CTF-All-In-One/doc/6.1.6_pwn_defconctf2015_fuckup.md
2017-11-25 16:45:09 +08:00

37 lines
1.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 6.1.6 pwn DefconCTF2015 fuckup
- [ret2vdso 原理](#ret2vdso-原理)
- [题目解析](#题目解析)
- [Exploit](#exploit)
- [参考资料](#参考资料)
## ret2vdso 原理
在你使用 `ldd` 命令时,通常会显示出 vDSO如下
```
$ ldd /usr/bin/ls
linux-vdso.so.1 (0x00007ffff7ffa000)
libcap.so.2 => /usr/lib/libcap.so.2 (0x00007ffff79b2000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007ffff75fa000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd8000)
```
32 位程序则会显示 `linux-gate.so.1`,都是一个意思。
## 题目解析
```
$ file fuckup
fuckup: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
$ checksec -f fuckup
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 0 fuckup
```
## Exploit
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.6_pwn_defconctf2015_fuckup)相应文件夹中:
## 参考资料
- `man vdso`
- [Return to VDSO using ELF Auxiliary Vectors](http://v0ids3curity.blogspot.in/2014/12/return-to-vdso-using-elf-auxiliary.html)