Exploit: obtaining libc

Recently I have worked through a number of difficult problems and feel increasingly stuck, so it seems my basics are not solid. I am pausing the harder material for a short while to write down some fundamentals. This series of posts takes "ctf-in-all" and "pwn Basics linux" as the starting point for the basics.

This first post covers how to use a vulnerability to obtain libc.

First, what is libc?

It is the C standard library on Linux systems.

Different versions of libc place each function at a different offset from the start of the file, so the offsets between functions do not necessarily match either. Therefore, if the challenge does not provide its libc, the address of system cannot be calculated simply by leaking the address of some library function and adding a known offset. This requires us to find a way to obtain the target system's libc.


I found a video on some site that explains this point in a relatively easy-to-understand way; I clipped the important part and saved it locally.

In "Linux PWN Getting Started" and "ctf-in-all" the main method is to use DynELF to leak the address.

DynELF is a module of pwntools that searches the target's memory for the address of the function we need.

Here is a detailed explanation of DynELF:

Usage is as follows (the "****" bytes are placeholder padding for the specific vulnerability; pointer_into_ELF_file and ELFObject are placeholders too):

from pwn import *

io = remote(ip, port)

def leak(addr):
    # DynELF passes an int address; the payload triggers the program's own
    # vulnerability so that it prints the bytes stored at addr.
    payload2leak_addr = b"****" + pack(addr) + b"****"
    io.send(payload2leak_addr)
    data = io.recv()
    return data

# Either a pointer into the ELF (an address inside the binary) or the ELF object is required.
d = DynELF(leak, pointer=pointer_into_ELF_file, elf=ELFObject)
system_addr = d.lookup("system", "libc")

When using DynELF, we must pass a leak function as the required parameter and at least one of the optional parameters, a pointer into the ELF file or the ELF object, to initialize a DynELF instance (d in the example). Then we can search for libc library functions with the lookup method of the instance d.

The leak function must use the target program's own vulnerability to leak the data at the memory address addr, the int argument that DynELF passes in. Because DynELF calls leak many times, the function must be usable any number of times; that is, it must not crash the program after leaking only a few addresses. Since leaking data is required, the payload always involves a print function such as write, puts or printf. The characteristics of these functions are explained separately below.

 

DynELF principle:

Screenshot from "ctf-in-all"


DynELF example:

In libc, we usually use write, puts or printf to print the data at the specified memory address.

1. The write function

 

Its characteristic is that the output of write is determined entirely by the size parameter: as long as the destination address is readable, it outputs exactly size bytes, unaffected by characters such as '\0' or '\n'. Thus the reading and processing of data in the leak function is relatively simple.

 

2. The puts function

3. The printf function
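The following is an added, offline example (not from the original post and not pwntools' own code): it simulates write- and puts-based leak primitives against a constructed fake memory region and shows what DynELF does with a leak, namely calling it repeatedly until enough bytes are assembled. FAKE_BASE, FAKE_MEM and all function names are assumptions made for the example.

```python
import struct

# Constructed fake process memory standing in for the target: an ELF-like header,
# two C strings, a pointer-sized value and padding (64 bytes mapped at 0x400000).
FAKE_BASE = 0x400000
FAKE_MEM = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + b"hello\x00world\n!\x00\x00\x00"
            + struct.pack("<Q", 0x7FFFF7A0D000) + b"\xff" * 24)

def _mem(addr, n):
    off = addr - FAKE_BASE
    if not 0 <= off < len(FAKE_MEM):
        raise ValueError("address outside simulated memory")
    return FAKE_MEM[off:off + n]

def target_write(addr, size):
    """Stand-in for write(1, addr, size): exactly size bytes, NUL and newline bytes included."""
    return _mem(addr, size)

def target_puts(addr):
    """Stand-in for puts(addr): output stops at the first NUL byte and a newline is appended."""
    off = addr - FAKE_BASE
    end = FAKE_MEM.index(b"\x00", off)
    return _mem(addr, end - off) + b"\n"

def leak_via_write(addr):
    """write-based leak: nothing to process, the primitive returns fixed-size raw bytes."""
    return target_write(addr, 8)

def leak_via_puts(addr):
    """puts-based leak: strip the appended newline. An empty reply means the byte at
    addr is NUL; DynELF needs at least one byte back, so report b'\\x00' instead of b''."""
    data = target_puts(addr)[:-1]
    return data or b"\x00"

def read_bytes(leak, addr, n):
    """What DynELF does with a leak: keep calling it until n bytes have been assembled."""
    buf = b""
    while len(buf) < n:
        buf += leak(addr + len(buf))
    return buf[:n]

def read_qword(leak, addr):
    return struct.unpack("<Q", read_bytes(leak, addr, 8))[0]

def find_elf_base(leak, ptr, page=0x1000):
    """DynELF's first step: page-align the pointer and walk downwards until the ELF magic appears."""
    addr = ptr & ~(page - 1)
    while read_bytes(leak, addr, 4) != b"\x7fELF":
        addr -= page
    return addr
```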

 


Origin www.cnblogs.com/mzstar/p/11762541.html