update some

This commit is contained in:
firmianay 2017-12-26 22:29:56 +08:00
parent 94125ff6a8
commit 6d0d5b053e
9 changed files with 178 additions and 5 deletions


@ -1 +1,11 @@
# 1.6.3 流密码 # 1.6.3 流密码
- [流密码概述](#流密码概述)
- [参考资料](#参考资料)
## 流密码概述
## 参考资料
- [Stream cipher](https://en.wikipedia.org/wiki/Stream_cipher)


@ -1 +1,50 @@
# 1.6.4 分组密码 # 1.6.4 分组密码
- [分组密码概述](#分组密码概述)
- [Feistel 密码结构](#feistel-密码结构)
- [数据加密标准](#数据加密标准)
- [DES](#des)
- [3DES](#3des)
- [高级加密标准](#高级加密标准)
- [分组密码工作模式](#分组密码工作模式)
- [电子密码本模式](#电子密码本模式)
- [密码分组链接模式](#密码分组链接模式)
- [密码反馈模式](#密码反馈模式)
- [输出反馈模式](#输出反馈模式)
- [计数器模式](#计数器模式)
- [参考资料](#参考资料)
## 分组密码概述
#### Feistel 密码结构
## 数据加密标准
#### DES
#### 3DES
## 高级加密标准
## 分组密码工作模式
#### 电子密码本模式
#### 密码分组链接模式
#### 密码反馈模式
#### 输出反馈模式
#### 计数器模式
## 参考资料
- [Block cipher](https://en.wikipedia.org/wiki/Block_cipher)
- [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard)
- [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
- [Block cipher mode of operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)


@ -1 +1,12 @@
# 1.6.5 公钥密码 # 1.6.5 公钥密码
- [参考资料](#参考资料)
- [RSA](#rsa)
## RSA
## 参考资料
- [Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)
- [RSA (cryptosystem)](https://en.wikipedia.org/wiki/RSA_(cryptosystem))
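Review bot: the table of contents lists 参考资料 before RSA, but the body puts `## RSA` first and `## 参考资料` last; swap the two TOC entries so the list follows the heading order, as the other files touched in this commit do.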


@ -1 +1,7 @@
# 1.6.6 哈希函数 # 1.6.6 哈希函数
- [参考资料](#参考资料)
## 参考资料
- [Hash function](https://en.wikipedia.org/wiki/Hash_function)


@ -1 +1,7 @@
# 1.6.7 数字签名 # 1.6.7 数字签名
- [参考资料](#参考资料)
## 参考资料
- [Digital signature](https://en.wikipedia.org/wiki/Digital_signature)


@ -1,20 +1,109 @@
# 6.1.9 pwn RHme3 Exploitation # 6.1.9 pwn RHme3 Exploitation
- [题目复现](#题目复现)
- [题目解析](#题目解析) - [题目解析](#题目解析)
- [参考资料](#参考资料) - [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.9_rhme3_exploitation) [下载文件](../src/writeup/6.1.9_rhme3_exploitation)
## 题目解析 ## 题目复现
这个题目给出了二进制文件和 libc。
``` ```
$ file main.elf $ file main.bin
main.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped
``` $ checksec -f main.bin
```
$ checksec -f main.elf
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.elf Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin
```
64 位程序,保护措施除了 PIE 都开启了。
## 题目解析
玩一下,一看就是堆利用的题目:
```
$ ./main.elf
Welcome to your TeamManager (TM)!
0.- Exit
1.- Add player
2.- Remove player
3.- Select player
4.- Edit player
5.- Show player
6.- Show team
Your choice:
```
程序就是添加、删除、编辑和显示球员信息。但要注意的是在编辑和显示球员前,需要先选择球员,这一点很重要。
添加两个球员看看:
```
Your choice: 1
Found free slot: 0
Enter player name: aaaa
Enter attack points: 1
Enter defense points: 2
Enter speed: 3
Enter precision: 4
0.- Exit
1.- Add player
2.- Remove player
3.- Select player
4.- Edit player
5.- Show player
6.- Show team
Your choice: 1
Found free slot: 1
Enter player name: bbbb
Enter attack points: 5
Enter defense points: 6
Enter speed: 7
Enter precision: 8
```
试着选中第一个球员,然后删除它:
```
Your choice: 3
Enter index: 0
Player selected!
Name: aaaa
A/D/S/P: 1,2,3,4
0.- Exit
1.- Add player
2.- Remove player
3.- Select player
4.- Edit player
5.- Show player
6.- Show team
Your choice: 2
Enter index: 0
She's gone!
```
接下来直接显示该球员信息:
```
Your choice: 5
Name:
A/D/S/P: 29082240,0,3,4
0.- Exit
1.- Add player
2.- Remove player
3.- Select player
4.- Edit player
5.- Show player
6.- Show team
Your choice: 6
Your team:
Player 0
Name: bbbb
A/D/S/P: 5,6,7,8
```
奇怪的事情发生了,程序没有提醒我们球员不存在,而是直接读取了内存中的信息。
于是我们猜测,程序在 free 球员时没有将 select 的值置空,导致了 use-after-free 的问题。关于 UAF 已经在前面的章节中讲过了。
#### Exploit
完整的 exp 如下:
```python
``` ```
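Review bot: the binary is renamed from main.elf to main.bin in the `file` and `checksec` output, but the interactive session that follows still runs `./main.elf`; use one name throughout the writeup (and the run script added in this commit). Two smaller points: "保护措施除了 PIE 都开启了" overstates what the checksec line shows, since it reports only Partial RELRO, which leaves the GOT writable and keeps a GOT overwrite available as a target; and the `#### Exploit` section ends in an empty ```python fence, so either add the exp or mark the section as unfinished instead of shipping an empty code block.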

Binary file not shown.


@ -0,0 +1 @@
909090909090909090909090909090909090909090909090909090909090909090
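Review bot: this new one-line file is a hex string of repeated 0x90 (NOP) bytes with no explanation, and nothing in the writeup hunk refers to it; either mention it in the text (what it is and how the exp uses it) or leave it out of the commit.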


@ -0,0 +1 @@
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=libc.so.6 ./main.elf" &
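Review bot: `LD_PRELOAD=libc.so.6` contains no slash, so the dynamic loader resolves it through the normal library search path and preloads the host's libc instead of the one shipped with the task; write `./libc.so.6` (a path with a slash) so the copy next to the binary is the one loaded. The script also runs `./main.elf` while the updated writeup calls the binary main.bin. Note as well that preloading a libc whose version differs from the host's ld.so can crash at startup; if it does, point the interpreter at a matching ld.so with patchelf rather than relying on LD_PRELOAD alone.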