From 6d0d5b053e867e12475ba8367a497432566824a1 Mon Sep 17 00:00:00 2001 From: firmianay Date: Tue, 26 Dec 2017 22:29:56 +0800 Subject: [PATCH] update some --- doc/1.6.3_stream_cipher.md | 10 ++ doc/1.6.4_block_cipher.md | 49 +++++++++ doc/1.6.5_public-key_crypto.md | 11 ++ doc/1.6.6_hash.md | 6 ++ doc/1.6.7_digital_signature.md | 6 ++ doc/6.1.9_rhme3_exploitation.md | 99 +++++++++++++++++- src/writeup/6.1.9_rhme3_exploitation/main.bin | Bin 0 -> 19560 bytes src/writeup/6.1.9_rhme3_exploitation/nop.txt | 1 + src/writeup/6.1.9_rhme3_exploitation/run.sh | 1 + 9 files changed, 178 insertions(+), 5 deletions(-) create mode 100755 src/writeup/6.1.9_rhme3_exploitation/main.bin create mode 100644 src/writeup/6.1.9_rhme3_exploitation/nop.txt create mode 100644 src/writeup/6.1.9_rhme3_exploitation/run.sh diff --git a/doc/1.6.3_stream_cipher.md b/doc/1.6.3_stream_cipher.md index 6183ebf..7271594 100644 --- a/doc/1.6.3_stream_cipher.md +++ b/doc/1.6.3_stream_cipher.md @@ -1 +1,11 @@ # 1.6.3 流密码 + +- [流密码概述](#流密码概述) +- [参考资料](#参考资料) + + +## 流密码概述 + + +## 参考资料 +- [Stream cipher](https://en.wikipedia.org/wiki/Stream_cipher) diff --git a/doc/1.6.4_block_cipher.md b/doc/1.6.4_block_cipher.md index 07ce80d..57dc77a 100644 --- a/doc/1.6.4_block_cipher.md +++ b/doc/1.6.4_block_cipher.md 
@@ -1 +1,50 @@ # 1.6.4 分组密码 + +- [分组密码概述](#分组密码概述) + - [Feistel 密码结构](#feistel-密码结构) +- [数据加密标准](#数据加密标准) + - [DES](#des) + - [3DES](#3des) +- [高级加密标准](#高级加密标准) +- [分组密码工作模式](#分组密码工作模式) + - [电子密码本模式](#电子密码本模式) + - [密码分组链接模式](#密码分组链接模式) + - [密码反馈模式](#密码反馈模式) + - [输出反馈模式](#输出反馈模式) + - [计数器模式](#计数器模式) +- [参考资料](#参考资料) + + +## 分组密码概述 + +#### Feistel 密码结构 + + +## 数据加密标准 + +#### DES + +#### 3DES + + +## 高级加密标准 + + +## 分组密码工作模式 + +#### 电子密码本模式 + +#### 密码分组链接模式 + +#### 密码反馈模式 + +#### 输出反馈模式 + +#### 计数器模式 + + +## 参考资料 +- [Block cipher](https://en.wikipedia.org/wiki/Block_cipher) +- [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard) +- [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) +- [Block cipher mode of operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) diff --git a/doc/1.6.5_public-key_crypto.md b/doc/1.6.5_public-key_crypto.md index d4ca401..1302356 100644 --- a/doc/1.6.5_public-key_crypto.md +++ b/doc/1.6.5_public-key_crypto.md @@ -1 +1,12 @@ # 1.6.5 公钥密码 + +- [参考资料](#参考资料) +- [RSA](#rsa) + + +## RSA + + +## 参考资料 +- [Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) +- [RSA (cryptosystem)](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) diff --git a/doc/1.6.6_hash.md b/doc/1.6.6_hash.md index aac8391..6cb7a2b 100644 --- a/doc/1.6.6_hash.md +++ b/doc/1.6.6_hash.md @@ -1 +1,7 @@ # 1.6.6 哈希函数 + +- [参考资料](#参考资料) + + +## 参考资料 +- [Hash function](https://en.wikipedia.org/wiki/Hash_function) diff --git a/doc/1.6.7_digital_signature.md b/doc/1.6.7_digital_signature.md index 00f4fad..07dc04e 100644 --- a/doc/1.6.7_digital_signature.md +++ b/doc/1.6.7_digital_signature.md @@ -1 +1,7 @@ # 1.6.7 数字签名 + +- [参考资料](#参考资料) + + +## 参考资料 +- [Digital signature](https://en.wikipedia.org/wiki/Digital_signature) diff --git a/doc/6.1.9_rhme3_exploitation.md b/doc/6.1.9_rhme3_exploitation.md index 05f9886..21f04c1 100644 --- a/doc/6.1.9_rhme3_exploitation.md 
+++ b/doc/6.1.9_rhme3_exploitation.md 
@@ -1,20 +1,109 @@ # 6.1.9 pwn RHme3 Exploitation +- [题目复现](#题目复现) - [题目解析](#题目解析) - [参考资料](#参考资料) [下载文件](../src/writeup/6.1.9_rhme3_exploitation) +## 题目复现 +这个题目给出了二进制文件和 libc。 +``` +$ file main.bin +main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped +$ checksec -f main.bin +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin +``` +64 位程序,保护措施除了 PIE 都开启了。 + + ## 题目解析 +玩一下,一看就是堆利用的题目: ``` -$ file main.elf -main.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped +$ ./main.elf +Welcome to your TeamManager (TM)! +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: ``` +程序就是添加、删除、编辑和显示球员信息。但要注意的是在编辑和显示球员前,需要先选择球员,这一点很重要。 + +添加两个球员看看: ``` -$ checksec -f main.elf -RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE -Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.elf +Your choice: 1 +Found free slot: 0 +Enter player name: aaaa +Enter attack points: 1 +Enter defense points: 2 +Enter speed: 3 +Enter precision: 4 +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: 1 +Found free slot: 1 +Enter player name: bbbb +Enter attack points: 5 +Enter defense points: 6 +Enter speed: 7 +Enter precision: 8 +``` +试着选中第一个球员,然后删除它: +``` +Your choice: 3 +Enter index: 0 +Player selected! 
+ Name: aaaa + A/D/S/P: 1,2,3,4 +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: 2 +Enter index: 0 +She's gone! +``` +接下来直接显示该球员信息: +``` +Your choice: 5 + Name: + A/D/S/P: 29082240,0,3,4 +0.- Exit +1.- Add player +2.- Remove player +3.- Select player +4.- Edit player +5.- Show player +6.- Show team +Your choice: 6 +Your team: +Player 0 + Name: bbbb + A/D/S/P: 5,6,7,8 +``` +奇怪的事情发生了,程序没有提醒我们球员不存在,而是直接读取了内存中的信息。 + +于是我们猜测,程序在 free 球员时没有将 select 的值置空,导致了 use-after-free 的问题。关于 UAF 已经在前面的章节中讲过了。 + + +#### Exploit +完整的 exp 如下: +```python + ``` 
diff --git a/src/writeup/6.1.9_rhme3_exploitation/main.bin b/src/writeup/6.1.9_rhme3_exploitation/main.bin new file mode 100755 index 0000000000000000000000000000000000000000..b97a58a947a5113d2968b7cd46417b256a336c74 GIT binary patch literal 19560
diff --git a/src/writeup/6.1.9_rhme3_exploitation/nop.txt b/src/writeup/6.1.9_rhme3_exploitation/nop.txt new file mode 100644 index 0000000..ba8a8e1 --- /dev/null +++ b/src/writeup/6.1.9_rhme3_exploitation/nop.txt @@ -0,0 +1 @@ +909090909090909090909090909090909090909090909090909090909090909090 diff --git a/src/writeup/6.1.9_rhme3_exploitation/run.sh b/src/writeup/6.1.9_rhme3_exploitation/run.sh new file mode 100644 index 0000000..0feeb34 --- /dev/null +++ b/src/writeup/6.1.9_rhme3_exploitation/run.sh
@@ -0,0 +1 @@ +socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=libc.so.6 ./main.elf" &
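Review bot: in doc/1.6.4_block_cipher.md the headings jump from `## 分组密码概述` straight to `#### Feistel 密码结构`, skipping the `###` level, and the same pattern repeats under 数据加密标准 and 分组密码工作模式; the TOC nests these as second-level entries, so `###` would match the outline and keep rendered heading sizes consistent. Every section body in this file is empty, which is fine for a skeleton, but a one-line TODO per section would make it clear that the gaps are intentional rather than lost content.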
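Review bot: the TOC in doc/1.6.5_public-key_crypto.md lists `- [参考资料](#参考资料)` before `- [RSA](#rsa)`, but the body places `## RSA` before `## 参考资料`; swap the two TOC entries so they follow document order, as the TOCs in 1.6.3 and 1.6.4 do.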
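Review bot: doc/6.1.9_rhme3_exploitation.md now uses two different names for the binary: the new 题目复现 block runs `file main.bin` and `checksec -f main.bin`, while the retained transcript still shows `$ ./main.elf`; pick one name and use it throughout (the file committed here is main.bin). The summary "保护措施除了 PIE 都开启了" overstates the checksec output, which reports `Partial RELRO`, not Full RELRO, so the GOT remains writable; say "Partial RELRO, Canary, NX; no PIE" instead. The text says the challenge ships the binary and libc ("这个题目给出了二进制文件和 libc"), but this commit adds only main.bin, nop.txt and run.sh; either add the libc under src/writeup or state where it comes from. The `#### Exploit` section ends with "完整的 exp 如下:" followed by an empty ```python fence; add the script or mark the section TODO so a reader does not assume the block was dropped. Finally, the root cause is presented as a guess ("于是我们猜测"); the `Show player` output after removal (`A/D/S/P: 29082240,0,3,4`, with the name blank) is the observation that supports it, so a short look at what the remove handler does with the selected pointer would turn the guess into a confirmed finding, and noting the fix (clear the selection on remove and reject show/edit when nothing is selected) would round out the write-up.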
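Review bot: src/writeup/6.1.9_rhme3_exploitation/nop.txt is a single line of repeated `90` hex digits committed with no mention anywhere in the write-up; either explain in 6.1.9 what it is for and how it is used, or drop it from the commit, since an unexplained payload file in a doc repository is confusing to readers.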
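Review bot: run.sh executes `./main.elf`, but this commit adds the binary as `main.bin`, so the service cannot start as committed; also `LD_PRELOAD=libc.so.6` contains no slash, which makes the dynamic loader search the standard library directories rather than the current directory, so it will not pick up a bundled libc (use `./libc.so.6`, and add that file or say where it comes from, since it is not in this commit). The script has no `#!/bin/sh` line and is committed as mode 100644 while main.bin is 100755, so it only works via `sh run.sh`; add the shebang and executable bit or document the invocation.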