b0ldfrev's Blog

If you are proficient in assembly, everything is open source.

网鼎杯Pwn之GUESS

ssp leak + environ泄露

0x00 代码分析 1,检查保护 1 2 3 4 5 6 gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial 开了CANARY 和 NX 2,使用IDA分析程序流程 程序将本地的fla...

Posted by b0ldfrev on August 30, 2018

360春秋杯之smallest

SROP利用

0x00 代码分析 很有意思的pwn题目,思路很新颖。 代码如下: 1 2 3 4 5 6 .text:00000000004000B0 xor rax, rax .text:00000000004000B3 mov edx, 400h ; count .text:00000000004000B8 ...

Posted by b0ldfrev on August 11, 2018

pwnable.kr之uaf

虚表利用

题目地址:http://pwnable.kr/play.php 连接 ssh uaf@pwnable.kr -p2222 (pw: guest) 0x01 程序分析 源代码 uaf.cpp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33...

Posted by b0ldfrev on July 27, 2018

pwnable.kr之unlink

堆还是栈?

题目地址:http://pwnable.kr/play.php 连接 ssh unlink@pwnable.kr -p2222 (pw: guest) 0x01 程序分析 它直接给出了源代码unlink.c 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30...

Posted by b0ldfrev on July 21, 2018

pwnable.tw之hacknote

uaf-利用

0x00 代码分析 1,检查保护 1 2 3 4 5 6 gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial 2,使用IDA分析程序流程 main 函数分析 1 2 3 4 5 6 7 8 9...

Posted by b0ldfrev on July 20, 2018

XDCTF2015之pwn200

DynELF实现无libc利用

0x00 代码分析 检查保护,只开启了NX 1 2 3 4 5 6 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial IDA伪代码 1 2 3 4 5 6 7 8 9 10 11 12 13...

Posted by b0ldfrev on June 19, 2018

RCTF2015之welpwn

64位构造ROP过掉00截断

0x00 代码分析 检查保护,只开启了NX 1 2 3 4 5 6 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial IDA代码 1 2 3 4 5 6 7 8 9 10 11 12 13 ...

Posted by b0ldfrev on June 19, 2018

提权读写空指针

"利用中断门提权并挂载物理页"

最近在学习x86的保护模式,学到了调用门,陷阱门,任务门,中断门,及分页相关知识点,这里将所学知识融汇一下,演示一下如何利用中断门提权为空指针挂载物理页。 实验环境: WinDBG + win7 x86 双机调试 VC6.0编译环境 0x00 知识准备 1,中断门(interruptgate) 包含段选择符和中断或异常处理程序的段内偏移量.当控...

Posted by b0ldfrev on June 17, 2018

return to dl-resolve利用

i386 roputils库

0x00 漏洞分析 检查保护-NX被启用 1 2 3 4 5 6 7 root@kali:~# checksec stackba [*] '/root/stackba' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enable...

Posted by b0ldfrev on June 16, 2018

2018铁三东北赛区之aleph1

rbp栈迁移

0x00 漏洞分析 检查保护 1 2 3 4 5 6 7 8 root@kali:~# checksec aleph1 [*] '/root/aleph1' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled ...

Posted by b0ldfrev on June 16, 2018

FEATURED TAGS
Pwn CTF
ABOUT ME

One Bug Hunter

FRIENDS