mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 03:01:15 +07:00
add 6.1.11
This commit is contained in:
parent dc10687bc8
commit 7dc80c9097
@ -111,6 +111,7 @@
- [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
- [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
- [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
- [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
- re
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
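Review bot: the new entry `- [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)` links to a file that this same commit creates with an empty 题目解析 section, so the index now sends readers to a stub; either include the analysis in this commit or hold the index link (or mark the entry as work in progress) until the writeup is filled in.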
@ -99,6 +99,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
* [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
* [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
* re
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
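Review bot: this list uses `*` bullets while the list edited at the -111 hunk uses `-` for the identical entries; both render the same, but since the two files are edited in lockstep for every new chapter it would be less error-prone to settle on one bullet style and, better, generate both lists from a single chapter index instead of adding each chapter by hand in several places.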
@ -177,7 +177,7 @@ gef➤ x/20gx 0xafc966564d0-0x10
```
free 掉的 chunk,其结构体被清空,等待下一次 malloc,并添加到空出来的地方。
通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 的检查:
通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 大小的检查:
```python
payload = "A"*16
payload += p64(0)
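Review bot: the reworded sentence (`以绕过 fastbins 大小的检查`) is more precise than the old one, but it still does not say which check is meant, so the reader has to infer why 0x91 must become 0x21. State it explicitly: when malloc takes a chunk from a fastbin it verifies that the chunk's size field maps to the same fastbin index as the request, so a chunk whose size field still reads 0x91 (a small-chunk size) fails that check and aborts, while 0x21 satisfies it. One more sentence there saves the reader a trip to the glibc source.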
@ -526,16 +526,16 @@ gef➤ x/30gx 0xafc966564d0-0x10
0xafc966565a0: 0x0000000000000000 0x0000000000000000
```
最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。
最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。现在可以开启 ASLR 了,因为通过泄漏 libc 地址,我们已经完全绕过了它。
Bingo!!!
```
$ python exp.py
[+] Opening connection to 127.0.0.1 on port 10001: Done
[*] leak => 0x7ffff7dd1b78
[*] libc => 0x7ffff7a0d000
[*] __malloc_hook => 0x7ffff7dd1b10
[*] one_gadget => 0x7ffff7a5226a
[*] leak => 0x7f8c1be9eb78
[*] libc => 0x7f8c1bada000
[*] __malloc_hook => 0x7f8c1be9eb10
[*] one_gadget => 0x7f8c1bb1f26a
[*] Switching to interactive mode
$ whoami
firmy
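Review bot: the added sentence says ASLR is `完全绕过` by the libc leak, which overstates it: the leak reveals the libc mapping only, and the two runs in this hunk show exactly that relationship, with `leak - libc = 0x3c4b78`, `__malloc_hook - libc = 0x3c4b10` and `one_gadget - libc = 0x4526a` in both the old output and the new one. Suggest rewording to say that libc's randomized base is recovered from the leak through these fixed offsets, that the offsets are specific to this libc build, and what else, if anything, the exploit still assumes to be at a fixed address. It is also worth keeping the old non-ASLR run beside the new one rather than replacing it, since the contrast between the `0x7ffff7...` and `0x7f8c1b...` addresses is what demonstrates the point.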
23
doc/6.1.11_9447ctf2015_search_engine.md
Normal file
@ -0,0 +1,23 @@
# 6.1.11 pwn 9447CTF2015 Search-Engine
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.11_9447ctf2015_search_engine)
## 题目复现
```
$ file search
search: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f5b70085d957097e91f940f98c0d4cc6fb3343f, stripped
$ checksec -f search
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 3 search
```


## 题目解析
## 参考资料
- [how2heap](https://github.com/shellphish/how2heap)
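Review bot: 题目解析 is empty, so this file lands as a stub; at minimum put a TODO marker under that heading so readers do not take the page as finished. Two smaller points in the same file: the checksec output has lost its column alignment (the header row and the value row no longer line up, so `Fortified 1 Fortifiable 3` is hard to read; pad the columns or note which value belongs to which header), and the properties it reports, `Partial RELRO`, `No PIE`, `NX enabled`, `Canary found`, are precisely what the analysis should pick up on, since Partial RELRO with no PIE means the GOT sits at a fixed, writable address. The lone `how2heap` reference also gives no hint which technique from that repository applies here; naming it would make the reference useful.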
@ -11,6 +11,7 @@
- [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md)
- [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
- re
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
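Review bot: this is the third hand-maintained copy of the chapter list touched by this commit, and it uses paths without the `doc/` prefix (`6.1.11_9447ctf2015_search_engine.md`) while the two README lists use `doc/...`. That is correct for a file that lives inside doc/, but it means a rename or move of a chapter file breaks one set of links without breaking the other; a link-target check (for example a markdown link checker run in CI) would catch drift between the three lists the next time one of them is missed.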
BIN
src/writeup/6.1.11_9447ctf2015_search_engine/search
Executable file
Binary file not shown.