AWD learning
2022-07-02 06:39:00 【zb0567】
The basic flow
1. Pull down the challenge files
2. Quickly analyze the challenge for vulnerabilities
3. Patch the vulnerability and upload the patched binary back
4. Solve the challenge and attack
5. Capture traffic and defend
One. Target information collection
PWN target machine: connect with Xshell, download the libc file and the ELF file, and back them up after downloading.
The connection is usually nc ip port.
The libc is generally the libc-2.23.so file under lib/x86_64-linux-gnu; this is the runtime, so download it.
Make a copy of the challenge files and copy the pwn binary and the .so into it.
You need to find the port of your own pwn challenge; every team's pwn service is mounted on the same port.
Scan your own pwn target machine with nmap to get the challenge port, for example nmap 127.0.0.1, then connect with nc.
netstat -nultp scans your own machine. Knowing only your own target IP and port is not enough; generally the target IPs are contiguous, so there is a pattern to follow.
ifconfig shows this machine's network; nmap -sP 192.168.58.0/24 sweeps the subnet.
Generally AWD pwn challenges are simpler than CTF ones and have many vulnerabilities; be the first to write the EXP and launch the first round of attacks.
After discovering a vulnerability, patch it whether or not you exploit it, and rename the PWN file so it cannot be used by others.
Two. Common vulnerabilities in PWN challenges and patch analysis
Common vulnerabilities
Stack overflow vulnerability
read(0, &buf, 0x40uLL);
read(0, &s, 0x90uLL);
read(&format, 24LL); this one is not a vulnerability
Repair form:
This kind of vulnerability generally comes from accepting more characters than the buffer holds, which lets the attacker modify the return address.
read is normally only meant to read 20 characters, but if the size is given as 0x20, that is equivalent to reading 16 more characters, which causes the vulnerability.
Repair:
Restrict the input length: this works for read and copy.
Change the input destination address to the .bss segment or another readable segment: this corresponds to the gets function.
Format string vulnerability
printf(&buf, &buf)
printf(&format)
Heap overflow vulnerability
Out-of-bounds write
malloc allocation
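The four repair patterns listed above (shrinking the read length, moving the input destination to .bss, replacing printf with puts, and hard-coding the malloc size), written out in C as an added example rather than code from the original post or from any specific challenge; the buffer sizes (0x40 for the stack buffer, 0x80 for the heap chunk) and the function names are assumptions chosen to mirror the text. Each function shows the vulnerable shape in a comment beside the form that a binary patch produces, and returns something checkable so the effect of the patch can be verified.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

/* Sizes assumed for this illustration, not taken from any particular challenge. */
#define STACK_BUF_SZ  0x40u   /* what the stack buffer really holds      */
#define HEAP_CHUNK_SZ 0x80u   /* the constant the heap patch hard-codes  */

/* Pattern 1: stack overflow, fixed by shrinking the read length.
 * Vulnerable shape: a 0x40-byte buffer filled by read(0, &buf, 0x90).
 * The patch rewrites the length immediate so it cannot exceed the buffer.
 * Returns the number of bytes accepted from fd. */
ssize_t stack_read_patched(int fd, char *out, size_t out_sz) {
    char buf[STACK_BUF_SZ];
    /* before: read(fd, buf, 0x90uLL);   after: clamped to sizeof(buf) - 1 */
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    snprintf(out, out_sz, "%s", buf);
    return n;
}

/* Pattern 2: gets() fixed by pointing its destination at .bss.
 * The text rewrites "mov rdi, <stack slot>" to "mov rdi, 0x404040", so the
 * write lands in a global buffer, away from any saved return address. */
static char g_input[0x100];   /* stands in for the .bss buffer */
const char *gets_to_bss_patched(const char *line) {
    /* a global target removes the return-address overwrite; the bounded copy
     * additionally removes the overflow itself */
    snprintf(g_input, sizeof g_input, "%s", line);
    return g_input;
}

/* Pattern 3: format string, fixed by calling puts instead of printf.
 * Vulnerable: printf(text) with attacker text as the format. Patched: the
 * call target is puts, so '%' sequences are plain characters. */
size_t render_untrusted_patched(const char *text, char *out, size_t out_sz) {
    /* before: printf(text);   after: puts(text), equivalent to "%s" rendering */
    return (size_t)snprintf(out, out_sz, "%s", text);
}
/* 1 if the rendered text is byte-for-byte the input, i.e. nothing was interpreted. */
int render_is_literal(const char *text) {
    char out[128];
    render_untrusted_patched(text, out, sizeof out);
    return strcmp(out, text) == 0;
}

/* Pattern 4: heap overflow, fixed by hard-coding the allocation size.
 * The text replaces "mov eax, dword ptr [rbp+size]" with "mov eax, 0x80" in
 * both the malloc and the read that fills it, so the two always agree. */
void *heap_alloc_patched(uint32_t requested, size_t *actual) {
    (void)requested;            /* attacker-chosen size is ignored */
    *actual = HEAP_CHUNK_SZ;    /* mov eax, 0x80 */
    return malloc(HEAP_CHUNK_SZ);
}
ssize_t heap_fill_patched(int fd, void *chunk, size_t chunk_sz) {
    /* the read length is the same constant (mov edx, 0x80), never user input */
    size_t n = chunk_sz < HEAP_CHUNK_SZ ? chunk_sz : HEAP_CHUNK_SZ;
    return read(fd, chunk, n);
}
size_t demo_heap_size(uint32_t requested) {
    size_t actual = 0;
    free(heap_alloc_patched(requested, &actual));
    return actual;
}

/* Pushes a constructed 0x90-byte input through pattern 1 over a pipe so the
 * demo runs offline; returns how many bytes the patched read accepted. */
ssize_t demo_stack_read(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char input[0x90];
    memset(input, 'a', sizeof input);              /* constructed oversized input */
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input) return -1;
    close(fds[1]);
    char out[STACK_BUF_SZ];
    ssize_t n = stack_read_patched(fds[0], out, sizeof out);
    close(fds[0]);
    return n;                                      /* 0x3f: buffer minus the NUL */
}

int main(void) {
    printf("patched stack read accepted %zd bytes\n", demo_stack_read());
    printf("\"%%p%%p%%n\" rendered literally: %d\n", render_is_literal("%p%p%n"));
    printf("heap chunk for request 0x1000 is 0x%zx bytes\n", demo_heap_size(0x1000));
    printf("bss copy: %s\n", gets_to_bss_patched("hello"));
    return 0;
}
```

The point of returning values rather than just running the patched service is that each patch can be checked the same way the text checks it in gdb: feed an input longer than the buffer and confirm the accepted length is bounded, feed "%p" and confirm it comes back unchanged, request a large chunk and confirm the size is the constant.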
Quick analysis procedure: find the data flow.
Start from the input stream and follow it to find vulnerabilities (taint analysis).
Example:
(1) Run the program under Linux; it prompts for input: ./change_rdx
In the main function we find read(0, &buf, 0x60uLL), a stack overflow vulnerability; buf sits at rbp-30h as shown above, i.e. 0x30 bytes.
Select this line, right-click, choose Copy to assembly, and confirm with Yes.
Under Linux, debug with gdb change_rdx:
b *0x00000000004006EE
r
As pictured.
c10 - be0: 0x60 certainly exceeds this.
Change 60h to 0x30: first Patch, then Cancel; the result is as shown in the figure.
Return to main and see read(0, &buf, 0x30uLL).
Patch the file via Edit -> Keypatch -> Patcher, or modify it under Patch program -> Assemble.
After patching, use Patch program -> Apply patches to input file; with IDA 7.0, name the patched file _patched.
b *0x0000000000400704
r
Now only 0x30 bytes of data can be read.
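The byte-level side of the patch just made in IDA/Keypatch (the 60h -> 0x30 change to the read length), as an added example in C that is not part of the original post or of Keypatch. It assumes the length is loaded with the short form mov edx, imm32 (opcode BA followed by a little-endian 32-bit immediate, the encoding the change_rdx name hints at); the surrounding bytes in kSample are constructed, with the call's rel32 left as zero. The patcher refuses to write unless the opcode and the current immediate match what the disassembler showed, which is the check a hand patch with a hex editor would skip.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* x86-64 "mov r32, imm32" short form is B8+r imm32, so mov edx, imm32 is
 * BA xx xx xx xx. Only this one form is handled here. */
#define OP_MOV_EDX_IMM32 0xBAu

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Rewrites the immediate of the 5-byte "mov edx, imm32" at `off`, but only if
 * the opcode and the current immediate match what the disassembler showed.
 * Returns 0 on success, -1 on any mismatch (nothing is written then). */
int patch_mov_edx_imm32(uint8_t *code, size_t len, size_t off,
                        uint32_t expect, uint32_t newval) {
    if (off + 5 > len) return -1;                   /* out of bounds */
    if (code[off] != OP_MOV_EDX_IMM32) return -1;   /* not the expected instruction */
    if (le32(code + off + 1) != expect) return -1;  /* file differs from what IDA showed */
    put_le32(code + off + 1, newval);
    return 0;
}

/* Locates the first "mov edx, imm" carrying the given immediate. The byte
 * pattern can also occur inside another instruction, so confirm the offset in
 * IDA or gdb before patching. Returns the offset or -1. */
long find_mov_edx_imm32(const uint8_t *code, size_t len, uint32_t imm) {
    for (size_t i = 0; i + 5 <= len; i++)
        if (code[i] == OP_MOV_EDX_IMM32 && le32(code + i + 1) == imm)
            return (long)i;
    return -1;
}

/* Same patch applied to a file on disk, the way "apply patches to input file"
 * does: verify the bytes first, then overwrite them in place. */
int patch_file_mov_edx_imm32(const char *path, long off, uint32_t expect, uint32_t newval) {
    FILE *f = fopen(path, "r+b");
    if (!f) return -1;
    uint8_t insn[5];
    int rc = -1;
    if (fseek(f, off, SEEK_SET) == 0 && fread(insn, 1, 5, f) == 5 &&
        patch_mov_edx_imm32(insn, 5, 0, expect, newval) == 0 &&
        fseek(f, off, SEEK_SET) == 0 && fwrite(insn, 1, 5, f) == 5)
        rc = 0;
    fclose(f);
    return rc;
}

/* Constructed stand-in for the bytes around the vulnerable call:
 *   mov edx, 0x60 ; mov rsi, rax ; mov edi, 0 ; call read (rel32 left zero) */
static const uint8_t kSample[] = {
    0xBA, 0x60, 0x00, 0x00, 0x00,
    0x48, 0x89, 0xC6,
    0xBF, 0x00, 0x00, 0x00, 0x00,
    0xE8, 0x00, 0x00, 0x00, 0x00,
};

/* Runs the in-memory patch on the sample and returns the immediate afterwards:
 * `to` when the patch was applied, the original value when it was refused. */
uint32_t demo_patch_sample(uint32_t from, uint32_t to) {
    uint8_t code[sizeof kSample];
    memcpy(code, kSample, sizeof code);
    long off = find_mov_edx_imm32(code, sizeof code, from);
    if (off >= 0) patch_mov_edx_imm32(code, sizeof code, (size_t)off, from, to);
    return le32(code + 1);
}

int main(void) {
    printf("immediate after patch:     0x%x\n", demo_patch_sample(0x60, 0x30));
    printf("wrong expectation refused: 0x%x\n", demo_patch_sample(0x90, 0x30));
    return 0;
}
```

For a real binary the offset passed to patch_file_mov_edx_imm32 is the file offset of the instruction, not its virtual address; take it from IDA's hex view (or subtract the segment's load address and add its file offset), and keep the unpatched copy the text tells you to make before writing.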
(2) gets(&s, argv);
Choose "segment to jump", where .bss can be selected and viewed.
Copy assembly.
Modify the assembly at 1156 to mov rdi, 0x0000000000404040, then return to the main function.
The address 0x404040 corresponds to the start address of the .bss segment.
Likewise change puts(&s) to mov rdi, 404040h, the same address; now apply it.
After patching, use Patch program -> Apply patches to input file.
Upload the file, then gdb change_buf_to_bss.
Add a breakpoint at call _gets, 401162:
b *0x0000000000401162
r
Step with ni, then input
aaaaaaaaaaaaaaaaaaa
Run the patched one the same way.
By comparison, there is no difference between the two functions' behaviour.
The input is now placed in .bss instead of on the stack.
(3) Format string vulnerabilities generally take the form printf(&FMT).
Common fix: add a format string before the data.
Change the printf function to puts: ./fmt_change_printf_to_puts
aaa: command not found
sed -i s/alarm/isnan/g ./fmt_change_printf_to_puts patches the alarm (the clock).
%p can be used to test for the basic vulnerability.
View the source code: format is the vulnerability.
Find puts in the plt table, not in plt.got, nor in the got table.
Change call printf to call 0x000000000400670 in text; that is its output function.
After patching, use Patch program -> Apply patches to input file.
Test the difference.
(4) Heap overflow
Heap overflows are mainly UAF.
Fix the size in malloc directly, limiting the attacker's data flow.
Don't worry about the vulnerability itself; find malloc and fix its size.
Find the add function.
A heap overflow needs an environment of heap allocation and release to be exploited.
Bypass the check and cap the current size:
mov eax, dword ptr [rbp+size]
change to mov eax, 0x80
Also change the size inside read:
mov eax, dword ptr [rbp+size]
change to mov eax, 0x80, so that it finally reaches mov edx, 0x80
Before and after the patch.
Working backwards: traffic capture
Generally requires root privileges.
pwn: defend and capture traffic
tcpdump -s 0 -w flow.pcap port <port number>
This generates the flow.pcap file in the current directory.
payload="a"*40+"\x76\x06\x40\x00\x00\x00\x00\x00"
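A small reader for the flow.pcap file produced by the tcpdump command above, with a detection heuristic run over its records, as an added example that is not code from the original post. It walks the classic pcap layout (24-byte global header, 16-byte record headers) and flags a record when its payload is longer than the patched read will ever accept (0x30, assumed from the example above) or contains a long run of one repeated byte, the shape of the "a"*40 padding in the payload just shown. The sample capture is constructed in memory with link type LINKTYPE_USER0 (147), so each record holds only the application bytes; a real tcpdump file has Ethernet/IP/TCP headers in front of the payload, which would need to be stripped before applying record_is_suspicious.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Classic pcap layout: 24-byte global header, then 16-byte record headers. */
#define PCAP_MAGIC_LE   0xa1b2c3d4u
#define LINKTYPE_USER0  147u     /* records hold raw bytes, no link/IP/TCP headers */
#define MAX_OK_INPUT    0x30u    /* longest input the patched read still accepts (assumed) */
#define MIN_RUN         32u      /* repeated-byte run typical of overflow padding */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Length of the longest run of one repeated byte in data. */
size_t longest_byte_run(const uint8_t *data, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (i > 0 && data[i] == data[i - 1]) ? cur + 1 : 1;
        if (cur > best) best = cur;
    }
    return best;
}

/* A record is suspicious if it is longer than the patched service will read,
 * or if it carries a long filler run. */
int record_is_suspicious(const uint8_t *data, size_t len) {
    return len > MAX_OK_INPUT || longest_byte_run(data, len) >= MIN_RUN;
}

/* Walks a pcap buffer and returns the number of suspicious records, or -1 if
 * the buffer is not a little-endian pcap file or a record is truncated. */
long count_suspicious_records(const uint8_t *cap, size_t len) {
    if (len < 24 || le32(cap) != PCAP_MAGIC_LE) return -1;
    long flagged = 0;
    size_t pos = 24;
    while (pos < len) {
        if (pos + 16 > len) return -1;
        uint32_t incl = le32(cap + pos + 8);          /* incl_len: bytes saved */
        if (pos + 16 + incl > len) return -1;
        if (record_is_suspicious(cap + pos + 16, incl)) flagged++;
        pos += 16 + incl;
    }
    return flagged;
}

/* Same check over a file on disk (files above 1 MiB are only partly read). */
long count_suspicious_file(const char *path) {
    static uint8_t buf[1 << 20];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return count_suspicious_records(buf, n);
}

/* Builds a constructed two-record capture: a benign line, then a payload shaped
 * like the one at the end of the text ("a"*40 plus an 8-byte address). */
static size_t append_record(uint8_t *out, size_t pos, const uint8_t *d, size_t n) {
    put_le32(out + pos, 0); put_le32(out + pos + 4, 0);   /* ts_sec, ts_usec */
    put_le32(out + pos + 8, (uint32_t)n);                  /* incl_len */
    put_le32(out + pos + 12, (uint32_t)n);                 /* orig_len */
    memcpy(out + pos + 16, d, n);
    return pos + 16 + n;
}
size_t build_sample_capture(uint8_t *out) {
    memset(out, 0, 24);
    put_le32(out, PCAP_MAGIC_LE);
    out[4] = 2; out[6] = 4;                  /* version 2.4 */
    put_le32(out + 16, 65535);               /* snaplen */
    put_le32(out + 20, LINKTYPE_USER0);
    size_t pos = 24;
    const uint8_t benign[] = "hello\n";
    pos = append_record(out, pos, benign, sizeof benign - 1);
    uint8_t attack[48];
    memset(attack, 'a', 40);
    memcpy(attack + 40, "\x76\x06\x40\x00\x00\x00\x00\x00", 8);
    pos = append_record(out, pos, attack, sizeof attack);
    return pos;
}

long demo_flag_count(void) {
    uint8_t cap[256];
    size_t n = build_sample_capture(cap);
    return count_suspicious_records(cap, n);
}

int main(void) {
    printf("suspicious records in constructed capture: %ld\n", demo_flag_count());
    return 0;
}
```

Both thresholds are deliberately coarse: the length rule catches anything the pre-patch binary would have accepted but the patched one rejects, and the run rule catches padding even when a payload is kept under the limit. A flagged record is the starting point for working backwards to the exploit, not proof of one.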