Vulnerability analysis: CVE-2017-17215
The command injection vulnerability in the Huawei HG532 router lies in its UPnP module.
What is UPnP?
Set up the environment (using the Docker environment from IoT vulhub), start it, and check which services and listening ports the system has started.
The vulnerability lies ...
Posted on Fri, 03 Dec 2021 20:49:00 -0500 by affluent980
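The excerpt above only names the vulnerable component. The following is an added example, not code from the post or from the vendor: a small detector that parses a raw UPnP SOAP request and flags shell metacharacters in the arguments that a command-injection attempt would carry. The action path (/ctrlt/DeviceUpgrade_1), the UPnP port (37215) and the argument names (NewStatusURL, NewDownloadURL) are taken from the public description of CVE-2017-17215 and are assumptions as far as this page goes; the two sample requests are constructed for the example.

```python
"""Added example: flag command-injection attempts in HG532-style UPnP SOAP
requests (CVE-2017-17215). Path, port and argument names are assumptions
taken from the public CVE description, not from the excerpted post."""
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that have no business inside a URL-typed argument.
SHELL_META = re.compile(r"\$\(|[;&|`\n]")
# Arguments of the DeviceUpgrade_1 action that reach a shell unsanitised
# (assumption from the CVE description).
SUSPECT_ARGS = ("NewStatusURL", "NewDownloadURL")


def split_http(raw: bytes):
    """Return (request line, lower-cased header dict, body) of a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _local(tag: str) -> str:
    """Strip the XML namespace: '{urn:...}Upgrade' -> 'Upgrade'."""
    return tag.rsplit("}", 1)[-1]


def analyze_request(raw: bytes) -> dict:
    """Extract the upgrade arguments and list those carrying shell metacharacters."""
    request_line, headers, body = split_http(raw)
    parts = request_line.split()
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    result = {"path": path, "soapaction": headers.get("soapaction", ""),
              "args": {}, "injected": []}
    if method != "POST" or not body:
        return result
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result
    for elem in root.iter():
        name = _local(elem.tag)
        if name in SUSPECT_ARGS:
            value = elem.text or ""
            result["args"][name] = value
            if SHELL_META.search(value):
                result["injected"].append(name)
    return result


def is_exploit_attempt(raw: bytes) -> bool:
    """True when the request targets the upgrade action and an argument is tainted."""
    r = analyze_request(raw)
    return r["path"].endswith("/DeviceUpgrade_1") and bool(r["injected"])


def _soap(status_url: str, download_url: str) -> bytes:
    """Build a constructed sample request in the shape the HG532 UPnP service expects."""
    body = (
        '<?xml version="1.0" ?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
        f"<NewStatusURL>{status_url}</NewStatusURL>"
        f"<NewDownloadURL>{download_url}</NewDownloadURL>"
        "</u:Upgrade></s:Body></s:Envelope>"
    ).encode()
    return (
        b"POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
        b"Host: 192.0.2.1:37215\r\n"
        b'SOAPAction: "urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade"\r\n'
        b"Content-Type: text/xml\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


# Constructed samples: a legitimate upgrade request and an injection attempt.
BENIGN = _soap("http://192.0.2.10/status", "http://192.0.2.10/firmware.bin")
MALICIOUS = _soap("$(id)", "HUAWEIUPNP")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, is_exploit_attempt(req), analyze_request(req)["injected"])
```

The check keys on the argument content rather than on a fixed payload string, so it also catches variants that swap the command inside `$(...)` or use `;` / `|` instead; a real sensor would additionally pin the destination port.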
Some time ago, in the Geek Challenge 2021 and the 2021 SCU freshman competition, I did not work out the last question. As a sophomore, I really should reflect on myself. I'm too weak. Woo woo. For Geek Challenge, because I played for too long, I almost forgot the problems, so I didn't write a writeup.
A simple stack overflow, the hello world of pwn. ...
Posted on Mon, 29 Nov 2021 04:41:41 -0500 by LordRogaine
[pwn] 2021 Geek Challenge (part)
How to put it: this problem is about writing a ROP chain with a format string (fmt) vulnerability.
But it's also the first time I've seen this kind of fmt, which can be regarded as a new question type.
We open IDA for reverse analysis.
There are just two main functions; let me call them the first level and the second level.
First enter the ga ...
Posted on Mon, 29 Nov 2021 01:09:07 -0500 by jasonhardwick
First, the problem is a menu-type program. Manually identify and rename the functions in IDA, as shown in the figure:
First, analyze the add function together with the program flow, as shown in the figure:
According to the above analysis, PTR_Array is a global array of length 5; then we enter the if to check that "* ...
Posted on Sun, 28 Nov 2021 04:16:28 -0500 by Baez
This WP comes from the network security community of Qilu Normal University. Follow the official account to receive more of the latest security news.
Looking at the URL, it ends in .onion, the standard dark-web domain name.
Use the onion browser to access it and view the HTML code.
Prompt at the beginning ...
Posted on Sat, 20 Nov 2021 05:37:23 -0500 by nrg_alpha
house_of_lore is an exploitation of the small_bin mechanism. If, by other means, the bk of the small_bin head chunk (bin->bk) can be overwritten, then that bk can be set in advance to point to a fake_chunk, which ... This allows any address to be leaked or its contents to be ...
Posted on Sun, 26 Sep 2021 12:25:43 -0400 by damonlee
Before reproducing this problem, you need some prerequisite knowledge: largebin_attack under libc 2.31, tcache_stashing_unlink plus, and IO_FILE attack under glibc.
First, see largebin_attack under libc 2.31.
0x1. largebin_attack under libc 2.31
Follow the largebin_attack in the how2heap project and debug the source code.
Starting with ...
Posted on Sun, 05 Sep 2021 17:45:33 -0400 by vishi83