add 6.1.28 and fix

SUMMARY.md

@@ -147,10 +147,11 @@ GitHub 地址：https://github.com/firmianay/CTF-All-In-One
     * [6.1.21 pwn HITCONCTF2016 Secret_Holder](doc/6.1.21_pwn_hitconctf2016_secret_holder.md)
     * [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md)
     * [6.1.23 pwn BCTF2016 bcloud](doc/6.1.23_pwn_bctf2016_bcloud.md)
-    * [6.1.24 pwn HCTF2017 babyprintf](doc/6.1.24_pwn_hctf2017_babyprintf.md)
-    * [6.1.25 pwn 34C3CTF2017 300](doc/6.1.25_pwn_34c3ctf2017_300.md)
-    * [6.1.26 pwn SECCONCTF2016 tinypad](doc/6.1.26_pwn_secconctf2016_tinypad.md)
-    * [6.1.27 pwn ASISCTF2016 b00ks](doc/6.1.27_pwn_asisctf2016_b00ks.md)
+    * [6.1.24 pwn HITCONCTF2016 House_of_Orange](doc/6.1.24_hitconctf2016_house_of_orange.md)
+    * [6.1.25 pwn HCTF2017 babyprintf](doc/6.1.25_pwn_hctf2017_babyprintf.md)
+    * [6.1.26 pwn 34C3CTF2017 300](doc/6.1.26_pwn_34c3ctf2017_300.md)
+    * [6.1.27 pwn SECCONCTF2016 tinypad](doc/6.1.27_pwn_secconctf2016_tinypad.md)
+    * [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
   * Reverse
     * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
     * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)

doc/6.1.24_hitconctf2016_house_of_orange.md

@@ -0,0 +1,30 @@
+# 6.1.24 pwn HITCONCTF2016 House_of_Orange
+
+- [题目复现](#题目复现)
+- [题目解析](#题目解析)
+- [漏洞利用](#漏洞利用)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/writeup/6.1.24_hitconctf2016_house_of_orange)
+
+## 题目复现
+```
+$ file houseoforange 
+houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a58bda41b65d38949498561b0f2b976ce5c0c301, stripped
+$ checksec -f houseoforange
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
+Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     1               3       houseoforange
+$ strings libc.so.6 | grep "GNU C"
+GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
+Compiled by GNU CC version 5.3.1 20160413.
+```
+64 位程序，保护全开，默认开启 ASLR。
+
+
+## 题目解析
+
+## 漏洞利用
+
+## 参考资料
+- https://ctftime.org/task/4811

doc/6.1.24_pwn_hctf2017_babyprintf.md

@@ -1,30 +0,0 @@
-# 6.1.24 pwn HCTF2017 babyprintf
-
-- [题目复现](#题目复现)
-- [题目解析](#题目解析)
-- [漏洞利用](#漏洞利用)
-- [参考资料](#参考资料)
-
-
-[下载文件](../src/writeup/6.1.24_pwn_hctf2017_babyprintf)
-
-## 题目复现
-```
-$ file babyprintf 
-babyprintf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5652f65b98094d8ab456eb0a54d37d9b09b4f3f6, stripped
-$ checksec -f babyprintf
-RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
-Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     1               2       babyprintf
-$ strings libc-2.24.so | grep "GNU C"
-GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
-Compiled by GNU CC version 6.3.0 20170406.
-```
-64 位程序，开启了 canary 和 NX，默认开启 ASLR。
-
-
-## 题目解析
-
-## 漏洞利用
-
-## 参考资料
-- https://github.com/spineee/hctf/tree/master/2017/babyprintf

doc/6.1.25_pwn_hctf2017_babyprintf.md

@@ -0,0 +1,136 @@
+# 6.1.25 pwn HCTF2017 babyprintf
+
+- [题目复现](#题目复现)
+- [题目解析](#题目解析)
+- [漏洞利用](#漏洞利用)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/writeup/6.1.25_pwn_hctf2017_babyprintf)
+
+## 题目复现
+```
+$ file babyprintf 
+babyprintf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5652f65b98094d8ab456eb0a54d37d9b09b4f3f6, stripped
+$ checksec -f babyprintf
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
+Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     1               2       babyprintf
+$ strings libc-2.24.so | grep "GNU C"
+GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
+Compiled by GNU CC version 6.3.0 20170406.
+```
+64 位程序，开启了 canary 和 NX，默认开启 ASLR。
+
+
+## 题目解析
+#### main
+```
+[0x00400850]> pdf @ main
+            ;-- section..text:
+/ (fcn) main 130
+|   main ();
+|           ; DATA XREF from 0x0040086d (entry0)
+|           0x004007c0      push rbx                                   ; [14] -r-x section size 706 named .text
+|           0x004007c1      xor eax, eax
+|           0x004007c3      call sub.setbuf_950                        ; void setbuf(FILE *stream,
+|       ,=< 0x004007c8      jmp 0x400815
+        |   0x004007ca      nop word [rax + rax]
+|       |   ; JMP XREF from 0x00400832 (main)
+|      .--> 0x004007d0      mov edi, eax
+|      :|   0x004007d2      call sym.imp.malloc                        ;  void *malloc(size_t size)
+|      :|   0x004007d7      mov esi, str.string:                       ; 0x400aa4 ; "string: "
+|      :|   0x004007dc      mov rbx, rax
+|      :|   0x004007df      mov edi, 1
+|      :|   0x004007e4      xor eax, eax
+|      :|   0x004007e6      call sym.imp.__printf_chk
+|      :|   0x004007eb      mov rdi, rbx
+|      :|   0x004007ee      xor eax, eax
+|      :|   0x004007f0      call sym.imp.gets                          ; char*gets(char *s)
+|      :|   0x004007f5      mov esi, str.result:                       ; 0x400aad ; "result: "
+|      :|   0x004007fa      mov edi, 1
+|      :|   0x004007ff      xor eax, eax
+|      :|   0x00400801      call sym.imp.__printf_chk
+|      :|   0x00400806      mov rsi, rbx
+|      :|   0x00400809      mov edi, 1
+|      :|   0x0040080e      xor eax, eax
+|      :|   0x00400810      call sym.imp.__printf_chk
+|      :|   ; JMP XREF from 0x004007c8 (main)
+|      :`-> 0x00400815      mov esi, str.size:                         ; 0x400a94 ; "size: "
+|      :    0x0040081a      mov edi, 1
+|      :    0x0040081f      xor eax, eax
+|      :    0x00400821      call sym.imp.__printf_chk
+|      :    0x00400826      xor eax, eax
+|      :    0x00400828      call sub._IO_getc_990
+|      :    0x0040082d      cmp eax, 0x1000
+|      `==< 0x00400832      jbe 0x4007d0
+|           0x00400834      mov edi, str.too_long                      ; 0x400a9b ; "too long"
+|           0x00400839      call sym.imp.puts                          ; int puts(const char *s)
+|           0x0040083e      mov edi, 1
+\           0x00400843      call sym.imp.exit                          ; void exit(int status)
+```
+
+#### read
+```
+[0x00400850]> pdf @ sub._IO_getc_990 
+/ (fcn) sub._IO_getc_990 122
+|   sub._IO_getc_990 ();
+|           ; CALL XREF from 0x00400828 (main)
+|           0x00400990      push rbp
+|           0x00400991      push rbx
+|           0x00400992      xor ebx, ebx
+|           0x00400994      sub rsp, 0x28                              ; '('
+|           0x00400998      mov rax, qword fs:[0x28]                   ; [0x28:8]=-1 ; '(' ; 40
+|           0x004009a1      mov qword [rsp + 0x18], rax
+|           0x004009a6      xor eax, eax
+|           0x004009a8      nop dword [rax + rax]
+|           ; JMP XREF from 0x004009ce (sub._IO_getc_990)
+|       .-> 0x004009b0      mov rdi, qword [obj.stdin]                 ; [0x601090:8]=0
+|       :   0x004009b7      movsxd rbp, ebx
+|       :   0x004009ba      call sym.imp._IO_getc
+|       :   0x004009bf      cmp al, 0xa                                ; 10
+|       :   0x004009c1      mov byte [rsp + rbx], al
+|      ,==< 0x004009c4      je 0x400a05
+|      |:   0x004009c6      add rbx, 1
+|      |:   0x004009ca      cmp rbx, 9                                 ; 9
+|      |`=< 0x004009ce      jne 0x4009b0
+|      |    0x004009d0      cmp byte [rsp + 9], 0xa                    ; [0xa:1]=255 ; 10
+|      |,=< 0x004009d5      je 0x400a00
+|      ||   ; JMP XREF from 0x00400a09 (sub._IO_getc_990)
+|     .---> 0x004009d7      xor edx, edx
+|     :||   0x004009d9      xor esi, esi
+|     :||   0x004009db      mov rdi, rsp
+|     :||   0x004009de      call sym.imp.strtoul                       ; long strtoul(const char *str, char**endptr, int base)
+|     :||   0x004009e3      mov rcx, qword [rsp + 0x18]                ; [0x18:8]=-1 ; 24
+|     :||   0x004009e8      xor rcx, qword fs:[0x28]
+|    ,====< 0x004009f1      jne 0x400a0b
+|    |:||   0x004009f3      add rsp, 0x28                              ; '('
+|    |:||   0x004009f7      pop rbx
+|    |:||   0x004009f8      pop rbp
+|    |:||   0x004009f9      ret
+     |:||   0x004009fa      nop word [rax + rax]
+|    |:||   ; JMP XREF from 0x004009d5 (sub._IO_getc_990)
+|    |:|`-> 0x00400a00      mov ebp, 9
+|    |:|    ; JMP XREF from 0x004009c4 (sub._IO_getc_990)
+|    |:`--> 0x00400a05      mov byte [rsp + rbp], 0
+|    |`===< 0x00400a09      jmp 0x4009d7
+|    |      ; JMP XREF from 0x004009f1 (sub._IO_getc_990)
+\    `----> 0x00400a0b      call sym.imp.__stack_chk_fail              ; void __stack_chk_fail(void)
+```
+
+
+## 漏洞利用
+
+开启 ASLR，Bingo!!!
+```
+
+```
+
+#### exploit
+完整 exp 如下：
+```python
+
+```
+
+
+## 参考资料
+- https://github.com/spineee/hctf/tree/master/2017/babyprintf

doc/6.1.26_pwn_34c3ctf2017_300.md

@@ -1,4 +1,4 @@
-# 6.1.25 pwn 34C3CTF2017 300
+# 6.1.26 pwn 34C3CTF2017 300
 
 - [题目复现](#题目复现)
 - [题目解析](#题目解析)
@@ -6,7 +6,7 @@
 - [参考资料](#参考资料)
 
 
-[下载文件](../src/writeup/6.1.25_pwn_34c3ctf2017_300)
+[下载文件](../src/writeup/6.1.26_pwn_34c3ctf2017_300)
 
 ## 题目复现
 ```

doc/6.1.27_pwn_secconctf2016_tinypad.md

@@ -1,4 +1,4 @@
-# 6.1.26 pwn SECCONCTF2016 tinypad
+# 6.1.27 pwn SECCONCTF2016 tinypad
 
 - [题目复现](#题目复现)
 - [题目解析](#题目解析)
@@ -6,7 +6,7 @@
 - [参考资料](#参考资料)
 
 
-[下载文件](../src/writeup/6.1.26_pwn_secconctf2016_tinypad)
+[下载文件](../src/writeup/6.1.27_pwn_secconctf2016_tinypad)
 
 ## 题目复现
 ```

doc/6.1.28_pwn_asisctf2016_b00ks.md

@@ -1,4 +1,4 @@
-# 6.1.27 pwn ASISCTF2016 b00ks
+# 6.1.28 pwn ASISCTF2016 b00ks
 
 - [题目复现](#题目复现)
 - [题目解析](#题目解析)
@@ -6,7 +6,7 @@
 - [参考资料](#参考资料)
 
 
-[下载文件](../src/writeup/6.1.27_pwn_asisctf2016_b00ks)
+[下载文件](../src/writeup/6.1.28_pwn_asisctf2016_b00ks)
 
 ## 题目复现
 ```

doc/6_writeup.md

@@ -24,10 +24,11 @@
   * [6.1.21 pwn HITCONCTF2016 Secret_Holder](6.1.21_pwn_hitconctf2016_secret_holder.md)
   * [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](6.1.22_pwn_hitconctf2016_sleepy_holder.md)
   * [6.1.23 pwn BCTF2016 bcloud](6.1.23_pwn_bctf2016_bcloud.md)
-  * [6.1.24 pwn HCTF2017 babyprintf](6.1.24_pwn_hctf2017_babyprintf.md)
-  * [6.1.25 pwn 34C3CTF2017 300](6.1.25_pwn_34c3ctf2017_300.md)
-  * [6.1.26 pwn SECCONCTF2016 tinypad](6.1.26_pwn_secconctf2016_tinypad.md)
-  * [6.1.27 pwn ASISCTF2016 b00ks](6.1.27_pwn_asisctf2016_b00ks.md)
+  * [6.1.24 pwn HITCONCTF2016 House_of_Orange](doc/6.1.24_hitconctf2016_house_of_orange.md)
+  * [6.1.25 pwn HCTF2017 babyprintf](6.1.25_pwn_hctf2017_babyprintf.md)
+  * [6.1.26 pwn 34C3CTF2017 300](6.1.26_pwn_34c3ctf2017_300.md)
+  * [6.1.27 pwn SECCONCTF2016 tinypad](6.1.27_pwn_secconctf2016_tinypad.md)
+  * [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md)
 * Reverse
   * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
   * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)