From 7dc80c9097689734ebde841bc9b88ac53e517e51 Mon Sep 17 00:00:00 2001 From: firmianay Date: Wed, 10 Jan 2018 20:55:34 +0800 Subject: [PATCH] add 6.1.11 --- README.md | 1 + SUMMARY.md | 1 + doc/6.1.10_0ctf2017_babyheap2017.md | 12 ++++----- doc/6.1.11_9447ctf2015_search_engine.md | 23 ++++++++++++++++++ doc/6_writeup.md | 1 + .../6.1.11_9447ctf2015_search_engine/search | Bin 0 -> 10472 bytes 6 files changed, 32 insertions(+), 6 deletions(-) create mode 100644 doc/6.1.11_9447ctf2015_search_engine.md create mode 100755 src/writeup/6.1.11_9447ctf2015_search_engine/search diff --git a/README.md b/README.md index f2427e9..a51b394 100644 --- a/README.md +++ b/README.md @@ -111,6 +111,7 @@ - [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) - [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md) - [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md) + - [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md) - re - [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/SUMMARY.md b/SUMMARY.md index e6117cf..5d8672c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -99,6 +99,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md) * [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md) * [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md) + * [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md) * re * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/doc/6.1.10_0ctf2017_babyheap2017.md b/doc/6.1.10_0ctf2017_babyheap2017.md index 1200361..c01e190 100644 --- a/doc/6.1.10_0ctf2017_babyheap2017.md +++ b/doc/6.1.10_0ctf2017_babyheap2017.md 
@@ -177,7 +177,7 @@ gef➤ x/20gx 0xafc966564d0-0x10 ``` free 掉的 chunk,其结构体被清空,等待下一次 malloc,并添加到空出来的地方。 -通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 的检查: +通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 大小的检查: ```python payload = "A"*16 payload += p64(0) @@ -526,16 +526,16 @@ gef➤ x/30gx 0xafc966564d0-0x10 0xafc966565a0: 0x0000000000000000 0x0000000000000000 ``` -最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。 +最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。现在可以开启 ASLR 了,因为通过泄漏 libc 地址,我们已经完全绕过了它。 Bingo!!! ``` $ python exp.py [+] Opening connection to 127.0.0.1 on port 10001: Done -[*] leak => 0x7ffff7dd1b78 -[*] libc => 0x7ffff7a0d000 -[*] __malloc_hook => 0x7ffff7dd1b10 -[*] one_gadget => 0x7ffff7a5226a +[*] leak => 0x7f8c1be9eb78 +[*] libc => 0x7f8c1bada000 +[*] __malloc_hook => 0x7f8c1be9eb10 +[*] one_gadget => 0x7f8c1bb1f26a [*] Switching to interactive mode $ whoami firmy diff --git a/doc/6.1.11_9447ctf2015_search_engine.md b/doc/6.1.11_9447ctf2015_search_engine.md new file mode 100644 index 0000000..3be41f5 --- /dev/null +++ b/doc/6.1.11_9447ctf2015_search_engine.md @@ -0,0 +1,23 @@ +# 6.1.11 pwn 9447CTF2015 Search-Engine + +- [题目复现](#题目复现) +- [题目解析](#题目解析) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.11_9447ctf2015_search_engine) + +## 题目复现 +``` +$ file search +search: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f5b70085d957097e91f940f98c0d4cc6fb3343f, stripped +$ checksec -f search +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 3 search +``` + + +## 题目解析 + +## 参考资料 +- [how2heap](https://github.com/shellphish/how2heap) diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 7f7054b..7da5b71 100644 --- a/doc/6_writeup.md 
+++ b/doc/6_writeup.md @@ -11,6 +11,7 @@ - [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md) - [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md) - [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md) + - [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md) - re - [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) - [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) 
diff --git a/src/writeup/6.1.11_9447ctf2015_search_engine/search b/src/writeup/6.1.11_9447ctf2015_search_engine/search new file mode 100755 index 0000000000000000000000000000000000000000..a82e85313c26a79c738d803f6ce5f92a06f83c98 GIT binary patch literal 10472 zcmeHNe{fXQ6~4PkWI@=h3cARzCzIG<&6G1+7{WM#8iH*X~o zOVh?s*ASaJSoxzfWyaQa#_3FEoK{LL2}DUdtqxM_w8d#tE4oWW>1Z*nh3$9lyJz#* zni;1v{VzB3-nrj*&pG$pbMLz^@4fwcb?qj*%_g|m#hrrCvktGM%(D>5n6I0hVUrdt+3tSWQJi12xRl}ps=t}?azTxcrGnzNaHwTX z`EB7qaX1u-cNce8tSMeo?&<3El*w_Ef70E&r9t+@d2|C&%nNbQ8ld+3c0?VG&qSY1 ztvHx}X!OnBcD`7?f%MsjIWA4~+FX*ODPFbgz|vg}ejWyxE6V`jwO3LSt)78jHUqzV z27cuXygmcpGXsC$4Ezvy4M%qIf%v>}HO|0aJp=#n3_Q)x=lKuJz;6S8jaV!WYt5($ z!Rvn=>csyzix*fot+Y(mh^D4!EEF-?np)d;i(q%i5Yf2N1-i@dx9%pksm&h>6WiME zkBKfL5Q^X&GdjbfBiPXuG)S~|M5(DW4&)DqJ6lEDo><5TindtL9}v)bq$S=4x70KF zju}lIet1HA5cIB&&WNI$#OB(XjdwMbc~*PMGxh0Ondf#Iqh0;wC}}de8J^az4Xc~h zKQB;YacC~B{O>DnVJNhKu7DR5j^9Y_cJWhSDpM<(rKGiwhD_l+(;mpasgd(cyxIbZ z7H*aQIjB=STr>+$@p37$@HtFEmRNY+bEvt(!dv%cuZ6enOS*-pn7GtgcwR%)w%x*8 z^U!SJ=dlyWb_-8ypG(xj&u0>{+rnc)GNsqTJ2R{hPgr=hMax#b?*oTEkoQBkCiMPM zBQNn0yHhrK8DH z7)9x*Oj_yrn#3Cq>WO#szIQLw)z^%VmN>maA3r|2fW&wd|DGhNzfamc`70iW8-a9I z3322{n4ku|_%MXtH|5k5XZP3}$BvK!P0S~aBh-|h$Y0S*+z~>oe|#zj`g-Doe*D}9 z-F8ZUV=4~gqokh+oqH%j7;p)Oa#)8z|eyV>G{d-})m9 zpPPLI$MNd5%1Hk8aDecSpk`Wk%o zzQiXDTlaO;Brf?9ZF4%&L1PGCq7CZy_8P( zkM3LE`!z8yeyY0vqVb#lGx24=K>ulJ{q+-wr)urr;@9nH^zHOD`W_rRSuMom-_cES zqzdzp+y>n?neVOA|FIHs-uFSBKDe{M70?HA3yWlTRRua`H1U^Y6)f~Yqrg#mn&2}C zLSMVHz+o)c2WkuSfWCUZG>Ly1^Ix|ExicqKPyFdvJ-U?Xz#4fBh7kR5H~A{!On&xn z%FuLv8b%^e_tiISMLh20%V>sv1N0NG4tmq;FQu_kzV#`h8ySLPZR`2uA?Va1GcNLd zI`N^N7_UjZlKc*GuMaGHdXa|7KNG(;HB3Vq*r5UCKmMEq_qcl33gg_`-H!NKePCT} z;#_Uwz2viS*gqQo-N07&vBMmE@;F$%b*mc_b2EIJ6Ed*ZmHY!5M(7GlUj7WV7hsXh z1!ty~t`R-)e$tL`dhaOc$?xx`TuMiKUATJYl3(&OOxELMeG;|Q{ZJc1Hr=&}_syA1 zJw+OQq;U{qrS<7+7&!&3^5sY#fClnah|UJv)4s&3-?(IE>^#C4Ns(y?DmAT_l7A&t z%;tDi;zP=pA1+5|+H0@~Y&C=7TkXkTN}bw-HtwY@M${&nT~_vH0zz4o23CF&e{ z-p(`c_4xrCt9_+I}P 
zuS@9u5lS*17`&zolDDd$-B|&pdXO#jgW)9G;brm%W}d=GuJ!t(>vLp&KGM(vt&x>f z+fKDLs8KknyD5gudL(^)Jg)}*QyD^Te~z9YPQY{Dl+9SwH)W4&ARb1}hbI4QURS`S z$mh`H>n84-%8BQZ|FMxfsn0ht4mp2c@g>r}Z8Zt(3N?w}`|4{43oBe2wzR=wl3Qz6 zoh?11AHS4Ckt7@biM7&y-dN7pmt3(ItKcKO@a;^(sUyDleNAJQ>+9n&tVS9Wg@OUu z@IT9zPD2YuI^(T zF?*Trnj0#GFAxYK3gt_bR%%;={#a|fwkKq?BX|l@lvQdqkwCB;IHS3`QoBEne^@#6 z&ZrUUjL-zzmgKApL(a#cO{LSc>uX558<+8B$R~ikSRoUT&5%=&7a%LJJ@;Zxn<0m> zG7dvdU;#`(y09?l`8f(%0zVUw-Lx&B&~p?O+oKN%Ter)$Wd0n-kZq2OczSkz2{GJ4 z3aWg*z7PdyC;jG6(`kXegwwUj>ApMv>OGELvEjybx2!H$NiN79w^^|rW4VrqDyRH6 z^bS;a;%El{B=H-auBYr(PWNEWMyGZlx5`ATAApXV&{Ikk;WH*_{S9X|SJ zg8Kg+j$zpMLkgeM)o0)0Y_@Nn=XCj;jvDj7IqK&X9B$<7R*Dlo2JM@j?gKgSxj)zE zEb7a{Jt`;9hHk2ynvc7wmJY~17j_Qhx?pDe68noV-()er$LwE@A9ho)zZt%0{EbeB z%-v4#F3cU}fq479^VI0fygf$!A-`Wz?JcmQTpk2p0lOga7|*xu)lTWFt^%S zbRbW6mh8VucUJVxx!36pJ1dY!j1zgy<+v$?`Lu@TM1>bA z$s&gJ!TsZrU5;nF(#Ja>i8-Ga z6fRTk%FX{>@OSL&j`pj0{jQSFEBP}ePb&GAlJ6;bQOTutxu?QYUR)NJsB~Xxxu>LjmC1_#QYTZnP(XMHwfno;g(uJx>FVh)r4ch* z9tp;}=+%!@Q=kcLv0&Iw2C5bf8`LFU8F`FgH_mMUXzP?O%sj#NrnZ>BBiPg)fGs1_ zqRAhN`Fl(Yu0PZYHF)=Tgj&&cCmiDBk-eB6Te`Z0r?s=A124C-bNatvx}IpQ@^w;S z_X17-euJ-HN#exonlZgAqHBij>+N2k>EB0a5>20Sr>nAd6V6t9!|s*5p&ZitBWuaF zFGu4=Tw~ln?<9>kdUq3z1Rt9r_gU(wGjHQ^F%$FWzYA?a`kbU?-$Bk=8Eei zhj38;oPV#n&w7>p0&27r%C)r|0e=?sXW5V9BLtPvd?`c$2WG;| z{3$4gQK3-zzRUj?@b8XzzF9vTzl;XzitYLT2DkcMRqUO#Wa*4jV+zGG?y8cx$&6HDC5_Ps?`ad3
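Review bot: the second hunk in doc/6.1.10_0ctf2017_babyheap2017.md overstates what the leak achieves: the added sentence says ASLR can now be enabled because "we have completely bypassed it" via the libc leak, but every address that changes in the updated sample output (leak, libc, __malloc_hook, one_gadget) is libc-relative, so the precise claim is that the libc leak defeats ASLR for libc addresses, which is all this exploit needs. Suggest rewording to that, and stating in the same paragraph how ASLR was switched on for the new run (the old output with 0x7ffff7... addresses was clearly taken with it off), so a reader can reproduce both runs.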
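Review bot: the new doc/6.1.11_9447ctf2015_search_engine.md has an empty "题目解析" (challenge analysis) section, yet this commit already links the page from README.md, SUMMARY.md and doc/6_writeup.md and the in-file table of contents points at that empty heading. Either mark the page as work in progress at the top or hold the three index entries until the analysis is written, so readers are not sent to a stub. When it is written, the checksec output already in the file gives the points the analysis needs to cover (Partial RELRO, canary found, NX enabled, No PIE), and the reference list currently cites only how2heap, so a citation for the challenge itself would help.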