[Original] Question 15: Smart Device WriteUp
2018-7-15 13:51
Main steps:
1. After running the firmware, the prompt string "please input your key:" appears.
(1) First, dump the strings of every file under the /bin directory.
(2) Use the string "please input your key:" to locate the target program; the commands are as follows:
cd _a9rootfs.extracted/ext-root/
mkdir string
# one strings dump per binary, named after the binary
for i in `ls bin`; do strings bin/$i > string/$i.txt; done
# the file name in the match tells us which binary prints the prompt
grep "input your key" -rn string
This locates the target program: the /bin/sh file.
4. Reverse engineering and debugging /bin/sh
After loading it into IDA Pro, the key-verification function is quickly located. It applies a series of transformations and XOR operations to the Key and compares the result with the fixed string C1371DA51A9030079E21DCDC5B78E38563872139C13F6F; if they match, the check passes, as shown in Figure 1.
Figure 1
The STEP2 function performs a series of index lookups, value fetches, XORs and similar operations, as shown in Figure 2:
Figure 2
Each function is fairly simple; taking the step2 function as an example, a brief analysis is shown in Figure 3:
Figure 3
The analysis is easier when combined with dynamic debugging: first run /bin/sh under qemu-arm, listening on port 12345, with the following command:
Then attach gdb to it and debug.
5. Once the basic approach is clear, write the decryption algorithm accordingly to recover the Key. The decryption code is as follows:
#! /usr/bin/env python3
# -*- encoding: utf-8 -*-
# Inverse of the key check: each rstepN undoes the binary's stepN, and the
# steps are applied in reverse order. (Ported to Python 3; the prints of
# intermediate values are kept for comparison against the debugger.)
st = "0123456789ABCDEF"
src = "C1371DA51A9030079E21DCDC5B78E38563872139C13F6F"

def rstep7(A, table):
    # Undo steps 2/5/7: two characters of `table` -> one byte,
    # the first character of each pair is the high nibble
    L = len(A)
    out = bytearray(L // 2)
    for i in range(L // 2):
        i1 = table.find(A[i*2])
        i2 = table.find(A[i*2+1])
        # print(i1, i2)
        v = (i1 << 4) + i2
        # print(v)
        out[i] = v
    return out

def rstep4(A):
    # Undo step 4: XOR each byte with its predecessor, then reverse the buffer
    L = len(A)
    out = bytearray(L)
    i = L - 1
    while i >= 1:
        out[i] = A[i] ^ A[i-1]
        i -= 1
    out[0] = A[0]
    for i in range(L // 2):
        out[i], out[L-1-i] = out[L-1-i], out[i]
    return out

def rstep3(A, table):
    # Undo step 3: one byte -> two characters of `table`, high nibble first
    L = len(A)
    out = [""] * (L * 2)
    for i in range(L):
        i1 = A[i] >> 4
        i2 = A[i] & 0x0f
        out[i*2] = table[i1]
        out[i*2 + 1] = table[i2]
    return "".join(out)

def rstep6(A, table):
    # Undo step 6: like rstep3, but the low nibble's character comes first
    L = len(A)
    out = [""] * (L * 2)
    for i in range(L):
        i1 = A[i] >> 4
        i2 = A[i] & 0x0f
        out[i*2 + 1] = table[i1]
        out[i*2] = table[i2]
    return "".join(out)

def RHugeStep2(A):
    # Undo the whole STEP2 chain; the comment on each line names the
    # original step being reversed
    rs1 = rstep4(A)  # step4
    print([hex(x) for x in rs1])
    t2 = "13579BDF02468ACE"
    rs2 = rstep3(rs1, t2)  # step3
    print(rs2)
    t3 = "0369CF258BE147AD"
    rs4 = rstep7(rs2, t3)  # step5
    print([hex(x) for x in rs4])
    rs5 = rstep4(rs4)  # step4
    print([hex(x) for x in rs5])
    t4 = "FA50B61C72D83E94"
    rs6 = rstep6(rs5, t4)  # step6
    print(rs6)
    t5 = "FDB08642ECA97531"
    rs7 = rstep7(rs6, t5)  # step2
    print([hex(x) for x in rs7])
    rs8 = rstep4(rs7)  # step4
    print([hex(x) for x in rs8])
    rs9 = rstep6(rs8, t4)  # step6
    print(rs9)
    rs10 = rstep7(rs9, t3)  # step5
    print([hex(x) for x in rs10])
    rs11 = rstep4(rs10)  # step4
    print([hex(x) for x in rs11])
    rs12 = rstep3(rs11, t2)  # step3
    print(rs12)
    rs13 = rstep7(rs12, t5)  # step2
    print([hex(x) for x in rs13])
    return rs13

def exploit():
    # Work backwards from the execve argument "/bin/sh" to the input
    # string the program expects (see the easter egg below)
    target = bytearray(b"/bin/sh")
    rs1 = rstep4(target)
    print([hex(x) for x in rs1])
    table = "0123456789ABCDEF"
    rs2 = rstep3(rs1, table)
    print(rs2)

if "__main__" == __name__:
    rs1 = rstep7(src, st)
    print([hex(x) for x in rs1])
    rs2 = RHugeStep2(rs1)
    print(rs2.decode())  # the Key
    exploit()
This yields the Key: 2018ctf0520pediy1314yyp, and the flag: B1732120572455BAFD30F062F9C49A8A996A8A9DDB4283
6. Easter egg
Once the Key is verified as correct, the challenge is complete. However, the program also prompts that a string can be entered for exploit. Continuing the analysis, the program invokes execve through a system call; the input value, after one simple transformation, is passed to execve as the second argument, with the first argument being /bin/busybox. Guessing that the second argument should be "/bin/sh" and trying that string, the required input is worked out in reverse as 1B5C41070B4D2F, which gets a shell.
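As an added example (not part of the original write-up or of the challenge binary), here is the forward direction of the same check, reconstructed from the inverse steps in the decryption script above: it pushes a candidate key through step2, step3, step4, step5 and step6 in the order that RHugeStep2 implies, hex-encodes the result and compares it with the constant, which is how a defender can confirm the recovered key without re-running the firmware. The same step4 helper also reproduces the easter-egg transformation that turns the input 1B5C41070B4D2F into the execve argument. The function names encode, decode, step4, transform, check_key and command_argument are my own; the step numbering follows the comments in the decryption script, and the tables are the ones it uses.

```python
#!/usr/bin/env python3
"""Forward re-implementation of the key check (reconstructed, not the binary's code)."""

STD = "0123456789ABCDEF"
T2 = "13579BDF02468ACE"
T3 = "0369CF258BE147AD"
T4 = "FA50B61C72D83E94"
T5 = "FDB08642ECA97531"
TARGET = "C1371DA51A9030079E21DCDC5B78E38563872139C13F6F"

def encode(data, table, low_first=False):
    """Map each byte to two characters of `table` (a permuted hex alphabet).
    low_first=True mirrors step6, where the low nibble's character comes first."""
    out = []
    for b in data:
        hi, lo = table[b >> 4], table[b & 0x0F]
        out.append(lo + hi if low_first else hi + lo)
    return "".join(out)

def decode(text, table, low_first=False):
    """Inverse of encode(); rejects odd lengths and characters outside `table`
    instead of silently producing garbage (str.find would return -1)."""
    if len(text) % 2:
        raise ValueError("odd-length input")
    out = bytearray()
    for i in range(0, len(text), 2):
        a, b = table.find(text[i]), table.find(text[i + 1])
        if a < 0 or b < 0:
            raise ValueError("character outside table at offset %d" % i)
        out.append((b << 4 | a) if low_first else (a << 4 | b))
    return bytes(out)

def step4(data):
    """Reverse the buffer, then replace each byte with the running XOR of all
    bytes up to it. This is the exact inverse of the write-up's rstep4."""
    out = bytearray()
    acc = 0
    for b in data[::-1]:
        acc ^= b
        out.append(acc)
    return bytes(out)

def transform(key):
    """Forward chain (assumption: the exact reverse of RHugeStep2 + main):
    step2, step3, step4, step5, step6, step4, step2, step6, step4, step5,
    step3, step4, then a plain hex encode for comparison with TARGET."""
    d = key.encode("ascii")
    d = encode(d, T5)                   # step2  (undone by rstep7 with t5)
    d = decode(d, T2)                   # step3  (undone by rstep3 with t2)
    d = step4(d)                        # step4
    d = encode(d, T3)                   # step5  (undone by rstep7 with t3)
    d = decode(d, T4, low_first=True)   # step6  (undone by rstep6 with t4)
    d = step4(d)                        # step4
    d = encode(d, T5)                   # step2
    d = decode(d, T4, low_first=True)   # step6
    d = step4(d)                        # step4
    d = encode(d, T3)                   # step5
    d = decode(d, T2)                   # step3
    d = step4(d)                        # step4
    return encode(d, STD)               # undone by rstep7 with the standard table

def check_key(key):
    """True only when the candidate key reproduces the fixed comparison string."""
    try:
        return transform(key) == TARGET
    except (ValueError, UnicodeEncodeError):
        return False

def command_argument(user_input):
    """The easter-egg transformation: hex-decode the input, apply step4, and the
    result is what the binary hands to execve as the second argument."""
    return step4(decode(user_input, STD)).decode("ascii", errors="replace")

if __name__ == "__main__":
    print("key check:", check_key("2018ctf0520pediy1314yyp"))   # True
    print("execve argument for 1B5C41070B4D2F:", command_argument("1B5C41070B4D2F"))
```

Because every forward step is a bijection on its alphabet, transform(decrypt(x)) == x holds for any constant, so the same code can be reused to confirm a recovered key for other instances of this scheme; decode() deliberately raises on characters outside the table rather than letting str.find's -1 leak into the nibble arithmetic, which is the one place the original decryption script can silently go wrong on a mistyped constant.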