CodeQL+XNU
A quick record of a first try; I haven't finished reading the docs yet.
Installation
Download the archive and extract it somewhere
export PATH=$PATH:<codeql_path>
Building the XNU database
cd into the directory where the xnu source is stored
codeql database create xnu-database --language=cpp --command="make SDKROOT=macosx ARCH_CONFIGS=X86_64 KERNEL_CONFIGS=RELEASE"
Query test
First create a CodeQL package
codeql pack init xnuql -e cpp
Then add cpp-all
cd xnuql
codeql pack add codeql/cpp-all
Create a new .ql file in the package; together with the CodeQL extension for VS Code you can run queries easily. Let's start with a small test, following this article
The query finds
sopt.sopt_dir = SOPT_GET;
sopt.sopt_level = ...
HFCTF 2022 pwn reproduction
HFCTF
I didn't have time to take part; after it ended I briefly worked through the pwn challenges
gogogo
hfdev
babygame
vdq
mva
gogogo
Written in Go, which I'm not very good at analyzing. First run it; searching for the string LET'S BEGIN TO PLAY A GUESS GAME IN HFCTF! leads to main_main, but a breakpoint there doesn't hit, so I looked up how a Go program starts up
// The main goroutine.
func m ...
Voucher, Port and Message: Exploit CVE-2019-6225 on macOS
CVE-2019-6225
Vulnerability
The problem is in the MIG code.
routine task_swap_mach_voucher(
        task : task_t;
        new_voucher : ipc_voucher_t;
        inout old_voucher : ipc_voucher_t);
This routine simply swaps two vouchers. Let's take a look at the following code.
mig_internal novalue _Xtask_swap_mach_voucher
    (mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)
{
... ...
An Intro to Linux Kernel Pwn in CTF
Intro
In this post we will take a brief look at Linux kernel pwn: what we need to do and how it works.
Actually, Linux kernel pwn is similar to userland pwn, except that our target is the kernel (or a kernel module). In most cases the vulnerability is in a custom Linux Kernel Module (LKM), which provides a service to userland as part of the kernel in ring 0. Usually the emulator used for Linux kernel pwn tasks in CTFs is qemu, and the challenge will often be deplo ...
Xihu Lunjian 2021 PWN
XHLJ 2021 PWN
Blind
I completely misread this during analysis and went down the dl_resolve route, which didn't work out at all ()
Consider alarm(), which has a particular property
gef➤ x/32i alarm
=> 0x7ffff7eb5d90 <alarm>: mov eax,0x25
   0x7ffff7eb5d95 <alarm+5>: syscall
   0x7ffff7eb5d97 <alarm+7>: cmp rax,0xfffffffffffff001
The second instruction is a syscall, so we can brute-force the last byte (256 possibilities); once it succeeds we can jump straight to syscall through the GOT entry. Then, since read() returns the number of bytes written, we can use it to control the rax register, which gives us an arbitrary syscall. The rest is easy: there is plenty of stack overflow space, so a ROP chain is easy to build
...
CVE-2017-2370
Bug
kern_return_t
mach_voucher_extract_attr_recipe_trap(struct mach_voucher_extract_attr_recipe_args *args)
{
    ipc_voucher_t voucher = IV_NULL;
    kern_return_t kr = KERN_SUCCESS;
    mach_msg_type_number_t sz = 0;

    // recipe_size is a pointer
    if (copyin(args->recipe_size, (void *)&sz, sizeof(sz)))
        return KERN_MEMORY_ERROR;

    // now ...
Hackergame2021 Writeup
Hackergame 2021
A brief writeup
Check-in (签到)
Hexadecimal, at your service (进制十六——参上)
Cat Quiz Pro Max (猫咪问答 Pro Max)
Selling melons (卖瓜)
Transparent file (透明的文件)
Travel photo (旅行照片)
FLAG boost red packet (FLAG 助力大红包)
Amnesia
Mild amnesia (轻度失忆)
Memory wipe (记忆清除)
Information on the graph (图之上的信息)
Easy RSA
Cyber kitchen (赛博厨房)
Lights, waiting for lights (灯,等灯等灯)
Level1
Read-only filesystem (只读文件系统)
The grind king and the wild GPA (卷王与野生的 GPA)
Mnemonic words (助记词)
The first big meal (第一顿大餐)
minecRaft
fzuu
The alien's rhythm game handheld (外星人的音游掌机)
Super OI Writeup Simulator (超 OI 的 Writeup 模拟器)
Reverse engineering really is the easier part; surely nobody solved these by hand in two hours this time
Check-in (签到)
By observation, the page parameter in http://202.38.93.111:10000/?page=1 corresponds to the current time in seconds; a date calculator is enough
Hexadecimal, at your service (进制十六——参上)
Copy it out and open it in a hex editor
Cat Quiz Pro Max (猫咪问答 Pro Max)
This mainly seems to test information retrieval
Question 1: just use https://web.archive.org
Question 2 can be brute-guessed (just kidding); just find the corresponding web page (actually I did this one very late; at the time I simply searched and found it on Zhihu…)
Question 3 is at https://lug.ustc.edu.cn ...