dev/null +++ b/doc/6.1.8_pwn_dctf2017_flex.md @@ -0,0 +1,22 @@ +# 6.1.8 pwn DCTF2017 Flex + +- [C++ 异常机制](#c-异常机制) +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.8_pwn_dctf2017_flex) + +## C++ 异常机制 + +## 题目解析 +``` +$ file flex +flex: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=30a1acbc98ccf9e8f4b3d1fc06b6ba6f0cbe7c9e, stripped +$ checksec -f flex +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 flex +``` + + +## 参考资料 diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 624d182..febd9df 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -8,6 +8,7 @@ - [6.1.5 pwn GreHackCTF2017 beerfighter](6.1.5_pwn_grehackctf2017_beerfighter.md) - [6.1.6 pwn DefconCTF2015 fuckup](6.1.6_pwn_defconctf2015_fuckup.md) - [6.1.7 pwn 0CTF2015 freenote](6.1.7_pwn_0ctf2015_freenote.md) + - [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md) - re - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) 
diff --git a/src/writeup/6.1.8_pwn_dctf2017_flex/flex b/src/writeup/6.1.8_pwn_dctf2017_flex/flex new file mode 100755 index 0000000..cb8e158 Binary files /dev/null and b/src/writeup/6.1.8_pwn_dctf2017_flex/flex differ
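Review bot: the first `doc/5.3_angr.md` hunk (@@ -2,7 +2,8 @@) replaces the TOC entry `[基础功能](#基础功能)` with `[入门](#入门)`, but no hunk in this diff renames the corresponding `#### 基础功能` heading in the body (the only other hunk in that file, @@ -199,6 +200,40 @@, adds `#### 加载二进制文件` and nothing else), so the new `#入门` anchor will dangle unless the heading was already renamed. Include the heading change in this commit or keep the `基础功能` entry.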
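Review bot: `proj.loader.all_elf_object` in the bullet list added by the second `doc/5.3_angr.md` hunk is not a CLE loader attribute; the attribute is `proj.loader.all_elf_objects` (plural, like `all_objects` a few lines above it). In the same hunk the sample output for `proj.loader.all_objects` reads `[, , , , , ]`, the `obj.segments` output reads `, ]>`, and the line after `obj.find_segment_containing(obj.entry)` is empty, while the `obj.sections` and `find_section_containing` outputs keep their `<.interp ...>` / `<.text ...>` reprs. If that is how the committed file reads, re-capture those three outputs from a live session so the object reprs are shown.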
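Review bot: the `checksec -f game` output added in `doc/6.1.5_pwn_grehackctf2017_beerfighter.md` is not reflected in the summary sentence that follows the block (`64 位,静态链接,stripped。`); extend that sentence with the protections the output documents (Partial RELRO, no canary, NX enabled, no PIE), since that is the reason for adding the output.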
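Review bot: in `doc/6.1.7_pwn_0ctf2015_freenote.md` the new `## 题目解析` section holds only the `file` and `checksec` output with no commentary, and `## 参考资料` remains empty; at minimum add the one-line summary used in the beerfighter writeup (64 位, dynamically linked, canary found, NX enabled, FORTIFY yes, stripped) or mark the section as work in progress. Also, the added TOC list begins on the line directly after the `# 6.1.7 pwn 0CTF2015 freenote` heading; insert a blank line between them, as `6.1.8_pwn_dctf2017_flex.md` does, so every Markdown renderer starts the list correctly.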
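Review bot: `doc/6.1.8_pwn_dctf2017_flex.md` is a skeleton: `## C++ 异常机制` and `## 参考资料` have no body and `## 题目解析` lists only the `file`/`checksec` output, yet the README.md, SUMMARY.md and `doc/6_writeup.md` hunks already link it from the index. Either land the content in the same commit or mark the empty headings TODO so readers following the index do not land on blank sections. Since `file` reports the binary as dynamically linked, also record next to the `checksec` output which libc the writeup was done against, as that is needed to reproduce the analysis.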
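Review bot: `src/writeup/6.1.8_pwn_dctf2017_flex/flex` is committed as an executable (mode 100755) with nothing beside it that identifies the file; the `file` output in the writeup already carries the BuildID (`30a1acbc98ccf9e8f4b3d1fc06b6ba6f0cbe7c9e`), so one sentence stating that the linked binary matches that BuildID would let readers verify they have the right file before following the writeup.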