1. badchars32
Information gathering
The challenge provides an executable badchars32, a shared library libbadchars32.so, and a flag.txt.
$ file badchars32
badchars32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=48ae8ea56ad3b3ef64444a622db86aa4f0f26b7d, not stripped
$ file libbadchars32.so
libbadchars32.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=9987e654d1d6aec3dbc0abbab74a28d1ab8b6286, not stripped
$ checksec libbadchars32.so
[*] '/home/starr/Documents/CProject/pwn/libbadchars32.so'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
Black-box testing
$ ./badchars32 < cyclic.txt
badchars by ROP Emporium
x86
badchars are: 'x', 'g', 'a', '.'
> Thank you!
Segmentation fault (core dumped)
$ gdb ./badchars32 ./badchars32.core.5172
...
Core was generated by `./badchars32'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xebebeb6c in ?? ()
pwndbg> cyclic -l 0xebebeb6c
[CRITICAL] Pattern contains characters not present in the alphabet
Locating the overflow offset failed here; this is probably related to the character filtering and needs further analysis.
Disassembly
$ objdump -d -M intel badchars32
080483b0 <pwnme@plt>:
...
080483d0 <print_file@plt>:
...
08048506 <main>:
8048506: 8d 4c 24 04 lea ecx,[esp+0x4]
804850a: 83 e4 f0 and esp,0xfffffff0
804850d: ff 71 fc push DWORD PTR [ecx-0x4]
8048510: 55 push ebp
8048511: 89 e5 mov ebp,esp
8048513: 51 push ecx
8048514: 83 ec 04 sub esp,0x4
8048517: e8 94 fe ff ff call 80483b0 <pwnme@plt>
804851c: b8 00 00 00 00 mov eax,0x0
8048521: 83 c4 04 add esp,0x4
...
8048529: c3 ret
0804852a <usefulFunction>:
804852a: 55 push ebp
804852b: 89 e5 mov ebp,esp
804852d: 83 ec 08 sub esp,0x8
8048530: 83 ec 0c sub esp,0xc
8048533: 68 e0 85 04 08 push 0x80485e0 # nonexistent
8048538: e8 93 fe ff ff call 80483d0 <print_file@plt>
804853d: 83 c4 10 add esp,0x10
8048540: 90 nop
8048541: c9 leave
8048542: c3 ret
08048543 <usefulGadgets>:
8048543: 00 5d 00 add BYTE PTR [ebp+0x0],bl
8048546: c3 ret
8048547: 30 5d 00 xor BYTE PTR [ebp+0x0],bl
804854a: c3 ret
804854b: 28 5d 00 sub BYTE PTR [ebp+0x0],bl
804854e: c3 ret
804854f: 89 37 mov DWORD PTR [edi],esi
8048551: c3 ret
$ strings -t x badchars32 | grep 5e0
5e0 nonexistent
$ objdump -d -M intel libbadchars32.so
000006bd <pwnme>:
...
711: 8d 45 c8 lea eax,[ebp-0x38]
714: 83 c0 10 add eax,0x10
717: 50 push eax
718: e8 83 fe ff ff call 5a0 <memset@plt>
...
747: 68 00 02 00 00 push 0x200
74c: 8d 45 c8 lea eax,[ebp-0x38]
74f: 83 c0 10 add eax,0x10
752: 50 push eax
753: 6a 00 push 0x0
755: e8 c6 fd ff ff call 520 <read@plt> read(stdin, ebp-0x28, 0x200)
...
000007cf <print_file>:
7cf: 55 push ebp
7d0: 89 e5 mov ebp,esp
7d2: 53 push ebx
7d3: 83 ec 34 sub esp,0x34
...
7eb: 8d 83 cb e8 ff ff lea eax,[ebx-0x1735] "r"
7f1: 50 push eax
7f2: ff 75 08 push DWORD PTR [ebp+0x8]
7f5: e8 96 fd ff ff call 590 <fopen@plt>
...
862: c3 ret
main calls pwnme in the .so, which contains the overflow. Working it out by hand from the .so disassembly, the overflow offset should be (ebp+4) - (ebp-0x28) == 44, the same as in the previous challenges.
print_file in the .so can be used to print the flag.
pwnme also checks the input string; looking at it in IDA:
.text:00000723 lea eax, (aBadcharsAreXGA - 2000h)[ebx] ; "badchars are: 'x', 'g', 'a', '.'"
.text:00000729 push eax ; s
.text:0000072A call _puts
.text:0000074C lea eax, [ebp+nInputBytes]
.text:0000074F add eax, 10h
.text:00000752 push eax ; buf
.text:00000753 push 0 ; fd
.text:00000755 call _read
.text:0000075A add esp, 10h
.text:0000075D mov [ebp+nInputBytes], eax
.text:00000760 mov [ebp+i], 0
.text:00000767 jmp short beginChecking
.text:00000769 ; ---------------------------------------------------------------------------
.text:00000769
.text:00000769 loopCheckInput: ; CODE XREF: pwnme+F8↓j
.text:00000769 mov [ebp+j], 0
.text:00000770 jmp short badchars_0_3
.text:00000772 ; ---------------------------------------------------------------------------
.text:00000772
.text:00000772 checkLogic: ; CODE XREF: pwnme+E5↓j
.text:00000772 mov eax, [ebp+i]
.text:00000775 movzx ecx, [ebp+eax+arrInput] ; arrInput[i]
.text:0000077A mov eax, [ebp+j]
.text:0000077D mov edx, ds:(badcharacters_ptr - 2000h)[ebx]
.text:00000783 movzx eax, byte ptr [edx+eax] ; badcharacters[j]
.text:00000787 cmp cl, al
.text:00000789 jnz short nextBadChar
.text:0000078B mov eax, [ebp+i] ; if(arrInput[i] == badchars[j])
.text:0000078B ; arrInput[i] = 0xEB
.text:0000078E mov [ebp+eax+arrInput], 0EBh
.text:00000793
.text:00000793 nextBadChar: ; CODE XREF: pwnme+CC↑j
.text:00000793 mov eax, [ebp+j]
.text:00000796 add eax, 1
.text:00000799 mov [ebp+j], eax
.text:0000079C
.text:0000079C badchars_0_3: ; CODE XREF: pwnme+B3↑j
.text:0000079C mov eax, [ebp+j]
.text:0000079F cmp eax, 3
.text:000007A2 jbe short checkLogic
.text:000007A4 mov eax, [ebp+i]
.text:000007A7 add eax, 1
.text:000007AA mov [ebp+i], eax
.text:000007AD
.text:000007AD beginChecking: ; CODE XREF: pwnme+AA↑j
.text:000007AD mov edx, [ebp+i]
.text:000007B0 mov eax, [ebp+nInputBytes]
.text:000007B3 cmp edx, eax
.text:000007B5 jb short loopCheckInput
.text:000007B7 sub esp, 0Ch
.text:000007BA lea eax, (aThankYou - 2000h)[ebx] ; "Thank you!"
There are four bad characters, 'x', 'g', 'a' and '.'. Every input byte is checked, and any bad character found is overwritten with 0xEB. So the 0xebebeb6c seen in the black-box test is the data after three 'a's were replaced.
Approach
First suppose there were no filtering: then we would write the string flag.txt into .data and return to print_file, the same approach as write432.
Search for pop and mov gadgets:
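To see exactly what the check loop does to input (and why cyclic -l failed on the crash value), here is an added example, not code from the original post: a Python reimplementation of the pwnme loop from the IDA listing, run over the same lowercase de Bruijn pattern that pwntools' cyclic generates. The function names de_bruijn, pwnme_filter and find_offset are my own.

```python
import struct

# Bad characters listed by the binary; pwnme overwrites each with 0xEB
BADCHARS = b"xga."
REPLACEMENT = 0xEB


def de_bruijn(alphabet: str, n: int, length: int) -> bytes:
    """First `length` bytes of a de Bruijn sequence (standard Lyndon-word
    construction; same sequence pwntools' cyclic() yields for a-z, n=4)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if len(out) >= length:  # stop early, we only need a prefix
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:length]).encode()


def pwnme_filter(buf: bytes) -> bytes:
    """Reproduce pwnme's check: for i in input, for j in badchars,
    if arrInput[i] == badchars[j] then arrInput[i] = 0xEB."""
    out = bytearray(buf)
    for i in range(len(out)):            # beginChecking / loopCheckInput
        for j in range(len(BADCHARS)):    # badchars_0_3 / checkLogic
            if out[i] == BADCHARS[j]:
                out[i] = REPLACEMENT
    return bytes(out)


def find_offset(crash_eip: int, pattern_len: int = 200) -> int:
    """What `cyclic -l` could not do: filter the pattern the way pwnme does,
    then search for the little-endian bytes of the faulting EIP."""
    pattern = de_bruijn("abcdefghijklmnopqrstuvwxyz", 4, pattern_len)
    needle = struct.pack("<I", crash_eip)
    return pwnme_filter(pattern).find(needle)
```

Running find_offset(0xEBEBEB6C) gives 44, confirming the hand-computed offset; note that pwnme_filter(b"flag.txt") mangles the filename itself, which is why the write432 approach cannot be reused unchanged.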
pwndbg> rop --grep "pop|mov"
...
0x080484e7 : mov al, byte ptr [0xc9010804] ; ret
0x0804846d : mov al, byte ptr [0xd0ff0804] ; add esp, 0x10 ; leave ; ret
0x080484ba : mov al, byte ptr [0xd2ff0804] ; add esp, 0x10 ; leave