diff --git a/SUMMARY.md b/SUMMARY.md index 3aba312..667bedc 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -68,13 +68,14 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md) * [3.1.4 返回导向编程(ROP)(x86)](doc/3.1.4_rop_x86.md) * [3.1.5 返回导向编程(ROP)(ARM)](doc/3.1.5_rop_arm.md) - * [3.1.6 Linux 堆利用(上)](doc/3.1.6_heap_exploit_1.md) - * [3.1.7 Linux 堆利用(中)](doc/3.1.7_heap_exploit_2.md) - * [3.1.8 Linux 堆利用(下)](doc/3.1.8_heap_exploit_3.md) - * [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md) - * [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md) - * [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md) - * [3.1.12 竞争条件](doc/3.1.12_race_condition.md) + * [3.1.6 Linux 堆利用(一)](doc/3.1.6_heap_exploit_1.md) + * [3.1.7 Linux 堆利用(二)](doc/3.1.7_heap_exploit_2.md) + * [3.1.8 Linux 堆利用(三)](doc/3.1.8_heap_exploit_3.md) + * [3.1.9 Linux 堆利用(四)](doc/3.1.9_heap_exploit_4.md) + * [3.1.10 内核 ROP](doc/3.1.10_kernel_rop.md) + * [3.1.11 Linux 内核漏洞利用](doc/3.1.11_linux_kernel_exploit.md) + * [3.1.12 Windows 内核漏洞利用](doc/3.1.12_windows_kernel_exploit.md) + * [3.1.13 竞争条件](doc/3.1.13_race_condition.md) * Reverse * [3.2.1 patch 二进制文件](doc/3.2.1_patch_binary.md) * [3.2.2 脱壳技术(PE)](doc/3.2.2_pe_unpack.md) @@ -163,6 +164,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md) * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md) * [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md) + * [6.1.31 pwn HITBCTF2018 mutepig](doc/6.1.31_pwn_hitbctf2018_mutepig.md) * Reverse * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) 
diff --git a/doc/3.1.9_kernel_rop.md b/doc/3.1.10_kernel_rop.md similarity index 94% rename from doc/3.1.9_kernel_rop.md rename to doc/3.1.10_kernel_rop.md index 38f5de8..55cc356 100644 --- a/doc/3.1.9_kernel_rop.md +++ b/doc/3.1.10_kernel_rop.md @@ -1,4 +1,4 @@ -# 3.1.9 内核 ROP +# 3.1.10 内核 ROP - [参考资料](#参考资料) diff --git a/doc/3.1.10_linux_kernel_exploit.md b/doc/3.1.11_linux_kernel_exploit.md similarity index 99% rename from doc/3.1.10_linux_kernel_exploit.md rename to doc/3.1.11_linux_kernel_exploit.md index 387467b..1519055 100644 --- a/doc/3.1.10_linux_kernel_exploit.md +++ b/doc/3.1.11_linux_kernel_exploit.md @@ -1,4 +1,4 @@ -# 3.1.10 Linux 内核漏洞利用 +# 3.1.11 Linux 内核漏洞利用 - [从用户态到内核态](#从用户态到内核态) - [内核漏洞分类](#内核漏洞分类) diff --git a/doc/3.1.12_race_condition.md b/doc/3.1.12_race_condition.md deleted file mode 100644 index 73febf4..0000000 --- a/doc/3.1.12_race_condition.md +++ /dev/null @@ -1 +0,0 @@ -# 3.1.12 竞争条件 diff --git a/doc/3.1.11_windows_kernel_exploit.md b/doc/3.1.12_windows_kernel_exploit.md similarity index 86% rename from doc/3.1.11_windows_kernel_exploit.md rename to doc/3.1.12_windows_kernel_exploit.md index d39ec96..fea23dd 100644 --- a/doc/3.1.11_windows_kernel_exploit.md +++ b/doc/3.1.12_windows_kernel_exploit.md @@ -1,4 +1,4 @@ -# 3.1.11 Windows 内核漏洞利用 +# 3.1.12 Windows 内核漏洞利用 - [参考资料](#参考资料) diff --git a/doc/3.1.13_race_condition.md b/doc/3.1.13_race_condition.md new file mode 100644 index 0000000..9968c00 --- /dev/null +++ b/doc/3.1.13_race_condition.md @@ -0,0 +1 @@ +# 3.1.13 竞争条件 diff --git a/doc/3.1.9_heap_exploit_4.md b/doc/3.1.9_heap_exploit_4.md new file mode 100644 index 0000000..6815164 --- /dev/null +++ b/doc/3.1.9_heap_exploit_4.md 
@@ -0,0 +1,19 @@ +# 3.1.9 Linux 堆利用(四) + +- [house_of_rabbit](#house_of_rabbit) +- [house_of_roman](#house_of_roman) +- [参考资料](#参考资料) + + +[下载文件](../src/Others/3.1.6_heap_exploit) + +#### house_of_rabbit + +#### house_of_roman + + +## 参考资料 +- [House of Rabbit - Heap exploitation technique bypassing ASLR](http://shift-crops.hatenablog.com/entry/2017/09/17/213235) +- https://github.com/shift-crops/House_of_Rabbit +- [House_of_Roman](https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc) +- https://github.com/romanking98/House-Of-Roman diff --git a/doc/3_topics.md b/doc/3_topics.md index a8b8d30..26768fc 100644 --- a/doc/3_topics.md +++ b/doc/3_topics.md @@ -6,13 +6,14 @@ * [3.1.3 栈溢出](3.1.3_stack_overflow.md) * [3.1.4 返回导向编程(ROP)(x86)](3.1.4_rop_x86.md) * [3.1.5 返回导向编程(ROP)(ARM)](3.1.5_rop_arm.md) - * [3.1.6 Linux 堆利用(上)](3.1.6_heap_exploit_1.md) - * [3.1.7 Linux 堆利用(中)](3.1.7_heap_exploit_2.md) - * [3.1.8 Linux 堆利用(下)](3.1.8_heap_exploit_3.md) - * [3.1.9 内核 ROP](3.1.9_kernel_rop.md) - * [3.1.10 Linux 内核漏洞利用](3.1.10_linux_kernel_exploit.md) - * [3.1.11 Windows 内核漏洞利用](3.1.11_windows_kernel_exploit.md) - * [3.1.12 竞争条件](3.1.12_race_condition.md) + * [3.1.6 Linux 堆利用(一)](3.1.6_heap_exploit_1.md) + * [3.1.7 Linux 堆利用(二)](3.1.7_heap_exploit_2.md) + * [3.1.8 Linux 堆利用(三)](3.1.8_heap_exploit_3.md) + * [3.1.9 Linux 堆利用(四)](3.1.9_heap_exploit_4.md) + * [3.1.10 内核 ROP](3.1.10_kernel_rop.md) + * [3.1.11 Linux 内核漏洞利用](3.1.11_linux_kernel_exploit.md) + * [3.1.12 Windows 内核漏洞利用](3.1.12_windows_kernel_exploit.md) + * [3.1.13 竞争条件](3.1.13_race_condition.md) * Reverse * [3.2.1 patch 二进制文件](3.2.1_patch_binary.md) * [3.2.2 脱壳技术(PE)](3.2.2_pe_unpack.md) diff --git a/doc/6.1.16_pwn_hitbctf2017_1000levels.md b/doc/6.1.16_pwn_hitbctf2017_1000levels.md index 06b02db..9dd0917 100644 --- a/doc/6.1.16_pwn_hitbctf2017_1000levels.md +++ b/doc/6.1.16_pwn_hitbctf2017_1000levels.md 
@@ -15,7 +15,7 @@ $ file 1000levels $ checksec -f 1000levels RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 6 1000levels -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.23.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al. Compiled by GNU CC version 5.4.0 20160609. ``` @@ -351,7 +351,7 @@ vaddr=0x00201fd0 paddr=0x00001fd0 type=SET_64 system 对于第一个问题,我们有不需要参数的 one-gadget 可以用,通过将输入的第二个数设置为偏移,即可通过程序的计算将 system 修改为 one-gadget。 ``` -$ one_gadget libc.so.6 +$ one_gadget libc-2.23.so 0x45216 execve("/bin/sh", rsp+0x30, environ) constraints: rax == NULL @@ -456,7 +456,7 @@ firmy from pwn import * #context.log_level = 'debug' -io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'}) one_gadget = 0x4526a system_offset = 0x45390 diff --git a/doc/6.1.18_pwn_hitbctf2017_sentosa.md b/doc/6.1.18_pwn_hitbctf2017_sentosa.md index 67939f5..b879431 100644 --- a/doc/6.1.18_pwn_hitbctf2017_sentosa.md +++ b/doc/6.1.18_pwn_hitbctf2017_sentosa.md @@ -15,7 +15,7 @@ sentosa: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically lin $ checksec -f sentosa RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 sentosa -$ strings libc.so.6| grep "GNU C" +$ strings libc-2.23.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.23-0ubuntu4) stable release version 2.23, by Roland McGrath et al. Compiled by GNU CC version 5.4.0 20160609. ``` 
@@ -715,8 +715,8 @@ from pwn import * #context.log_level = 'debug' -io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'}) -libc = ELF('libc.so.6') +io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'}) +libc = ELF('libc-2.23.so') def start_proj(length, name, price, area, capacity): io.sendlineafter("Exit\n", '1') diff --git a/doc/6.1.19_pwn_hitbctf2018_gundam.md b/doc/6.1.19_pwn_hitbctf2018_gundam.md index 7fa1cb0..c2225a7 100644 --- a/doc/6.1.19_pwn_hitbctf2018_gundam.md +++ b/doc/6.1.19_pwn_hitbctf2018_gundam.md @@ -15,7 +15,7 @@ gundam: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically link $ checksec -f gundam RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 4 gundam -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.26.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al. Compiled by GNU CC version 6.4.0 20171010. ``` @@ -596,10 +596,10 @@ gdb-peda$ x/6gx 0x555555757b50-0x10 0x555555757b60: 0x0000000000000000 0x0000000000000000 gdb-peda$ vmmap libc Start End Perm Name -0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc.so.6 -0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc.so.6 -0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc.so.6 -0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc.so.6 +0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc-2.26.so +0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc-2.26.so +0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc-2.26.so +0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc-2.26.so gdb-peda$ p 0x00007ffff7dd2c78 - 0x00007ffff79f8000 $1 = 0x3dac78 ``` 
@@ -696,9 +696,9 @@ from pwn import * #context.log_level = 'debug' -io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'}) #elf = ELF('gundam') -libc = ELF('libc.so.6') +libc = ELF('libc-2.26.so') def build(name): io.sendlineafter("choice : ", '1') diff --git a/doc/6.1.1_pwn_hctf2016_brop.md b/doc/6.1.1_pwn_hctf2016_brop.md index 35dbf33..f22fff4 100644 --- a/doc/6.1.1_pwn_hctf2016_brop.md +++ b/doc/6.1.1_pwn_hctf2016_brop.md 
@@ -274,19 +274,19 @@ def dump_memory(buf_size, stop_addr, gadgets_addr, puts_plt, start_addr, end_add ``` $ r2 -B 0x400000 code.bin [0x00400630]> pd 14 @ 0x4005e7 - :::: 0x004005e7 25240a2000 and eax, 0x200a24 - :::: 0x004005ec 0f1f4000 nop dword [rax] - :::: 0x004005f0 ff25220a2000 jmp qword [0x00601018] ; [0x601018:8]=-1 - :::: 0x004005f6 6800000000 push 0 - `====< 0x004005fb e9e0ffffff jmp 0x4005e0 - ::: 0x00400600 ff251a0a2000 jmp qword [0x00601020] ; [0x601020:8]=-1 - ::: 0x00400606 6801000000 push 1 ; 1 - `===< 0x0040060b e9d0ffffff jmp 0x4005e0 - :: 0x00400610 ff25120a2000 jmp qword [0x00601028] ; [0x601028:8]=-1 - :: 0x00400616 6802000000 push 2 ; 2 - `==< 0x0040061b e9c0ffffff jmp 0x4005e0 - : 0x00400620 ff250a0a2000 jmp qword [0x00601030] ; [0x601030:8]=-1 - : 0x00400626 6803000000 push 3 ; 3 + :::: 0x004005e7 25240a2000 and eax, 0x200a24 + :::: 0x004005ec 0f1f4000 nop dword [rax] + :::: 0x004005f0 ff25220a2000 jmp qword [0x00601018] ; [0x601018:8]=-1 + :::: 0x004005f6 6800000000 push 0 + `====< 0x004005fb e9e0ffffff jmp 0x4005e0 + ::: 0x00400600 ff251a0a2000 jmp qword [0x00601020] ; [0x601020:8]=-1 + ::: 0x00400606 6801000000 push 1 ; 1 + `===< 0x0040060b e9d0ffffff jmp 0x4005e0 + :: 0x00400610 ff25120a2000 jmp qword [0x00601028] ; [0x601028:8]=-1 + :: 0x00400616 6802000000 push 2 ; 2 + `==< 0x0040061b e9c0ffffff jmp 0x4005e0 + : 0x00400620 ff250a0a2000 jmp qword [0x00601030] ; [0x601030:8]=-1 + : 0x00400626 6803000000 push 3 ; 3 `=< 0x0040062b e9b0ffffff jmp 0x4005e0 ``` 于是我们就得到了 puts@got 地址 `0x00601018`。可以看到该表中还有其他几个函数,根据程序的功能大概可以猜到,无非就是 setbuf、read 之类的,在后面的过程中如果实在无法确定 libc,这些信息可能会有用。 diff --git a/doc/6.1.21_pwn_hitconctf2016_secret_holder.md b/doc/6.1.21_pwn_hitconctf2016_secret_holder.md index eae77c6..e0aed4d 100644 --- a/doc/6.1.21_pwn_hitconctf2016_secret_holder.md +++ b/doc/6.1.21_pwn_hitconctf2016_secret_holder.md 
@@ -15,7 +15,7 @@ SecretHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l $ checksec -f SecretHolder RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SecretHolder -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.23.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. Compiled by GNU CC version 5.3.1 20160413. ``` @@ -554,9 +554,9 @@ from pwn import * #context.log_level = 'debug' -io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'}) elf = ELF('SecretHolder') -libc = ELF('libc.so.6') +libc = ELF('libc-2.23.so') small_ptr = 0x006020b0 big_ptr = 0x006020a0 diff --git a/doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md b/doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md index 878d101..a03e4e8 100644 --- a/doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md +++ b/doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md @@ -15,7 +15,7 @@ SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l $ checksec -f SleepyHolder RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.23.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. Compiled by GNU CC version 5.3.1 20160413. ``` @@ -525,9 +525,9 @@ from pwn import * #context.log_level = 'debug' -io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'}) elf = ELF('SleepyHolder') -libc = ELF('libc.so.6') +libc = ELF('libc-2.23.so') small_ptr = 0x006020d0 big_ptr = 0x006020c0 
diff --git a/doc/6.1.24_hitconctf2016_house_of_orange.md b/doc/6.1.24_hitconctf2016_house_of_orange.md index e6ad28a..ed152b9 100644 --- a/doc/6.1.24_hitconctf2016_house_of_orange.md +++ b/doc/6.1.24_hitconctf2016_house_of_orange.md @@ -15,7 +15,7 @@ houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamical $ checksec -f houseoforange RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.23.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. Compiled by GNU CC version 5.3.1 20160413. ``` @@ -744,8 +744,8 @@ from pwn import * #context.log_level = 'debug' -io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'}) -libc = ELF('libc.so.6') +io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'}) +libc = ELF('libc-2.23.so') def build(size, name): io.sendlineafter("Your choice : ", '1') diff --git a/doc/6.1.26_pwn_34c3ctf2017_300.md b/doc/6.1.26_pwn_34c3ctf2017_300.md index 3100458..60fcdc6 100644 --- a/doc/6.1.26_pwn_34c3ctf2017_300.md +++ b/doc/6.1.26_pwn_34c3ctf2017_300.md @@ -15,7 +15,7 @@ $ file 300 $ checksec -f 300 RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 2 300 -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.24.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al. Compiled by GNU CC version 6.3.0 20170406. ``` 
@@ -434,12 +434,6 @@ def pwn(): ``` python exp.py [+] Starting local process './300': pid 5158 -[*] '/home/firmyy/300/libc.so.6' - Arch: amd64-64-little - RELRO: Partial RELRO - Stack: Canary found - NX: NX enabled - PIE: PIE enabled [*] libc_base address: 0x7efdcef24000 [*] heap address: 0x5624a7a3c000 [*] _IO_list_all address: 0x7efdcf2e6500 @@ -462,8 +456,8 @@ from pwn import * #context.log_level = 'debug' -io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'}) -libc = ELF('libc.so.6') +io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'}) +libc = ELF('libc-2.24.so') def alloc(idx): io.sendlineafter("free\n", '1') diff --git a/doc/6.1.28_pwn_asisctf2016_b00ks.md b/doc/6.1.28_pwn_asisctf2016_b00ks.md index 81759d3..0db1c74 100644 --- a/doc/6.1.28_pwn_asisctf2016_b00ks.md +++ b/doc/6.1.28_pwn_asisctf2016_b00ks.md @@ -15,7 +15,7 @@ b00ks: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linke $ checksec -f b00ks RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 b00ks -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.23.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al. Compiled by GNU CC version 5.4.0 20160609. ``` diff --git a/doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md b/doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md index 402ff43..ed9c134 100644 --- a/doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md +++ b/doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md 
@@ -15,7 +15,7 @@ ghost_in_the_heap: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynam $ checksec -f ghost_in_the_heap RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 2 ghost_in_the_heap -$ strings libc.so.6 | grep "GNU C" +$ strings libc-2.24.so | grep "GNU C" GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al. Compiled by GNU CC version 6.3.0 20170406. ``` diff --git a/doc/6.1.31_pwn_hitbctf2018_mutepig.md b/doc/6.1.31_pwn_hitbctf2018_mutepig.md new file mode 100644 index 0000000..622134b --- /dev/null +++ b/doc/6.1.31_pwn_hitbctf2018_mutepig.md @@ -0,0 +1,30 @@ +# 6.1.31 pwn HITBCTF2018 mutepig + +- [题目复现](#题目复现) +- [题目解析](#题目解析) +- [漏洞利用](#漏洞利用) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.31_pwn_hitbctf2018_mutepig) + +## 题目复现 +``` +$ file mutepig +mutepig: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=180b126011ab0d74ab49d0c3c52a41e85155a6a9, stripped +[firmy@firmy-pc mutepip]$ checksec -f mutepig +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 1 mutepig +$ strings libc-2.23.so | grep "GNU C" +GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al. +Compiled by GNU CC version 8.1.0. +``` +64 位程序,开启了 Canary 和 NX。 + + +## 题目解析 + +## 漏洞利用 + +## 参考资料 +- https://www.xctf.org.cn/library/details/hitb-quals-2018/#mutepig-pwn diff --git a/doc/6.1.7_pwn_0ctf2015_freenote.md b/doc/6.1.7_pwn_0ctf2015_freenote.md index db976a7..ac1db67 100644 --- a/doc/6.1.7_pwn_0ctf2015_freenote.md +++ b/doc/6.1.7_pwn_0ctf2015_freenote.md 
@@ -15,6 +15,9 @@ freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke $ checksec -f freenote RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote +$ strings libc-2.19.so | grep "GNU C" +GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.6) stable release version 2.19, by Roland McGrath et al. +Compiled by GNU CC version 4.8.2. ``` 因为没有 PIE,即使本机开启 ASLR 也没有关系。 @@ -101,7 +104,7 @@ Aborted 在 Ubuntu 14.04 上把程序跑起来: ``` -$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" & +$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" & ``` @@ -713,10 +716,10 @@ Start End Offset Perm Path 0x0000000000603000 0x0000000000625000 0x0000000000000000 rw- [heap] gef➤ vmmap libc Start End Offset Perm Path -0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc.so.6_1 -0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc.so.6_1 -0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc.so.6_1 -0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc.so.6_1 +0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc-2.19.so +0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc-2.19.so +0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc-2.19.so +0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc-2.19.so ``` 为了泄漏堆地址,我们需要释放 2 个不相邻且不会被合并进 top chunk 里的 chunk,所以我们创建 4 个笔记,可以看到由初始化阶段创建的 Notes 和 Note 结构体: 
@@ -840,7 +843,7 @@ gef➤ x/20gx 0x00007ffff7dd37b8-0x78 ``` 我们看到 `__malloc_hook` 在这个地址 `0x00007ffff7dd37b8-0x78` 的地方。其实 `0x7ffff7dd3760` 地方开始就是 `main_arena`,但在这个 libc 里符号被 stripped 扔掉了。看一下 `__malloc_hook` 在 libc 中的偏移: ``` -$ readelf -s libc.so.6_1 | grep __malloc_hook +$ readelf -s libc-2.19.so | grep __malloc_hook 1079: 00000000003be740 8 OBJECT WEAK DEFAULT 31 __malloc_hook@@GLIBC_2.2.5 ``` 因为偏移是不变的,我们总是可以计算出 libc 的地址: @@ -1045,9 +1048,9 @@ firmy ```python from pwn import * -io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'}) +io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'}) elf = ELF('freenote') -libc = ELF('libc.so.6_1') +libc = ELF('libc-2.19.so') def newnote(x): io.recvuntil("Your choice: ") diff --git a/doc/6.1.8_pwn_dctf2017_flex.md b/doc/6.1.8_pwn_dctf2017_flex.md index 8c7521d..6b13a41 100644 --- a/doc/6.1.8_pwn_dctf2017_flex.md +++ b/doc/6.1.8_pwn_dctf2017_flex.md @@ -131,7 +131,7 @@ $ ldd flex | 0x00401161 31c0 xor eax, eax | 0x00401163 bf47454000 mov edi, str.FlexMD5_bruteforce_tool_V0.1 ; 0x404547 ; "FlexMD5 bruteforce tool V0.1" | 0x00401168 e863faffff call sym.imp.puts ; int puts(const char *s) -| 0x0040116d bf64454000 mov edi, str.custom_md5_state__yes_No_ ; 0x404564 ; "custom md5 state (yes/No)" +| 0x0040116d bf64454000 mov edi, str.custom_md5_state__yes_No_ ; 0x404564 ; "custom md5 state (yes/No)" | 0x00401172 e859faffff call sym.imp.puts ; int puts(const char *s) | 0x00401177 488d85e0feff. lea rax, [local_120h] | 0x0040117e be04000000 mov esi, 4 @@ -457,12 +457,6 @@ Bingo!!! ``` $ python2 exp.py [+] Opening connection to 127.0.0.1 on port 10001: Done -[*] '/usr/lib/libc-2.26.so' - Arch: amd64-64-little - RELRO: Full RELRO - Stack: Canary found - NX: NX enabled - PIE: PIE enabled [*] Switching to interactive mode $ whoami firmy diff --git a/doc/6.1.9_pwn_rhme3_exploitation.md b/doc/6.1.9_pwn_rhme3_exploitation.md index cafb736..b9cf1be 100644 --- a/doc/6.1.9_pwn_rhme3_exploitation.md 
+++ b/doc/6.1.9_pwn_rhme3_exploitation.md @@ -16,6 +16,9 @@ main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke $ checksec -f main.bin RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin +$ strings libc-2.23.so | grep "GNU C" +GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al. +Compiled by GNU CC version 5.4.0 20160609. ``` 64 位程序,保护措施除了 PIE 都开启了。 @@ -42,7 +45,7 @@ $ python2 -c 'print "90"*33' > nop.txt 最后把它运行起来: ``` -socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" & +socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" & ``` @@ -952,7 +955,7 @@ p.recvuntil('Name: ') leak = u64(p.recv(6).ljust(8, '\x00')) libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc -system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@ +system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@ log.info("leak => 0x%x" % leak) log.info("libc => 0x%x" % libc) diff --git a/doc/6_writeup.md b/doc/6_writeup.md index ab511dc..bc517de 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -31,6 +31,7 @@ * [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md) * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](6.1.29_pwn_insomnictf2017_the_great_escape3.md) * [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md) + * [6.1.31 pwn HITBCTF2018 mutepig](6.1.31_pwn_hitbctf2018_mutepig.md) * Reverse * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) diff --git a/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/exp.py b/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/exp.py index 17d78dc..cc43f20 100644 --- a/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/exp.py 
+++ b/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/exp.py @@ -3,7 +3,7 @@ from pwn import * #context.log_level = 'debug' -io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'}) one_gadget = 0x4526a system_offset = 0x45390 diff --git a/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/libc.so.6 b/src/writeup/6.1.16_pwn_hitbctf2017_1000levels/libc-2.23.so similarity index 100% rename from src/writeup/6.1.16_pwn_hitbctf2017_1000levels/libc.so.6 rename to src/writeup/6.1.16_pwn_hitbctf2017_1000levels/libc-2.23.so diff --git a/src/writeup/6.1.18_pwn_hitbctf2017_sentosa/exp.py b/src/writeup/6.1.18_pwn_hitbctf2017_sentosa/exp.py index 4b67ed2..d88a2e2 100644 --- a/src/writeup/6.1.18_pwn_hitbctf2017_sentosa/exp.py +++ b/src/writeup/6.1.18_pwn_hitbctf2017_sentosa/exp.py @@ -4,8 +4,8 @@ from pwn import * #context.log_level = 'debug' -io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'}) -libc = ELF('libc.so.6') +io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'}) +libc = ELF('libc-2.23.so') def start_proj(length, name, price, area, capacity): io.sendlineafter("Exit\n", '1') diff --git a/src/writeup/6.1.18_pwn_hitbctf2017_sentosa/libc.so.6 b/src/writeup/6.1.18_pwn_hitbctf2017_sentosa/libc-2.23.so similarity index 100% rename from src/writeup/6.1.18_pwn_hitbctf2017_sentosa/libc.so.6 rename to src/writeup/6.1.18_pwn_hitbctf2017_sentosa/libc-2.23.so diff --git a/src/writeup/6.1.19_pwn_hitbctf2018_gundam/exp.py b/src/writeup/6.1.19_pwn_hitbctf2018_gundam/exp.py index ccb9693..b5cefcf 100644 --- a/src/writeup/6.1.19_pwn_hitbctf2018_gundam/exp.py +++ b/src/writeup/6.1.19_pwn_hitbctf2018_gundam/exp.py 
@@ -4,9 +4,9 @@ from pwn import * #context.log_level = 'debug' -io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'}) #elf = ELF('gundam') -libc = ELF('libc.so.6') +libc = ELF('libc-2.26.so') def build(name): io.sendlineafter("choice : ", '1') diff --git a/src/writeup/6.1.19_pwn_hitbctf2018_gundam/libc.so.6 b/src/writeup/6.1.19_pwn_hitbctf2018_gundam/libc-2.26.so similarity index 100% rename from src/writeup/6.1.19_pwn_hitbctf2018_gundam/libc.so.6 rename to src/writeup/6.1.19_pwn_hitbctf2018_gundam/libc-2.26.so diff --git a/src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/exp.py b/src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/exp.py index 37b797f..dcb0582 100644 --- a/src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/exp.py +++ b/src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/exp.py @@ -4,9 +4,9 @@ from pwn import * #context.log_level = 'debug' -io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'}) elf = ELF('SecretHolder') -libc = ELF('libc.so.6') +libc = ELF('libc-2.23.so') small_ptr = 0x006020b0 big_ptr = 0x006020a0 diff --git a/src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/libc.so.6 b/src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/libc-2.23.so similarity index 100% rename from src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/libc.so.6 rename to src/writeup/6.1.21_pwn_hitconctf2016_secret_holder/libc-2.23.so diff --git a/src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/exp.py b/src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/exp.py index 797b3a8..3fd32aa 100644 --- a/src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/exp.py +++ b/src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/exp.py 
@@ -4,9 +4,9 @@ from pwn import * #context.log_level = 'debug' -io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'}) +io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'}) elf = ELF('SleepyHolder') -libc = ELF('libc.so.6') +libc = ELF('libc-2.23.so') small_ptr = 0x006020d0 big_ptr = 0x006020c0 diff --git a/src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/libc.so.6 b/src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/libc-2.23.so similarity index 100% rename from src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/libc.so.6 rename to src/writeup/6.1.22_pwn_hitconctf2016_sleepy_holder/libc-2.23.so diff --git a/src/writeup/6.1.24_hitconctf2016_house_of_orange/exp.py b/src/writeup/6.1.24_hitconctf2016_house_of_orange/exp.py index 8217d30..41e2d07 100644 --- a/src/writeup/6.1.24_hitconctf2016_house_of_orange/exp.py +++ b/src/writeup/6.1.24_hitconctf2016_house_of_orange/exp.py @@ -4,8 +4,8 @@ from pwn import * #context.log_level = 'debug' -io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'}) -libc = ELF('libc.so.6') +io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'}) +libc = ELF('libc-2.23.so') def build(size, name): io.sendlineafter("Your choice : ", '1') diff --git a/src/writeup/6.1.24_hitconctf2016_house_of_orange/libc.so.6 b/src/writeup/6.1.24_hitconctf2016_house_of_orange/libc-2.23.so similarity index 100% rename from src/writeup/6.1.24_hitconctf2016_house_of_orange/libc.so.6 rename to src/writeup/6.1.24_hitconctf2016_house_of_orange/libc-2.23.so diff --git a/src/writeup/6.1.26_pwn_34c3ctf2017_300/exp.py b/src/writeup/6.1.26_pwn_34c3ctf2017_300/exp.py index 24616f3..ef86b3d 100644 --- a/src/writeup/6.1.26_pwn_34c3ctf2017_300/exp.py +++ b/src/writeup/6.1.26_pwn_34c3ctf2017_300/exp.py 
@@ -4,8 +4,8 @@ from pwn import * #context.log_level = 'debug' -io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'}) -libc = ELF('libc.so.6') +io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'}) +libc = ELF('libc-2.24.so') def alloc(idx): io.sendlineafter("free\n", '1') diff --git a/src/writeup/6.1.26_pwn_34c3ctf2017_300/libc.so.6 b/src/writeup/6.1.26_pwn_34c3ctf2017_300/libc-2.24.so similarity index 100% rename from src/writeup/6.1.26_pwn_34c3ctf2017_300/libc.so.6 rename to src/writeup/6.1.26_pwn_34c3ctf2017_300/libc-2.24.so diff --git a/src/writeup/6.1.28_pwn_asisctf2016_b00ks/libc.so.6 b/src/writeup/6.1.28_pwn_asisctf2016_b00ks/libc-2.23.so similarity index 100% rename from src/writeup/6.1.28_pwn_asisctf2016_b00ks/libc.so.6 rename to src/writeup/6.1.28_pwn_asisctf2016_b00ks/libc-2.23.so diff --git a/src/writeup/6.1.30_pwn_hitconctf2017_ghost_in_the_heap/libc.so.6 b/src/writeup/6.1.30_pwn_hitconctf2017_ghost_in_the_heap/libc-2.24.so similarity index 100% rename from src/writeup/6.1.30_pwn_hitconctf2017_ghost_in_the_heap/libc.so.6 rename to src/writeup/6.1.30_pwn_hitconctf2017_ghost_in_the_heap/libc-2.24.so diff --git a/src/writeup/6.1.31_pwn_hitbctf2018_mutepig/libc-2.23.so b/src/writeup/6.1.31_pwn_hitbctf2018_mutepig/libc-2.23.so new file mode 100755 index 0000000..af3ede5 Binary files /dev/null and b/src/writeup/6.1.31_pwn_hitbctf2018_mutepig/libc-2.23.so differ diff --git a/src/writeup/6.1.31_pwn_hitbctf2018_mutepig/mutepig b/src/writeup/6.1.31_pwn_hitbctf2018_mutepig/mutepig new file mode 100755 index 0000000..da2e281 Binary files /dev/null and b/src/writeup/6.1.31_pwn_hitbctf2018_mutepig/mutepig differ diff --git a/src/writeup/6.1.7_pwn_0ctf2015_freenote/exp.py b/src/writeup/6.1.7_pwn_0ctf2015_freenote/exp.py index 2553f72..5ad3081 100644 --- a/src/writeup/6.1.7_pwn_0ctf2015_freenote/exp.py +++ b/src/writeup/6.1.7_pwn_0ctf2015_freenote/exp.py 
@@ -2,9 +2,9 @@ from pwn import * -io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'}) +io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'}) elf = ELF('freenote') -libc = ELF('libc.so.6_1') +libc = ELF('libc-2.19.so') def newnote(x): io.recvuntil("Your choice: ") diff --git a/src/writeup/6.1.7_pwn_0ctf2015_freenote/libc.so.6_1 b/src/writeup/6.1.7_pwn_0ctf2015_freenote/libc-2.19.so similarity index 100% rename from src/writeup/6.1.7_pwn_0ctf2015_freenote/libc.so.6_1 rename to src/writeup/6.1.7_pwn_0ctf2015_freenote/libc-2.19.so diff --git a/src/writeup/6.1.7_pwn_0ctf2015_freenote/run.sh b/src/writeup/6.1.7_pwn_0ctf2015_freenote/run.sh index fcc1eb3..d48c7d1 100644 --- a/src/writeup/6.1.7_pwn_0ctf2015_freenote/run.sh +++ b/src/writeup/6.1.7_pwn_0ctf2015_freenote/run.sh @@ -1 +1 @@ -socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" & +socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" & diff --git a/src/writeup/6.1.9_pwn_rhme3_exploitation/exp.py b/src/writeup/6.1.9_pwn_rhme3_exploitation/exp.py index 80f9ad0..0354da4 100644 --- a/src/writeup/6.1.9_pwn_rhme3_exploitation/exp.py +++ b/src/writeup/6.1.9_pwn_rhme3_exploitation/exp.py @@ -63,7 +63,7 @@ p.recvuntil('Name: ') leak = u64(p.recv(6).ljust(8, '\x00')) libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc -system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@ +system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@ log.info("leak => 0x%x" % leak) log.info("libc => 0x%x" % libc) diff --git a/src/writeup/6.1.9_pwn_rhme3_exploitation/libc.so.6 b/src/writeup/6.1.9_pwn_rhme3_exploitation/libc-2.23.so similarity index 100% rename from src/writeup/6.1.9_pwn_rhme3_exploitation/libc.so.6 rename to src/writeup/6.1.9_pwn_rhme3_exploitation/libc-2.23.so diff --git a/src/writeup/6.1.9_pwn_rhme3_exploitation/run.sh b/src/writeup/6.1.9_pwn_rhme3_exploitation/run.sh index 6dab5ea..ce74a1b 100644 
--- a/src/writeup/6.1.9_pwn_rhme3_exploitation/run.sh +++ b/src/writeup/6.1.9_pwn_rhme3_exploitation/run.sh @@ -1 +1 @@ -socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" & +socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &
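Review bot: The renames of `doc/3.1.9_kernel_rop.md`, `doc/3.1.10_linux_kernel_exploit.md`, `doc/3.1.11_windows_kernel_exploit.md` and the delete/re-add of `doc/3.1.12_race_condition.md` as `doc/3.1.13_race_condition.md` only update the two index files (`SUMMARY.md`, `doc/3_topics.md`); any cross-reference elsewhere in `doc/` that still names the old paths, and any external bookmark, will now 404. Suggest grepping the tree for the old basenames before merging and mentioning the renumbering in the commit message. The race-condition file is also recorded as a deletion plus a new file rather than a rename (the single-line content changed entirely), so `git log --follow` loses its history; a `git mv` followed by the heading edit would have kept it.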
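Review bot: In the new `doc/3.1.9_heap_exploit_4.md`, the section headings `#### house_of_rabbit` and `#### house_of_roman` are level-4 headings placed directly under the level-1 title, while the sibling `## 参考资料` and the other chapters use `##`; suggest `## house_of_rabbit` and `## house_of_roman` so the rendered outline is consistent. Both sections are empty stubs, so the new SUMMARY entry links to a page that currently contains only references; either add a short placeholder line or flag the page as work in progress. The download link `[下载文件](../src/Others/3.1.6_heap_exploit)` points at the part-one source directory; confirm that is the intended location for the part-four material.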
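Review bot: The `libc.so.6` to `libc-2.xx.so` renames are consistent across the writeup docs, the `exp.py` scripts and the `run.sh` files, and the versioned names make it clear which build each one_gadget/`system` offset was computed against. One fix hidden in the freenote hunk deserves a line in the commit message: the old socat command `LD_PRELOAD=./libc.so_1` never matched the committed file `libc.so.6_1`, so `-socat ... exec:"env LD_PRELOAD=./libc.so_1 ./freenote"` was broken before this change and `LD_PRELOAD=./libc-2.19.so` now actually loads the bundled libc. Note that `LD_PRELOAD=./libc-2.19.so` is relative to the working directory, so `run.sh` has to be launched from inside the writeup directory.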
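Review bot: Several captured transcripts were hand-edited rather than regenerated. In `doc/6.1.26_pwn_34c3ctf2017_300.md` and `doc/6.1.8_pwn_dctf2017_flex.md` the removed lines starting with `[*] '/home/firmyy/300/libc.so.6'` and `[*] '/usr/lib/libc-2.26.so'` are genuine pwntools output from `ELF(...)`, and the renamed `libc = ELF('libc-2.24.so')` still prints the same banner with the new path, so a reader running `exp.py` will see output the page no longer shows. In `doc/6.1.19_pwn_hitbctf2018_gundam.md` and `doc/6.1.7_pwn_0ctf2015_freenote.md` the `vmmap libc` paths were rewritten to `libc-2.26.so` / `libc-2.19.so` while the surrounding addresses and pids are still from the original run. Suggest re-running and pasting fresh output, or adding a one-line note that the ELF banner was trimmed from the transcript.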
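Review bot: The `doc/6.1.1_pwn_hctf2016_brop.md` hunk replacing the radare2 `pd 14 @ 0x4005e7` listing, and the `mov edi, str.custom_md5_state__yes_No_` line in `doc/6.1.8_pwn_dctf2017_flex.md`, are whitespace-only changes (the old and new lines are textually identical apart from indentation), presumably tab-to-space normalization. Confirm that is intentional and say so in the commit message, otherwise the hunk reads as a content change to the disassembly.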
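Review bot: In the new `doc/6.1.31_pwn_hitbctf2018_mutepig.md`, the prompt line `[firmy@firmy-pc mutepip]$ checksec -f mutepig` breaks the bare `$ ` prompt convention used on the adjacent `file` and `strings` lines and carries a "mutepip" typo in the directory name; suggest `$ checksec -f mutepig`. The `题目解析` and `漏洞利用` sections are empty, so the SUMMARY entry currently links to a stub. The bundled libc reports `GNU C Library (GNU libc) stable release version 2.23` compiled by `GNU CC version 8.1.0`, i.e. not a distro build like the `Ubuntu GLIBC` libcs in the other writeups; note where it came from so that any offsets derived from it later are reproducible.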