查看: 157|回复: 0

[Pwn] watevr_2019_pwn_5x5-lightsout

[复制链接]
发表于 2020-5-3 00:14:50 | 显示全部楼层 |阅读模式
[md]# M-x 5x5

We can start by examining the given executable, and seeing that the `sym.flip` function is something
like the following:

```c
void flip(char* board, int position, int size) {
  int x = position & 0xf;
  int y = position >> 4;
  if (y > 0) {
    board[y - 1] ^= 1 << x;
  }
  int mask = 0b11;
  if (x > 0) {
    mask = 0b111 << (x - 1);
  }
  board[y] ^= mask;
  if (y < 15) {
    board[y + 1] ^= 1 << x;
  }
}
```

For 8x8 Lights out, we can turn any position into any other position (the proof and method for
doing this, while not trivial, is left as an exercise to the reader). This also means that we
can take any position XOR anything, even if we do not what position it is.

Here we can see that we can write as normally four bytes outside of the buffer, which we can see
is the register `$rbp`, stored on the stack for the return to `main`. In `main`, there is a `char`
pointer, which initially points to the text `"Bye!"`, and will be changed to `"Good job, you won!"`
if the `play_game` function returns a one, which it never will. This pointer is stored in `$rbp-0x8`
in `main`. What we can do is to change the `$rbp` stored on the stack, which in turn makes `$rbp-0x8`
point to any location we want.

For our expoit, we will make `$rbp-0x8` point to the board, which is `$rbp-0x8` in the `play_game`
function. Dynamic analysis can show us that the difference between `$rbp` in `main` and `play_game` is
exactly `0x20`. As we don't know the value of `$rbp` at any point, due to ASLR in the server, we will
either have to guess it, or try every possibility. We know that `$rbp` is aligned to 8 bytes, as
it would cause a segfault otherwise. Brute forcing, we can see that we need to XOR by `0x20`, `0x60`,
`0xe0` or `0x1e0` to subtract by `0x20`, depending on the value of `$rbp`. Once we've XOR:ed `$rbp`
with the correct value, we only need to change the board to be a pointer to the flag string, which is
trivial.

Now we only need to guess what the value of `$rbp` is, and use the corresponding XOR. This should take
around 4 attempts, and then the service should print the flag for us.[/md]



游客,如果您要查看本帖隐藏内容请回复
温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的最好奖励,还可以获得学币奖励,请尊重作者的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。
论坛交流群:672619046
微信公众号
快速回复 返回顶部 返回列表