add 6.1.15

firmianay 2018-04-14 20:52:17 +08:00
parent 4fdca27010
commit 6c476b1798
10 changed files with 51 additions and 3 deletions

@ -90,6 +90,8 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [4.10 反调试技术](doc/4.10_antidbg.md)
* [4.11 指令混淆](doc/4.11_instruction_confusion.md)
* [4.12 利用 __stack_chk_fail](doc/4.12_stack_chk_fail.md)
* [4.13 利用 _IO_FILE 结构](doc/4.13_io_file.md)
* [4.14 glibc tcache 机制](doc/4.14_glibc_tcache.md)
* [五、高级篇](doc/5_advanced.md)
* [5.0 软件漏洞分析](doc/5.0_vulnerability.md)
* [5.1 模糊测试](doc/5.1_fuzzing.md)
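Review bot: the two new entries 4.13 and 4.14 link to doc/4.13_io_file.md and doc/4.14_glibc_tcache.md, which in this same commit contain only a heading and a 参考资料 list; either add the entries once the sections have body text, or mark them as work in progress in the README so a reader does not follow a TOC link into an empty chapter.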
@ -134,6 +136,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_pwn_n1ctf2018_vote.md)
* [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_pwn_34c3ctf2017_readme_revenge.md)
* [6.1.14 pwn 32C3CTF2015 readme](doc/6.1.14_pwn_32c3ctf2015_readme.md)
* [6.1.15 pwn 34C3CTF2017 SimpleGC](doc/6.1.15_pwn_34c3ctf2017_simplegc.md)
* re
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
@ -166,7 +169,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md)
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md)
* [8.2.3 AEG: Automatic Exploit Generation](doc/8.2.3_automatic_exploit_generation.md)
* [Address Space Layout Randomization](doc/8.3_aslr_review.md)
* Address Space Layout Randomization
* [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](doc/8.3.1_aslp.md)
* Code Obfuscation
* Reverse Engineering
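Review bot: the new 8.3.1 entry links to doc/8.3.1_aslp.md, but that file is not among the 10 files changed in this commit, so the link is dangling unless the file already exists in the tree; please confirm it exists or add it here. Dropping the link on the "Address Space Layout Randomization" line is consistent with the deletion of doc/8.3_aslr_review.md further down, so that part is fine.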

doc/4.13_io_file.md (new file, 8 additions)

@ -0,0 +1,8 @@
# 4.13 利用 _IO_FILE 结构
- [参考资料](#参考资料)
## 参考资料
- [abusing the FILE structure](https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/)
- [Play with FILE Structure - Yet Another Binary Exploit Technique](https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique)
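Review bot: doc/4.13_io_file.md is a stub: a TOC with a single anchor, the heading and two references, but no body text on how the _IO_FILE structure is abused or what the defences against it are. Add at least a short outline before linking it from the README, or put a visible TODO marker under the heading so the empty chapter is obvious.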

doc/4.14_glibc_tcache.md (new file, 7 additions)

@ -0,0 +1,7 @@
# 4.14 glibc tcache 机制
- [参考资料](#参考资料)
## 参考资料
- [thread local caching in glibc malloc](http://tukan.farm/2017/07/08/tcache/)
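Review bot: same stub pattern as 4.13. Worth noting that tcache exists from glibc 2.26 onward, and the SimpleGC writeup added in this commit ships libc-2.26.so, so once this section has content a cross-link from 6.1.15 to it would help readers.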

@ -12,3 +12,5 @@
- [4.10 反调试技术](4.10_antidbg.md)
- [4.11 指令混淆](4.11_instruction_confusion.md)
- [4.12 利用 __stack_chk_fail](4.12_stack_chk_fail.md)
- [4.13 利用 _IO_FILE 结构](4.13_io_file.md)
- [4.14 glibc tcache 机制](4.14_glibc_tcache.md)

@ -0,0 +1,28 @@
# 6.1.15 pwn 34C3CTF2017 SimpleGC
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [Exploit](#exploit)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.15_pwn_34c3ctf2017_simplegc)
## 题目复现
```
$ file sgc
sgc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f7ef90bc896e72ba0c3191a2ce6acb732bf3b172, stripped
$ checksec -f sgc
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 sgc
$ file libc-2.26.so
libc-2.26.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6d2b609f0c8e7b338f767b08c5ac712fac809d31, for GNU/Linux 3.2.0, stripped
```
## 题目解析
## Exploit
## 参考资料
- https://ctftime.org/task/5137
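Review bot: the 题目解析 and Exploit sections are empty headings that the TOC already links to; add a TODO under each or leave them out until written. The checksec output in the 题目复现 block has lost its column alignment (the header row and the value row no longer line up), so re-paste it as fixed-width text. The 下载文件 link to ../src/writeup/6.1.15_pwn_34c3ctf2017_simplegc presumably points at the two binary files in this commit that the diff view cannot show; listing their names (sgc and libc-2.26.so) next to the link would make that clear.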

@ -15,6 +15,7 @@
- [6.1.12 pwn N1CTF2018 vote](6.1.12_pwn_n1ctf2018_vote.md)
- [6.1.13 pwn 34C3CTF2017 readme_revenge](6.1.13_pwn_34c3ctf2017_readme_revenge.md)
- [6.1.14 pwn 32C3CTF2015 readme](6.1.14_pwn_32c3ctf2015_readme.md)
- [6.1.15 pwn 34C3CTF2017 SimpleGC](6.1.15_pwn_34c3ctf2017_simplegc.md)
- re
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)

@ -1 +0,0 @@
# Address Space Layout Randomization 综述

@ -14,7 +14,7 @@
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](8.2.1_dynamic_taint_analysis.md)
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](8.2.2_symbolic_execution_for_software_testing.md)
* [8.2.3 AEG: Automatic Exploit Generation](8.2.3_automatic_exploit_generation.md)
* [Address Space Layout Randomization](8.3_aslr_review.md)
* Address Space Layout Randomization
* [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](8.3.1_aslp.md)
* Code Obfuscation
* Reverse Engineering
