houseoforange_hitcon_2016



First, check the binary's protections.
[screenshot: protection check]

All protections are enabled.

FSOP: exploiting the _IO_FILE_plus structure

Before analysing this challenge, we need two pieces of background: _IO_FILE_plus and FSOP.

_IO_FILE_plus

_IO_FILE_plus is a structure defined in ptmalloc, and it controls a lot of behaviour. Let's first look at it in gdb.
[screenshot: _IO_FILE_plus as shown in gdb]

Here we use the _IO_list_all structure, which this challenge relies on, as the reference.

_IO_FILE_plus consists of two main parts: an _IO_FILE and a vtable.
$\_IO\_FILE\_plus = \_IO\_FILE + vtable$

_IO_FILE

_IO_FILE holds many fields, and there are many ways to exploit them. For example:

Set _FLAGS = 0xfdab2887 (other values work as well).
The program will then print the data between _IO_write_base = 0x80 and _IO_write_ptr.
Suppose _IO_write_base = 0x80 and _IO_write_ptr = 0xa0; the values from 1 to 0xfffffffffff in the figure below will be printed.

[image: 微信图片_20210925003541.png]

This is a leak technique, but it is not relevant to this challenge for now.

Back to the challenge.

In _IO_FILE, the _chain field stores the pointer to the next _IO_FILE_plus. When malloc detects an error, this linkage is used to walk the list, eventually reaching _IO_flush_all_lockp, which is where the error message gets printed. This is where the weakness lies: for an _IO_FILE_plus structure that satisfies

  1. _mode == 0

  2. _IO_vtable_offset == 0

  3. _IO_write_ptr > _IO_write_base

the _IO_OVERFLOW function is called, with the structure taken from _chain passed as its first argument.

So our exploitation plan is to replace the **_IO_OVERFLOW** function with system and set the first field of the structure to "/bin/sh"; that way we get a shell.
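As an added illustration (not part of the original write-up, and in Python rather than the challenge's C), the script below parses a constructed memory image, walks the _IO_list_all chain the way _IO_flush_all_lockp does, reports which objects meet the three conditions above, and applies the vtable range check that glibc 2.24 introduced as a mitigation (IO_validate_vtable). The struct offsets are the usual 64-bit glibc layout, and all addresses and the sample image are constructed.

```python
import struct

# Field offsets in struct _IO_FILE_plus for 64-bit glibc (assumed from libio.h;
# the vtable pointer sits right after the 0xd8-byte _IO_FILE).
OFF_WRITE_BASE, OFF_WRITE_PTR, OFF_CHAIN = 0x20, 0x28, 0x68
OFF_VTABLE_OFFSET, OFF_MODE, OFF_VTABLE = 0x82, 0xC0, 0xD8
FILE_PLUS_SIZE = 0xE0

def parse_file_plus(image, base, addr):
    """Decode the fields _IO_flush_all_lockp consults from a flat memory image."""
    off = addr - base
    if off < 0 or off + FILE_PLUS_SIZE > len(image):
        raise ValueError(f"FILE object at {addr:#x} lies outside the image")
    u64 = lambda o: struct.unpack_from("<Q", image, off + o)[0]
    return {
        "write_base": u64(OFF_WRITE_BASE),
        "write_ptr": u64(OFF_WRITE_PTR),
        "chain": u64(OFF_CHAIN),
        "vtable_offset": struct.unpack_from("<b", image, off + OFF_VTABLE_OFFSET)[0],
        "mode": struct.unpack_from("<i", image, off + OFF_MODE)[0],
        "vtable": u64(OFF_VTABLE),
    }

def would_call_overflow(f):
    """The three conditions listed in the write-up."""
    return f["mode"] == 0 and f["vtable_offset"] == 0 and f["write_ptr"] > f["write_base"]

def audit_chain(image, base, list_all, vt_lo, vt_hi, max_depth=32):
    """Walk _IO_list_all via _chain; flag objects that would reach _IO_OVERFLOW and
    whether their vtable lies in the trusted range [vt_lo, vt_hi) that glibc >= 2.24
    enforces before dispatching through it."""
    findings, addr, depth = [], list_all, 0
    while addr and depth < max_depth:          # a forged chain may loop; cap it
        f = parse_file_plus(image, base, addr)
        findings.append({
            "addr": addr,
            "triggers_overflow": would_call_overflow(f),
            "vtable_trusted": vt_lo <= f["vtable"] < vt_hi,
        })
        addr, depth = f["chain"], depth + 1
    return findings

# Constructed sample image: a quiescent stream chained to a forged object.
BASE = 0x7F0000000000                                  # constructed capture address
VT_LO, VT_HI = 0x7F00000AA000, 0x7F00000AB000           # constructed vtable section bounds
IMAGE = bytearray(0x200)
struct.pack_into("<Q", IMAGE, OFF_VTABLE, VT_LO + 0x20)               # genuine vtable
struct.pack_into("<Q", IMAGE, OFF_CHAIN, BASE + 0x100)                # _chain -> forged object
struct.pack_into("<Q", IMAGE, 0x100 + OFF_WRITE_BASE, 0x1)           # write_ptr > write_base
struct.pack_into("<Q", IMAGE, 0x100 + OFF_WRITE_PTR, 0x2)
struct.pack_into("<Q", IMAGE, 0x100 + OFF_VTABLE, 0x55D0C0DE0000)    # heap address: untrusted

if __name__ == "__main__":
    for hit in audit_chain(IMAGE, BASE, BASE, VT_LO, VT_HI):
        print(hit)
```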

vtable

The vtable is also a structure.

[screenshot: the vtable structure]

The _overflow mentioned earlier lives right here (admittedly that is just my own impression).

So this part is fairly clear too: overwrite this vtable slot with system.

Function analysis

main()

[screenshot: main(), part 1]
[screenshot: main(), part 2]

add()

[image: image-20220406221655886.png]

Look at add first. add mallocs three chunks in total: two of size 0x20 and one whose size is chosen by the user.

[image: image-20220406230140404.png]

The first chunk stores two addresses, namely the addresses of the two chunks below.

The second chunk stores the content.

The third chunk stores the size and the color_type.

show()
