l0tus's blog

切开血管,落日殷红

tcache_poisoning

一种简单的堆利用方式

泄露libc 首先申请index为0-7,size为0x100x的八个chunk,第7-1号chunk在逆序free后进入tcache,第0号进入unsorted bin. free完成后可以查看bin的情况,可以看到unsorted bin中的最后一位(这里只有一位),也就是第一个被free进入unsorted bin当中的chunk会指回libc中main_arena的某处地址,同时d......

Posted by l0tus on 2022-12-14

pwn笔记 heap

PoC double_free

Source code 1234567891011121314151617181920212223242526272829303132333435#include<stdio.h>#include<stdlib.h>int main(){ size_t * ptr[12]; for(int i=0;i<12;i++) ......

Posted by l0tus on 2022-12-13

pwn笔记 heap PoC

HEAP

堆相关知识

malloc & free 1234567891011121314151617181920212223242526/* malloc(size_t n) Returns a pointer to a newly allocated chunk of at least n bytes, or null if no space is available. Additionally,......

Posted by l0tus on 2022-12-11

pwn笔记

XCTF-stack2-WP

初遇canary

下载附件拖进ida之后观察main函数: 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475int __cdecl main(int argc, const c......

Posted by l0tus on 2022-09-28

pwn笔记 write up

XCTF-实时数据检测-WP

比较经典的一道格式化字符串漏洞的题目,难度不大,l0tus在这里提供两种做法

经典做法 下载附件拖进ida之后看到明显的逻辑,不过这题是32位的 1234567891011int locker(){ char s[520]; // [esp+0h] [ebp-208h] BYREF fgets(s, 512, stdin); imagemagic(s); if ( key == 35795746 ) return system("/b......

Posted by l0tus on 2022-09-12

pwn笔记 write up
VISITORS
Viewed Times
Visitors In Total
FEATURED TAGS
年终总结 pwn笔记 write up 杂谈 静态分析 抽象语法树 论文阅读笔记 IoT CVE复现 FSOP iot JS 转载 LLM heap PoC singapore travel SROP kernel fuzz 虚拟机逃逸 write_up ciscn2024 networking dn11 Fuzz Paper Reading vpn安全 qemu逃逸 ChatGPT Bot stackmove 漏洞复现 源码阅读 操作系统 读书笔记 学期总结
ABOUT ME
avatar_pic

Vidar-Team | Binary security learner

RECENT POSTS
FRIENDS
archives
categories
ESC