<!doctype html>
<html lang="zh-CN" data-theme="light">
<head>
  <!-- data-theme is the light/dark switch; the inline bootstrap script later in <head>
       rewrites it (and the theme-color meta below) from a saved preference. -->
  <meta charset="UTF-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <title>aYoung's Blog</title>
  <meta name="author" content="aYoung">
  <meta name="copyright" content="aYoung">
  <meta name="format-detection" content="telephone=no">
  <meta name="theme-color" content="#ffffff">
  <meta name="description" content="aYoung的博客">
  <!-- Open Graph metadata for link previews; the preview image is hosted on a third-party image host. -->
  <meta property="og:type" content="website">
  <meta property="og:title" content="aYoung's Blog">
  <meta property="og:url" content="https://iamayoung.xyz/index.html">
  <meta property="og:site_name" content="aYoung's Blog">
  <meta property="og:description" content="aYoung的博客">
  <meta property="og:locale" content="zh_CN">
  <meta property="og:image" content="https://s4.ax1x.com/2022/01/14/731OZF.jpg">
  <meta property="article:author" content="aYoung">
  <!-- Twitter card metadata -->
  <meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://s4.ax1x.com/2022/01/14/731OZF.jpg"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="https://iamayoung.xyz/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
// Site-wide configuration exposed as a global for the theme scripts
// (/js/utils.js and /js/main.js are loaded at the end of <body>).
// Every value here is emitted by the generator at build time.
root: '/',
// Search, translation and outdated-post notice are not configured on this site.
algolia: undefined,
localSearch: undefined,
translate: undefined,
noticeOutdate: undefined,
// Code-block highlighting options (plugin name is passed through as-is).
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true},
// User-facing messages for the copy-code feature (Chinese):
// success = "copied", error = "copy failed", noSupport = "browser not supported".
copy: {
success: '复制成功',
error: '复制错误',
noSupport: '浏览器不支持'
},
// Show absolute dates rather than "x ago" on the homepage and in posts.
relativeDate: {
homepage: false,
post: false
},
runtime: '',
// Suffixes used when relative dates are rendered (Chinese):
// just = "just now", min = "minutes ago", hour = "hours ago",
// day = "days ago", month = "months ago".
date_suffix: {
just: '刚刚',
min: '分钟前',
hour: '小时前',
day: '天前',
month: '个月前'
},
copyright: undefined,
// Image lightbox implementation selected for this site.
lightbox: 'fancybox',
Snackbar: undefined,
// Third-party libraries fetched on demand from a public CDN.
// NOTE(review): the '@latest' tags float the version and no integrity
// metadata is recorded alongside these URLs, so what executes depends on
// whatever the CDN serves at load time; pinning exact versions is what
// makes these dependencies auditable.
source: {
jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
},
fancybox: {
js: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js',
css: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.css'
}
},
// Feature toggles for figure captions, lazy-loading and heading anchors (all off here).
isPhotoFigcaption: false,
islazyload: false,
isanchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
// Per-page flags for this generated page: the home page, not a single post.
isPost: false,
isHome: true,
// Names suggest code-block collapsing and table-of-contents toggles —
// confirm their exact meaning in main.js.
isHighlightShrink: false,
isToc: false,
// Presumably the time of the last site update — confirm against the generator.
postUpdate: '2023-02-24 11:51:04'
}</script><noscript><style type="text/css">
/* Emitted inside <noscript>: only applies when scripting is disabled.
   Forces the navigation bar, gallery images and post dates to be visible;
   presumably /css/index.css leaves them transparent/hidden until the theme
   scripts reveal them — confirm against the stylesheet. */
#nav {
opacity: 1
}
.justified-gallery img {
opacity: 1
}
#recent-posts time,
#post-meta time {
display: inline !important
}
</style></noscript><script>(win=>{
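// Small localStorage wrapper with per-key expiry, exposed on `win` so the
// theme scripts can persist UI preferences (this file reads 'theme' and
// 'aside-status' through it). Entries are stored as JSON `{ value, expiry }`
// where `expiry` is an epoch timestamp in milliseconds.
win.saveToLocal = {
  // Store `value` under `key` for `ttl` days. A ttl of 0 stores nothing.
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return
    const ttlMs = ttl * 86400000 // days -> milliseconds
    const item = {
      value: value,
      expiry: Date.now() + ttlMs,
    }
    localStorage.setItem(key, JSON.stringify(item))
  },
  // Return the stored value for `key`, or undefined when the key is absent,
  // expired, or does not hold an object this wrapper wrote. Bad entries are
  // removed: previously a non-JSON or `null` value under one of these keys
  // made JSON.parse / the `.expiry` access throw, which aborted the whole
  // bootstrap script and skipped the theme restore on every page load.
  get: function getWithExpiry(key) {
    const itemStr = localStorage.getItem(key)
    if (!itemStr) {
      return undefined
    }
    let item
    try {
      item = JSON.parse(itemStr)
    } catch (e) {
      localStorage.removeItem(key)
      return undefined
    }
    if (item === null || typeof item !== 'object') {
      localStorage.removeItem(key)
      return undefined
    }
    if (Date.now() > item.expiry) {
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}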
// Inject a <script> for `url` and resolve once it has loaded; reject if the
// browser reports a load error. Only `src` and `async` are set — the element
// carries no integrity or crossorigin attribute, so the fetched code is
// trusted exactly as far as the URL's host is (presumably used for the CDN
// URLs in GLOBAL_CONFIG.source — confirm in main.js).
win.getScript = url => new Promise((resolve, reject) => {
  const el = document.createElement('script')
  el.src = url
  el.async = true
  el.onerror = reject
  // Shared load handler; the readyState branch only matters for legacy
  // engines that fire onreadystatechange instead of onload.
  const finished = function () {
    const state = this.readyState
    if (state && state !== 'loaded' && state !== 'complete') return
    el.onload = el.onreadystatechange = null
    resolve()
  }
  el.onload = finished
  el.onreadystatechange = finished
  document.head.appendChild(el)
})
// Switch the page to the dark theme: flips the data-theme attribute on
// <html> and, when present, darkens the browser UI colour via theme-color.
win.activateDarkMode = function () {
  document.documentElement.setAttribute('data-theme', 'dark')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta !== null) {
    themeColorMeta.setAttribute('content', '#0d0d0d')
  }
}
// Switch the page to the light theme: flips the data-theme attribute on
// <html> and, when present, resets the browser UI colour via theme-color.
win.activateLightMode = function () {
  document.documentElement.setAttribute('data-theme', 'light')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta !== null) {
    themeColorMeta.setAttribute('content', '#ffffff')
  }
}
// Restore persisted UI preferences before the body renders.
// Theme: only the two known values are honoured; anything else leaves the
// default data-theme from the markup in place.
const storedTheme = saveToLocal.get('theme')
if (storedTheme === 'dark') {
  activateDarkMode()
} else if (storedTheme === 'light') {
  activateLightMode()
}
// Sidebar: 'hide' collapses the aside via a class on <html>; any other
// stored value explicitly shows it. No stored value leaves the markup as-is.
const storedAsideStatus = saveToLocal.get('aside-status')
if (storedAsideStatus !== undefined) {
  const rootClasses = document.documentElement.classList
  if (storedAsideStatus === 'hide') {
    rootClasses.add('hide-aside')
  } else {
    rootClasses.remove('hide-aside')
  }
}
})(window)</script><meta name="generator" content="Hexo 6.2.0"></head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="author-avatar"><img class="avatar-img" src="https://s4.ax1x.com/2022/01/14/731OZF.jpg" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data"><div class="data-item is-center"><div class="data-item-link"><a href="/archives/"><div class="headline">文章</div><div class="length-num">81</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/tags/"><div class="headline">标签</div><div class="length-num">18</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/categories/"><div class="headline">分类</div><div class="length-num">3</div></a></div></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div></div></div><div class="page" id="body-wrap"><header class="full_page" id="page-header" style="background-image: url('https://s1.ax1x.com/2022/12/02/zBsZMn.png')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">aYoung's Blog</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 
Tags</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">aYoung's Blog</h1><div id="site-subtitle"><span id="subtitle"></span></div><div id="site_social_icons"><a class="social-icon" href="https://github.com/aYoung-CS" target="_blank" title="Github"><i class="fab fa-github"></i></a></div></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2023/02/12/qemu%E6%90%AD%E5%BB%BAlinux%E5%86%85%E6%A0%B8%E7%8E%AF%E5%A2%83/" title="Qemu搭建linux内核环境"> <img class="post_bg" src="https://ftp.bmp.ovh/imgs/2020/12/7359e568759eebbb.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Qemu搭建linux内核环境"></a></div><div class="recent-post-info"><a class="article-title" href="/2023/02/12/qemu%E6%90%AD%E5%BB%BAlinux%E5%86%85%E6%A0%B8%E7%8E%AF%E5%A2%83/" title="Qemu搭建linux内核环境">Qemu搭建linux内核环境</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-02-12T11:24:50.000Z" title="发表于 2023-02-12 19:24:50">2023-02-12</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/linux/">linux</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/linux/">linux</a></span></div><div class="content">编译linux内核下载内核源码https://mirrors.tuna.tsinghua.edu.cn/kernel/解压源码tar -xvf linux-xxxx.tar.gz
解压后进入源码根目录,指定编译架构,打开配置菜单
1234cd linux-xxxxexport ARCH=x86make x86_64_defconfigmake menuconfig
编译生成镜像1sudo make -j 4 bzImage
配置busybox启动内核还需要一个具有根文件系统的磁盘镜像文件,根文件系统中提供可供交互的shell程序以及一些常用工具命令。
借助busybox工具来制作根文件系统
下载地址 https://git.busybox.net/busybox/解压1tar -jxvf busybox-1.32.0.tar.bz2
进入busybox根目录,配置编译选项
12cd busybox-1.32.0make menuconfig
设置为静态编译12Settings ---> [*] Build BusyBox as a static binar ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2022/09/21/%E3%80%90WP%E3%80%91%E8%93%9D%E5%B8%BD%E6%9D%AF2022-final/" title="【WP】蓝帽杯2022_final"> <img class="post_bg" src="https://ftp.bmp.ovh/imgs/2021/02/ec5ef65c96792f29.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】蓝帽杯2022_final"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/09/21/%E3%80%90WP%E3%80%91%E8%93%9D%E5%B8%BD%E6%9D%AF2022-final/" title="【WP】蓝帽杯2022_final">【WP】蓝帽杯2022_final</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-09-21T12:27:44.000Z" title="发表于 2022-09-21 20:27:44">2022-09-21</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/wp/">wp</a></span></div><div class="content">杀猪盘静态编译,第四个人出来的时候有两次栈溢出,第一次泄露canary,第二次泄露基地址返回rop,execve("/bin/sh",0,0)
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657# encoding: utf-8from pwn import*context(os='linux', arch='amd64', log_level='debug')# r = process('./szp2')r = remote('39.105.99.40',25862)def init(): r.sendlineafter('> ', str(2))def cao(): r.sendlineafter(': ', str(4)) r.sendlineafter(&# ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2022/09/07/%E3%80%90WP%E3%80%91Ethernaut/" title="【WP】Ethernaut"> <img class="post_bg" src="https://s1.ax1x.com/2022/11/18/zn2XIe.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】Ethernaut"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/09/07/%E3%80%90WP%E3%80%91Ethernaut/" title="【WP】Ethernaut">【WP】Ethernaut</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-09-07T06:46:53.000Z" title="发表于 2022-09-07 14:46:53">2022-09-07</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/wp/">wp</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/blockchain/">blockchain</a></span></div><div class="content">Hello Ethernaut略
Fallback123456789101112131415161718192021222324252627282930313233343536373839404142434445// SPDX-License-Identifier: MITpragma solidity ^0.6.0;import '@openzeppelin/contracts/math/SafeMath.sol';contract Fallback { using SafeMath for uint256; mapping(address => uint) public contributions; address payable public owner; constructor() public { owner = msg.sender; contributions[msg.sender] = 1000 * (1 ether); } modifier onlyOwner { ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2022/08/26/%E3%80%90WP%E3%80%91qwb2022-final-rdp/" title="【WP】qwb2022_final_rdp"> <img class="post_bg" src="https://s1.ax1x.com/2022/08/27/vR8Hv6.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】qwb2022_final_rdp"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/08/26/%E3%80%90WP%E3%80%91qwb2022-final-rdp/" title="【WP】qwb2022_final_rdp">【WP】qwb2022_final_rdp</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-08-25T16:11:41.000Z" title="发表于 2022-08-26 00:11:41">2022-08-26</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/wp/">wp</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/realworld/">realworld</a></span></div><div class="content">前言一道realworld题目,难度不算太高吧但还是没能在时间内做出来,可惜。
题目描述123456789101112题目名称:RDP虚拟机环境:虚拟机操作系统ubuntu22.04;管理员用户名rdp,密码Aa123456(展示机用户具有不同口令)。题目描述:请针对xrdp服务进行漏洞利用,使用非管理员用户ctf执行选手exp程序后获取ubuntu操作系统root权限。展示步骤:1. 选手配置网络和虚拟机相连;2. 操作员使用如下方式启动做题环境: 1. 直接恢复快照(ctf用户桌面); 2. 在上述方法失效时,使用展示机rdp用户的口令登录rdp帐号,使用sudo systemctl restart xrdp&& sudo systemctl restart xrdp-sesman重启xrdp服务,然后切换至ctf用户;3. 选手使用http服务放入exp程序,操作员使用浏览器进行下载;4. 操作员执行选手exp程序(可多次执行,服务崩溃后选手可以选择重启靶机或恢复快照);5. 如果在/目录成功写入内容包含队伍特征的flag文件,则挑战成功。
附件给了三个文件1 ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2022/08/09/%E3%80%90WP%E3%80%91%E8%AE%B0%E5%BD%95%E4%B8%80%E9%81%93jerryscript%E5%BC%95%E6%93%8E%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/" title="【WP】记录一道jerryscript引擎漏洞利用"> <img class="post_bg" src="https://ftp.bmp.ovh/imgs/2021/02/ec5ef65c96792f29.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】记录一道jerryscript引擎漏洞利用"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/08/09/%E3%80%90WP%E3%80%91%E8%AE%B0%E5%BD%95%E4%B8%80%E9%81%93jerryscript%E5%BC%95%E6%93%8E%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/" title="【WP】记录一道jerryscript引擎漏洞利用">【WP】记录一道jerryscript引擎漏洞利用</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-08-09T15:36:48.000Z" title="发表于 2022-08-09 23:36:48">2022-08-09</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/wp/">wp</a></span></div><div class="content">一些基础知识数组表示/jerry-core/ecma/base/ecma-globals.h
12345678910111213141516171819202122232425262728typedef struct{ /** type : 4 bit : ecma_object_type_t or ecma_lexical_environment_type_t depending on ECMA_OBJECT_FLAG_BUILT_IN_OR_LEXICAL_ENV flags : 2 bit : ECMA_OBJECT_FLAG_BUILT_IN_OR_LEXICAL_ENV, ECMA_OBJECT_FLAG_EXTENSIBLE or ECMA_OBJECT_FLAG_BLOCK refs : 10 / 26 bit (max 1022 / 67108862) */ ecma_object_descriptor_t type_flags_refs; /** ne ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2022/08/09/PowerPC-PWN%E4%BB%8E%E5%85%A5%E9%97%A8%E5%88%B0%E5%AE%9E%E8%B7%B5/" title="PowerPC_PWN从入门到实践"> <img class="post_bg" src="https://s1.ax1x.com/2022/08/09/v18HoT.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="PowerPC_PWN从入门到实践"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/08/09/PowerPC-PWN%E4%BB%8E%E5%85%A5%E9%97%A8%E5%88%B0%E5%AE%9E%E8%B7%B5/" title="PowerPC_PWN从入门到实践">PowerPC_PWN从入门到实践</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-08-09T11:14:43.000Z" title="发表于 2022-08-09 19:14:43">2022-08-09</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/ppc/">ppc</a></span></div><div class="content">
本文首发于跳跳糖,转载于个人博客PowerPC PWN从入门到实践
概述前段时间2022虎符决赛结束,赛后从学长那看到了题目,其中出现了一道PowerPC64架构的pwn题,从架构方面来说比较少见,刚好之前看过一道PowerPC架构32位栈溢出的题目,于是放到一起整理一下。
前置知识相关内容很多,更多深入的内容还需要翻阅手册,这里就介绍一些基本的、与做题相关的内容。
PowerPC简介PowerPC(后称Performance Optimization With Enhanced RISC – Performance Computing,有时缩写为PPC)是一种精简指令集计算机(RISC)指令集架构(ISA),由 1991 年苹果-IBM-摩托罗拉联盟创建,称为AIM。PowerPC 作为一种不断发展的指令集,自 2006 年起被命名为Power ISA,而旧名称作为基于Power Architecture的处理器 的某些实现的商标继续存在。
数据类型PowerPC支持的数据类型
名称
字长(bits)
Quadwords
128
Doublewords
64
...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2022/07/16/house-of-apple/" title="House_of_apple"> <img class="post_bg" src="https://img1.imgtp.com/2022/07/16/CsY1zb7h.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="House_of_apple"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/07/16/house-of-apple/" title="House_of_apple">House_of_apple</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-07-16T08:07:32.000Z" title="发表于 2022-07-16 16:07:32">2022-07-16</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a></span></div><div class="content">
到达世界最高城,glibc2.35!
昨天dsctf的eznote没做出来,2.35的环境是现配的,自己的思路也不是很清晰加上最后时间不太够了没能做出来,对我来说属于船新版本了。赛后ver爷发了一篇house of apple文章,确实太🐂了,通杀目前所有版本。有必要跟上时代,特此学习一下
house of apple众所周知高版本(>=glibc2.34)移除了诸多hook,已有的攻击方法基本都是针对IO结构体的利用,特别是通过更改vtable地址,利用一个原有的某jumps中的函数指针,进行后续利用。
另外在glibc2.35中似乎exit hook也看不到了。痛,太痛了……
house of apple方法也类似,利用的是_IO_wstrn_jumps中的_IO_wstrn_overflow。达到的效果是任意地址写地址,这里写入的地址通常是堆地址
12345678910111213141516171819202122232425262728293031static wint_t_IO_wstrn_overflow (FILE *fp, wint_t c){ ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2022/07/13/LLVM-PASS-PWN%E5%AD%A6%E4%B9%A0/" title="LLVM-PASS-PWN学习"> <img class="post_bg" src="https://img1.imgtp.com/2022/07/13/qWpwPIW3.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="LLVM-PASS-PWN学习"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/07/13/LLVM-PASS-PWN%E5%AD%A6%E4%B9%A0/" title="LLVM-PASS-PWN学习">LLVM-PASS-PWN学习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-07-13T03:35:17.000Z" title="发表于 2022-07-13 11:35:17">2022-07-13</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/llvm/">llvm</a></span></div><div class="content">LLVMLLVM是一个编译器框架。LLVM作为编译器框架,是需要各种功能模块支撑起来的,可以将clang和lld都看做是LLVM的组成部分。下图是Clang/LLVM的简单架构。
LLVM IRLLVM IR是LLVM的中间表示,文档https://llvm.org/docs/LangRef.html
LLVM中,IR有三种表示
.ll:给人类看的,介于高等语言和汇编之间
.bc:不可读的二进制IR,称作位码(bitcode)
内存格式
LLVM相关工具opt是一个在IR级别做程序优化的工具,输入和输出都是同一类型的LLVM IR
llvm-link,是IR级别的链接器,链接IR文件
llvm-as是针对LLVM IR的汇编器,功能是将.ll文件翻译为.bc文件。在LLVM项目里,.ll称为LLVM汇编码。
llvm-dis和llvm-as相反,即IR的反汇编器,将.bc文件翻译为.ll文件
clang。通过指定-emit-llvm参数,可以配合-S或-c生成.ll或.bc文件,就能把Clang的部分和LLVM的后端分离开独立运行
12345.c -> .ll:clang ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2022/07/06/Tinyhttpd%E5%AD%A6%E4%B9%A0/" title="Tinyhttpd学习"> <img class="post_bg" src="https://img1.imgtp.com/2022/07/12/of8e0yaR.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Tinyhttpd学习"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/07/06/Tinyhttpd%E5%AD%A6%E4%B9%A0/" title="Tinyhttpd学习">Tinyhttpd学习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-07-06T07:45:25.000Z" title="发表于 2022-07-06 15:45:25">2022-07-06</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a></span></div><div class="content">今天学一下很早之前在github看到的一个httpd项目,一直打算看一下拖到了现在。立刻开学
项目地址https://github.com/EZLippi/Tinyhttpd
socket相关
struct sockaddr_in,in_addr123456789101112#include <netinet/in.h>struct sockaddr_in { short sin_family; // e.g. AF_INET unsigned short sin_port; // e.g. htons(3490) struct in_addr sin_addr; // see struct in_addr, below char sin_zero[8]; // zero this if you want to};struct in_addr { unsigned long s_addr; // load with inet_aton() ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2022/05/25/%E5%A4%8D%E7%8E%B0%E7%82%B9%E5%9B%BA%E4%BB%B6%E9%A2%98/" title="复现点固件题"> <img class="post_bg" src="https://ftp.bmp.ovh/imgs/2021/02/ec5ef65c96792f29.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="复现点固件题"></a></div><div class="recent-post-info"><a class="article-title" href="/2022/05/25/%E5%A4%8D%E7%8E%B0%E7%82%B9%E5%9B%BA%E4%BB%B6%E9%A2%98/" title="复现点固件题">复现点固件题</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2022-05-25T02:18:40.000Z" title="发表于 2022-05-25 10:18:40">2022-05-25</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/ctf/">ctf</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/ctf/">ctf</a><span class="article-meta__link">•</span><a class="article-meta__tags" href="/tags/pwn/">pwn</a></span></div><div class="content">很早开了本坑,然后中道崩殂了。如今死灰复燃了呃。
题目来源:hws2021线上赛
STMbin文件放到ida里,Processor type选ARM 小端Processor options选ARMv7-MROM开始地址填0x8000000(固定的开始地址),size会自动计算好
stm32初始化方法:从最低地址找中断向量表,中断向量表存着reset的中断处理函数,会根据这里,也即0x0000 0004指示的地址开始执行代码
进ida后,看到第二个地址指向0x8000101,最后一个1代表thumb模式
跳过来,在0x8000100处单走一个c键,识别出了很多函数和指令
然后就能找到main了逻辑很简单就是异或加密一下
123456789101112131415#include<stdio.h>int main(){ unsigned char ida_chars[] = { 0x7D, 0x77, 0x40, 0x7A, 0x66, 0x30, 0x2A, 0x2F, 0x28, 0x40, 0x7E, 0x30, 0x33 ...</div></div></div><nav id="pagination"><div class="pagination"><span class="page-number current">1</span><a class="page-number" href="/page/2/">2</a><span class="space">…</span><a class="page-number" href="/page/9/">9</a><a class="extend next" rel="next" href="/page/2/"><i class="fas fa-chevron-right fa-fw"></i></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="card-info-avatar is-center"><img class="avatar-img" src="https://s4.ax1x.com/2022/01/14/731OZF.jpg" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/><div class="author-info__name">aYoung</div><div class="author-info__description">aYoung的博客</div></div><div class="card-info-data"><div class="card-info-data-item is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">81</div></a></div><div class="card-info-data-item is-center"><a href="/tags/"><div class="headline">标签</div><div class="length-num">18</div></a></div><div class="card-info-data-item is-center"><a href="/categories/"><div class="headline">分类</div><div class="length-num">3</div></a></div></div><a class="button--animated" id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/aYoung-CS"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://github.com/aYoung-CS" target="_blank" title="Github"><i class="fab fa-github"></i></a></div></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn card-announcement-animation"></i><span>公告</span></div><div class="announcement_content">好好学习</div></div><div class="sticky_layout"><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas 
fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2023/02/12/qemu%E6%90%AD%E5%BB%BAlinux%E5%86%85%E6%A0%B8%E7%8E%AF%E5%A2%83/" title="Qemu搭建linux内核环境"><img src="https://ftp.bmp.ovh/imgs/2020/12/7359e568759eebbb.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Qemu搭建linux内核环境"/></a><div class="content"><a class="title" href="/2023/02/12/qemu%E6%90%AD%E5%BB%BAlinux%E5%86%85%E6%A0%B8%E7%8E%AF%E5%A2%83/" title="Qemu搭建linux内核环境">Qemu搭建linux内核环境</a><time datetime="2023-02-12T11:24:50.000Z" title="发表于 2023-02-12 19:24:50">2023-02-12</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/09/21/%E3%80%90WP%E3%80%91%E8%93%9D%E5%B8%BD%E6%9D%AF2022-final/" title="【WP】蓝帽杯2022_final"><img src="https://ftp.bmp.ovh/imgs/2021/02/ec5ef65c96792f29.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】蓝帽杯2022_final"/></a><div class="content"><a class="title" href="/2022/09/21/%E3%80%90WP%E3%80%91%E8%93%9D%E5%B8%BD%E6%9D%AF2022-final/" title="【WP】蓝帽杯2022_final">【WP】蓝帽杯2022_final</a><time datetime="2022-09-21T12:27:44.000Z" title="发表于 2022-09-21 20:27:44">2022-09-21</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/09/07/%E3%80%90WP%E3%80%91Ethernaut/" title="【WP】Ethernaut"><img src="https://s1.ax1x.com/2022/11/18/zn2XIe.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】Ethernaut"/></a><div class="content"><a class="title" href="/2022/09/07/%E3%80%90WP%E3%80%91Ethernaut/" title="【WP】Ethernaut">【WP】Ethernaut</a><time datetime="2022-09-07T06:46:53.000Z" title="发表于 2022-09-07 14:46:53">2022-09-07</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/08/26/%E3%80%90WP%E3%80%91qwb2022-final-rdp/" title="【WP】qwb2022_final_rdp"><img src="https://s1.ax1x.com/2022/08/27/vR8Hv6.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】qwb2022_final_rdp"/></a><div class="content"><a class="title" 
href="/2022/08/26/%E3%80%90WP%E3%80%91qwb2022-final-rdp/" title="【WP】qwb2022_final_rdp">【WP】qwb2022_final_rdp</a><time datetime="2022-08-25T16:11:41.000Z" title="发表于 2022-08-26 00:11:41">2022-08-26</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/08/09/%E3%80%90WP%E3%80%91%E8%AE%B0%E5%BD%95%E4%B8%80%E9%81%93jerryscript%E5%BC%95%E6%93%8E%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/" title="【WP】记录一道jerryscript引擎漏洞利用"><img src="https://ftp.bmp.ovh/imgs/2021/02/ec5ef65c96792f29.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="【WP】记录一道jerryscript引擎漏洞利用"/></a><div class="content"><a class="title" href="/2022/08/09/%E3%80%90WP%E3%80%91%E8%AE%B0%E5%BD%95%E4%B8%80%E9%81%93jerryscript%E5%BC%95%E6%93%8E%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/" title="【WP】记录一道jerryscript引擎漏洞利用">【WP】记录一道jerryscript引擎漏洞利用</a><time datetime="2022-08-09T15:36:48.000Z" title="发表于 2022-08-09 23:36:48">2022-08-09</time></div></div></div></div><div class="card-widget card-categories"><div class="item-headline">
<i class="fas fa-folder-open"></i>
<span>分类</span>
</div>
<ul class="card-category-list" id="aside-cat-list">
<li class="card-category-list-item "><a class="card-category-list-link" href="/categories/ctf/"><span class="card-category-list-name">ctf</span><span class="card-category-list-count">77</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/linux/"><span class="card-category-list-name">linux</span><span class="card-category-list-count">1</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/python/"><span class="card-category-list-name">python</span><span class="card-category-list-count">2</span></a></li>
</ul></div><div class="card-widget card-tags"><div class="item-headline"><i class="fas fa-tags"></i><span>标签</span></div><div class="card-tag-cloud"><a href="/tags/ARM/" style="font-size: 1.1em; color: #999">ARM</a> <a href="/tags/IO-FILE/" style="font-size: 1.1em; color: #999">IO-FILE</a> <a href="/tags/IO-FILE/" style="font-size: 1.17em; color: #999c9f">IO_FILE</a> <a href="/tags/ROP/" style="font-size: 1.23em; color: #999ea6">ROP</a> <a href="/tags/blockchain/" style="font-size: 1.1em; color: #999">blockchain</a> <a href="/tags/ctf/" style="font-size: 1.5em; color: #99a9bf">ctf</a> <a href="/tags/heap/" style="font-size: 1.23em; color: #999ea6">heap</a> <a href="/tags/how2heap/" style="font-size: 1.3em; color: #99a1ac">how2heap</a> <a href="/tags/kernel/" style="font-size: 1.23em; color: #999ea6">kernel</a> <a href="/tags/linux/" style="font-size: 1.1em; color: #999">linux</a> <a href="/tags/llvm/" style="font-size: 1.1em; color: #999">llvm</a> <a href="/tags/ppc/" style="font-size: 1.1em; color: #999">ppc</a> <a href="/tags/pwn/" style="font-size: 1.43em; color: #99a6b9">pwn</a> <a href="/tags/pwn/" style="font-size: 1.1em; color: #999">pwn'</a> <a href="/tags/python/" style="font-size: 1.17em; color: #999c9f">python</a> <a href="/tags/realworld/" style="font-size: 1.1em; color: #999">realworld</a> <a href="/tags/vmpwn/" style="font-size: 1.1em; color: #999">vmpwn</a> <a href="/tags/wp/" style="font-size: 1.37em; color: #99a4b2">wp</a></div></div><div class="card-widget card-archives"><div class="item-headline"><i class="fas fa-archive"></i><span>归档</span><a class="card-more-btn" href="/archives/" title="查看更多">
<i class="fas fa-angle-right"></i></a></div><ul class="card-archive-list"><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/02/"><span class="card-archive-list-date">二月 2023</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2022/09/"><span class="card-archive-list-date">九月 2022</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2022/08/"><span class="card-archive-list-date">八月 2022</span><span class="card-archive-list-count">3</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2022/07/"><span class="card-archive-list-date">七月 2022</span><span class="card-archive-list-count">3</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2022/05/"><span class="card-archive-list-date">五月 2022</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2022/04/"><span class="card-archive-list-date">四月 2022</span><span class="card-archive-list-count">4</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2022/02/"><span class="card-archive-list-date">二月 2022</span><span class="card-archive-list-count">4</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2022/01/"><span class="card-archive-list-date">一月 2022</span><span class="card-archive-list-count">5</span></a></li></ul></div><div class="card-widget card-webinfo"><div class="item-headline"><i class="fas fa-chart-line"></i><span>网站资讯</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">文章数目 :</div><div class="item-count">81</div></div><div class="webinfo-item"><div class="item-name">本站总字数 
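:</div><div class="item-count">169.7k</div></div><div class="webinfo-item"><div class="item-name">本站访客数 :</div><div class="item-count" id="busuanzi_value_site_uv"></div></div><div class="webinfo-item"><div class="item-name">本站总访问量 :</div><div class="item-count" id="busuanzi_value_site_pv"></div></div><div class="webinfo-item"><div class="item-name">最后更新时间 :</div><div class="item-count" id="last-push-date" data-lastPushDate="2023-02-24T03:51:03.268Z"></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">©2020 - 2023 By aYoung</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><div class="js-pjax"><script>/**
 * Start the typewriter animation of the header subtitle (element "#subtitle",
 * which lives elsewhere in the page and is not visible in this fragment).
 *
 * Requires the global `Typed` constructor from typed.js to be loaded already;
 * the caller is responsible for that check. The phrases come from a hard-coded
 * literal (site config baked in at build time), not from any runtime input.
 *
 * The original template emitted an `if (true) { ... } else { ... }` pair whose
 * else-branch (plain innerHTML fallback) could never run; it has been dropped.
 */
function subtitleType () {
  // Three phrases separated by ASCII commas; with `loop: true` typed.js keeps
  // cycling through them. The instance handle is not needed afterwards.
  new Typed("#subtitle", {
    strings: "敏于事,慎于言,speedy as a worker and cautious as a speaker".split(","),
    startDelay: 300,
    typeSpeed: 150,
    loop: true,
    backSpeed: 50
  })
}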
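// Kick off the subtitle animation: use typed.js if it is already on the page,
// otherwise fetch it first. (The template also wrapped this in an always-true
// `if (true) { ... } else { subtitleType() }`; the unreachable branch is removed.)
if (typeof Typed === 'function') {
  subtitleType()
} else {
  // getScript is a site helper (presumably from /js/utils.js loaded above — not visible here).
  // NOTE(security): this URL carries no version and the loader adds no SRI, so the page
  // executes whatever jsDelivr currently serves as typed.js "latest". Pin an exact version
  // and verify an integrity hash, or self-host the file, to close the supply-chain gap.
  getScript('https://cdn.jsdelivr.net/npm/typed.js/lib/typed.min.js').then(subtitleType)
}</script></div><canvas class="fireworks" mobile="false"></canvas><!-- NOTE(security): the three butterfly-extsrc bundles below float on the @1 major and have no integrity/crossorigin attributes, so a modified CDN build runs with full page privileges. Pin an exact version and add SRI, or self-host. --><script src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/fireworks.min.js"></script><script defer id="fluttering_ribbon" mobile="true" src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/canvas-fluttering-ribbon.min.js"></script><script src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/activate-power-mode.min.js"></script><script>POWERMODE.colorful = true;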
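POWERMODE.shake = false;
POWERMODE.mobile = true;
// NOTE(security): this hands the third-party POWERMODE handler every 'input' event
// raised anywhere in the document, so any text field on the page (search, comments)
// feeds its events to code pulled unpinned from the CDN above. It is a purely
// cosmetic effect; if that bundle cannot be pinned with SRI, scope the listener
// to the intended element or drop the plugin.
document.body.addEventListener('input', POWERMODE);
</script><!-- Remote visit counter (busuanzi). Third-party script with no integrity attribute; the scheme is now explicit https instead of protocol-relative "//" so a non-https preview cannot silently load it over http. It presumably fills the #busuanzi_value_site_* counters above — verify. --><script async data-pjax src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>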