• Learn Corelan Exploit Writing Part 3

    0x00 Environment Setup

    The dramatist Hong Shen said: my dream is that next year my ability to endure hardship will be stronger than this year's. Part 3 and Part 3b both take real vulnerabilities as examples to explain how SEH (structured exception handling) works and how to exploit SEH-based overwrites. I recommend reading chapter 48 of 《逆向工程核心原理》 (Reverse Engineering Core Principles) and debugging its cases to understand the SEH mechanism, then the relevant chapters of 《0day》 to learn how SEH and SafeSEH are exploited and bypassed.

    Read on →

  • Learn Corelan Exploit Writing Part 2

    0x00 Environment Setup

    Part 2 continues Part 1: on the same basic stack overflow vulnerability from Part 1, it introduces several ret2shellcode methods, so all security mitigations stay switched off. Although the end result is still jumping to shellcode, the post also mixes in some ideas on gadget selection and ROP chain construction, and a few points needed further reverse engineering and experimentation, hence this write-up.

    Read on →

  • Learn Corelan Exploit Writing Part 1

    0x00 Environment Setup

    Mao Dun said: I never dream; I only strive to understand reality. So the classic Corelan Team exploit writing tutorials still have to be worked through first. Part 1 simply takes a real vulnerability as an example to introduce how stack overflows work and the basic exploitation process. Since I am learning someone else's material, there is no need to put on airs by writing in English, and it is more efficient too (laughing and crying).

    Read on →

  • Reviewing Netgear WNR2200 Heap Overflow

    0x00 Preface

    Although the security protections on routers are relatively weak, it is still worth learning their attack surfaces and how to exploit them on different platforms. Porting an exploit to the Netgear WNR2200 is an example of using an existing Metasploit module to easily compromise a router running an old Samba version. Once the cross-platform exploitation is done, the mechanism is clear: a heap overflow overwrites a function pointer inside a structure, and because the heap is executable, brute-forcing the heap address lands the call on shellcode built for the target architecture. I have a Netgear WNR2200 at hand whose firmware version matches the one in the original write-up, so it is a good opportunity to analyze the exploitation of CVE-2007-2446 on this router.
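    As an added illustration (not code from the write-up above, from Samba, or from the Metasploit module), the following C toy models the bug class the paragraph describes: a heap-allocated structure whose fixed buffer is immediately followed by a function pointer, a copy that trusts the attacker-supplied length and overruns into that pointer, and the indirect call that then gets hijacked, shown beside the bounds-checked copy that rejects the same input. The structure layout, field names, sizes and function names are assumptions for illustration; the real exploit relies on a brute-forced guess at an executable heap address rather than a known function address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 32

typedef void (*handler_fn)(void);

/* Assumed layout for illustration only (not Samba's real structure): a
 * fixed-size buffer immediately followed by a function pointer, so a copy
 * that overruns the buffer lands on the pointer first. */
struct record {
    char name[NAME_MAX];
    handler_fn handler;
};

static int g_called;                           /* records which handler ran */
static void legit_handler(void)  { g_called = 1; }
static void attacker_stub(void)  { g_called = 2; }   /* stand-in for heap shellcode */

/* Vulnerable copy: bounds the length by the whole allocation instead of the
 * name buffer (the only guard here is to keep the demo inside the object;
 * the real bug had no usable check at all). The write goes through the
 * object's byte representation, so the overrun into rec->handler is
 * well-defined for this demonstration. */
static int copy_name_vulnerable(struct record *rec, const uint8_t *data, size_t len)
{
    unsigned char *raw = (unsigned char *)rec;
    if (len > sizeof *rec - offsetof(struct record, name)) return -1;
    memcpy(raw + offsetof(struct record, name), data, len);
    return 0;
}

/* Hardened copy: bound the length by the buffer it is actually written into. */
static int copy_name_checked(struct record *rec, const uint8_t *data, size_t len)
{
    if (len >= NAME_MAX) return -1;
    memcpy(rec->name, data, len);
    rec->name[len] = '\0';
    return 0;
}

/* Constructed attacker payload: filler up to the function pointer, then the
 * value the pointer should take. In the real exploit that value is a
 * brute-forced guess at an executable heap address; here it is the address
 * of attacker_stub so the program stays well-defined. */
static size_t build_overflow(uint8_t *out, size_t cap, handler_fn target)
{
    size_t off = offsetof(struct record, handler);
    size_t total = off + sizeof target;
    if (cap < total) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return total;
}

/* Process one constructed "request". Returns -1 if the input was rejected,
 * otherwise which handler ran: 1 = the legitimate one, 2 = the attacker's. */
int run_scenario(int vulnerable, int malicious)
{
    struct record *rec = calloc(1, sizeof *rec);
    uint8_t buf[sizeof(struct record)];
    size_t len;
    int rc;

    if (rec == NULL) return -1;
    rec->handler = legit_handler;

    if (malicious) {
        len = build_overflow(buf, sizeof buf, attacker_stub);
    } else {
        static const char benign[] = "guest";
        len = sizeof benign - 1;
        memcpy(buf, benign, len);
    }

    rc = vulnerable ? copy_name_vulnerable(rec, buf, len)
                    : copy_name_checked(rec, buf, len);
    if (rc != 0) { free(rec); return -1; }

    g_called = 0;
    rec->handler();            /* the indirect call the overflow hijacks */
    free(rec);
    return g_called;
}

int main(void)
{
    printf("vulnerable, benign name   : %d\n", run_scenario(1, 0));
    printf("vulnerable, overflow      : %d\n", run_scenario(1, 1));
    printf("checked,    benign name   : %d\n", run_scenario(0, 0));
    printf("checked,    overflow      : %d\n", run_scenario(0, 1));
    return 0;
}
```

    The only difference between the two copy routines is which size the length is compared against; with the buffer-sized bound the overflow input is rejected before it can reach the pointer, and the legitimate handler still runs for well-formed input.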

    Read on →

  • Basic ROP Write Up

    0x00 Abstract

    When learning basic ROP techniques, doing some exercises is necessary. The website not only summarizes pwn experience but also provides corresponding CTF challenges. Practice makes perfect, so I practice.

    Read on →