CTF-All-In-One/doc/6.1.11_pwn_9447ctf2015_search_engine.md
2018-08-05 17:43:10 +08:00

74 lines
1.7 KiB
Markdown

# 6.1.11 pwn 9447CTF2015 Search-Engine
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.11_pwn_9447ctf2015_search_engine)
## 题目复现
```text
$ file search
search: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f5b70085d957097e91f940f98c0d4cc6fb3343f, stripped
$ checksec -f search
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 3 search
```
64 位程序,开启了 NX 和 Canary。
玩一下,看名字就知道是一个搜索引擎,大概流程是这样的,首先给词库加入一些句子,句子里的单词以空格间隔开,然后可以搜索所有包含某单词的句子,当找到某条句子后,将其打印出来,并询问是否删除。
```text
$ ./search
1: Search with a word
2: Index a sentence
3: Quit
2
Enter the sentence size:
10
Enter the sentence:
hello aaaa
Added sentence
1: Search with a word
2: Index a sentence
3: Quit
2
Enter the sentence size:
10
Enter the sentence:
hello bbbb
Added sentence
1: Search with a word
2: Index a sentence
3: Quit
1
Enter the word size:
5
Enter the word:
hello
Found 10: hello bbbb
Delete this sentence (y/n)?
y
Deleted!
Found 10: hello aaaa
Delete this sentence (y/n)?
n
1: Search with a word
2: Index a sentence
3: Quit
3
```
根据经验,这是一道堆利用的题目。
## 题目解析
## 漏洞利用
## 参考资料
- [how2heap](https://github.com/shellphish/how2heap)