Fuzz
AFL++ reference: https://www.cnblogs.com/unr4v31/p/15237728.html
CC=/home/AFLplusplus/afl-gcc-fast CXX=/home/AFLplusplus/afl-g++-fast CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bo ...
ciscn2024 Southwest Regional: selected pwn challenges
vuln: after the file outputs a long string, you can piece together a return address that contains a bare function which writes code and then executes it from the code segment, but fgets only reads 0x10 bytes. So we write a short assembly stub to take control of rdi; a plain pop works, because the value on the stack at that point is most likely a large address (pushing first also works). Once rdi is controlled, we can write a long shellcode in.
# _*_ coding:utf-8 _*_
from pwn import *
import re
import os, struct, random, time, sys, signal
import hashlib
from hashlib import sha256
p = process("./vuln")
context.log_level = "debug" # info
context.arch = 'amd6 ...
Ethernaut
Hello Ethernaut: just some basic interaction commands to get familiar with.
Fallback
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract Fallback {
    mapping(address => uint256) public contributions;
    address public owner;
    constructor() {
        owner = msg.sender;
        contributions[msg.sender] = 1000 * (1 ether);
    }
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _; ...
Dirty_Pipe&Cred
dirty_pipe: 5.8 <= Linux kernel version < 5.16.11 / 5.15.25 / 5.10.102 | Ubuntu 21.10
When writing to a pipe, pipefifo_fops->pipe_write is called. For newly written data, if pipe_buf->flag == PIPE_BUF_FLAG_CAN_MERGE, the data is appended to the previous, not-yet-full buffer. When splice (a function for copying data between files and pipes) is called, it first maps the pipe_buf's page to the file's page. The key point is that when the call chain reaches copy_page_to_iter_pipe(), setting pipe_buf->page to the file's page frame runs get_page(page), which increments the page frame's reference count but never initializes pipe_buf->flag. So if the pipe is first filled completely and then drained, leaving pipe_buf->flag set to PIPE_BUF_FLAG_CAN_MERGE, and splice is then executed to map the file, and data is then written to the pipe, then because PIPE_BUF_FLAG_C ...
Kernel_Pwn_P2
cmd trick
cpio -idmv < ./rootfs.cpio
find . | cpio -o --format=newc > ./rootfs.cpio
cat proc/modules
./extract-vmlinux ./bzImage > ./vmlinux
musl-gcc -w -s -static -O3 exp.c -o exp
gcc exp.c -static -masm=intel -o exp
#---------debug----------------
KPTI: cat /sys/devices/system/cpu/vulnerabilities/
# Turn off kaslr, enable root, and read the offsets from `/proc/kallsyms`
tty struct exploitation: in short, the write, ioctl and similar function pointers in the ops struct at offset 24 of tty_struct hijack the execution flow when the corresponding write/ioctl operation is performed on the tty_struct's fd; at that moment, when the write/ioctl function executes, rax is tty_struct, ...
TinyWebServer development notes
Code: buffer.h
#ifndef BLOCKQUEUE_H
#define BLOCKQUEUE_H
#include <deque>
#include <condition_variable>
#include <mutex>
#include <sys/time.h>
using namespace std;
template<typename T>
class BlockQueue {
public:
    explicit BlockQueue(size_t maxsize = 1000);
    ~BlockQueue();
    bool empty();
    bool full();
    void push_back(const T& item);
    void push_front(const T& item);
    bool pop(T &item); ...
Pengcheng Cup 2023 pwn
p/x *stdout
auto_coffee: stdout attack + UAF
# _*_ coding:utf-8 _*_
from pwn import *
import re
import os, struct, random, time, sys, signal
import hashlib
from hashlib import sha256
# p = remote("172.16.7.10","1 ...
2023 CISCN Finals: reproduction
codeql
# _*_ coding:utf-8 _*_
from pwn import *
import re
import os, struct, random, time, sys, signal
import hashlib
from hashlib import sha256
# p = remote("","")
p = process("./codelog")
elf = E ...
C++ STL study notes
C++11 syntax
--------------------game1-------------------------------
for ( int i : {2, 3, 4}) {
    std::cout << i << std::endl;
}
----->
std::vector<double> vec:...
for( auto elem : vec) {
    std::cout << elem << std::endl;
}
---------------------------------------------------------
level-0: STL basics. New-style headers have no .h suffix.
using namespace std is equivalent to opening the std namespace; for example, you can write cout instead of std::cout.
#include <vector>
#include <algorithm> ...
IoT study
Level 1: basic setup, soln1
Simple firmware emulation: use qemu-user-static for emulation; download address:
https://packages.debian.org/bullseye/amd64/qemu-user-static/download
# afterwards just run sudo dpkg -i xx
Run in the extracted directory to obtain qemu:
cp $(which qemu-mipsel-static) . # for little-endian routers (which prints a bare path, unlike whereis)
cp $(which qemu-mips-static) . # for big-endian routers
# Then, to emulate part of the firmware's services, for example:
sudo chroot . ./qemu-mips-static -0 "ssdpcgi" -E HTTP_ST=ssdp:all ./htdocs/cgibin
# This example starts the ssdpcgi branch of the big-endian router's cgibin service;
# the -0 option sets argv[0], i.e. the first argument of cgibin's main, which selects the service
# the -E option sets an environment variable
# If the command fails, check the format of the firmware service being run:
# file ...