From 66891939943813f4accf2fb3530bdc9bf75bd033 Mon Sep 17 00:00:00 2001
From: firmianay
Date: Sun, 19 Nov 2017 15:04:12 +0800
Subject: [PATCH] add 6.4

---
 README.md | 3 ++-
 SUMMARY.md | 3 ++-
 doc/6.4_pwn_0ctf2015_freenote.md | 1 -
 doc/6.4_pwn_njctf2017_233.md | 33 +++++++++++++++++++++++
 doc/6.5_pwn_0ctf2015_freenote.md | 1 +
 doc/6_writeup.md | 3 ++-
 src/writeup/6.4_pwn_njctf2017_233/233 | Bin 0 -> 7318 bytes
 src/writeup/6.4_pwn_njctf2017_233/run.sh | 1 +
 8 files changed, 41 insertions(+), 4 deletions(-)
 delete mode 100644 doc/6.4_pwn_0ctf2015_freenote.md
 create mode 100644 doc/6.4_pwn_njctf2017_233.md
 create mode 100644 doc/6.5_pwn_0ctf2015_freenote.md
 create mode 100755 src/writeup/6.4_pwn_njctf2017_233/233
 create mode 100755 src/writeup/6.4_pwn_njctf2017_233/run.sh

diff --git a/README.md b/README.md
index 2c58ba7..06d2eff 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,8 @@
 - [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
 - [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
 - [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
-- [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md)
+- [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
+- [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
 - [七、附录](doc/7_appendix.md)
 - [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
diff --git a/SUMMARY.md b/SUMMARY.md
index 73fc4d2..2e6e148 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -66,7 +66,8 @@
 * [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md)
 * [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md)
 * [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md)
-* [6.4 pwn 0ctf2015 freenote](doc/6.4_pwn_0ctf2015_freenote.md)
+* [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md)
+* [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md)
 * [七、附录](doc/7_appendix.md)
 * [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md)
 * [7.2 更多 Windows 工具](doc/7.2_wintools.md)
diff --git a/doc/6.4_pwn_0ctf2015_freenote.md b/doc/6.4_pwn_0ctf2015_freenote.md deleted file mode 100644 index 1d9ca32..0000000 --- a/doc/6.4_pwn_0ctf2015_freenote.md +++ /dev/null @@ -1 +0,0 @@ -# 6.4 pwn 0ctf2015 freenote diff --git a/doc/6.4_pwn_njctf2017_233.md b/doc/6.4_pwn_njctf2017_233.md new file mode 100644 index 0000000..e695a0b --- /dev/null +++ b/doc/6.4_pwn_njctf2017_233.md @@ -0,0 +1,33 @@ +# 6.4 pwn njctf2017 233 + +- [题目复现](#题目复现) +- [SROP 原理及题目解析](#srop-原理及题目解析) +- [Exploit](#exploit) +- [参考资料](#参考资料) + + +## 题目复现 +在 6.1 中我们看到了 blind ROP,这一节中再来看一种 ROP 技术,Sigreturn Oriented Programming。 + +checksec 如下: +``` +$ checksec -f 233 +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 233 +``` +把程序运行起来: +``` +$ socat tcp4-listen:10001,reuseaddr,fork exec:./233 +``` + + +## SROP 原理及题目解析 + +## Exploit +完整的 exp 如下,其他文件放在了[github](../src/writeup/6.4_pwn_njctf2017_233)相应文件夹中: + + +## 参考资料 +- [Framing Signals—A Return to Portable Shellcode](http://www.ieee-security.org/TC/SP2014/papers/FramingSignals-AReturntoPortableShellcode.pdf) +- [slides: Framing Signals a return to portable shellcode](https://tc.gtisc.gatech.edu/bss/2014/r/srop-slides.pdf) +- [Sigreturn Oriented Programming](https://www.slideshare.net/AngelBoy1/sigreturn-ori) diff --git a/doc/6.5_pwn_0ctf2015_freenote.md b/doc/6.5_pwn_0ctf2015_freenote.md new file mode 100644 index 0000000..f220569 --- /dev/null +++ b/doc/6.5_pwn_0ctf2015_freenote.md @@ -0,0 +1 @@ +# 6.5 pwn 0ctf2015 freenote diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 5f160cc..7326414 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md 
@@ -3,4 +3,5 @@
 - [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md)
 - [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md)
 - [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md)
-- [6.4 pwn 0ctf2015 freenote](./6.4_pwn_0ctf2015_freenote.md)
+- [6.4 pwn njctf2017 233](./6.4_pwn_njctf2017_233.md)
+- [6.5 pwn 0ctf2015 freenote](./6.5_pwn_0ctf2015_freenote.md)
diff --git a/src/writeup/6.4_pwn_njctf2017_233/233 b/src/writeup/6.4_pwn_njctf2017_233/233 new file mode 100755 index 0000000000000000000000000000000000000000..5a039dd0fb027a3390e53401ce1819c2dc97dd7f GIT binary patch literal 7318 zcmeHMeQcA*89&Dc+!0JjQ$Dltin=WnaFdWBC~S-K!Pi2dAwV|-FHY>l9*&*auSBa$4cRhJX{v=G9uUjLXT@SM z6Is-0Hc)^(19>P04=4w$`9WYZb;yWd(T zp&y2xJPu5zo^_DJu-9A_X@>eIXmIG(&H1-$v9$W_bwl zL^RU+L^QZM8i}R4eaX15O6gdZ`pr$d@vokPJ{N*nwhYX^qkgF5aR2#Jub%bgy8ijb zM=OVZ@m%mabq|2)gMH-=iWS7O!KB)TUyYvo@TH@#fBD1yD_?)Q{Lry)A61&k|HYF@ zQHu0_8#a*k+VC=@du-T1dW{XU{EIehAidOvssD}*8%Q^R-AsT=!~*d&WU)a+yih(% zF~)}dF;C1DjgXV}3q=j^26S32WT}`V1p2y-eY{qfTX&dAD;SBHsbnZ95}`m)1gv;O zm}Xmdz-*7i0@28k5FpFIG?1{&&Ojt4%uq031)yk6CRIMNVnKLp*=`0yiBLx*X@wFk z+v}q7Sg0k?8l{(x&Umcg#T4eYXUyh;U0pPgOoo!G_n8OUzjjX68u0#GEZ* z{*AmTaXGO;dtQ zC~zxN?j2}9see;Z`^nvXH+JPvHh+BJdvKHMcQ`%96Z`R)T;Hci~ zqO%Wf-pHPP6q(B3Ug>YH^7q`i8Y)uWOxg>H`aPNSMx^>&-rO5^^ZDF5m|sfQAj_dz z%7$fs@)$Cdzgg1XJB#G=WzsG{xOpg(u7Cwnv$HQVPd=9PF!Bf>9}PX79yM~8P|fjy zXW`&-z1Pjjo2~cGXX`J!*eH=JgN4jPqqZQO*?;Ffbo2C-_8LJP<8h?&JlEI14#{9w@TjJcn&}Eb!MCJ96E71~0Xcy!O zNXF?PBqNjLIMOT}N8OGk#V*&2m@5YI7?ouxe-Ki5+?zbb+vd);T;1YJi#I%8&{sB*k|B|QJf7#>qzw2>v!khw^pshtLJ5AF)Fx>;wJuuw^(>?J2)&tnDzKOjk z3Cpi!?kcxn4aKHd+=3oE3%Mu8-c+vb*gMI+G1qCBiND{?$6rTby6MM)i6Y_}@Mj>0 z!2HJIn)(o!#Qnk`_P$(OxnJO3fS<|>zy=&LeFaAR2HFDV_pckwjVtM2`Fxyh#nK-C zA?&bBOFRa70{A0Hw(EZ-eg|uM9tFPvehvH<_!8Jo{C={N%fL5hUEPz$^4+ben3XcB zed~PHtE*BHRX$r;?W?F>p>ppvtXf^UzF?_rs)X<*dpfN^E2NcBGOSaP7`~*sgfAAi zLOy@(*40*^qkuYMDPL4yG7^tX0VZ^bP?Yv6 z(G|6XFA|I3-wJi(AK!oxsN(W-&ld`t?TJ8V$P5QjQX^Hu3?veP9#ul8zt#pbI1hA2 z+E8&E4wWN(HVR)`yt6YDv+N!FU($?4#sFi;epaH3QAc_hj880Sr_VGDU`={>E0Lk? 
zxDO?JwGpJYt4I1a;*0e%=E?lxC`=(~N82VagsimdhcTIR zMiXsG2f&PT`eTffIsbIM%qJfLb6zmbxk2Wah`nAwaRiKyU|EK9jm){G{qY$%=h9$p z$GJ&fUa;ePLff4{nr&r0e0Pu^Mp_f?NH2i3T^BOR2dO9!`-HYHfwdja)5y#CPz9nL z>6>6}$9EN3e_K#bU!?DXX-5}s476mVHEFxokfH7DXI!7OJ8QGs2!CYeY101ABLl~6 za*XAf9Dvr*R;S-bdTzmv=MICPV)tvtOAV@8m%=g5OS>*go0^xJFP>O^g(&6kggyA(Qdm+ z%74~H=2}2sns&qPV+|l_L!z{Whq#KxrUn&rj;sQ+4JayO+3v3#i`fxdLG2Hw_YmJR zBz4M*lamRo9Ppi?^r{BF8x&SOaBTvsS=L{u*C|Iz&1q$iU;=UOlAMK}<{VX+Gg8R8 zs4!PrHRlvor<$Bw3Uj8aIixUGb~RTNMsR>QCrC~iiRiBh%$`#*PU)1RqV@y|bEQ^$ z0)@F^tN2t{%}Bk@Itx1i#+%a5R|!K2r`!ps_)&Vj@@xH~iE(F+OZ+9zC**t}Iq(MH zp2aA<%!;s+@c|#SVL!0m_fWqVnDNRXa$u*?4#{~)a$pCNWr7n5MEh?+az2wB*r~j& zlJcMJDGc=lK9AIBp+6nyzae0Id!=FFkL9l*t?TDbi1SbPp9B5(S72Q~^)pbR?oWr9 zFO~q0p}h<-p7pM@HHf3N!G;asy}%{tABIe6(Hzl9Jry7WbD{f}&VX8#n}RnX5XS|HvBwx3=9#%9m<-UfaS^#zdT^YHw&xKLi6 zeFJliAW>fm%y?!N&%zfG8`QG>3&kVA_OtNEfi)ROe9?wkf0L~|+xu0Up7s_n*E~`w zSN^tym9$dr?Y=e~cWh31F3F-jZ#-MWQBshwVz*K3D5U2;%R+E?YnRiZzXz!+NlLoot-@>VnZf3cvDQP z)~t~&-qh^h-e5K~)uYL({W?9R2+sNIztZI2zO@ckHjTU>5a#B_9ku>ObH}DlyBb=| z7JqGH1Kr6xgtlZ#wp3m=)YMEK<^SiKgYI=}eH|go>}oTua4L4l*V-+(lbpDFP}dQ1 zw>tImVzLfi9iZ!Mr9N>XVFr_NGaQHod08>_YUG|9kV&@{_D5r96mCKaozdQ9h7ZGJ g@}fjtpxo#7gI6z8{o?*aj|MMRbiho#R*`l78)y^u7ytkO literal 0 HcmV?d00001 diff --git a/src/writeup/6.4_pwn_njctf2017_233/run.sh b/src/writeup/6.4_pwn_njctf2017_233/run.sh new file mode 100755 index 0000000..a0396e2 --- /dev/null +++ b/src/writeup/6.4_pwn_njctf2017_233/run.sh @@ -0,0 +1 @@ +socat tcp4-listen:10001,reuseaddr,fork exec:./233
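Review bot: The new run.sh listens with `tcp4-listen:10001,reuseaddr,fork` and no `bind=` option, so socat accepts connections on every IPv4 interface of the host, and the `fork` option gives each remote client its own instance of the challenge binary — the accompanying doc in this commit shows that binary with "No canary found", so it should not be reachable beyond the lab machine by default. Restricting the listener to loopback is a one-token change, `socat tcp4-listen:10001,reuseaddr,fork,bind=127.0.0.1 exec:./233`, and a reader who wants to expose it can drop the option deliberately. The script also has no shebang and uses the relative path `exec:./233`, so it only works when invoked from its own directory; adding `#!/usr/bin/env bash` and `cd "$(dirname "$0")" || exit 1` before the socat line makes the executable mode bit set by this commit meaningful.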