mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2025-01-27 05:57:33 +07:00
add 6.1.23 and fix
This commit is contained in:
parent
94932dd6c6
commit
3663cd6394
@ -151,8 +151,9 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [6.1.18 pwn HITBCTF2017 Sentosa](doc/6.1.18_pwn_hitbctf2017_sentosa.md)
|
||||
* [6.1.19 pwn HITBCTF2018 gundam](doc/6.1.19_pwn_hitbctf2018_gundam.md)
|
||||
* [6.1.20 pwn 33C3CTF2016 babyfengshui](doc/6.1.20_pwn_33c3ctf2016_babyfengshui.md)
|
||||
* [6.1.21 pwn HITCONCTF2016 Sleepy_Holder](doc/6.1.21_pwn_hitconctf2016_sleepy_holder.md)
|
||||
* [6.1.22 pwn BCTF2016 bcloud](doc/6.1.22_pwn_bctf2016_bcloud.md)
|
||||
* [6.1.21 pwn HITCONCTF2016 Secret_Holder](doc/6.1.21_pwn_hitconctf2016_secret_holder.md)
|
||||
* [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md)
|
||||
* [6.1.23 pwn BCTF2016 bcloud](doc/6.1.23_pwn_bctf2016_bcloud.md)
|
||||
* Reverse
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||
|
@ -1,10 +1,12 @@
|
||||
# 5.1 模糊测试
|
||||
|
||||
- [简介](#简介)
|
||||
- [基本原理](#基本原理)
|
||||
- [方法实现](#方法实现)
|
||||
- [实例分析](#实例分析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 简介
|
||||
## 基本原理
|
||||
模糊测试(fuzzing)是一种通过向程序提供非预期的输入并监控输出中的异常来发现软件中的故障的方法。
|
||||
|
||||
用于模糊测试的模糊测试器(fuzzer)分为两类:
|
||||
@ -34,5 +36,10 @@
|
||||
3. 对关联字段的针对性不强:大多数时候只是对多个元素进行数据的随机生成或变异,缺乏对协议关联字段的针对性
|
||||
|
||||
|
||||
## 方法实现
|
||||
|
||||
## 实例分析
|
||||
|
||||
## 参考资料
|
||||
- [Fuzzing](https://en.wikipedia.org/wiki/Fuzzing)
|
||||
- [Awesome-Fuzzing](https://github.com/secfigo/Awesome-Fuzzing)
|
||||
|
365
doc/6.1.21_pwn_hitconctf2016_secret_holder.md
Normal file
365
doc/6.1.21_pwn_hitconctf2016_secret_holder.md
Normal file
@ -0,0 +1,365 @@
|
||||
# 6.1.21 pwn HITCONCTF2016 Secret_Holder
|
||||
|
||||
- [题目复现](#题目复现)
|
||||
- [题目解析](#题目解析)
|
||||
- [漏洞利用](#漏洞利用)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.21_pwn_hitconctf2016_secret_holder)
|
||||
|
||||
## 题目复现
|
||||
```
|
||||
$ file SecretHolder
|
||||
SecretHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=1d9395599b8df48778b25667e94e367debccf293, stripped
|
||||
$ checksec -f SecretHolder
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SecretHolder
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.3.1 20160413.
|
||||
```
|
||||
64 位程序,开启了 Canary 和 NX,默认开启 ASLR。
|
||||
|
||||
在 Ubuntu-16.04 上玩一下:
|
||||
```
|
||||
$ ./SecretHolder
|
||||
Hey! Do you have any secret?
|
||||
I can help you to hold your secrets, and no one will be able to see it :)
|
||||
1. Keep secret
|
||||
2. Wipe secret
|
||||
3. Renew secret
|
||||
1
|
||||
Which level of secret do you want to keep?
|
||||
1. Small secret
|
||||
2. Big secret
|
||||
3. Huge secret
|
||||
1
|
||||
Tell me your secret:
|
||||
AAAA
|
||||
1. Keep secret
|
||||
2. Wipe secret
|
||||
3. Renew secret
|
||||
3
|
||||
Which Secret do you want to renew?
|
||||
1. Small secret
|
||||
2. Big secret
|
||||
3. Huge secret
|
||||
1
|
||||
Tell me your secret:
|
||||
BBBB
|
||||
1. Keep secret
|
||||
2. Wipe secret
|
||||
3. Renew secret
|
||||
2
|
||||
Which Secret do you want to wipe?
|
||||
1. Small secret
|
||||
2. Big secret
|
||||
3. Huge secret
|
||||
1
|
||||
```
|
||||
该程序运行我们输入 small、big、huge 三种 secret,且每种 secret 只能输入一个。通过 Renew 可以修改 secret 的内容。Wipe 用于删除 secret。
|
||||
|
||||
猜测三种 secret 应该是有不同的 chunk 大小,但程序没有我们常见的打印信息这种选项来做信息泄漏。
|
||||
|
||||
|
||||
## 题目解析
|
||||
下面我们逐个来逆向这些功能。
|
||||
|
||||
#### Keep secret
|
||||
```
|
||||
[0x00400780]> pdf @ sub.Which_level_of_secret_do_you_want_to_keep_86d
|
||||
/ (fcn) sub.Which_level_of_secret_do_you_want_to_keep_86d 442
|
||||
| sub.Which_level_of_secret_do_you_want_to_keep_86d ();
|
||||
| ; var int local_14h @ rbp-0x14
|
||||
| ; var int local_10h @ rbp-0x10
|
||||
| ; var int local_8h @ rbp-0x8
|
||||
| ; CALL XREF from 0x00400d6e (main)
|
||||
| 0x0040086d push rbp
|
||||
| 0x0040086e mov rbp, rsp
|
||||
| 0x00400871 sub rsp, 0x20
|
||||
| 0x00400875 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|
||||
| 0x0040087e mov qword [local_8h], rax
|
||||
| 0x00400882 xor eax, eax
|
||||
| 0x00400884 mov edi, str.Which_level_of_secret_do_you_want_to_keep ; 0x400e28 ; "Which level of secret do you want to keep?"
|
||||
| 0x00400889 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x0040088e mov edi, str.1._Small_secret ; 0x400e53 ; "1. Small secret"
|
||||
| 0x00400893 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400898 mov edi, str.2._Big_secret ; 0x400e63 ; "2. Big secret"
|
||||
| 0x0040089d call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x004008a2 mov edi, str.3._Huge_secret ; 0x400e71 ; "3. Huge secret"
|
||||
| 0x004008a7 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x004008ac lea rax, [local_10h]
|
||||
| 0x004008b0 mov edx, 4
|
||||
| 0x004008b5 mov esi, 0
|
||||
| 0x004008ba mov rdi, rax
|
||||
| 0x004008bd call sym.imp.memset ; void *memset(void *s, int c, size_t n)
|
||||
| 0x004008c2 lea rax, [local_10h]
|
||||
| 0x004008c6 mov edx, 4
|
||||
| 0x004008cb mov rsi, rax
|
||||
| 0x004008ce mov edi, 0
|
||||
| 0x004008d3 mov eax, 0
|
||||
| 0x004008d8 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| 0x004008dd lea rax, [local_10h]
|
||||
| 0x004008e1 mov rdi, rax
|
||||
| 0x004008e4 call sym.imp.atoi ; int atoi(const char *str)
|
||||
| 0x004008e9 mov dword [local_14h], eax
|
||||
| 0x004008ec mov eax, dword [local_14h]
|
||||
| 0x004008ef cmp eax, 2 ; 2
|
||||
| ,=< 0x004008f2 je 0x400963
|
||||
| | 0x004008f4 cmp eax, 3 ; 3
|
||||
| ,==< 0x004008f7 je 0x4009bc
|
||||
| || 0x004008fd cmp eax, 1 ; 1
|
||||
| ,===< 0x00400900 je 0x400907
|
||||
| ,====< 0x00400902 jmp 0x400a11
|
||||
| |||| ; JMP XREF from 0x00400900 (sub.Which_level_of_secret_do_you_want_to_keep_86d)
|
||||
| |`---> 0x00400907 mov eax, dword [0x006020c0] ; [0x6020c0:4]=0
|
||||
| | || 0x0040090d test eax, eax
|
||||
| |,===< 0x0040090f je 0x400916
|
||||
| ,=====< 0x00400911 jmp 0x400a11
|
||||
| ||||| ; JMP XREF from 0x0040090f (sub.Which_level_of_secret_do_you_want_to_keep_86d)
|
||||
| ||`---> 0x00400916 mov esi, 0x28 ; '(' ; 40
|
||||
| || || 0x0040091b mov edi, 1
|
||||
| || || 0x00400920 call sym.imp.calloc ; void *calloc(size_t nmeb, size_t size)
|
||||
| || || 0x00400925 mov qword [0x006020b0], rax ; [0x6020b0:8]=0
|
||||
| || || 0x0040092c mov dword [0x006020c0], 1 ; [0x6020c0:4]=0
|
||||
| || || 0x00400936 mov edi, str.Tell_me_your_secret: ; 0x400e80 ; "Tell me your secret: "
|
||||
| || || 0x0040093b call sym.imp.puts ; int puts(const char *s)
|
||||
| || || 0x00400940 mov rax, qword [0x006020b0] ; [0x6020b0:8]=0
|
||||
| || || 0x00400947 mov edx, 0x28 ; '(' ; 40
|
||||
| || || 0x0040094c mov rsi, rax
|
||||
| || || 0x0040094f mov edi, 0
|
||||
| || || 0x00400954 mov eax, 0
|
||||
| || || 0x00400959 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ||,===< 0x0040095e jmp 0x400a11
|
||||
| ||||| ; JMP XREF from 0x004008f2 (sub.Which_level_of_secret_do_you_want_to_keep_86d)
|
||||
| ||||`-> 0x00400963 mov eax, dword [0x006020b8] ; [0x6020b8:4]=0
|
||||
| |||| 0x00400969 test eax, eax
|
||||
| ||||,=< 0x0040096b je 0x400972
|
||||
| ,======< 0x0040096d jmp 0x400a11
|
||||
| |||||| ; JMP XREF from 0x0040096b (sub.Which_level_of_secret_do_you_want_to_keep_86d)
|
||||
| |||||`-> 0x00400972 mov esi, 0xfa0 ; 4000
|
||||
| ||||| 0x00400977 mov edi, 1
|
||||
| ||||| 0x0040097c call sym.imp.calloc ; void *calloc(size_t nmeb, size_t size)
|
||||
| ||||| 0x00400981 mov qword [0x006020a0], rax ; [0x6020a0:8]=0
|
||||
| ||||| 0x00400988 mov dword [0x006020b8], 1 ; [0x6020b8:4]=0
|
||||
| ||||| 0x00400992 mov edi, str.Tell_me_your_secret: ; 0x400e80 ; "Tell me your secret: "
|
||||
| ||||| 0x00400997 call sym.imp.puts ; int puts(const char *s)
|
||||
| ||||| 0x0040099c mov rax, qword [0x006020a0] ; [0x6020a0:8]=0
|
||||
| ||||| 0x004009a3 mov edx, 0xfa0 ; 4000
|
||||
| ||||| 0x004009a8 mov rsi, rax
|
||||
| ||||| 0x004009ab mov edi, 0
|
||||
| ||||| 0x004009b0 mov eax, 0
|
||||
| ||||| 0x004009b5 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| |||||,=< 0x004009ba jmp 0x400a11
|
||||
| |||||| ; JMP XREF from 0x004008f7 (sub.Which_level_of_secret_do_you_want_to_keep_86d)
|
||||
| ||||`--> 0x004009bc mov eax, dword [0x006020bc] ; [0x6020bc:4]=0
|
||||
| |||| | 0x004009c2 test eax, eax
|
||||
| ||||,==< 0x004009c4 je 0x4009c8
|
||||
| ,=======< 0x004009c6 jmp 0x400a11
|
||||
| ||||||| ; JMP XREF from 0x004009c4 (sub.Which_level_of_secret_do_you_want_to_keep_86d)
|
||||
| |||||`--> 0x004009c8 mov esi, 0x61a80
|
||||
| ||||| | 0x004009cd mov edi, 1
|
||||
| ||||| | 0x004009d2 call sym.imp.calloc ; void *calloc(size_t nmeb, size_t size)
|
||||
| ||||| | 0x004009d7 mov qword [0x006020a8], rax ; [0x6020a8:8]=0
|
||||
| ||||| | 0x004009de mov dword [0x006020bc], 1 ; [0x6020bc:4]=0
|
||||
| ||||| | 0x004009e8 mov edi, str.Tell_me_your_secret: ; 0x400e80 ; "Tell me your secret: "
|
||||
| ||||| | 0x004009ed call sym.imp.puts ; int puts(const char *s)
|
||||
| ||||| | 0x004009f2 mov rax, qword [0x006020a8] ; [0x6020a8:8]=0
|
||||
| ||||| | 0x004009f9 mov edx, 0x61a80
|
||||
| ||||| | 0x004009fe mov rsi, rax
|
||||
| ||||| | 0x00400a01 mov edi, 0
|
||||
| ||||| | 0x00400a06 mov eax, 0
|
||||
| ||||| | 0x00400a0b call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ||||| | 0x00400a10 nop
|
||||
| ||||| | ; XREFS: JMP 0x00400902 JMP 0x00400911 JMP 0x0040095e JMP 0x0040096d JMP 0x004009ba JMP 0x004009c6
|
||||
| `````-`-> 0x00400a11 mov rax, qword [local_8h]
|
||||
| 0x00400a15 xor rax, qword fs:[0x28]
|
||||
| ,=< 0x00400a1e je 0x400a25
|
||||
| | 0x00400a20 call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||
| | ; JMP XREF from 0x00400a1e (sub.Which_level_of_secret_do_you_want_to_keep_86d)
|
||||
| `-> 0x00400a25 leave
|
||||
\ 0x00400a26 ret
|
||||
```
|
||||
|
||||
#### Wipe secret
|
||||
```
|
||||
[0x00400780]> pdf @ sub.Which_Secret_do_you_want_to_wipe_a27
|
||||
/ (fcn) sub.Which_Secret_do_you_want_to_wipe_a27 247
|
||||
| sub.Which_Secret_do_you_want_to_wipe_a27 ();
|
||||
| ; var int local_14h @ rbp-0x14
|
||||
| ; var int local_10h @ rbp-0x10
|
||||
| ; var int local_8h @ rbp-0x8
|
||||
| ; CALL XREF from 0x00400d7a (main)
|
||||
| 0x00400a27 push rbp
|
||||
| 0x00400a28 mov rbp, rsp
|
||||
| 0x00400a2b sub rsp, 0x20
|
||||
| 0x00400a2f mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|
||||
| 0x00400a38 mov qword [local_8h], rax
|
||||
| 0x00400a3c xor eax, eax
|
||||
| 0x00400a3e mov edi, str.Which_Secret_do_you_want_to_wipe ; 0x400e98 ; "Which Secret do you want to wipe?"
|
||||
| 0x00400a43 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400a48 mov edi, str.1._Small_secret ; 0x400e53 ; "1. Small secret"
|
||||
| 0x00400a4d call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400a52 mov edi, str.2._Big_secret ; 0x400e63 ; "2. Big secret"
|
||||
| 0x00400a57 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400a5c mov edi, str.3._Huge_secret ; 0x400e71 ; "3. Huge secret"
|
||||
| 0x00400a61 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400a66 lea rax, [local_10h]
|
||||
| 0x00400a6a mov edx, 4
|
||||
| 0x00400a6f mov esi, 0
|
||||
| 0x00400a74 mov rdi, rax
|
||||
| 0x00400a77 call sym.imp.memset ; void *memset(void *s, int c, size_t n)
|
||||
| 0x00400a7c lea rax, [local_10h]
|
||||
| 0x00400a80 mov edx, 4
|
||||
| 0x00400a85 mov rsi, rax
|
||||
| 0x00400a88 mov edi, 0
|
||||
| 0x00400a8d mov eax, 0
|
||||
| 0x00400a92 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| 0x00400a97 lea rax, [local_10h]
|
||||
| 0x00400a9b mov rdi, rax
|
||||
| 0x00400a9e call sym.imp.atoi ; int atoi(const char *str)
|
||||
| 0x00400aa3 mov dword [local_14h], eax
|
||||
| 0x00400aa6 mov eax, dword [local_14h]
|
||||
| 0x00400aa9 cmp eax, 2 ; 2
|
||||
| ,=< 0x00400aac je 0x400ad3
|
||||
| | 0x00400aae cmp eax, 3 ; 3
|
||||
| ,==< 0x00400ab1 je 0x400aee
|
||||
| || 0x00400ab3 cmp eax, 1 ; 1
|
||||
| ,===< 0x00400ab6 jne 0x400b08
|
||||
| ||| 0x00400ab8 mov rax, qword [0x006020b0] ; [0x6020b0:8]=0
|
||||
| ||| 0x00400abf mov rdi, rax
|
||||
| ||| 0x00400ac2 call sym.imp.free ; void free(void *ptr)
|
||||
| ||| 0x00400ac7 mov dword [0x006020c0], 0 ; [0x6020c0:4]=0
|
||||
| ,====< 0x00400ad1 jmp 0x400b08
|
||||
| |||| ; JMP XREF from 0x00400aac (sub.Which_Secret_do_you_want_to_wipe_a27)
|
||||
| |||`-> 0x00400ad3 mov rax, qword [0x006020a0] ; [0x6020a0:8]=0
|
||||
| ||| 0x00400ada mov rdi, rax
|
||||
| ||| 0x00400add call sym.imp.free ; void free(void *ptr)
|
||||
| ||| 0x00400ae2 mov dword [0x006020b8], 0 ; [0x6020b8:4]=0
|
||||
| |||,=< 0x00400aec jmp 0x400b08
|
||||
| |||| ; JMP XREF from 0x00400ab1 (sub.Which_Secret_do_you_want_to_wipe_a27)
|
||||
| ||`--> 0x00400aee mov rax, qword [0x006020a8] ; [0x6020a8:8]=0
|
||||
| || | 0x00400af5 mov rdi, rax
|
||||
| || | 0x00400af8 call sym.imp.free ; void free(void *ptr)
|
||||
| || | 0x00400afd mov dword [0x006020bc], 0 ; [0x6020bc:4]=0
|
||||
| || | 0x00400b07 nop
|
||||
| || | ; JMP XREF from 0x00400ab6 (sub.Which_Secret_do_you_want_to_wipe_a27)
|
||||
| || | ; JMP XREF from 0x00400ad1 (sub.Which_Secret_do_you_want_to_wipe_a27)
|
||||
| || | ; JMP XREF from 0x00400aec (sub.Which_Secret_do_you_want_to_wipe_a27)
|
||||
| ``-`-> 0x00400b08 mov rax, qword [local_8h]
|
||||
| 0x00400b0c xor rax, qword fs:[0x28]
|
||||
| ,=< 0x00400b15 je 0x400b1c
|
||||
| | 0x00400b17 call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||
| | ; JMP XREF from 0x00400b15 (sub.Which_Secret_do_you_want_to_wipe_a27)
|
||||
| `-> 0x00400b1c leave
|
||||
\ 0x00400b1d ret
|
||||
```
|
||||
|
||||
#### Renew secret
|
||||
```
|
||||
[0x00400780]> pdf @ sub.Which_Secret_do_you_want_to_renew_b1e
|
||||
/ (fcn) sub.Which_Secret_do_you_want_to_renew_b1e 330
|
||||
| sub.Which_Secret_do_you_want_to_renew_b1e ();
|
||||
| ; var int local_14h @ rbp-0x14
|
||||
| ; var int local_10h @ rbp-0x10
|
||||
| ; var int local_8h @ rbp-0x8
|
||||
| ; CALL XREF from 0x00400d86 (main)
|
||||
| 0x00400b1e push rbp
|
||||
| 0x00400b1f mov rbp, rsp
|
||||
| 0x00400b22 sub rsp, 0x20
|
||||
| 0x00400b26 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|
||||
| 0x00400b2f mov qword [local_8h], rax
|
||||
| 0x00400b33 xor eax, eax
|
||||
| 0x00400b35 mov edi, str.Which_Secret_do_you_want_to_renew ; 0x400ec0 ; "Which Secret do you want to renew?"
|
||||
| 0x00400b3a call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400b3f mov edi, str.1._Small_secret ; 0x400e53 ; "1. Small secret"
|
||||
| 0x00400b44 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400b49 mov edi, str.2._Big_secret ; 0x400e63 ; "2. Big secret"
|
||||
| 0x00400b4e call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400b53 mov edi, str.3._Huge_secret ; 0x400e71 ; "3. Huge secret"
|
||||
| 0x00400b58 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400b5d lea rax, [local_10h]
|
||||
| 0x00400b61 mov edx, 4
|
||||
| 0x00400b66 mov esi, 0
|
||||
| 0x00400b6b mov rdi, rax
|
||||
| 0x00400b6e call sym.imp.memset ; void *memset(void *s, int c, size_t n)
|
||||
| 0x00400b73 lea rax, [local_10h]
|
||||
| 0x00400b77 mov edx, 4
|
||||
| 0x00400b7c mov rsi, rax
|
||||
| 0x00400b7f mov edi, 0
|
||||
| 0x00400b84 mov eax, 0
|
||||
| 0x00400b89 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| 0x00400b8e lea rax, [local_10h]
|
||||
| 0x00400b92 mov rdi, rax
|
||||
| 0x00400b95 call sym.imp.atoi ; int atoi(const char *str)
|
||||
| 0x00400b9a mov dword [local_14h], eax
|
||||
| 0x00400b9d mov eax, dword [local_14h]
|
||||
| 0x00400ba0 cmp eax, 2 ; 2
|
||||
| ,=< 0x00400ba3 je 0x400be9
|
||||
| | 0x00400ba5 cmp eax, 3 ; 3
|
||||
| ,==< 0x00400ba8 je 0x400c1f
|
||||
| || 0x00400baa cmp eax, 1 ; 1
|
||||
| ,===< 0x00400bad jne 0x400c52
|
||||
| ||| 0x00400bb3 mov eax, dword [0x006020c0] ; [0x6020c0:4]=0
|
||||
| ||| 0x00400bb9 test eax, eax
|
||||
| ,====< 0x00400bbb je 0x400be7
|
||||
| |||| 0x00400bbd mov edi, str.Tell_me_your_secret: ; 0x400e80 ; "Tell me your secret: "
|
||||
| |||| 0x00400bc2 call sym.imp.puts ; int puts(const char *s)
|
||||
| |||| 0x00400bc7 mov rax, qword [0x006020b0] ; [0x6020b0:8]=0
|
||||
| |||| 0x00400bce mov edx, 0x28 ; '(' ; 40
|
||||
| |||| 0x00400bd3 mov rsi, rax
|
||||
| |||| 0x00400bd6 mov edi, 0
|
||||
| |||| 0x00400bdb mov eax, 0
|
||||
| |||| 0x00400be0 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ,=====< 0x00400be5 jmp 0x400c52
|
||||
| ||||| ; JMP XREF from 0x00400bbb (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| ,=`----> 0x00400be7 jmp 0x400c52
|
||||
| || ||| ; JMP XREF from 0x00400ba3 (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| || ||`-> 0x00400be9 mov eax, dword [0x006020b8] ; [0x6020b8:4]=0
|
||||
| || || 0x00400bef test eax, eax
|
||||
| || ||,=< 0x00400bf1 je 0x400c1d
|
||||
| || ||| 0x00400bf3 mov edi, str.Tell_me_your_secret: ; 0x400e80 ; "Tell me your secret: "
|
||||
| || ||| 0x00400bf8 call sym.imp.puts ; int puts(const char *s)
|
||||
| || ||| 0x00400bfd mov rax, qword [0x006020a0] ; [0x6020a0:8]=0
|
||||
| || ||| 0x00400c04 mov edx, 0xfa0 ; 4000
|
||||
| || ||| 0x00400c09 mov rsi, rax
|
||||
| || ||| 0x00400c0c mov edi, 0
|
||||
| || ||| 0x00400c11 mov eax, 0
|
||||
| || ||| 0x00400c16 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ||,====< 0x00400c1b jmp 0x400c52
|
||||
| |||||| ; JMP XREF from 0x00400bf1 (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| ,=====`-> 0x00400c1d jmp 0x400c52
|
||||
| |||||| ; JMP XREF from 0x00400ba8 (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| |||||`--> 0x00400c1f mov eax, dword [0x006020bc] ; [0x6020bc:4]=0
|
||||
| ||||| 0x00400c25 test eax, eax
|
||||
| ||||| ,=< 0x00400c27 je 0x400c51
|
||||
| ||||| | 0x00400c29 mov edi, str.Tell_me_your_secret: ; 0x400e80 ; "Tell me your secret: "
|
||||
| ||||| | 0x00400c2e call sym.imp.puts ; int puts(const char *s)
|
||||
| ||||| | 0x00400c33 mov rax, qword [0x006020a8] ; [0x6020a8:8]=0
|
||||
| ||||| | 0x00400c3a mov edx, 0x61a80
|
||||
| ||||| | 0x00400c3f mov rsi, rax
|
||||
| ||||| | 0x00400c42 mov edi, 0
|
||||
| ||||| | 0x00400c47 mov eax, 0
|
||||
| ||||| | 0x00400c4c call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ||||| | ; JMP XREF from 0x00400c27 (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| ||||| `-> 0x00400c51 nop
|
||||
| ||||| ; JMP XREF from 0x00400bad (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| ||||| ; JMP XREF from 0x00400be5 (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| ||||| ; JMP XREF from 0x00400be7 (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| ||||| ; JMP XREF from 0x00400c1b (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| ||||| ; JMP XREF from 0x00400c1d (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| `````---> 0x00400c52 mov rax, qword [local_8h]
|
||||
| 0x00400c56 xor rax, qword fs:[0x28]
|
||||
| ,=< 0x00400c5f je 0x400c66
|
||||
| | 0x00400c61 call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||
| | ; JMP XREF from 0x00400c5f (sub.Which_Secret_do_you_want_to_renew_b1e)
|
||||
| `-> 0x00400c66 leave
|
||||
\ 0x00400c67 ret
|
||||
```
|
||||
|
||||
|
||||
## 漏洞利用
|
||||
|
||||
## 参考资料
|
||||
- https://ctftime.org/task/2954
|
@ -1,30 +0,0 @@
|
||||
# 6.1.21 pwn HITCONCTF2016 Sleepy_Holder
|
||||
|
||||
- [题目复现](#题目复现)
|
||||
- [题目解析](#题目解析)
|
||||
- [漏洞利用](#漏洞利用)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.21_pwn_hitconctf2016_sleepy_holder)
|
||||
|
||||
## 题目复现
|
||||
```
|
||||
$ file SleepyHolder
|
||||
SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=46f0e70abd9460828444d7f0975a8b2f2ddbad46, stripped
|
||||
$ checksec -f SleepyHolder
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.3.1 20160413.
|
||||
```
|
||||
|
||||
|
||||
## 题目解析
|
||||
|
||||
## 漏洞利用
|
||||
|
||||
## 参考资料
|
||||
- https://ctftime.org/task/4812
|
||||
- https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder
|
350
doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md
Normal file
350
doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md
Normal file
@ -0,0 +1,350 @@
|
||||
# 6.1.22 pwn HITCONCTF2016 Sleepy_Holder
|
||||
|
||||
- [题目复现](#题目复现)
|
||||
- [题目解析](#题目解析)
|
||||
- [漏洞利用](#漏洞利用)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder)
|
||||
|
||||
## 题目复现
|
||||
```
|
||||
$ file SleepyHolder
|
||||
SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=46f0e70abd9460828444d7f0975a8b2f2ddbad46, stripped
|
||||
$ checksec -f SleepyHolder
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.3.1 20160413.
|
||||
```
|
||||
64 位程序,开启了 Canary 和 NX,默认开启 ASLR。
|
||||
|
||||
在 Ubuntu-16.04 上玩一下:
|
||||
```
|
||||
$ ./SleepyHolder
|
||||
Waking Sleepy Holder up ...
|
||||
Hey! Do you have any secret?
|
||||
I can help you to hold your secrets, and no one will be able to see it :)
|
||||
1. Keep secret
|
||||
2. Wipe secret
|
||||
3. Renew secret
|
||||
1
|
||||
What secret do you want to keep?
|
||||
1. Small secret
|
||||
2. Big secret
|
||||
3. Keep a huge secret and lock it forever
|
||||
1
|
||||
Tell me your secret:
|
||||
AAAA
|
||||
1. Keep secret
|
||||
2. Wipe secret
|
||||
3. Renew secret
|
||||
1
|
||||
What secret do you want to keep?
|
||||
1. Small secret
|
||||
2. Big secret
|
||||
3. Keep a huge secret and lock it forever
|
||||
3
|
||||
Tell me your secret:
|
||||
CCCC
|
||||
1. Keep secret
|
||||
2. Wipe secret
|
||||
3. Renew secret
|
||||
3
|
||||
Which Secret do you want to renew?
|
||||
1. Small secret
|
||||
2. Big secret
|
||||
1
|
||||
Tell me your secret:
|
||||
BBBB
|
||||
1. Keep secret
|
||||
2. Wipe secret
|
||||
3. Renew secret
|
||||
2
|
||||
Which Secret do you want to wipe?
|
||||
1. Small secret
|
||||
2. Big secret
|
||||
1
|
||||
```
|
||||
这一题看起来和上一题 Secret_Holder 差不多。同样是 small、big、huge 三种 secret,不同的是这里的 huge secret 是不可修改和删除的。另外在程序开始时会 sleep 几秒钟,不知道对利用有没有帮助。
|
||||
|
||||
|
||||
## 题目解析
|
||||
下面我们逐个来逆向这些功能。
|
||||
|
||||
#### Keep secret
|
||||
```
|
||||
[0x00400850]> pdf @ sub.What_secret_do_you_want_to_keep_93d
|
||||
/ (fcn) sub.What_secret_do_you_want_to_keep_93d 452
|
||||
| sub.What_secret_do_you_want_to_keep_93d ();
|
||||
| ; var int local_14h @ rbp-0x14
|
||||
| ; var int local_10h @ rbp-0x10
|
||||
| ; var int local_8h @ rbp-0x8
|
||||
| ; CALL XREF from 0x00400e3c (main)
|
||||
| 0x0040093d push rbp
|
||||
| 0x0040093e mov rbp, rsp
|
||||
| 0x00400941 sub rsp, 0x20
|
||||
| 0x00400945 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|
||||
| 0x0040094e mov qword [local_8h], rax
|
||||
| 0x00400952 xor eax, eax
|
||||
| 0x00400954 mov edi, str.What_secret_do_you_want_to_keep ; 0x400ee8 ; "What secret do you want to keep?"
|
||||
| 0x00400959 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x0040095e mov edi, str.1._Small_secret ; 0x400f09 ; "1. Small secret"
|
||||
| 0x00400963 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400968 mov edi, str.2._Big_secret ; 0x400f19 ; "2. Big secret"
|
||||
| 0x0040096d call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400972 mov eax, dword [0x006020dc] ; [0x6020dc:4]=0
|
||||
| 0x00400978 test eax, eax
|
||||
| ,=< 0x0040097a jne 0x400986
|
||||
| | 0x0040097c mov edi, str.3._Keep_a_huge_secret_and_lock_it_forever ; 0x400f28 ; "3. Keep a huge secret and lock it forever"
|
||||
| | 0x00400981 call sym.imp.puts ; int puts(const char *s)
|
||||
| | ; JMP XREF from 0x0040097a (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| `-> 0x00400986 lea rax, [local_10h]
|
||||
| 0x0040098a mov edx, 4
|
||||
| 0x0040098f mov esi, 0
|
||||
| 0x00400994 mov rdi, rax
|
||||
| 0x00400997 call sym.imp.memset ; void *memset(void *s, int c, size_t n)
|
||||
| 0x0040099c lea rax, [local_10h]
|
||||
| 0x004009a0 mov edx, 4
|
||||
| 0x004009a5 mov rsi, rax
|
||||
| 0x004009a8 mov edi, 0
|
||||
| 0x004009ad mov eax, 0
|
||||
| 0x004009b2 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| 0x004009b7 lea rax, [local_10h]
|
||||
| 0x004009bb mov rdi, rax
|
||||
| 0x004009be call sym.imp.atoi ; int atoi(const char *str)
|
||||
| 0x004009c3 mov dword [local_14h], eax
|
||||
| 0x004009c6 mov eax, dword [local_14h]
|
||||
| 0x004009c9 cmp eax, 2 ; 2
|
||||
| ,=< 0x004009cc je 0x400a3d
|
||||
| | 0x004009ce cmp eax, 3 ; 3
|
||||
| ,==< 0x004009d1 je 0x400a96
|
||||
| || 0x004009d7 cmp eax, 1 ; 1
|
||||
| ,===< 0x004009da je 0x4009e1
|
||||
| ,====< 0x004009dc jmp 0x400aeb
|
||||
| |||| ; JMP XREF from 0x004009da (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| |`---> 0x004009e1 mov eax, dword [0x006020e0] ; [0x6020e0:4]=0
|
||||
| | || 0x004009e7 test eax, eax
|
||||
| |,===< 0x004009e9 je 0x4009f0
|
||||
| ,=====< 0x004009eb jmp 0x400aeb
|
||||
| ||||| ; JMP XREF from 0x004009e9 (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| ||`---> 0x004009f0 mov esi, 0x28 ; '(' ; 40
|
||||
| || || 0x004009f5 mov edi, 1
|
||||
| || || 0x004009fa call sym.imp.calloc ; void *calloc(size_t nmeb, size_t size)
|
||||
| || || 0x004009ff mov qword [0x006020d0], rax ; [0x6020d0:8]=0
|
||||
| || || 0x00400a06 mov dword [0x006020e0], 1 ; [0x6020e0:4]=0
|
||||
| || || 0x00400a10 mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
|
||||
| || || 0x00400a15 call sym.imp.puts ; int puts(const char *s)
|
||||
| || || 0x00400a1a mov rax, qword [0x006020d0] ; [0x6020d0:8]=0
|
||||
| || || 0x00400a21 mov edx, 0x28 ; '(' ; 40
|
||||
| || || 0x00400a26 mov rsi, rax
|
||||
| || || 0x00400a29 mov edi, 0
|
||||
| || || 0x00400a2e mov eax, 0
|
||||
| || || 0x00400a33 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ||,===< 0x00400a38 jmp 0x400aeb
|
||||
| ||||| ; JMP XREF from 0x004009cc (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| ||||`-> 0x00400a3d mov eax, dword [0x006020d8] ; [0x6020d8:4]=0
|
||||
| |||| 0x00400a43 test eax, eax
|
||||
| ||||,=< 0x00400a45 je 0x400a4c
|
||||
| ,======< 0x00400a47 jmp 0x400aeb
|
||||
| |||||| ; JMP XREF from 0x00400a45 (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| |||||`-> 0x00400a4c mov esi, 0xfa0 ; 4000
|
||||
| ||||| 0x00400a51 mov edi, 1
|
||||
| ||||| 0x00400a56 call sym.imp.calloc ; void *calloc(size_t nmeb, size_t size)
|
||||
| ||||| 0x00400a5b mov qword [0x006020c0], rax ; [0x6020c0:8]=0
|
||||
| ||||| 0x00400a62 mov dword [0x006020d8], 1 ; [0x6020d8:4]=0
|
||||
| ||||| 0x00400a6c mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
|
||||
| ||||| 0x00400a71 call sym.imp.puts ; int puts(const char *s)
|
||||
| ||||| 0x00400a76 mov rax, qword [0x006020c0] ; [0x6020c0:8]=0
|
||||
| ||||| 0x00400a7d mov edx, 0xfa0 ; 4000
|
||||
| ||||| 0x00400a82 mov rsi, rax
|
||||
| ||||| 0x00400a85 mov edi, 0
|
||||
| ||||| 0x00400a8a mov eax, 0
|
||||
| ||||| 0x00400a8f call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| |||||,=< 0x00400a94 jmp 0x400aeb
|
||||
| |||||| ; JMP XREF from 0x004009d1 (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| ||||`--> 0x00400a96 mov eax, dword [0x006020dc] ; [0x6020dc:4]=0
|
||||
| |||| | 0x00400a9c test eax, eax
|
||||
| ||||,==< 0x00400a9e je 0x400aa2
|
||||
| ,=======< 0x00400aa0 jmp 0x400aeb
|
||||
| ||||||| ; JMP XREF from 0x00400a9e (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| |||||`--> 0x00400aa2 mov esi, 0x61a80
|
||||
| ||||| | 0x00400aa7 mov edi, 1
|
||||
| ||||| | 0x00400aac call sym.imp.calloc ; void *calloc(size_t nmeb, size_t size)
|
||||
| ||||| | 0x00400ab1 mov qword [0x006020c8], rax ; [0x6020c8:8]=0
|
||||
| ||||| | 0x00400ab8 mov dword [0x006020dc], 1 ; [0x6020dc:4]=0
|
||||
| ||||| | 0x00400ac2 mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
|
||||
| ||||| | 0x00400ac7 call sym.imp.puts ; int puts(const char *s)
|
||||
| ||||| | 0x00400acc mov rax, qword [0x006020c8] ; [0x6020c8:8]=0
|
||||
| ||||| | 0x00400ad3 mov edx, 0x61a80
|
||||
| ||||| | 0x00400ad8 mov rsi, rax
|
||||
| ||||| | 0x00400adb mov edi, 0
|
||||
| ||||| | 0x00400ae0 mov eax, 0
|
||||
| ||||| | 0x00400ae5 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ||||| | 0x00400aea nop
|
||||
| ||||| | ; XREFS: JMP 0x004009dc JMP 0x004009eb JMP 0x00400a38 JMP 0x00400a47 JMP 0x00400a94 JMP 0x00400aa0
|
||||
| `````-`-> 0x00400aeb mov rax, qword [local_8h]
|
||||
| 0x00400aef xor rax, qword fs:[0x28]
|
||||
| ,=< 0x00400af8 je 0x400aff
|
||||
| | 0x00400afa call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||
| | ; JMP XREF from 0x00400af8 (sub.What_secret_do_you_want_to_keep_93d)
|
||||
| `-> 0x00400aff leave
|
||||
\ 0x00400b00 ret
|
||||
```
|
||||
|
||||
#### Wipe secret
|
||||
```
|
||||
[0x00400850]> pdf @ sub.Which_Secret_do_you_want_to_wipe_b01
|
||||
/ (fcn) sub.Which_Secret_do_you_want_to_wipe_b01 207
|
||||
| sub.Which_Secret_do_you_want_to_wipe_b01 ();
|
||||
| ; var int local_14h @ rbp-0x14
|
||||
| ; var int local_10h @ rbp-0x10
|
||||
| ; var int local_8h @ rbp-0x8
|
||||
| ; CALL XREF from 0x00400e48 (main)
|
||||
| 0x00400b01 push rbp
|
||||
| 0x00400b02 mov rbp, rsp
|
||||
| 0x00400b05 sub rsp, 0x20
|
||||
| 0x00400b09 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|
||||
| 0x00400b12 mov qword [local_8h], rax
|
||||
| 0x00400b16 xor eax, eax
|
||||
| 0x00400b18 mov edi, str.Which_Secret_do_you_want_to_wipe ; 0x400f68 ; "Which Secret do you want to wipe?"
|
||||
| 0x00400b1d call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400b22 mov edi, str.1._Small_secret ; 0x400f09 ; "1. Small secret"
|
||||
| 0x00400b27 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400b2c mov edi, str.2._Big_secret ; 0x400f19 ; "2. Big secret"
|
||||
| 0x00400b31 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400b36 lea rax, [local_10h]
|
||||
| 0x00400b3a mov edx, 4
|
||||
| 0x00400b3f mov esi, 0
|
||||
| 0x00400b44 mov rdi, rax
|
||||
| 0x00400b47 call sym.imp.memset ; void *memset(void *s, int c, size_t n)
|
||||
| 0x00400b4c lea rax, [local_10h]
|
||||
| 0x00400b50 mov edx, 4
|
||||
| 0x00400b55 mov rsi, rax
|
||||
| 0x00400b58 mov edi, 0
|
||||
| 0x00400b5d mov eax, 0
|
||||
| 0x00400b62 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| 0x00400b67 lea rax, [local_10h]
|
||||
| 0x00400b6b mov rdi, rax
|
||||
| 0x00400b6e call sym.imp.atoi ; int atoi(const char *str)
|
||||
| 0x00400b73 mov dword [local_14h], eax
|
||||
| 0x00400b76 mov eax, dword [local_14h]
|
||||
| 0x00400b79 cmp eax, 1 ; 1
|
||||
| ,=< 0x00400b7c je 0x400b85
|
||||
| | 0x00400b7e cmp eax, 2 ; 2
|
||||
| ,==< 0x00400b81 je 0x400ba0
|
||||
| ,===< 0x00400b83 jmp 0x400bba
|
||||
| ||| ; JMP XREF from 0x00400b7c (sub.Which_Secret_do_you_want_to_wipe_b01)
|
||||
| ||`-> 0x00400b85 mov rax, qword [0x006020d0] ; [0x6020d0:8]=0
|
||||
| || 0x00400b8c mov rdi, rax
|
||||
| || 0x00400b8f call sym.imp.free ; void free(void *ptr)
|
||||
| || 0x00400b94 mov dword [0x006020e0], 0 ; [0x6020e0:4]=0
|
||||
| ||,=< 0x00400b9e jmp 0x400bba
|
||||
| ||| ; JMP XREF from 0x00400b81 (sub.Which_Secret_do_you_want_to_wipe_b01)
|
||||
| |`--> 0x00400ba0 mov rax, qword [0x006020c0] ; [0x6020c0:8]=0
|
||||
| | | 0x00400ba7 mov rdi, rax
|
||||
| | | 0x00400baa call sym.imp.free ; void free(void *ptr)
|
||||
| | | 0x00400baf mov dword [0x006020d8], 0 ; [0x6020d8:4]=0
|
||||
| | | 0x00400bb9 nop
|
||||
| | | ; JMP XREF from 0x00400b83 (sub.Which_Secret_do_you_want_to_wipe_b01)
|
||||
| | | ; JMP XREF from 0x00400b9e (sub.Which_Secret_do_you_want_to_wipe_b01)
|
||||
| `-`-> 0x00400bba mov rax, qword [local_8h]
|
||||
| 0x00400bbe xor rax, qword fs:[0x28]
|
||||
| ,=< 0x00400bc7 je 0x400bce
|
||||
| | 0x00400bc9 call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||
| | ; JMP XREF from 0x00400bc7 (sub.Which_Secret_do_you_want_to_wipe_b01)
|
||||
| `-> 0x00400bce leave
|
||||
\ 0x00400bcf ret
|
||||
```
|
||||
|
||||
#### Renew secret
|
||||
```
|
||||
[0x00400850]> pdf @ sub.Which_Secret_do_you_want_to_renew_bd0
|
||||
/ (fcn) sub.Which_Secret_do_you_want_to_renew_bd0 259
|
||||
| sub.Which_Secret_do_you_want_to_renew_bd0 ();
|
||||
| ; var int local_14h @ rbp-0x14
|
||||
| ; var int local_10h @ rbp-0x10
|
||||
| ; var int local_8h @ rbp-0x8
|
||||
| ; CALL XREF from 0x00400e54 (main)
|
||||
| 0x00400bd0 push rbp
|
||||
| 0x00400bd1 mov rbp, rsp
|
||||
| 0x00400bd4 sub rsp, 0x20
|
||||
| 0x00400bd8 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
|
||||
| 0x00400be1 mov qword [local_8h], rax
|
||||
| 0x00400be5 xor eax, eax
|
||||
| 0x00400be7 mov edi, str.Which_Secret_do_you_want_to_renew ; 0x400f90 ; "Which Secret do you want to renew?"
|
||||
| 0x00400bec call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400bf1 mov edi, str.1._Small_secret ; 0x400f09 ; "1. Small secret"
|
||||
| 0x00400bf6 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400bfb mov edi, str.2._Big_secret ; 0x400f19 ; "2. Big secret"
|
||||
| 0x00400c00 call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00400c05 lea rax, [local_10h]
|
||||
| 0x00400c09 mov edx, 4
|
||||
| 0x00400c0e mov esi, 0
|
||||
| 0x00400c13 mov rdi, rax
|
||||
| 0x00400c16 call sym.imp.memset ; void *memset(void *s, int c, size_t n)
|
||||
| 0x00400c1b lea rax, [local_10h]
|
||||
| 0x00400c1f mov edx, 4
|
||||
| 0x00400c24 mov rsi, rax
|
||||
| 0x00400c27 mov edi, 0
|
||||
| 0x00400c2c mov eax, 0
|
||||
| 0x00400c31 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| 0x00400c36 lea rax, [local_10h]
|
||||
| 0x00400c3a mov rdi, rax
|
||||
| 0x00400c3d call sym.imp.atoi ; int atoi(const char *str)
|
||||
| 0x00400c42 mov dword [local_14h], eax
|
||||
| 0x00400c45 mov eax, dword [local_14h]
|
||||
| 0x00400c48 cmp eax, 1 ; 1
|
||||
| ,=< 0x00400c4b je 0x400c54
|
||||
| | 0x00400c4d cmp eax, 2 ; 2
|
||||
| ,==< 0x00400c50 je 0x400c8a
|
||||
| ,===< 0x00400c52 jmp 0x400cbd
|
||||
| ||| ; JMP XREF from 0x00400c4b (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| ||`-> 0x00400c54 mov eax, dword [0x006020e0] ; [0x6020e0:4]=0
|
||||
| || 0x00400c5a test eax, eax
|
||||
| ||,=< 0x00400c5c je 0x400c88
|
||||
| ||| 0x00400c5e mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
|
||||
| ||| 0x00400c63 call sym.imp.puts ; int puts(const char *s)
|
||||
| ||| 0x00400c68 mov rax, qword [0x006020d0] ; [0x6020d0:8]=0
|
||||
| ||| 0x00400c6f mov edx, 0x28 ; '(' ; 40
|
||||
| ||| 0x00400c74 mov rsi, rax
|
||||
| ||| 0x00400c77 mov edi, 0
|
||||
| ||| 0x00400c7c mov eax, 0
|
||||
| ||| 0x00400c81 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ,====< 0x00400c86 jmp 0x400cbd
|
||||
| |||| ; JMP XREF from 0x00400c5c (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| ,===`-> 0x00400c88 jmp 0x400cbd
|
||||
| |||| ; JMP XREF from 0x00400c50 (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| |||`--> 0x00400c8a mov eax, dword [0x006020d8] ; [0x6020d8:4]=0
|
||||
| ||| 0x00400c90 test eax, eax
|
||||
| ||| ,=< 0x00400c92 je 0x400cbc
|
||||
| ||| | 0x00400c94 mov edi, str.Tell_me_your_secret: ; 0x400f52 ; "Tell me your secret: "
|
||||
| ||| | 0x00400c99 call sym.imp.puts ; int puts(const char *s)
|
||||
| ||| | 0x00400c9e mov rax, qword [0x006020c0] ; [0x6020c0:8]=0
|
||||
| ||| | 0x00400ca5 mov edx, 0xfa0 ; 4000
|
||||
| ||| | 0x00400caa mov rsi, rax
|
||||
| ||| | 0x00400cad mov edi, 0
|
||||
| ||| | 0x00400cb2 mov eax, 0
|
||||
| ||| | 0x00400cb7 call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
|
||||
| ||| | ; JMP XREF from 0x00400c92 (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| ||| `-> 0x00400cbc nop
|
||||
| ||| ; JMP XREF from 0x00400c52 (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| ||| ; JMP XREF from 0x00400c86 (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| ||| ; JMP XREF from 0x00400c88 (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| ```---> 0x00400cbd mov rax, qword [local_8h]
|
||||
| 0x00400cc1 xor rax, qword fs:[0x28]
|
||||
| ,=< 0x00400cca je 0x400cd1
|
||||
| | 0x00400ccc call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
|
||||
| | ; JMP XREF from 0x00400cca (sub.Which_Secret_do_you_want_to_renew_bd0)
|
||||
| `-> 0x00400cd1 leave
|
||||
\ 0x00400cd2 ret
|
||||
```
|
||||
|
||||
|
||||
## 漏洞利用
|
||||
|
||||
## 参考资料
|
||||
- https://ctftime.org/task/4812
|
||||
- https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder
|
@ -1,4 +1,4 @@
|
||||
# 6.1.22 pwn BCTF2016 bcloud
|
||||
# 6.1.23 pwn BCTF2016 bcloud
|
||||
|
||||
- [题目复现](#题目复现)
|
||||
- [题目解析](#题目解析)
|
||||
@ -6,7 +6,7 @@
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.22_pwn_bctf2016_bcloud)
|
||||
[下载文件](../src/writeup/6.1.23_pwn_bctf2016_bcloud)
|
||||
|
||||
## 题目复现
|
||||
```
|
@ -21,8 +21,9 @@
|
||||
* [6.1.18 pwn HITBCTF2017 Sentosa](6.1.18_pwn_hitbctf2017_sentosa.md)
|
||||
* [6.1.19 pwn HITBCTF2018 gundam](6.1.19_pwn_hitbctf2018_gundam.md)
|
||||
* [6.1.20 pwn 33C3CTF2016 babyfengshui](6.1.20_pwn_33c3ctf2016_babyfengshui.md)
|
||||
* [6.1.21 pwn HITCONCTF2016 Sleepy_Holder](6.1.21_pwn_hitconctf2016_sleepy_holder.md)
|
||||
* [6.1.22 pwn BCTF2016 bcloud](6.1.22_pwn_bctf2016_bcloud.md)
|
||||
* [6.1.21 pwn HITCONCTF2016 Secret_Holder](6.1.21_pwn_hitconctf2016_secret_holder.md)
|
||||
* [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](6.1.22_pwn_hitconctf2016_sleepy_holder.md)
|
||||
* [6.1.23 pwn BCTF2016 bcloud](6.1.23_pwn_bctf2016_bcloud.md)
|
||||
* Reverse
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||
|
BIN
src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/SecretHolder
Executable file
BIN
src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/SecretHolder
Executable file
Binary file not shown.
BIN
src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/libc.so.6
Executable file
BIN
src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/libc.so.6
Executable file
Binary file not shown.
Loading…
Reference in New Issue
Block a user