GreenHouse paper notes
Paper overview. Paper title: Greenhouse: Single-Service Rehosting of Linux-Based Firmware Binaries in User-Space...
Client-side V8 study notes
V8 topics: V8 Ignition bytecode instructions; V8 garbage collection; code caching; the V8 Hole value; V8 pointer compression; V8 data structures
GoogleCTF 2022 d8 Write Up
Someone shared the write-up approach used at the time; there does not seem to be a Chinese version online, so this is a translation and study record. Overview. Challenge directory listing:

    base ❯ tree -L 1
    .
    ├── build.Dockerfile
    ├── challenge
    ├── launcher.py
    ├── Makefile.txt
    ├── snapshot_blob.bin
    └── v8.patch
    0 directories, 6 files

From v8.patch we can tell that /srv/challenge/runner.cc is defined as the challenge entry point, and that one V8 flag default is changed:

    -DEFINE_BOOL(wasm_write_protect_code_memory, true,
    +DEFINE_BOOL(wasm_write_protect_code_memory, false,
                 "write protect code memory on the wasm native heap with mprotect")

The main logic: the challenge binary accepts user input (at most 65536 bytes) binary...
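Review bot: changing the default of wasm_write_protect_code_memory from true to false disables the mprotect-based write protection on the wasm native heap that the flag's own description names, so WebAssembly code pages stay writable while executable for the whole process. Since v8.patch is what turns this build into the challenge, the flag flip is the deliberate weakening to keep in mind when reading the rest of the write-up, not a side effect of adding runner.cc.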
honggfuzz study notes
Honggfuzz features: multi-process and multi-threaded; persistent fuzzing mode: when fuzzing an API, new inputs are fed within the same process, which significantly improves fuzzing throughput; complete and accurate crash tracking; uses low-level interfaces (e.g. ptrace) to monitor process state, so it still sees signals the target hijacks or ignores; supports several hardware instruction-level and software-level coverage measurements, and also black-box testing in QEMU mode. Persistent fuzzing mode means a long-lived process repeatedly calls the fuzz entry point: it "lets you fuzz your target persistently between two addresses - without forking for every fuzzing attempt." Reference: honggfuzz
Wuthering Waves mod installation
Done on a whim. Tool used: WWMI. Install the WWMI release msi; after installation click Wuthering Waves to add it in the top-left corner, then click Install. Mod Installation: extract the mod's archive and put the extracted folder into the Mods folder. Mod Hot Load, to properly load a newly installed mod without restarting the game: install the mod; hide the modded character from the screen (switch to another one); press [F10] to reload WWMI. Mod User Hotkeys: [F12] toggle the user guide; [F6] toggle WWMI-dependent mods; [F10] reload WWMI and save mod settings; [Alt]+[F12] toggle 0.6.X compatibility...
Summary of kernel pwn protection mechanisms
Protections that can be enabled under QEMU and the ways to bypass them. KASLR (CONFIG_RANDOMIZE_BASE), Kernel Address Space Layout Randomization: when enabled, the kernel image is loaded at a randomized base within the kernel text mapping region instead of a fixed address (with CONFIG_RANDOMIZE_MEMORY the direct mapping, vmalloc and vmemmap bases are randomized independently as well). Without KASLR, the kernel text base is 0xffffffff81000000 and the direct mapping area base is 0xffff888000000000. How to check: whether the kernel command line (the -append argument in the QEMU script) contains kaslr or nokaslr; read /proc/kallsyms and see whether the addresses match the unrandomized bases, or boot several times and compare the addresses (with kptr_restrict set, an unprivileged reader sees all-zero addresses, so read it as root). Bypass 1: use the vulnerability to get an arbitrary read and leak page_offset_base; https://arttnba3.cn/2021/03/03/PWN-0X00-LINUX-KERNEL-PWN-PART-I/#0x07-Kernel-Heap-Arbitrary-Address-Allocation; msg_msg leak. Bypass 2: through Kernel...
RWCTF2022 kernel_for_player
Basic idea for kernel heap challenges: overwrite the freelist next pointer to obtain an allocation at an arbitrary kernel address. Protection mechanisms: from the QEMU start script we can see that kaslr, smep and smap are enabled; the contents of /sys/devices/system/cpu/vulnerabilities/* show that PTI is enabled, which can also be checked in /proc/cpuinfo:

    /home $ grep flags /proc/cpuinfo -m 1 | grep pti
    flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc nopl xtopology cpuid pni cx16 hypervisop
    /home $ grep flags /proc/cpuinfo -m 1 | grep smep
    flags : fpu de pse tsc msr pae mce cx8...
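The checks from the KASLR summary above and from this post (kallsyms addresses against the unrandomized base, cpuinfo flags for smep/smap/pti), as an added example that is not code from either post. The kallsyms and cpuinfo samples are constructed for the demo; the unrandomized text base 0xffffffff81000000 is the one the notes give; main() reads the live /proc files when run on a target.

```c
/* Added example, not code from the original notes: the KASLR/SMEP/SMAP/PTI
 * checks described in the kernel pwn posts, as functions over text in the
 * format of /proc/kallsyms and the "flags" line of /proc/cpuinfo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86_64 kernel text base without KASLR, as given in the notes. */
#define KERNEL_TEXT_BASE_NOKASLR 0xffffffff81000000ULL

/* Constructed samples (not captured from a real system). */
static const char kallsyms_nokaslr[] =
    "0000000000000000 A fixed_percpu_data\n"
    "ffffffff81000000 T _text\n"
    "ffffffff81000000 T startup_64\n";
static const char kallsyms_kaslr[] =
    "ffffffffa3c00000 T _text\n"
    "ffffffffa3c00000 T startup_64\n";
static const char kallsyms_hidden[] = "0000000000000000 T _text\n"; /* kptr_restrict=1, non-root */
static const char cpuinfo_flags[] =
    "flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat "
    "pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc nopl xtopology "
    "cpuid pni cx16 hypervisor lahf_lm smep smap pti\n";

/* Address of `sym` in kallsyms-formatted text ("addr type name" per line);
 * 0 when the symbol is absent or kptr_restrict has zeroed the addresses. */
uint64_t kallsyms_lookup(const char *text, const char *sym) {
    const char *p = text;
    while (p && *p) {
        unsigned long long addr;
        char type, name[128];
        if (sscanf(p, "%llx %c %127s", &addr, &type, name) == 3 && strcmp(name, sym) == 0)
            return (uint64_t)addr;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* 1 = KASLR on, 0 = off, -1 = cannot tell (symbol missing or zeroed). */
int kaslr_state(const char *kallsyms_text) {
    uint64_t text = kallsyms_lookup(kallsyms_text, "_text");
    if (text == 0) return -1;
    return text != KERNEL_TEXT_BASE_NOKASLR;
}

/* Offset to add to symbol addresses taken from an unrandomized vmlinux; 0 if
 * unknown. This says nothing about page_offset_base: with CONFIG_RANDOMIZE_MEMORY
 * the direct mapping is randomized separately, which is why the notes leak it
 * through the vulnerability instead. */
uint64_t kaslr_text_slide(const char *kallsyms_text) {
    uint64_t text = kallsyms_lookup(kallsyms_text, "_text");
    return text ? text - KERNEL_TEXT_BASE_NOKASLR : 0;
}

/* Whole-word search for `flag` in a cpuinfo "flags" line, so "sma" does not
 * match "smap"; matches on later lines of the same buffer are ignored. */
int cpu_flag_present(const char *flags_line, const char *flag) {
    size_t n = strlen(flag);
    const char *p = flags_line;
    if (n == 0) return 0;
    while ((p = strstr(p, flag)) != NULL) {
        int starts = p == flags_line || p[-1] == ' ' || p[-1] == '\t' || p[-1] == ':';
        int ends = p[n] == '\0' || p[n] == ' ' || p[n] == '\n';
        if (memchr(flags_line, '\n', (size_t)(p - flags_line))) return 0; /* past this line */
        if (starts && ends) return 1;
        p += n;
    }
    return 0;
}

/* Read a whole file (size 0 under /proc, so read until EOF) into a NUL-terminated buffer. */
static char *slurp(const char *path) {
    FILE *f = fopen(path, "r");
    size_t cap = 1 << 16, len = 0, n;
    char *buf = f ? malloc(cap) : NULL;
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 == cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    if (f) fclose(f);
    if (buf) buf[len] = '\0';
    return buf;
}

int main(void) {
    char *ks = slurp("/proc/kallsyms"), *ci = slurp("/proc/cpuinfo");
    char *flags = ci ? strstr(ci, "flags") : NULL;
    if (!ks || !flags) { fprintf(stderr, "need /proc/kallsyms and /proc/cpuinfo\n"); return 1; }
    int st = kaslr_state(ks);
    printf("KASLR: %s, text slide 0x%llx\n",
           st < 0 ? "unknown (read as root or set kptr_restrict=0)" : st ? "on" : "off",
           (unsigned long long)kaslr_text_slide(ks));
    printf("SMEP: %d  SMAP: %d  PTI: %d\n", cpu_flag_present(flags, "smep"),
           cpu_flag_present(flags, "smap"), cpu_flag_present(flags, "pti"));
    free(ks); free(ci);
    return 0;
}
```

Run it as root inside the QEMU guest; the text slide it prints is the value to add to offsets taken from the shipped vmlinux once any symbol is known, while page_offset_base still has to come from the leak the posts describe.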
Source-level coverage measurement
The coverage tool LibFuzzer uses is Source-based Code Coverage. Two other coverage implementations in clang: SanitizerCoverage, a low-overhead instrumentation that provides edge-level coverage; gcov, a gcc-compatible implementation that operates on DebugInfo, enabled with -ftest-coverage or --coverage. Workflow: compile with coverage instrumentation; run the instrumented program; create the coverage report. The following code is used as the example:

    % cat <<EOF > foo.cc
    #define BAR(x) ((x) || (x))
    template <typename T> void foo(T x) {
      for (unsigned I = 0; I < 10; ++I) { BAR(I); }
    }
    int main() {
      foo<int>(0);
      foo<float>(0);
      return...
Fuzzing study
Formally starting down the fuzzing learning path. A rough summary of the planned route:
Source-code fuzzing: summary of gcc, clang and other compiler tooling; ASAN, UBSAN, LSan, QASAN; AFL++; HonggFuzz; LibFuzzer study notes; LibAFL study notes; source-level coverage measurement.
Binary fuzzing: afl-qemu; FirmAFL; GreenHouse; LibAFL-qemu; TFuzz (adds symbolic execution and removes sanity checks).
V8 fuzzing: Fuzzilli.
Kernel fuzzing: Syzkaller (sequences of syscalls); TriforceLinuxSyscallFuzzer; Unicorefuzz; KAFL; EQUAFL.
Hypervisor: Nyx.
Android fuzzing; race conditions ...
LibFuzzer study notes
Environment setup: Ubuntu 22.04. Install from source:

    # Install git and get this tutorial
    sudo apt-get --yes install git
    git clone https://github.com/google/fuzzing.git fuzzing
    # Get fuzzer-test-suite
    git clone https://github.com/google/fuzzer-test-suite.git FTS
    ./fuzzing/tutorial/libFuzzer/install-deps.sh  # Get deps
    ./fuzzing/tutorial/libFuzzer/install-clang.sh # Get fresh clang binaries

Verify:

    clang++ -g -fsanitize=address,fuzzer fuzzing/tutorial/libFuzzer/fuzz_me.cc
    ./a.out 2>&1 | grep...
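A harness of the shape both the honggfuzz notes (persistent mode) and these LibFuzzer notes call for, as an added example: it is not code from the honggfuzz or libFuzzer projects or from the original posts. The TLV parser it wraps is constructed for the demo, the INJECT_BUG and REPRO_MAIN macros are this example's own, and the build commands in the note below assume the clang and hfuzz-clang wrappers are on PATH.

```c
/* Added example, not code from the honggfuzz or libFuzzer projects: a harness
 * with the LLVMFuzzerTestOneInput entry point wrapped around a small TLV
 * parser constructed for this demo. One source file serves both fuzzers:
 * libFuzzer links its own driver, and honggfuzz persistent mode (-P) keeps
 * the process alive and calls the same entry point without forking per input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 32

/* What the parser extracts from a sequence of (tag, len, value) triples. */
typedef struct {
    char name[MAX_NAME + 1];   /* tag 1: copied and NUL-terminated */
    uint32_t value;            /* tag 2: 4-byte little-endian integer */
    int records;               /* TLVs consumed */
} tlv_result_t;

/* Parse `len` bytes of TLV data; 0 on success, -1 on malformed input.
 * Every length is checked against both the remaining input and the
 * destination, so a fuzzer only has something to find if INJECT_BUG is set. */
int parse_tlv(const uint8_t *buf, size_t len, tlv_result_t *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 2) return -1;              /* need tag and length */
        uint8_t tag = buf[off], tlen = buf[off + 1];
        off += 2;
        if (tlen > len - off) return -1;           /* value runs past the input */
        const uint8_t *val = buf + off;
        switch (tag) {
        case 1:
#ifndef INJECT_BUG   /* build with -DINJECT_BUG to watch ASan + fuzzer catch the overflow */
            if (tlen > MAX_NAME) return -1;        /* bound the copy into name[] */
#endif
            memcpy(out->name, val, tlen);
            out->name[tlen] = '\0';
            break;
        case 2:
            if (tlen != 4) return -1;
            out->value = (uint32_t)val[0] | (uint32_t)val[1] << 8 |
                         (uint32_t)val[2] << 16 | (uint32_t)val[3] << 24;
            break;
        default:
            return -1;                             /* unknown tag */
        }
        off += tlen;
        out->records++;
    }
    return 0;
}

/* Entry point both fuzzers call repeatedly in-process. Must return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    tlv_result_t r;
    (void)parse_tlv(data, size, &r);
    return 0;
}

#ifdef REPRO_MAIN
/* Stand-alone reproducer for a crash file, built without either fuzzer:
 *   cc -g -fsanitize=address -DREPRO_MAIN harness.c -o repro && ./repro crash-file */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    uint8_t buf[65536];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
#endif
```

For libFuzzer, build with clang -g -fsanitize=fuzzer,address harness.c -o harness_lf and run ./harness_lf corpus/ ; for honggfuzz persistent mode, build with hfuzz-clang -g -fsanitize=address harness.c -o harness_hf and run honggfuzz -P -i corpus -- ./harness_hf . Adding -DINJECT_BUG to either build removes the length check on tag 1, and both fuzzers report the stack overflow within seconds; the saved crash file then replays through the REPRO_MAIN build. The same file also fits the Source-based Code Coverage workflow from the coverage notes: build the REPRO_MAIN variant with -fprofile-instr-generate -fcoverage-mapping, run it over the corpus files, merge the .profraw files with llvm-profdata merge -sparse, and inspect which parser branches the corpus reaches with llvm-cov show.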