TinyHttp Source Code Analysis
// Skip \r\n; count the characters read from sock
int get_line(int sock, char *buf, int size)
{
    int i = 0;
    char c = '\0';
    int n;

    while ((i < size - 1) && (c != '\n'))
    {
        n = recv(sock, &c, 1, 0);
        /* DEBUG printf("%02X\n", c); */
        if (n > 0)
        {
            if (c == '\r')
            {
                n = recv(sock, &c, 1, MSG_PEEK); // MSG_PEEK means the byte is only peeked at, not consumed
                ...
IO_FILE Study Notes
IO_FILE basic logic
struct _IO_FILE_plus
{
    _IO_FILE file;
    const struct _IO_jump_t *vtable;
};
One member is the struct that describes the file's attributes; the other is a pointer to the jump table (vtable) that describes the file operations.
The _IO_FILE struct that describes the file attributes is defined as:
struct _IO_FILE {
    int _flags;  /* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags

    /* The following pointers correspond to the C++ streambuf protocol. */
    /* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directl ...
Kernel_Pwn Study
level1: First look at kernel pwn (notes)
Some scattered basics: cred and process privilege management. From the task_struct source:
/* Process credentials: */

/* Tracer's credentials at attach: */
const struct cred __rcu *ptracer_cred;

/* Objective and real subjective task credentials (COW): */
const struct cred __rcu *real_cred;

/* Effective (overridable) subjective task credentials (COW): */
const struct cred __rcu *cred;
Process credentials are what the kernel uses to decide a process's privileges; in the kernel they are represented by the cred struct, and each process has three cred pointers:
ptracer_cred: when ptrace is used ...
安洵杯 2022 writeup
babyarm: notes on the ARM setup
When debugging, start with -g 8888 to open port 8888, e.g.
qemu-arm -g 8888 -L /usr/arm-linux-gnueabi/ ./chall
Then in gdb-multiarch set the architecture:
set architecture arm
and connect to the port:
target remote localhost:8888
from pwn import *
context.log_level = "Debug"
context.arch = "arm"
p = process(["qemu-arm", "-L", "/usr/arm-linux-gnueabi/", "./chall" ...
DASCTF October - pwn
magic_book: since glibc 2.29 a key check was added to tcache, so we can no longer double free directly in tcache. This challenge is a standard house of botcake template problem. The only point worth noting: when we construct the overlap between the unsortedbin and tcache, the address of the overlapping chunk we build relies on the single luck_free that does not clear the pointer, which gives the effect of a double free; then we split the unsortedbin so that we can change the tcache pointer to point at the leftover main+96 address, and by brute-forcing stdout we can leak libc. After that we reuse the overlapping chunk left behind by house of botcake (this part took a long time to think through; be careful about where the chunks are placed) to write system into free_hook, then free bin/sh to get a shell.