diff --git a/source/_posts/bluewhale2024/orange.md b/source/_posts/bluewhale2024/orange.md index faaf032..96671c6 100644 --- a/source/_posts/bluewhale2024/orange.md +++ b/source/_posts/bluewhale2024/orange.md @@ -1,7 +1,7 @@ --- title: bluewhale2024 - one orange date: 2024/5/4 00:11:00 -updated: 2024/7/25 12:34:56 +updated: 2024/8/26 17:18:00 tags: - heap - unsorted - House of Orange @@ -149,6 +149,6 @@ def payload(lo:int): sh.interactive() ``` -## 参考文献 +## 参考 [House of Orange](https://www.cnblogs.com/ZIKH26/articles/16712469.html) diff --git a/source/_posts/hgame2024/W3_EldenRingIII.md b/source/_posts/hgame2024/W3_EldenRingIII.md index 141e836..238f9ec 100644 --- a/source/_posts/hgame2024/W3_EldenRingIII.md +++ b/source/_posts/hgame2024/W3_EldenRingIII.md @@ -1,7 +1,7 @@ --- title: hgame2024 week3 - Elden Ring III date: 2024/2/22 19:25:00 -updated: 2024/7/25 12:34:56 +updated: 2024/8/26 17:18:00 tags: - heap - largebin - largebin attack @@ -31,10 +31,10 @@ glibc 2.32 反编译发现只能分配large bin,那就干脆学一下Largebin attack和House of Apple吧, 以后打高版本libc都要用到 -我会在参考文献一栏列出优质的博客,没有它们,我不能做出这题!还有就是在打Apple的时候, +我会在参考一栏列出优质的博客,没有它们,我不能做出这题!还有就是在打Apple的时候, 要想进入overflow分支,还需要伪造的IO_FILE里`_IO_write_ptr > _IO_write_base` -另,自glibc 2.38开始,调用链发生变化,`_IO_flsuh_all_lockp`已更名为`_IO_flsuh_all`, +另,自glibc 2.38开始,调用链发生变化,`_IO_flush_all_lockp`已更名为`_IO_flush_all`, 但是apple2仍然能打,不影响 ## EXPLOIT @@ -135,7 +135,7 @@ def payload(lo:int): sh.interactive() ``` -## 参考文献 +## 参考 1. [Largebin Attack典例](https://www.anquanke.com/post/id/244018) 2. [House of Apple 2官方示例](https://bbs.kanxue.com/thread-273832.htm) diff --git a/source/_posts/hgame2024/W3_StillNotes.md b/source/_posts/hgame2024/W3_StillNotes.md index c666921..01a4a56 100644 --- a/source/_posts/hgame2024/W3_StillNotes.md +++ b/source/_posts/hgame2024/W3_StillNotes.md @@ -1,7 +1,7 @@ --- title: hgame2024 week3 - 你满了,那我就漫出来了! date: 2024/2/22 19:16:00 -updated: 2024/7/25 12:34:56 +updated: 2024/8/26 17:18:00 tags: - heap - unsortedbin - off-by-null 
@@ -31,7 +31,7 @@ glibc 2.27 没有UAF,大小限制在0x120以内,只有一个off-by-null... 好不容易在网上找到了例题,show和alloc都需要打House of Einherjar,主要利用合并机制 -(例题附在参考文献中) +(例题附在参考中) 要注意的是,对于tcache堆块,无论是否有`PREV_INUSE`标记,都不会发生合并,这也是需要绕过的点 @@ -138,6 +138,6 @@ def payload(lo:int): sh.interactive() ``` -## 参考文献 +## 参考 1. [Off-by-One精选博客](https://song-10.gitee.io/2020/05/14/pwn-2020-05-14-Off-By-One/#Control-Instruction-Pointer) diff --git a/source/_posts/hgame2024/final_1988.md b/source/_posts/hgame2024/final_1988.md index 5eb71bc..0a5b177 100644 --- a/source/_posts/hgame2024/final_1988.md +++ b/source/_posts/hgame2024/final_1988.md @@ -1,7 +1,7 @@ --- title: hgame2024 final - 1988 date: 2024/3/23 17:56:00 -updated: 2024/7/25 12:34:56 +updated: 2024/8/26 17:18:00 tags: - vax780 excerpt: 利用vax780的栈溢出和suid权限,通过定时任务实现RCE并获取flag。 @@ -58,6 +58,6 @@ docker起不了,本地的环境久久无法正常工作,于是我决定直 同时这道题是对pwn一词的诠释,让我第一次见到了二进制利用在现实中的应用 -## 参考文献 +## 参考 [解题所需的blog](https://www.rapid7.com/blog/post/2019/01/02/the-ghost-of-exploits-past-a-deep-dive-into-the-morris-worm/) diff --git a/source/_posts/isctf2023/abstract_shellcode.md b/source/_posts/isctf2023/abstract_shellcode.md index a11bc64..77a5932 100644 --- a/source/_posts/isctf2023/abstract_shellcode.md +++ b/source/_posts/isctf2023/abstract_shellcode.md @@ -1,7 +1,7 @@ --- title: isctf2023 - abstract shellcode date: 2023/12/2 20:00:00 -updated: 2024/7/30 10:28:00 +updated: 2024/8/26 17:18:00 tags: - shellcode excerpt: 通过分析64位程序的shellcode,利用read和execve实现远程shell的获取。 @@ -93,7 +93,7 @@ push rbx ; S 还原rbx的地址到rsp上 ret ; \xc3 ; aka pop rip: 程序跳转到rbx的地址上 ``` -## 参考文献 +## 参考 [printable shellcode](https://web.archive.org/web/20110716082850/http://skypher.com/wiki/index.php?title=X64_alphanumeric_opcodes) diff --git a/source/_posts/newstar2023/W1_Random.md b/source/_posts/newstar2023/W1_Random.md index b359741..71c0072 100644 --- a/source/_posts/newstar2023/W1_Random.md +++ b/source/_posts/newstar2023/W1_Random.md 
@@ -1,7 +1,7 @@ --- title: newstar2023 week1 - Random date: 2023/9/28 12:00:00 -updated: 2024/7/25 12:34:56 +updated: 2024/8/26 17:18:00 tags: - result predicting excerpt: 通过时间预测随机数,成功利用程序漏洞打开shell。 @@ -80,7 +80,7 @@ while True: sh.interactive() ``` -## 参考文献 +## 参考 [模拟攻击](http://www.asuka39.top/article/security/ctf/pwn/2064/) diff --git a/source/_posts/newstar2023/W2_shellcode_revenge.md b/source/_posts/newstar2023/W2_shellcode_revenge.md index 7c58fd5..e81c340 100644 --- a/source/_posts/newstar2023/W2_shellcode_revenge.md +++ b/source/_posts/newstar2023/W2_shellcode_revenge.md @@ -1,7 +1,7 @@ --- title: newstar2023 week2 - shellcode revenge date: 2023/10/4 12:00:00 -updated: 2024/7/30 10:28:00 +updated: 2024/8/26 17:18:00 tags: - shellcode thumbnail: /assets/newstar2023/regs.png @@ -32,7 +32,7 @@ xor主要使用rbx,要清空它;rax和rdx都有特定值要存放,所以 ## Shellcode分析 -```as +```as shellcode exec: push rdx ; R pop rcx ; Y set base addr @@ -67,8 +67,8 @@ xor byte ptr [rcx + 0x44], bl ; 0YD make 0x05 syscall ; OE is xored by 0YC0YD ``` -``` -data section: +```plaintext +data_section: rcx + 'E': 000 ; just padding; shrink it to get a shorter shellcode rcx + 'H': 3 ; xor pivot 2 rcx + 'I': R ; xor pivot 1 @@ -103,11 +103,11 @@ def toChr(s: str): *RYH1YZH3YZ2YI0YJ0YN0YQ0YY2YIH3YJH3YRST2YK0Y8WZ0Y94O4D40WGF2YT0YC0YDOE0003RH607H60R5TYY5EXR* *cat flag* -## 参考资料 +## 参考 -[short shellcode](https://blog.csdn.net/A951860555/article/details/110936441) -[alphanumeric shellcode编写指南](https://dl.packetstormsecurity.net/papers/shellcode/alpha.pdf) -[在线汇编/反汇编器](http://shell-storm.org/online/Online-Assembler-and-Disassembler/) -[好用的在线异或](http://i.goto327.top:85/Tools1/XOR.aspx) +1. [short shellcode](https://blog.csdn.net/A951860555/article/details/110936441) +2. [alphanumeric shellcode编写指南](https://dl.packetstormsecurity.net/papers/shellcode/alpha.pdf) +3. [在线汇编/反汇编器](http://shell-storm.org/online/Online-Assembler-and-Disassembler/) +4. [好用的在线异或](http://i.goto327.top:85/Tools1/XOR.aspx) Done. 
diff --git a/source/_posts/newstar2023/W3_dlresolve.md b/source/_posts/newstar2023/W3_dlresolve.md index 6e181e5..bef3fcb 100644 --- a/source/_posts/newstar2023/W3_dlresolve.md +++ b/source/_posts/newstar2023/W3_dlresolve.md @@ -1,7 +1,7 @@ --- title: newstar2023 week3 - dlresolve date: 2023/10/10 12:00:00 -updated: 2024/7/25 12:34:56 +updated: 2024/8/26 17:18:00 tags: - ret2dlresolve thumbnail: /assets/newstar2023/relro.png @@ -108,7 +108,7 @@ Elf64_Rel fakeRel = { 另外,作者还提到了其他文章所没有介绍的Full Relro的利用方法,也可以学习一下 -## 参考文献 +## 参考 1. [图片来源文章](https://blog.csdn.net/IO1n0/article/details/103323738 "透过深入分析延迟绑定了解 ret_2_dl_resolve:1Oin0的博客") 2. [深入讲解动态加载技术的知乎文章](https://zhuanlan.zhihu.com/p/134105591 "深入窥探动态链接:1Oin0的看雪论坛文章") diff --git a/source/_posts/ningbo2024/minho.md b/source/_posts/ningbo2024/minho.md index 4dcb5af..52bee20 100644 --- a/source/_posts/ningbo2024/minho.md +++ b/source/_posts/ningbo2024/minho.md @@ -1,7 +1,7 @@ --- title: ningbo2024 初赛 - House of Minho date: 2024/5/11 13:13:00 -updated: 2024/7/25 12:34:56 +updated: 2024/8/26 17:18:00 tags: - heap - unsorted - House of minho @@ -252,6 +252,6 @@ def payload(lo:int): sh.interactive() ``` -## 参考文献 +## 参考 [Black Hat 2023 0解Pwn题Houseofminho详细WP](https://bbs.kanxue.com/thread-279588.htm) diff --git a/source/images/friends/chenzhen_banner.png b/source/images/friends/chunzhen_banner.png similarity index 100% rename from source/images/friends/chenzhen_banner.png rename to source/images/friends/chunzhen_banner.png
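Review bot: the rename of source/images/friends/chenzhen_banner.png to source/images/friends/chunzhen_banner.png (last hunk, similarity index 100%) is not accompanied by any hunk that updates a reference to the old filename, so any page or front matter that still embeds `chenzhen_banner.png` will render a broken image after this commit. Grep the friends/links page for `chenzhen_banner` and update the path in the same change.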
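Review bot: in the W2_shellcode_revenge.md hunk at @@ -67,8 +67,8 @@, changing the body line `data section:` to `data_section:` alters the post's visible text rather than its formatting, while the sibling hunk at @@ -32,7 +32,7 @@ attaches its label through the fence info string (```as shellcode). For consistency, keep the body line as it was and label the second block the same way, e.g. ```plaintext data section, so both blocks carry their title in the fence rather than one in the fence and one in the text.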
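Review bot: the ## 参考文献 / ## 参考资料 to ## 参考 rename is applied uniformly, but only W2_shellcode_revenge.md (@@ -103,11 +103,11 @@) also converts its links to a `1.` numbered list; orange.md, final_1988.md, abstract_shellcode.md, W1_Random.md and minho.md keep a bare link under the renamed heading, whereas W3_EldenRingIII.md, W3_StillNotes.md and W3_dlresolve.md already use numbered lists. If the goal of this change is a uniform references section, number the single-link sections too so every post follows the same form.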
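Review bot: every front-matter hunk (@@ -1,7 +1,7 @@ in each post) bumps `updated:` to 2024/8/26 17:18:00 even though the only content change in most files is the heading rename; the one substantive edit is the `_IO_flsuh_all_lockp` to `_IO_flush_all_lockp` typo fix in W3_EldenRingIII.md. If the theme displays `updated` as a last-modified date, readers will see a fresh revision date on posts whose technical content has not changed. Consider leaving `updated` alone for cosmetic edits, or state in the commit message that the bulk bump is intentional.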