mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add 6.1.15
This commit is contained in:
parent
4fdca27010
commit
6c476b1798
@ -90,6 +90,8 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [4.10 反调试技术](doc/4.10_antidbg.md)
|
* [4.10 反调试技术](doc/4.10_antidbg.md)
|
||||||
* [4.11 指令混淆](doc/4.11_instruction_confusion.md)
|
* [4.11 指令混淆](doc/4.11_instruction_confusion.md)
|
||||||
* [4.12 利用 __stack_chk_fail](doc/4.12_stack_chk_fail.md)
|
* [4.12 利用 __stack_chk_fail](doc/4.12_stack_chk_fail.md)
|
||||||
|
* [4.13 利用 _IO_FILE 结构](doc/4.13_io_file.md)
|
||||||
|
* [4.14 glibc tcache 机制](doc/4.14_glibc_tcache.md)
|
||||||
* [五、高级篇](doc/5_advanced.md)
|
* [五、高级篇](doc/5_advanced.md)
|
||||||
* [5.0 软件漏洞分析](doc/5.0_vulnerability.md)
|
* [5.0 软件漏洞分析](doc/5.0_vulnerability.md)
|
||||||
* [5.1 模糊测试](doc/5.1_fuzzing.md)
|
* [5.1 模糊测试](doc/5.1_fuzzing.md)
|
||||||
@ -134,6 +136,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_pwn_n1ctf2018_vote.md)
|
* [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_pwn_n1ctf2018_vote.md)
|
||||||
* [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_pwn_34c3ctf2017_readme_revenge.md)
|
* [6.1.13 pwn 34C3CTF2017 readme_revenge](doc/6.1.13_pwn_34c3ctf2017_readme_revenge.md)
|
||||||
* [6.1.14 pwn 32C3CTF2015 readme](doc/6.1.14_pwn_32c3ctf2015_readme.md)
|
* [6.1.14 pwn 32C3CTF2015 readme](doc/6.1.14_pwn_32c3ctf2015_readme.md)
|
||||||
|
* [6.1.15 pwn 34C3CTF2017 SimpleGC](doc/6.1.15_pwn_34c3ctf2017_simplegc.md)
|
||||||
* re
|
* re
|
||||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||||
@ -166,7 +169,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md)
|
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](doc/8.2.1_dynamic_taint_analysis.md)
|
||||||
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md)
|
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](doc/8.2.2_symbolic_execution_for_software_testing.md)
|
||||||
* [8.2.3 AEG: Automatic Exploit Generation](doc/8.2.3_automatic_exploit_generation.md)
|
* [8.2.3 AEG: Automatic Exploit Generation](doc/8.2.3_automatic_exploit_generation.md)
|
||||||
* [Address Space Layout Randomization](doc/8.3_aslr_review.md)
|
* Address Space Layout Randomization
|
||||||
* [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](doc/8.3.1_aslp.md)
|
* [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](doc/8.3.1_aslp.md)
|
||||||
* Code Obfuscation
|
* Code Obfuscation
|
||||||
* Reverse Engineering
|
* Reverse Engineering
|
||||||
|
8
doc/4.13_io_file.md
Normal file
8
doc/4.13_io_file.md
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
# 4.13 利用 _IO_FILE 结构
|
||||||
|
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
- [abusing the FILE structure](https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/)
|
||||||
|
- [Play with FILE Structure - Yet Another Binary Exploit Technique](https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique)
|
7
doc/4.14_glibc_tcache.md
Normal file
7
doc/4.14_glibc_tcache.md
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# 4.14 glibc tcache 机制
|
||||||
|
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
- [thread local caching in glibc malloc](http://tukan.farm/2017/07/08/tcache/)
|
@ -12,3 +12,5 @@
|
|||||||
- [4.10 反调试技术](4.10_antidbg.md)
|
- [4.10 反调试技术](4.10_antidbg.md)
|
||||||
- [4.11 指令混淆](4.11_instruction_confusion.md)
|
- [4.11 指令混淆](4.11_instruction_confusion.md)
|
||||||
- [4.12 利用 __stack_chk_fail](4.12_stack_chk_fail.md)
|
- [4.12 利用 __stack_chk_fail](4.12_stack_chk_fail.md)
|
||||||
|
- [4.13 利用 _IO_FILE 结构](4.13_io_file.md)
|
||||||
|
- [4.14 glibc tcache 机制](4.14_glibc_tcache.md)
|
||||||
|
28
doc/6.1.15_pwn_34c3ctf2017_simplegc.md
Normal file
28
doc/6.1.15_pwn_34c3ctf2017_simplegc.md
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
# 6.1.15 pwn 34C3CTF2017 SimpleGC
|
||||||
|
|
||||||
|
- [题目复现](#题目复现)
|
||||||
|
- [题目解析](#题目解析)
|
||||||
|
- [Exploit](#exploit)
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
[下载文件](../src/writeup/6.1.15_pwn_34c3ctf2017_simplegc)
|
||||||
|
|
||||||
|
## 题目复现
|
||||||
|
```
|
||||||
|
$ file sgc
|
||||||
|
sgc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f7ef90bc896e72ba0c3191a2ce6acb732bf3b172, stripped
|
||||||
|
$ checksec -f sgc
|
||||||
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||||
|
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 sgc
|
||||||
|
$ file libc-2.26.so
|
||||||
|
libc-2.26.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6d2b609f0c8e7b338f767b08c5ac712fac809d31, for GNU/Linux 3.2.0, stripped
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## 题目解析
|
||||||
|
|
||||||
|
## Exploit
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
- https://ctftime.org/task/5137
|
@ -15,6 +15,7 @@
|
|||||||
- [6.1.12 pwn N1CTF2018 vote](6.1.12_pwn_n1ctf2018_vote.md)
|
- [6.1.12 pwn N1CTF2018 vote](6.1.12_pwn_n1ctf2018_vote.md)
|
||||||
- [6.1.13 pwn 34C3CTF2017 readme_revenge](6.1.13_pwn_34c3ctf2017_readme_revenge.md)
|
- [6.1.13 pwn 34C3CTF2017 readme_revenge](6.1.13_pwn_34c3ctf2017_readme_revenge.md)
|
||||||
- [6.1.14 pwn 32C3CTF2015 readme](6.1.14_pwn_32c3ctf2015_readme.md)
|
- [6.1.14 pwn 32C3CTF2015 readme](6.1.14_pwn_32c3ctf2015_readme.md)
|
||||||
|
- [6.1.15 pwn 34C3CTF2017 SimpleGC](6.1.15_pwn_34c3ctf2017_simplegc.md)
|
||||||
- re
|
- re
|
||||||
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||||
|
@ -1 +0,0 @@
|
|||||||
# Address Space Layout Randomization 综述
|
|
@ -14,7 +14,7 @@
|
|||||||
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](8.2.1_dynamic_taint_analysis.md)
|
* [8.2.1 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](8.2.1_dynamic_taint_analysis.md)
|
||||||
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](8.2.2_symbolic_execution_for_software_testing.md)
|
* [8.2.2 Symbolic Execution for Software Testing: Three Decades Later](8.2.2_symbolic_execution_for_software_testing.md)
|
||||||
* [8.2.3 AEG: Automatic Exploit Generation](8.2.3_automatic_exploit_generation.md)
|
* [8.2.3 AEG: Automatic Exploit Generation](8.2.3_automatic_exploit_generation.md)
|
||||||
* [Address Space Layout Randomization](8.3_aslr_review.md)
|
* Address Space Layout Randomization
|
||||||
* [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](8.3.1_aslp.md)
|
* [8.3.1 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software](8.3.1_aslp.md)
|
||||||
* Code Obfuscation
|
* Code Obfuscation
|
||||||
* Reverse Engineering
|
* Reverse Engineering
|
||||||
|
BIN
src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/libc-2.26.so
Executable file
BIN
src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/libc-2.26.so
Executable file
Binary file not shown.
BIN
src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/sgc
Executable file
BIN
src/writeup/6.1.15_pwn_34c3ctf2017_simplegc/sgc
Executable file
Binary file not shown.
Loading…
Reference in New Issue
Block a user