index.html
<!-- build time:Wed Oct 30 2019 23:12:38 GMT+0800 (China Standard Time) -->
<!DOCTYPE html>
<html lang="zh-Hans">
<head>
<meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1"><meta name="description" content=""><meta name="keywords" content=""><meta name="author" content="Hpasserby"><meta name="copyright" content="Hpasserby">
<title>A binary-exploitation newbie | Hpasserby</title>
<link rel="shortcut icon" href="/melody-favicon.ico"><link rel="stylesheet" href="/css/index.css?version=1.6.1"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/font-awesome@latest/css/font-awesome.min.css?version=1.6.1"><link rel="dns-prefetch" href="https://cdn.staticfile.org"><link rel="dns-prefetch" href="https://cdn.bootcss.com"><link rel="dns-prefetch" href="https://creativecommons.org"><link rel="stylesheet" type="text/css" href="https://cdn.jsdelivr.net/npm/gitalk/dist/gitalk.min.css"><script src="https://cdn.jsdelivr.net/npm/gitalk@latest/dist/gitalk.min.js"></script><script src="https://cdn.jsdelivr.net/npm/blueimp-md5@2.10.0/js/md5.min.js"></script>
<link rel="dns-prefetch" href="https://hm.baidu.com"><script>var _hmt=_hmt||[];!function(){var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?4e3b4e0b100ec31631e29622d1ef8014";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)}()</script>
<link rel="dns-prefetch" href="https://www.google-analytics.com"><script>!function(e,t,a,n,c,s,o){e.GoogleAnalyticsObject=c,e[c]=e[c]||function(){(e[c].q=e[c].q||[]).push(arguments)},e[c].l=1*new Date,s=t.createElement(a),o=t.getElementsByTagName(a)[0],s.async=1,s.src=n,o.parentNode.insertBefore(s,o)}(window,document,"script","https://www.google-analytics.com/analytics.js","ga"),ga("create","UA-136221440-1","auto"),ga("send","pageview")</script>
<link rel="dns-prefetch" href="http://ta.qq.com"><script>!function(){var t=document.createElement("script");t.src="https://tajs.qq.com/stats?sId=66194231";var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e)}()</script>
<script>var GLOBAL_CONFIG={root:"/",algolia:void 0,localSearch:{path:"search.xml",languages:{hits_empty:"找不到您查询的内容:${query}"}},copy:{success:"复制成功",error:"复制错误",noSupport:"浏览器不支持"}}</script>
</head>
<body>
<i class="fa fa-arrow-right" id="toggle-sidebar" aria-hidden="true"></i>
<div id="sidebar"><div class="author-info"><div class="author-info__avatar text-center"><img src="/images/avatar.jpg"></div><div class="author-info__name text-center">Hpasserby</div><div class="author-info__description text-center"></div><div class="follow-button"><a href="https://github.com/Hpasserby/Hpasserby.github.io">Follow Me</a></div><hr><div class="author-info-articles"><a class="author-info-articles__archives article-meta" href="/archives"><span class="pull-left">Posts</span><span class="pull-right">19</span></a><a class="author-info-articles__tags article-meta" href="/tags"><span class="pull-left">Tags</span><span class="pull-right">19</span></a><a class="author-info-articles__categories article-meta" href="/categories"><span class="pull-left">Categories</span><span class="pull-right">4</span></a></div><hr><div class="author-info-links"><div class="author-info-links__title text-center">Links</div><a class="author-info-links__name text-center" href="http://pidanxu.github.io/">my bro eax</a><a class="author-info-links__name text-center" href="https://redogwu.github.io/">Master wjllz</a><a class="author-info-links__name text-center" href="https://hachp1.github.io/">HACHp1 the great</a></div></div></div>
<nav id="nav" style="background-image:url(/images/head.jpg)"><div id="page-header"><span class="pull-left"><a id="site-name" href="/">Hpasserby</a></span><i class="fa fa-bars toggle-menu pull-right" aria-hidden="true"></i><span class="pull-right menus"><a class="site-page social-icon search"><i class="fa fa-search"></i><span> Search</span></a><a class="site-page" href="/">Home</a><a class="site-page" href="/archives">Archives</a><a class="site-page" href="/tags">Tags</a><a class="site-page" href="/categories">Categories</a><a class="site-page" href="/about">About</a></span></div><div id="site-info"><div id="site-title">Hpasserby</div><div id="site-sub-title">A binary-exploitation newbie</div></div></nav>
<div id="content-outer"><div class="layout" id="content-inner">
<div class="recent-post-item article-container"><a class="article-title" href="/post/9850d6ab.html">RealWorld ctf 2019 accessible writeup</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2019-10-16</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/browser/">browser</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/v8/">v8</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/JIT/">JIT</a></span><div class="content"><blockquote><p> This challenge mainly involves v8's dependency mechanism. The patch file removes some of the code that registers dependencies, so the generated JIT code does not trigger a deoptimize even when certain element kinds change, which leads to a type confusion.</p><p> In this writeup I mainly record my analysis process. Because I already knew some of the conclusions from existing writeups, I tried to find a line of reasoning that reaches the final result step by step from zero, so the process may seem rather long-winded.</p></blockquote><p></p></div><a class="more" href="/post/9850d6ab.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/32483719.html">cve-2016-5198 vulnerability analysis</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2019-09-01</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/browser/">browser</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/v8/">v8</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/JIT/">JIT</a></span><div class="content"><blockquote><p>This is a vulnerability caused by JIT code that does not check for type changes of the global object; it can lead to out-of-bounds reads and writes.</p></blockquote></div><a class="more" href="/post/32483719.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/825d66e8.html">*CTF2019 OOB-v8 writeup</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2019-08-20</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/browser/">browser</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/v8/">v8</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/OOB/">OOB</a></span><div class="content"><blockquote><p>This is a very good <a href="https://ctftime.org/task/8393" target="_blank" rel="noopener">CTF challenge</a> for getting started with v8. The main idea is to use the oob to modify the map of a JS object in v8, causing a type confusion.</p></blockquote></div><a class="more" href="/post/825d66e8.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/abaa2e35.html">Getting started with v8 exploits [PlaidCTF roll a d8]</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2019-05-22</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/browser/">browser</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/v8/">v8</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/OOB/">OOB</a></span><div class="content"><blockquote><p>This article was first published on the Xianzhi community: <a href="https://xz.aliyun.com/t/5190" target="_blank" rel="noopener">https://xz.aliyun.com/t/5190</a></p></blockquote><blockquote><p>This post was started in March and I only finished it now, 2333, so lazy.<br>I have always wanted to get into Chrome vulnerability research, so I decided to start from a <a href="https://ctftime.org/task/6081" target="_blank" rel="noopener">CTF challenge</a> (which is actually also a real vulnerability). This article records my learning process as a summary, and I hope it can also help others who are just getting started.</p></blockquote></div><a class="more" href="/post/abaa2e35.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/ef2727d8.html">IE integer overflow vulnerability [cve-2013-2551] analysis</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2019-03-03</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/browser/">browser</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/堆利用/">heap exploitation</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/IE/">IE</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/整数溢出/">integer overflow</a></span><div class="content"><blockquote><p>The second bug I have debugged. I really felt how weak my debugging skills are; only while writing these notes did I sort out the debugging approach...<br>This bug is described as an integer overflow, but I feel the key point is the out-of-bounds access that the integer overflow causes.<br></p></blockquote></div><a class="more" href="/post/ef2727d8.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/b72ee585.html">IE out-of-bounds access vulnerability [cve-2012-1876] analysis</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2019-02-25</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/browser/">browser</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/堆利用/">heap exploitation</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/IE/">IE</a></span><div class="content"><blockquote><p>My first time working on a vulnerability outside of CTF. Following various masters' blogs and the book 《漏洞战争》 (Vulnerability Wars), I struggled for several days and finally got it working. Here I record my whole debugging process as a summary.<br></p></blockquote></div><a class="more" href="/post/b72ee585.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/aaf4d161.html">BCTF2018 easiest writeup</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2018-12-08</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/writeup/">writeup</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/堆利用/">heap exploitation</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/fastbin-attack/">fastbin_attack</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/IO-FILE/">IO_FILE</a></span><div class="content"><blockquote><p>I did not take part in this BCTF and only looked at the challenges afterwards. This challenge is not hard, but I still learned a few things I was not clear about before, so I am writing them down.</p></blockquote><h1 id="题目描述"><a href="#题目描述" class="headerlink" title="题目描述"></a>Challenge description</h1><p>Source: BCTF 2018<br>Topics: fastbin_attack, IO_FILE<br></p></div><a class="more" href="/post/aaf4d161.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/8e1cd5dc.html">Hitcon2018 baby_tcache writeup</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2018-11-09</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/writeups/">writeups</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/堆利用/">heap exploitation</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/off-by-one/">off_by_one</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/IO-FILE/">IO_FILE</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/overlapping/">overlapping</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/tcache/">tcache</a></span><div class="content"><blockquote><p>This challenge is from the same series as the previous children_tcache, but it is much harder _(:зゝ∠)_. After searching all over the web there seemed to be only English writeups, so I had to grit my teeth and grind through it... The only difference from the children challenge is that this one has no ready-made output function, which makes leaking very difficult. Luckily I had studied house of orange a while ago, otherwise I could not even have understood the writeups..</p></blockquote><h2 id="题目描述"><a href="#题目描述" class="headerlink" title="题目描述"></a>Challenge description</h2><p>Source: HITCON CTF 2018<br>Topics: tcache && overlapping && off_by_one && IO_FILE<br></p></div><a class="more" href="/post/8e1cd5dc.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/cdad9cf7.html">Hitcon2018 children_tcache writeup && overlapping</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2018-10-27</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/writeups/">writeups</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/堆利用/">heap exploitation</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/off-by-one/">off_by_one</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/overlapping/">overlapping</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/tcache/">tcache</a></span><div class="content"><blockquote><p>My first time taking part in HITCON CTF. While studying heap exploitation I had solved a few challenges from previous years and felt pretty good about myself, and then I scored zero, 23333. I saw a writeup for this challenge online a few days ago but put off studying it until today; after reading it I feel I am really bad at this...</p></blockquote><h2 id="题目描述"><a href="#题目描述" class="headerlink" title="题目描述"></a>Challenge description</h2><p>Source: HITCON CTF 2018<br>Topics: tcache && overlapping && off_by_one<br></p></div><a class="more" href="/post/cdad9cf7.html#more">Read more</a><hr></div>
<div class="recent-post-item article-container"><a class="article-title" href="/post/f8f8701e.html">Heap exploitation study: house of orange</a><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2018-10-14</time><span class="article-meta"><span class="article-meta__separator">|</span><i class="fa fa-inbox article-meta__icon" aria-hidden="true"></i><a class="article-meta__categories" href="/categories/堆利用学习/">heap exploitation study</a></span><span class="article-meta tags"><span class="article-meta__separator">|</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/堆利用/">heap exploitation</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/house-of-orange/">house_of_orange</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/IO-FILE/">IO_FILE</a><span class="article-meta__link">-</span><i class="fa fa-tag article-meta__icon" aria-hidden="true"></i><a class="article-meta__tags" href="/tags/unsortedbin-attack/">unsortedbin_attack</a></span><div class="content"><blockquote><p>Finally got to house of orange. After reading countless masters' blogs I have more or less sorted out some of the ideas, so I had better write some notes before I forget.</p></blockquote><h1 id="概述"><a href="#概述" class="headerlink" title="概述"></a>Overview</h1><p>house of orange comes from a challenge of the same name in Hitcon CTF 2016, which used a brand-new attack technique (not so new any more, 2333). The main idea of the attack is to use an <code>unsorted attack</code> to overwrite the <code>_IO_list_all</code> pointer and to forge an <code>_IO_FILE_plus</code> structure together with its <code>vtable</code> in order to hijack control flow.<br>Let's go straight to the challenge...<br></p></div><a class="more" href="/post/f8f8701e.html#more">Read more</a><hr></div>
<nav id="pagination"><div class="pagination"><span class="page-number current">1</span><a class="page-number" href="/page/2/">2</a><a class="extend next" rel="next" href="/page/2/"><i class="fa fa-chevron-right"></i></a></div></nav></div></div>
<footer class="footer-bg" style="background-image:url(/images/head.jpg)"><div class="layout" id="footer"><div class="copyright">©2018 - 2019 By Hpasserby</div><div class="framework-info"><span>Powered by - </span><a href="http://hexo.io"><span>Hexo</span></a><span class="footer-separator">|</span><span>Theme - </span><a href="https://github.com/Molunerfinn/hexo-theme-melody"><span>Melody</span></a></div><div class="footer_custom_text"><span>Hosted by <a href="https://pages.coding.me" style="font-weight:700">Coding Pages</a></span></div><div class="busuanzi"><script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script><span id="busuanzi_container_site_uv"><i class="fa fa-user"></i><span id="busuanzi_value_site_uv"></span><span></span></span><span class="footer-separator">|</span><span id="busuanzi_container_site_pv"><i class="fa fa-eye"></i><span id="busuanzi_value_site_pv"></span><span></span></span></div></div></footer>
<i class="fa fa-arrow-up" id="go-up" aria-hidden="true"></i>
<script src="https://cdn.jsdelivr.net/npm/animejs@latest/anime.min.js"></script><script src="https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-animate@latest/velocity.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-ui-pack@latest/velocity.ui.min.js"></script><script src="/js/utils.js?version=1.6.1"></script><script src="/js/fancybox.js?version=1.6.1"></script><script src="/js/sidebar.js?version=1.6.1"></script><script src="/js/copy.js?version=1.6.1"></script><script src="/js/fireworks.js?version=1.6.1"></script><script src="/js/transition.js?version=1.6.1"></script><script src="/js/scroll.js?version=1.6.1"></script><script src="/js/head.js?version=1.6.1"></script><script src="/js/search/local-search.js"></script>
<script>/Android|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)&&($("#nav").addClass("is-mobile"),$("footer").addClass("is-mobile"))</script>
<div class="search-dialog" id="local-search"><div class="search-dialog__title" id="local-search-title">Local search</div><div id="local-input-panel"><div id="local-search-input"><div class="local-search-box"><input class="local-search-box--input" placeholder="搜索文章"></div></div></div><hr><div id="local-search-results"><div id="local-hits"></div><div id="local-stats"><div class="local-search-stats__hr" id="hr"><span>Powered by</span> <a href="https://github.com/wzpan/hexo-generator-search" style="color:#49B1F5">hexo-generator-search</a></div></div></div><span class="search-close-button"><i class="fa fa-times"></i></span></div><div class="search-mask"></div>
</body></html><!-- rebuild by neat -->