From 221ba178d78051bfe716bf6435c420e1a599828d Mon Sep 17 00:00:00 2001 From: firmianay Date: Sun, 12 Nov 2017 23:33:34 +0800 Subject: [PATCH] add 6.2 --- README.md | 3 +- SUMMARY.md | 3 +- doc/3.3.1_format_string.md | 3 +- doc/6.2_pwn_0ctf2015_freenote.md | 1 - doc/6.2_pwn_njctf2017_pingme.md | 58 ++++++++++++++++++ doc/6.3_pwn_0ctf2015_freenote.md | 1 + doc/6_writeup.md | 3 +- .../6.2_pwn_njctf2017_pingme/pingme} | Bin src/writeup/6.2_pwn_njctf2017_pingme/run.sh | 1 + 9 files changed, 68 insertions(+), 5 deletions(-) delete mode 100644 doc/6.2_pwn_0ctf2015_freenote.md create mode 100644 doc/6.2_pwn_njctf2017_pingme.md create mode 100644 doc/6.3_pwn_0ctf2015_freenote.md rename src/{Pwn/3.3.1_pingme_200 => writeup/6.2_pwn_njctf2017_pingme/pingme} (100%) create mode 100755 src/writeup/6.2_pwn_njctf2017_pingme/run.sh diff --git a/README.md b/README.md index 83c2817..318764c 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,8 @@ - [六、题解篇](doc/6_writeup.md) - [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) - - [6.2 pwn 0ctf2015 freenote](doc/6.2_pwn_0ctf2015_freenote.md) + - [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) + - [6.3 pwn 0ctf2015 freenote](doc/6.3_pwn_0ctf2015_freenote.md) - [七、附录](doc/7_appendix.md) - [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) diff --git a/SUMMARY.md b/SUMMARY.md index 5d9042d..f36f278 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -63,7 +63,8 @@ * [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md) * [六、题解篇](doc/6_writeup.md) * [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) - * [6.2 pwn 0ctf2015 freenote](doc/6.2_pwn_0ctf2015_freenote.md) + * [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) + * [6.3 pwn 0ctf2015 freenote](doc/6.3_pwn_0ctf2015_freenote.md) * [七、附录](doc/7_appendix.md) * [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) * [7.2 更多 Windows 工具](doc/7.2_wintools.md) diff --git a/doc/3.3.1_format_string.md b/doc/3.3.1_format_string.md index f280d9d..592d267 100644 --- a/doc/3.3.1_format_string.md 
+++ b/doc/3.3.1_format_string.md @@ -1400,4 +1400,5 @@ hacked! ## 练习 - [**pwn** - UIUCTF 2017 - goodluck - 200](../src/Pwn/3.3.1_goodluck_200) -- [**Pwn** - NJCTF 2017 - pingme - 200](../src/Pwn/3.3.1_pingme_200) +- [**Pwn** - NJCTF 2017 - pingme - 200](../src/writeup/6.2_pwn_njctf2017_pingme) + - writeup 在章节 6.2 中 diff --git a/doc/6.2_pwn_0ctf2015_freenote.md b/doc/6.2_pwn_0ctf2015_freenote.md deleted file mode 100644 index 14c4144..0000000 --- a/doc/6.2_pwn_0ctf2015_freenote.md +++ /dev/null @@ -1 +0,0 @@ -# 6.2 pwn 0ctf2015 freenote diff --git a/doc/6.2_pwn_njctf2017_pingme.md b/doc/6.2_pwn_njctf2017_pingme.md new file mode 100644 index 0000000..2902c24 --- /dev/null +++ b/doc/6.2_pwn_njctf2017_pingme.md 
@@ -0,0 +1,58 @@ +# 6.2 pwn njctf2017 pingme + +- [题目复现](#题目复现) +- [Blind fmt 原理及题目解析](#blind-fmt-原理及题目解析) +- [Exploit](#exploit) +- [参考资料](#参考资料) + + +## 题目复现 +在 6.1 中我们看到了 blind ROP,这一节中则将看到 blind fmt。它们的共同点是都没有二进制文件,只提供 ip 和端口。 + +checksec 如下: +``` +$ checksec -f pingme +RELRO STACK CANARY NX PIE RPATH RUNPATHFORTIFY Fortified Fortifiable FILE +No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 2 pingme +``` +然后把程序运行起来: +``` +$ socat tcp4-listen:10001,reuseaddr,fork exec:./pingme +``` + + +## Blind fmt 原理及题目解析 +格式化字符串漏洞我们已经在 3.3.1 中详细讲过了,blind fmt 要求我们在没有二进制文件和 libc.so 的情况下进行漏洞利用,好在程序没有开启任何保护,利用很直接。 + +通常有两种方法可以解决这种问题,一种是利用信息泄露把程序从内存中 dump 下来,另一种是使用 pwntools 的 DynELF 模块(关于该模块的使用我们在章节 4.4 中有讲过)。 + +#### 确认漏洞 +首先你当然不知道这是一个栈溢出还是格式化字符串,栈溢出的话输入一段长字符串,但程序是否崩溃,格式化字符串的话就输入格式字符,看输出。 +``` +$ nc 127.0.0.1 10001 +Ping me +ABCD%7$x +ABCD44434241 +``` +很明显是格式字符串,而且 ABCD 在第 7 个参数的位置,实际上当然不会这么巧,所以需要使用一个脚本去枚举。这里使用 pwntools 的 fmtstr 模块了: +```python +def exec_fmt(payload): + p.sendline(payload) + info = p.recv() + return info +auto = FmtStr(exec_fmt) +offset = auto.offset +``` +``` +[*] Found format string offset: 7 +``` + +## Exploit +完整的 exp 如下,其他文件放在了[github](../src/writeup/6.2_pwn_njctf2017_pingme)相应文件夹中: +```python + +``` + + +## 参考资料 +- [Linux系统下格式化字符串利用研究](https://paper.seebug.org/246/) diff --git a/doc/6.3_pwn_0ctf2015_freenote.md b/doc/6.3_pwn_0ctf2015_freenote.md new file mode 100644 index 0000000..c210d7a --- /dev/null +++ b/doc/6.3_pwn_0ctf2015_freenote.md @@ -0,0 +1 @@ +# 6.3 pwn 0ctf2015 freenote diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 95f22bc..bf18e63 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -1,4 +1,5 @@ # 第六章 题解篇 - [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md) -- [6.2 pwn 0ctf2015 freenote](./6.2_pwn_0ctf2015_freenote.md) +- [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md) +- [6.3 pwn 0ctf2015 freenote](./6.3_pwn_0ctf2015_freenote.md) 
diff --git a/src/Pwn/3.3.1_pingme_200 b/src/writeup/6.2_pwn_njctf2017_pingme/pingme similarity index 100% rename from src/Pwn/3.3.1_pingme_200 rename to src/writeup/6.2_pwn_njctf2017_pingme/pingme diff --git a/src/writeup/6.2_pwn_njctf2017_pingme/run.sh b/src/writeup/6.2_pwn_njctf2017_pingme/run.sh new file mode 100755 index 0000000..fd408c0 --- /dev/null +++ b/src/writeup/6.2_pwn_njctf2017_pingme/run.sh @@ -0,0 +1 @@ +socat tcp4-listen:10001,reuseaddr,fork exec:./pingme &
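Review bot: The subject line `add 6.2` does not mention that the freenote chapter is renumbered, which this patch does by deleting doc/6.2_pwn_0ctf2015_freenote.md and creating doc/6.3_pwn_0ctf2015_freenote.md in the README.md, SUMMARY.md and doc/6_writeup.md hunks. The three indexes are updated consistently, but any link to the old 6.2 freenote path from outside these files will now break. Suggest saying in the commit message that freenote moves to 6.3 and that the pingme binary moves out of src/Pwn.
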
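Review bot: In the doc/3.3.1_format_string.md hunk the new sub-item `- writeup 在章节 6.2 中` is plain text; make it a link to `./6.2_pwn_njctf2017_pingme.md` so the reader can reach the chapter from the exercise list. The exercise link itself now targets the directory `../src/writeup/6.2_pwn_njctf2017_pingme`, whereas the old target `../src/Pwn/3.3.1_pingme_200` was the binary (the rename at the end of the patch shows it was a file); pointing at `.../6.2_pwn_njctf2017_pingme/pingme` would keep the behaviour of the link unchanged.
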
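Review bot: In the new doc/6.2_pwn_njctf2017_pingme.md the Exploit section says `完整的 exp 如下` but the `python` fence under it is empty, so the chapter ships without the script it promises; add the exp or mark the section as pending. In the same file the `exec_fmt` snippet uses `p` and `FmtStr` without showing the pwntools import or how `p` is connected to port 10001, so it cannot be run as written. The 原理 section names two approaches (dumping the program from memory, and DynELF) and the text then follows neither of them. Two smaller points: in `栈溢出的话输入一段长字符串,但程序是否崩溃` the `但` reads like a typo for `看`, and the checksec header has `RUNPATHFORTIFY` run together.
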
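Review bot: src/writeup/6.2_pwn_njctf2017_pingme/run.sh is created with mode 100755 but has no `#!` line, and `exec:./pingme` resolves against the caller's working directory, so the script only works when started from inside its own folder. `tcp4-listen:10001,reuseaddr,fork` also carries no `bind=` option, which puts a binary the writeup itself reports as No RELRO, no canary and no PIE on every interface of the reader's machine. Suggest adding `#!/bin/sh`, changing into the script's directory before starting socat, and adding `bind=127.0.0.1` to the listen address, which still matches the `nc 127.0.0.1 10001` session shown in the doc.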