From 69b85812eb6febe0d4ddc96bd5d1e31f8b7d6df1 Mon Sep 17 00:00:00 2001
From: firmianay
Date: Fri, 16 Mar 2018 21:04:38 +0800
Subject: [PATCH] add 6.1.12
---
 SUMMARY.md | 1 +
 doc/6.1.12_n1ctf2018_vote.md | 42 +++++
 doc/6.1.5_pwn_grehackctf2017_beerfighter.md | 5 +
 doc/6.1.9_rhme3_exploitation.md | 2 +-
 doc/6.2.2_re_ectf2016_tayy.md | 2 +-
 doc/6_writeup.md | 1 +
 src/writeup/6.1.12_n1ctf2018_vote/run.sh | 1 +
 src/writeup/6.1.12_n1ctf2018_vote/vote | Bin 0 -> 10544 bytes
 src/writeup/6.1.12_n1ctf2018_vote/vote.c | 173 ++++++++++++++++++++
 9 files changed, 225 insertions(+), 2 deletions(-)
 create mode 100644 doc/6.1.12_n1ctf2018_vote.md
 create mode 100644 src/writeup/6.1.12_n1ctf2018_vote/run.sh
 create mode 100644 src/writeup/6.1.12_n1ctf2018_vote/vote
 create mode 100644 src/writeup/6.1.12_n1ctf2018_vote/vote.c
diff --git a/SUMMARY.md b/SUMMARY.md
index 017f619..1ff8630 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -118,6 +118,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
 * [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
 * [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
 * [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
+ * [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_n1ctf2018_vote.md)
 * re
 * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
 * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
diff --git a/doc/6.1.12_n1ctf2018_vote.md b/doc/6.1.12_n1ctf2018_vote.md
new file mode 100644
index 0000000..a06c70d
--- /dev/null
+++ b/doc/6.1.12_n1ctf2018_vote.md
@@ -0,0 +1,42 @@
+# 6.1.12 pwn N1CTF2018 vote
+
+- [题目复现](#题目复现)
+- [题目解析](#题目解析)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/writeup/6.1.12_n1ctf2018_vote)
+
+## 题目复现
+这个题目给了二进制文件和 libc:
+```
+$ file vote
+vote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=53266adcfdcb7b21a01e9f2a1cb0396b818bfba3, stripped
+$ checksec -f vote
+RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
+Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 vote
+```
+看起来就是个堆利用的问题:
+```
+$ ./vote
+0: Create
+1: Show
+2: Vote
+3: Result
+4: Cancel
+5: Exit
+Action: 
+```
+
+然后就可以把它运行起来了:
+```
+$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &
+```
+
+
+## 题目解析
+#### Exploit
+
+
+## 参考资料
+https://ctftime.org/task/5490
diff --git a/doc/6.1.5_pwn_grehackctf2017_beerfighter.md b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md
index 598b9bc..1ff6e9e 100644
--- a/doc/6.1.5_pwn_grehackctf2017_beerfighter.md
+++ b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md
@@ -2,6 +2,7 @@
 - [题目解析](#题目解析)
 - [Exploit](#exploit)
+- [参考资料](#参考资料)
 [下载文件](../src/writeup/6.1.5_pwn_grehackctf2017_beerfighter)
@@ -182,3 +183,7 @@ payload_2 += str(frame_2)
 io.sendline(payload_2)
 io.interactive()
 ```
+
+
+## 参考资料
+https://ctftime.org/task/4939
diff --git a/doc/6.1.9_rhme3_exploitation.md b/doc/6.1.9_rhme3_exploitation.md
index 13704a3..eb4ee79 100644
--- a/doc/6.1.9_rhme3_exploitation.md
+++ b/doc/6.1.9_rhme3_exploitation.md
@@ -970,4 +970,4 @@ p.interactive()
 ## 参考资料
-- [Exploitation](https://ctftime.org/task/4528)
+https://ctftime.org/task/4528
diff --git a/doc/6.2.2_re_ectf2016_tayy.md b/doc/6.2.2_re_ectf2016_tayy.md
index 350c597..1831873 100644
--- a/doc/6.2.2_re_ectf2016_tayy.md
+++ b/doc/6.2.2_re_ectf2016_tayy.md
@@ -4,7 +4,7 @@
 - [参考资料](#参考资料)
-章节 4.5 中讲解了 Z3 约束求解器的基本使用方法,通过这一题,我们可以更进一步地熟悉它。
+章节 5.8.1 中讲解了 Z3 约束求解器的基本使用方法,通过这一题,我们可以更进一步地熟悉它。
 [下载文件](../src/writeup/6.2.2_re_ectf2016_tayy)
diff --git a/doc/6_writeup.md b/doc/6_writeup.md
index 4484a27..789a61f 100644
--- a/doc/6_writeup.md
+++ b/doc/6_writeup.md
@@ -12,6 +12,7 @@
 - [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
 - [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
 - [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
+ - [6.1.12 pwn N1CTF2018 vote](6.1.12_n1ctf2018_vote.md)
 - re
 - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
 - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
diff --git a/src/writeup/6.1.12_n1ctf2018_vote/run.sh b/src/writeup/6.1.12_n1ctf2018_vote/run.sh
new file mode 100644
index 0000000..37495cc
--- /dev/null
+++ b/src/writeup/6.1.12_n1ctf2018_vote/run.sh
@@ -0,0 +1 @@
+socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &
\ No newline at end of file
diff --git a/src/writeup/6.1.12_n1ctf2018_vote/vote b/src/writeup/6.1.12_n1ctf2018_vote/vote new file mode 100644 index 0000000000000000000000000000000000000000..90543dfd8c7dda72757ef25ecfb4bf28f169b683 GIT binary patch literal 10544 zcmeHNdu&tJ89#Pn2!YyW4J88#myOW0T3m;QG=z>i0mBW0jzOSZY3i8RAqL0J{D6dt zHq;5K>xM>siFTWy4^3UQX{f8J78PP1C2VCHp!Fe*c2P$=yR=m*D9cvB`+eu0dYT2fLBY zVB>(8a5%VzsK!Y;BtlDCAnfu$^Kn!eHK5Aq;Ebd*G#DAQCVNPf@(nkKU^QAXRTCv; zOyL0eQD50iE`l~{jG#%;58f%RQTUl)@+%g8#ll|F0nsr@<@ji9bkvKu^+pFIk{v|Y z5`G@0WJ_(;ClL?v{vs}dIyfU~mj*LQrQeU>$Hyo1|BhIN!D^9jta)K_UIZ1xWw-i$ z8!9Vq^?S6u64^{02$fF!SP!oAucuJ zJQ_Y3xWX+)p4LMg&HnW<@I7PTnKAIoW8eqIz)z2XyT`!Kje$?Z{3y`nw&wthHr{u} zz#kd||LYid8E^$hZuxN|(nQ@^18nBi>N`%EkU*z+3O$;P*1u@-42_Lb2HI4u`#A z&3;ttts!5;%P2Av8C*?}fFWlSWvgV(&HiY(g?Zb35$1CF!oj8m3tZtQcc7U?e67gn z3P;>cn_W#Un_bOrpPz*z9$x_Gkl!0%t=`tKH$qr28ey$&zdzW-+&MA*@dk68?*jHvl?Ng?eTETHn|??UPJqkY;rviPWzB-#bTX|2Ozq}Rf-N5 zTPVj%b-3KaNnzLF`ukj!4%hGV4joRpWm9#yT+^gmrNc3i*>;Z(FU+EhHR|w*I=n@P zPtxISI^3+o+jY1_hj;35Swm7kqQhx#maSKZUoSz>-8x*{I=ObQ4xgg4e_4l%M+UA{ zW1knO3Dbu+C`|26Mog(6pqgszXu%Q9IWzw>RGE@L;cS`Z07r5QDboWPw36SGOiLhr zlFNrlrqZXAT;5M|9?AQ-{3^+`1k!uC{0hlb`gAXsUm%%Ep6=xGb0kx#(`{USf@CUj zx{=F|l1!yduj2B!L@>)2i0_a%7G1D$UhVwjApLHg6>`oRnoqG~~*S>aPjV-UUI|`## z9deAZbF&r;T;?4?NJl?C8c}{oI~YFwZ}QQ zpBDK+96Z~3atC^lP)h$YO$h+v*YTdM9P+5QP2y2-AwL0!k-h87gKO$u*d|Q%)QzT- zYNF`f&e@Hq;9-NhTa6dJO%gAn=DP-EEADp=z>}qajZ?xo0K-K7+XJ*ByOWmgCxQ0u z#Vn=1LYKI2ssu%kJI}_ppJkR^55r&wI9xOjbtHf$t(2=j6{Io6Q5-5zKddk^Vtei> z(3Zg>Zjjg4N70`|ba+#CteV(i)bN-Ze?PT{2Bh^0IEFwyJ72oZje_^dN*Ct`wOAU&ie!3WHNp4Q~v9-qgw_p-hBq=*a12-%OlUA z@0wt-JRXOT;QA3$6^UF0#*)~5?N`Bxf~%mORaUi!_pdJgRbBkJ8b7sv5ZyXRw_i-A zHtz@iNsEG;(FB`mkzq<{VQ9+>3!?)z!^JJtPeQ6Zsg3m}IBF5sgNr-Q#I~Pd?LWcU z^3djl^UTO`{dgpju=3>;w~mCfRc)b8#`B=V|Dkn0 zrSJS(08z-&|Gto~!n2t~o>0@zRQ9tJ1zDJ1LdtO#7fd1*u~EL~SHx-7~EhAmJ7#O0mU@=KVi^_fAXYVlCo7La4Z)CGs5Wm!lU)!{+CQK*H3e(n_5!TtYW}-|pfuw$lpnY>G z=P4Af&rV!FaaF_}AkIPDZ;4w@+%Ji%CvFdM_YwCua9GwCXn0-#+VJ`iTX$1S^8R1w 
zPDTqgeS(kjLTtz&ksqS+2`3PvM3!Jnb3E`G5t{_cvK>CRoC9=e>D`s3Fa zRrePWrTowG`C>)CKUIti&^+Y|#W@tR&2o7I#>oH$4xtS1XIPSJConWlc+PE1OrX ztPA4R^tNhcwKp8~M_2`H+<_*qpUtmUob-ZP(-iRq14vrpVYMAzW|*G0kS3WP9*>j05?Z*}BwRyxcNzYe6TwbK1gNZkzKR3PCn_Y-MJQ^HBn7%+{U8#n+89 zb|bT<_W*8(e)S0b%B-HAWM6@PkzU`y)ja-7z>h=UsMj0UXZ?=?FTi}>q1SKK{O15W zi(?M-@9Fi=cLYzj#!Lqs5uFb%; z8MrnB*Jj|_4E$fsz^aK3J|4TEa&UBOrIt&h8qDN3U+V-1N94EjF1&(M%YGZj=P+v1 z`5Dh4f=-jN(9?aLn$&-NB@-lhx6wf)`f%A@A1clzkKeK-_)maD?F=@cW_SPOvtj|s<5LEu+(IJJcjb|>>cOeI37p2 zEb|Tud6Up{qyNE4{*IlSYN@E}IzgKS-6H5tL7x%y7lOVn=rKXx6ZBI-FA6%Y(7{vQ zAn05{D+OID=sH201JFS#Jy2S8v{|>hNurear->XMiO3# zTA0n#5eRp*YBUnkG+Vr(Fy3`W2rlSCUcZ|h1lNZ5B&5WS#Vlt0XJ zZZ^((|A^7S@rVdGhfBk!T>lEF@TwG)`Q`qyTL7iPm41MsR-lpWncl%@4y1q5=zxUx zQUSCHO8XOyUHZ#?U@0)#d!)bI&+HY;B))`e2%~Tza;tpN;E(EmOKByfl{A;5MSb`4Hj|2=$nnc<>r4A zN;8h^{aZXg$p2r;wa=B`hOb5EUm*Mo=wl~Zu6?e23O3Y#nV){{qh|dN{plMEtzGFa z@4xc@%LXVonq1#9zg!28K&Q_y|9@d<7Iz!7|1!>Ba{QUns5vSc*{6~0S^7zuf<~Wz zpYY$OXfCp!GJy1x@|R!;ljBbc|D>W>IK=ohi7^37k(~!eCiX0%G16b|e^M>O>8Z>u SZHQh_H0hE?vS;Zhfqwxc;5&){ literal 0 HcmV?d00001 diff --git a/src/writeup/6.1.12_n1ctf2018_vote/vote.c b/src/writeup/6.1.12_n1ctf2018_vote/vote.c new file mode 100644 index 0000000..5bc220c --- /dev/null +++ b/src/writeup/6.1.12_n1ctf2018_vote/vote.c 
@@ -0,0 +1,173 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define MAX 0x10
+
+char *users[MAX];
+long counts[MAX];
+int vote_num;
+
+void read_until_nl_or_max(char *dst, size_t len) {
+ size_t i = 0;
+ for (;;) {
+ if (read(0, &dst[i], 1) == -1)
+ exit(1);
+ if (dst[i] == '\n') {
+ dst[i] = '\0';
+ return;
+ }
+ i++;
+ if (i >= len) {
+ dst[i - 1] = '\0';
+ return;
+ }
+ }
+}
+
+void puts_heapless(char *str) {
+ write(1, str, strlen(str));
+ write(1, "\n", 1);
+ fflush(stdout);
+}
+
+void print(char *str) {
+ write(1, str, strlen(str));
+ fflush(stdout);
+}
+
+int read_int() {
+ char tmp[8];
+ memset(tmp, 0, 8);
+ read_until_nl_or_max(tmp, 8);
+ return atoi(tmp);
+}
+
+void *vote_thread(void *arg) {
+ sleep(3);
+ ++(counts[vote_num]);
+ return NULL;
+}
+
+void create() {
+ int size;
+ char *user;
+ int i;
+ for (i = 0; i < MAX; i++) {
+ if (users[i] == NULL) {
+ print("Please enter the name's size: ");
+ size = read_int();
+ if (size > 0 && size <= 0x1000) {
+ user = (char *)malloc(size + 0x10);
+ *(long *)(user) = 0;
+ *(long *)(&user[8]) = time(NULL);
+ print("Please enter the name: ");
+ read_until_nl_or_max(&user[16], size);
+ users[i] = user;
+ }
+ return;
+ }
+ }
+}
+
+void show() {
+ int index;
+ char tmp[266];
+ memset(tmp, 0, 266);
+ print("Please enter the index: ");
+ index = read_int();
+ if (index >= 0 && index < MAX && users[index] != NULL) {
+ snprintf(tmp, 256, "name: %s\ncount: %lu\ntime: %lu", &users[index][16], *(long *)(users[index]), *(long *)(&users[index][8]));
+ puts_heapless(tmp);
+ }
+}
+
+void vote() {
+ int index;
+ pthread_t id;
+ print("Please enter the index: ");
+ index = read_int();
+ if (index >= 0 && index < MAX && users[index] != NULL) {
+ ++(*(long *)(users[index]));
+ *(long *)(&users[index][8]) = time(NULL);
+ vote_num = index;
+ pthread_create(&id, NULL, &vote_thread, NULL);
+ }
+}
+
+void result() {
+ int i;
+ char tmp[266];
+ memset(tmp, 0, 266);
+ for (i = 0; i < MAX; i++) {
+ if (counts[i] != 0) {
+ snprintf(tmp, 256, "%d\t->\t%lu", i, counts[i]);
+ puts_heapless(tmp);
+ fflush(stdout);
+ }
+ }
+}
+
+void cancel() {
+ int index;
+ print("Please enter the index: ");
+ index = read_int();
+ if (index >= 0 && index < MAX && users[index] != NULL) {
+ --(counts[index]);
+ --(*(long *)(users[index]));
+ if (counts[index] == *(long *)(users[index])) {
+ if (counts[index] < 0) {
+ free(users[index]);
+ }
+ return;
+ }
+ if (counts[index] < 0) {
+ printf("%s", &users[vote_num][16]);
+ fflush(stdout);
+ puts_heapless(" has freed");
+ free(users[index]);
+ users[index] = 0;
+ }
+ }
+}
+
+int main(void) {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ int c;
+ alarm(30);
+ for (;;) {
+ puts_heapless("0: Create");
+ puts_heapless("1: Show");
+ puts_heapless("2: Vote");
+ puts_heapless("3: Result");
+ puts_heapless("4: Cancel");
+ puts_heapless("5: Exit");
+ print("Action: ");
+ if (scanf("%d", &c) == EOF)
+ exit(1);
+ if (c == 0) {
+ create();
+ }
+ if (c == 1) {
+ show();
+ }
+ if (c == 2) {
+ vote();
+ }
+ if (c == 3) {
+ result();
+ }
+ if (c == 4) {
+ cancel();
+ }
+ if (c == 5) {
+ puts_heapless("Bye");
+ exit(0);
+ }
+ }
+ return 0;
+}
\ No newline at end of file
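Review bot: In `cancel()`, the first branch calls `free(users[index])` but, unlike the second branch a few lines below, never clears the table slot, so `users[index]` keeps pointing at released memory and the `users[index] != NULL` guards in `show()`, `vote()` and `cancel()` will keep treating that slot as live; the fix is to add `users[index] = 0;` right after that `free` so both branches behave the same. The second branch also prints `&users[vote_num][16]` where `index` is clearly meant, and `vote_num` is a plain global that `vote()` overwrites while an earlier `vote_thread` is still sleeping before it reads it, so the deferred `++(counts[vote_num])` can land on whichever slot was voted on most recently rather than the one that spawned the thread; passing the index through the thread's `arg` parameter (which is currently unused) instead of a shared global would make the update deterministic. The `pthread_t id` returned by `pthread_create` is neither joined nor detached, so each vote leaks a thread handle for the life of the process. The `#include` lines in this rendering carry no header names, which looks like an extraction artifact rather than the committed file, but is worth confirming against the repository.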