MapleBacon First 1st Place in CTF
It's the first first !!!!!!!!!

In a recent CTF (TAMUctf 2022), I solved a challenge called void (writeup).
This challenge contains only a few lines of assembly code, with no libc and NX enabled.
The only things we can utilize are a buffer overflow and a syscall gadget.
It seems impossible to do. However, there is a technique called SROP (Sigreturn Oriented Programming) that can help us pwn this binary.
The original paper and slides are here: paper, slides.
Check them out if you want to.
I'll briefly explain how SROP works.
When I was doing zer0pts CTF 2022, I found a pwn challenge called accountant.
There is a line of code that uses alloca to allocate memory. However, at that time I didn't know that alloca allocates the memory on the stack, so I simply thought there was no bug... :(
Later, Super Guesser published their writeup on accountant, which pointed out that alloca allocates space on the stack.
So this is a chance for me to take a closer look at alloca.
No, it's just pretty ridiculous.
I took a look at the crawler framework I wrote a while ago.
I found that the way I implemented the concurrency limit back then was to park the goroutine, as shown below: it simply waits until a free slot is available and then continues with Fetch.
func (e *Engine) FetchTentacle(tentacle Tentacle) *TentacleResult {
	// Rate limiter: block until one token is available.
	// (The original assigned err without using it, which does not compile.)
	if err := e.limiter.WaitN(e.context, 1); err != nil {
		return nil
	}
	// Concurrency limit: take a slot from the buffered channel; this parks the
	// goroutine while every slot is in use.
	<-e.waitChan
	result, _ := Fetch(tentacle, e.requestFunc, e.ReqHandlers, e.RespHandlers)
	// Return the slot so another parked goroutine can proceed.
	e.waitChan <- 1
	return result
}
The ridiculous part is that if I have 10000 pages to analyze, this implementation first creates 10000 goroutines, and only when one goroutine finishes does it pick a new one to run.
In other words, if there are N pages to crawl, the program creates N goroutines at the same time............
Goroutines really don't cost much, but looking at it now, how could this be so dumb? Why not just use a queue? I have no idea what I was thinking.
I embarrassed myself.
P.S.:
While chatting with friends in the group, I suddenly remembered that an anime crawler I built with this framework actually did run into a problem caused by this.
When I was crawling an anime site, at first I just threw all the pages in and ran it, but for some reason it kept panicking, and I couldn't find the cause.
Then I chose to pause every 10000 requests and wait for those 10000 requests to finish before continuing (as shown in the code below), and the panic stopped appearing.
func (c *MixsiteCrawler) Start() {
	for c.StartID <= c.EndID {
		// Each call spawns a goroutine; nothing bounds how many are alive at once.
		c.InfoEngine.FetchAsync(fmt.Sprintf("http://www.susudm.com/acg/%s/", c.parseId()))
		c.StartID++
		// Workaround: every 10000 requests, block until all of them have completed.
		if c.StartID%10000 == 0 {
			fmt.Println("wait 10000 to complete")
			c.Wait()
		}
	}
}
Looking at it now, it was probably because too many goroutines were being created.
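The alternative the post arrives at (a queue instead of one goroutine per page) looks like the following. This is an added example, not code from the original framework: a fixed-size worker pool reads URLs from a channel, so the number of live goroutines is bounded by the worker count rather than by the number of pages. The fetch function, the Result type and the instrumented MaxConcurrencyObserved helper are assumptions made for the example; a real crawler would plug in an HTTP fetcher.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Result is what a worker produces for one URL (hypothetical; stands in for TentacleResult).
type Result struct {
	URL  string
	Body string
	Err  error
}

// FetchFunc stands in for the page's Fetch; callers supply a real HTTP fetcher.
type FetchFunc func(url string) (string, error)

// CrawlBounded processes every URL with at most `workers` goroutines alive at once.
// The URLs wait in a queue (a channel) instead of each owning a parked goroutine,
// so memory use is bounded by the worker count, not by the number of pages.
func CrawlBounded(urls []string, workers int, fetch FetchFunc) []Result {
	if workers < 1 {
		workers = 1
	}
	jobs := make(chan string)
	results := make(chan Result)
	var wg sync.WaitGroup

	// Fixed-size worker pool: created once, reused for every job.
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for u := range jobs {
				body, err := fetch(u)
				results <- Result{URL: u, Body: body, Err: err}
			}
		}()
	}

	// Feed the queue; sends block while all workers are busy, which is the back-pressure we want.
	go func() {
		for _, u := range urls {
			jobs <- u
		}
		close(jobs)
		wg.Wait()
		close(results)
	}()

	out := make([]Result, 0, len(urls))
	for r := range results {
		out = append(out, r)
	}
	return out
}

// MaxConcurrencyObserved runs CrawlBounded over n constructed URLs with an instrumented
// fetcher and returns the peak number of simultaneously running fetches plus the number
// of results, so the bound can be verified rather than assumed.
func MaxConcurrencyObserved(n, workers int) (int32, int) {
	var running, peak int32
	fetch := func(url string) (string, error) {
		cur := atomic.AddInt32(&running, 1)
		for {
			p := atomic.LoadInt32(&peak)
			if cur <= p || atomic.CompareAndSwapInt32(&peak, p, cur) {
				break
			}
		}
		time.Sleep(time.Millisecond) // simulated network latency
		atomic.AddInt32(&running, -1)
		return "<html>" + url + "</html>", nil
	}
	urls := make([]string, n)
	for i := range urls {
		urls[i] = fmt.Sprintf("http://example.invalid/page/%d", i) // constructed sample URL
	}
	res := CrawlBounded(urls, workers, fetch)
	return atomic.LoadInt32(&peak), len(res)
}

func main() {
	peak, done := MaxConcurrencyObserved(10000, 8)
	fmt.Printf("pages fetched: %d, peak concurrent fetches: %d (limit 8)\n", done, peak)
}
```

With 10000 URLs and 8 workers, exactly 8 goroutines plus the feeder are ever alive, whereas the original design would have parked 10000 goroutines on the channel at once.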
todo.
Check out https://bishopfox.com/blog/unredacter-tool-never-pixelation
printf is a common vulnerability in pwn challenges. Recently, I got the opportunity to try two very interesting printf-related challenges in MapleCTF 2022, and I think it would be good to write about my experience with printf so that I can reinforce my understanding of it.
Anyway, I will try to explain in as much detail as possible to make this article beginner friendly.
I hope this article helps you with printf.
So, a format string is a way to print out data by stating its format in a string.
Feeling emo, I'm about to go emo.
So annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying, so annoying.
Now doing homework and writing code have turned into tools to keep me from going emo. The moment I stop, I feel like I'm about to sink into depression. I want to die, I want to die, I want to die, I want to die, I want to die, I want to die, I want to die, I want to die, I want to die, I want to die, I want to die.
I feel like I really can't go on. For several days in a row, right as I'm about to fall asleep, I suddenly get inexplicable auditory hallucinations, then palpitations, and my whole body goes numb and I can't move. It feels like I'm about to die. Lately I've been afraid to sleep.
In MapleCTF 2022 (more writeups here), there is a challenge that requires brute-forcing the canary.
To be honest, this is the first time I have practiced brute-forcing a canary.
So, before talking about brute-forcing the canary: what is a canary?
Basically, a canary is a mitigation against buffer overflows. A buffer overflow uses a variable on the stack that overflows to overwrite the saved rbp and rip, which can let an attacker execute arbitrary code by constructing a ROP chain or similar. The canary helps prevent simple buffer overflows by putting a cookie just above the saved RBP: a linear overflow must overwrite the cookie before reaching RBP and rip, and the function checks the cookie before returning, aborting if it has changed.
In MapleCTF 2022 (more writeups here), there is a crypto challenge using a timing attack, which is a type of side-channel attack.
A timing attack is basically a side-channel attack in which the attacker attacks a crypto system by analyzing the execution time of certain code.
Since every logical operation takes time, more complex code takes more time. We can use this property to analyze code.
For example, the second part takes longer than the first part:
add rip, 1
add rip, 1
add rip, 1
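The same "more work takes more time" property is what makes early-exit comparisons leak secrets, and the fix is to do the same amount of work regardless of the input. The following is an added example (not code from the post or the challenge): NaiveEqual stops at the first mismatching byte and reports a step count that stands in for elapsed time, while ConstantTimeEqual uses Go's crypto/subtle, which examines every byte. The secret value and the PrefixLeak helper are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// NaiveEqual compares secret against guess byte by byte and stops at the first mismatch.
// The returned step count stands in for elapsed time: it grows with the length of the
// matching prefix, which is exactly the signal a timing attack measures.
func NaiveEqual(secret, guess []byte) (equal bool, steps int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		steps++
		if secret[i] != guess[i] {
			return false, steps
		}
	}
	return true, steps
}

// ConstantTimeEqual uses crypto/subtle, which examines every byte regardless of where the
// first mismatch is, so the work done (and therefore the time) does not depend on the guess.
func ConstantTimeEqual(secret, guess []byte) bool {
	return subtle.ConstantTimeCompare(secret, guess) == 1
}

// PrefixLeak reports how many steps NaiveEqual takes for guesses whose matching prefix
// length is 0, 1, ..., len(secret)-1. A series that grows with the prefix length is the leak:
// an observer can tell how many leading bytes of a guess are right.
func PrefixLeak(secret []byte) []int {
	out := make([]int, 0, len(secret))
	for k := 0; k < len(secret); k++ {
		guess := make([]byte, len(secret))
		copy(guess, secret[:k])
		for i := k; i < len(guess); i++ {
			guess[i] = secret[i] ^ 0xff // guaranteed wrong from position k onward
		}
		_, steps := NaiveEqual(secret, guess)
		out = append(out, steps)
	}
	return out
}

func main() {
	secret := []byte("maplectf-token-1") // constructed sample secret
	fmt.Println("naive steps by matching-prefix length:", PrefixLeak(secret))
	fmt.Println("constant-time match:", ConstantTimeEqual(secret, []byte("maplectf-token-1")))
}
```

In a real system the step count becomes nanoseconds of wall-clock time, noisy but recoverable with enough samples; the mitigation is to compare tokens, MACs and passwords only with a constant-time routine such as subtle.ConstantTimeCompare.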
In a project with a separate frontend and backend, the frontend and backend are not on the same origin, so to send cookies with cross-origin requests you have to set withCredentials to true:
axios.defaults.withCredentials = true
But after setting it, requests fail with the following error:
Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:8080' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
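The error says what the server must do: with credentials mode 'include', the browser refuses a wildcard Access-Control-Allow-Origin, so the backend has to echo one concrete, allow-listed origin together with Access-Control-Allow-Credentials: true. The following is an added example of that server-side fix, not code from the post; it assumes a Go net/http backend and an allow-list containing the frontend origin http://localhost:8080 from the error message. Unknown origins get no CORS headers at all, so the browser blocks them, which is the intended default.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is an explicit allow-list (constructed for this example). Browsers reject
// "*" for credentialed requests, so the server must vouch for one exact origin per response.
var allowedOrigins = map[string]bool{
	"http://localhost:8080": true,
}

// WithCORS wraps a handler. For an allow-listed Origin it sets the headers a credentialed
// request needs; for any other Origin it sets no CORS headers, so the browser blocks access.
func WithCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if allowedOrigins[origin] {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin) // the exact origin, never "*"
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type")
			h.Add("Vary", "Origin") // caches must not reuse this response for another origin
		}
		if r.Method == http.MethodOptions {
			// Preflight: answer with the headers only, without running the real handler.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Preflight sends an OPTIONS request from the given origin through WithCORS and returns the
// Access-Control-Allow-Origin value, the Access-Control-Allow-Credentials value and the status
// code the browser would see. Uses httptest so it runs without a network.
func Preflight(origin string) (allowOrigin, allowCredentials string, status int) {
	h := WithCORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("api response"))
	}))
	req := httptest.NewRequest(http.MethodOptions, "/api/data", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"),
		rec.Header().Get("Access-Control-Allow-Credentials"),
		rec.Code
}

func main() {
	for _, o := range []string{"http://localhost:8080", "http://other.example"} {
		a, c, code := Preflight(o)
		fmt.Printf("origin %-24s -> status %d, allow-origin=%q, allow-credentials=%q\n", o, code, a, c)
	}
}
```

Echoing the request's Origin header unconditionally would be the same as "*" from a security standpoint; the allow-list check is what makes the credentialed response safe.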