This commit is contained in:
firmianay 2018-06-07 17:23:45 +08:00
parent 6301bcc4f8
commit 77551e0470
47 changed files with 146 additions and 99 deletions

View File

@ -68,13 +68,14 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md) * [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md)
* [3.1.4 返回导向编程ROPx86](doc/3.1.4_rop_x86.md) * [3.1.4 返回导向编程ROPx86](doc/3.1.4_rop_x86.md)
* [3.1.5 返回导向编程ROPARM](doc/3.1.5_rop_arm.md) * [3.1.5 返回导向编程ROPARM](doc/3.1.5_rop_arm.md)
* [3.1.6 Linux 堆利用(上)](doc/3.1.6_heap_exploit_1.md) * [3.1.6 Linux 堆利用(一)](doc/3.1.6_heap_exploit_1.md)
* [3.1.7 Linux 堆利用(中)](doc/3.1.7_heap_exploit_2.md) * [3.1.7 Linux 堆利用(二)](doc/3.1.7_heap_exploit_2.md)
* [3.1.8 Linux 堆利用(下)](doc/3.1.8_heap_exploit_3.md) * [3.1.8 Linux 堆利用(三)](doc/3.1.8_heap_exploit_3.md)
* [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md) * [3.1.9 Linux 堆利用(四)](doc/3.1.9_heap_exploit_4.md)
* [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md) * [3.1.10 内核 ROP](doc/3.1.10_kernel_rop.md)
* [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md) * [3.1.11 Linux 内核漏洞利用](doc/3.1.11_linux_kernel_exploit.md)
* [3.1.12 竞争条件](doc/3.1.12_race_condition.md) * [3.1.12 Windows 内核漏洞利用](doc/3.1.12_windows_kernel_exploit.md)
* [3.1.13 竞争条件](doc/3.1.13_race_condition.md)
* Reverse * Reverse
* [3.2.1 patch 二进制文件](doc/3.2.1_patch_binary.md) * [3.2.1 patch 二进制文件](doc/3.2.1_patch_binary.md)
* [3.2.2 脱壳技术PE](doc/3.2.2_pe_unpack.md) * [3.2.2 脱壳技术PE](doc/3.2.2_pe_unpack.md)
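Review bot: renumbering the existing chapters (3.1.9_kernel_rop.md becomes 3.1.10_kernel_rop.md, and 3.1.10 through 3.1.12 each shift by one) changes file names that other pages and external bookmarks may link to; the headings inside those files are updated elsewhere in this commit, but a repository-wide search for the old names (for example `3.1.9_kernel_rop.md` and `3.1.12_race_condition.md`) would confirm no stale links remain. Inserting the new part as 3.1.9 rather than appending it keeps the heap series contiguous, so the renumbering itself is reasonable, and the retitling from 上/中/下 to 一/二/三/四 is needed once a fourth part exists.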
@ -163,6 +164,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md) * [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
* [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md) * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md)
* [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md) * [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
* [6.1.31 pwn HITBCTF2018 mutepig](doc/6.1.31_pwn_hitbctf2018_mutepig.md)
* Reverse * Reverse
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
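Review bot: the new `6.1.31 pwn HITBCTF2018 mutepig` entry links to a page that, as added in this commit, has only the 题目复现 section filled in while 题目解析 and 漏洞利用 are empty headings; either mark the entry as work in progress or hold it until the write-up has content, so the index does not advertise a page that does not yet explain anything.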

View File

@ -1,4 +1,4 @@
# 3.1.9 内核 ROP # 3.1.10 内核 ROP
- [参考资料](#参考资料) - [参考资料](#参考资料)

View File

@ -1,4 +1,4 @@
# 3.1.10 Linux 内核漏洞利用 # 3.1.11 Linux 内核漏洞利用
- [从用户态到内核态](#从用户态到内核态) - [从用户态到内核态](#从用户态到内核态)
- [内核漏洞分类](#内核漏洞分类) - [内核漏洞分类](#内核漏洞分类)

View File

@ -1 +0,0 @@
# 3.1.12 竞争条件

View File

@ -1,4 +1,4 @@
# 3.1.11 Windows 内核漏洞利用 # 3.1.12 Windows 内核漏洞利用
- [参考资料](#参考资料) - [参考资料](#参考资料)

View File

@ -0,0 +1 @@
# 3.1.13 竞争条件
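Review bot: this file replaces the deleted 3.1.12_race_condition.md with the same single heading under the new number; since only the number changes, a `git mv` followed by the one-line edit would have kept the rename visible in history, though for a one-line stub this is cosmetic.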

View File

@ -0,0 +1,19 @@
# 3.1.9 Linux 堆利用(四)
- [house_of_rabbit](#house_of_rabbit)
- [house_of_roman](#house_of_roman)
- [参考资料](#参考资料)
[下载文件](../src/Others/3.1.6_heap_exploit)
#### house_of_rabbit
#### house_of_roman
## 参考资料
- [House of Rabbit - Heap exploitation technique bypassing ASLR](http://shift-crops.hatenablog.com/entry/2017/09/17/213235)
- https://github.com/shift-crops/House_of_Rabbit
- [House_of_Roman](https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc)
- https://github.com/romanking98/House-Of-Roman
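Review bot: the heading levels are inconsistent: `#### house_of_rabbit` and `#### house_of_roman` sit at level four directly under the level-one title while `## 参考资料` is level two; the other documents in this series use `##` for their main sections (see `## 题目复现` in the mutepig page added in this commit), so these two should be `##` as well. Also check the download link `../src/Others/3.1.6_heap_exploit`: it points at the part-one directory, which is fine if the four heap pages deliberately share one source folder, but a folder named for this part would be less surprising. Both technique sections are currently empty headings.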

View File

@ -6,13 +6,14 @@
* [3.1.3 栈溢出](3.1.3_stack_overflow.md) * [3.1.3 栈溢出](3.1.3_stack_overflow.md)
* [3.1.4 返回导向编程ROPx86](3.1.4_rop_x86.md) * [3.1.4 返回导向编程ROPx86](3.1.4_rop_x86.md)
* [3.1.5 返回导向编程ROPARM](3.1.5_rop_arm.md) * [3.1.5 返回导向编程ROPARM](3.1.5_rop_arm.md)
* [3.1.6 Linux 堆利用(上)](3.1.6_heap_exploit_1.md) * [3.1.6 Linux 堆利用(一)](3.1.6_heap_exploit_1.md)
* [3.1.7 Linux 堆利用(中)](3.1.7_heap_exploit_2.md) * [3.1.7 Linux 堆利用(二)](3.1.7_heap_exploit_2.md)
* [3.1.8 Linux 堆利用(下)](3.1.8_heap_exploit_3.md) * [3.1.8 Linux 堆利用(三)](3.1.8_heap_exploit_3.md)
* [3.1.9 内核 ROP](3.1.9_kernel_rop.md) * [3.1.9 Linux 堆利用(四)](3.1.9_heap_exploit_4.md)
* [3.1.10 Linux 内核漏洞利用](3.1.10_linux_kernel_exploit.md) * [3.1.10 内核 ROP](3.1.10_kernel_rop.md)
* [3.1.11 Windows 内核漏洞利用](3.1.11_windows_kernel_exploit.md) * [3.1.11 Linux 内核漏洞利用](3.1.11_linux_kernel_exploit.md)
* [3.1.12 竞争条件](3.1.12_race_condition.md) * [3.1.12 Windows 内核漏洞利用](3.1.12_windows_kernel_exploit.md)
* [3.1.13 竞争条件](3.1.13_race_condition.md)
* Reverse * Reverse
* [3.2.1 patch 二进制文件](3.2.1_patch_binary.md) * [3.2.1 patch 二进制文件](3.2.1_patch_binary.md)
* [3.2.2 脱壳技术PE](3.2.2_pe_unpack.md) * [3.2.2 脱壳技术PE](3.2.2_pe_unpack.md)

View File

@ -15,7 +15,7 @@ $ file 1000levels
$ checksec -f 1000levels $ checksec -f 1000levels
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 6 1000levels Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 6 1000levels
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609. Compiled by GNU CC version 5.4.0 20160609.
``` ```
@ -351,7 +351,7 @@ vaddr=0x00201fd0 paddr=0x00001fd0 type=SET_64 system
对于第一个问题,我们有不需要参数的 one-gadget 可以用,通过将输入的第二个数设置为偏移,即可通过程序的计算将 system 修改为 one-gadget。 对于第一个问题,我们有不需要参数的 one-gadget 可以用,通过将输入的第二个数设置为偏移,即可通过程序的计算将 system 修改为 one-gadget。
``` ```
$ one_gadget libc.so.6 $ one_gadget libc-2.23.so
0x45216 execve("/bin/sh", rsp+0x30, environ) 0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints: constraints:
rax == NULL rax == NULL
@ -456,7 +456,7 @@ firmy
from pwn import * from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
one_gadget = 0x4526a one_gadget = 0x4526a
system_offset = 0x45390 system_offset = 0x45390
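Review bot: naming the library by its version (`libc-2.23.so` instead of `libc.so.6`) in the `strings` check, the `one_gadget` call and the `LD_PRELOAD` line makes it explicit which build the hard-coded offsets `0x4526a` and `0x45390` belong to, which is the right call since those values are only valid for that exact build. One caveat worth a sentence in the text: preloading a libc that does not match the dynamic loader (`ld-linux-x86-64.so.2`) the binary is started with can fail at startup, so the loader should come from the same 2.23 build or the binary should be run through a matching loader.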

View File

@ -15,7 +15,7 @@ sentosa: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically lin
$ checksec -f sentosa $ checksec -f sentosa
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 sentosa Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 sentosa
$ strings libc.so.6| grep "GNU C" $ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu4) stable release version 2.23, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.23-0ubuntu4) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609. Compiled by GNU CC version 5.4.0 20160609.
``` ```
@ -715,8 +715,8 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
def start_proj(length, name, price, area, capacity): def start_proj(length, name, price, area, capacity):
io.sendlineafter("Exit\n", '1') io.sendlineafter("Exit\n", '1')

View File

@ -15,7 +15,7 @@ gundam: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically link
$ checksec -f gundam $ checksec -f gundam
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 4 gundam Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 4 gundam
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.26.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
Compiled by GNU CC version 6.4.0 20171010. Compiled by GNU CC version 6.4.0 20171010.
``` ```
@ -596,10 +596,10 @@ gdb-peda$ x/6gx 0x555555757b50-0x10
0x555555757b60: 0x0000000000000000 0x0000000000000000 0x555555757b60: 0x0000000000000000 0x0000000000000000
gdb-peda$ vmmap libc gdb-peda$ vmmap libc
Start End Perm Name Start End Perm Name
0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc.so.6 0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc-2.26.so
0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc.so.6 0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc-2.26.so
0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc.so.6 0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc-2.26.so
0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc.so.6 0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc-2.26.so
gdb-peda$ p 0x00007ffff7dd2c78 - 0x00007ffff79f8000 gdb-peda$ p 0x00007ffff7dd2c78 - 0x00007ffff79f8000
$1 = 0x3dac78 $1 = 0x3dac78
``` ```
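Review bot: the `vmmap libc` transcript in this hunk changed only the path component (`libc.so.6` to `libc-2.26.so`) while every address stays identical; if the session was re-run under gdb with ASLR disabled that is expected, but if the output was edited by hand it should be said, since readers may rely on the transcript to reproduce the `0x3dac78` offset computed directly below it.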
@ -696,9 +696,9 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
#elf = ELF('gundam') #elf = ELF('gundam')
libc = ELF('libc.so.6') libc = ELF('libc-2.26.so')
def build(name): def build(name):
io.sendlineafter("choice : ", '1') io.sendlineafter("choice : ", '1')

View File

@ -15,7 +15,7 @@ SecretHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
$ checksec -f SecretHolder $ checksec -f SecretHolder
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SecretHolder Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SecretHolder
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413. Compiled by GNU CC version 5.3.1 20160413.
``` ```
@ -554,9 +554,9 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SecretHolder') elf = ELF('SecretHolder')
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
small_ptr = 0x006020b0 small_ptr = 0x006020b0
big_ptr = 0x006020a0 big_ptr = 0x006020a0

View File

@ -15,7 +15,7 @@ SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
$ checksec -f SleepyHolder $ checksec -f SleepyHolder
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413. Compiled by GNU CC version 5.3.1 20160413.
``` ```
@ -525,9 +525,9 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SleepyHolder') elf = ELF('SleepyHolder')
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
small_ptr = 0x006020d0 small_ptr = 0x006020d0
big_ptr = 0x006020c0 big_ptr = 0x006020c0

View File

@ -15,7 +15,7 @@ houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamical
$ checksec -f houseoforange $ checksec -f houseoforange
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413. Compiled by GNU CC version 5.3.1 20160413.
``` ```
@ -744,8 +744,8 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
def build(size, name): def build(size, name):
io.sendlineafter("Your choice : ", '1') io.sendlineafter("Your choice : ", '1')

View File

@ -15,7 +15,7 @@ $ file 300
$ checksec -f 300 $ checksec -f 300
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 2 300 Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 2 300
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.24.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
Compiled by GNU CC version 6.3.0 20170406. Compiled by GNU CC version 6.3.0 20170406.
``` ```
@ -434,12 +434,6 @@ def pwn():
``` ```
python exp.py python exp.py
[+] Starting local process './300': pid 5158 [+] Starting local process './300': pid 5158
[*] '/home/firmyy/300/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] libc_base address: 0x7efdcef24000 [*] libc_base address: 0x7efdcef24000
[*] heap address: 0x5624a7a3c000 [*] heap address: 0x5624a7a3c000
[*] _IO_list_all address: 0x7efdcf2e6500 [*] _IO_list_all address: 0x7efdcf2e6500
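Review bot: the six removed lines were the pwntools `ELF()` banner for `/home/firmyy/300/libc.so.6`; dropping them shortens the transcript, but they were also the only place it recorded which libc file the exploit loaded. Since the next hunk renames the file to `libc-2.24.so`, keeping the banner with the new name (or re-capturing the run) would keep the transcript consistent with the script it illustrates.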
@ -462,8 +456,8 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
libc = ELF('libc.so.6') libc = ELF('libc-2.24.so')
def alloc(idx): def alloc(idx):
io.sendlineafter("free\n", '1') io.sendlineafter("free\n", '1')

View File

@ -15,7 +15,7 @@ b00ks: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linke
$ checksec -f b00ks $ checksec -f b00ks
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 b00ks Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 b00ks
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609. Compiled by GNU CC version 5.4.0 20160609.
``` ```

View File

@ -15,7 +15,7 @@ ghost_in_the_heap: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynam
$ checksec -f ghost_in_the_heap $ checksec -f ghost_in_the_heap
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 2 ghost_in_the_heap Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 2 ghost_in_the_heap
$ strings libc.so.6 | grep "GNU C" $ strings libc-2.24.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al. GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
Compiled by GNU CC version 6.3.0 20170406. Compiled by GNU CC version 6.3.0 20170406.
``` ```

View File

@ -0,0 +1,30 @@
# 6.1.31 pwn HITBCTF2018 mutepig
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.31_pwn_hitbctf2018_mutepig)
## 题目复现
```
$ file mutepig
mutepig: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=180b126011ab0d74ab49d0c3c52a41e85155a6a9, stripped
[firmy@firmy-pc mutepip]$ checksec -f mutepig
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 1 mutepig
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 8.1.0.
```
64 位程序,开启了 Canary 和 NX。
## 题目解析
## 漏洞利用
## 参考资料
- https://www.xctf.org.cn/library/details/hitb-quals-2018/#mutepig-pwn
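Review bot: in the 题目复现 block the second command uses a full shell prompt `[firmy@firmy-pc mutepip]$` while the surrounding commands use the bare `$`, and the directory name `mutepip` looks like a typo for `mutepig`; normalise the prompt to `$`. The `strings` output shows a vanilla `GNU libc` 2.23 built with GCC 8.1.0 rather than an Ubuntu build as in the other write-ups, so it is worth stating whether this is the libc shipped with the challenge or the local system's. The 题目解析 and 漏洞利用 sections are empty headings.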

View File

@ -15,6 +15,9 @@ freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
$ checksec -f freenote $ checksec -f freenote
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote
$ strings libc-2.19.so | grep "GNU C"
GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.6) stable release version 2.19, by Roland McGrath et al.
Compiled by GNU CC version 4.8.2.
``` ```
因为没有 PIE即使本机开启 ASLR 也没有关系。 因为没有 PIE即使本机开启 ASLR 也没有关系。
@ -101,7 +104,7 @@ Aborted
在 Ubuntu 14.04 上把程序跑起来: 在 Ubuntu 14.04 上把程序跑起来:
``` ```
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" & $ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &
``` ```
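Review bot: `LD_PRELOAD=./libc-2.19.so` is a relative path, so the socat listener only works when started from the directory that holds both the library and `./freenote`; an absolute path would make the command robust to where it is launched. The `fork` option spawns a fresh process per connection, so each attempt starts from a clean state, which is worth mentioning next to the command.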
@ -713,10 +716,10 @@ Start End Offset Perm Path
0x0000000000603000 0x0000000000625000 0x0000000000000000 rw- [heap] 0x0000000000603000 0x0000000000625000 0x0000000000000000 rw- [heap]
gef➤ vmmap libc gef➤ vmmap libc
Start End Offset Perm Path Start End Offset Perm Path
0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc.so.6_1 0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc-2.19.so
0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc.so.6_1 0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc-2.19.so
0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc.so.6_1 0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc-2.19.so
0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc.so.6_1 0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc-2.19.so
``` ```
为了泄漏堆地址,我们需要释放 2 个不相邻且不会被合并进 top chunk 里的 chunk所以我们创建 4 个笔记,可以看到由初始化阶段创建的 Notes 和 Note 结构体: 为了泄漏堆地址,我们需要释放 2 个不相邻且不会被合并进 top chunk 里的 chunk所以我们创建 4 个笔记,可以看到由初始化阶段创建的 Notes 和 Note 结构体:
@ -840,7 +843,7 @@ gef➤ x/20gx 0x00007ffff7dd37b8-0x78
``` ```
我们看到 `__malloc_hook` 在这个地址 `0x00007ffff7dd37b8-0x78` 的地方。其实 `0x7ffff7dd3760` 地方开始就是 `main_arena`,但在这个 libc 里符号被 stripped 扔掉了。看一下 `__malloc_hook` 在 libc 中的偏移: 我们看到 `__malloc_hook` 在这个地址 `0x00007ffff7dd37b8-0x78` 的地方。其实 `0x7ffff7dd3760` 地方开始就是 `main_arena`,但在这个 libc 里符号被 stripped 扔掉了。看一下 `__malloc_hook` 在 libc 中的偏移:
``` ```
$ readelf -s libc.so.6_1 | grep __malloc_hook $ readelf -s libc-2.19.so | grep __malloc_hook
1079: 00000000003be740 8 OBJECT WEAK DEFAULT 31 __malloc_hook@@GLIBC_2.2.5 1079: 00000000003be740 8 OBJECT WEAK DEFAULT 31 __malloc_hook@@GLIBC_2.2.5
``` ```
因为偏移是不变的,我们总是可以计算出 libc 的地址: 因为偏移是不变的,我们总是可以计算出 libc 的地址:
@ -1045,9 +1048,9 @@ firmy
```python ```python
from pwn import * from pwn import *
io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'}) io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
elf = ELF('freenote') elf = ELF('freenote')
libc = ELF('libc.so.6_1') libc = ELF('libc-2.19.so')
def newnote(x): def newnote(x):
io.recvuntil("Your choice: ") io.recvuntil("Your choice: ")

View File

@ -457,12 +457,6 @@ Bingo!!!
``` ```
$ python2 exp.py $ python2 exp.py
[+] Opening connection to 127.0.0.1 on port 10001: Done [+] Opening connection to 127.0.0.1 on port 10001: Done
[*] '/usr/lib/libc-2.26.so'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Switching to interactive mode [*] Switching to interactive mode
$ whoami $ whoami
firmy firmy
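Review bot: the removed banner lines were the only place this transcript showed which libc the exploit ran against (`/usr/lib/libc-2.26.so`, the system library, since this exp connects to 127.0.0.1:10001 rather than preloading a bundled copy); with them gone, a sentence in the prose stating the libc build the offsets were derived from would preserve that information.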

View File

@ -16,6 +16,9 @@ main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
$ checksec -f main.bin $ checksec -f main.bin
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin
$ strings libc-2.23.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609.
``` ```
64 位程序,保护措施除了 PIE 都开启了。 64 位程序,保护措施除了 PIE 都开启了。
@ -42,7 +45,7 @@ $ python2 -c 'print "90"*33' > nop.txt
最后把它运行起来: 最后把它运行起来:
``` ```
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" & socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &
``` ```
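Review bot: this command runs `./main.elf`, while the `file` and `checksec` output in the earlier hunk of this page refer to `main.bin`; if `main.elf` is a patched copy of `main.bin` (the `nop.txt` in the hunk header suggests a patching step), say so where it is created, otherwise the name here should be `main.bin`.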
@ -952,7 +955,7 @@ p.recvuntil('Name: ')
leak = u64(p.recv(6).ljust(8, '\x00')) leak = u64(p.recv(6).ljust(8, '\x00'))
libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc
system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@ system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@
log.info("leak => 0x%x" % leak) log.info("leak => 0x%x" % leak)
log.info("libc => 0x%x" % libc) log.info("libc => 0x%x" % libc)
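Review bot: `system = libc + 0x045390` keeps the offset hard-coded with the `readelf` command only in a comment; the other exploit scripts in this commit already load the library with `ELF('libc-2.23.so')`, and `libc.symbols['system']` from that object would tie the offset to the file named in `LD_PRELOAD` automatically, so a renamed or swapped libc cannot silently desynchronise the comment from the value.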

View File

@ -31,6 +31,7 @@
* [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md) * [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md)
* [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](6.1.29_pwn_insomnictf2017_the_great_escape3.md) * [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](6.1.29_pwn_insomnictf2017_the_great_escape3.md)
* [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md) * [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
* [6.1.31 pwn HITBCTF2018 mutepig](6.1.31_pwn_hitbctf2018_mutepig.md)
* Reverse * Reverse
* [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)

View File

@ -3,7 +3,7 @@
from pwn import * from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
one_gadget = 0x4526a one_gadget = 0x4526a
system_offset = 0x45390 system_offset = 0x45390

View File

@ -4,8 +4,8 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
def start_proj(length, name, price, area, capacity): def start_proj(length, name, price, area, capacity):
io.sendlineafter("Exit\n", '1') io.sendlineafter("Exit\n", '1')

View File

@ -4,9 +4,9 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
#elf = ELF('gundam') #elf = ELF('gundam')
libc = ELF('libc.so.6') libc = ELF('libc-2.26.so')
def build(name): def build(name):
io.sendlineafter("choice : ", '1') io.sendlineafter("choice : ", '1')

View File

@ -4,9 +4,9 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SecretHolder') elf = ELF('SecretHolder')
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
small_ptr = 0x006020b0 small_ptr = 0x006020b0
big_ptr = 0x006020a0 big_ptr = 0x006020a0

View File

@ -4,9 +4,9 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
elf = ELF('SleepyHolder') elf = ELF('SleepyHolder')
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
small_ptr = 0x006020d0 small_ptr = 0x006020d0
big_ptr = 0x006020c0 big_ptr = 0x006020c0

View File

@ -4,8 +4,8 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
libc = ELF('libc.so.6') libc = ELF('libc-2.23.so')
def build(size, name): def build(size, name):
io.sendlineafter("Your choice : ", '1') io.sendlineafter("Your choice : ", '1')

View File

@ -4,8 +4,8 @@ from pwn import *
#context.log_level = 'debug' #context.log_level = 'debug'
io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'}) io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
libc = ELF('libc.so.6') libc = ELF('libc-2.24.so')
def alloc(idx): def alloc(idx):
io.sendlineafter("free\n", '1') io.sendlineafter("free\n", '1')

Binary file not shown.

Binary file not shown.

View File

@ -2,9 +2,9 @@
from pwn import * from pwn import *
io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'}) io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
elf = ELF('freenote') elf = ELF('freenote')
libc = ELF('libc.so.6_1') libc = ELF('libc-2.19.so')
def newnote(x): def newnote(x):
io.recvuntil("Your choice: ") io.recvuntil("Your choice: ")

View File

@ -1 +1 @@
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" & socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &

View File

@ -63,7 +63,7 @@ p.recvuntil('Name: ')
leak = u64(p.recv(6).ljust(8, '\x00')) leak = u64(p.recv(6).ljust(8, '\x00'))
libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc
system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@ system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@
log.info("leak => 0x%x" % leak) log.info("leak => 0x%x" % leak)
log.info("libc => 0x%x" % libc) log.info("libc => 0x%x" % libc)

View File

@ -1 +1 @@
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" & socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &