Post category - binary exploit
Abstract: Heap-Based Buffer Overflow in Sudo (Baron Samedit) analysis -- POC verification part. Debugging and analyzing CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) from the source code. To be honest, I have not
Abstract: It was 4 a.m. by the time I finished the previous four, and the last challenge was still unwritten. babykernel, completed: babykernel_level5_teaching1.ko. As usual, control goes through ioctl: device_ioctl __int64 __fastcall device_ioctl(file *file, uns
Abstract: how2heap -- glibc 2.23 -- fastbin_dup_consolidate.c #include <stdio.h> #include <stdint.h> #include <stdlib.h> int main() { void* p1 = malloc(0x40); v
Abstract: __libc_free void __libc_free (void *mem) { mstate ar_ptr; mchunkptr p; /* chunk corresponding to mem */ // check whether malloc.h defines a __free_hook function // if it is defined, call it
Abstract: CTF-pwn-tips-zh_CN. Original project (English): https://github.com/Naetw/CTF-pwn-tips. To explain things clearly, I made quite a few changes. Contents: Buffer overflow; Finding strings in gdb; Running a program on a specified port; Finding a specific function's offset in libc; Finding /bin/sh or s
Abstract: malloc_par via: https://elixir.bootlin.com/glibc/glibc-2.26/source/malloc/malloc.c#L1783. Each arena is an instance of struct malloc_state; ptmalloc uses malloc_state to manage
Abstract: Starting with glibc 2.26, a new mechanism for managing freed chunks was introduced: tcache -- thread local caching. Same advice as always: Read The F**king Source Code. glibc version: 2.26, via: https://elixir.bootlin.com/gl
Abstract: I was a bit bored today, browsing YouTube, and came across a LiveOverflow video that mentioned TOCTOU, so I decided to reproduce it. via: https://www.youtube.com/watch?v=5g137gsB9Wk Demo code: via: https://gist.github.com/
Abstract: via: https://ropemporium.com/challenge/ret2csu.html ret2csu We're back in ret2win territory, but this time without the useful gadgets. How will we popu
Abstract: via: https://ropemporium.com/challenge/pivot.html pivot There's only enough space for a three link chain on the stack but you've been given space to st
Abstract: via: https://ropemporium.com/challenge/fluff.html fluff The concept here is identical to the write4 challenge. The only difference is we may struggle t
Abstract: via: https://ropemporium.com/challenge/badchars.html badchars An arbitrary write challenge with a twist; certain input characters get mangled before fi
Abstract: via: https://ropemporium.com/challenge/write4.html write4 Our first foray into proper gadget use. A call to system() is still present but we'll need to
Abstract: via: https://ropemporium.com/challenge/split.html split In this challenge the elements that allowed you to complete the ret2win challenge are still pre
Abstract: via: https://ropemporium.com/challenge/ret2win.html ret2win Locate a method within the binary that you want to call and do so by overwriting a saved re
Abstract: STACK FIVE As opposed to executing an existing function in the binary, this time we'll be introducing the concept of "shell code", and being able to e
Abstract: STACK FOUR Stack Four takes a look at what can happen when you can overwrite the saved instruction pointer (standard buffer overflow). Hints The saved
Abstract: STACK THREE Stack Three looks at overwriting function pointers stored on the stack. Hints You can use gdb and objdump to determine where the complete_
Abstract: STACK ONE This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory. This
Abstract: STACK TWO Stack Two takes a look at environment variables, and how they can be set. Source code. Quoted from the official page. This challenge is the same as before, a stack overflow, but we have no input point; the only  serves to fetch an environment variable named  . This
