fix

SUMMARY.md

@@ -68,13 +68,14 @@ GitHub 地址：https://github.com/firmianay/CTF-All-In-One
     * [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md)
     * [3.1.4 返回导向编程（ROP）（x86）](doc/3.1.4_rop_x86.md)
     * [3.1.5 返回导向编程（ROP）（ARM）](doc/3.1.5_rop_arm.md)
-    * [3.1.6 Linux 堆利用（上）](doc/3.1.6_heap_exploit_1.md)
-    * [3.1.7 Linux 堆利用（中）](doc/3.1.7_heap_exploit_2.md)
-    * [3.1.8 Linux 堆利用（下）](doc/3.1.8_heap_exploit_3.md)
-    * [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md)
-    * [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md)
-    * [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md)
-    * [3.1.12 竞争条件](doc/3.1.12_race_condition.md)
+    * [3.1.6 Linux 堆利用（一）](doc/3.1.6_heap_exploit_1.md)
+    * [3.1.7 Linux 堆利用（二）](doc/3.1.7_heap_exploit_2.md)
+    * [3.1.8 Linux 堆利用（三）](doc/3.1.8_heap_exploit_3.md)
+    * [3.1.9 Linux 堆利用（四）](doc/3.1.9_heap_exploit_4.md)
+    * [3.1.10 内核 ROP](doc/3.1.10_kernel_rop.md)
+    * [3.1.11 Linux 内核漏洞利用](doc/3.1.11_linux_kernel_exploit.md)
+    * [3.1.12 Windows 内核漏洞利用](doc/3.1.12_windows_kernel_exploit.md)
+    * [3.1.13 竞争条件](doc/3.1.13_race_condition.md)
   * Reverse
     * [3.2.1 patch 二进制文件](doc/3.2.1_patch_binary.md)
     * [3.2.2 脱壳技术（PE）](doc/3.2.2_pe_unpack.md)
@@ -163,6 +164,7 @@ GitHub 地址：https://github.com/firmianay/CTF-All-In-One
     * [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
     * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md)
     * [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
+    * [6.1.31 pwn HITBCTF2018 mutepig](doc/6.1.31_pwn_hitbctf2018_mutepig.md)
   * Reverse
     * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
     * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)

doc/3.1.9_kernel_rop.md → doc/3.1.10_kernel_rop.md

@@ -1,4 +1,4 @@
-# 3.1.9 内核 ROP
+# 3.1.10 内核 ROP
 
 - [参考资料](#参考资料)
 

doc/3.1.10_linux_kernel_exploit.md → doc/3.1.11_linux_kernel_exploit.md

@@ -1,4 +1,4 @@
-# 3.1.10 Linux 内核漏洞利用
+# 3.1.11 Linux 内核漏洞利用
 
 - [从用户态到内核态](#从用户态到内核态)
 - [内核漏洞分类](#内核漏洞分类)

doc/3.1.11_windows_kernel_exploit.md → doc/3.1.12_windows_kernel_exploit.md

@@ -1,4 +1,4 @@
-# 3.1.11 Windows 内核漏洞利用
+# 3.1.12 Windows 内核漏洞利用
 
 - [参考资料](#参考资料)
 

doc/3.1.13_race_condition.md

@@ -0,0 +1 @@
+# 3.1.13 竞争条件

doc/3.1.9_heap_exploit_4.md

@@ -0,0 +1,19 @@
+# 3.1.9 Linux 堆利用（四）
+
+- [house_of_rabbit](#house_of_rabbit)
+- [house_of_roman](#house_of_roman)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/Others/3.1.6_heap_exploit)
+
+#### house_of_rabbit
+
+#### house_of_roman
+
+
+## 参考资料
+- [House of Rabbit - Heap exploitation technique bypassing ASLR](http://shift-crops.hatenablog.com/entry/2017/09/17/213235)
+- https://github.com/shift-crops/House_of_Rabbit
+- [House_of_Roman](https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc)
+- https://github.com/romanking98/House-Of-Roman

doc/3_topics.md

@@ -6,13 +6,14 @@
   * [3.1.3 栈溢出](3.1.3_stack_overflow.md)
   * [3.1.4 返回导向编程（ROP）（x86）](3.1.4_rop_x86.md)
   * [3.1.5 返回导向编程（ROP）（ARM）](3.1.5_rop_arm.md)
-  * [3.1.6 Linux 堆利用（上）](3.1.6_heap_exploit_1.md)
-  * [3.1.7 Linux 堆利用（中）](3.1.7_heap_exploit_2.md)
-  * [3.1.8 Linux 堆利用（下）](3.1.8_heap_exploit_3.md)
-  * [3.1.9 内核 ROP](3.1.9_kernel_rop.md)
-  * [3.1.10 Linux 内核漏洞利用](3.1.10_linux_kernel_exploit.md)
-  * [3.1.11 Windows 内核漏洞利用](3.1.11_windows_kernel_exploit.md)
-  * [3.1.12 竞争条件](3.1.12_race_condition.md)
+  * [3.1.6 Linux 堆利用（一）](3.1.6_heap_exploit_1.md)
+  * [3.1.7 Linux 堆利用（二）](3.1.7_heap_exploit_2.md)
+  * [3.1.8 Linux 堆利用（三）](3.1.8_heap_exploit_3.md)
+  * [3.1.9 Linux 堆利用（四）](3.1.9_heap_exploit_4.md)
+  * [3.1.10 内核 ROP](3.1.10_kernel_rop.md)
+  * [3.1.11 Linux 内核漏洞利用](3.1.11_linux_kernel_exploit.md)
+  * [3.1.12 Windows 内核漏洞利用](3.1.12_windows_kernel_exploit.md)
+  * [3.1.13 竞争条件](3.1.13_race_condition.md)
 * Reverse
   * [3.2.1 patch 二进制文件](3.2.1_patch_binary.md)
   * [3.2.2 脱壳技术（PE）](3.2.2_pe_unpack.md)

doc/6.1.16_pwn_hitbctf2017_1000levels.md

@@ -15,7 +15,7 @@ $ file 1000levels
 $ checksec -f 1000levels
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   No      0               6       1000levels
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.4.0 20160609.
 ```
@@ -351,7 +351,7 @@ vaddr=0x00201fd0 paddr=0x00001fd0 type=SET_64 system
 
 对于第一个问题，我们有不需要参数的 one-gadget 可以用，通过将输入的第二个数设置为偏移，即可通过程序的计算将 system 修改为 one-gadget。
 ```
-$ one_gadget libc.so.6 
+$ one_gadget libc-2.23.so 
 0x45216	execve("/bin/sh", rsp+0x30, environ)
 constraints:
   rax == NULL
@@ -456,7 +456,7 @@ firmy
 from pwn import *
 
 #context.log_level = 'debug'
-io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
 
 one_gadget = 0x4526a
 system_offset = 0x45390

doc/6.1.18_pwn_hitbctf2017_sentosa.md

@@ -15,7 +15,7 @@ sentosa: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically lin
 $ checksec -f sentosa 
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     1               3       sentosa
-$ strings libc.so.6| grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu4) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.4.0 20160609.
 ```
@@ -715,8 +715,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
+libc = ELF('libc-2.23.so')
 
 def start_proj(length, name, price, area, capacity):
     io.sendlineafter("Exit\n", '1')

doc/6.1.19_pwn_hitbctf2018_gundam.md

@@ -15,7 +15,7 @@ gundam: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically link
 $ checksec -f gundam
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     0               4       gundam
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.26.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
 Compiled by GNU CC version 6.4.0 20171010.
 ```
@@ -596,10 +596,10 @@ gdb-peda$ x/6gx 0x555555757b50-0x10
 0x555555757b60: 0x0000000000000000      0x0000000000000000
 gdb-peda$ vmmap libc
 Start              End                Perm      Name
-0x00007ffff79f8000 0x00007ffff7bce000 r-xp      /home/firmy/gundam/libc.so.6
-0x00007ffff7bce000 0x00007ffff7dce000 ---p      /home/firmy/gundam/libc.so.6
-0x00007ffff7dce000 0x00007ffff7dd2000 r--p      /home/firmy/gundam/libc.so.6
-0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p      /home/firmy/gundam/libc.so.6
+0x00007ffff79f8000 0x00007ffff7bce000 r-xp      /home/firmy/gundam/libc-2.26.so
+0x00007ffff7bce000 0x00007ffff7dce000 ---p      /home/firmy/gundam/libc-2.26.so
+0x00007ffff7dce000 0x00007ffff7dd2000 r--p      /home/firmy/gundam/libc-2.26.so
+0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p      /home/firmy/gundam/libc-2.26.so
 gdb-peda$ p 0x00007ffff7dd2c78 - 0x00007ffff79f8000
 $1 = 0x3dac78
 ```
@@ -696,9 +696,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
 #elf = ELF('gundam')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.26.so')
 
 def build(name):
     io.sendlineafter("choice : ", '1')

doc/6.1.1_pwn_hctf2016_brop.md

@@ -274,19 +274,19 @@ def dump_memory(buf_size, stop_addr, gadgets_addr, puts_plt, start_addr, end_add
 ```
 $ r2 -B 0x400000 code.bin
 [0x00400630]> pd 14 @ 0x4005e7
-     ::::   0x004005e7      25240a2000     and eax, 0x200a24                                                                                                                          
-     ::::   0x004005ec      0f1f4000       nop dword [rax]                                                                                                                            
-     ::::   0x004005f0      ff25220a2000   jmp qword [0x00601018]      ; [0x601018:8]=-1                                                                                              
-     ::::   0x004005f6      6800000000     push 0                                                                                                                                     
-     `====< 0x004005fb      e9e0ffffff     jmp 0x4005e0                                                                                                                               
-      :::   0x00400600      ff251a0a2000   jmp qword [0x00601020]      ; [0x601020:8]=-1                                                                                              
-      :::   0x00400606      6801000000     push 1                      ; 1                                                                                                            
-      `===< 0x0040060b      e9d0ffffff     jmp 0x4005e0                                                                                                                               
-       ::   0x00400610      ff25120a2000   jmp qword [0x00601028]      ; [0x601028:8]=-1                                                                                              
-       ::   0x00400616      6802000000     push 2                      ; 2                                                                                                            
-       `==< 0x0040061b      e9c0ffffff     jmp 0x4005e0                                                                                                                               
-        :   0x00400620      ff250a0a2000   jmp qword [0x00601030]      ; [0x601030:8]=-1                                                                                              
-        :   0x00400626      6803000000     push 3                      ; 3                                                                                                            
+     ::::   0x004005e7      25240a2000     and eax, 0x200a24
+     ::::   0x004005ec      0f1f4000       nop dword [rax]
+     ::::   0x004005f0      ff25220a2000   jmp qword [0x00601018]      ; [0x601018:8]=-1
+     ::::   0x004005f6      6800000000     push 0
+     `====< 0x004005fb      e9e0ffffff     jmp 0x4005e0
+      :::   0x00400600      ff251a0a2000   jmp qword [0x00601020]      ; [0x601020:8]=-1
+      :::   0x00400606      6801000000     push 1                      ; 1
+      `===< 0x0040060b      e9d0ffffff     jmp 0x4005e0
+       ::   0x00400610      ff25120a2000   jmp qword [0x00601028]      ; [0x601028:8]=-1
+       ::   0x00400616      6802000000     push 2                      ; 2
+       `==< 0x0040061b      e9c0ffffff     jmp 0x4005e0
+        :   0x00400620      ff250a0a2000   jmp qword [0x00601030]      ; [0x601030:8]=-1
+        :   0x00400626      6803000000     push 3                      ; 3
         `=< 0x0040062b      e9b0ffffff     jmp 0x4005e0
 ```
 于是我们就得到了 puts@got 地址 `0x00601018`。可以看到该表中还有其他几个函数，根据程序的功能大概可以猜到，无非就是 setbuf、read 之类的，在后面的过程中如果实在无法确定 libc，这些信息可能会有用。

doc/6.1.21_pwn_hitconctf2016_secret_holder.md

@@ -15,7 +15,7 @@ SecretHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
 $ checksec -f SecretHolder
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     0               2       SecretHolder
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.3.1 20160413.
 ```
@@ -554,9 +554,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
 elf = ELF('SecretHolder')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.23.so')
 
 small_ptr = 0x006020b0
 big_ptr = 0x006020a0

doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md

@@ -15,7 +15,7 @@ SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
 $ checksec -f SleepyHolder
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     0               2       SleepyHolder
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.3.1 20160413.
 ```
@@ -525,9 +525,9 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
+io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
 elf = ELF('SleepyHolder')
-libc = ELF('libc.so.6')
+libc = ELF('libc-2.23.so')
 
 small_ptr = 0x006020d0
 big_ptr = 0x006020c0

doc/6.1.24_hitconctf2016_house_of_orange.md

@@ -15,7 +15,7 @@ houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamical
 $ checksec -f houseoforange
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     1               3       houseoforange
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.3.1 20160413.
 ```
@@ -744,8 +744,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
+libc = ELF('libc-2.23.so')
 
 def build(size, name):
     io.sendlineafter("Your choice : ", '1')

doc/6.1.26_pwn_34c3ctf2017_300.md

@@ -15,7 +15,7 @@ $ file 300
 $ checksec -f 300
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     0               2       300
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.24.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
 Compiled by GNU CC version 6.3.0 20170406.
 ```
@@ -434,12 +434,6 @@ def pwn():
 ```
 python exp.py
 [+] Starting local process './300': pid 5158
-[*] '/home/firmyy/300/libc.so.6'
-    Arch:     amd64-64-little
-    RELRO:    Partial RELRO
-    Stack:    Canary found
-    NX:       NX enabled
-    PIE:      PIE enabled
 [*] libc_base address: 0x7efdcef24000
 [*] heap address: 0x5624a7a3c000
 [*] _IO_list_all address: 0x7efdcf2e6500
@@ -462,8 +456,8 @@ from pwn import *
 
 #context.log_level = 'debug'
 
-io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'})
-libc = ELF('libc.so.6')
+io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
+libc = ELF('libc-2.24.so')
 
 def alloc(idx):
     io.sendlineafter("free\n", '1')

doc/6.1.28_pwn_asisctf2016_b00ks.md

@@ -15,7 +15,7 @@ b00ks: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linke
 $ checksec -f b00ks
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   No      0               2       b00ks
-$ strings libc.so.6 | grep "GNU C"
+$ strings libc-2.23.so | grep "GNU C"
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al.
 Compiled by GNU CC version 5.4.0 20160609.
 ```

doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md

@@ -15,7 +15,7 @@ ghost_in_the_heap: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynam
 $ checksec -f ghost_in_the_heap 
 RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
 Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     1               2       ghost_in_the_heap
-$ strings libc.so.6 | grep "GNU C"       
+$ strings libc-2.24.so | grep "GNU C"       
 GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
 Compiled by GNU CC version 6.3.0 20170406.
 ```

doc/6.1.31_pwn_hitbctf2018_mutepig.md

@@ -0,0 +1,30 @@
+# 6.1.31 pwn HITBCTF2018 mutepig
+
+- [题目复现](#题目复现)
+- [题目解析](#题目解析)
+- [漏洞利用](#漏洞利用)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/writeup/6.1.31_pwn_hitbctf2018_mutepig)
+
+## 题目复现
+```
+$ file mutepig 
+mutepig: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=180b126011ab0d74ab49d0c3c52a41e85155a6a9, stripped
+[firmy@firmy-pc mutepip]$ checksec -f mutepig 
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
+Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     0               1       mutepig
+$ strings libc-2.23.so | grep "GNU C"
+GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
+Compiled by GNU CC version 8.1.0.
+```
+64 位程序，开启了 Canary 和 NX。
+
+
+## 题目解析
+
+## 漏洞利用
+
+## 参考资料
+- https://www.xctf.org.cn/library/details/hitb-quals-2018/#mutepig-pwn