Archive 2017/08 (6)
#dokydoky
Reference
https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore.html
https://github.com/shellphish/how2heap/blob/master/house_of_lore.c
smallbin
About smallbin: there are 62 small bins in total. When a chunk is freed and the chunks before and after it are also free, they are merged (coalesced). Insertion is at the HEAD, removal from the TAIL (FIFO).
32-bit sizes: 0x10, 0x18, 0x20, ..., 0x1F8 (504) (8x+8, 1fd = bin; if (av != &main_arena) victim->size |= NON_MAIN_ARENA; check_malloced_chunk (av, vict..
Reference
Double free
https://heap-exploitation.dhavalkapil.com/attacks/double_free.html
https://github.com/shellphish/how2heap/blob/master/fastbin_dup.c
Forging chunks
https://heap-exploitation.dhavalkapil.com/attacks/forging_chunks.html
https://github.com/shellphish/how2heap/blob/master/fastbin_dup_into_stack.c (double free + forging chunks)
House of spirit
https://heap-exploitation.dhavalkapil.com/at..
Reference
It is a simple version of dhavalkapil's work: https://heap-exploitation.dhavalkapil.com/diving_into_glibc_heap/core_functions.html
glibc 2.23 code: http://repo.or.cz/glibc.git/commit/ab30899d880f9741a409cbc0d7a28399bdac21bf
Malloc
Malloc pseudo-code
// step 1
if) size == fastbin range: 'return chunk' = chunk at the end of the fastbin list
if) return chunk == null: move on to 'smallbin case' e..
WPScan is a black box WordPress vulnerability scanner
Repository: https://github.com/wpscanteam/wpscan
Install
Prerequisites
Ruby >= 2.1.9 - Recommended: 2.3.3
Curl >= 7.21 - Recommended: latest - FYI the 7.29 has a segfault
RubyGems - Recommended: latest
Git
Installing with RVM (recommended)
If you are using GNOME Terminal, there are some steps required before executing the commands. See here for more ..
Slides on smart pointers, from material I presented internally to the team.
Introduction
For a binary that has SUID, SGID, or a specific supplemental group set, a code audit must carefully check that it runs with the minimum privileges it needs. If the privilege handling is wrong, a binary in which arbitrary code gets executed can easily be used to obtain higher privileges. The behaviour of the APIs differs by OS type and version and by whether the process has root privileges, so care is required.
User ID
Types: Real user ID, Saved set-user-ID, Effective user ID
Functions
int setuid(uid_t uid); int seteuid(uid_t euid); int setreuid(uid_t ruid, uid_t euid); int setresuid(uid_t ru..