2017-12-26 12:37:26 +07:00
|
|
|
# 6.1.9 pwn RHme3 Exploitation
|
|
|
|
|
2017-12-26 21:29:56 +07:00
|
|
|
- [题目复现](#题目复现)
|
2017-12-26 12:37:26 +07:00
|
|
|
- [题目解析](#题目解析)
|
|
|
|
- [参考资料](#参考资料)
|
|
|
|
|
|
|
|
|
|
|
|
[下载文件](../src/writeup/6.1.9_rhme3_exploitation)
|
|
|
|
|
2017-12-26 21:29:56 +07:00
|
|
|
## 题目复现
|
|
|
|
这个题目给出了二进制文件和 libc。
|
|
|
|
```
|
|
|
|
$ file main.bin
|
|
|
|
main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped
|
|
|
|
$ checksec -f main.bin
|
|
|
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
|
|
|
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin
|
|
|
|
```
|
|
|
|
64 位程序,保护措施除了 PIE 都开启了。
|
|
|
|
|
2017-12-29 16:55:35 +07:00
|
|
|
但其实这个程序并不能运行,它是一个线下赛的题目,会对做一些环境检查和处理,直接 nop 掉就好了:
|
|
|
|
```
|
|
|
|
| 0x004021ad bf18264000 mov edi, 0x402618
|
|
|
|
| 0x004021b2 e87ceeffff call sym.background_process
|
|
|
|
| 0x004021b7 bf39050000 mov edi, 0x539 ; 1337
|
|
|
|
| 0x004021bc e85eefffff call sym.serve_forever
|
|
|
|
| 0x004021c1 8945f8 mov dword [local_8h], eax
|
|
|
|
| 0x004021c4 8b45f8 mov eax, dword [local_8h]
|
|
|
|
| 0x004021c7 89c7 mov edi, eax
|
|
|
|
| 0x004021c9 e8c6f0ffff call sym.set_io
|
|
|
|
```
|
|
|
|
```
|
|
|
|
$ python2 -c 'print "90"*33' > nop.txt
|
|
|
|
```
|
|
|
|
```
|
|
|
|
[0x00400ec0]> s 0x004021ad
|
|
|
|
[0x004021ad]> cat ./nop.txt
|
|
|
|
909090909090909090909090909090909090909090909090909090909090909090
|
|
|
|
[0x004021ad]> wxf ./nop.txt
|
|
|
|
```
|
|
|
|
|
|
|
|
最后把它运行起来:
|
|
|
|
```
|
|
|
|
$ socat tcp4-listen:10001,reuseaddr,fork exec:"LD_PRELOAD=./libc.so.6 ./main.elf" &
|
|
|
|
```
|
|
|
|
|
2017-12-26 21:29:56 +07:00
|
|
|
|
2017-12-26 12:37:26 +07:00
|
|
|
## 题目解析
|
2017-12-26 21:29:56 +07:00
|
|
|
玩一下,一看就是堆利用的题目:
|
|
|
|
```
|
|
|
|
$ ./main.elf
|
|
|
|
Welcome to your TeamManager (TM)!
|
|
|
|
0.- Exit
|
|
|
|
1.- Add player
|
|
|
|
2.- Remove player
|
|
|
|
3.- Select player
|
|
|
|
4.- Edit player
|
|
|
|
5.- Show player
|
|
|
|
6.- Show team
|
|
|
|
Your choice:
|
|
|
|
```
|
|
|
|
程序就是添加、删除、编辑和显示球员信息。但要注意的是在编辑和显示球员前,需要先选择球员,这一点很重要。
|
|
|
|
|
|
|
|
添加两个球员看看:
|
2017-12-26 12:37:26 +07:00
|
|
|
```
|
2017-12-26 21:29:56 +07:00
|
|
|
Your choice: 1
|
|
|
|
Found free slot: 0
|
|
|
|
Enter player name: aaaa
|
|
|
|
Enter attack points: 1
|
|
|
|
Enter defense points: 2
|
|
|
|
Enter speed: 3
|
|
|
|
Enter precision: 4
|
|
|
|
0.- Exit
|
|
|
|
1.- Add player
|
|
|
|
2.- Remove player
|
|
|
|
3.- Select player
|
|
|
|
4.- Edit player
|
|
|
|
5.- Show player
|
|
|
|
6.- Show team
|
|
|
|
Your choice: 1
|
|
|
|
Found free slot: 1
|
|
|
|
Enter player name: bbbb
|
|
|
|
Enter attack points: 5
|
|
|
|
Enter defense points: 6
|
|
|
|
Enter speed: 7
|
|
|
|
Enter precision: 8
|
2017-12-26 12:37:26 +07:00
|
|
|
```
|
2017-12-26 21:29:56 +07:00
|
|
|
试着选中第一个球员,然后删除它:
|
2017-12-26 12:37:26 +07:00
|
|
|
```
|
2017-12-26 21:29:56 +07:00
|
|
|
Your choice: 3
|
|
|
|
Enter index: 0
|
|
|
|
Player selected!
|
|
|
|
Name: aaaa
|
|
|
|
A/D/S/P: 1,2,3,4
|
|
|
|
0.- Exit
|
|
|
|
1.- Add player
|
|
|
|
2.- Remove player
|
|
|
|
3.- Select player
|
|
|
|
4.- Edit player
|
|
|
|
5.- Show player
|
|
|
|
6.- Show team
|
|
|
|
Your choice: 2
|
|
|
|
Enter index: 0
|
|
|
|
She's gone!
|
|
|
|
```
|
|
|
|
接下来直接显示该球员信息:
|
|
|
|
```
|
|
|
|
Your choice: 5
|
|
|
|
Name:
|
|
|
|
A/D/S/P: 29082240,0,3,4
|
|
|
|
0.- Exit
|
|
|
|
1.- Add player
|
|
|
|
2.- Remove player
|
|
|
|
3.- Select player
|
|
|
|
4.- Edit player
|
|
|
|
5.- Show player
|
|
|
|
6.- Show team
|
|
|
|
Your choice: 6
|
|
|
|
Your team:
|
|
|
|
Player 0
|
|
|
|
Name: bbbb
|
|
|
|
A/D/S/P: 5,6,7,8
|
|
|
|
```
|
|
|
|
奇怪的事情发生了,程序没有提醒我们球员不存在,而是直接读取了内存中的信息。
|
|
|
|
|
|
|
|
于是我们猜测,程序在 free 球员时没有将 select 的值置空,导致了 use-after-free 的问题。关于 UAF 已经在前面的章节中讲过了。
|
|
|
|
|
|
|
|
|
|
|
|
#### Exploit
|
|
|
|
完整的 exp 如下:
|
|
|
|
```python
|
|
|
|
|
2017-12-26 12:37:26 +07:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## 参考资料
|
|
|
|
- [Exploitation](https://ctftime.org/task/4528)
|