发表于 | 分类于

这里总结一下shellcode的各种类型

一、直接调用

1
2
3
4
5
6
7
8
#include <stdio.h>
int main(int argc, char const *argv[])
{
	char s[0x500];
	gets(s);
	((void(*)(void))s)();
	return 0;
}
阅读全文 »

发表于 | 分类于

pwn

很骚的一题,又是将system禁用的堆类型题目

1
2
3
4
5
6
7
8
9
10
11
12
13
$ seccomp-tools dump ./pwn2 
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x06 0xc000003e  if (A != ARCH_X86_64) goto 0008
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x04 0x00 0x40000000  if (A >= 0x40000000) goto 0008
 0004: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0009
 0005: 0x15 0x03 0x00 0x00000000  if (A == read) goto 0009
 0006: 0x15 0x02 0x00 0x00000002  if (A == open) goto 0009
 0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009
 0008: 0x06 0x00 0x00 0x00000000  return KILL
 0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
阅读全文 »

发表于

update 404

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Ign:1 http://security.ubuntu.com/ubuntu disco-security InRelease
Ign:2 http://archive.ubuntu.com/ubuntu disco InRelease
Err:3 http://security.ubuntu.com/ubuntu disco-security Release
  404  Not Found [IP: 91.189.91.38 80]
Ign:4 http://archive.ubuntu.com/ubuntu disco-updates InRelease
Ign:5 http://archive.ubuntu.com/ubuntu disco-backports InRelease
Err:6 http://archive.ubuntu.com/ubuntu disco Release
  404  Not Found [IP: 91.189.88.152 80]
Err:7 http://archive.ubuntu.com/ubuntu disco-updates Release
  404  Not Found [IP: 91.189.88.152 80]
Err:8 http://archive.ubuntu.com/ubuntu disco-backports Release
  404  Not Found [IP: 91.189.88.152 80]
Reading package lists... Done
E: The repository 'http://security.ubuntu.com/ubuntu disco-security Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://archive.ubuntu.com/ubuntu disco Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://archive.ubuntu.com/ubuntu disco-updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://archive.ubuntu.com/ubuntu disco-backports Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
阅读全文 »

发表于 | 分类于

re

checksec 一下发现加了upx壳,upx -d 脱壳

IDA f5发现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
_BOOL8 __fastcall sub_4009AE(char *a1)
{
  if ( 1629056 * *a1 != 166163712 )
    return 0LL;
  if ( 6771600 * a1[1] != 731332800 )
    return 0LL;
  if ( 3682944 * a1[2] != 357245568 )
    return 0LL;
  if ( 10431000 * a1[3] != 1074393000 )
    return 0LL;
  if ( 3977328 * a1[4] != 489211344 )
    return 0LL;
  if ( 5138336 * a1[5] != 518971936 )
    return 0LL;
  if ( 7532250 * a1[7] != 406741500 )
    return 0LL;
  if ( 5551632 * a1[8] != 294236496 )
    return 0LL;
  if ( 3409728 * a1[9] != 177305856 )
    return 0LL;
  if ( 13013670 * a1[10] != 650683500 )
    return 0LL;
  if ( 6088797 * a1[11] != 298351053 )
    return 0LL;
  if ( 7884663 * a1[12] != 386348487 )
    return 0LL;
  if ( 8944053 * a1[13] != 438258597 )
    return 0LL;
  if ( 5198490 * a1[14] != 249527520 )
    return 0LL;
  if ( 4544518 * a1[15] != 445362764 )
    return 0LL;
  if ( 3645600 * a1[17] != 174988800 )
    return 0LL;
  if ( 10115280 * a1[16] != 981182160 )
    return 0LL;
  if ( 9667504 * a1[18] != 493042704 )
    return 0LL;
  if ( 5364450 * a1[19] != 257493600 )
    return 0LL;
  if ( 13464540 * a1[20] != 767478780 )
    return 0LL;
  if ( 5488432 * a1[21] != 312840624 )
    return 0LL;
  if ( 14479500 * a1[22] != 1404511500 )
    return 0LL;
  if ( 6451830 * a1[23] != 316139670 )
    return 0LL;
  if ( 6252576 * a1[24] != 619005024 )
    return 0LL;
  if ( 7763364 * a1[25] != 372641472 )
    return 0LL;
  if ( 7327320 * a1[26] != 373693320 )
    return 0LL;
  if ( 8741520 * a1[27] != 498266640 )
    return 0LL;
  if ( 8871876 * a1[28] != 452465676 )
    return 0LL;
  if ( 4086720 * a1[29] != 208422720 )
    return 0LL;
  if ( 9374400 * a1[30] == 515592000 )
    return 5759124 * a1[31] == 719890500;
  return 0LL;
}
阅读全文 »

发表于

发现太久没有写博客了,就放一下刚打完的被喷得怪可怜的第5**空间的一点wp吧。

立雪

edit 函数没有对size进行检测,所以可以任意长度的堆溢出

而且程序存在后门函数,unlink到0x602088修改为0xffff即可(其实最快速的做法是unsortedbin attack到0x602088)

阅读全文 »

发表于 | 分类于

brain fuck,类似vm吧,可以进行读写,移位,加减操作。

所以移位操作和读写操作结合起来其实就是任意地址写,且got表可写。

思路:

先通任意地址读,读取got表上的libc地址,然后通过任意地址写将putchar@got修改为main,返回到main函数。

第二次输入的时候修改putchar@got为onegadget即可

阅读全文 »

发表于 | 分类于

cmd1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#include <stdio.h>
#include <string.h>

int filter(char* cmd){
        int r=0;
        r += strstr(cmd, "flag")!=0;
        r += strstr(cmd, "sh")!=0;
        r += strstr(cmd, "tmp")!=0;
        return r;
}
int main(int argc, char* argv[], char** envp){
        putenv("PATH=/thankyouverymuch");
        if(filter(argv[1])) return 0;
        system( argv[1] );
        return 0;
}
阅读全文 »

发表于 | 分类于

coin1

二分法,100次就行了,得在60秒内完成

题目也提示了,如果本地超时的话可以去服务器上跑。

ssh fd@pwnable.kr -p2222 (pw:guest),到/tmp下,服务器上有pwntools,将下面脚本中的pwnable.kr改成127.0.0.1跑,飞快

阅读全文 »

发表于 | 分类于

gets(s)栈溢出,且没有canary,没有PIE

本来想的是通过栈溢出直接跳到 if 内部输出flag,不过其地址为0x80A010B结合gets函数遇到回车(‘\x0a’)结束输入的特性,无法将地址0x80A010B写到返回地址上去。这个一步到位的方法pass。

阅读全文 »
0%