mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
update some
This commit is contained in:
parent
94125ff6a8
commit
6d0d5b053e
@ -1 +1,11 @@
|
||||
# 1.6.3 流密码
|
||||
|
||||
- [流密码概述](#流密码概述)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 流密码概述
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [Stream cipher](https://en.wikipedia.org/wiki/Stream_cipher)
|
||||
|
@ -1 +1,50 @@
|
||||
# 1.6.4 分组密码
|
||||
|
||||
- [分组密码概述](#分组密码概述)
|
||||
- [Feistel 密码结构](#feistel-密码结构)
|
||||
- [数据加密标准](#数据加密标准)
|
||||
- [DES](#des)
|
||||
- [3DES](#3des)
|
||||
- [高级加密标准](#高级加密标准)
|
||||
- [分组密码工作模式](#分组密码工作模式)
|
||||
- [电子密码本模式](#电子密码本模式)
|
||||
- [密码分组链接模式](#密码分组链接模式)
|
||||
- [密码反馈模式](#密码反馈模式)
|
||||
- [输出反馈模式](#输出反馈模式)
|
||||
- [计数器模式](#计数器模式)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 分组密码概述
|
||||
|
||||
#### Feistel 密码结构
|
||||
|
||||
|
||||
## 数据加密标准
|
||||
|
||||
#### DES
|
||||
|
||||
#### 3DES
|
||||
|
||||
|
||||
## 高级加密标准
|
||||
|
||||
|
||||
## 分组密码工作模式
|
||||
|
||||
#### 电子密码本模式
|
||||
|
||||
#### 密码分组链接模式
|
||||
|
||||
#### 密码反馈模式
|
||||
|
||||
#### 输出反馈模式
|
||||
|
||||
#### 计数器模式
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [Block cipher](https://en.wikipedia.org/wiki/Block_cipher)
|
||||
- [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard)
|
||||
- [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
|
||||
- [Block cipher mode of operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)
|
||||
|
@ -1 +1,12 @@
|
||||
# 1.6.5 公钥密码
|
||||
|
||||
- [参考资料](#参考资料)
|
||||
- [RSA](#rsa)
|
||||
|
||||
|
||||
## RSA
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)
|
||||
- [RSA (cryptosystem)](https://en.wikipedia.org/wiki/RSA_(cryptosystem))
|
||||
|
@ -1 +1,7 @@
|
||||
# 1.6.6 哈希函数
|
||||
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [Hash function](https://en.wikipedia.org/wiki/Hash_function)
|
||||
|
@ -1 +1,7 @@
|
||||
# 1.6.7 数字签名
|
||||
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [Digital signature](https://en.wikipedia.org/wiki/Digital_signature)
|
||||
|
@ -1,20 +1,109 @@
|
||||
# 6.1.9 pwn RHme3 Exploitation
|
||||
|
||||
- [题目复现](#题目复现)
|
||||
- [题目解析](#题目解析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.9_rhme3_exploitation)
|
||||
|
||||
## 题目复现
|
||||
这个题目给出了二进制文件和 libc。
|
||||
```
|
||||
$ file main.bin
|
||||
main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped
|
||||
$ checksec -f main.bin
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin
|
||||
```
|
||||
64 位程序,保护措施除了 PIE 都开启了。
|
||||
|
||||
|
||||
## 题目解析
|
||||
玩一下,一看就是堆利用的题目:
|
||||
```
|
||||
$ file main.elf
|
||||
main.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped
|
||||
$ ./main.elf
|
||||
Welcome to your TeamManager (TM)!
|
||||
0.- Exit
|
||||
1.- Add player
|
||||
2.- Remove player
|
||||
3.- Select player
|
||||
4.- Edit player
|
||||
5.- Show player
|
||||
6.- Show team
|
||||
Your choice:
|
||||
```
|
||||
程序就是添加、删除、编辑和显示球员信息。但要注意的是在编辑和显示球员前,需要先选择球员,这一点很重要。
|
||||
|
||||
添加两个球员看看:
|
||||
```
|
||||
$ checksec -f main.elf
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.elf
|
||||
Your choice: 1
|
||||
Found free slot: 0
|
||||
Enter player name: aaaa
|
||||
Enter attack points: 1
|
||||
Enter defense points: 2
|
||||
Enter speed: 3
|
||||
Enter precision: 4
|
||||
0.- Exit
|
||||
1.- Add player
|
||||
2.- Remove player
|
||||
3.- Select player
|
||||
4.- Edit player
|
||||
5.- Show player
|
||||
6.- Show team
|
||||
Your choice: 1
|
||||
Found free slot: 1
|
||||
Enter player name: bbbb
|
||||
Enter attack points: 5
|
||||
Enter defense points: 6
|
||||
Enter speed: 7
|
||||
Enter precision: 8
|
||||
```
|
||||
试着选中第一个球员,然后删除它:
|
||||
```
|
||||
Your choice: 3
|
||||
Enter index: 0
|
||||
Player selected!
|
||||
Name: aaaa
|
||||
A/D/S/P: 1,2,3,4
|
||||
0.- Exit
|
||||
1.- Add player
|
||||
2.- Remove player
|
||||
3.- Select player
|
||||
4.- Edit player
|
||||
5.- Show player
|
||||
6.- Show team
|
||||
Your choice: 2
|
||||
Enter index: 0
|
||||
She's gone!
|
||||
```
|
||||
接下来直接显示该球员信息:
|
||||
```
|
||||
Your choice: 5
|
||||
Name:
|
||||
A/D/S/P: 29082240,0,3,4
|
||||
0.- Exit
|
||||
1.- Add player
|
||||
2.- Remove player
|
||||
3.- Select player
|
||||
4.- Edit player
|
||||
5.- Show player
|
||||
6.- Show team
|
||||
Your choice: 6
|
||||
Your team:
|
||||
Player 0
|
||||
Name: bbbb
|
||||
A/D/S/P: 5,6,7,8
|
||||
```
|
||||
奇怪的事情发生了,程序没有提醒我们球员不存在,而是直接读取了内存中的信息。
|
||||
|
||||
于是我们猜测,程序在 free 球员时没有将 select 的值置空,导致了 use-after-free 的问题。关于 UAF 已经在前面的章节中讲过了。
|
||||
|
||||
|
||||
#### Exploit
|
||||
完整的 exp 如下:
|
||||
```python
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
BIN
src/writeup/6.1.9_rhme3_exploitation/main.bin
Executable file
BIN
src/writeup/6.1.9_rhme3_exploitation/main.bin
Executable file
Binary file not shown.
1
src/writeup/6.1.9_rhme3_exploitation/nop.txt
Normal file
1
src/writeup/6.1.9_rhme3_exploitation/nop.txt
Normal file
@ -0,0 +1 @@
|
||||
909090909090909090909090909090909090909090909090909090909090909090
|
1
src/writeup/6.1.9_rhme3_exploitation/run.sh
Normal file
1
src/writeup/6.1.9_rhme3_exploitation/run.sh
Normal file
@ -0,0 +1 @@
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=libc.so.6 ./main.elf" &
|
Loading…
Reference in New Issue
Block a user