fix

SUMMARY.md

@@ -68,13 +68,14 @@ GitHub 地址：https://github.com/firmianay/CTF-All-In-One
     * [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md)
     * [3.1.4 返回导向编程（ROP）（x86）](doc/3.1.4_rop_x86.md)
     * [3.1.5 返回导向编程（ROP）（ARM）](doc/3.1.5_rop_arm.md)
-    * [3.1.6 Linux 堆利用（上）](doc/3.1.6_heap_exploit_1.md)
-    * [3.1.7 Linux 堆利用（中）](doc/3.1.7_heap_exploit_2.md)
-    * [3.1.8 Linux 堆利用（下）](doc/3.1.8_heap_exploit_3.md)
-    * [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md)
-    * [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md)
-    * [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md)
-    * [3.1.12 竞争条件](doc/3.1.12_race_condition.md)
+    * [3.1.6 Linux 堆利用（一）](doc/3.1.6_heap_exploit_1.md)
+    * [3.1.7 Linux 堆利用（二）](doc/3.1.7_heap_exploit_2.md)
+    * [3.1.8 Linux 堆利用（三）](doc/3.1.8_heap_exploit_3.md)
+    * [3.1.9 Linux 堆利用（四）](doc/3.1.9_heap_exploit_4.md)
+    * [3.1.10 内核 ROP](doc/3.1.10_kernel_rop.md)
+    * [3.1.11 Linux 内核漏洞利用](doc/3.1.11_linux_kernel_exploit.md)
+    * [3.1.12 Windows 内核漏洞利用](doc/3.1.12_windows_kernel_exploit.md)
+    * [3.1.13 竞争条件](doc/3.1.13_race_condition.md)
   * Reverse
     * [3.2.1 patch 二进制文件](doc/3.2.1_patch_binary.md)
     * [3.2.2 脱壳技术（PE）](doc/3.2.2_pe_unpack.md)
@@ -163,6 +164,7 @@ GitHub 地址：https://github.com/firmianay/CTF-All-In-One
     * [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
     * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md)
     * [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
+    * [6.1.31 pwn HITBCTF2018 mutepig](doc/6.1.31_pwn_hitbctf2018_mutepig.md)
   * Reverse
     * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
     * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)

doc/3.1.10_kernel_rop.md

@@ -1,4 +1,4 @@
-# 3.1.9 内核 ROP
+# 3.1.10 内核 ROP
 
 - [参考资料](#参考资料)
 

doc/3.1.11_linux_kernel_exploit.md

@@ -1,4 +1,4 @@
-# 3.1.10 Linux 内核漏洞利用
+# 3.1.11 Linux 内核漏洞利用
 
 - [从用户态到内核态](#从用户态到内核态)
 - [内核漏洞分类](#内核漏洞分类)

doc/3.1.12_race_condition.md

@@ -1 +0,0 @@
-# 3.1.12 竞争条件

doc/3.1.12_windows_kernel_exploit.md

@@ -1,4 +1,4 @@
-# 3.1.11 Windows 内核漏洞利用
+# 3.1.12 Windows 内核漏洞利用
 
 - [参考资料](#参考资料)
 

doc/3.1.13_race_condition.md

@@ -0,0 +1 @@
+# 3.1.13 竞争条件

doc/3.1.9_heap_exploit_4.md

@@ -0,0 +1,19 @@
+# 3.1.9 Linux 堆利用（四）
+
+- [house_of_rabbit](#house_of_rabbit)
+- [house_of_roman](#house_of_roman)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/Others/3.1.6_heap_exploit)
+
+#### house_of_rabbit
+
+#### house_of_roman
+
+
+## 参考资料
+- [House of Rabbit - Heap exploitation technique bypassing ASLR](http://shift-crops.hatenablog.com/entry/2017/09/17/213235)
+- https://github.com/shift-crops/House_of_Rabbit
+- [House_of_Roman](https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc)
+- https://github.com/romanking98/House-Of-Roman

doc/3_topics.md

@@ -6,13 +6,14 @@
   * [3.1.3 栈溢出](3.1.3_stack_overflow.md)
   * [3.1.4 返回导向编程（ROP）（x86）](3.1.4_rop_x86.md)
   * [3.1.5 返回导向编程（ROP）（ARM）](3.1.5_rop_arm.md)
-  * [3.1.6 Linux 堆利用（上）](3.1.6_heap_exploit_1.md)
-  * [3.1.7 Linux 堆利用（中）](3.1.7_heap_exploit_2.md)
-  * [3.1.8 Linux 堆利用（下）](3.1.8_heap_exploit_3.md)
-  * [3.1.9 内核 ROP](3.1.9_kernel_rop.md)
-  * [3.1.10 Linux 内核漏洞利用](3.1.10_linux_kernel_exploit.md)
-  * [3.1.11 Windows 内核漏洞利用](3.1.11_windows_kernel_exploit.md)
-  * [3.1.12 竞争条件](3.1.12_race_condition.md)
+  * [3.1.6 Linux 堆利用（一）](3.1.6_heap_exploit_1.md)
+  * [3.1.7 Linux 堆利用（二）](3.1.7_heap_exploit_2.md)
+  * [3.1.8 Linux 堆利用（三）](3.1.8_heap_exploit_3.md)
+  * [3.1.9 Linux 堆利用（四）](3.1.9_heap_exploit_4.md)
+  * [3.1.10 内核 ROP](3.1.10_kernel_rop.md)
+  * [3.1.11 Linux 内核漏洞利用](3.1.11_linux_kernel_exploit.md)
+  * [3.1.12 Windows 内核漏洞利用](3.1.12_windows_kernel_exploit.md)
+  * [3.1.13 竞争条件](3.1.13_race_condition.md)
 * Reverse
   * [3.2.1 patch 二进制文件](3.2.1_patch_binary.md)
   * [3.2.2 脱壳技术（PE）](3.2.2_pe_unpack.md)

doc/6.1.16_pwn_hitbctf2017_1000levels.md

@@ -15,7 +15,7 @@ $ file 1000levels
 $ checksec -f 1000levels
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   No      0               6       1000levels
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.4.0 20160609.
 ```
@@ -351,7 +351,7 @@ vaddr=0x00201fd0 paddr=0x00001fd0 type=SET_64 system
 
 对于第一个问题，我们有不需要参数的 one-gadget 可以用，通过将输入的第二个数设置为偏移，即可通过程序的计算将 system 修改为 one-gadget。
 ```
-$ one_gadget libc.so.6 
+$ one_gadget libc-2.23.so 
 0x45216	execve("/bin/sh", rsp+0x30, environ)
 constraints:
   rax == NULL
@@ -456,7 +456,7 @@ firmy
 from pwn import *
 
 #context.log_level = 'debug'
-io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
 
 one_gadget = 0x4526a
 system_offset = 0x45390

doc/6.1.18_pwn_hitbctf2017_sentosa.md

@@ -15,7 +15,7 @@ sentosa: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically lin
 $ checksec -f sentosa 
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     1               3       sentosa
-$ strings libc.so.6| grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu4) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.4.0 20160609.
 ```
@@ -715,8 +715,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
+libc = ELF('libc-2.23.so')
 
 def start_proj(length, name, price, area, capacity):
     io.sendlineafter("Exit\n", '1')

doc/6.1.19_pwn_hitbctf2018_gundam.md

@@ -15,7 +15,7 @@ gundam: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically link
 $ checksec -f gundam
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     0               4       gundam
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.26.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
 Compiled by GNU CC version 6.4.0 20171010.
 ```
@@ -596,10 +596,10 @@ gdb-peda$ x/6gx 0x555555757b50-0x10
 0x555555757b60: 0x0000000000000000      0x0000000000000000
 gdb-peda$ vmmap libc
 Start              End                Perm      Name
-0x00007ffff79f8000 0x00007ffff7bce000 r-xp      /home/firmy/gundam/libc.so.6
-0x00007ffff7bce000 0x00007ffff7dce000 ---p      /home/firmy/gundam/libc.so.6
-0x00007ffff7dce000 0x00007ffff7dd2000 r--p      /home/firmy/gundam/libc.so.6
-0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p      /home/firmy/gundam/libc.so.6
+0x00007ffff79f8000 0x00007ffff7bce000 r-xp      /home/firmy/gundam/libc-2.26.so
+0x00007ffff7bce000 0x00007ffff7dce000 ---p      /home/firmy/gundam/libc-2.26.so
+0x00007ffff7dce000 0x00007ffff7dd2000 r--p      /home/firmy/gundam/libc-2.26.so
+0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p      /home/firmy/gundam/libc-2.26.so
 gdb-peda$ p 0x00007ffff7dd2c78 - 0x00007ffff79f8000
 $1 = 0x3dac78
 ```
@@ -696,9 +696,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
 #elf = ELF('gundam')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.26.so')
 
 def build(name):
     io.sendlineafter("choice : ", '1')

doc/6.1.1_pwn_hctf2016_brop.md

@@ -274,19 +274,19 @@ def dump_memory(buf_size, stop_addr, gadgets_addr, puts_plt, start_addr, end_add
 ```
 $ r2 -B 0x400000 code.bin
 [0x00400630]> pd 14 @ 0x4005e7
-     ::::   0x004005e7      25240a2000     and eax, 0x200a24                                                                                                                          
-     ::::   0x004005ec      0f1f4000       nop dword [rax]                                                                                                                            
-     ::::   0x004005f0      ff25220a2000   jmp qword [0x00601018]      ; [0x601018:8]=-1                                                                                              
-     ::::   0x004005f6      6800000000     push 0                                                                                                                                     
-     `====< 0x004005fb      e9e0ffffff     jmp 0x4005e0                                                                                                                               
-      :::   0x00400600      ff251a0a2000   jmp qword [0x00601020]      ; [0x601020:8]=-1                                                                                              
-      :::   0x00400606      6801000000     push 1                      ; 1                                                                                                            
-      `===< 0x0040060b      e9d0ffffff     jmp 0x4005e0                                                                                                                               
-       ::   0x00400610      ff25120a2000   jmp qword [0x00601028]      ; [0x601028:8]=-1                                                                                              
-       ::   0x00400616      6802000000     push 2                      ; 2                                                                                                            
-       `==< 0x0040061b      e9c0ffffff     jmp 0x4005e0                                                                                                                               
-        :   0x00400620      ff250a0a2000   jmp qword [0x00601030]      ; [0x601030:8]=-1                                                                                              
-        :   0x00400626      6803000000     push 3                      ; 3                                                                                                            
+     ::::   0x004005e7      25240a2000     and eax, 0x200a24
+     ::::   0x004005ec      0f1f4000       nop dword [rax]
+     ::::   0x004005f0      ff25220a2000   jmp qword [0x00601018]      ; [0x601018:8]=-1
+     ::::   0x004005f6      6800000000     push 0
+     `====< 0x004005fb      e9e0ffffff     jmp 0x4005e0
+      :::   0x00400600      ff251a0a2000   jmp qword [0x00601020]      ; [0x601020:8]=-1
+      :::   0x00400606      6801000000     push 1                      ; 1
+      `===< 0x0040060b      e9d0ffffff     jmp 0x4005e0
+       ::   0x00400610      ff25120a2000   jmp qword [0x00601028]      ; [0x601028:8]=-1
+       ::   0x00400616      6802000000     push 2                      ; 2
+       `==< 0x0040061b      e9c0ffffff     jmp 0x4005e0
+        :   0x00400620      ff250a0a2000   jmp qword [0x00601030]      ; [0x601030:8]=-1
+        :   0x00400626      6803000000     push 3                      ; 3
         `=< 0x0040062b      e9b0ffffff     jmp 0x4005e0
 ```
 于是我们就得到了 puts@got 地址 `0x00601018`。可以看到该表中还有其他几个函数，根据程序的功能大概可以猜到，无非就是 setbuf、read 之类的，在后面的过程中如果实在无法确定 libc，这些信息可能会有用。

doc/6.1.21_pwn_hitconctf2016_secret_holder.md

@@ -15,7 +15,7 @@ SecretHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
 $ checksec -f SecretHolder
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     0               2       SecretHolder
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.3.1 20160413.
 ```
@@ -554,9 +554,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
 elf = ELF('SecretHolder')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.23.so')
 
 small_ptr = 0x006020b0
 big_ptr = 0x006020a0

doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md

@@ -15,7 +15,7 @@ SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
 $ checksec -f SleepyHolder
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     0               2       SleepyHolder
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.3.1 20160413.
 ```
@@ -525,9 +525,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
 elf = ELF('SleepyHolder')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.23.so')
 
 small_ptr = 0x006020d0
 big_ptr = 0x006020c0

doc/6.1.24_hitconctf2016_house_of_orange.md

@@ -15,7 +15,7 @@ houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamical
 $ checksec -f houseoforange
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     1               3       houseoforange
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.3.1 20160413.
 ```
@@ -744,8 +744,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
+libc = ELF('libc-2.23.so')
 
 def build(size, name):
     io.sendlineafter("Your choice : ", '1')

doc/6.1.26_pwn_34c3ctf2017_300.md

@@ -15,7 +15,7 @@ $ file 300
 $ checksec -f 300
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     0               2       300
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.24.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
 Compiled by GNU CC version 6.3.0 20170406.
 ```
@@ -434,12 +434,6 @@ def pwn():
 ```
 python exp.py
 [+] Starting local process './300': pid 5158
-[*] '/home/firmyy/300/libc.so.6'
-    Arch:     amd64-64-little
-    RELRO:    Partial RELRO
-    Stack:    Canary found
-    NX:       NX enabled
-    PIE:      PIE enabled
 [*] libc_base address: 0x7efdcef24000
 [*] heap address: 0x5624a7a3c000
 [*] _IO_list_all address: 0x7efdcf2e6500
@@ -462,8 +456,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
+libc = ELF('libc-2.24.so')
 
 def alloc(idx):
     io.sendlineafter("free\n", '1')

doc/6.1.28_pwn_asisctf2016_b00ks.md

@@ -15,7 +15,7 @@ b00ks: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linke
 $ checksec -f b00ks
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   No      0               2       b00ks
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.4.0 20160609.
 ```

doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md

@@ -15,7 +15,7 @@ ghost_in_the_heap: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynam
 $ checksec -f ghost_in_the_heap 
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     1               2       ghost_in_the_heap
-$ strings libc.so.6 | grep "GNU C"       
+$ strings libc-2.24.so | grep "GNU C"       
 GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
 Compiled by GNU CC version 6.3.0 20170406.
 ```

doc/6.1.31_pwn_hitbctf2018_mutepig.md

@@ -0,0 +1,30 @@
+# 6.1.31 pwn HITBCTF2018 mutepig
+
+- [题目复现](#题目复现)
+- [题目解析](#题目解析)
+- [漏洞利用](#漏洞利用)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/writeup/6.1.31_pwn_hitbctf2018_mutepig)
+
+## 题目复现
+```
+$ file mutepig 
+mutepig: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=180b126011ab0d74ab49d0c3c52a41e85155a6a9, stripped
+[firmy@firmy-pc mutepip]$ checksec -f mutepig 
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
+Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     0               1       mutepig
+$ strings libc-2.23.so | grep "GNU C"
+GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
+Compiled by GNU CC version 8.1.0.
+```
+64 位程序，开启了 Canary 和 NX。
+
+
+## 题目解析
+
+## 漏洞利用
+
+## 参考资料
+- https://www.xctf.org.cn/library/details/hitb-quals-2018/#mutepig-pwn

doc/6.1.7_pwn_0ctf2015_freenote.md

@@ -15,6 +15,9 @@ freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
 $ checksec -f freenote 
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY  Fortified Fortifiable  FILE
 Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes      0               2       freenote
+$ strings libc-2.19.so | grep "GNU C"
+GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.6) stable release version 2.19, by Roland McGrath et al.
+Compiled by GNU CC version 4.8.2.
 ```
 因为没有 PIE，即使本机开启 ASLR 也没有关系。
 
@@ -101,7 +104,7 @@ Aborted
 
 在 Ubuntu 14.04 上把程序跑起来：
 ```
-$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" &
+$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &
 ```
 
 
@@ -713,10 +716,10 @@ Start              End                Offset             Perm Path
 0x0000000000603000 0x0000000000625000 0x0000000000000000 rw- [heap]
 gef➤  vmmap libc
 Start              End                Offset             Perm Path
-0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc.so.6_1
-0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc.so.6_1
-0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc.so.6_1
-0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc.so.6_1
+0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc-2.19.so
+0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc-2.19.so
+0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc-2.19.so
+0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc-2.19.so
 ```
 
 为了泄漏堆地址，我们需要释放 2 个不相邻且不会被合并进 top chunk 里的 chunk，所以我们创建 4 个笔记，可以看到由初始化阶段创建的 Notes 和 Note 结构体：
@@ -840,7 +843,7 @@ gef➤  x/20gx 0x00007ffff7dd37b8-0x78
 ```
 我们看到 `__malloc_hook` 在这个地址 `0x00007ffff7dd37b8-0x78` 的地方。其实 `0x7ffff7dd3760` 地方开始就是 `main_arena`，但在这个 libc 里符号被 stripped 扔掉了。看一下 `__malloc_hook` 在 libc 中的偏移：
 ```
-$ readelf -s libc.so.6_1 | grep __malloc_hook
+$ readelf -s libc-2.19.so | grep __malloc_hook
   1079: 00000000003be740     8 OBJECT  WEAK   DEFAULT   31 __malloc_hook@@GLIBC_2.2.5
 ```
 因为偏移是不变的，我们总是可以计算出 libc 的地址：
@@ -1045,9 +1048,9 @@ firmy
 ```python
 from pwn import *
 
-io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'})
+io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
 elf = ELF('freenote')
-libc = ELF('libc.so.6_1')
+libc = ELF('libc-2.19.so')
 
 def newnote(x):
     io.recvuntil("Your choice: ")

doc/6.1.8_pwn_dctf2017_flex.md

@@ -131,7 +131,7 @@ $ ldd flex
 |           0x00401161      31c0           xor eax, eax
 |           0x00401163      bf47454000     mov edi, str.FlexMD5_bruteforce_tool_V0.1 ; 0x404547 ; "FlexMD5 bruteforce tool V0.1"
 |           0x00401168      e863faffff     call sym.imp.puts           ; int puts(const char *s)
-|           0x0040116d      bf64454000     mov edi, str.custom_md5_state__yes_No_ ; 0x404564 ; "custom md5 state (yes/No)"                                                            
+|           0x0040116d      bf64454000     mov edi, str.custom_md5_state__yes_No_ ; 0x404564 ; "custom md5 state (yes/No)"
 |           0x00401172      e859faffff     call sym.imp.puts           ; int puts(const char *s)
 |           0x00401177      488d85e0feff.  lea rax, [local_120h]
 |           0x0040117e      be04000000     mov esi, 4
@@ -457,12 +457,6 @@ Bingo!!!
 ```
 $ python2 exp.py 
 [+] Opening connection to 127.0.0.1 on port 10001: Done
-[*] '/usr/lib/libc-2.26.so'
-    Arch:     amd64-64-little
-    RELRO:    Full RELRO
-    Stack:    Canary found
-    NX:       NX enabled
-    PIE:      PIE enabled
 [*] Switching to interactive mode
 $ whoami
 firmy

doc/6.1.9_pwn_rhme3_exploitation.md

@@ -16,6 +16,9 @@ main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
 $ checksec -f main.bin 
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     0               10      main.bin
+$ strings libc-2.23.so | grep "GNU C" 
+GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
+Compiled by GNU CC version 5.4.0 20160609.
 ```
 64 位程序，保护措施除了 PIE 都开启了。
 
@@ -42,7 +45,7 @@ $ python2 -c 'print "90"*33' > nop.txt
 
 最后把它运行起来：
 ```
-socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" &
+socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &
 ```
 
 
@@ -952,7 +955,7 @@ p.recvuntil('Name: ')
 
 leak    = u64(p.recv(6).ljust(8, '\x00'))
 libc    = leak - 0x3c4b78   # 0x3c4b78 = leak - libc
-system  = libc + 0x045390   # $ readelf -s libc.so.6 | grep system@
+system  = libc + 0x045390   # $ readelf -s libc-2.23.so | grep system@
 
 log.info("leak   => 0x%x" % leak)
 log.info("libc   => 0x%x" % libc)

doc/6_writeup.md

@@ -31,6 +31,7 @@
   * [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md)
   * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](6.1.29_pwn_insomnictf2017_the_great_escape3.md)
   * [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
+  * [6.1.31 pwn HITBCTF2018 mutepig](6.1.31_pwn_hitbctf2018_mutepig.md)
 * Reverse
   * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
   * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)

src/writeup/6.1.16_pwn_hitbctf2017_1000levels/exp.py

@@ -3,7 +3,7 @@
 from pwn import *
 
 #context.log_level = 'debug'
-io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
 
 one_gadget = 0x4526a
 system_offset = 0x45390

src/writeup/6.1.18_pwn_hitbctf2017_sentosa/exp.py

@@ -4,8 +4,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
+libc = ELF('libc-2.23.so')
 
 def start_proj(length, name, price, area, capacity):
     io.sendlineafter("Exit\n", '1')

src/writeup/6.1.19_pwn_hitbctf2018_gundam/exp.py

@@ -4,9 +4,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
 #elf = ELF('gundam')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.26.so')
 
 def build(name):
     io.sendlineafter("choice : ", '1')

src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/exp.py

@@ -4,9 +4,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
 elf = ELF('SecretHolder')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.23.so')
 
 small_ptr = 0x006020b0
 big_ptr = 0x006020a0

src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/exp.py

@@ -4,9 +4,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
 elf = ELF('SleepyHolder')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.23.so')
 
 small_ptr = 0x006020d0
 big_ptr = 0x006020c0

src/writeup/6.1.24_hitconctf2016_house_of_orange/exp.py

@@ -4,8 +4,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
+libc = ELF('libc-2.23.so')
 
 def build(size, name):
     io.sendlineafter("Your choice : ", '1')

src/writeup/6.1.26_pwn_34c3ctf2017_300/exp.py

@@ -4,8 +4,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
+libc = ELF('libc-2.24.so')
 
 def alloc(idx):
     io.sendlineafter("free\n", '1')

src/writeup/6.1.7_pwn_0ctf2015_freenote/exp.py

@@ -2,9 +2,9 @@
 
 from pwn import *
 
-io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'})
+io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
 elf = ELF('freenote')
-libc = ELF('libc.so.6_1')
+libc = ELF('libc-2.19.so')
 
 def newnote(x):
     io.recvuntil("Your choice: ")

src/writeup/6.1.7_pwn_0ctf2015_freenote/run.sh

@@ -1 +1 @@
-socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" &
+socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &

src/writeup/6.1.9_pwn_rhme3_exploitation/exp.py

@@ -63,7 +63,7 @@ p.recvuntil('Name: ')
 
 leak    = u64(p.recv(6).ljust(8, '\x00'))
 libc    = leak - 0x3c4b78   # 0x3c4b78 = leak - libc
-system  = libc + 0x045390   # $ readelf -s libc.so.6 | grep system@
+system  = libc + 0x045390   # $ readelf -s libc-2.23.so | grep system@
 
 log.info("leak   => 0x%x" % leak)
 log.info("libc   => 0x%x" % libc)

src/writeup/6.1.9_pwn_rhme3_exploitation/run.sh

@@ -1 +1 @@
-socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" &
+socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &