mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
fix
This commit is contained in:
parent
6301bcc4f8
commit
77551e0470
16
SUMMARY.md
16
SUMMARY.md
@ -68,13 +68,14 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [3.1.3 栈溢出](doc/3.1.3_stack_overflow.md)
|
||||
* [3.1.4 返回导向编程(ROP)(x86)](doc/3.1.4_rop_x86.md)
|
||||
* [3.1.5 返回导向编程(ROP)(ARM)](doc/3.1.5_rop_arm.md)
|
||||
* [3.1.6 Linux 堆利用(上)](doc/3.1.6_heap_exploit_1.md)
|
||||
* [3.1.7 Linux 堆利用(中)](doc/3.1.7_heap_exploit_2.md)
|
||||
* [3.1.8 Linux 堆利用(下)](doc/3.1.8_heap_exploit_3.md)
|
||||
* [3.1.9 内核 ROP](doc/3.1.9_kernel_rop.md)
|
||||
* [3.1.10 Linux 内核漏洞利用](doc/3.1.10_linux_kernel_exploit.md)
|
||||
* [3.1.11 Windows 内核漏洞利用](doc/3.1.11_windows_kernel_exploit.md)
|
||||
* [3.1.12 竞争条件](doc/3.1.12_race_condition.md)
|
||||
* [3.1.6 Linux 堆利用(一)](doc/3.1.6_heap_exploit_1.md)
|
||||
* [3.1.7 Linux 堆利用(二)](doc/3.1.7_heap_exploit_2.md)
|
||||
* [3.1.8 Linux 堆利用(三)](doc/3.1.8_heap_exploit_3.md)
|
||||
* [3.1.9 Linux 堆利用(四)](doc/3.1.9_heap_exploit_4.md)
|
||||
* [3.1.10 内核 ROP](doc/3.1.10_kernel_rop.md)
|
||||
* [3.1.11 Linux 内核漏洞利用](doc/3.1.11_linux_kernel_exploit.md)
|
||||
* [3.1.12 Windows 内核漏洞利用](doc/3.1.12_windows_kernel_exploit.md)
|
||||
* [3.1.13 竞争条件](doc/3.1.13_race_condition.md)
|
||||
* Reverse
|
||||
* [3.2.1 patch 二进制文件](doc/3.2.1_patch_binary.md)
|
||||
* [3.2.2 脱壳技术(PE)](doc/3.2.2_pe_unpack.md)
|
||||
@ -163,6 +164,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
|
||||
* [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md)
|
||||
* [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](doc/6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
|
||||
* [6.1.31 pwn HITBCTF2018 mutepig](doc/6.1.31_pwn_hitbctf2018_mutepig.md)
|
||||
* Reverse
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 3.1.9 内核 ROP
|
||||
# 3.1.10 内核 ROP
|
||||
|
||||
- [参考资料](#参考资料)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 3.1.10 Linux 内核漏洞利用
|
||||
# 3.1.11 Linux 内核漏洞利用
|
||||
|
||||
- [从用户态到内核态](#从用户态到内核态)
|
||||
- [内核漏洞分类](#内核漏洞分类)
|
@ -1 +0,0 @@
|
||||
# 3.1.12 竞争条件
|
@ -1,4 +1,4 @@
|
||||
# 3.1.11 Windows 内核漏洞利用
|
||||
# 3.1.12 Windows 内核漏洞利用
|
||||
|
||||
- [参考资料](#参考资料)
|
||||
|
1
doc/3.1.13_race_condition.md
Normal file
1
doc/3.1.13_race_condition.md
Normal file
@ -0,0 +1 @@
|
||||
# 3.1.13 竞争条件
|
19
doc/3.1.9_heap_exploit_4.md
Normal file
19
doc/3.1.9_heap_exploit_4.md
Normal file
@ -0,0 +1,19 @@
|
||||
# 3.1.9 Linux 堆利用(四)
|
||||
|
||||
- [house_of_rabbit](#house_of_rabbit)
|
||||
- [house_of_roman](#house_of_roman)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/Others/3.1.6_heap_exploit)
|
||||
|
||||
#### house_of_rabbit
|
||||
|
||||
#### house_of_roman
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [House of Rabbit - Heap exploitation technique bypassing ASLR](http://shift-crops.hatenablog.com/entry/2017/09/17/213235)
|
||||
- https://github.com/shift-crops/House_of_Rabbit
|
||||
- [House_of_Roman](https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc)
|
||||
- https://github.com/romanking98/House-Of-Roman
|
@ -6,13 +6,14 @@
|
||||
* [3.1.3 栈溢出](3.1.3_stack_overflow.md)
|
||||
* [3.1.4 返回导向编程(ROP)(x86)](3.1.4_rop_x86.md)
|
||||
* [3.1.5 返回导向编程(ROP)(ARM)](3.1.5_rop_arm.md)
|
||||
* [3.1.6 Linux 堆利用(上)](3.1.6_heap_exploit_1.md)
|
||||
* [3.1.7 Linux 堆利用(中)](3.1.7_heap_exploit_2.md)
|
||||
* [3.1.8 Linux 堆利用(下)](3.1.8_heap_exploit_3.md)
|
||||
* [3.1.9 内核 ROP](3.1.9_kernel_rop.md)
|
||||
* [3.1.10 Linux 内核漏洞利用](3.1.10_linux_kernel_exploit.md)
|
||||
* [3.1.11 Windows 内核漏洞利用](3.1.11_windows_kernel_exploit.md)
|
||||
* [3.1.12 竞争条件](3.1.12_race_condition.md)
|
||||
* [3.1.6 Linux 堆利用(一)](3.1.6_heap_exploit_1.md)
|
||||
* [3.1.7 Linux 堆利用(二)](3.1.7_heap_exploit_2.md)
|
||||
* [3.1.8 Linux 堆利用(三)](3.1.8_heap_exploit_3.md)
|
||||
* [3.1.9 Linux 堆利用(四)](3.1.9_heap_exploit_4.md)
|
||||
* [3.1.10 内核 ROP](3.1.10_kernel_rop.md)
|
||||
* [3.1.11 Linux 内核漏洞利用](3.1.11_linux_kernel_exploit.md)
|
||||
* [3.1.12 Windows 内核漏洞利用](3.1.12_windows_kernel_exploit.md)
|
||||
* [3.1.13 竞争条件](3.1.13_race_condition.md)
|
||||
* Reverse
|
||||
* [3.2.1 patch 二进制文件](3.2.1_patch_binary.md)
|
||||
* [3.2.2 脱壳技术(PE)](3.2.2_pe_unpack.md)
|
||||
|
@ -15,7 +15,7 @@ $ file 1000levels
|
||||
$ checksec -f 1000levels
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 6 1000levels
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.4.0 20160609.
|
||||
```
|
||||
@ -351,7 +351,7 @@ vaddr=0x00201fd0 paddr=0x00001fd0 type=SET_64 system
|
||||
|
||||
对于第一个问题,我们有不需要参数的 one-gadget 可以用,通过将输入的第二个数设置为偏移,即可通过程序的计算将 system 修改为 one-gadget。
|
||||
```
|
||||
$ one_gadget libc.so.6
|
||||
$ one_gadget libc-2.23.so
|
||||
0x45216 execve("/bin/sh", rsp+0x30, environ)
|
||||
constraints:
|
||||
rax == NULL
|
||||
@ -456,7 +456,7 @@ firmy
|
||||
from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
|
||||
one_gadget = 0x4526a
|
||||
system_offset = 0x45390
|
||||
|
@ -15,7 +15,7 @@ sentosa: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically lin
|
||||
$ checksec -f sentosa
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 sentosa
|
||||
$ strings libc.so.6| grep "GNU C"
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu4) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.4.0 20160609.
|
||||
```
|
||||
@ -715,8 +715,8 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
libc = ELF('libc.so.6')
|
||||
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
def start_proj(length, name, price, area, capacity):
|
||||
io.sendlineafter("Exit\n", '1')
|
||||
|
@ -15,7 +15,7 @@ gundam: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically link
|
||||
$ checksec -f gundam
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 4 gundam
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.26.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 6.4.0 20171010.
|
||||
```
|
||||
@ -596,10 +596,10 @@ gdb-peda$ x/6gx 0x555555757b50-0x10
|
||||
0x555555757b60: 0x0000000000000000 0x0000000000000000
|
||||
gdb-peda$ vmmap libc
|
||||
Start End Perm Name
|
||||
0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc.so.6
|
||||
0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc.so.6
|
||||
0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc.so.6
|
||||
0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc.so.6
|
||||
0x00007ffff79f8000 0x00007ffff7bce000 r-xp /home/firmy/gundam/libc-2.26.so
|
||||
0x00007ffff7bce000 0x00007ffff7dce000 ---p /home/firmy/gundam/libc-2.26.so
|
||||
0x00007ffff7dce000 0x00007ffff7dd2000 r--p /home/firmy/gundam/libc-2.26.so
|
||||
0x00007ffff7dd2000 0x00007ffff7dd4000 rw-p /home/firmy/gundam/libc-2.26.so
|
||||
gdb-peda$ p 0x00007ffff7dd2c78 - 0x00007ffff79f8000
|
||||
$1 = 0x3dac78
|
||||
```
|
||||
@ -696,9 +696,9 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
|
||||
#elf = ELF('gundam')
|
||||
libc = ELF('libc.so.6')
|
||||
libc = ELF('libc-2.26.so')
|
||||
|
||||
def build(name):
|
||||
io.sendlineafter("choice : ", '1')
|
||||
|
@ -274,19 +274,19 @@ def dump_memory(buf_size, stop_addr, gadgets_addr, puts_plt, start_addr, end_add
|
||||
```
|
||||
$ r2 -B 0x400000 code.bin
|
||||
[0x00400630]> pd 14 @ 0x4005e7
|
||||
:::: 0x004005e7 25240a2000 and eax, 0x200a24
|
||||
:::: 0x004005ec 0f1f4000 nop dword [rax]
|
||||
:::: 0x004005f0 ff25220a2000 jmp qword [0x00601018] ; [0x601018:8]=-1
|
||||
:::: 0x004005f6 6800000000 push 0
|
||||
`====< 0x004005fb e9e0ffffff jmp 0x4005e0
|
||||
::: 0x00400600 ff251a0a2000 jmp qword [0x00601020] ; [0x601020:8]=-1
|
||||
::: 0x00400606 6801000000 push 1 ; 1
|
||||
`===< 0x0040060b e9d0ffffff jmp 0x4005e0
|
||||
:: 0x00400610 ff25120a2000 jmp qword [0x00601028] ; [0x601028:8]=-1
|
||||
:: 0x00400616 6802000000 push 2 ; 2
|
||||
`==< 0x0040061b e9c0ffffff jmp 0x4005e0
|
||||
: 0x00400620 ff250a0a2000 jmp qword [0x00601030] ; [0x601030:8]=-1
|
||||
: 0x00400626 6803000000 push 3 ; 3
|
||||
:::: 0x004005e7 25240a2000 and eax, 0x200a24
|
||||
:::: 0x004005ec 0f1f4000 nop dword [rax]
|
||||
:::: 0x004005f0 ff25220a2000 jmp qword [0x00601018] ; [0x601018:8]=-1
|
||||
:::: 0x004005f6 6800000000 push 0
|
||||
`====< 0x004005fb e9e0ffffff jmp 0x4005e0
|
||||
::: 0x00400600 ff251a0a2000 jmp qword [0x00601020] ; [0x601020:8]=-1
|
||||
::: 0x00400606 6801000000 push 1 ; 1
|
||||
`===< 0x0040060b e9d0ffffff jmp 0x4005e0
|
||||
:: 0x00400610 ff25120a2000 jmp qword [0x00601028] ; [0x601028:8]=-1
|
||||
:: 0x00400616 6802000000 push 2 ; 2
|
||||
`==< 0x0040061b e9c0ffffff jmp 0x4005e0
|
||||
: 0x00400620 ff250a0a2000 jmp qword [0x00601030] ; [0x601030:8]=-1
|
||||
: 0x00400626 6803000000 push 3 ; 3
|
||||
`=< 0x0040062b e9b0ffffff jmp 0x4005e0
|
||||
```
|
||||
于是我们就得到了 puts@got 地址 `0x00601018`。可以看到该表中还有其他几个函数,根据程序的功能大概可以猜到,无非就是 setbuf、read 之类的,在后面的过程中如果实在无法确定 libc,这些信息可能会有用。
|
||||
|
@ -15,7 +15,7 @@ SecretHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
|
||||
$ checksec -f SecretHolder
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SecretHolder
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.3.1 20160413.
|
||||
```
|
||||
@ -554,9 +554,9 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
elf = ELF('SecretHolder')
|
||||
libc = ELF('libc.so.6')
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
small_ptr = 0x006020b0
|
||||
big_ptr = 0x006020a0
|
||||
|
@ -15,7 +15,7 @@ SleepyHolder: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically l
|
||||
$ checksec -f SleepyHolder
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 SleepyHolder
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.3.1 20160413.
|
||||
```
|
||||
@ -525,9 +525,9 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
elf = ELF('SleepyHolder')
|
||||
libc = ELF('libc.so.6')
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
small_ptr = 0x006020d0
|
||||
big_ptr = 0x006020c0
|
||||
|
@ -15,7 +15,7 @@ houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamical
|
||||
$ checksec -f houseoforange
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.3.1 20160413.
|
||||
```
|
||||
@ -744,8 +744,8 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
libc = ELF('libc.so.6')
|
||||
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
def build(size, name):
|
||||
io.sendlineafter("Your choice : ", '1')
|
||||
|
@ -15,7 +15,7 @@ $ file 300
|
||||
$ checksec -f 300
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 2 300
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.24.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 6.3.0 20170406.
|
||||
```
|
||||
@ -434,12 +434,6 @@ def pwn():
|
||||
```
|
||||
python exp.py
|
||||
[+] Starting local process './300': pid 5158
|
||||
[*] '/home/firmyy/300/libc.so.6'
|
||||
Arch: amd64-64-little
|
||||
RELRO: Partial RELRO
|
||||
Stack: Canary found
|
||||
NX: NX enabled
|
||||
PIE: PIE enabled
|
||||
[*] libc_base address: 0x7efdcef24000
|
||||
[*] heap address: 0x5624a7a3c000
|
||||
[*] _IO_list_all address: 0x7efdcf2e6500
|
||||
@ -462,8 +456,8 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
libc = ELF('libc.so.6')
|
||||
io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
|
||||
libc = ELF('libc-2.24.so')
|
||||
|
||||
def alloc(idx):
|
||||
io.sendlineafter("free\n", '1')
|
||||
|
@ -15,7 +15,7 @@ b00ks: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linke
|
||||
$ checksec -f b00ks
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 b00ks
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.4.0 20160609.
|
||||
```
|
||||
|
@ -15,7 +15,7 @@ ghost_in_the_heap: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynam
|
||||
$ checksec -f ghost_in_the_heap
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 2 ghost_in_the_heap
|
||||
$ strings libc.so.6 | grep "GNU C"
|
||||
$ strings libc-2.24.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 6.3.0 20170406.
|
||||
```
|
||||
|
30
doc/6.1.31_pwn_hitbctf2018_mutepig.md
Normal file
30
doc/6.1.31_pwn_hitbctf2018_mutepig.md
Normal file
@ -0,0 +1,30 @@
|
||||
# 6.1.31 pwn HITBCTF2018 mutepig
|
||||
|
||||
- [题目复现](#题目复现)
|
||||
- [题目解析](#题目解析)
|
||||
- [漏洞利用](#漏洞利用)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/writeup/6.1.31_pwn_hitbctf2018_mutepig)
|
||||
|
||||
## 题目复现
|
||||
```
|
||||
$ file mutepig
|
||||
mutepig: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=180b126011ab0d74ab49d0c3c52a41e85155a6a9, stripped
|
||||
[firmy@firmy-pc mutepip]$ checksec -f mutepig
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 1 mutepig
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 8.1.0.
|
||||
```
|
||||
64 位程序,开启了 Canary 和 NX。
|
||||
|
||||
|
||||
## 题目解析
|
||||
|
||||
## 漏洞利用
|
||||
|
||||
## 参考资料
|
||||
- https://www.xctf.org.cn/library/details/hitb-quals-2018/#mutepig-pwn
|
@ -15,6 +15,9 @@ freenote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
|
||||
$ checksec -f freenote
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 2 freenote
|
||||
$ strings libc-2.19.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.6) stable release version 2.19, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 4.8.2.
|
||||
```
|
||||
因为没有 PIE,即使本机开启 ASLR 也没有关系。
|
||||
|
||||
@ -101,7 +104,7 @@ Aborted
|
||||
|
||||
在 Ubuntu 14.04 上把程序跑起来:
|
||||
```
|
||||
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" &
|
||||
$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &
|
||||
```
|
||||
|
||||
|
||||
@ -713,10 +716,10 @@ Start End Offset Perm Path
|
||||
0x0000000000603000 0x0000000000625000 0x0000000000000000 rw- [heap]
|
||||
gef➤ vmmap libc
|
||||
Start End Offset Perm Path
|
||||
0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc.so.6_1
|
||||
0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc.so.6_1
|
||||
0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc.so.6_1
|
||||
0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc.so.6_1
|
||||
0x00007ffff7a15000 0x00007ffff7bd0000 0x0000000000000000 r-x /home/firmy/libc-2.19.so
|
||||
0x00007ffff7bd0000 0x00007ffff7dcf000 0x00000000001bb000 --- /home/firmy/libc-2.19.so
|
||||
0x00007ffff7dcf000 0x00007ffff7dd3000 0x00000000001ba000 r-- /home/firmy/libc-2.19.so
|
||||
0x00007ffff7dd3000 0x00007ffff7dd5000 0x00000000001be000 rw- /home/firmy/libc-2.19.so
|
||||
```
|
||||
|
||||
为了泄漏堆地址,我们需要释放 2 个不相邻且不会被合并进 top chunk 里的 chunk,所以我们创建 4 个笔记,可以看到由初始化阶段创建的 Notes 和 Note 结构体:
|
||||
@ -840,7 +843,7 @@ gef➤ x/20gx 0x00007ffff7dd37b8-0x78
|
||||
```
|
||||
我们看到 `__malloc_hook` 在这个地址 `0x00007ffff7dd37b8-0x78` 的地方。其实 `0x7ffff7dd3760` 地方开始就是 `main_arena`,但在这个 libc 里符号被 stripped 扔掉了。看一下 `__malloc_hook` 在 libc 中的偏移:
|
||||
```
|
||||
$ readelf -s libc.so.6_1 | grep __malloc_hook
|
||||
$ readelf -s libc-2.19.so | grep __malloc_hook
|
||||
1079: 00000000003be740 8 OBJECT WEAK DEFAULT 31 __malloc_hook@@GLIBC_2.2.5
|
||||
```
|
||||
因为偏移是不变的,我们总是可以计算出 libc 的地址:
|
||||
@ -1045,9 +1048,9 @@ firmy
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'})
|
||||
io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
|
||||
elf = ELF('freenote')
|
||||
libc = ELF('libc.so.6_1')
|
||||
libc = ELF('libc-2.19.so')
|
||||
|
||||
def newnote(x):
|
||||
io.recvuntil("Your choice: ")
|
||||
|
@ -131,7 +131,7 @@ $ ldd flex
|
||||
| 0x00401161 31c0 xor eax, eax
|
||||
| 0x00401163 bf47454000 mov edi, str.FlexMD5_bruteforce_tool_V0.1 ; 0x404547 ; "FlexMD5 bruteforce tool V0.1"
|
||||
| 0x00401168 e863faffff call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x0040116d bf64454000 mov edi, str.custom_md5_state__yes_No_ ; 0x404564 ; "custom md5 state (yes/No)"
|
||||
| 0x0040116d bf64454000 mov edi, str.custom_md5_state__yes_No_ ; 0x404564 ; "custom md5 state (yes/No)"
|
||||
| 0x00401172 e859faffff call sym.imp.puts ; int puts(const char *s)
|
||||
| 0x00401177 488d85e0feff. lea rax, [local_120h]
|
||||
| 0x0040117e be04000000 mov esi, 4
|
||||
@ -457,12 +457,6 @@ Bingo!!!
|
||||
```
|
||||
$ python2 exp.py
|
||||
[+] Opening connection to 127.0.0.1 on port 10001: Done
|
||||
[*] '/usr/lib/libc-2.26.so'
|
||||
Arch: amd64-64-little
|
||||
RELRO: Full RELRO
|
||||
Stack: Canary found
|
||||
NX: NX enabled
|
||||
PIE: PIE enabled
|
||||
[*] Switching to interactive mode
|
||||
$ whoami
|
||||
firmy
|
||||
|
@ -16,6 +16,9 @@ main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linke
|
||||
$ checksec -f main.bin
|
||||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin
|
||||
$ strings libc-2.23.so | grep "GNU C"
|
||||
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu9) stable release version 2.23, by Roland McGrath et al.
|
||||
Compiled by GNU CC version 5.4.0 20160609.
|
||||
```
|
||||
64 位程序,保护措施除了 PIE 都开启了。
|
||||
|
||||
@ -42,7 +45,7 @@ $ python2 -c 'print "90"*33' > nop.txt
|
||||
|
||||
最后把它运行起来:
|
||||
```
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" &
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &
|
||||
```
|
||||
|
||||
|
||||
@ -952,7 +955,7 @@ p.recvuntil('Name: ')
|
||||
|
||||
leak = u64(p.recv(6).ljust(8, '\x00'))
|
||||
libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc
|
||||
system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@
|
||||
system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@
|
||||
|
||||
log.info("leak => 0x%x" % leak)
|
||||
log.info("libc => 0x%x" % libc)
|
||||
|
@ -31,6 +31,7 @@
|
||||
* [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md)
|
||||
* [6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3](6.1.29_pwn_insomnictf2017_the_great_escape3.md)
|
||||
* [6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap](6.1.30_pwn_hitconctf2017_ghost_in_the_heap.md)
|
||||
* [6.1.31 pwn HITBCTF2018 mutepig](6.1.31_pwn_hitbctf2018_mutepig.md)
|
||||
* Reverse
|
||||
* [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||
* [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||
|
@ -3,7 +3,7 @@
|
||||
from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./1000levels'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
|
||||
one_gadget = 0x4526a
|
||||
system_offset = 0x45390
|
||||
|
@ -4,8 +4,8 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
libc = ELF('libc.so.6')
|
||||
io = process(['./sentosa'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
def start_proj(length, name, price, area, capacity):
|
||||
io.sendlineafter("Exit\n", '1')
|
||||
|
@ -4,9 +4,9 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./gundam'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./gundam'], env={'LD_PRELOAD':'./libc-2.26.so'})
|
||||
#elf = ELF('gundam')
|
||||
libc = ELF('libc.so.6')
|
||||
libc = ELF('libc-2.26.so')
|
||||
|
||||
def build(name):
|
||||
io.sendlineafter("choice : ", '1')
|
||||
|
@ -4,9 +4,9 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./SecretHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
elf = ELF('SecretHolder')
|
||||
libc = ELF('libc.so.6')
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
small_ptr = 0x006020b0
|
||||
big_ptr = 0x006020a0
|
||||
|
@ -4,9 +4,9 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
io = process(['./SleepyHolder'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
elf = ELF('SleepyHolder')
|
||||
libc = ELF('libc.so.6')
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
small_ptr = 0x006020d0
|
||||
big_ptr = 0x006020c0
|
||||
|
@ -4,8 +4,8 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
libc = ELF('libc.so.6')
|
||||
io = process(['./houseoforange'], env={'LD_PRELOAD':'./libc-2.23.so'})
|
||||
libc = ELF('libc-2.23.so')
|
||||
|
||||
def build(size, name):
|
||||
io.sendlineafter("Your choice : ", '1')
|
||||
|
@ -4,8 +4,8 @@ from pwn import *
|
||||
|
||||
#context.log_level = 'debug'
|
||||
|
||||
io = process(['./300'], env={'LD_PRELOAD':'./libc.so.6'})
|
||||
libc = ELF('libc.so.6')
|
||||
io = process(['./300'], env={'LD_PRELOAD':'./libc-2.24.so'})
|
||||
libc = ELF('libc-2.24.so')
|
||||
|
||||
def alloc(idx):
|
||||
io.sendlineafter("free\n", '1')
|
||||
|
BIN
src/writeup/6.1.31_pwn_hitbctf2018_mutepig/libc-2.23.so
Executable file
BIN
src/writeup/6.1.31_pwn_hitbctf2018_mutepig/libc-2.23.so
Executable file
Binary file not shown.
BIN
src/writeup/6.1.31_pwn_hitbctf2018_mutepig/mutepig
Executable file
BIN
src/writeup/6.1.31_pwn_hitbctf2018_mutepig/mutepig
Executable file
Binary file not shown.
@ -2,9 +2,9 @@
|
||||
|
||||
from pwn import *
|
||||
|
||||
io = process(['./freenote'], env={'LD_PRELOAD':'./libc.so.6_1'})
|
||||
io = process(['./freenote'], env={'LD_PRELOAD':'./libc-2.19.so'})
|
||||
elf = ELF('freenote')
|
||||
libc = ELF('libc.so.6_1')
|
||||
libc = ELF('libc-2.19.so')
|
||||
|
||||
def newnote(x):
|
||||
io.recvuntil("Your choice: ")
|
||||
|
@ -1 +1 @@
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so_1 ./freenote" &
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.19.so ./freenote" &
|
||||
|
@ -63,7 +63,7 @@ p.recvuntil('Name: ')
|
||||
|
||||
leak = u64(p.recv(6).ljust(8, '\x00'))
|
||||
libc = leak - 0x3c4b78 # 0x3c4b78 = leak - libc
|
||||
system = libc + 0x045390 # $ readelf -s libc.so.6 | grep system@
|
||||
system = libc + 0x045390 # $ readelf -s libc-2.23.so | grep system@
|
||||
|
||||
log.info("leak => 0x%x" % leak)
|
||||
log.info("libc => 0x%x" % libc)
|
||||
|
@ -1 +1 @@
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc.so.6 ./main.elf" &
|
||||
socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./main.elf" &
|
||||
|
Loading…
Reference in New Issue
Block a user