- caddy-*: http server related files
- v2ray-*: v2ray related files
- forword-*: files to relay requests
ihc童鞋@提不起劲 ihciah
It has been a long time since I finish(nearly) these problems...
In linux, 0 is std_input, 1 is std_output, 2 is std_error_output.
We just need to send LETMEWIN to std_input and set fd to 0 which means (our input - 0x1234) == 0.
My note for trying rust-for-linux.
Here I take arch linux as an example, and I assume you already installed rust and put ~/.cargo/bin inside your PATH.
cd /some/where
# Install requirements
sudo pacman -Syuu --noconfirm bc bison curl clang diffutils flex git gcc llvm libelf lld ncurses make qemu-system-x86 cpio
export MAKEFLAGS="-j32"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var SMS = global('SMSRB'); | |
| var SENDER = global('SMSRF'); | |
| var SMSCONTENT = SMS + "\nSender: " + SENDER + "\nFrom Mobile" | |
| var url = "https://xxxxxxxx/sendMessage?chat_id=0000000"; | |
| var xhttp = new XMLHttpRequest(); | |
| xhttp.open("POST", url, false); | |
| xhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded"); | |
| xhttp.send("text="+encodeURIComponent(SMSCONTENT)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| sudo apt-get -y install curl python-pip | |
| sudo pip install shadowsocks | |
| sudo mkdir /etc/shadowsocks | |
| printf "=====\nEnter your shadowsocks password\n=====\n" | |
| read password | |
| printf "=====\nEnter your shadowsocks port(>1024)\n=====\n" | |
| read port | |
| printf "\nConfigure shadowsocks with password: $password and at port: $port\n" | |
| printf "{\n\t\"server\":\"::\",\n\t\"server_port\":$port,\n\t\"local_port\":10800,\n\t\"password\":\"$password\",\n\t\"timeout\":600,\n\t\"method\":\"rc4-md5\"\n}" | sudo tee /etc/shadowsocks/config.json > /dev/null |
物理端口映射:eth0 - WAN, eth1~4 - LAN4~1。
默认梅林会将 eth1~7 组成 br0。要做独立的网络就要将 Guest 网络需要用到的 eth 接口从 br0 里摘掉,然后加入到新的 br 里。 这里摘掉了 eth1(对应 LAN4)、wl0.2(第二个 2.4G 访客网络)和 wl1.2(第二个 5G 访客网络)。
之后利用 iptables 允许 Guest 网络访问公网,但禁止其向 br0 主动通信即可。
三个脚本 +x 后放 /jffs/scripts 里(管理页面也要开启 jffs 功能),dnsmasq.conf.add 放 /jffs/configs 里。
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use std::{borrow::Borrow, cell::UnsafeCell, hash::Hash, ptr::NonNull, sync::RwLock}; | |
| use fxhash::FxHashMap; | |
| // const CACHE: Cache = unsafe { Cache::new() }; | |
| struct Cache<K, V> { | |
| data: UnsafeCell<NonNull<RwLock<FxHashMap<K, V>>>>, | |
| } |
Load bf with IDA:
main:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax@4
There are two ways to solve this problem. One is to pass the validation, and the other is to jump to execve. Since the first one is too time consuming, here I use the second one.
In function main, there is a alloca with random parameter, which will disturb the stack. So if we want to get information about the stack, we must leak it first.
In function fsb, there is a printf bug, and we can use %1$n to write any address. So we can just write an address, and use $ to get a reference, and we can write that address! However, all input is saved at .bss.
So we can consider another way. We can notice that the ebp is point to an old ebp, and we can control it.