syzkaller_1_environ_build
Syzkaller (1): Environment Setup
Syzkaller is a kernel fuzzer developed by security researchers at Google and one of the most powerful kernel fuzzers available today. It is written in Go and supports akaros/fuchsia/linux/android/freebsd/netbsd/openbsd/windows; Darwin/XNU is not supported.
Environment setup
Built on Ubuntu 18.04;
Install dependencies
sudo apt-get install debootstrap
sudo apt install qemu-kvm
sudo apt-get install subversion
sudo apt-get install git
sudo apt-get install make
sudo apt-get install qemu
sudo apt install libssl-dev libelf-dev
sudo apt-get install flex bison libc6-dev libc6-dev-i386 linux-libc-dev linux-libc-dev:i386 libgmp3-dev libmpfr ...
trinity_1
Trinity(1)
bomblab
bomblab
Run
[root@1e4873216d41 bomb]# ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Clearly the task is to defuse the bomb, but several conditions must be met; let's look at part of the source code;
source code
initialize_bomb();
printf("Welcome to my fiendish little bomb. You have 6 phases with\n");
printf("which to blow yourself up. Have a nice day!\n");
/* Hmm... Six phases must be more secure than one phase! */
input = read_line(); /* Get input */
pha ...
preparelab
preparelab
url
https://csapp.cs.cmu.edu/3e/labs.html
docker
Use a Docker bind mount so that the host and the container share data;
Pull a CentOS image
docker pull centos
Create the container with the directory mounted
docker container run -it -v /home/klose/ctf/pwn/csapp_lab:/csapp_lab --name=csapp_env centos /bin/bash
Detach when done:
Ctrl+P, Ctrl+Q
List all containers
docker ps -a
Start
docker start <id>
Attach
docker attach <id>
environment
update
yum -y update
sudo
yum install sudo
C/C++ environment
yum install make automake gcc gcc-c++ kernel-devel
gdb for debugging
yum install gdb
...
qctf2018_stack2
qctf2018_stack2
Information gathering
checksec
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)
Run
************************************************************
An easy calc
**Give me your numbers and I will return to you an average
**(0 <= x < 256)
************************************************************
How many numbers you have:1
Give me your numbers
2 ...
datalab
datalab
Download the handout archive and read the README;
handout_zip
README
Complete each part of the lab as instructed;
/*
 * CS:APP Data Lab
 *
 * <K1ose>
 *
 * bits.c - Source file with your solutions to the Lab.
 *          This is the file you will hand in to your instructor.
 *
 * WARNING: Do not include the <stdio.h> header; it confuses the dlc
 * compiler. You can still use printf for debugging without including
 * <stdio.h>, although you might get a compiler warning. In general,
 * it's not good practice to ignore compiler warnings, b ...
0ctf2018_final_babykernel
0ctf2018_final_babykernel
Information gathering
Files
Provided files
baby.ko core.cpio start.sh vmlinuz-4.15.0-22-generic
vmlinuz
$ file vmlinuz-4.15.0-22-generic
vmlinuz-4.15.0-22-generic: Linux kernel x86 boot executable bzImage, version 4.15.0-22-generic (buildd@lcy01-amd64-010) #24~16.04.1-Ubuntu S, RO-rootFS, swap_dev 0x7, Normal VGA
$ strings vmlinuz-4.15.0-22-generic | grep gcc
4.15.0-22-generic (buildd@lcy01-amd64-010) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)) #24~16.04.1-Ubuntu SMP Fri May 18 09:4 ...
AFL_basic
AFL Basics
Fuzzing
Feed automatically or semi-automatically generated random data into a program and monitor it for failures (crashes, assertion failures, etc.) in order to uncover possible bugs such as memory leaks;
Classification
By how the test data is generated:
Generation-based
Mutation-based (AFL)
By how much is known about the target:
White-box
Grey-box (AFL)
Black-box
By how feedback from the fuzzing run is handled:
Blind
Feedback-guided (AFL)
How it works
Usage
Installation
git clone git://github.com/google/AFL
cd AFL
make
Test case
Code
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>

int vuln(char *str){
    int len = strlen(str);
    if(str[0] == 'A' && ...
pwnable.kr_passcode
passcode
Information gathering
After connecting to the target over SSH, look at the files:
$ ls -ll
total 16
-r--r----- 1 root passcode_pwn   48 Jun 26  2014 flag
-r-xr-sr-x 1 root passcode_pwn 7485 Jun 26  2014 passcode
-rw-r--r-- 1 root root          858 Jun 26  2014 passcode.c
Look at the C file:
$ cat passcode.c
#include <stdio.h>
#include <stdlib.h>

void login(){
    int passcode1;
    int passcode2;

    printf("enter passcode1 : ");
    scanf("%d", passcode1);    // lose '&'
    fflush(stdin);

    // ha! mommy told me that 32bit is vulnerable ...
pwnable.kr_flag
flag
checksec
[*] '/home/klose/ctf/pwn/file/pwnable_kr/flag/flag'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
    Packer:   Packed with UPX
The binary is packed with UPX;
Take a look with strings;
$ strings flag | grep UPX | bat
...