diff --git a/SUMMARY.md b/SUMMARY.md index 450b54c..f3f692d 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -90,6 +90,8 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [4.10 反调试技术](doc/4.10_antidbg.md) * [4.11 指令混淆](doc/4.11_instruction_confusion.md) * [4.12 利用 __stack_chk_fail](doc/4.12_stack_chk_fail.md) + * [4.13 利用 _IO_FILE 结构](doc/4.13_io_file.md) + * [4.14 glibc tcache 机制](doc/4.14_glibc_tcache.md) * [五、高级篇](doc/5_advanced.md) * [5.0 软件漏洞分析](doc/5.0_vulnerability.md) * [5.1 模糊测试](doc/5.1_fuzzing.md) @@ -134,6 +136,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_pwn_n1ctf2018_vote.md) * [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_pwn_34c3ctf2017_readme_revenge.md) * [6.1.14 pwn 32C3CTF2015 readme](doc/6.1.14_pwn_32c3ctf2015_readme.md) + * [6.1.15 pwn 34C3CTF2017 SimpleGC](doc/6.1.15_pwn_34c3ctf2017_simplegc.md) * re * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) @@ -166,7 +169,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md) * [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md) * [8.2.3 AEG: Automatic Exploit Generation](doc/8.2.3_automatic_exploit_generation.md) - * [Address Space Layout Randomization](doc/8.3_aslr_review.md) + * Address Space Layout Randomization * [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](doc/8.3.1_aslp.md) * Code Obfuscation * Reverse Engineering diff --git a/doc/4.13_io_file.md b/doc/4.13_io_file.md new file mode 100644 index 0000000..839b509 --- /dev/null +++ b/doc/4.13_io_file.md 
@@ -0,0 +1,8 @@ +# 4.13 利用 _IO_FILE 结构 + +- [参考资料](#参考资料) + + +## 参考资料 +- [abusing the FILE structure](https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/) +- [Play with FILE Structure - Yet Another Binary Exploit Technique](https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique) diff --git a/doc/4.14_glibc_tcache.md b/doc/4.14_glibc_tcache.md new file mode 100644 index 0000000..5a37531 --- /dev/null +++ b/doc/4.14_glibc_tcache.md @@ -0,0 +1,7 @@ +# 4.14 glibc tcache 机制 + +- [参考资料](#参考资料) + + +## 参考资料 +- [thread local caching in glibc malloc](http://tukan.farm/2017/07/08/tcache/) diff --git a/doc/4_tips.md b/doc/4_tips.md index 9c3e38a..cf99b70 100644 --- a/doc/4_tips.md +++ b/doc/4_tips.md @@ -12,3 +12,5 @@ - [4.10 反调试技术](4.10_antidbg.md) - [4.11 指令混淆](4.11_instruction_confusion.md) - [4.12 利用 __stack_chk_fail](4.12_stack_chk_fail.md) +- [4.13 利用 _IO_FILE 结构](4.13_io_file.md) +- [4.14 glibc tcache 机制](4.14_glibc_tcache.md) diff --git a/doc/6.1.15_pwn_34c3ctf2017_simplegc.md b/doc/6.1.15_pwn_34c3ctf2017_simplegc.md new file mode 100644 index 0000000..575c8e4 --- /dev/null +++ b/doc/6.1.15_pwn_34c3ctf2017_simplegc.md 
@@ -0,0 +1,28 @@ +# 6.1.15 pwn 34C3CTF2017 SimpleGC + +- [题目复现](#题目复现) +- [题目解析](#题目解析) +- [Exploit](#exploit) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.15_pwn_34c3ctf2017_simplegc) + +## 题目复现 +``` +$ file sgc +sgc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f7ef90bc896e72ba0c3191a2ce6acb732bf3b172, stripped +$ checksec -f sgc +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 sgc +$ file libc-2.26.so +libc-2.26.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6d2b609f0c8e7b338f767b08c5ac712fac809d31, for GNU/Linux 3.2.0, stripped +``` + + +## 题目解析 + +## Exploit + +## 参考资料 +- https://ctftime.org/task/5137 diff --git a/doc/6_writeup.md b/doc/6_writeup.md index ad809d7..59134b0 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -15,6 +15,7 @@ - [6.1.12 pwn N1CTF2018 vote](6.1.12_pwn_n1ctf2018_vote.md) - [6.1.13 pwn 34C3CTF2017 readme_revenge](6.1.13_pwn_34c3ctf2017_readme_revenge.md) - [6.1.14 pwn 32C3CTF2015 readme](6.1.14_pwn_32c3ctf2015_readme.md) + - [6.1.15 pwn 34C3CTF2017 SimpleGC](6.1.15_pwn_34c3ctf2017_simplegc.md) - re - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) diff --git a/doc/8.3_aslr_review.md b/doc/8.3_aslr_review.md deleted file mode 100644 index 123bcd2..0000000 --- a/doc/8.3_aslr_review.md +++ /dev/null @@ -1 +0,0 @@ -# Address Space Layout Randomization 综述 diff --git a/doc/8_academic.md b/doc/8_academic.md index 7a73f19..64c5443 100644 --- a/doc/8_academic.md +++ b/doc/8_academic.md 
@@ -14,7 +14,7 @@ * [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](8.2.1_dynamic_taint_analysis.md) * [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](8.2.2_symbolic_execution_for_software_testing.md) * [8.2.3 AEG: Automatic Exploit Generation](8.2.3_automatic_exploit_generation.md) -* [Address Space Layout Randomization](8.3_aslr_review.md) +* Address Space Layout Randomization * [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](8.3.1_aslp.md) * Code Obfuscation * Reverse Engineering diff --git a/src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/libc-2.26.so b/src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/libc-2.26.so new file mode 100755 index 0000000..3dc5ae5 Binary files /dev/null and b/src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/libc-2.26.so differ diff --git a/src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/sgc b/src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/sgc new file mode 100755 index 0000000..a26660f Binary files /dev/null and b/src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/sgc differ
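Review bot: In the new doc/4.13_io_file.md and doc/4.14_glibc_tcache.md, the body is missing: each file consists of a title, a one-entry mini-TOC (`- [参考资料](#参考资料)`) and the references list, so the TOC links to the only heading in the file. Either add the outline headings the body will eventually have (the pattern doc/6.1.15_pwn_34c3ctf2017_simplegc.md uses with 题目复现 / 题目解析 / Exploit) or mark the chapters as placeholders so a reader following the SUMMARY.md link is not left with an empty page. For 4.14, stating which glibc version the chapter targets would help, since this same patch commits libc-2.26.so for the SimpleGC challenge and tcache first shipped in glibc 2.26.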
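Review bot: In doc/6.1.15_pwn_34c3ctf2017_simplegc.md, the `## 题目解析` and `## Exploit` headings are empty while the mini-TOC already links to them; add a TODO marker under each or drop them from the TOC until the content exists. The reference entry `- https://ctftime.org/task/5137` is a bare URL, whereas the other new docs in this patch use `- [title](url)`; use the same link style for consistency. The `file` output in 题目复现 records the BuildID of both sgc and libc-2.26.so, which is useful because it lets a reader confirm that the binaries committed under src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/ are the ones the writeup was produced against.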
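Review bot: The removal of doc/8.3_aslr_review.md is applied consistently, since both SUMMARY.md and doc/8_academic.md replace the `[Address Space Layout Randomization](8.3_aslr_review.md)` link with plain text, so no dangling link remains; the unnumbered entry also matches the neighbouring `Code Obfuscation` and `Reverse Engineering` items while the child `8.3.1` keeps its number. The deleted file was only a title line (`# Address Space Layout Randomization 综述`); if the review is still planned, note that in the commit message or leave a TODO, otherwise this is fine.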
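Review bot: Two executable binaries (`libc-2.26.so` and `sgc`, mode 100755) are added under src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/. Committing the challenge binaries is what makes the writeup reproducible, but consider adding a checksum file next to them (the writeup already captures the BuildIDs), and if the repository is growing with many such blobs, consider Git LFS for the src/writeup tree.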