diff --git a/doc/1.6.3_stream_cipher.md b/doc/1.6.3_stream_cipher.md index 6183ebf..7271594 100644 --- a/doc/1.6.3_stream_cipher.md +++ b/doc/1.6.3_stream_cipher.md @@ -1 +1,11 @@ # 1.6.3 流密码 + +- [流密码概述](#流密码概述) +- [参考资料](#参考资料) + + +## 流密码概述 + + +## 参考资料 +- [Stream cipher](https://en.wikipedia.org/wiki/Stream_cipher) diff --git a/doc/1.6.4_block_cipher.md b/doc/1.6.4_block_cipher.md index 07ce80d..57dc77a 100644 --- a/doc/1.6.4_block_cipher.md +++ b/doc/1.6.4_block_cipher.md @@ -1 +1,50 @@ # 1.6.4 分组密码 + +- [分组密码概述](#分组密码概述) + - [Feistel 密码结构](#feistel-密码结构) +- [数据加密标准](#数据加密标准) + - [DES](#des) + - [3DES](#3des) +- [高级加密标准](#高级加密标准) +- [分组密码工作模式](#分组密码工作模式) + - [电子密码本模式](#电子密码本模式) + - [密码分组链接模式](#密码分组链接模式) + - [密码反馈模式](#密码反馈模式) + - [输出反馈模式](#输出反馈模式) + - [计数器模式](#计数器模式) +- [参考资料](#参考资料) + + +## 分组密码概述 + +#### Feistel 密码结构 + + +## 数据加密标准 + +#### DES + +#### 3DES + + +## 高级加密标准 + + +## 分组密码工作模式 + +#### 电子密码本模式 + +#### 密码分组链接模式 + +#### 密码反馈模式 + +#### 输出反馈模式 + +#### 计数器模式 + + +## 参考资料 +- [Block cipher](https://en.wikipedia.org/wiki/Block_cipher) +- [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard) +- [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) +- [Block cipher mode of operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) diff --git a/doc/1.6.5_public-key_crypto.md b/doc/1.6.5_public-key_crypto.md index d4ca401..1302356 100644 --- a/doc/1.6.5_public-key_crypto.md +++ b/doc/1.6.5_public-key_crypto.md @@ -1 +1,12 @@ # 1.6.5 公钥密码 + +- [参考资料](#参考资料) +- [RSA](#rsa) + + +## RSA + + +## 参考资料 +- [Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) +- [RSA (cryptosystem)](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) diff --git a/doc/1.6.6_hash.md b/doc/1.6.6_hash.md index aac8391..6cb7a2b 100644 --- a/doc/1.6.6_hash.md +++ b/doc/1.6.6_hash.md 
@@ -1 +1,7 @@ # 1.6.6 哈希函数 + +- [参考资料](#参考资料) + + +## 参考资料 +- [Hash function](https://en.wikipedia.org/wiki/Hash_function) diff --git a/doc/1.6.7_digital_signature.md b/doc/1.6.7_digital_signature.md index 00f4fad..07dc04e 100644 --- a/doc/1.6.7_digital_signature.md +++ b/doc/1.6.7_digital_signature.md @@ -1 +1,7 @@ # 1.6.7 数字签名 + +- [参考资料](#参考资料) + + +## 参考资料 +- [Digital signature](https://en.wikipedia.org/wiki/Digital_signature) diff --git a/doc/6.1.9_rhme3_exploitation.md b/doc/6.1.9_rhme3_exploitation.md index 05f9886..21f04c1 100644 --- a/doc/6.1.9_rhme3_exploitation.md +++ b/doc/6.1.9_rhme3_exploitation.md 
@@ -1,20 +1,109 @@ # 6.1.9 pwn RHme3 Exploitation +- [题目复现](#题目复现) - [题目解析](#题目解析) - [参考资料](#参考资料) [下载文件](../src/writeup/6.1.9_rhme3_exploitation) +## 题目复现 +这个题目给出了二进制文件和 libc。 +``` +$ file main.bin +main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped +$ checksec -f main.bin +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin +``` +64 位程序,保护措施除了 PIE 都开启了。 + + ## 题目解析 +玩一下,一看就是堆利用的题目: ``` -$ file main.elf -main.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped +$ ./main.elf +Welcome to your TeamManager (TM)! +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: ``` +程序就是添加、删除、编辑和显示球员信息。但要注意的是在编辑和显示球员前,需要先选择球员,这一点很重要。 + +添加两个球员看看: ``` -$ checksec -f main.elf -RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE -Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.elf +Your choice: 1 +Found free slot: 0 +Enter player name: aaaa +Enter attack points: 1 +Enter defense points: 2 +Enter speed: 3 +Enter precision: 4 +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: 1 +Found free slot: 1 +Enter player name: bbbb +Enter attack points: 5 +Enter defense points: 6 +Enter speed: 7 +Enter precision: 8 +``` +试着选中第一个球员,然后删除它: +``` +Your choice: 3 +Enter index: 0 +Player selected! 
+ Name: aaaa + A/D/S/P: 1,2,3,4 +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: 2 +Enter index: 0 +She's gone! +``` +接下来直接显示该球员信息: +``` +Your choice: 5 + Name: + A/D/S/P: 29082240,0,3,4 +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: 6 +Your team: +Player 0 + Name: bbbb + A/D/S/P: 5,6,7,8 +``` +奇怪的事情发生了,程序没有提醒我们球员不存在,而是直接读取了内存中的信息。 + +于是我们猜测,程序在 free 球员时没有将 select 的值置空,导致了 use-after-free 的问题。关于 UAF 已经在前面的章节中讲过了。 + + +#### Exploit +完整的 exp 如下: +```python + ``` diff --git a/src/writeup/6.1.9_rhme3_exploitation/main.bin b/src/writeup/6.1.9_rhme3_exploitation/main.bin new file mode 100755 index 0000000..b97a58a Binary files /dev/null and b/src/writeup/6.1.9_rhme3_exploitation/main.bin differ diff --git a/src/writeup/6.1.9_rhme3_exploitation/nop.txt b/src/writeup/6.1.9_rhme3_exploitation/nop.txt new file mode 100644 index 0000000..ba8a8e1 --- /dev/null +++ b/src/writeup/6.1.9_rhme3_exploitation/nop.txt @@ -0,0 +1 @@ +909090909090909090909090909090909090909090909090909090909090909090 diff --git a/src/writeup/6.1.9_rhme3_exploitation/run.sh b/src/writeup/6.1.9_rhme3_exploitation/run.sh new file mode 100644 index 0000000..0feeb34 --- /dev/null +++ b/src/writeup/6.1.9_rhme3_exploitation/run.sh @@ -0,0 +1 @@ +socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=libc.so.6 ./main.elf" &
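Review bot: heading levels in doc/1.6.4_block_cipher.md jump from `##` straight to `####` (e.g. `## 分组密码概述` is followed by `#### Feistel 密码结构`, and the same under 数据加密标准 and 分组密码工作模式), skipping `###`; Markdown renderers and TOC generators will treat these as fourth-level headings, so either use `###` for the subsections or keep `####` only if that is the project's deliberate convention (doc/6.1.9 uses `#### Exploit` the same way). All of the new sections are empty placeholders; a one-line "待补充" under each would tell readers the page is a skeleton rather than a finished chapter.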
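Review bot: the TOC order does not match the body in doc/1.6.5_public-key_crypto.md: the list has `- [参考资料](#参考资料)` before `- [RSA](#rsa)`, but `## RSA` precedes `## 参考资料` in the file, and every other file in this patch puts 参考资料 last. Swap the two TOC lines.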
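Review bot: the binary name is inconsistent within the doc/6.1.9_rhme3_exploitation.md hunk: 题目复现 runs `file main.bin` and `checksec -f main.bin` (matching the `main.bin` this patch adds under src/writeup/6.1.9_rhme3_exploitation/), but 题目解析 still shows `$ ./main.elf`; pick one name. The `#### Exploit` section ends with an empty ```python fence right after "完整的 exp 如下:", so the page promises a script it does not contain; either add it or drop the heading until it exists. Finally, the use-after-free explanation ("程序在 free 球员时没有将 select 的值置空") is presented as a guess (猜测) inferred from the Show player output; a short excerpt of the relevant decompiled remove/select code would turn it into a verified statement, and since the chapter is teaching UAF it is worth stating the fix in the same place (clear the selected-player pointer when a player is removed, and have Show/Edit refuse to operate when no valid selection exists).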
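Review bot: nop.txt is added without being referenced anywhere in the writeup (the Exploit section is empty), so a reader cannot tell what the file is for; either reference it from the doc once the exploit section explains its role, or leave it out of this commit.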
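Review bot: `LD_PRELOAD=libc.so.6` in run.sh will not load a libc placed next to the binary: a preload entry containing no slash is resolved through the dynamic loader's normal search path, so the system libc is picked up instead; use `LD_PRELOAD=./libc.so.6`, and note that this patch does not add libc.so.6 to the directory even though the writeup says the challenge 给出了二进制文件和 libc. The script also `exec`s `./main.elf` while the file committed here is `main.bin`, so every connection would fail at exec. `tcp4-listen:10001` listens on all IPv4 interfaces; for a local reproduction `tcp4-listen:10001,bind=127.0.0.1,reuseaddr,fork` keeps the deliberately vulnerable service off the network. A `#!/bin/sh` first line would also make the file runnable directly.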