  • ROP Emporium Write Up

    0x00 Abstract

    It has been a long time since I stopped doing pwn exercises. This time I solved some basic challenges of ROP Emporium, which is a good place to practice your ability to construct write4, xor or pivot ROP chains. I believe that you should know how to use ROPgadget before reading this write-up.

    Read on →

  • CVE-2018-11013 D-Link DIR-816 OOB BoF

    0x00 Abstract

    Well, it is time to practice my poor English by writing internationalized posts now, not at some point in the future. I would appreciate it if you could point out any inappropriate usage of English to me. Back to the topic: CVE-2018-11013 is a stack-based BoF in the D-Link DIR-816 router. The author exploited it in an interesting way, which was abstract enough that I explored it as follows.

    Read on →

  • CVE-2018-1111 Red Hat DHCP Client Command Execution Vulnerability Analysis

    0x00 Background

    Specifically, CVE-2018-1111 is a command injection vulnerability in a script file shipped with the DHCP client (dhclient) package. Because DHCP consists of unauthenticated UDP packets on the local network, the attack scenario is to spoof DHCP server responses inside that network: through DHCP option 252 (Private/Proxy autodiscovery), which has a string type, a string containing a single quote is passed into the vulnerable script, completing the command injection.
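    As an added example (not code from the original post, and not the actual dhclient or NetworkManager script), the following Python models the bug class described above: a rogue server puts a single quote into option 252, the client parses the option out of the RFC 2132 code/length/value blob, and a hook script that wraps the value in single quotes before handing it to a shell executes the injected command. The `dispatcher_script` model, the `new_wpad` variable name and the `PAYLOAD` string (which only prints the marker `INJECTED`) are constructed for illustration; the hardened variant uses `shlex.quote` so the value always stays one shell word.

```python
import shlex
import struct
import subprocess

# DHCP option 252: "Private/Proxy autodiscovery", the string-typed WPAD URL option.
OPTION_PROXY_AUTODISCOVERY = 252
OPTION_PAD = 0
OPTION_END = 0xFF

# Constructed payload: a plausible WPAD URL, a single quote that closes the
# quoted string a naive script wraps around the value, a harmless marker
# command, and '#' so the rest of the script line becomes a comment.
PAYLOAD = "http://wpad.example/wpad.dat'; echo INJECTED #"


def encode_option(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as RFC 2132 code/length/value."""
    if not 0 < len(value) < 256:
        raise ValueError("option value must be 1..255 bytes")
    return struct.pack("BB", code, len(value)) + value


def decode_options(blob: bytes) -> dict:
    """Parse a DHCP options blob into {code: value}; stops at the END option."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:  # PAD has no length byte
            i += 1
            continue
        length = blob[i + 1]
        options[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return options


def spoofed_server_options(wpad_value: str) -> bytes:
    """Options field of a rogue DHCP reply carrying only option 252 (constructed)."""
    return encode_option(OPTION_PROXY_AUTODISCOVERY, wpad_value.encode()) + bytes([OPTION_END])


def dispatcher_script(value: str, hardened: bool) -> str:
    """Model of a client hook script that exports the option value to a shell.

    naive:    wraps the value in single quotes and trusts it not to contain one
    hardened: shlex.quote escapes embedded quotes, so the value is one word
    """
    quoted = shlex.quote(value) if hardened else f"'{value}'"
    return f"new_wpad={quoted}; printf '%s' \"$new_wpad\""


def run_dispatcher(options_blob: bytes, hardened: bool) -> str:
    """Client side: parse the options, hand option 252 to the hook, return its stdout."""
    value = decode_options(options_blob)[OPTION_PROXY_AUTODISCOVERY].decode()
    result = subprocess.run(["sh", "-c", dispatcher_script(value, hardened)],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    blob = spoofed_server_options(PAYLOAD)
    # naive: the quote breaks out, "echo INJECTED" runs, printf is commented away
    print("naive   :", repr(run_dispatcher(blob, hardened=False)))
    # hardened: the whole payload is stored verbatim and printed as data
    print("hardened:", repr(run_dispatcher(blob, hardened=True)))
```

    The naive run prints only `INJECTED`, because the single quote in the option value terminates the quoted string and everything after `#` is discarded; the hardened run prints the payload back as plain data. The same check applies to any option whose value is interpolated into a shell command line rather than passed as an argument.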

    Read on →

  • D-Link DIR-645 post_login.xml BoF

    0x00 Background

    While reading the book 《揭秘家用路由器0day漏洞挖掘技术》 (on 0day vulnerability hunting in home routers), whose first two chapters cover vulnerabilities in the D-Link DIR-815 and DIR-645, I looked at the related exploits on exploit-db and found that the advisory also lists a stack overflow in DIR-645 post_login.xml. This post gives a brief analysis and exploitation of that vulnerability:

    Read on →

  • MBE Lab8 Misc and Canaries Write Up

    0x00 Background

    This write-up corresponds to MBE Lab8. The topics are integer overflows, file-descriptor exploitation and bypassing stack cookies. Although this is miscellaneous material and not as challenging as the earlier labs, it is still worth understanding and mastering.

    Read on →