From 1551bb210c5e0cc7ecdd43bd9221e5e2b6982510 Mon Sep 17 00:00:00 2001
From: firmianay
Date: Thu, 24 May 2018 16:33:36 +0800
Subject: [PATCH] update malloc
---
 SUMMARY.md | 1 +
 doc/1.5.11_jemalloc.md | 48 +++++++++++++++++
 doc/1.5.8_glibc_malloc.md | 49 ++++++++++++++++++
 ...29_pwn_insomnictf2017_the_great_escape3.md | 37 +++++++++++++
 doc/6_writeup.md | 1 +
 src/others/1.5.8_glibc_malloc/regexp.patch | 24 +++++++++
 .../the_great_escape_part3 | Bin 0 -> 14392 bytes
 7 files changed, 160 insertions(+)
 create mode 100644 doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md
 create mode 100644 src/others/1.5.8_glibc_malloc/regexp.patch
 create mode 100755 src/writeup/6.1.29_pwn_insomnictf2017_the_great_escape3/the_great_escape_part3
diff --git a/SUMMARY.md b/SUMMARY.md
index c5b1b2e..747d74b 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -154,6 +154,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
 * [6.1.26 pwn 34C3CTF2017 300](doc/6.1.26_pwn_34c3ctf2017_300.md)
 * [6.1.27 pwn SECCONCTF2016 tinypad](doc/6.1.27_pwn_secconctf2016_tinypad.md)
 * [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
+ * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md)
 * Reverse
 * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
 * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
diff --git a/doc/1.5.11_jemalloc.md b/doc/1.5.11_jemalloc.md
index d0e01ff..0de7436 100644
--- a/doc/1.5.11_jemalloc.md
+++ b/doc/1.5.11_jemalloc.md
@@ -1 +1,49 @@
 # 1.5.11 jemalloc
+
+- [jemalloc](#jemalloc)
+- [安装](#安装)
+- [CTF 实例](#ctf-实例)
+- [参考资料](#参考资料)
+
+
+## jemalloc
+jemalloc 是 Facebook 推出的一种通用 malloc 实现,在 FreeBSD、firefox 中被广泛使用。比起 ptmalloc2 具有更高的性能。
+
+
+## 安装
+我们来编译一个带调试信息的 jemalloc(注:4.x和5.x之间似乎差别比较大):
+```
+$ wget https://github.com/jemalloc/jemalloc/releases/download/5.0.1/jemalloc-5.0.1.tar.bz2
+$ tar -xjvf jemalloc-5.0.1.tar.bz2
+$ cd jemalloc-5.0.1
+$ ./configure --prefix=/usr/local/jemalloc --enable-debug
+$ make -j4 && sudo make install
+```
+接下来修改链接信息:
+```
+# echo /usr/local/jemalloc/ >> /etc/ld.so.conf.d/jemalloc.conf
+# ldconfig
+```
+当我们想要在编译程序时指定 jemalloc 时可以像下面这样:
+```
+$ gcc test.c -L/usr/local/jemalloc/lib -Wl,--rpath=/usr/local/jemalloc/lib -ljemalloc
+$ ldd a.out
+ linux-vdso.so.1 (0x00007fff69b62000)
+ libjemalloc.so.2 => /usr/local/jemalloc/lib/libjemalloc.so.2 (0x00007f744483b000)
+ libc.so.6 => /usr/lib/libc.so.6 (0x00007f744447f000)
+ libm.so.6 => /usr/lib/libm.so.6 (0x00007f74440ea000)
+ libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f7443d61000)
+ libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f7443b43000)
+ libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f744393f000)
+ libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7443727000)
+ /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7444f02000)
+```
+可以看到 `libjemalloc.so.2` 已经被链接到程序里了。
+
+
+## CTF 实例
+查看章节 6.1.29。
+
+
+## 参考资料
+- http://jemalloc.net/
diff --git a/doc/1.5.8_glibc_malloc.md b/doc/1.5.8_glibc_malloc.md
index 230c7d3..1759362 100644
--- a/doc/1.5.8_glibc_malloc.md
+++ b/doc/1.5.8_glibc_malloc.md
@@ -16,6 +16,55 @@ $ git clone git://sourceware.org/git/glibc.git
 $ cd glibc
 $ git checkout --track -b local_glibc-2.23 origin/release/2.23/master
 ```
+下面来编译它,首先修改配置文件 Makeconfig,将 `-Werror` 注释掉,这样可以避免高版本 GCC(v8.1.0) 将警告当做错误处理:
+```
+$ cat Makeconfig | grep -i werror | grep warn
++gccwarn += #-Werror
+```
+接下来需要打上一个 patch:
+```
+$ cat regexp.patch
+diff --git a/misc/regexp.c b/misc/regexp.c
+index 19d76c0..9017bc1 100644
+--- a/misc/regexp.c
++++ b/misc/regexp.c
+@@ -29,14 +29,17 @@
+
+ #if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_23)
+
+-/* Define the variables used for the interface. */
+-char *loc1;
+-char *loc2;
++#include /* Get NULL. */
++
++/* Define the variables used for the interface. Avoid .symver on common
++ symbol, which just creates a new common symbol, not an alias. */
++char *loc1 = NULL;
++char *loc2 = NULL;
+ compat_symbol (libc, loc1, loc1, GLIBC_2_0);
+ compat_symbol (libc, loc2, loc2, GLIBC_2_0);
+
+ /* Although we do not support the use we define this variable as well. */
+-char *locs;
++char *locs = NULL;
+ compat_symbol (libc, locs, locs, GLIBC_2_0);
+$ patch misc/regexp.c regexp.patch
+```
+然后就可以编译了:
+```
+$ mkdir build && cd build
+$ ../configure --prefix=/usr/local/glibc-2.23
+$ make -j4 && sudo make install
+```
+
+如果我们想要在编译程序时指定 libc,可以像这样:
+```
+$ gcc test.c -L/usr/local/glibc-2.23/lib -Wl,--rpath=/usr/local/glibc-2.23/lib -Wl,-I/usr/local/glibc-2.23/lib/ld-2.23.so
+$ ldd a.out
+ linux-vdso.so.1 (0x00007ffcc76b0000)
+ libc.so.6 => /usr/local/glibc-2.23/lib/libc.so.6 (0x00007f6abd578000)
+ /usr/local/glibc-2.23/lib/ld-2.23.so => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f6abdb1c000)
+```
 ## malloc.c
diff --git a/doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md b/doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md
new file mode 100644
index 0000000..195757d
--- /dev/null
+++ b/doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md
@@ -0,0 +1,37 @@
+# 6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3
+
+- [题目复现](#题目复现)
+- [题目解析](#题目解析)
+- [漏洞利用](#漏洞利用)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/writeup/6.1.29_pwn_insomnictf2017_the_great_escape3)
+
+## 题目复现
+```
+$ file the_great_escape_part3
+the_great_escape_part3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=08df0c3369b497ee8ed8fca10dbb39ae75ebb273, not stripped
+$ checksec -f the_great_escape_part3
+RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
+Partial RELRO Canary found NX enabled No PIE RPATH No RUNPATH Yes 0 6 the_great_escape_part3
+$ ldd the_great_escape_part3
+ linux-vdso.so.1 (0x00007ffe0f1e8000)
+ libjemalloc.so.2 => /usr/lib/libjemalloc.so.2 (0x00007fa5e82dd000)
+ libc.so.6 => /usr/lib/libc.so.6 (0x00007fa5e7f21000)
+ libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007fa5e7b98000)
+ libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007fa5e797a000)
+ libdl.so.2 => /usr/lib/libdl.so.2 (0x00007fa5e7776000)
+ libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007fa5e755e000)
+ /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fa5e875c000)
+ libm.so.6 => /usr/lib/libm.so.6 (0x00007fa5e71c9000)
+```
+64 位动态链接程序,但其使用 jemalloc 替代了 glibc 里的 ptmalloc2,很有意思。关于 jemalloc 的更多内容可以参考章节 1.5.11。
+
+
+## 题目解析
+
+## 漏洞利用
+
+## 参考资料
+- https://ctftime.org/task/3311
diff --git a/doc/6_writeup.md b/doc/6_writeup.md
index 6a5e5df..014da6a 100644
--- a/doc/6_writeup.md
+++ b/doc/6_writeup.md
@@ -29,6 +29,7 @@
 * [6.1.26 pwn 34C3CTF2017 300](6.1.26_pwn_34c3ctf2017_300.md)
 * [6.1.27 pwn SECCONCTF2016 tinypad](6.1.27_pwn_secconctf2016_tinypad.md)
 * [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md)
+ * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](6.1.29_pwn_insomnictf2017_the_great_escape3.md)
 * Reverse
 * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
 * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
diff --git a/src/others/1.5.8_glibc_malloc/regexp.patch b/src/others/1.5.8_glibc_malloc/regexp.patch
new file mode 100644
index 0000000..1eb4210
--- /dev/null
+++ b/src/others/1.5.8_glibc_malloc/regexp.patch
@@ -0,0 +1,24 @@
+diff --git a/misc/regexp.c b/misc/regexp.c
+index 19d76c0..9017bc1 100644
+--- a/misc/regexp.c
++++ b/misc/regexp.c
+@@ -29,14 +29,17 @@
+
+ #if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_23)
+
+-/* Define the variables used for the interface. */
+-char *loc1;
+-char *loc2;
++#include /* Get NULL. */
++
++/* Define the variables used for the interface. Avoid .symver on common
++ symbol, which just creates a new common symbol, not an alias. */
++char *loc1 = NULL;
++char *loc2 = NULL;
+ compat_symbol (libc, loc1, loc1, GLIBC_2_0);
+ compat_symbol (libc, loc2, loc2, GLIBC_2_0);
+
+ /* Although we do not support the use we define this variable as well. */
+-char *locs;
++char *locs = NULL;
+ compat_symbol (libc, locs, locs, GLIBC_2_0);
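Review bot: The inner hunk header of the new regexp.patch, `+@@ -29,14 +29,17 @@`, does not match the body that follows it: the 19 patch lines after it hold 8 context, 4 removed and 7 added lines, i.e. 12 old and 15 new, so the trailing two context lines appear to have been dropped (the outer header `@@ -0,0 +1,24 @@` confirms the file ends at the last `compat_symbol` line). GNU patch may still apply it with fuzz, but the file as committed is malformed and a stricter tool such as `git apply` is likely to reject it; either append the two missing context lines from the unmodified misc/regexp.c, or correct the header to `+@@ -29,12 +29,15 @@` so the counts describe the body. The added line `++#include /* Get NULL. */` also carries no header name — if the angle-bracketed header was not merely lost in rendering, the patched regexp.c will not compile, so verify the committed file reads `#include <stddef.h> /* Get NULL. */`. The copy of this patch embedded in doc/1.5.8_glibc_malloc.md shows the same two problems.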
diff --git a/src/writeup/6.1.29_pwn_insomnictf2017_the_great_escape3/the_great_escape_part3 b/src/writeup/6.1.29_pwn_insomnictf2017_the_great_escape3/the_great_escape_part3 new file mode 100755 index 0000000000000000000000000000000000000000..8ec83e6a4428e14490b48d5d102f19d0bd4389da GIT binary patch literal 14392 zcmeHOeQ+Gbm2d4zwruQ``~}9CcuZ{0aPe9)MiEencO|VoBJu~aY)HVYR=XotwnA^{vM$uU?!UF8H9K;d$Uj{|BKJ3)NJry~x! z-|Oif&5U*oRjImvj#llwe!qV2^~b#K>FIg;YN%v|Pw}K}+$g^%y{{C%`k3E;nG*U?kZ>qEz2> z3W%&h&zx_tk}{@nfb^)X6Blw8w3TNhJwy#c8W&XRQS(Tz{8Lm)wADr@M8hPN{iD9o zuSN8)#S;KWe1HgR;MZwNvXr*Jp~omcaUN$u13V+?4F=34m3r4ekJ|ZhQ>74Wmi4)e zOQmSPq@ufQU01xVX2ZI!*xIgmBGbFJx3*?&%?5uu>0i(LP4-E4^VXfbCOM7@IBN4^ z{Aj4Dy!^NGE{i|*;P3AlKl9!BKfB_eGAAERQyC4pyl;1nC?%{kFo!S&zl-oY{9oVr ztNPGOr^dg0-SQ{*zvDakZ*Thm7ft^GbYYPa4=N~z6Q&fAU+IE>6L>K@_qpKTcflWW z!I!zT^KBRTJudj=z!m(QsoceW0fNQ)^@0n24R8fNXL=q$F+1ixh)ek0^7*)sO*%2r5Br_XTwd^YI7FB9@k{8p$g zWaqHKxq)dT$fY=5!B&ZN#w^7AzDetjbaf@8#;gv9JGzsJa9WR~^l+GkuihJO);i*8 zT}#z>Mbc?4&BBc>Tf#9dCE%7V^DaScMt2)QmJGLU}_HwQwyVe!qLt>;r2+p3ue$n zF55*!OT<{W)}4mEwm9SL zaA_fBo0}Tz>ci{()f>$0bZ)($CN1;ePg2U;d83>#uP7sF;!9bH`A6%im-VAWuK)La z{Q*2SN?C&Y4c6s&d_JwreS*&{i_alD{opB0u4v_yo;Bv968WWyfzL)>h$6?BV!@5} zbC|8M;MV7Pl?Asx&uT3=)ge>Bg3D(wm8ljS9Wc{&3qIFG8N1GcpJTyWEjR|oOq~|o z`q1gI;1#Ac_D>dkfd$`Z!L94jT^4+iMgD*Vr)Q{42QBy#34#t<@N+Hr!xmg@HF)VE z3%=AM|AYk>TP$8WV!@YLIPgZRs@hEzLN?IC#H~AUr9Wxm~j=ToPU&fa<#$;=l_9taFe}i~(rNTbW|26UC zLWLgA-%dQaPNCJ1U!<`11K@e8{#|4Cg&WoEYij@N6Wd!FM@N+N0!$q}dgxptquwO} zmVXe6@3&X1XkhG#zhBwPcB*UXd8YPH`qbRr0qyBxL>qCE7X2DJ< z<`Wp;-N(z?0hPSRYZ_*sqK0i`nX;3A13lB&JESl*w!3f(bSST8Z=FCHh}!|j zUIS=+G<1p@F38D?bD>jebPR&yYROn`Cz$8e+)gmhSNwEg|GUAvD*HpHO1RWGm&%Uj zAOF+TlzPRn)G-e9KfUJqKd+MBVwE(zRDzCFW^X;CW-}AH&>8ihnk#+g5Z$fZ&IvX9 z%GB6%$JDQ#5uLv6)O8-lvPT|)u^1#*uR-6{Y$#tnGE8$O|I`_DB|9)em5r9oCEuAJ zfMb-+MpienrO5sY+0lU~AV#A%JdO#T-)HDPOS-uMB8TZ&G(-|AhUvr~QLumD#EgPb zUhoqt$PG}_XgA3YlWC}(53^Zbl~ktLF|>jF7RAp)d0?bsU=P*^t2RyHp+*QnW-qm@ 
zSj}6`TJu9FHEPZo^^;@pj;Z_iQ)|`iFQ^G$gL!M!v_KE-GOGR~uc1h%U;KdD;pk@0+Wd2WCZ@{z^DM~pk2tvu;N z&y2gy@Axo-3*~=9ZOp>0jiOv7hxr_vdQr_Dw{%*~zKY7{yY=?<|2bQ4Yfz7Epbt_{ zs(9@`mqVUCFa~ducLI}7HcH%CsF*D~DwT5kNC}M-x9ZohIjm6MJTv-6uxVjt->ONW zm=l$swQpZSsjY9(kJv4a+QQ+YCJkpfK?=nN^zr|u0=KC#2Wqwf<<8>ewGWKJ zzompblAY6Nk?-G|xa`=t0;U{w6N@)2B&)V4NxyE|9yQbJ>@vnY+k-&M40w zAEw<+exVf`&G&;ndDU<$HD@*z*_uP}S(;O0*b<%2cNi>RE>Qb*2Fo1-Y$I4>VE}XH z4^vYI)LbYZQ!g`~HrPYHLfyITX?hfiC#8DZsaAM99!yy3)a*}a>tlUBO;(Q_MyJ>i zgxE0jSpIex!Gj8d{YU7^`W6rWkOu2lC>SQW{6nZ54o3T~A=;7AP@M!eI`A~0EH+*3 zqrB9EXW1{w22zd}Ry;le;jIvE&knqZBKQ*7f#cwM*s%5sh{+1wN9al&`&Tl~OykGjpPI@ag}v;+ zzi>IalH6}eZX5;10DK2>{YQ9VW|h$zRL}_&UIY~|uj6hFQ@`_Hw!#fy3fE!lG`*GM z`@!I~!Ck@ZRB&gorD^|a|7-=DyZvj4?r6-OZp^;abjch1o#E)8y!qkx(7}P<=}Ps# z%l%+e_N}Ju=>}MsTKsFZ|5%B7#mUTD^g?m{?%)l<-N74!;bRA;D}4{|8Qh+D5S+~Jgr2Oj+BOMM>5j2lEGe>HQpRa=<9Dv#uGbP1P38;oFR1eg;UA4q@HG> z=H_k93LSgI6CH{;5fNZQp`#4oQYxW{!wOS?pN(LYOD^zUMQ6t}MaSNqntB*?AI7>D zbT97P80a0K6QBjqrEuh}xbFebK2Vw^i?9sb1xlXyFetsZ$n$U78c`~_rJ0rVR+d~a zZ+7{ClG&An^Y=Z}bt#uHF2&^;TP5Tbv~du1Fkj^+-_olq&bhgKAKSR>s!K0hbrD%0 zn+^Dpr}6jjps(^yPyPH^ji?wn*@@wIH_A0oCd)(pUeEQ048bIKH-683gdElP7=E)b zHh%$X+H0Gx@0WlVp!{3(mMH5}`@P=%v&;&~&Kdmrv0?cR^-sznONsil9C#(hnzy^o zS9!0e&bRa)Z^)MeRnWJl&Zj^Q@^!v)e$F0) zom$wTW$Tml$q0Nh0{?$UAb|H~N{XPI!G)F}N>18uz^p>h1|dLix0K}f1bH?pzaz*q zLiv4Fo&nODOi7*g!Ai|$#MDG>t zlV`X~2}D|A5c5h0emp6yoXEA2_Jow=b4i{x%QI57JiyB(UL|YDU zP&)B_Ou=@{@AoU4v1hzF(r1Wr`Cy_?!PhihxjC7Nr8lz8_4QXOYj(C}5_(3t+`qwJ zwYDb1x$3V}*Z8Y8_%~c);L7@{>YA#Wsw=F`E1LIWme+a$Gs@`8QA<(W%k-jnsX0Hb z#=MxVa$ef;SxnAfJ3gBg^LsB=136#p@^hG+cXoU(lk?M#&;0I5d~vKil_NzcpV>OXCT*1b~p4u9jFMj7r1 zJ%eVppPnZkjQ^nHzK~_YPdISDz@5)I+E-433gIi9xwC;RfbNjjA7 z#IJAMdlxbbG0rmXOui%T!GpS( zognNe+=BhG-36z2pkj7zcEPXW_{@2o<+zW1-WT8%^LIexzV2e@2QK)NE;xP2DAvxm zT<~`|?&IG>s6qT)5%dG#3vgfP_>Yp@UwQfc;*jmKf{(uq;>>#B3lJ?J*RfI|5_FNL zc(-Ehr!TI`O!Mq^;FU%E=Ux{(-vhqDGc)exp9P+GtV>T34*SZ=R$jaOmi`RzV(lE~ zxR252NJ?@%^DgoqxZpncEyeA~b%qp2-)xnL)QRb0Q>Z%jgs7F zMmUbuQs66isd3g&ERN_VmwLYj=(aWOCW*#~qUagiT#!H>D% 
zuK*`MagOJ2T;$(%!OP&l1jRF-tLbgAn5A)=5SNvjuymAO@~E=_3ki&ixLzt6^CYKVM9P|XlCKfP21{%P2p{uHth(tgj<4jO(9aESS{0f z%ntBiF&1w4;@04n#(EKV6$r?1CyHzm;Z)Id#s~oW7-42S1k7%QLc<)0arP=>#O#GU ze9R8b2~_M9+YmH{H;8a1t%-Ovy9C1A z5V~f^c&J^`a60%DqR~Vgni2fwPz@t6&%EccbTZr-!AY|wd$8UJgmWtKs5iPzJUEXc z;_MQ}k+dDNg~U;lEP;8`k{ftb-ZW2cA%?Yzg|^l=e{p+DcuS~7-PW)}HnLg-=-IWz zJ)qz_I`Fm^8oi7r6A3L!Z+ATY&o08F4~=L-dw~e?Gfvg*MMk{fG=>;H(F|lLJWzC{ znlXR6uUn6_f$AxPcFJ5lfjG(@=1(Mb%^$35T&qVq1lN(s_}emZgj&aA%uifrB;CpU zvAzWC8B|XhC4040n!3it1QSMCO6!V{g2?rB>CDgXqaRs+M-r^A_2SBdF#V|{k7)F3 zonj&BjKPTH3{_*!8yYfyQxsyTCej^`q76x%%mbnDNI#+@nICIgH`Xh@X8t)B+V^9N zW9}d2`)n=NYf5szV{nG7%oF`IesqQ-#Lf3!8LzLP%$nrBM`E~}HhuYitP6vyq@bWq z{RZIpoRXCFAM^ycdW`?rQ%>so})p8C$eEpH-e!vEU7Qw-yfzyMcQN#^W09#NxBE+bS5Tw`JO)^^aDcQ z*?s{tdM~3fmHP5Lph|R9_OnbVIQxHx(61Ba^4vfbg7O@Y^vRY}{~lm8CSthEbI`%L z0Fjm%#JoE1e-9x11|SplHTXgZ=Dz5b+w9vS=n9=;^O507MQhu`QFtd z^dA-NkovM-$$!tGFVB5fiG$KPQczH5|9>d-&HE?b2djksk&n>-u|t1C=*$0`x#1)9 zhaLLz+-19PoJSnv?;OA9pig^oG0n{L8TtQ3PI)K)5_Bsp`tlrS@7dm3op+qQt5%&!bK#hRTRR%&TJNjLe51WJ~s6zE=#cG|JZ)#JtLW zOTdfDss1Vn2rBhAIB=4sBq;^t%DQ=hxOA;EGV`RMz#S~NBj=7)e|)9E^@<5d?m#Bx YxC!^h|L+yAfBRn=`pX>?)>;4m0v%)*>Hq)$ literal 0 HcmV?d00001