add 6.1.8

This commit is contained in:
firmianay 2017-12-09 10:35:26 +08:00
parent 3687865931
commit 6a28dbfcb1
8 changed files with 79 additions and 1 deletions

View File

@ -79,6 +79,7 @@
- [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
- [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
- [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
- [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
- re
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)

View File

@ -78,6 +78,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
* [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
* [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
* [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
* re
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)

View File

@ -2,7 +2,8 @@
- [安装](#安装)
- [使用 angr](#使用-angr)
- [基础功能](#基础功能)
- [入门](#入门)
- [加载二进制文件](#加载二进制文件)
- [angr 在 CTF 中的运用](#angr-在-ctf-中的运用)
- [参考资料](#参考资料)
@ -199,6 +200,40 @@ WARNING | 2017-12-08 11:09:28,629 | cle.loader | The main binary is a position-i
>>> plt.savefig('temp.png') # 保存
```
#### 加载二进制文件
angr 的二进制加载模块称为 CLE。主类为 `cle.loader.Loader`,它导入所有的对象文件并导出一个进程内存的抽象。类 `cle.backends` 是加载器的后端,根据二进制文件类型区分为 `cle.backends.elf`、`cle.backends.pe`、`cle.backends.macho` 等。
加载对象文件和细分类型如下:
```python
>>> proj.loader.all_objects # 所有对象文件
[<ELF Object true, maps [0x400000:0x60721f]>, <ELF Object libc-2.26.so, maps [0x1000000:0x13b78cf]>, <ELF Object ld-2.26.so, maps [0x2000000:0x22260f7]>, <ELFTLSObject Object cle##tls, maps [0x3000000:0x300d010]>, <ExternObject Object cle##externs, maps [0x4000000:0x4008000]>, <KernelObject Object cle##kernel, maps [0x5000000:0x5008000]>]
```
- `proj.loader.main_object`:主对象文件
- `proj.loader.shared_objects`:共享对象文件
- `proj.loader.extern_object`:外部对象文件
- `proj.loader.all_elf_object`:所有 elf 对象文件
- `proj.loader.kernel_object`:内核对象文件
通过对这些对象文件进行操作,可以解析出相关信息:
```python
>>> obj = proj.loader.main_object
>>> hex(obj.entry) # 入口地址
'0x4013b0'
>>> hex(obj.min_addr), hex(obj.max_addr) # 起始地址和结束地址
('0x400000', '0x60721f')
>>> obj.segments # segments
<Regions: [<ELFSegment offset=0x0, flags=0x5, filesize=0x6094, vaddr=0x400000, memsize=0x6094>, <ELFSegment offset=0x6c10, flags=0x6, filesize=0x470, vaddr=0x606c10, memsize=0x610>]>
>>> obj.sections # sections
<Regions: [<Unnamed | offset 0x0, vaddr 0x400000, size 0x0>, <.interp | offset 0x238, vaddr 0x400238, size 0x1c>, <.note.ABI-tag | offset 0x254, vaddr 0x400254, size 0x20>,...etc
```
根据需要解析我们需要的信息:
```python
>>> obj.find_segment_containing(obj.entry) # 包含给定地址的 segments
<ELFSegment offset=0x0, flags=0x5, filesize=0x6094, vaddr=0x400000, memsize=0x6094>
>>> obj.find_section_containing(obj.entry) # 包含给定地址的 sections
<.text | offset 0x12f0, vaddr 0x4012f0, size 0x33c9>
```
## angr 在 CTF 中的运用
#### re DefcampCTF2015 entry_language

View File

@ -10,6 +10,9 @@
```
$ file game
game: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=1f9b11cb913afcbbbf9cb615709b3c62b2fdb5a2, stripped
$ checksec -f game
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 0 game
```
64 位静态链接stripped。

View File

@ -1,4 +1,19 @@
# 6.1.7 pwn 0CTF2015 freenote
- [题目解析](#题目解析)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.7_pwn_0ctf2015_freenote)
## 题目解析
```
$ file freenote
freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=dd259bb085b3a4aeb393ec5ef4f09e312555a64d, stripped
$ checksec -f freenote
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote
```
## 参考资料

View File

@ -0,0 +1,22 @@
# 6.1.8 pwn DCTF2017 Flex
- [C++ 异常机制](#c-异常机制)
- [题目解析](#题目解析)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.8_pwn_dctf2017_flex)
## C++ 异常机制
## 题目解析
```
$ file flex
flex: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=30a1acbc98ccf9e8f4b3d1fc06b6ba6f0cbe7c9e, stripped
$ checksec -f flex
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 flex
```
## 参考资料

View File

@ -8,6 +8,7 @@
- [6.1.5 pwn GreHackCTF2017 beerfighter](6.1.5_pwn_grehackctf2017_beerfighter.md)
- [6.1.6 pwn DefconCTF2015 fuckup](6.1.6_pwn_defconctf2015_fuckup.md)
- [6.1.7 pwn 0CTF2015 freenote](6.1.7_pwn_0ctf2015_freenote.md)
- [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md)
- re
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)

Binary file not shown.