-
Reviewing Netgear WNR2200 Heap Overflow
0x00 Preface
Although the security protection on routers is relatively weak, it is still worth learning the attack surfaces on different platforms and how to exploit them. "Porting exploits to a Netgear WNR2200" is an example of using an exploit from MSF to compromise a router that ships an old version of Samba with little effort. From the cross-platform exploitation completed there, we know that a heap overflow overwrites a function pointer in a structure; since the heap is executable, the exploit brute-forces heap addresses and runs shellcode built for the target architecture. I have a Netgear WNR2200 at hand whose firmware version is the same as the one in that article, so it is a good chance to analyze the exploitation of CVE-2007-2446 on this router.
-
Basic ROP Write Up
0x00 Abstract
When learning basic ROP techniques, doing some exercises is necessary. The website not only summarizes pwn experience but also provides corresponding CTF challenges. Practice makes perfect, so I practice.
-
ROP Emporium Write Up
0x00 Abstract
It has been a long time since I stopped doing pwn exercises. This time I solved some of the basic challenges of ROP Emporium, which is a good place to practice building write4, xor or pivot ROP chains. You should know how to use ROPgadget before reading this write-up.
-
CVE-2018-11013 D-Link DIR-816 OOB BoF
0x00 Abstract
Well, it is time to practice my poor English by writing posts in English now, not in the future. I would appreciate it if you could point out any inappropriate English usage. Back to ROP: CVE-2018-11013 is a stack-based BoF in the D-Link DIR-816 router. The author exploited it in an interesting way, which was so abstract that I explored it as follows.
-
CVE-2018-1111 Red Hat DHCP Client Command Execution Vulnerability Analysis
0x00 Background
Specifically, CVE-2018-1111 is a command injection vulnerability in a script file shipped in the DHCP client (dhclient) package. Because DHCP is an unauthenticated UDP exchange on the local network, the attack scenario is an attacker on the same network forging a DHCP server response: the string-typed DHCP option 252 (Private/Proxy autodiscovery) carries a string containing a single quote into the vulnerable script, which completes the command injection.
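The following is an added example, not code from this post and not the script shipped by Red Hat or NetworkManager. It is a constructed stand-in for the pattern described above: a dispatcher-style script that re-exports DHCP4_* variables by piping `declare`-style lines through `read` and `eval`, and it shows why a single quote in the option 252 string is enough to inject a command. The variable name DHCP4_PRIVATE_PROXY_DOMAIN (assumed to carry option 252), the marker-file payload, and both function bodies are my assumptions for illustration; the hardened variant is mine, not the vendor patch.

```shell
#!/bin/sh
# Added example, not code from the post or from Red Hat/NetworkManager: a constructed
# stand-in for the script pattern described above, which re-exports DHCP4_* variables
# by piping `declare`-style lines through `read` and `eval`. The variable name
# DHCP4_PRIVATE_PROXY_DOMAIN (assumed to carry option 252), the marker-file payload and
# both function bodies are assumptions made for illustration.

# Model of how `declare` prints a string variable: the value is wrapped in single
# quotes and each embedded single quote is rendered as '\''.
declare_line() {
    name=$1
    value=$2
    escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
    printf "%s='%s'\n" "$name" "$escaped"
}

# Vulnerable re-export: `read` without -r consumes the backslash in '\'', so the
# attacker-controlled quote closes the value early and the rest of the option string
# is evaluated as shell by eval.
vulnerable_reexport() {
    eval "$(
        declare_line DHCP4_PRIVATE_PROXY_DOMAIN "$1" | while read opt; do
            optvalue=${opt#*=}
            printf 'export new_private_proxy_domain=%s\n' "$optvalue"
        done
    )"
}

# Hardened variant (an assumption, not the vendor patch): `read -r` keeps the
# backslash, so eval sees a correctly quoted assignment and stores the string verbatim.
hardened_reexport() {
    eval "$(
        declare_line DHCP4_PRIVATE_PROXY_DOMAIN "$1" | while read -r opt; do
            optvalue=${opt#*=}
            printf 'export new_private_proxy_domain=%s\n' "$optvalue"
        done
    )"
}

# Constructed option-252 string: the single quote ends the quoted value once the
# backslash is lost, `&` terminates the export command, and `#` comments out the
# trailing quote. The injected command only creates a marker file.
PAYLOAD_MARKER="${TMPDIR:-/tmp}/cve-2018-1111-demo.$$"
PAYLOAD="x'&touch $PAYLOAD_MARKER #"

# Run one variant against the payload; return 0 if the injected command executed.
injection_fires() {
    rm -f "$PAYLOAD_MARKER"
    unset new_private_proxy_domain
    "$1" "$PAYLOAD"
    if [ -e "$PAYLOAD_MARKER" ]; then
        rm -f "$PAYLOAD_MARKER"
        return 0
    fi
    return 1
}

if injection_fires vulnerable_reexport; then
    echo "vulnerable script: option value executed as a command"
fi
if injection_fires hardened_reexport; then
    echo "hardened script: option value executed as a command"
else
    echo "hardened script: option value stored verbatim: $new_private_proxy_domain"
fi
```

The point to take from the stand-in is that the quoting produced by `declare` is only safe while every stage between it and `eval` preserves backslashes; a bare `read` silently undoes it. Even the hardened variant still trusts `declare` output to be eval-safe, so a script that does not need `eval` at all is the better design.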