mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2025-01-27 05:57:33 +07:00
add 6.1.28 and fix
This commit is contained in:
parent
b4eb88d250
commit
ed53b050d2
@ -147,10 +147,11 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
* [6.1.21 pwn HITCONCTF2016 Secret_Holder](doc/6.1.21_pwn_hitconctf2016_secret_holder.md)
* [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md)
* [6.1.23 pwn BCTF2016 bcloud](doc/6.1.23_pwn_bctf2016_bcloud.md)
* [6.1.24 pwn HCTF2017 babyprintf](doc/6.1.24_pwn_hctf2017_babyprintf.md)
* [6.1.25 pwn 34C3CTF2017 300](doc/6.1.25_pwn_34c3ctf2017_300.md)
* [6.1.26 pwn SECCONCTF2016 tinypad](doc/6.1.26_pwn_secconctf2016_tinypad.md)
* [6.1.27 pwn ASISCTF2016 b00ks](doc/6.1.27_pwn_asisctf2016_b00ks.md)
* [6.1.24 pwn HITCONCTF2016 House_of_Orange](doc/6.1.24_hitconctf2016_house_of_orange.md)
* [6.1.25 pwn HCTF2017 babyprintf](doc/6.1.25_pwn_hctf2017_babyprintf.md)
* [6.1.26 pwn 34C3CTF2017 300](doc/6.1.26_pwn_34c3ctf2017_300.md)
* [6.1.27 pwn SECCONCTF2016 tinypad](doc/6.1.27_pwn_secconctf2016_tinypad.md)
* [6.1.28 pwn ASISCTF2016 b00ks](doc/6.1.28_pwn_asisctf2016_b00ks.md)
* Reverse
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
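Review bot: the added House_of_Orange entry links to `doc/6.1.24_hitconctf2016_house_of_orange.md`, which drops the `pwn_` segment that every neighbouring pwn entry carries (`6.1.24_pwn_hctf2017_babyprintf.md`, `6.1.25_pwn_34c3ctf2017_300.md`, and so on). It matches the file added in this commit, so the link itself resolves, but the naming scheme of the chapter is now inconsistent; consider naming the file `doc/6.1.24_pwn_hitconctf2016_house_of_orange.md` (and the matching `src/writeup` directory) before other links depend on it.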
30
doc/6.1.24_hitconctf2016_house_of_orange.md
Normal file
@ -0,0 +1,30 @@
# 6.1.24 pwn HITCONCTF2016 House_of_Orange

- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.24_hitconctf2016_house_of_orange)

## 题目复现
```
$ file houseoforange
houseoforange: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a58bda41b65d38949498561b0f2b976ce5c0c301, stripped
$ checksec -f houseoforange
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 1 3 houseoforange
$ strings libc.so.6 | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.3.1 20160413.
```
64 位程序,保护全开,默认开启 ASLR。


## 题目解析

## 漏洞利用

## 参考资料
- https://ctftime.org/task/4811
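Review bot: 题目解析 and 漏洞利用 are bare headings with nothing under them, yet the table of contents at the top of the file and both READMEs now link to this page. Either add the analysis before merging or mark the page as a work in progress, so the chapter index does not advertise an empty writeup; the 题目复现 block itself is fine (the "保护全开" summary matches the Full RELRO / Canary / NX / PIE row from checksec).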
@ -1,30 +0,0 @@
# 6.1.24 pwn HCTF2017 babyprintf

- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.24_pwn_hctf2017_babyprintf)

## 题目复现
```
$ file babyprintf
babyprintf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5652f65b98094d8ab456eb0a54d37d9b09b4f3f6, stripped
$ checksec -f babyprintf
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 2 babyprintf
$ strings libc-2.24.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
Compiled by GNU CC version 6.3.0 20170406.
```
64 位程序,开启了 canary 和 NX,默认开启 ASLR。


## 题目解析

## 漏洞利用

## 参考资料
- https://github.com/spineee/hctf/tree/master/2017/babyprintf
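Review bot: this whole file is deleted and its content re-added as `doc/6.1.25_pwn_hctf2017_babyprintf.md` with only the chapter number changed in the heading and download link; doing the renumbering as a `git mv` followed by the content edit would let git record it as a rename and keep the writeup's history in one place instead of splitting it across a deletion and a new file.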
136
doc/6.1.25_pwn_hctf2017_babyprintf.md
Normal file
@ -0,0 +1,136 @@
# 6.1.25 pwn HCTF2017 babyprintf

- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.25_pwn_hctf2017_babyprintf)

## 题目复现
```
$ file babyprintf
babyprintf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5652f65b98094d8ab456eb0a54d37d9b09b4f3f6, stripped
$ checksec -f babyprintf
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 2 babyprintf
$ strings libc-2.24.so | grep "GNU C"
GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al.
Compiled by GNU CC version 6.3.0 20170406.
```
64 位程序,开启了 canary 和 NX,默认开启 ASLR。


## 题目解析
#### main
```
[0x00400850]> pdf @ main
;-- section..text:
/ (fcn) main 130
| main ();
| ; DATA XREF from 0x0040086d (entry0)
| 0x004007c0 push rbx ; [14] -r-x section size 706 named .text
| 0x004007c1 xor eax, eax
| 0x004007c3 call sub.setbuf_950 ; void setbuf(FILE *stream,
| ,=< 0x004007c8 jmp 0x400815
| 0x004007ca nop word [rax + rax]
| | ; JMP XREF from 0x00400832 (main)
| .--> 0x004007d0 mov edi, eax
| :| 0x004007d2 call sym.imp.malloc ; void *malloc(size_t size)
| :| 0x004007d7 mov esi, str.string: ; 0x400aa4 ; "string: "
| :| 0x004007dc mov rbx, rax
| :| 0x004007df mov edi, 1
| :| 0x004007e4 xor eax, eax
| :| 0x004007e6 call sym.imp.__printf_chk
| :| 0x004007eb mov rdi, rbx
| :| 0x004007ee xor eax, eax
| :| 0x004007f0 call sym.imp.gets ; char*gets(char *s)
| :| 0x004007f5 mov esi, str.result: ; 0x400aad ; "result: "
| :| 0x004007fa mov edi, 1
| :| 0x004007ff xor eax, eax
| :| 0x00400801 call sym.imp.__printf_chk
| :| 0x00400806 mov rsi, rbx
| :| 0x00400809 mov edi, 1
| :| 0x0040080e xor eax, eax
| :| 0x00400810 call sym.imp.__printf_chk
| :| ; JMP XREF from 0x004007c8 (main)
| :`-> 0x00400815 mov esi, str.size: ; 0x400a94 ; "size: "
| : 0x0040081a mov edi, 1
| : 0x0040081f xor eax, eax
| : 0x00400821 call sym.imp.__printf_chk
| : 0x00400826 xor eax, eax
| : 0x00400828 call sub._IO_getc_990
| : 0x0040082d cmp eax, 0x1000
| `==< 0x00400832 jbe 0x4007d0
| 0x00400834 mov edi, str.too_long ; 0x400a9b ; "too long"
| 0x00400839 call sym.imp.puts ; int puts(const char *s)
| 0x0040083e mov edi, 1
\ 0x00400843 call sym.imp.exit ; void exit(int status)
```

#### read
```
[0x00400850]> pdf @ sub._IO_getc_990
/ (fcn) sub._IO_getc_990 122
| sub._IO_getc_990 ();
| ; CALL XREF from 0x00400828 (main)
| 0x00400990 push rbp
| 0x00400991 push rbx
| 0x00400992 xor ebx, ebx
| 0x00400994 sub rsp, 0x28 ; '('
| 0x00400998 mov rax, qword fs:[0x28] ; [0x28:8]=-1 ; '(' ; 40
| 0x004009a1 mov qword [rsp + 0x18], rax
| 0x004009a6 xor eax, eax
| 0x004009a8 nop dword [rax + rax]
| ; JMP XREF from 0x004009ce (sub._IO_getc_990)
| .-> 0x004009b0 mov rdi, qword [obj.stdin] ; [0x601090:8]=0
| : 0x004009b7 movsxd rbp, ebx
| : 0x004009ba call sym.imp._IO_getc
| : 0x004009bf cmp al, 0xa ; 10
| : 0x004009c1 mov byte [rsp + rbx], al
| ,==< 0x004009c4 je 0x400a05
| |: 0x004009c6 add rbx, 1
| |: 0x004009ca cmp rbx, 9 ; 9
| |`=< 0x004009ce jne 0x4009b0
| | 0x004009d0 cmp byte [rsp + 9], 0xa ; [0xa:1]=255 ; 10
| |,=< 0x004009d5 je 0x400a00
| || ; JMP XREF from 0x00400a09 (sub._IO_getc_990)
| .---> 0x004009d7 xor edx, edx
| :|| 0x004009d9 xor esi, esi
| :|| 0x004009db mov rdi, rsp
| :|| 0x004009de call sym.imp.strtoul ; long strtoul(const char *str, char**endptr, int base)
| :|| 0x004009e3 mov rcx, qword [rsp + 0x18] ; [0x18:8]=-1 ; 24
| :|| 0x004009e8 xor rcx, qword fs:[0x28]
| ,====< 0x004009f1 jne 0x400a0b
| |:|| 0x004009f3 add rsp, 0x28 ; '('
| |:|| 0x004009f7 pop rbx
| |:|| 0x004009f8 pop rbp
| |:|| 0x004009f9 ret
|:|| 0x004009fa nop word [rax + rax]
| |:|| ; JMP XREF from 0x004009d5 (sub._IO_getc_990)
| |:|`-> 0x00400a00 mov ebp, 9
| |:| ; JMP XREF from 0x004009c4 (sub._IO_getc_990)
| |:`--> 0x00400a05 mov byte [rsp + rbp], 0
| |`===< 0x00400a09 jmp 0x4009d7
| | ; JMP XREF from 0x004009f1 (sub._IO_getc_990)
\ `----> 0x00400a0b call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
```


## 漏洞利用

开启 ASLR,Bingo!!!
```

```

#### exploit
完整 exp 如下:
```python

```


## 参考资料
- https://github.com/spineee/hctf/tree/master/2017/babyprintf
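Review bot: 漏洞利用 consists of the line "开启 ASLR,Bingo!!!" followed by an empty code fence, and the `#### exploit` section is an empty ```python fence, so this page is still a stub even though both READMEs now link to it. The 题目解析 listing already contains what the prose should say: `sub._IO_getc_990` reads at most 9 bytes from stdin into a stack buffer, NUL-terminates it and runs `strtoul`; `main` rejects a result above 0x1000 (`cmp eax, 0x1000` / `jbe 0x4007d0`, otherwise "too long" and `exit`), calls `malloc` with that size, fills the chunk with `gets` (which has no length bound, so the 0x1000 check limits the allocation, not the input), and then passes the same chunk as the format argument to `__printf_chk` (`mov rsi, rbx` before the third call). Either write that analysis up or mark the page as a work in progress. Minor: the `#### read` heading names a function that the listing calls `sub._IO_getc_990`; using one name in both places would help readers cross-reference the two blocks.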
@ -1,4 +1,4 @@
# 6.1.25 pwn 34C3CTF2017 300
# 6.1.26 pwn 34C3CTF2017 300

- [题目复现](#题目复现)
- [题目解析](#题目解析)
@ -6,7 +6,7 @@
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.25_pwn_34c3ctf2017_300)
[下载文件](../src/writeup/6.1.26_pwn_34c3ctf2017_300)

## 题目复现
```
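Review bot: the `[下载文件]` link is changed to `../src/writeup/6.1.26_pwn_34c3ctf2017_300`, but nothing in this commit renames the `src/writeup/6.1.25_pwn_34c3ctf2017_300` directory (the only `src/writeup` changes listed are the two new house_of_orange binaries); unless the directories were moved in another commit, this link, and the equivalent ones for tinypad (`6.1.27_pwn_secconctf2016_tinypad`) and b00ks (`6.1.28_pwn_asisctf2016_b00ks`) below, now point at paths that do not exist. Rename the three directories in the same commit so the docs and their binaries move together.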
@ -1,4 +1,4 @@
# 6.1.26 pwn SECCONCTF2016 tinypad
# 6.1.27 pwn SECCONCTF2016 tinypad

- [题目复现](#题目复现)
- [题目解析](#题目解析)
@ -6,7 +6,7 @@
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.26_pwn_secconctf2016_tinypad)
[下载文件](../src/writeup/6.1.27_pwn_secconctf2016_tinypad)

## 题目复现
```
@ -1,4 +1,4 @@
# 6.1.27 pwn ASISCTF2016 b00ks
# 6.1.28 pwn ASISCTF2016 b00ks

- [题目复现](#题目复现)
- [题目解析](#题目解析)
@ -6,7 +6,7 @@
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.27_pwn_asisctf2016_b00ks)
[下载文件](../src/writeup/6.1.28_pwn_asisctf2016_b00ks)

## 题目复现
```
@ -24,10 +24,11 @@
* [6.1.21 pwn HITCONCTF2016 Secret_Holder](6.1.21_pwn_hitconctf2016_secret_holder.md)
* [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](6.1.22_pwn_hitconctf2016_sleepy_holder.md)
* [6.1.23 pwn BCTF2016 bcloud](6.1.23_pwn_bctf2016_bcloud.md)
* [6.1.24 pwn HCTF2017 babyprintf](6.1.24_pwn_hctf2017_babyprintf.md)
* [6.1.25 pwn 34C3CTF2017 300](6.1.25_pwn_34c3ctf2017_300.md)
* [6.1.26 pwn SECCONCTF2016 tinypad](6.1.26_pwn_secconctf2016_tinypad.md)
* [6.1.27 pwn ASISCTF2016 b00ks](6.1.27_pwn_asisctf2016_b00ks.md)
* [6.1.24 pwn HITCONCTF2016 House_of_Orange](doc/6.1.24_hitconctf2016_house_of_orange.md)
* [6.1.25 pwn HCTF2017 babyprintf](6.1.25_pwn_hctf2017_babyprintf.md)
* [6.1.26 pwn 34C3CTF2017 300](6.1.26_pwn_34c3ctf2017_300.md)
* [6.1.27 pwn SECCONCTF2016 tinypad](6.1.27_pwn_secconctf2016_tinypad.md)
* [6.1.28 pwn ASISCTF2016 b00ks](6.1.28_pwn_asisctf2016_b00ks.md)
* Reverse
* [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
* [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
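Review bot: the new House_of_Orange entry in this index links to `doc/6.1.24_hitconctf2016_house_of_orange.md`, but every sibling entry in the file is relative to the `doc/` directory itself (`6.1.25_pwn_hctf2017_babyprintf.md`, `6.1.26_pwn_34c3ctf2017_300.md`), so from this README the link resolves to `doc/doc/...` and is dead. Drop the `doc/` prefix here; it also lacks the `pwn_` segment the other pwn entries carry, as noted for the top-level README hunk.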
BIN
src/writeup/6.1.24_hitconctf2016_house_of_orange/houseoforange
Executable file
Binary file not shown.
BIN
src/writeup/6.1.24_hitconctf2016_house_of_orange/libc.so.6
Executable file
Binary file not shown.