pwnable.tw - start

Copyright notice: this is the blogger's original article; reproduction without the blogger's permission is prohibited. https://blog.csdn.net/tan6600/article/details/80963747

First install pwntools. Running pip install --upgrade pwntools failed with the error cannot import name main.
To fix it, edit /usr/bin/pip and change

from pip import main

to

from pip import __main__

with the call at the end of the script becoming

    sys.exit(__main__._main())

Then run the install again.

Installing peda

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit

Checking the security mitigations

(screenshot: checksec output)

The stack is non-executable (NX). The script peda uses to check a binary's security features comes from http://www.trapkit.de/tools/checksec.sh

The part of the script that checks NX is:

if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
    echo -n -e '\033[31mNX disabled\033[m'
else
    echo -n -e '\033[32mNX enabled\033[m'
fi
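As an added example (not part of the original post or of the checksec.sh script), the same check done by reading the ELF program headers directly instead of grepping readelf output. The ELF image is a constructed minimal ELF32 fixture, not a real binary; constant names follow elf.h.

```python
import struct

PT_GNU_STACK = 0x6474E551          # program header that records the stack's permissions
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags bits; readelf prints them as E, W, R

def build_elf32(stack_flags, include_gnu_stack=True):
    """Constructed test fixture: a 52-byte ELF32 little-endian header followed by at most
    one PT_GNU_STACK program header. Not loadable, just enough for nx_status() to walk."""
    phnum = 1 if include_gnu_stack else 0
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, ELFDATA2LSB
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,            # e_type=ET_EXEC, e_machine=EM_386, e_version
        0x08048000,         # e_entry
        52, 0, 0,           # e_phoff (phdrs follow the header), e_shoff, e_flags
        52, 32, phnum,      # e_ehsize, e_phentsize, e_phnum
        40, 0, 0)           # e_shentsize, e_shnum, e_shstrndx
    phdr = b""
    if include_gnu_stack:
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

def nx_status(elf):
    """Report NX from PT_GNU_STACK.p_flags: 'disabled' if the stack is executable,
    'enabled' if not. A binary with no PT_GNU_STACK header is reported as 'unknown'
    rather than 'enabled', since the kernel then falls back to its default stack policy;
    the grep in checksec.sh above would print 'NX enabled' for that case."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected an ELF32 little-endian image")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from("<I", elf, off + 24)
            return "disabled" if p_flags & PF_X else "enabled"
    return "unknown"

if __name__ == "__main__":
    print(nx_status(build_elf32(PF_R | PF_W)))          # enabled
    print(nx_status(build_elf32(PF_R | PF_W | PF_X)))   # disabled
```

nx_status() also works on a real file's bytes (open(path, "rb").read()) as long as it is a 32-bit little-endian ELF.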

Program analysis

Two functions are analyzed in IDA, start and exit:
(screenshot)
After decompiling:
(screenshot)

The exit function is:
(screenshot)

There is no main function, so the program was probably written in inline assembly. System calls are made with int 80h: at the time of the call eax holds the syscall number and ebx, ecx, edx and so on hold the arguments in order. The syscall numbers are defined in /usr/include/asm/unistd.h:

#define __NR_exit                 1
#define __NR_fork                 2
#define __NR_read                 3
#define __NR_write                4
#define __NR_open                 5

As the screenshots show, IDA recognized the sys_write and sys_exit calls but did not recognize sys_read.

For the sys_write call, i.e. before int 80h, eax is 4, ebx is the file descriptor fd (stdout is fd 1), ecx is the address of the buffer, and edx is the length of the buffer.

So the start function essentially does the following:

  • pushes exit onto the stack
  • clears the eax, ebx, ecx and edx registers
  • pushes the data onto the stack
  • makes the sys_write system call
  • makes the sys_read system call
  • returns with retn

The values pushed onto the stack, in order, are:

3A465443h
20656874h
20747261h
74732073h
2774654Ch

Concatenated, this gives 4C657427732073746172742074687420746865204354463A, which converted from hex to a string is Let's start tht the CTF:

Before the sys_read system call, eax is naturally set to 3, ebx is changed to 0 (stdin), and edx to 3Ch.
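As an added example (not part of the original post), the decoding of the five pushed dwords listed above carried out in code: each push stores 4 little-endian bytes and the stack grows downward, so the value pushed last is the start of the 20-byte buffer that ecx points at. The size comparison against the sys_read length 3Ch is the same arithmetic done explicitly; function names are the example's own.

```python
import struct

# The five immediates listed on the page, in the order `start` pushes them (first push first).
PUSHED_DWORDS = [0x3A465443, 0x20656874, 0x20747261, 0x74732073, 0x2774654C]

def stack_string(dwords):
    """Rebuild the bytes sys_write sees at ecx.

    Each `push imm32` stores its 4 bytes little-endian, and the stack grows downward,
    so the value pushed last sits at the lowest address (esp) and is printed first.
    """
    return b"".join(struct.pack("<I", d) for d in reversed(dwords))

def push_sequence(data):
    """Inverse of stack_string: the dwords to push, in push order, to lay `data` out
    on the stack. Input is NUL-padded to a multiple of 4 so every chunk fills one push."""
    padded = data + b"\x00" * (-len(data) % 4)
    chunks = [struct.unpack("<I", padded[i:i + 4])[0] for i in range(0, len(padded), 4)]
    return chunks[::-1]

def read_exceeds_buffer(dwords, read_len=0x3C):
    """sys_read's edx (3Ch on this binary) is the maximum byte count the kernel will copy
    to ecx. Returns how many bytes that exceeds the buffer the pushes set aside (0 if it fits)."""
    return max(0, read_len - 4 * len(dwords))

if __name__ == "__main__":
    print(stack_string(PUSHED_DWORDS))          # b"Let's start the CTF:"
    print(read_exceeds_buffer(PUSHED_DWORDS))   # 40
```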
