mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add 6.1.8
This commit is contained in:
parent
3687865931
commit
6a28dbfcb1
@ -79,6 +79,7 @@
|
||||
- [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
|
||||
- [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
|
||||
- [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
|
||||
- [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
|
||||
- re
|
||||
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
- [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||
|
@ -78,6 +78,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md)
|
||||
* [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md)
|
||||
* [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md)
|
||||
* [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
|
||||
* re
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||
|
@ -2,7 +2,8 @@
|
||||
|
||||
- [安装](#安装)
|
||||
- [使用 angr](#使用-angr)
|
||||
- [基础功能](#基础功能)
|
||||
- [入门](#入门)
|
||||
- [加载二进制文件](#加载二进制文件)
|
||||
- [angr 在 CTF 中的运用](#angr-在-ctf-中的运用)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
@ -199,6 +200,40 @@ WARNING | 2017-12-08 11:09:28,629 | cle.loader | The main binary is a position-i
|
||||
>>> plt.savefig('temp.png') # 保存
|
||||
```
|
||||
|
||||
#### 加载二进制文件
|
||||
angr 的二进制加载模块称为 CLE。主类为 `cle.loader.Loader`,它导入所有的对象文件并导出一个进程内存的抽象。类 `cle.backends` 是加载器的后端,根据二进制文件类型区分为 `cle.backends.elf`、`cle.backends.pe`、`cle.backends.macho` 等。
|
||||
|
||||
加载对象文件和细分类型如下:
|
||||
```python
|
||||
>>> proj.loader.all_objects # 所有对象文件
|
||||
[<ELF Object true, maps [0x400000:0x60721f]>, <ELF Object libc-2.26.so, maps [0x1000000:0x13b78cf]>, <ELF Object ld-2.26.so, maps [0x2000000:0x22260f7]>, <ELFTLSObject Object cle##tls, maps [0x3000000:0x300d010]>, <ExternObject Object cle##externs, maps [0x4000000:0x4008000]>, <KernelObject Object cle##kernel, maps [0x5000000:0x5008000]>]
|
||||
```
|
||||
- `proj.loader.main_object`:主对象文件
|
||||
- `proj.loader.shared_objects`:共享对象文件
|
||||
- `proj.loader.extern_object`:外部对象文件
|
||||
- `proj.loader.all_elf_object`:所有 elf 对象文件
|
||||
- `proj.loader.kernel_object`:内核对象文件
|
||||
|
||||
通过对这些对象文件进行操作,可以解析出相关信息:
|
||||
```python
|
||||
>>> obj = proj.loader.main_object
|
||||
>>> hex(obj.entry) # 入口地址
|
||||
'0x4013b0'
|
||||
>>> hex(obj.min_addr), hex(obj.max_addr) # 起始地址和结束地址
|
||||
('0x400000', '0x60721f')
|
||||
>>> obj.segments # segments
|
||||
<Regions: [<ELFSegment offset=0x0, flags=0x5, filesize=0x6094, vaddr=0x400000, memsize=0x6094>, <ELFSegment offset=0x6c10, flags=0x6, filesize=0x470, vaddr=0x606c10, memsize=0x610>]>
|
||||
>>> obj.sections # sections
|
||||
<Regions: [<Unnamed | offset 0x0, vaddr 0x400000, size 0x0>, <.interp | offset 0x238, vaddr 0x400238, size 0x1c>, <.note.ABI-tag | offset 0x254, vaddr 0x400254, size 0x20>,...etc
|
||||
```
|
||||
根据需要解析我们需要的信息:
|
||||
```python
|
||||
>>> obj.find_segment_containing(obj.entry) # 包含给定地址的 segments
|
||||
<ELFSegment offset=0x0, flags=0x5, filesize=0x6094, vaddr=0x400000, memsize=0x6094>
|
||||
>>> obj.find_section_containing(obj.entry) # 包含给定地址的 sections
|
||||
<.text | offset 0x12f0, vaddr 0x4012f0, size 0x33c9>
|
||||
```
|
||||
|
||||
|
||||
## angr 在 CTF 中的运用
|
||||
#### re DefcampCTF2015 entry_language
|
||||
|
@ -10,6 +10,9 @@
|
||||
```
|
||||
$ file game
|
||||
game: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=1f9b11cb913afcbbbf9cb615709b3c62b2fdb5a2, stripped
|
||||
$ checksec -f game
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 0 game
|
||||
```
|
||||
64 位,静态链接,stripped。
|
||||
|
||||
|
@ -1,4 +1,19 @@
|
||||
# 6.1.7 pwn 0CTF2015 freenote
|
||||
|
||||
- [题目解析](#题目解析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.7_pwn_0ctf2015_freenote)
|
||||
|
||||
## 题目解析
|
||||
```
|
||||
$ file freenote
|
||||
freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=dd259bb085b3a4aeb393ec5ef4f09e312555a64d, stripped
|
||||
$ checksec -f freenote
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote
|
||||
```
|
||||
|
||||
|
||||
## 参考资料
|
||||
|
22
doc/6.1.8_pwn_dctf2017_flex.md
Normal file
22
doc/6.1.8_pwn_dctf2017_flex.md
Normal file
@ -0,0 +1,22 @@
|
||||
# 6.1.8 pwn DCTF2017 Flex
|
||||
|
||||
- [C++ 异常机制](#c-异常机制)
|
||||
- [题目解析](#题目解析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.8_pwn_dctf2017_flex)
|
||||
|
||||
## C++ 异常机制
|
||||
|
||||
## 题目解析
|
||||
```
|
||||
$ file flex
|
||||
flex: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=30a1acbc98ccf9e8f4b3d1fc06b6ba6f0cbe7c9e, stripped
|
||||
$ checksec -f flex
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 flex
|
||||
```
|
||||
|
||||
|
||||
## 参考资料
|
@ -8,6 +8,7 @@
|
||||
- [6.1.5 pwn GreHackCTF2017 beerfighter](6.1.5_pwn_grehackctf2017_beerfighter.md)
|
||||
- [6.1.6 pwn DefconCTF2015 fuckup](6.1.6_pwn_defconctf2015_fuckup.md)
|
||||
- [6.1.7 pwn 0CTF2015 freenote](6.1.7_pwn_0ctf2015_freenote.md)
|
||||
- [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md)
|
||||
- re
|
||||
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||
|
BIN
src/writeup/6.1.8_pwn_dctf2017_flex/flex
Executable file
BIN
src/writeup/6.1.8_pwn_dctf2017_flex/flex
Executable file
Binary file not shown.
Loading…
Reference in New Issue
Block a user