简介 介绍部分,来自参考资料[0] 漏洞成因 堆溢出写 top_chunk 适用范围 2.23——2.29 可分配任意大小的 chunk 需要泄露或已知要操作的目标地址 利用原理 对 top_chunk 的利用,过程如下: 申请 chunk A 写 A 的时候溢出,修改 top_chunk 的 si
Published on 2024-01-08
_int_malloc use_top: /* 如果足够大,分割top chunk If large enough, split off the chunk bordering the end of memory (held in
Published on 2024-01-07
简介 介绍部分,来自参考资料[0] 漏洞成因 overflow write、off by one、off by null 目的是修改chunk的prev_inuse标志位 适用范围 2.23—— 至今 可分配大于处于 unsortedbin 的 chunk 利用原理 利用 off by null 修
Published on 2024-01-06
__libc_free void __libc_free(void *mem) { mstate ar_ptr; mchunkptr p; /* chunk corresponding to mem */ // 如果释放0内存,直接返回 if (mem == 0) /
Published on 2024-01-05
_int_malloc 申请tcachebin的函数是__libc_malloc,如果tcachebin分配不了,就会调用_int_malloc进行接下来的分配 _int_malloc优先分配fastbin中的chunk: /* If the size qualifies as
Published on 2024-01-04
__libc_free void __libc_free(void *mem) { mstate ar_ptr; mchunkptr p; /* chunk corresponding to mem */ // 如果释放0内存,直接返回 if (mem == 0) /
Published on 2024-01-03
tcache_init:初始化 tcache_perthread_struct static void tcache_init(void) { mstate ar_ptr; // arena void *victim = 0; const size_t bytes = si
Published on 2024-01-02
编译可进行源码级调试的libc库 手动操作过程 下载对应版本的libc源码:Index of /gnu/glibc,解压 创建两个目录:glibc-2.xx_build,glibc-2.xx_out 进入glibc-2.xx_build目录 执行: ../glibc-2.xx/configure -
Published on 2023-12-28
![[Pico CTF 2022]pwn-basic-file-exploit](https://img.kn0sky.com/typora/image-20231107174951-mxcwqbt.png)
题目分析 只给了个源码.c文件:应该只是逻辑问题 #include <stdio.h> #include <stdlib.h> #include <stdbool.h> #include <string.h> #include <stdint.h> #include <ctype.h> #inclu
Published on 2023-11-07
![[Pico CTF 2021]pwn-Unsubscriptions Are Free](https://img.kn0sky.com/typora/image-20231107170314-vk16jhe.png)
题目分析 给出了程序和源码 ➜ pwn-Unsubscriptions Are Free pwn checksec vuln [*] '/home/selph/Downloads/PicoCTF/pwn-Unsubscriptions Are Free/vuln' Arch: i3
Published on 2023-11-07
![[Pico CTF 2021]pwn-Here's a Libc](https://img.kn0sky.com/typora/image-20231106175918-c6us53j.png)
题目分析 无PIE,有NX,无Canary,一眼疑似栈溢出 [*] "/home/selph/Downloads/PicoCTF/pwn-Here's a LIBC/vuln" Arch: amd64-64-little RELRO: Partial RELRO
Published on 2023-11-07
![[Pico CTF 2021]pwn-Cache Me Outside](https://img.kn0sky.com/typora/image-20231103142822-wbm71ya.png)
题目分析 题目给了三个文件,libc版本是2.27,其中给了个makefile: ➜ pwn-Cache Me Outside cat Makefile all: gcc -Xlinker -rpath=./ -Wall -m64 -pedantic -no-pie --std=gnu99 -
Published on 2023-11-03
![[Pico CTF 2021]pwn-Stonks](https://img.kn0sky.com/typora/image-20231102150829-5xzo7v7.png)
题目分析 pwn题目的一种形式是,直接给源码,本题就是: #include <stdlib.h> #include <stdio.h> #include <string.h> #include <time.h> #define FLAG_BUFFER 128 #define MAX_SYM_LEN
Published on 2023-11-02
![[Google CTF 2023]pwn-write-flag-where3](https://img.kn0sky.com/typora/image-20230907143013-4y5jg1p.png)
题目分析 int __cdecl main(int argumentCount, const char **arguments, const char **environmentVariables) { __int64 buffer[9]; // [rsp+0h] [rbp-70h] BYREF
Published on 2023-10-26
![[Google CTF 2023]pwn-write-flag-where2](https://img.kn0sky.com/typora/image-20230906160036-lq35taf.png)
题目分析 直接看代码: int __cdecl main(int argumentCount, const char **arguments, const char **environmentVariables) { __int64 buffer[9]; // [rsp+0h] [rbp-70h
Published on 2023-10-25
