Advanced area of attack and defense world experts - stack2
Look at the title, nothing
1, Analysis file
checksec It is found that there is stack overflow protection, which has not been seen before. There may be new knowledge points. Run file It seems to be a program for inputting numbers to calculate the average value. ida open unsig ...
Added by minifairy on Thu, 24 Feb 2022 15:59:12 +0200
Quote ciscn_ 2019_ n_ five
Open the main function and find that get is still a stack overflow, but shift has no bin and system, and no protection is turned on. When a name variable is opened, it is found to exist on the bss side. Therefore, you want to write the name directly to shellcode, and adjust get to the name func ...
Added by manimoor on Sat, 19 Feb 2022 07:23:17 +0200
Common formatting string functions
functionBasic introductionprintfOutput to stdoutfprintfOutput to the specified FILE streamvprintfFormat the output to stdout according to the parameter listvfprintfFormat the output to the specified FILE stream according to the parameter listsprintfOutput to stringsnprintfOutputs the specified number ...
Added by bunner bob on Mon, 17 Jan 2022 14:28:27 +0200
Vegetable chicken summary, if there is something wrong, I hope you can give advice in time to avoid harming people's children.
0x1: basic knowledge:
Everyone must know the problem solved by stack migration technology - the overflow length is not enough and can only cover the return address. As for the length of the rop chain to ...
Added by suepahfly on Thu, 06 Jan 2022 02:49:00 +0200
What is a format character vulnerability
The format string function can accept a variable number of parameters, take the first parameter as the format string, and parse the parameters according to it. Generally speaking, the format string function is to convert the data represented in computer memory into a human readable string format. Al ...
Added by jiayanhuang on Wed, 29 Dec 2021 18:52:22 +0200
This problem is done in two ways: one is to modify the got table, and the other is to modify the return value to control the execution flow.
There is an obvious format string vulnerability, but it is on the bss segment
To sum up, the processing method of 32-bit format string in bss segment is to find an ebp like stack register, ...
Added by Codewarrior123 on Sun, 26 Dec 2021 08:18:34 +0200
Foreword: I just started the core problem recently, so I'll learn from ctfwiki here. Don't spray...
The first step is classic... If the title is not given to vmlinux, it can be extracted through extract vmlinux.
See start SH finds that kalsr randomization is enabled, and the base address needs to be leaked. This is very similar to the pwn pro ...
Added by turkman on Sat, 18 Dec 2021 20:57:35 +0200
Fancy stack overflow
reference resources: https://ctf-wiki.org/pwn/linux/user-mode/stackoverflow/x86/fancy-rop/#2018-over
reference resources: https://www.yuque.com/hxfqg9/bin/erh0l7
reference resources: https://ctf-wiki.org/pwn/linux/user-mode/stackoverflow/x86/fancy-rop
1.1 stack pivoting
Stack pivoting is turned into s ...
Added by beckjo1 on Tue, 05 Oct 2021 01:44:29 +0300