• Learn Corelan Exploit Writing Part 2

    0x00 Environment Setup

    Part 2 continues Part 1. Building on the stack overflow vulnerability from Part 1, it introduces several ret2shellcode methods, so the security mechanisms remain fully disabled. Although the end result is still jumping to shellcode for execution, the process also involves some ideas about gadget selection and ROP chain construction, and some parts needed further reverse engineering and experimentation, hence this article.


  • Learn Corelan Exploit Writing Part 1

    0x00 Environment Setup

    Mao Dun said: I never dream, I only try to understand reality. So the classic Corelan Team exploit writing tutorials still have to be worked through first. Part 1 simply takes a real-world vulnerability as an example to introduce the principles of stack overflows and the basic exploitation process. Since I am learning from someone else's material, I will not put on airs by writing in English, which also improves efficiency. /laughing-crying


  • Reviewing Netgear WNR2200 Heap Overflow

    0x00 Preface

    Although the security protection on routers is relatively poor, it is still necessary to learn their attack surfaces and how to exploit them on different platforms. Porting exploits to a Netgear WNR2200 is an example of using the exploit in MSF to easily compromise a router running an old version of Samba. From the completed cross-platform exploitation, it can be seen that a function pointer in a structure is overwritten by a heap overflow; with executable heap permissions and brute forcing on the heap, shellcode for the different architectures is executed. I have a Netgear WNR2200 on hand, and its firmware version is the same as the one in that article, so it is a good chance to analyze the exploitation of CVE-2007-2446 on the router.


  • Basic ROP Write Up

    0x00 Abstract

    When learning about basic ROP techniques, doing some exercises is necessary. The website not only summarizes pwn experience but also provides corresponding CTF challenges. Practice makes perfect.


  • ROP Emporium Write Up

    0x00 Abstract

    It has been a long time since I stopped doing pwn exercises. This time I solved some basic challenges of ROP Emporium, which is a good place to practice your ability to construct write4, xor or pivot ROP chains. I believe you should know the usage of ROPgadget before reading this write-up.
