diff --git a/README.md b/README.md index f2427e9..a51b394 100644 --- a/README.md +++ b/README.md @@ -111,6 +111,7 @@ - [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) - [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md) - [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md) + - [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md) - re - [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/SUMMARY.md b/SUMMARY.md index e6117cf..5d8672c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -99,6 +99,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) * [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md) * [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md) + * [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md) * re * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/doc/6.1.10_0ctf2017_babyheap2017.md b/doc/6.1.10_0ctf2017_babyheap2017.md index 1200361..c01e190 100644 --- a/doc/6.1.10_0ctf2017_babyheap2017.md +++ b/doc/6.1.10_0ctf2017_babyheap2017.md @@ -177,7 +177,7 @@ gef➤ x/20gx 0xafc966564d0-0x10 ``` free 掉的 chunk,其结构体被清空,等待下一次 malloc,并添加到空出来的地方。 -通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 的检查: +通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 大小的检查: ```python payload = "A"*16 payload += p64(0) 
@@ -526,16 +526,16 @@ gef➤ x/30gx 0xafc966564d0-0x10 0xafc966565a0: 0x0000000000000000 0x0000000000000000 ``` -最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。 +最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。现在可以开启 ASLR 了,因为通过泄漏 libc 地址,我们已经完全绕过了它。 Bingo!!! ``` $ python exp.py [+] Opening connection to 127.0.0.1 on port 10001: Done -[*] leak => 0x7ffff7dd1b78 -[*] libc => 0x7ffff7a0d000 -[*] __malloc_hook => 0x7ffff7dd1b10 -[*] one_gadget => 0x7ffff7a5226a +[*] leak => 0x7f8c1be9eb78 +[*] libc => 0x7f8c1bada000 +[*] __malloc_hook => 0x7f8c1be9eb10 +[*] one_gadget => 0x7f8c1bb1f26a [*] Switching to interactive mode $ whoami firmy diff --git a/doc/6.1.11_9447ctf2015_search_engine.md b/doc/6.1.11_9447ctf2015_search_engine.md new file mode 100644 index 0000000..3be41f5 --- /dev/null +++ b/doc/6.1.11_9447ctf2015_search_engine.md @@ -0,0 +1,23 @@ +# 6.1.11 pwn 9447CTF2015 Search-Engine + +- [题目复现](#题目复现) +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.11_9447ctf2015_search_engine) + +## 题目复现 +``` +$ file search +search: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f5b70085d957097e91f940f98c0d4cc6fb3343f, stripped +$ checksec -f search +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 3 search +``` + + +## 题目解析 + +## 参考资料 +- [how2heap](https://github.com/shellphish/how2heap) diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 7f7054b..7da5b71 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md 
@@ -11,6 +11,7 @@ - [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md) - [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md) - [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md) + - [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md) - re - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) diff --git a/src/writeup/6.1.11_9447ctf2015_search_engine/search b/src/writeup/6.1.11_9447ctf2015_search_engine/search new file mode 100755 index 0000000..a82e853 Binary files /dev/null and b/src/writeup/6.1.11_9447ctf2015_search_engine/search differ
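Review bot: the sentence added at the end of the `@@ -526,16 +526,16 @@` hunk in doc/6.1.10_0ctf2017_babyheap2017.md ("现在可以开启 ASLR 了,因为通过泄漏 libc 地址,我们已经完全绕过了它") is supported by the replaced run output, but the page should state why, since the reader otherwise has to trust the claim. The four addresses change from the earlier `0x7ffff7...` values to `0x7f8c1b...`, yet every offset is preserved: `leak - libc` is 0x3c4b78 in both runs, `__malloc_hook - libc` is 0x3c4b10 in both, and `one_gadget - libc` is 0x4526a in both. One line such as "开启 ASLR 后各地址变化但偏移不变,说明地址计算正确" would turn the new sentence into something the reader can verify from the output directly above it.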
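Review bot: the new file doc/6.1.11_9447ctf2015_search_engine.md is committed with an empty `## 题目解析` section, while the same patch already links it from README.md, SUMMARY.md and doc/6_writeup.md (the three `6.1.11` list entries) and from its own table of contents, so readers are sent to a stub. Either add at least a short statement of what the challenge is about before wiring up the index entries, or hold those three listing hunks back until the analysis is written. Two smaller points in the same file: the `checksec -f search` output has lost its column alignment (`Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 3 search` runs the fields together under a header that is equally flattened), so reformat it as the tool prints it or as a markdown table so that each property lines up with its header; and the `## 题目复现` heading is immediately followed by the opening fence with no blank line, which some markdown renderers treat as part of the heading block.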
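Review bot: the final hunk adds only the stripped `search` binary (`Binary files /dev/null and b/src/writeup/6.1.11_9447ctf2015_search_engine/search differ`) with no note of the libc it was solved against. The sibling writeup in the same patch computes `__malloc_hook` and `one_gadget` from libc offsets, and the new page's single reference is how2heap, so the eventual analysis will be libc-version dependent; record the target libc version (or its BuildID) in the page, or commit the libc next to the binary, so the writeup can be reproduced. The `[下载文件]` link also points at the directory `../src/writeup/6.1.11_9447ctf2015_search_engine` rather than at the file, which is fine if a libc is added there later but is worth stating.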