HITCON-Training
For Linux binary Exploitation
Environment Setup
git clone https://github.com/scwuaptx/HITCON-Training.git ~/
cd HITCON-Training && chmod u+x ./env_setup.sh && ./env_setup.sh
Outline
Basic Knowledge
- Introduction
- Reverse Engineering
- Static Analysis
- Dynamic Analysis
- Exploitation
- Useful Tool
- IDA PRO
- GDB
- Pwntool
- lab 1 - sysmagic
- Reverse Engineering
- Section
- Compile, linking, assembler
- Execution
- how a program gets run
- Segment
- x86 assembly
- Calling convention
- lab 2 - open/read/write
- shellcoding
- Introduction
Stack Overflow
- Buffer Overflow
- Return to Text/Shellcode
- lab 3 - ret2shellcode
- Protection
- ASLR/DEP/PIE/StackGuard
- Lazy binding
- Return to Library
- lab 4 - ret2lib
Return Oriented Programming
- ROP
- lab 5 - simple rop
- Using ROP to bypass ASLR
- ret2plt
- Stack migration
- lab 6 - migration
- ROP
Format String Attack
- Format String
- Read from arbitrary memory
- lab 7 - crack
- Write to arbitrary memory
- lab 8 - craxme
- Advanced Trick
- EBP chain
- lab 9 - playfmt
x64 Binary Exploitation
- x64 assembly
- ROP
- Format string Attack
Heap exploitation
- Glibc memory allocator overview
- Vulnerability on heap
- Use after free
- lab 10 - hacknote
- Heap overflow
- house of force
- lab 11 - 1 - bamboobox1
- unlink
- lab 11 - 2 - bamboobox2
- house of force
- Use after free
Advanced heap exploitation
- Fastbin attack
- lab 12 - babysecretgarden
- Shrink the chunk
- Extend the chunk
- lab 13 - heapcreator
- Unsortbin attack
- lab 14 - magicheap
- Fastbin attack
C++ Exploitation
- Name Mangling
- Vtable function table
- Vector & String
- New & delete
- Copy constructor & assignment operator
- lab 15 - zoo
Clever pwning tricks:
Write-up
LAB 1 [sysmagic]
Simple symbolic execution
Decompilation shows the check buf == v2 on the input; buf is a random number, so we can simply debug it in gdb.
if ( buf == v2 )
Set a breakpoint at 0x08048712 <+375>: call 0x8048480 <__isoc99_scanf@plt>, then enter any value:
pwndbg> b *get_flag+375
Actually I was thinking of another approach: since all the variables are in the program, we can also compute the value by hand.
sb@xulun:~/pwn/HITCON-Training/LAB/lab1$ ./calc
LAB 2 [orw.bin]
syscall : shellcode
This should be the same challenge as orw on pwnable.tw; I went through some write-ups online and am recording the approach here.
Only open read write syscall are allowed to use.
main
int __cdecl main(int argc, const char **argv, const char **envp)
orw_seccomp
unsigned int orw_seccomp()
Pay attention to prctl:
sb@xulun:~/pwn/HITCON-Training/LAB/lab2$ seccomp-tools dump ./orw
The syscall filter lets only open, read and write through to the next stage.
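The prctl()/seccomp whitelist that seccomp-tools dumps above, rebuilt as an added example (not the lab's own code): it constructs the same open/read/write filter in classic BPF and evaluates it in user space, so each verdict can be checked without installing it. Syscall numbers are the host's (x86 assumed), so on x86-64 they differ from the 32-bit lab binary's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Whitelist from the lab's orw_seccomp(); numbers are the host's (x86 assumed). */
static const uint32_t allowed_nrs[] = { __NR_open, __NR_read, __NR_write };

/* Classic BPF: load nr, compare with each allowed number, fall through to KILL.
 * Layout: [0] LD nr, [1..3] JEQ, [4] RET KILL, [5] RET ALLOW. */
size_t build_orw_filter(struct sock_filter *f, size_t cap)
{
    size_t n = 0;
    if (cap < 6) return 0;
    f[n++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, nr));
    for (uint8_t i = 0; i < 3; i++)  /* jt lands on RET ALLOW at index 5 */
        f[n++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                               allowed_nrs[i], 3 - i, 0);
    f[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}
/* Interpreter for the three opcodes used above. Installing the filter for real
 * via prctl(PR_SET_SECCOMP), as the lab binary does, would SIGKILL this process
 * on its first other syscall, exit_group included, so it is only simulated here. */
uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + ins->k, sizeof acc); break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf; break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;  /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;          /* ran off the end: fail closed */
}
/* Verdict for one syscall number: SECCOMP_RET_ALLOW or SECCOMP_RET_KILL. */
uint32_t decide(int nr)
{
    struct sock_filter f[6];
    struct seccomp_data d = { .nr = nr };
    return run_filter(f, build_orw_filter(f, 6), &d);
}
```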
Following one expert's approach: first open the flag with open, then read it with read, and finally write it to the screen through stdout.
int fd = sys_open("/home/orw/flag");
.bss:0804A060 public shellcode
That expert's
My observations:
Some instructions directly below read
eax holds the return value; when we pass in the file descriptor returned by open(path) (see pwnable.kr's fd), a handle to a FILE stream, we can read through that handle into another register (edi or esp both work; we just need an address to store it in).
shellcode = ''
Regarding assembly knowledge,