- caddy-*: http server related files
- v2ray-*: v2ray related files
- forword-*: files to relay requests
It has been a long time since I finished (nearly) these problems...
In linux, 0 is std_input, 1 is std_output, 2 is std_error_output.
We just need to send LETMEWIN to std_input and set fd to 0 which means (our input - 0x1234) == 0.
My note for trying rust-for-linux.
Here I take arch linux as an example, and I assume you already installed rust and put ~/.cargo/bin inside your PATH.
cd /some/where
# Install requirements
sudo pacman -Syuu --noconfirm bc bison curl clang diffutils flex git gcc llvm libelf lld ncurses make qemu-system-x86 cpio
export MAKEFLAGS="-j32"
var SMS = global('SMSRB');
var SENDER = global('SMSRF');
var SMSCONTENT = SMS + "\nSender: " + SENDER + "\nFrom Mobile"
var url = "https://xxxxxxxx/sendMessage?chat_id=0000000";
var xhttp = new XMLHttpRequest();
xhttp.open("POST", url, false);
xhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xhttp.send("text="+encodeURIComponent(SMSCONTENT));
#!/bin/sh
sudo apt-get -y install curl python-pip
sudo pip install shadowsocks
sudo mkdir /etc/shadowsocks
printf "=====\nEnter your shadowsocks password\n=====\n"
read password
printf "=====\nEnter your shadowsocks port(>1024)\n=====\n"
read port
printf "\nConfigure shadowsocks with password: $password and at port: $port\n"
printf "{\n\t\"server\":\"::\",\n\t\"server_port\":$port,\n\t\"local_port\":10800,\n\t\"password\":\"$password\",\n\t\"timeout\":600,\n\t\"method\":\"rc4-md5\"\n}" | sudo tee /etc/shadowsocks/config.json > /dev/null
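Physical port mapping: eth0 - WAN, eth1~4 - LAN4~1.
By default, Merlin bridges eth1~7 into br0. To build an isolated network, the eth interfaces that the Guest network needs must be removed from br0 and then added to a new bridge. Here eth1 (corresponding to LAN4), wl0.2 (the second 2.4G guest network) and wl1.2 (the second 5G guest network) are removed.
After that, use iptables to allow the Guest network to reach the public internet while forbidding it from initiating communication to br0.
Make the three scripts executable (+x) and put them in /jffs/scripts (the jffs feature must also be enabled in the admin page); put dnsmasq.conf.add in /jffs/configs.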
use std::{borrow::Borrow, cell::UnsafeCell, hash::Hash, ptr::NonNull, sync::RwLock};
use fxhash::FxHashMap;
// const CACHE: Cache = unsafe { Cache::new() };
struct Cache<K, V> {
    data: UnsafeCell<NonNull<RwLock<FxHashMap<K, V>>>>,
}
Load bf with IDA:
main:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax@4
There are two ways to solve this problem. One is to pass the validation, and the other is to jump to execve. Since the first one is too time-consuming, here I use the second one.
In function main, there is an alloca with a random parameter, which will disturb the stack. So if we want to get information about the stack, we must leak it first.
In function fsb, there is a printf bug, and we can use %1$n to write any address. So we can just write an address, and use $ to get a reference, and we can write that address! However, all input is saved at .bss.
So we can consider another way. We can notice that the ebp points to an old ebp, and we can control it.