mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add 6.1.11
This commit is contained in:
parent
dc10687bc8
commit
7dc80c9097
@ -111,6 +111,7 @@
|
|||||||
- [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
|
- [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
|
||||||
- [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
|
- [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
|
||||||
- [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
- [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
||||||
|
- [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
|
||||||
- re
|
- re
|
||||||
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
- [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
- [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
- [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||||
|
@ -99,6 +99,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
|
* [6.1.8 pwn DCTF2017 Flex](doc/6.1.8_pwn_dctf2017_flex.md)
|
||||||
* [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
|
* [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
|
||||||
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
||||||
|
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
|
||||||
* re
|
* re
|
||||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||||
|
@ -177,7 +177,7 @@ gef➤ x/20gx 0xafc966564d0-0x10
|
|||||||
```
|
```
|
||||||
free 掉的 chunk,其结构体被清空,等待下一次 malloc,并添加到空出来的地方。
|
free 掉的 chunk,其结构体被清空,等待下一次 malloc,并添加到空出来的地方。
|
||||||
|
|
||||||
通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 的检查:
|
通过溢出漏洞修改已被释放的 chunk 2,让 fd 指针指向 chunk 4,这样就将 small chunk 加入到了 fastbins 链表中,然后还需要把 chunk 4 的 0x91 改成 0x21 以绕过 fastbins 大小的检查:
|
||||||
```python
|
```python
|
||||||
payload = "A"*16
|
payload = "A"*16
|
||||||
payload += p64(0)
|
payload += p64(0)
|
||||||
@ -526,16 +526,16 @@ gef➤ x/30gx 0xafc966564d0-0x10
|
|||||||
0xafc966565a0: 0x0000000000000000 0x0000000000000000
|
0xafc966565a0: 0x0000000000000000 0x0000000000000000
|
||||||
```
|
```
|
||||||
|
|
||||||
最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。
|
最后,只要调用了 malloc,就会触发 hook 函数,即 one-gadget。现在可以开启 ASLR 了,因为通过泄漏 libc 地址,我们已经完全绕过了它。
|
||||||
|
|
||||||
Bingo!!!
|
Bingo!!!
|
||||||
```
|
```
|
||||||
$ python exp.py
|
$ python exp.py
|
||||||
[+] Opening connection to 127.0.0.1 on port 10001: Done
|
[+] Opening connection to 127.0.0.1 on port 10001: Done
|
||||||
[*] leak => 0x7ffff7dd1b78
|
[*] leak => 0x7f8c1be9eb78
|
||||||
[*] libc => 0x7ffff7a0d000
|
[*] libc => 0x7f8c1bada000
|
||||||
[*] __malloc_hook => 0x7ffff7dd1b10
|
[*] __malloc_hook => 0x7f8c1be9eb10
|
||||||
[*] one_gadget => 0x7ffff7a5226a
|
[*] one_gadget => 0x7f8c1bb1f26a
|
||||||
[*] Switching to interactive mode
|
[*] Switching to interactive mode
|
||||||
$ whoami
|
$ whoami
|
||||||
firmy
|
firmy
|
||||||
|
23
doc/6.1.11_9447ctf2015_search_engine.md
Normal file
23
doc/6.1.11_9447ctf2015_search_engine.md
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
# 6.1.11 pwn 9447CTF2015 Search-Engine
|
||||||
|
|
||||||
|
- [题目复现](#题目复现)
|
||||||
|
- [题目解析](#题目解析)
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
|
[下载文件](../src/writeup/6.1.11_9447ctf2015_search_engine)
|
||||||
|
|
||||||
|
## 题目复现
|
||||||
|
```
|
||||||
|
$ file search
|
||||||
|
search: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f5b70085d957097e91f940f98c0d4cc6fb3343f, stripped
|
||||||
|
$ checksec -f search
|
||||||
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||||||
|
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 3 search
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## 题目解析
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
- [how2heap](https://github.com/shellphish/how2heap)
|
@ -11,6 +11,7 @@
|
|||||||
- [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md)
|
- [6.1.8 pwn DCTF2017 Flex](6.1.8_pwn_dctf2017_flex.md)
|
||||||
- [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
|
- [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
|
||||||
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
|
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
|
||||||
|
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
|
||||||
- re
|
- re
|
||||||
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||||
|
BIN
src/writeup/6.1.11_9447ctf2015_search_engine/search
Executable file
BIN
src/writeup/6.1.11_9447ctf2015_search_engine/search
Executable file
Binary file not shown.
Loading…
Reference in New Issue
Block a user